WILEY HANDBOOK OF SCIENCE AND TECHNOLOGY FOR HOMELAND SECURITY
Editor-in-Chief
John G. Voeller, Black & Veatch

Associate Managing Editor
Marie Vachon, Consultant

Editorial Board
Bilal M. Ayyub, University of Maryland, College Park
John Cummings, Sandia National Laboratory (retired)
Ron Fisher, Argonne National Laboratory
Adrian Gheorghe, Old Dominion University
Patricia Hu, Oak Ridge National Laboratory
Larry Kerr, Office of the Director of National Intelligence
George Kilgore, Honeywell International (retired)
David Matsumoto, San Francisco State University
Tim Oppelt, Environmental Protection Agency (retired)
James P. Peerenboom, Argonne National Laboratory
John Phillips, Central Intelligence Agency
Ramana Rao
Bruce Resnick, Cargill, Incorporated
Simon Szykman, National Institute of Standards and Technology
Ngai Wong, Joint Science and Technology Office for Chemical and Biological Defense

Editorial Staff
VP & Director, STMS Book Publishing: Janet Bailey
Executive Editor: Arza Seidel
Associate Content Manager Director: Geoff Reynolds
Production Manager: Shirley Thomas
Senior Production Editor: Kellsee Chu
Illustration Manager: Dean Gonzalez
Editorial Assistant: Sherry Wasserman
Edited by JOHN G. VOELLER Black & Veatch
The Wiley Handbook of Science and Technology for Homeland Security is available online at: http://mrw.interscience.wiley.com/emrw/9780470087923/home/
A JOHN WILEY & SONS, INC., PUBLICATION
Copyright © 2010 by John Wiley & Sons, Inc. All rights reserved Published by John Wiley & Sons, Inc., Hoboken, New Jersey Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. 
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com. Library of Congress Cataloging-in-Publication Data: Wiley handbook of science and technology for homeland security / edited by John G. Voeller, Black & Veatch. p. cm. Includes bibliographical references and index. ISBN 978-0-471-76130-3 (cloth : set) – ISBN 978-0-470-13846-5 (cloth : v. 1) – ISBN 978-0-470-13848-9 (cloth : v. 2) – ISBN 978-0-470-13849-6 (cloth : v. 3) – ISBN 978-0470-13851-9 (cloth : v. 4) 1. Civil defense–Handbooks, manuals, etc. 2. Security systems–Handbooks, manuals, etc. 3. Terrorism–Prevention–Handbooks, manuals, etc. I. Voeller, John G. UA926.W485 2010 363.34–dc22 2009041798 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1
CONTENTS

PREFACE

INTRODUCTION AND OVERVIEW
  Policy Development for Homeland Security
  Threats and Challenges to Homeland Security
  Terrorist Organizations and Modeling Trends
  Risk Communication: An Overlooked Tool in Combating Terrorism

CROSS-CUTTING THEMES AND TECHNOLOGIES

Risk Modeling and Vulnerability Assessment
  Terrorism Risk: Characteristics and Features
  Risk Analysis Frameworks for Counterterrorism
  Risk Analysis and Management for Critical Asset Protection
  Logic Trees: Fault, Success, Attack, Event, Probability, and Decision Trees
  Bayesian Networks
  Using Risk Analysis to Inform Intelligence Analysis
  Vulnerability Assessment
  Risk Communication
  Probabilistic Risk Assessment (PRA)
  Scenario Analysis, Cognitive Maps, and Concept Maps
  Time-Domain Probabilistic Risk Assessment Method for Interdependent Infrastructure Failure and Recovery Modeling
  Risk Transfer and Insurance: Insurability Concepts and Programs for Covering Extreme Events
  Quantitative Representation of Risk
  Qualitative Representation of Risk
  Terrorism Risk
  Terrorist Threat Analysis
  Risk Analysis Methods for Cyber Security
  Defeating Surprise Through Threat Anticipation and Possibility Management
  Memetics for Threat Reduction in Risk Management
  High Consequence Threats: Electromagnetic Pulse
  High Consequence Threats: Nuclear
  Modeling Population Dynamics for Homeland Security Applications

Sensing and Detection
  Protecting Security Sensors and Systems
  Threat Signatures of Explosive Materials
  Radioactive Materials Sensors
  Knowledge Extraction from Surveillance Sensors
  RADAR and LiDAR Perimeter Protection Sensors
  Design Considerations in Development and Application of Chemical and Biological Agent Detectors
  Sensing Dispersal of Chemical and Biological Agents in Urban Environments
  Sensing Releases of Highly Toxic and Extremely Toxic Compounds
  2D-to-3D Face Recognition Systems
  Eye and Iris Sensors
  A Tandem Mobility Spectrometer for Chemical Agent and Toxic Industrial Chemical Monitoring
  Dynamic Load Balancing for Robust Distributed Computing in the Presence of Topological Impairments
  Passive Radio Frequency Identification (RFID) Chemical Sensors for Homeland Security Applications

Protection, Prevention, Response and Recovery
  Protection and Prevention: An Overview
  Protection and Prevention: Threats and Challenges from a Homeland Defense Perspective
  Consequence Mitigation
  Security Assessment Methodologies for U.S. Ports and Waterways
  Defending Against Malevolent Insiders Using Access Control
  Less-Lethal Payloads for Robotic and Automated Response Systems
  Defending Against Directed Energy Weapons: RF Weapons and Lasers
  The Sensor Web: Advanced Technology for Situational Awareness

Critical Information Infrastructure Protection
  Critical Information Infrastructure Protection, Overview
  Australia
  Austria
  Brazil
  Canada
  Estonia
  Finland
  France
  Germany
  Hungary
  India
  Italy
  Japan
  Republic of Korea
  Malaysia
  The Netherlands
  New Zealand
  Norway
  Poland
  Russia
  Singapore
  Spain
  Sweden
  Switzerland
  United Kingdom
  United States
  European Union (EU)
  The Forum of Incident Response and Security Teams (FIRST)
  Group of Eight (G8)
  North Atlantic Treaty Organization (NATO)
  Organization for Economic Co-Operation and Development (OECD)
  United Nations (UN)
  The World Bank Group

Cyber Security
  Classes of Vulnerabilities and Attacks
  Authentication, Authorization, Access Control, and Privilege Management
  Advanced Attacker Detection and Understanding with Emerging Honeynet Technologies
  Detection of Hidden Information, Covert Channels, and Information Flows
  Attack Traceback and Attribution
  Cyber Forensics
  Cyber Security Policy Specification and Management
  Multilevel Security
  Cyber Security Standards
  Cyber Security Metrics and Measures
  Trusted Platforms: The Root of Security
  High Assurance: Provably Secure Systems and Architectures
  Security of Distributed, Ubiquitous, and Embedded Computing Platforms
  Security of Web Application and Services and Service-Oriented Architectures
  Cyber Security Technology Usability and Management
  Cyber Security Education, Training, and Awareness
  Industrial Process Control System Security
  Cyber Security for the Banking and Finance Sector

System and Sector Interdependencies
  System and Sector Interdependencies: An Overview
  System and Sector Interdependencies: An Overview of Research and Development
  President’s Commission on Critical Infrastructure Protection
  Input–Output Modeling for Interdependent Infrastructure Sectors
  Application of a Conditional Risk Assessment Methodology for Prioritization of Critical Infrastructure
  Critical Infrastructures at Risk: A European Perspective
  Vulnerability Assessment Methodologies for Interdependent Systems
  Robustness, Resilience, and Security of National Critical Infrastructure Systems
  Inherently Secure Next-Generation Computing and Communication Networks for Reducing Cascading Impacts
  Implications of Regulation on the Protection of Critical Infrastructures
  Characterizing Infrastructure Failure Interdependencies to Inform Systemic Risk
  Managing Critical Infrastructure Interdependencies: The Ontario Approach
  Analysis of Cascading Infrastructure Failures
  Water Infrastructure Interdependencies
  Infrastructure Dependency Indicators
  Object-Oriented Approaches for Integrated Analysis of Interdependent Energy Networks
  Geospatial Data Support for Infrastructure Interdependencies Analysis
  The Military Roots of Critical Infrastructure Analysis and Attack
  Network Flow Approaches for Analyzing and Managing Disruptions to Interdependent Infrastructure Systems

Social and Behavioral Research

VOLUME 3
  Social and Psychological Aspects of Terrorism
  Human Sensation and Perception
  Human Behavior and Deception Detection
  Speech and Video Processing for Homeland Security
  Training and Learning Development for Homeland Security
  Training for Individual Differences in Lie Detection Ability
  Deterrence: An Empirical Psychological Model

Decision Support Systems
  Technologies for Real-Time Data Acquisition, Integration, and Transmission
  Multi-objective Decision Analysis
  Naturalistic Decision Making, Expertise, and Homeland Security
  Classification and Clustering for Homeland Security Applications
  Experience with Expert Judgment: The TU Delft Expert Judgment Data
  Security and Safety Synergy
  Critical Infrastructure Protection Decision Making
  The Use of Threat, Vulnerability, and Consequence (TVC) Analysis for Decision Making on The Deployment of Limited Security Resources

KEY APPLICATION AREAS

Agriculture and Food Supply
  Vulnerability of the Domestic Food Supply Chain
  The Global Food Supply Chain
  Economic Impact of a Livestock Attack
  Social, Psychological, and Communication Impacts of an Agroterrorism Attack
  Foreign Animal Diseases and Food System Security
  Insects as Vectors of Foodborne Pathogens
  Farm Level Control of Foreign Animal Disease and Food-Borne Pathogens
  Risk Assessment, Risk Management, and Preventive Best Practices for Retailers and Foodservice Establishments
  Risk Assessment and Safety of the Food Supply
  Microbiological Detectors for Food Safety Applications
  General Detector Capabilities for Food Safety Applications
  Mitigating Public Health Risks from an Agroterror Attack
  Processing and Packaging that Protects the Food Supply Against Intentional Contamination
  Early Detection and Diagnosis of High-Consequence Plant Pests in the United States
  Mitigating Consequences of Pathogen Inoculation into Processed Food
  Microbial Forensics and Plant Pathogens: Attribution of Agricultural Crime
  Potential for Human Illness from Animal Transmission or Food-Borne Pathogens
  Livestock Agroterrorism and the Potential Public Health Risk
  The Role of Food Safety in Food Security
  Carver + Shock: Food Defense Software Decision Support Tool
  The EDEN Homeland Security Project: Educational Opportunities in Food and Agrosecurity
  Decontamination and Disposal of Contaminated Foods
  Carcass Disposal Options
  Optimal Investments in Mitigating Agroterrorism Risks
  Mid-Infrared Sensors for the Rapid Analysis of Select Microbial Food Borne Pathogens
  Pulsenet: A Program to Detect and Track Food Contamination Events
  Developing Risk Metrics to Estimate Risks of Catastrophic Biological and Bioterrorist Events: Applications to the Food Industry

Water
  Water Infrastructure and Water Use in the United States
  Protecting Water Infrastructure in the United States
  Drinking Water Supply, Treatment, and Distribution Practice in the United States
  Homeland Security and Wastewater Treatment
  Water Supply and Wastewater Management Regulations, Standards, and Guidance
  Roles of Federal, State, and Local Authorities in Water Infrastructure Security
  Potential Contamination Agents of Interest
  Understanding the Implications of Critical Infrastructure Interdependencies for Water
  Surveillance Methods and Technologies for Water and Wastewater Systems
  Designing an Optimum Water Monitoring System
  Emergency Response Planning for Drinking Water Systems
  Treatability of Contaminants in Conventional Systems
  Decontamination Methods for Drinking Water Treatment and Distribution Systems
  Decontamination Methods for Wastewater and Stormwater Collection and Treatment Systems
  Prevention of Contamination of Drinking Water in Buildings and Large Venues

Communications and Information Infrastructure
  Critical Infrastructure Protection: Telecommunication
  Strategies for Protecting the Telecommunications Sector
  Wireless Security

Energy Systems
  Comparative Risk Assessment for Energy Systems: A Tool for Comprehensive Assessment of Energy Security
  Lessons Learned for Regional and Global Energy Security
  Large-Scale Electricity Transmission Grids: Lessons Learned from the European Electricity Blackouts
  Interdependent Energy Infrastructure Simulation System
  Self-healing and Resilient Energy Systems
  Nano-Enabled Power Sources

Public Health
  Threat from Emerging Infectious Diseases
  Foreign Dengue Virus Presents a Low Risk to U.S. Homeland
  Data Sources for Biosurveillance
  Biosurveillance Tradecraft
  The North Carolina Biosurveillance System
  ESSENCE: A Practical Systems for Biosurveillance
  Biodefense Priorities in Life-Science Research: Chemical Threat Agents
  Development of Radiation Countermeasures
  Challenges to Medical Countermeasures against Chemical, Biological, Radiological, and Nuclear (CBRN) Agents
  Medical Countermeasures against Emerging Threat Agents
  Biodefense Workforce
  Health Risk Assessment for Radiological, Chemical, and Biological Attacks

Transportation Security
  Roles and Implications of Transportation Systems in Homeland Security
  Transportation System as a Security Challenge
  Population Evacuations
  Emergency Transportation Operations and Control
  Ultra-scale Computing for Emergency Evacuation
  Harden Security of High-Risk and Critical Supply Chains
  Transportation Security Performance Measures

Intelligence Systems
  File Forensics and Conversion
  Craniofacial Aging
  New Approaches to Iris Recognition: One-Dimensional Algorithms
  Spectrally Adaptive Nanoscale Quantum Dot Sensors
  Finding Inadvertent Release of Information

CONTENTS
CONTRIBUTORS
INDEX

PREFACE
The topic of homeland security did not begin with the World Trade Center or the Irish Republican Army (IRA) or the dissidents of past empires, but began when the concept of a nation versus a tribe or kingdom took root and allegiance to people was a choice, not a mandate. The concept of terrorism is part of homeland security but not all of it, as there are other risks to homeland security that come from Mother Nature or our own lack of action, like infrastructure renewal, that have much higher probabilities of creating substantial damage and loss of life than any group of terrorists could ever conceive. Hence, this Handbook focuses more on the insecurities that can disrupt or damage a nation, its people and economy, and the science and technology (S&T) ideas and tools that can assist in detecting, preventing, mitigating, recovering, and repairing the effects of such insecurities.

The S&T topics that are involved in the physical, cyber, and social areas of homeland security include thousands of specialties in hundreds of disciplines, and no single collection could hope to cover even a majority of these. The Handbook was designed to discuss those areas that form a foundation of knowledge and awareness that readers can use to base their understanding on and move to higher levels of sophistication and sensitivity as needed. For example, the many different areas of detection of chemical substances alone could take around 100 volumes to cover, but there is a subset of this knowledge that brings the reader a solid base on which to build a more advanced knowledge view, if desired. Such subsets in each major topic area were the targets of the Handbook.

The Handbook is organized in sections with each addressing a major topic from cyber security to food safety. The articles within each section are designed to range from instructions about fundamentals to some of the latest material that can be shared.
Over time, we will add new sections and articles within each to make the Handbook a living entity. John Wiley & Sons has done many such large collections, some being truly massive, and has developed support systems to address such a challenge.

Several key goals were paramount in the creation of this Handbook. First was to gather true experts from all sources to talk about S&T for homeland security, homeland defense, and counterterrorism with very limited control over what was presented. Some of what is done in this vast S&T space has to be classified so as to not “communicate our punches” to our adversaries, which is especially true in a military setting. However, homeland security is largely domestic, and solutions must be available for sale, operation, and maintenance in public infrastructure and networks. Having experts speak in an open channel in the Handbook is important to inform the public, officials, law enforcement, researchers, academics and students so that they can work together and increase our collective national knowledge.

A second goal was to take a portion of the thousands of possible sources of knowledge about the hundreds of S&T topics that are part of homeland security and put them in one location. Moreover, this Handbook increases the opportunity for an expert in one topic to easily find connected, adjacent or codependent topics that would have normally required other searches, references and licenses to access. Homeland security involves so much cross-discipline action and interdependency examination that this goal was considered especially important.

A third goal was to create a venue where knowledge of different theories, approaches, solutions, and implications could be compared. There are so many ways to address homeland security concerns and needs in different disciplines and specialties that nothing less than a multivolume, multiyear project looking for hundreds of authors out of thousands of candidates was required. The Handbook addressed this through the services of some of the best in the world in each major topic area acting as Section Editors.
These top experts knew whom to invite, who could contribute, and most important, how much of the overall knowledge in their specialty could be conveyed without drifting into sensitive areas. The Handbook would have been impossible to produce without their incredible efforts in selecting, reviewing, and overseeing their section content.

A fourth goal was to provide a place where even experts in one facet of homeland security could learn about other facets with confidence that the quality of the information would meet their standards. From exceptional discussions about how the European Union views cyber security differently from the United States to massive work on all the different food-safety-detection equipment available, the focus of all contributors was journal quality, peer-reviewed knowledge, with references and links to additional knowledge to allow the reader to go deeper.

A fifth goal was the creation of a substantial enough body of knowledge about the many different facets of homeland security so that policy and decision-makers could get a picture of how much has been done and how much needs to be done to create robust solutions in all the needed areas. Even in places that have dealt with terrorism for over a century, the world still does not have strong, cost-effective solutions to some of the most fundamental problems. For example, we have very limited to no ability to spot a bomb in a car moving toward a building at a sufficient distance to know whether to destroy or divert it before it can damage the target. Even simpler, the ability to spot a personnel-borne improvised explosive device (IED) in a crowd coming into a Las Vegas casino is still beyond our collective capability. The bounding of what we know and don’t know that can be applied in a domestic setting needed to be documented at least in part for dozens of major areas in homeland security.

A sixth goal that was not part of the pages of the Handbook was to create visibility of expertise among all the contributors and reviewers to help them connect with others and enable collaboration. Only a large collection of this type creates such a vast opportunity in known areas of S&T for shared learning and new relationships.

A seventh goal was to present the S&T of homeland security in a way that would allow one of the most important aspects of the economics involved to be considered. This is not the economics of creating or acquiring one solution but rather finding more than one use for a given solution. An inescapable issue in many areas of homeland security S&T is that a fully successful solution applied to only one small market will likely fail because there is insufficient revenue and market to sustain the provider. Building a few hundred detectors for specific pathogens is likely to fail because of lack of volume or will perhaps never see funding as this becomes evident in the original business plan. The solution to this issue is finding multiple uses for each device. For example, a chemical detector looking for contraband or dangerous materials a few days a year may provide continuous service in looking for specific air pollutants related to allergy mitigation in a building. The Handbook exposes the reader to capabilities built for homeland security that might bring benefit in other more frequently needed areas, thereby making both applications more viable.

The Handbook authors were asked to contribute material that was instructional or that discussed a specific threat and solution or provided a case study on different ways a problem could be addressed and what was found to be effective. We wanted new material where possible, but given the nature of a handbook we wanted to also bring great work that might already be published in places not easily encountered and with proper permission could be repurposed into the Handbook for broader visibility. One of the conditions set by the Senior Editor before taking on the project was that the Handbook needed to be published both in print and on the Web.
The dynamic online collection will allow articles and topics not only to be added but also to be updated when threats, solutions, or methods change. The Senior Editor greatly appreciates John Wiley & Sons for accepting this challenge.

The Section Editors of the Handbook have done a superb job of assembling their authors and topics and ensuring a good balance of foundations and details in their articles. The authors in the Handbook have produced valuable content and worked hard with the Wiley editing staff to enhance quality and clarity. And finally, the Wiley staff has taken on the management of hundreds of contributors with patience and energy beyond measure.

This Handbook was conceived as a living document designed to mutate and grow as the topics presented changed or the capabilities of S&T advanced to meet existing and new threats. We hope readers will consider how they might be able to contribute to the Handbook body of knowledge and consider writing about their special expertise for submission sometime in the future.

Editor-in-Chief
John G. Voeller

INTRODUCTION AND OVERVIEW
POLICY DEVELOPMENT FOR HOMELAND SECURITY
Jeffrey Hunker
Carnegie Mellon University, Pittsburgh, Pennsylvania

1 INTRODUCTION

In science and technology, five factors make effective and consistent Policy Development for Homeland Security difficult [1].

• The definition and goals of Homeland Security continue to evolve.
• Multiple decision makers and high levels of organizational complexity diffuse decision-making authority and responsibility and make policy prioritization difficult.
• Policy prioritization is further challenged because of the breadth and ambiguity of Homeland Security threats. This, together with highly differentiated interests and levels of support for different projects from the research community, challenges policy makers’ ability to distinguish and invest in the important, not just the interesting.
• Metrics for judging project contribution frequently are difficult to create.
• Distinct roles for key Homeland Security functions—intelligence, prevention, response and reconstruction, and “defend and respond”—overlap with and can be difficult to distinguish from the Nation’s overall National Security agenda.

For the practicing policy maker, these characteristics—shifting goals, complex and competing interests, and difficulty in measuring results—are not uncommon. It is the mark of good policy development to overcome these challenges and to produce results that benefit the nation.

2 OVERVIEW OF POLICY DEVELOPMENT

Policy development, in any field, is an art, not a science.

2.1 Defining Policy; Defining Homeland Security

A policy is an attempt to define and structure a rational basis for action or inaction [2]. Policy is a long-term commitment; tactics are short-term actions. Tactics and implementation are overlapping concepts in the execution of policy. Policy also needs to be distinguished from (but overlaps with) administration and politics. “Administration” is the “management of any office, employment, or organization direction” [3]. Administration is decision making in bounded rationality—making decisions that are not derived from an examination of all the alternatives [2, p. 278]. Politics, from the Greek for citizen, is about “exercising or seeking power in governmental or public affairs” [3]. Policy, at least ideally, takes into consideration all alternatives, distinguishing it from administration. A focus, or lack thereof, on power distinguishes policy from politics.

However, policy development is critically constrained by both administration and politics. Political feasibility requires elected officials (or their proxies) to support the policy. Organizational feasibility requires the requisite organizations to support the policy and implement it in a way that makes its success possible [4]. (President Kennedy is noted for saying, “I like the idea, but I’m not certain that the Government will.”)

Homeland Security, the object of policy development for this article, has a shifting definition. The National Strategy for Homeland Security (2002) defines it as “a concerted national effort to prevent terrorist attacks within the United States, reduce America’s vulnerability to terrorism, and minimize the damage and recover from attacks that do occur” [5]. In practice, however, homeland security now includes protection against and response to natural or accidental manmade disasters, such as hurricanes and toxic spills.
Reflecting this reality, this article principally will address policy development related to terrorism, but will also refer to issues in the prevention and response to natural and accidental disasters.

Homeland Security is thought of in multiple ways even within the narrower confines of protection against terrorism. For example, in protecting key economic and national security assets such as the electric grid, our telecommunication network, and basic utilities, different constituencies will refer to agendas in “critical infrastructure protection (CIP)”, “critical information infrastructure protection”, or “protection of physical assets”. These agendas overlap, but each has its own scientific and political constituency.

The shifting definition of “Homeland Security” as a policy goal prompts three observations. First, prevention and response to natural and accidental disasters is a relatively mature policy agenda in comparison to the terrorism agenda (though provision of insurance for hurricane disasters and perspectives on climate change challenge policy makers and politicians alike). Had not the Federal Emergency Management Agency (FEMA) and the Coast Guard—two principal Federal agencies with responsibilities for natural and accidental disasters—been included in the Department of Homeland Security, it may indeed have been the case that the “mission creep” apparent in the definition of Homeland Security would not have taken place. However, whether or not natural and accidental disasters are “Homeland Security” issues, policy makers at the Department of Homeland Security (DHS) must address these agendas. Their challenge is to integrate and seek synergies in pursuing disparate policy goals. The search for synergies is an important, but oftentimes overlooked, element in policy development. Finally, FEMA’s performance, in particular, in responding to Hurricane Katrina highlights the gulf between policy and implementation that policy makers ignore at their peril.
The author has reviewed the policies regarding hurricane response in the Gulf of Mexico; on paper they appear more than adequate. Implementation was the problem.

2.2 The Policy Development Process

A common characterization of policy development, useful but inaccurate, lists a series of steps [2, p. 77]:

• Defining the problem. What is the context for a policy?
• Defining the solution. Who specifies it, and why?
  ◦ Identifying alternative responses/solutions
  ◦ Evaluating options
  ◦ Selecting the policy option
• Implementation. Who implements it, and why? Who follows it, and why?
• Evaluation. How is conformity with a policy tracked and evaluated?

This taxonomy is useful in that it describes the steps that any emergent policy follows. However, this taxonomy ignores the real world of policy making, involving interacting cycles of multiple constituencies within government (at many different levels) and outside of government [2, p. 80]. An example of Homeland Security policy development helps to illustrate this observation:

In 1999, during the preparation of the first National Plan for Information Systems Protection (the National Plan) [5, 6], a series of informal discussions between two White House offices (the National Security Council and the Office of Science and Technology Policy) and other Executive Branch agencies (the National Science Foundation (NSF) and the Critical Infrastructure Assurance Office (CIAO)) led to the insight that most federally funded cyber security R&D was directed toward mission-specific goals of the funding agencies (e.g., the Defense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA)). Consequently, there were serious gaps in addressing research questions that, although important, did not garner a specific agency constituency. Following several workshops with outside researchers and prolonged internal discussions, a proposal was developed to create a “virtual National Laboratory”—a consortium of US-based research institutions—charged with identifying and addressing the gaps in the Nation’s cyber research agenda.
This work led to the inclusion in the National Plan of the goal to “establish a new public–private mechanism to coordinate Federal R&D in information systems security with private sector needs and efforts” [6, p. xxi]. Discussions with Congressional members and staff during 1999 evinced considerable interest, but no positive results. Meanwhile, a number of research institutions began vigorously to express interest both to Congress and the Executive Branch in becoming the host institution. That year, Congressional action, independent of Administration’s thinking as to possible host institutions, created the Institute for Security Technology Studies (ISTS) at Dartmouth College. With the creation of the DHS, funding and oversight of the ISTS was located in the Science and Technology Directorate. Oversight of ISTS initiatives always has been vigorous, but no quantifiable metrics for performance exist. There are several lessons from this example. In developing the policy options, there was never a formal development and ranking of alternatives. Consultation with constituencies within and outside the Federal government (Congress, Federal agencies
funding cyber R&D, first responders, and outside research institutions) was continuous throughout the policy development process. Events (such as the placement at Dartmouth) were not necessarily planned by the policy makers (though not unwelcome). Quantifiable metrics were never developed; in particular there was never any consideration of cost/benefit analysis. A final point—of all of the stages of policy development, policy evaluation is perhaps the most difficult. Practicing policy makers often describe policies as “effective” or “ineffective”, yet the policy literature speaks most often of “efficiency”. A particular allocation of resources is efficient if and only if there is no better allocation of those same resources [4, p. 32]. A policy is effective if it is adequate to accomplish a purpose, producing the intended or expected result [3]. From a practitioner’s perspective, measures of allocative efficiency are rarely meaningful—effectiveness is the most commonly employed heuristic. To summarize, policy development does not translate easily into the abstract. The context for a policy, who specifies it, who implements it, who follows it, and how conformity of policy is tracked and evaluated, are situation specific. Some generalizations are possible, but not many.

3 CASE EXAMPLES OF POLICY DEVELOPMENT

Three short case examples illustrate the range of issues in developing Homeland Security policy.

3.1 Cyber Security: A Challenge of Defining the Threat and Establishing Incentives

“Cyber Security” means security of our electronic information and communication systems—notably the Internet but also proprietary computer networks (whether used by business or government) including wireless networks [7]. The focus here is on intentional attacks, and mostly on attacks that could affect the “critical functions” that keep a society running well—in commerce, government, and national security/homeland defense.

Following Presidential Decision Directive 63 in May 1998 (CIP) the protection of cyber and information systems against attack has been a national priority. The Department of Defense (DOD), with a focus on protecting its own extensive systems, and DHS, in the Information Analysis and Infrastructure Protection Directorate, have primary Federal responsibility. National Plans and associated Research and Development plans coordinate Federal policy. Private sector participation is key to the policy’s effectiveness. In particular, sector specific organizations (e.g. for banking and financial institutions) have been created to both promote private sector cyber security and, very importantly, share information within themselves and with the Federal government about cyber threats and attacks [8].

Our understanding of threats, however, is limited. Proactive anticipation of new threats is difficult because the complexity of software makes a priori identification of security vulnerabilities difficult and because new forms of attack (e.g. spear phishing, or distributed denial of service attacks) continually evolve. Publicly available statistics on cyber security are poor. Surveys and compilations of cyber attacks and violations
rely on voluntary reporting, and interviews with Chief Information Officers and other officials responsible for security indicate a widespread reluctance to report most intrusions, including even attempted intrusions [9]. With this caveat, the following are examples.

• More than 2,000,000 personal computers are infected and attackers store and serve pornography from them, attack other computers or send out spam using them, or install spyware to obtain credit card numbers and other personal information.
• Large numbers of sensitive government and contractor computers have been infected with hidden software that records everything done on those computers, and reports back to those that installed that software [8].

General types of threats may include:

• Cyber-crime (phishing, extortion, fraud, etc.). This crime is already rampant and is growing in scale and sophistication.
• Cyber-terror (attacking a crucial website or a computer-controlled infrastructure (e.g. the electric power grid) or, for example, attacking New York Stock Exchange (NYSE) systems). Many “mischief” attacks of this kind have already been tried and succeeded. They too could easily grow in scale and sophistication—with the potential for use by terrorists.
• Cyber-warfare (cyber-terror or cyber-espionage used by one state against another). It appears that this has already been tried at least twice, in the Chinese attempts at reprisals against United States government information networks after the May 1999 accidental bombing of the Chinese embassy in Belgrade, and again by Russian distributed denial of service attacks against Estonian computer networks in May 2007 (both countries deny any involvement).

But key unanswered questions persist. What are the chances that a skilled group of cyber-criminals might hire themselves out as mercenaries for cyber-terror or cyber-warfare? What might they be most likely to attack, and how? Our ability to answer these questions is limited, yet an understanding of where and how threats might materialize is central to building effective policies for protection and response. Consequently, our security responses, though often quite sophisticated, tend to be piecemeal, ad hoc, and not infrequently focused on the short term.

The possible consequences are not well characterized either. These may include:

• immediate damage or disruption (“planes fall out of the sky”, the power grid goes down);
• loss of confidence (e.g. no confidence in NYSE systems, so people begin to take their securities listings and their trading somewhere else);
• general deterioration of an industry or an activity due to constant low-level incidents.

A second major cyber security policy challenge is to create incentives for action. Software developers, for example, are largely immune from tort liability actions challenging the security and reliability of their products. Several states have codified this exemption. The “tragedy of the commons” is also at work in networked systems. The software that
acts as “traffic cop” for the Internet—the Border Gateway Protocol (BGP)—is sensitive to accidental (or deliberate) misconfigurations. A decade ago an accidental BGP misconfiguration redirected the entire Internet to a single site in Florida. Although technical solutions to make a repeat of this incident less likely exist, in essence, no single Internet routing point has an incentive to install these solutions. Hence, a decade later, the network still relies upon the good faith and good programming skills of an increasingly large (and increasingly global) community of service providers.

Cyber security presents an example of how although national focus has led to an extensive and detailed policy framework, it has failed to address key foundations. Scientific and technical work in technology solutions (e.g. encryption, firewalls, and intrusion detection) abounds; however, progress in understanding the extent and nature of cyber threats, and in creating risk management systems, and managerial/network imperatives for action are far less advanced.

3.2 Fire: Consistent and Effective Public–Private Partnership

Fire has long been recognized as a serious danger to urban society, commerce, and natural systems. There have been myriad individual homes and businesses destroyed by fire, and occasional large-scale catastrophes—the great London and Tokyo fires of the 17th century, the Chicago fire, and major forest fires such as in Yellowstone Park a decade ago. Though yet to occur, major urban conflagrations, from nuclear or other causes, remain a real, though distant, threat. Four major outcomes have emerged from our concern with fire.

• Governments, private businesses, and citizens have long worked to understand how fires start and spread, how they can be contained and extinguished, and how they can be prevented. Continuous and sustained research has successively addressed new issues, as, for example, when new materials enter into building construction or furnishings, or when new sources of combustion, such as electrical wiring, are introduced. Research takes place at the Federal (e.g. National Institute of Standards and Technology), state, and private sector levels.
• In parallel, common pools of risk knowledge have been created, updated, and perhaps most importantly, widely shared among insurers, risk managers, and researchers. This statistical data provides the necessary foundation for managing the risk of fire.
• The result is a well-developed system in which we have fire codes, fire insurance, agreed-upon standards for products and for fire protection systems, and well-defined procedures and resources in place for calling firefighting companies to the scene of a fire—all backed up by a good knowledge of what the losses could be, in terms of both dollars and human life, and therefore a good way of assessing risk, justifying costs, and compensating for damage.
• For the (fortunately) special case of major conflagrations (forest fires, major urban conflagrations) a well-exercised system of coordinated Federal resources (Department of the Interior, Department of Agriculture, Defense Department (National Guard), DHS (FEMA), and state and local assets) is in place.

The policy response to fire exemplifies an almost three century-long process integrating widespread recognition of the threat together with private and public investments in
understanding the threat, working to reduce it, creating systems to respond to fires (large and small) when they occur, and developing sophisticated regulatory and risk management mechanisms to reduce and spread risk. What is most notable is that this policy structure was not created “top–down”, but developed from enlightened self-interest and the recognition of a Federal role in two dimensions—research and emergency response and reconstitution. The policy structure is not perfect; for example a comprehensive national fire code has yet to be adopted in place of a myriad of local codes. Nonetheless, it stands as a model of successful policy development.

3.3 Y2K: Top–Down Policy Response to a Specific Threat

From the preparation and execution of Y2K some key lessons can be drawn.

• A clear decision for action was made by the White House, with clear goals and timelines.
• A strong leader, with close ties to the President, and extensive business and government credibility, was chosen.
• Education—of the business community and government agencies—was a major and long term focus.
• Incentives, but not regulation, were used to enhance both action and cooperation among the private sector. For example, the Securities and Exchange Commission (SEC) did not require filing organizations to take action, merely to report publicly in their filings what if any action an organization was taking.
• National legislation, to promote information sharing and reduce liability for Y2K related actions, was enacted.
• Public–private partnership was emphasized. A sophisticated operations center, coordinating business and government resources and information, was built (the Information Coordination Center); strong leadership (a retired Marine Corps General) led the effort.
• Constant and effective communications kept the press and public informed.
• Extensive and effective outreach to key non-US constituencies, including the UN, helped to ensure that preparation for the Y2K event was, if not global, certainly not exclusively a US priority.
• The core operational team managing the issue was a tight, small, high quality team based at the White House.

The response to the “Y2K bug” illustrates an effective policy development and implementation process. Clear goals (motivated by a pressing threat, though skeptics abounded), strong leadership, effective implementation driven by a subtle combination of “carrot-and-stick”, and measurable outcomes (things either worked, or they did not) characterize this initiative. Some key observations emerge from these case examples. Policies, however detailed, that fail to address fundamental issues reduce their likelihood of being effective (this is sometimes referred to as the “elephant in the drawing room” syndrome—there’s an elephant, but no one acknowledges its presence). Policy can be emergent, constructing itself through the uncoordinated actions of various constituencies. Clear goals, strong leadership, and measurable outcomes are critical to successful policy.

4 SELECT RESEARCH AGENDAS AND IMPLICATIONS FOR POLICY DEVELOPMENT

A representative but certainly not exhaustive list of major Homeland Security research topics illuminates some key drivers for policy development. One taxonomy [10] for research divides scientific challenges into those which have been around for a while and those which have emerged more recently, either in response to new policy concerns (e.g. terrorism, global climate change, and so on) or evolutions in the technology frontier (e.g. greater computational and networking capabilities). The former includes:

• identification and treatment of known pathogens;
• better technologies for emergency responders;
• blast-resistant and fire-resistant structures;
• air filtering against known pathogens and chemicals;
• decontamination techniques; and
• technologies to enhance security against cyber attacks.

Areas that have emerged more recently include the following.

• creating an intelligent, adaptive electric power grid;
• revising land use and disaster preparedness/response policies in the face of global climate change;
• capturing, analyzing, and assessing useful information for emergency officials and responders with new sensor and surveillance technologies;
• creating a common risk model that allows comparison between and across infrastructures;
• developing methodologies to accurately identify and predict both actors perpetrating and motivations for cyber attacks;
• identifying and predicting paths and methods of currently undetectable food and water alteration;
• developing networks—both physical (e.g. transportation) and electronic (e.g. the Internet) in which security is being imposed as a basic design consideration, not as an add on;
• designing self diagnosing and self repairing systems and facilities; and
• providing a common Homeland Security operating picture available to all decision makers at all levels.

Many other agendas exist. For example the Draft National Plan for Research and Development in Support of Critical Infrastructure Protection [11] identifies nine key themes.

• detection and sensor systems;
• protection and prevention;
• entry and access portals;
• insider threats;
• analysis and decision support systems;
• response, recovery, and reconstitution;
• new and emerging threats and vulnerabilities;
• advanced infrastructure architectures and system design;
• human and social issues.

With a mission of “filling gaps” in the Homeland Security R&D agenda, the Institute for Information Infrastructure Protection has identified potentially key R&D grand challenges [12]:

• secure digital healthcare infrastructure;
• value-added infrastructure protection;
• cost-effective CIP through Information Infrastructure Resilience;
• trusted realms;
• national critical infrastructure web for disaster and attack management, analysis, and recovery;
• spatial clustering of information infrastructure—a basis for vulnerability assessment;
• beyond the domain name system (DNS); and
• establishing a national identity.

Implications for Policy Development: These lists of noteworthy projects challenge policy development for Homeland Security in at least four ways.

• There exist numerous and highly differentiated scientific and technical agendas. New challenges with long-standing infrastructures—such as port security—or new issues—like the identification of potentially explosive liquid combinations—continue to emerge. For policy makers, no clear, widely accepted methodology to prioritize initiatives across domains exists.
• Input metrics (e.g. dollars spent) for each initiative are easy to develop; meaningful output metrics (e.g. how much safer are coastal communities from the threat of catastrophic hurricanes, how much safer are US citizens from terrorist threats) largely do not exist.
• The scientific and technical communities demonstrate widely different levels of interest and effort in engaging these topics. For example, of 80 key researchers in Homeland Security at a 2005 conference [13], fewer than 6 were focused on human and social issues such as insider threats. Detection and sensor systems were the focus of the bulk of the work.
• Some issues of perhaps paramount importance barely appear in the research portfolio. There appears to be a systematic underinvestment in key areas like human social interactions. Interoperability between networked systems was the subject of a recent special session of the IEEE, and is, arguably, a critical element in any system of effective Homeland Security, yet little basic work appears to be taking place [14].

Thus, opportunities in scientific and technical research and deployment for Homeland Security are numerous and varied; this abundance challenges policy makers in establishing clear goals and monitoring and assessing their impact.

5 ORGANIZATIONAL COORDINATION FOR POLICY

The multiplicity of research agendas as well as organizations with a stake in research and development make vital a strong and dynamic integrative framework for communication and cooperation across domains and constituencies, both for policy makers and researchers. Some agendas address issues of immediate concern and impact, while others focus on expanding the frontiers of knowledge. Shortly we will consider in detail an example of such an effective integrative framework, but first we will outline some overall challenges to policy coordination.

5.1 Complexity of the System

Homeland Security should not be thought of as the DHS, but as a system that incorporates a breadth of constituencies—Federal agencies, states and localities, private organizations, individual citizens, and other countries and international organizations. At least 22 disparate organizations make up the DHS [1, pp. 59–60], [15]. In addition, the FBI, DOD, and the intelligence community are parts of this system. Policy development for science and R&D in this complex system faces several tensions:

• identifying and establishing policies for R&D requirements;
• matching these with the threats;
• resolving organizational conflicts over resources and priorities; and
• measuring progress and success.

Complexity can be viewed on at least two planes. Within the Federal government most agencies have at least some part of the Homeland Security agenda. As an example, the National Strategy to Secure Cyberspace engages at least 15 major Federal departments and agencies apart from DHS. Each element brings to bear differing perspectives (law enforcement, National R&D capabilities, new technology policies, and responsibility for economic sectors or citizen concerns) [15, pp. 348–350, 416–419]. Within this framework, the ultimate level of coordinating authority matters. While in the Clinton Administration coordination ultimately rested with a National Coordinator of White House rank, coordination for cyber security policy now resides at a lesser level within DHS.

A more complete, and hence complex, picture of the same agenda (again, only a small part of the Homeland Security agenda) shows how many agents at the first level, firms and their individual actors, at the second, a panoply of legal instruments and national plans (including but not only those of the US), and finally a larger and emerging multinational agenda play a role, each with its own area of focus. A short (and partial) listing of the published policy plans gives a rough idea of the variety of Homeland Security policies.

• DHS, Interim National Infrastructure Protection Plan (2005).
• DHS, National Response Plan (2004).
• National Research Council, Making the Nation Safer: The Role of Science and for Countering Terrorism (2002).
• Office of Management and Budget (OMB), 2003 Report to Congress on Combating Terrorism (2003).
• RAND National Defense Research Institute, The Physical Protection Planning Process, Proceedings of workshops (2002) sponsored by OSD.
• White House, Homeland Security Presidential Directive 7 (HSPD-7): Critical Infrastructure Identification, Prioritization, and Protection, 2003.
• White House, National Strategy for Homeland Security (2002).
• White House, National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (2003).
• White House, National Strategy to Secure Cyberspace (2003).
• White House, NSC-63; Critical Infrastructure Protection (1998).

5.2 Coordination of Policy

Overall coordination of these policies takes place in three levels [15]. At its highest level, a Homeland Security Coordination Council, modeled in part on the National Security Council (Cabinet level attendance) provides integration. For the plethora of plans, several key instruments are used.

• National Response Plan (NRP): The purpose of the NRP is to establish the single comprehensive approach required to enhance US ability to respond to domestic incidents. It provides a framework of incident management protocols to address these threats. Established on the basis of HSPD-5—Management of Domestic Incidents (2003)—the NRP applies to high impact events requiring a coordinated and, as appropriate, combined response. As a Response Plan, it does not directly establish science policy, though as a policy document it has a major impact [16].
• An integral component of the NRP is the National Incident Management System. Its purpose is to provide a consistent nationwide approach to prepare for, respond to, and recover from domestic incidents of consequence.
• HSPD-7 assigns responsibility to Sector Specific Agencies (SSAs) designated for protection activities in specific areas—for example the Department of Energy is responsible for protection of energy assets, including the production, refining, storage, and distribution of oil, gas, and electric power. SSAs report to the DHS on these actions.

As the examples of Y2K and fire protection policy illustrate, numerous and engaged constituencies need not be a barrier to effective policy. However, the evolving definition of what comprises Homeland Security, the long histories of many of the organizations involved, and the sometimes inchoate understanding of what the goals of Homeland Security policy are certainly challenge effective policy making.

6 FEDERAL CYBER SECURITY R&D POLICY: AN EXAMPLE OF EFFECTIVE POLICY DEVELOPMENT

Since 1998, the framework for cyber security R&D has evolved, and now shows great promise of providing an effective framework for decision making. It serves as a good example both of how structures for policy coordination and development evolve over
time, and also of how coordination can be achieved by the thoughtful use of metrics and the acquisition of supporting data. Three themes stand out in this evolution:

• focusing the policy making process to incorporate needed cross-cutting and integrative perspectives;
• developing and institutionalizing detailed knowledge of both the “baseline” of R&D projects, and current and projected resource allocations for these projects; and
• continuous progress to seamlessly integrate cyber security R&D into the CIP agenda, and the even broader homeland security agenda, while also tackling difficult challenges such as technology transfer of R&D results.

As such, federal cyber security R&D policy is a good example for readers of this article. It is worth noting that federal cyber security programs are relatively small, both in terms of the number of people involved and the dollar amounts. Total federal support for cyber security R&D is of the order of $500 mm, with much of it within the DOD. The number of policy makers engaged is also small. Cyber security R&D is a complex topic, however, and requires a probably unprecedented understanding of and cooperation with the private sector in order to be effective.

6.1 Focusing the Policy Making Process

After PDD 63, the Critical Infrastructure Protection R&D Interagency Working Group (CIP R&D IWG) was formed to coordinate federal R&D policy. The IWG included the principal agencies that performed cyber security R&D work (Defense, National Science Foundation, National Institute of Standards and Technology, and Energy) as well as representatives from agencies charged with working with specific private sectors (energy, information and communications, banking and finance, transportation, vital services, and international).

The IWG had a complex reporting structure—a theme that runs through the entire evolution of the policy making process here—and reported to three groups: (1) the Committee on National Security, part of the National Science and Technology Council (NSTC) that in turn was chaired by the White House Office of Science and Technology Policy (OSTP); (2) the Committee on Technology (also a NSTC committee); and (3) the Critical Infrastructure Coordination Group, responsible for coordinating all CIP policy, which was chaired by the National Security Council. The CIP R&D IWG organized its work by sector, and, while important work was done, the sector focuses inadequately addressed at least five challenges [10, p. 4]:

• many different sectors contain infrastructure that is vulnerable to exactly the same threats;
• the majority of the sector specific policies did not address the inherent and broadly applicable interdependencies between infrastructure sectors;
• physical threats and solutions were considered separately from cyber threats and solutions;
• the process was challenged to address simultaneously two different paths toward improved security—special efforts to reduce vulnerabilities and improvements coming from the normal efforts to design new infrastructures for higher performance and quality of service;
• the process was also challenged in evaluating new threats and opportunities coming from new technological advances that might not be readily incorporated into the normal design process.

Along with these challenges, starting in 2002 a number of other changes in the overall policy environment led to a restructuring of the organization and focus of federal cyber security R&D policy. The Cyber Security Research and Development Act (Nov 2002) gave responsibility for coordinating cyber security R&D to OSTP, with special charges to NSF and NIST to perform research. The National Strategy to Secure Cyberspace was issued in February 2003. The report recommended that OSTP coordinate development of an annual federal cyber security research agenda. Homeland Security Presidential Directive 7 (December 2003) required an annual CIP R&D plan to be developed by OSTP and DHS. A series of outside reports on cyber security R&D—from the National Science Foundation (2002), RAND (2002), the President’s Information Technology Advisory Committee (February 2005), and the interagency InfoSec Research Council Hard Problem List (November 2005)—all provided perspective on research priorities, or appropriate strategies, for federal cyber security research.

Following one intermediate reorganization of the policy making process, in mid 2005 the Cyber Security and Information Assurance Working Group (CSIA) was formed to shape federal cyber security R&D policy, reporting to both the NSTC Subcommittee on Networking and Information Technology R&D (NITRD) and the Subcommittee on Infrastructure. Reflecting the continuing theme of complex reporting relationships, these subcommittees in turn report variously to the NSTC Committees on Technology and Homeland and National Security. Three important and positive changes resulted from this evolution.

• NITRD jointly overseeing CSIA made explicit the recognition that cyber security has a broad impact on the nation’s interests beyond just CIP.
• In place of sector-specific policies, initiatives are organized around integrative themes addressing both physical and cyber threats and solutions. In the April 2006 cyber security R&D plan [17] there are eight initiatives:
  ◦ functional cyber security and information assurance;
  ◦ securing the infrastructure;
  ◦ domain-specific security;
  ◦ cyber security and information assurance characterization and assessment;
  ◦ foundations for cyber security and information assurance;
  ◦ enabling technologies for cyber security/information assurance R&D;
  ◦ advanced and next-generation systems and architecture;
  ◦ social dimensions of cyber security/information assurance.
• Policy themes and projects are compared and correlated with outside perspectives, starting with the NSF and RAND reports, and also the R&D chapters of the “sector specific” plans developed for the National Infrastructure Protection Plan, and international perspectives from the EU and elsewhere. There is also continued consultation with academia, government labs, and industry. There is a strong match between the themes and projects prioritized by all groups, and recent consultations have surfaced only a few projects that were not already in the plans [18].

6.2 Transparency into the Granularity of Projects and Budgets

A second very important evolution in cyber security R&D policy development has been to create the administrative systems so that decision makers can look at the universe of individual R&D projects and the resources applied to each project. Previously, there was no comprehensive database of cyber security R&D projects across relevant Federal agencies. A major step forward over the past two years has been to create a very specific database by project—a “program” level perspective is too coarse to provide the needed insight into various efforts—cross-referenced by threat, by sector, by technology, by stage of the project (e.g. basic research), and by agency.

Together with this baseline of projects is a breakout of budget support for cyber security research, starting with the President’s FY07 budget submission. Previously, budget amounts for cyber security research were difficult to identify because they were often grouped with non-cyber security research in other program areas. While some agencies did not participate in the FY07 NITRD budget breakout for cyber security R&D in the FY07 budget supplement (notably DHS and some elements of the Department of Energy), the Office of Management and Budget’s annual budget guidance now requires agencies to submit separate budget amounts for cyber security R&D as part of their annual budget submissions. These reforms provide two important benefits.

• Decision makers are now able to map R&D priorities against the set of specific projects and their funding, and identify gaps in the national agenda;
• Individual agencies can now identify areas where their individual interests and projects complement or duplicate work going on elsewhere in the Federal government.

6.3 Integrating Cyber Security R&D into Broader Agendas

There is a complex and not universally agreed-upon overlap and integration between the concepts of “cyber security”, “CIP”, and “homeland security”, and this article is, simply put, not the place for an adequate discussion of these issues. Suffice to say that there is a multiplicity of plans addressing some of these different perspectives, as well as a widespread feeling that ultimately cyber security R&D policy needs to be integrated into a comprehensive homeland security R&D policy that also includes consideration and linkages to issues like weapons of mass destruction, and other threats to homeland security. There is also a need to adopt a national perspective—not just a government perspective—that incorporates private sector initiatives and priorities.

Both of these thrusts for broader integration are underway. Work is currently being done to integrate cyber and weapons of mass destruction R&D policy, with an explicit
goal, as one policy maker said, of “erasing some of these plans” [18]. With “sector coordinating councils” that serve as the forum for dialog between government and the private sector, there is also a forum that appears to be reasonably effective in talking with industry. Hence, the current policy framework shows great promise of being able to not only provide an integrated platform for making effective choices about cyber security R&D policy, but also a way of integrating cyber security with other facets of the broad homeland security R&D agenda across both the government and private sector.
6.4 Challenges
The progress made in creating a framework for effective cyber security R&D policy is by no means complete. One major challenge, for example, is to improve technology transfer from federally funded R&D projects into the hands of users. This is a long-standing challenge, and agencies have adopted various strategies and programs to address it. NSF, for example, largely relies on the project-specific researchers to disseminate the results of their work, while the service laboratories in the defense department have technology transfer offices charged with that mission. What is important to note is that this issue is very much a focus of attention by policy makers in OSTP and elsewhere charged with cyber security R&D, and that, while the challenge of tech transfer may never be “solved”, considerable improvement can, and most likely will, be made. To summarize, there is value in looking at instances in which a policy system has evolved to provide an ongoing and sustaining framework for better decision making. The evolving structure for Federal cyber security R&D policy provides one such example.
7 LESSONS FOR BETTER POLICY DEVELOPMENT
With a broad set of science and technology research initiatives, the role of Homeland Security policy is to drive, in the national interest, to match policy needs with opportunities. Some key themes for improving policy development for Homeland Security include the following:
7.1 Threats Should Prioritize Policy
Effective Homeland Security policy development is challenged by our incomplete articulation of what we are preparing either to defend against or respond to. The inability to clearly identify threats has at least three significant consequences.
• Blurring the distinction between policy and tactics. Policy defines the (longer term) investment interests, whereas tactics relate to more immediate actions; without clarity in threats, policy and tactical responses are blurred, and implementation suffers.
• Impeding organizational coordination. With multiple and indiscriminate threats, different organizations will focus, without clear metrics, on their perceptions, not on the national needs.
• Impeding the prioritization of policy goals. Above all, the lack of a clear structure linking threats to goals tries our ability to prioritize resources to goals of greatest importance.
7.2 Tension, Managed Properly, Makes Good Policy
As an element of good policy development, a tension needs to be managed—but not avoided—between duplication of initiatives on one hand, and on the other hand ensuring a portfolio of projects, perhaps in some cases competitive, but integrated into an operable policy framework.
7.3 Better Metrics Are Needed
Sometimes metrics need not measure direct impacts, but can be proxies for outputs that are inherently difficult to capture. A non-Homeland Security example: ALCOA embarked on a corporate-wide and intensive program to improve its safety performance. The genius of this high priority initiative was that a focus on safety was in fact a proxy for a wide range of process improvements within the company and its network of suppliers and customers. A safer workplace was not only a laudable goal in itself, it drove major productivity improvements.
7.4 Implementation Matters
Although policy defines and structures a basis for action, the impact of policy ultimately depends on the actions taken by the plethora of actors—Federal, state, and local agencies; the private sector; and individuals—who are, figuratively or literally, “on the ground”. Creating the incentives and structures for assessing effort and impact remains perhaps the single greatest weakness in policy development and implementation—and also the greatest opportunity for improvement.
7.5 Clarifying the Line Between National Security and Homeland Security
Among the major challenges are the existing distinctions between Homeland Security and “National Defense” generally. DOD policies and willingness to engage in homeland defense continue to evolve; a clear set of policies here is needed [1, pp. 213–230]. Secondly, the integration of federal programs and investments with state and local capabilities (both as first responders and as an integral part of ensuring defensive and protective capabilities) is an area for improvement. While integrated communications capabilities, for example, are important, a stronger integration into R&D is needed. An expansion of a single integrative organization—an original conceptualization of DHS—would address this second concern, but does not appear to have much promise given current political realities.
7.6 Leveraging Lessons from the Private Sector
The use of market mechanisms may provide novel insight for more effective policy development, particularly in science and research. Managing key financial and operational risks is central to any organization (e.g. even the United States Government has “Continuity of Government” requirements). Greater use of market mechanisms may prove an important part of better linking policy goals with effective implementation.
7.7 Delegating Responsibility and Dividing the Labor: Who Deals With What?
Ultimately, one who studies Homeland Security policy development is faced with a troubling observation: it remains unclear as to who knows what to do, who manages or drives the policy agenda, and who is in charge of implementation. Ultimately, who terminates projects, and nurtures others? Who reviews the portfolios of investments? Who are the “they” who really will make the decisions?
8 CONCLUSION
As this article indicates, policy development for homeland defense not only supports a vigorous science and technology portfolio but also has room for improvement. Both from a science and technology perspective and as an operational set of activities, significant reforms need to be made. Lessons from our existing post 9/11 experience, from other successful (and less successful) federal agencies, and from non-federal sources can all provide useful insights. In conclusion, four observations were made:
• Policy development for homeland security is highly complex for reasons both of substance and organization.
• Policy making and implementation is fundamentally challenged by the need for effective communication and cooperation—with appropriate metrics to support these policies.
• R&D policy faces a tension between duplication and managing portfolios of competitive initiatives integrated through an operable policy framework.
• Competing interests in conjunction with great organizational and topical complexity can mask or provoke a gap in leadership. Who actually is in charge—both with “big” decisions and smaller projects?
REFERENCES
1. Ranum, M. J. (2004). The Myth of Homeland Security, Wiley Publishing Company, Indianapolis, Indiana, pp. 1–50 for a good overview (total pages 1–230).
2. Parsons, W. (1995). Public Policy: An Introduction to the Theory and Practice of Policy Analysis, Edward Elgar, Brookfield, Vermont, p. 14 (total pages i–xviii, 1–675).
3. Stein, J. (1966). The Random House Dictionary of the English Language; The Unabridged Edition, Random House, New York.
4. Munger, M. C. (2000). Analyzing Policy: Choices, Conflicts, and Practices, WW Norton and Co., New York, pp. 14–15 (total pages I–xvii, 1–430).
5. The White House. Office of Homeland Security (2002). National Strategy for Homeland Security, The White House, Washington, D.C., July 2002, p. 2. (total pages 1–71).
6. The White House (1999). Defending America’s Cyberspace: National Plan for Information Systems Protection (draft), The White House, Washington, D.C., May 1999 (total pages i–xxvi, 1–128).
7. Fischer, Eric A. (2005). Creating a National Framework for Cyber Security: An Analysis of Issues and Options. CRS RL 32777, Congressional Research Service, The Library of Congress, February 22, 2005. p. 6, 1–56.
8. The White House, The National Strategy to Secure Cyberspace. Washington, DC: The White House, February 2003.
9. Paller, A. (2006). Research Director, The SANS Institute, Bethesda, Maryland. Presentation at Carnegie Mellon University, May 2006.
10. Commentary from Guidance for Writers on Wiley Handbook of Science and Technology for Homeland Security (2006). John Wiley and Sons, Hoboken NJ.
11. Executive Office of the President, Office of Science and Technology Policy, Department of Homeland Security, Science and Technology Directorate (2004). The National Plan for Research and Development in Support of Critical Infrastructure Protection, Washington, DC, pp. 23–67 provides detail in each policy area (total pages 1–81).
12. The Institute for Information Infrastructure Protection www.theI3P.org.
13. Critical Infrastructure Protection Workshop for Academic and Federal Laboratory R&D Providers (2005). Science and Technology Directorate, Department of Homeland Security, Washington, DC, June 29, 2005.
14. IEEE Special Session on Integration and Interoperability of National Security Information Systems (2006). Cambridge, MA, June 8–9, 2006.
15. Kean, T. H., Hamilton, L. H., Ben-Veniste, R., Kerrey, B., Fielding, F. F., Lehman, J. F., Gorelick, J. S., Roemer, T. J., Gorton, S., Thompson, J. R. (2004). The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States, W.W. Norton and Company, Inc., New York, pp. 423–428 (total pages).
16. U.S. Department of Homeland Security (2005). Interim National Infrastructure Protection Plan, Washington, D.C., February 2005, pp. 38–39 (total pages 1–35).
17. U.S. Department of Defense (2005). Strategy for Homeland Defense and Civil Support, Washington, D.C., June 2005 pp. 36–38 (total pages 1–40).
18. National Science and Technology Council (2006). Interagency Working Group on Cyber Security and Information Assurance. Federal Plan for Cyber Security and Information Assurance Research and Development, National Science and Technology Council, Washington, April 2006.
19. Voeller, J. (2006). OSTP, December 2006.
FURTHER READING
US Department of Justice. Computer Crime and Intellectual Property Section www.cybercrime.gov.
US Government Accountability Office (2001). Testimony before the Subcommittee on National Security, Veterans Affairs, and International Relations, House Committee on Government Reform. Homeland Security: Key Elements of Risk Management Statement of Raymond J. Decker, Director Defense Capabilities and Management, October 12, 2001. www.house.gov
International CIIP Directory, based on the G-8 CIIP Experts Initiative. E-mail ciip-directory@niscc.gov.uk for more details.
Other US Government documents: National Strategy for the Physical Protection of Critical Infrastructure and Key Assets; National Strategy for Homeland Security; National Strategy to Secure Cyberspace.
David, M. (2002). Concepts for Enhancing Critical Infrastructure Protection Relating Y2K to CIP Research and Development, Santa Monica.
National Infrastructure Security Co-ordination Center (NISCC) www.nisc.gov.uk.
THREATS AND CHALLENGES TO HOMELAND SECURITY
David M. Weinberg
Practical Risk LLC, Rio Rancho, New Mexico
1 THREAT SPECTRUM
This survey article is not meant to be exhaustive in detail or citations. Rather, it highlights some conventional threats and challenges and also attempts to tease the reader to consider some less conventional threats. This is done to stimulate the interest of members of the research community and to encourage them to play their role in one of the most complicated issues facing the United States and its people. Within the context of governmental homeland security, the word threat has different meanings to different people and organizations. This article attempts to look at threat in conventional and some unconventional ways. Similarly, the term challenges carries much semantic heft, and it too will be considered in terms of conventional ways and otherwise. Threat is commonly taken to mean that set of activities and purposes aimed at doing harm. Although this definition may be thought to specifically refer to the threat of terrorism, it actually applies to natural hazards and catastrophic accidents as well. A discussion of threat can be broad indeed. Conventionally, terrorism threat is generally dissected into two components: namely, intent (to perform an act) and capability (resources, including intellectual, to accomplish the act). Recent work by Williams [1, 2] adds a third dimension (or metric), at least to radical jihadist terrorism, namely, authority. Within the Department of Homeland Security (DHS), some workers also break capability into subcomponents such as the intellectual capability to conceive and design what is needed for an attack and the capability to infiltrate the nation, organize all necessary manpower and material logistics, and remain undetected until the attack is executed. Clearly, the topic of threat includes getting into our adversary’s head. This topic is being addressed by the National Consortium for the Study of Terrorism and Responses to Terrorism (START) [3].
Therefore, for the purposes of this article, it is preferable to start this discussion with something a bit simpler than threat and examine things that could cause harm in a somewhat more generic sense.
2 TYPES OF THREATS AND CHALLENGES
Terrorism attacks can generally be broken into those that are physical attacks (e.g. 9/11), virtual attacks (e.g. computer hacking and viruses), and a category best described as “other”. Physical attacks represent a broad spectrum of possible attack modes
(often referred to as threats or threat vectors) that include the likes of much of what is seen in the media on an all-too-frequent basis. These attacks include improvised explosive devices (IED), a mode faced repeatedly by our troops in Iraq; backpack bombs such as used in the London and Madrid bombings; and suicide vests seen worldwide. An IED’s big brother is a vehicle or vessel borne improvised explosive device (VBIED), differing from the IED in its delivery mechanism, size, and potential for destruction. These two attack modes or threat types make up the greatest statistical population of terrorist attacks across the world [4, 5]. Less often experienced within the homeland are other physical attacks that include assassinations and kidnapping, although we have seen terrorists carry out these modes of attack on US citizens abroad. These conventional physical attacks represent a type-of-attacks spectrum, namely from the somewhat impersonal attack on a group to the very personal attack on an individual. In both cases, there is some individual or group that has conspired to directly harm the homeland and/or its citizens by using a specific designed-for-purpose weapon. As a class, such threats are fairly predictable in their effect, and to some degree, in their standard practices and procedures. While various types of attacks are “pigeonholed” below for convenience of discussion, it is acknowledged that such summarization may contribute to artificially discretizing what is a continuous, multidimensioned spectrum. For brevity and simplicity, multiple attacks, whether simultaneous or along a predetermined timeline, are not addressed. The reader is referred to other portions of this volume to investigate some of the complications raised by these attack scenarios.
2.1 Conventional Physical Attacks
Attacks can be direct or indirect.
Protection and prevention against terrorist acts is a problem not unlike the “inverse problem” in conventional deterministic modeling. Given a result, some (perhaps very large) set of paths exists to go from the initial condition to the observed result (each path representing one determined path). The security problem faced, of course, is that all paths cannot be interdicted, so judgments must be made regarding the various paths and actions taken to disrupt a most likely path. Evaluation of multiple paths is not unlike the approach taken by law enforcement and counterterrorism by “thinking like the criminal/terrorist”, and defining what set of things must be brought together for the act to be realized. It becomes a problem in inductive logic whereby the system of reasoning extends deductive logic to less-than-certain inferences [6]. In this example, a sequence of events leading to the result is believed to support the conclusion, but does not ensure that this conclusion is right. Unfortunately, inductive approaches can miss the unanticipated event [7], sometimes with horrific consequences such as 9/11. The predictability of such types of direct physical attacks, however, is hampered not only by the number of possible attack paths needed to be considered for interdiction but also by the ingenuity of the adversary. Adversarial ingenuity is demonstrated frequently by their design and use of less well-known weapons (e.g. peroxide-based explosives, the root cause of our inability to take containers of liquids on airplanes, and home-built armor-piercing explosively formed projectiles (EFPs) used in Iraq) and by their ability to quickly adapt to countermeasures, and it presents an enormous challenge to the nation. Subsequent to 9/11, a federal directive was promulgated throughout the rail and chemical sectors to cease shipments of chlorine gas, fearing that a rail car might be attacked in a populous area, killing or injuring many. A few days later, the directive was lifted
because high-density population areas needed chlorine to purify drinking water supplies. Within about 90 days of the attack on the Pentagon, the Blue Plains Wastewater Treatment Plant in Southwest Washington, DC, converted its process so that large tanks of chlorine and sulfur dioxide (an equally hazardous gas) would be essentially eliminated from the plant site and switched to an alternative technology. These examples illuminate preventive actions against what many call indirect attacks because terrorists could use existing infrastructure against the nation. During its first 4 years, the DHS spent significant resources identifying terrorist-created chemical releases as an indirect attack mode with the result that a new organization was created to define and ensure security standards across the chemical industry. The existence of standards across a sector, however, does not necessarily correlate to security. For instance, chemical contamination of a foodstuff could cause as much damage and panic as the release of a noxious plume from some manufacturing plant. Equally insidious, counterfeit materials (parts or substances) used in sensitive applications can also constitute threats to people, or in some cases, economic well being. In an open society, tracking materials—and people—from origin to endpoint creates a sociological problem, which the nation continues to struggle with.
2.2 Nonconventional Physical Attacks
The attacks described above are classed as being conventional in nature because the means of executing them are reasonably straightforward. Similarly, the tactics used and results obtained from these attacks are conventional. There are, however, less conventional types of attacks of importance to the nation. At the forefront, of course, is that group of attacks termed weapons of mass destruction/effect (WMD/E). Those attacks are covered elsewhere in this volume and are not discussed here.
Another unconventional, but not unknown, attack is that class considered denial of use attacks. These scenarios encompass a myriad of agents dispersed into, on, or around infrastructure important to continuity of operations. The anthrax attacks in 2001 using the US Postal Service’s Trenton Processing and Distribution Center as a delivery system are one example of such a denial of use attack. Unfortunately, in the case of the 2001 attacks, 5 of the 22 citizens exposed to the spores succumbed. Subsequently, then-Senator Tom Daschle’s office suite in the Hart Building on Capitol Hill was found to have anthrax contamination, causing building evacuation and shutdown of the government mail service until decontamination efforts could clean the premises for occupancy. The Trenton postal facility was not reopened until March 15, 2005, some three and a half years after the contamination was discovered. Had this attack been to a “critical” commercial facility (i.e. one that is essential to the nation and without substitute), it is questionable whether the corporate enterprise or the country could have survived such a lapse in service. Another scenario that could result in denial of use is that of a radiological dispersion device (RDD). In this scenario, radionuclides from any number of sources could be dispersed using explosive or aerosol means and could result in denial of use for years, even decades depending on the material used. Biological and RDD attacks are not necessarily aimed at creating many casualties. Rather, the true goal may be the economic hardship and/or the fear created within the population that works in or near the facility, thereby preventing the facility from performing its necessary function. Although such attacks on a neighborhood retail facility may cause no great harm to the nation or inconvenience to the population, there are many facilities
that if shut down for extended periods of time can seriously impact the national economy (Wall Street) or national security (single-source for critical military component). Two other nonconventional attack types being faced by the nation include virtual (cyber) attacks and attacks being staged by hostile nation-states. The former of these is dealt with extensively elsewhere in this volume, and the latter lies outside the scope of the volume. Neither is discussed here. Other nonconventional attacks that seem farfetched, but nonetheless could wreak havoc throughout America also exist. They are called attacks here for the purpose of continuity, but they actually represent broad challenges as well. The first of these types constitutes a form of economic attack by currency, trade, or resource manipulation. These attacks could emerge from nation-states, but could also come from other, even transnational groups bent on controlling some particular part of the commercial or financial market. One example that happened, but was notably nonnefarious, was the over $300b investment in high-profile commercial American real estate by the Japanese in the 1980s. In the early 1990s, market forces reduced the value of these investments by as much as 50% [8]. While this example is one of arguably benign global investing, the question posed becomes “What if intentions are nefarious?” One such example is clearly illustrated by the 1960 formation of the Organizations of Exporting Petroleum Countries (OPEC) and subsequent withholding of oil exports to the United States in the early 1970s and 1980s. Although academicians continue to argue over the root causes of the embargos, the net result was an energy crisis in the United States that, at least in part, was driven by a political stance taken to punish the alleged wrongdoer. 
Other technical and geopolitical events eventually nullified the problem, but as a nation, the problem has still not gone away; we are more dependent on foreign oil imports (by over a factor of two) than we were when the embargoes were first exercised 30 years ago. How can the United States protect itself from such economic attacks? “Energy Independence”, while making a catchy bumper sticker, is as demonstrably lacking in substance as “Financial Independence”. The effects of globalization are rooted deep in American society, and our interdependencies on both external supplies of energy and money create a formidable challenge in a world of highly heterogeneous cultures. Another nonconventional attack that lies well beyond media headlines constitutes an equally formidable challenge. Simply put, it is the attack, perhaps self-inflicted, that the nation faces with respect to its intellectual infrastructure. Most readers can recall at least one article within the last year chiding “education in this country” for poor scores in science and math, relative to the rest of the world. It is similarly recognized that American colleges and universities are “educating the world”. The implications of failing elementary and secondary education for its citizens and excellence at the college level attracting students from across the globe are not straightforward. However, two examples might be useful in stimulating research into how the nation can address this challenge. Corporate recruiters are always looking for the “best and brightest” regardless of the particular type of expertise they represent. For jobs within the United States, significant resources must be spent if the desired employee is not a US citizen. For jobs within the government that require a security clearance, US citizenship is even more important.
Looking at technical fields, the percentage of US graduate students who are US citizens has been decreasing for decades (except for a brief reversal following 9/11 [9]). A recent article [10] states that:
“International students, especially at the graduate level, are considered an important brainpower infusion to the United States. In certain fields like engineering and physical sciences, foreign students account for more than 40 percent of total students at the graduate level, according to CGS (Council of Graduate Studies). ‘There is not a strong domestic pipeline in those disciplines,’ said Catharine Stimpson, dean of New York University’s Graduate School of Arts and Sciences. ‘The U.S. has a strong dependence on international talents.’”
The implications of US dependence on offshore intellectual infrastructure are discussed at length by Canton [11]. As the scientific and technical challenges to homeland security evolve, finding qualified personnel will represent sociological and educational challenges as difficult as anything in engineering or the sciences. Like the national physical infrastructure, our intellectual infrastructure is sufficiently intertwined with that of other nations that unilateral solutions (intellectual independence) are impossible. From a threat perspective, denial of access to information or knowledge can be an effective attack not dissimilar to denial of use.
3 ORIGIN OF THREATS
Within the scope of an overview article, exhaustive enumeration of all of the various sources of threats that play a role in homeland security would be redundant to other articles in this volume, and could go on for volumes in themselves. For greatest simplicity, four general types of threat considered here are international terrorism, domestic terrorism and hate groups, natural hazards, and catastrophic accidents. Three are anthropogenic, hence to some degree they can be defended or prevented, but the results of all four must be considered in the context of response and recovery.
3.1 International Terrorists
According to the Memorial Institute for the Prevention of Terrorism, there are over 1200 international terrorist groups [12], all of whom have agendas at odds with normal political intercourse. Although national attention has highlighted Al-Qaeda since 9/11, other groups are also “on the radar”. Specific motivational differences between the groups are not of importance to this article. Rather, it is important to understand what kinds of attacks against what kinds of infrastructures may be posed by the transnational terrorists. As mentioned earlier, intent and capability are two venerable types of information needed to judge how realistic a threat from a particular group may be. Also mentioned earlier is the newer concept of authority, at least for radical Muslim jihadists. For more insight into this aspect, the reader is referred to the work of Williams cited below. It may be that his concept could be extended to other groups as well. Simply put, the execution of any particular terrorist event depends on someone effectively saying “Go”. Williams shows the role played by fatwas, legal and religious justifications, and speeches given by radical Muslims intent on causing harm. However illogical, that role—choice of target type, what is and is not acceptable behavior during the execution of the attack, and the weapons used (each providing important insights to potential defenders)—can also be
seen in historical criminal behaviors (e.g. anecdotal prohibition of violence on family members by the Mafia). Getting this kind of insight is an immense challenge for the nation if only because these reasonings and rationalizations are dynamic even within the groups themselves. Complexity is not a reason to avoid trying to understand these drivers, but developing an institutional understanding of another culture can take decades.
3.2 Domestic Terrorists and Hate Groups
The April 19, 1995, bombing of the Alfred P. Murrah Federal Building in Oklahoma City by disaffected military veterans brought national attention to a threat nexus that had largely been ignored by the public since publicity of the Symbionese Liberation Army, the Black Panthers, and others in the 1970s. Timothy McVeigh and Terry Nichols’ attack graphically demonstrated how ill-prepared the country was for dealing with violent acts perpetrated by its own internal terrorists. Organized domestic terrorist groups such as the Aryan Nation, the Ku Klux Klan, and the New Order reside in the twilight between a “conventional” terrorist group and a “conventional” hate group. The line separating the two may be dim. However, radicalization by Muslim jihadists and others in homeland prisons is a growing and morphing threat, which is not necessarily racially based. Without dwelling on fine distinctions between domestic terror and hate groups, the result of their actions can still terrorize segments of our society or citizens within a particular region. All this compounds the problem of operating cells of transnational groups (e.g. Al-Qaeda, Al-Fuqra, and Aum Shinrikyo) that may form alliances of convenience with domestic groups, including criminal enterprises, possibly with or without their explicit knowledge. Groups such as the Animal Liberation Front and Earth Liberation Front often raise parochial headlines, but are not broadly thought of as national threats.
3.3 Naturally Occurring Challenges

In the simplest terms, natural hazards can be classed into those that are to some extent predictable, allowing the population to take some preparatory measures, and those that “come out of the blue”. The former would include floods, hurricanes, tornados, some biological events, and wildfires (initiated by lightning strikes). The latter would consist of earthquakes, some biological events, and some volcanic eruptions. Man has been living with and fearing the vicissitudes of Mother Nature for millennia. But only recently has technology developed to the extent that some of these threats can be prevented (in rare cases) or engineered around to reduce consequences. Medicinal prophylaxis is arguably the most illustrious example of man’s ability to prevent a threat from causing harm to health. Certain structures such as levees and dams can mitigate catastrophic impacts but do not prevent threats to them, often making them critical facilities. Similarly, preparations for hurricanes and tornadoes may mitigate impacts, as do buildings designed for earthquakes; but such natural hazards are unique (no two will be exactly alike in consequence or response) and will occur as long as natural processes continue. As demonstrated too well, the national response to Hurricane Katrina was reminiscent of the response to the tragedy of 9/11. Interruptions to the global integration of economies [13] caused by natural disasters and the continuing interweaving of physical and commercial infrastructure (i.e. chemical feedstocks from Mexico and oil and gas energy from Canada) not only represent serious
challenges to homeland security professionals, but also pose a great scientific challenge. Clearly, knowledge-based actions have been shown to have saved lives through weather modeling. Scientific efforts and innumerable data collection efforts have saved lives by evacuating some remote Oregon areas prior to the eruption of Mt St Helens. However, such apparently academic pursuits are rarely seen (or funded) as homeland security efforts; yet the products of these research fields provide much information in the effort to prevent serious consequences of these threats.

3.4 Catastrophic Accidents

In ways similar to natural hazards, catastrophic accidents create impacts that might be indistinguishable from terrorist attacks. Such accidents could include the rupture of rail tank cars filled with toxic chemicals, the core meltdown at a nuclear power plant, a space shuttle crashing, equipment wear/burn-out with catastrophic failure, and so on. Unfortunately, all of these examples did (or nearly did) happen in recent history, but fortunately none occurred in large US population centers. For all intents and purposes, the possibility of the “event that never happened” spawned the field of probabilistic risk assessment (PRA) back in the 1970s when the government and private industry had to develop ways to plan for the risk of such events. The pursuit of PRA and fault-tree analyses by statisticians and engineers over the past three decades has helped reduce the likelihood of such catastrophic events by creating engineering and public safety standards that have prevented Bhopal- or Chernobyl-type events here. These disciplines continue to offer insights into the nation’s homeland security.
4 PREVENTION AND PROTECTION

In J. Cummings’ article in this volume, he refers to Merriam-Webster’s online dictionary for some important definitions [14]. Prevention is defined in several, interlinked ways. Simply put, the DHS seeks to ensure that attacks on the homeland and its people do not occur. Often this is thought to be primarily a function of the intelligence and counterterrorism agencies; those aspects are covered elsewhere in the Handbook. Protection is essentially defined as shielding from an event or attack. Taking these definitions and the threat spectrum discussed above as the context for the technical challenges the nation faces, four activities evolve that provide focus for security professionals, namely: detect the threat, deter the attack, defend against its outcomes, and/or devalue the target. Much is written elsewhere in the Handbook regarding the first three of these, but the last one, devaluing the target (for the attacker), brings into play resiliency and redundancy.

Redundancy is an important and useful way to devalue any given target. However, redundancy is largely an asset-by-asset approach that provides protection from a single-point-of-failure situation. While this approach has been taken by some parts of the private sector, it is not physically or economically feasible to create redundancy for many of the nation’s most important infrastructure assets. A large hydroelectric dam is where it is in part because of unique geography. Refineries are extremely expensive and, considering issues as divergent as pipeline connectivity and environmental regulation, cannot easily be duplicated.

Resiliency is a concept that applies to individual assets and to systems or networks of assets. Simply put, resiliency is a design property that allows the asset, network, or
system to “fail gracefully”, or in such a way as to allow consequences of the failure to be minimized. Consider the automobile tire that you can drive on even after it is ruptured. Self-healing materials and networks are under intense study now, and will continue to play a growing role in homeland security. Greater sophistication in modeling and simulation is also giving rise to designing ways such that systems may actually heal themselves or fail gracefully. However, resiliency must become even broader. We recognize that the interdependencies of the nation’s infrastructure are far-reaching and mostly poorly understood. Work in this arena is addressed in the Handbook section titled System and Sector Interdependencies, and the reader is referred to that section for more details.
5 CHALLENGES TO DHS

Some challenges to the DHS and the nation are scattered within the context of the threat spectrum. Many of these challenges are obvious and straightforward, such as sensors for detecting harmful substances or organisms, materials that can provide more and better protection by strengthening facilities while keeping costs reasonable, and software tools to frustrate cyber attacks before they can damage our physical and/or economic infrastructure. Technical challenges related to catastrophic accidents mimic those for natural hazard and terrorism attacks when it comes to physical infrastructure protection. Conventional attacks, by terrorists, nature, or accidents, all require advances in a variety of scientific and engineering endeavors. Less conventional, however, are the security considerations and approaches that will be needed to protect new technologies as they are deployed throughout our infrastructure. There are also two other challenges that the DHS faces as an institution that represents and works for the nation.

5.1 Defining the Unacceptable

In some ways, this problem is reminiscent of the problem faced by the Environmental Protection Agency since its inception: “How clean is clean?” Within an attack context, it becomes “How bad (number killed or hurt, dollars lost, people traumatized, etc.) is bad?”, and “What constitutes acceptable losses?” As painful as these questions are to contemplate, they must be considered. Since its inception, the DHS has provided billions of dollars to state, local, tribal, and territorial governments in the form of grants to make the nation safer from terrorism attacks. Both 9/11 and Hurricane Katrina brought public attention to the simple fact that very large-scale events are a national issue requiring a national response. But at what price and for how long?
There is no politically correct answer to the question of how many casualties are acceptable, but unfocused funding and unnecessary preventative processes and material are equally unacceptable. The DHS Secretary, Michael Chertoff, stated that “risk management must guide our decision making as we examine how we can best organize to prevent, respond and recover from an attack”. To allocate resources, money, material, or personnel, the DHS must prioritize. However, prioritization, like triage, requires that choices be made regardless of how uncomfortable they may be. For many reasons, classical statistics cannot help in the prediction of terrorist attacks, although they have proven useful, at least to the insurance industry, in helping to plan for natural events. There remains, however, the paradox of quantitative (defensible but often technically intricate) versus qualitative (what seems
right, albeit possibly quite subjective) solutions within the political environment where there will be winners and losers for federal resources. Making those choices is a significant challenge for the DHS.

5.2 Communicating to the Public

In today’s era of 24/7 global news, Edward R. Murrow once said “The newest computer can merely compound, at speed, the oldest problem in the relations between human beings, and in the end the communicator will be confronted with the old problem, of what to say and how to say it.” This concept is particularly pertinent to homeland security in general. In simple terms, most people ask two questions: “How likely is something bad to happen?” and “If that bad thing happens, how bad will it be?” Insight into how the government and private industry have attempted to communicate answers to these questions in the past is, sometimes humorously, documented by Lewis [15]. Most people have great difficulty in fathoming just how likely any number of bad things really are. Schneier said [16], “I think terrorist attacks are much harder than most of us think. It is harder to find willing recruits than we think. It is harder to coordinate plans. It is harder to execute those plans. It is easy to make mistakes. Terrorism has always been rare, and for all we have heard about 9/11 changing the world, it is still rare.” Even a casual review of terrorism incidents as compared to violent crimes proves him out. Communicating the risk of both man-made and natural catastrophic events remains a major challenge to the DHS and the nation as a whole.
6 RESEARCH NEEDS

The complexities of our nation’s infrastructure belie simple listings of technological needs. The same complexities require bringing together very complicated components, systems, and results. Such complications and the challenges they bring form most of this Handbook. For this author’s part, however, there are three major categories of research needs that will help move us closer to a more secure nation.

The first of these includes more sophisticated modeling and simulation (M&S) of extremely rare events, terrorist systems, and networks, and outcomes from conventional and unconventional attack modes. Thanks to massive increases in computational capabilities, M&S can now be done for problems that only a decade ago were intractable. However, M&S is not reality, nor will it ever replace all of the possibilities that reality represents. That said, M&S does provide important insights into phenomena (physical, virtual, and even psychological) that otherwise could simply not be gathered. For instance, today’s blast models are based on materials with energy equivalent to trinitrotoluene (TNT). The damage done to structures is modeled with a characteristic pressure wave caused by a certain amount of that explosive located at a specified distance from the modeled structure. However, despite the number of plots accomplished and foiled that utilized “bathtub” or peroxide-based explosives, little is known about their explosive characteristics against a variety of target types. It is infeasible to run experiments on all possible combinations of conventional and other explosives and targets. Therefore, more work is needed to better define envelopes of behaviors enabling better-informed protective decisions to be made. Similar statements can be made regarding impact of natural hazards on man-made structures. Some level of experimentation has
been done, but many of the historical impacts do not translate directly to today’s infrastructure and their interdependencies. In this author’s opinion, the M&S of the nation’s infrastructure interdependencies is the single greatest and perhaps most difficult M&S infrastructure security challenge facing the nation. It is a problem of such complexity and across so many orders of magnitude that it will take decades to master.

Knowledge management is a second category of research needs. Information overload has become a major challenge in today’s technological world. While new sensors and other data are collected (see the Sensing and Detection section of this volume), how we translate the data first into information and then into knowledge is pushing security professionals (and their IT systems) to their limits. Managing all of that in a retrievable way has become a significant and expensive challenge. Within the last decade, IT architectures began evolving from strictly hierarchical to more relational ones. More work needs to be done in this and associated areas in the pursuit of data, information, and knowledge. It is only when easily accessible broad knowledge across many disciplines is fused with judgment that decision makers can plot the best path for their enterprise or the nation.

More research in the social and psychological sciences constitutes the third area of great need for the DHS and the nation. There are two over-arching drivers for these areas to be addressed. First, great good can be accomplished by extensive and excellent scientific advances in all sorts of technologies. While supporting science at large, how these advances can be used to support the making of federal policy, in fact, provides the true return on investment for the government.
Second, inasmuch as the government’s role is to establish and execute the political will of the nation through policy, gathering data on what the nation wants, needs, and how willing they are to accept it is a supremely difficult task. In some measure, the challenge of communication feeds this research need as well, because policy is fed by communication, which in turn needs to be communicated back to the nation. Within infrastructure protection, a clear understanding of the risks run, and therefore the protection and prevention activities required to address that risk, must be communicated to the consumer, for in the end, it is the consumer that will have to live with the decisions driven by those risks, or less desirably, the perception of those risks. Alfred Hitchcock, who knew something about creating terror in people’s minds, stated: “There is no terror in a bang, only in the anticipation of it.” By being psychologically and socially prepared for the bang, regardless of it being man-made or natural, the impact of the event can be reduced.
7 CONCLUSIONS

The extent of this Handbook’s Table of Contents illustrates that homeland security is as complex as life itself. Invigorated by the terror attacks of 9/11, homeland security has expanded to include any and all catastrophic events. Total protection from and prevention of catastrophes is not achievable. However, their impacts to the nation can be partially mitigated by technology, partially by barriers (including regulation and legislation), and to a significant degree by knowing and understanding the risk, which includes threat, the knowledge and understanding of which must be objective, and not be used for fear mongering. In hindsight, the 9/11 attacks are understandable, perhaps even predictable. The perpetrator’s ability to execute an attack must be seen as the target of protection and prevention technology. It is within our nation’s ability to impact the execution of
an event, be it from terrorists or man-made mistakes, and by so doing prevention and protection will make their contribution to homeland security.
REFERENCES

1. Williams, J. F. (2007). Authority and the role of perceived religious authorities under Islamic Law in terrorist operations. Proceedings Federalist Society—Georgia State University, Atlanta.
2. Williams, J. F. (2007). Al-Qaida strategic threats to the international energy infrastructure: authority as an integral component of threat assessment. Proceedings Carlton University—Ottawa Center for Infrastructure Protection, Ottawa Canada.
3. National Consortium for the Study of Terrorism and Responses to Terrorism (START). http://www.start.umd.edu/, 2008.
4. Memorial Institute for the Prevention of Terrorism. http://www.mipt.org/IncidentTacticModule.jsp, 2007.
5. National Consortium for the Study of Terrorism and Responses to Terrorism. http://209.232.239.37/gtd1/charts/weapon type pie.gif and http://209.232.239.37/gtd2/charts/weapon type.gif, 2008.
6. Stanford Encyclopedia of Philosophy, http://plato.stanford.edu/entries/logic-inductive/, 2008.
7. Taleb, M. N. (2007). The Black Swan—The Impact of the Highly Improbable. Random House, New York, p. 366.
8. Pristin, T. (2005). Commercial real estate; echoes of the 80’s: Japanese return to U.S. market. The New York Times, http://www.nytimes.com/2005/01/26/business/26prop.html.
9. Kujawa, A. (2005). Foreign Student Enrollment at U.S. Graduate Schools up in 2005, http://www.america.gov/st/washfile-english/2005/November/20051107160749aawajuk0.8633234.html.
10. Du, W. (2007). Foreign Student Enrollment Rebounds in U.S.; MSNBC, http://www.msnbc.msn.com/id/20393318/.
11. Canton, J. (2006). The Extreme Future—The Top Trends That Will Reshape the World in the Next 20 Years. Plume, New York, p. 371.
12. Memorial Institute for the Prevention of Terrorism. http://209.232.239.37/gtd2/browse.aspx?what=perpetrator, 2008.
13. Friedman, T. L. (2005). The World is Flat. Farrar, Straus, and Giroux, New York, p. 660.
14. Merriam-Webster online dictionary. http://www.merriam-webster.com/, 2008.
15. Lewis, H. W. (1990). Technological Risk. WW Norton & Company, New York, p. 353.
16. Schneier, B. (2006). The Scariest Terror Threat of All, http://wired.com/politics/security/commentary/securitymatters/2006/06/71152.
FURTHER READING

Chalk, P., Hoffman, B., Reville, R., and Kasupski, A.-B. (2005). Trends in Terrorism. RAND Corporation, Santa Monica, CA, p. 75.
Garcia, M. L. (2006). Vulnerability Assessment of Physical Protection Systems. Elsevier, Amsterdam, p. 382.
Haimes, Y. Y. (2004). Risk Modeling, Assessment, and Management. John Wiley & Sons, New York, p. 837.
Jenkins, B. J., Crenshaw, M., Schmid, A. P., Weinberg, L., Ganor, B., Gorriti, G., Gunartna, R., and Ellis, J. O., Eds. (2007). Terrorism: What’s Coming—The Mutating Threat. Memorial Institute for the Prevention of Terrorism, Oklahoma. website: http://www.terrorisminfo.mipt.org/pdf/Terrorism-Whats-Coming-The-Mutating-Threat.pdf9.
Kline, M. (1967). Mathematics for the Nonmathematician. Dover Publications, New York, p. 641.
Mueller, J. (2006). Overblown. Free Press, New York, p. 259.
Post, J. M. (2005). The Al-Qaeda Training Manual; USAF Counterproliferation Center, Maxwell Air Force Base, U.S. Government Printing Office 2005-536-843, p. 175.
Presidential Decision Directive 63: Protecting America’s Critical Infrastructures. The White House, May 28, 1998, http://www.fas.org/irp/offdocs/pdd-63.htm.
Ridgeway, J. (2004). It’s All for Sale. Duke University Press, Durham & London, p. 250.
Roberts, P. (2005). The End of Oil. Houghton Mifflin Company, New York, p. 399.
Sauter, M. A., and Carafano, J. J. (2005). Homeland Security. McGraw-Hill, New York, p. 483.
Schneier, B. (2006). Beyond Fear. Springer, New York, p. 295.
Securing Our Homeland. Department of Homeland Security Strategic Plan, Washington, DC, (http://www.dhs.gov/xlibrary/assets/DHS StratPlan FINAL spread.pdf).
TERRORIST ORGANIZATIONS AND MODELING TRENDS

Irmak Renda-Tanali
University of Maryland University College, Adelphi, Maryland

Christopher D. Hekimian
DXDT Engineering and Research, LLC, Hagerstown, Maryland
1 INTRODUCTION

The US Joint Tactics, Techniques and Procedures (JTTP) for Antiterrorism, Joint Publication 3-07.2 as cited in [1] states: “The terrorist organization’s structure, membership, resources, and security determine its capabilities and reach”. Any method of analysis and understanding that can be directed against the broad threat posed by terrorist organizations (TOs) can contribute to mitigation strategies. Moreover, since TO activities are often covert, and government secrets regarding intelligence pertaining to TOs are closely guarded, knowledge, understanding, and analytical tools may be the only assets that analysts have to direct toward terrorism threat mitigation. Understanding the structures
and modes of operation of terrorist groups is a key enabler in the assessment and mitigation of the terrorism threat. Organizational structures of terrorist groups that may appear complex during initial assessments may be more understandable when laid out in systematically modeled formats. This article focuses on existing and ongoing efforts related to terrorist data analysis and modeling aspects that deal with terror risk mitigation.
2 SCIENTIFIC OVERVIEW

The research in support of understanding the construct and operation of TOs can be categorized into (i) studies that focus on definition/conceptual issues; (ii) case studies of particular regions, countries, movements, and events; (iii) counterterrorism and crisis management; (iv) terrorism data analysis and modeling, and other related topics. This article deals with terrorism data analysis and modeling. An overview of the seminal thinkers and works on terrorism studies was provided by Hopple in reference 2. Although there is no universally agreed upon definition of terrorism, various definitions exist and have been adopted by organizations worldwide. Therefore it is helpful to disclose the definition up front with the disclaimer that other definitions may or may not be equally valid for the discussion at hand.

Key research on the current bases for classification and categorization of TOs has been summarized in unclassified military documents that are referenced in this article. Other sources on the topic include US Congressional reports and other government and academic reports. The RAND organization provides a large amount of recent research on the operation and function of TOs and has been cited multiple times in this article. A large amount of current research pertaining to the organizational structures of TOs and how those structures tend to affect operations and vulnerabilities is available in military and academic reports and journal articles by Fatur (2005), Shapiro (2005), and Hoffman (2004). There is a wide range of organization modeling methods and scholarly research, including case studies, dissertations, theses, and articles, which have been cited in each section of this article.
The work of Barry Silverman of University of Pennsylvania, in modeling terrorist behavior, and of Kathleen Carley of Carnegie-Mellon, in network organization modeling, is at the forefront of the advancement of these methods and their application. The reader is encouraged to obtain these documents to find more detailed information on those topics that are beyond the scope of this article.
3 TERRORIST ORGANIZATIONS

3.1 Terrorism Definitions

The definition of what constitutes “terror”, “terrorism”, and hence a “terrorist” or “terrorist organization”, is a matter of significant debate. Some embrace the position that one man’s terrorist is another man’s freedom fighter. In fact, there is a plurality of reasonable definitions suitable to provide context and focus to discussions on homeland security. For example, a study conducted by the Federal Research Service of the United States Library of Congress [3] presents the following definition for terrorism:
“[T]he calculated use of unexpected, shocking and unlawful violence against noncombatants . . . and other symbolic targets perpetrated by a clandestine member(s) of a sub-national group . . . for the psychological purpose of publicizing a political or religious cause and/or intimidating or coercing a government(s) or civilian population into accepting demands on behalf of the cause.” (Reference 3, p. 12)
Ganor [4] further restricts the definition given above by stipulating that the targets must be civilian and attacked to attain political aims. Given a definition of terrorism, a terrorist group can be defined as an organizational structure that employs terrorism as a means to further its goals. Terrorist groups can be defined as organizations based on the following criteria set forth by Crenshaw (Reference 5, p. 466):

• The group has a defined structure and processes by which collective decisions are made.
• Members of the organization occupy roles that are functionally differentiated.
• There are recognized leaders in positions of formal authority.
• The organization has collective goals which it pursues as a unit, with collective responsibility for its actions.

A report by the National War College entitled Combating Terrorism in a Globalized World [6] states: “Collectively, terrorist organizations pose the single greatest threat to American and international peace and prosperity” (Reference 6, p. xix). Through links with other TOs, organized crime, drug traffickers, and state and corporate sponsors, TOs constitute a kind of de facto nation, complete with the ability to conduct war [6].
The potential targets of terrorist attacks can be summarized as

• the direct victims of the attack;
• members of society who are threatened by the prospect of being victims of similar attacks;
• the wider audience of the act who are intended to receive the message that the TO is a force to be reckoned with;
• government entities whose hand the terrorists are trying to force.

4 TERRORIST ORGANIZATION CONCEPTS

In a broad sense, TOs can be visualized in terms of a set of concentric rings. In the center of the rings is the leadership of the organization. The area just outside the leadership area represents the operations cells, where the responsibility for tactical planning and execution of operations resides. The area outside the operations ring represents the network of those sympathetic to the organization’s cause. The sympathizers provide financial support to the organization either directly or indirectly [7]. The following sections describe key concepts associated with TOs, including TO members, TO funding sources, organizational learning for TOs, and TO functions and capabilities.
4.1 TO Members

Members of TOs may typically fall into one of the four general classifications [8]:

1. Leaders, providing direction and policy.
2. Cadres, planning and conducting operations and maintaining logistics, intelligence operations, and communications.
3. Active supporters, engaging in political and fund-raising activities.
4. Passive supporters, sympathizers based on shared end goals or through fear.

“[P]assive supporters can be useful for political activities, fund-raising or through unwitting or coerced assistance in intelligence gathering or other nonviolent activities” (Reference 8, p. 3–2). Members of TOs may progress upward through the power structure by earning the trust of leadership over time or through other factors such as familial or tribal relationships. Trust is likely to be earned through participation in risky operations. After a member has proven to be dedicated to the cause and capable, they are more likely to be rewarded with a leadership role. Typically, leaders are less likely to be involved directly with terrorist tactical operations [9].

4.2 TO Funding
TOs typically rely on any combination of six basic sources of funding [9]:

1. direct contributions from private individuals;
2. donations from charitable institutions;
3. government sponsors;
4. legitimate businesses;
5. contributions from members;
6. profits from criminal enterprises (robbery, kidnapping, hijacking, extortion, trafficking, gambling, black market, etc.).
A TO may be state supported. Sometimes the support exists due to intimidation or extortion. Some governments may support the terrorist’s cause ideologically, but disagree with some of the methods employed by the TO. Most financial support for TOs originates from nongovernment sources [10].

4.3 Organizational Learning in TOs

A study of organizational learning within terrorist groups sets forth that in order for terrorist groups to endure, they must adapt to conditions around them (e.g. threats, technology, and societal factors) and within them (e.g. compromise of key organizational elements) [11]. The greater the ability of a TO to learn, the more effective it can be in choosing targets, identifying vulnerabilities for the maximum desired impact of attacks, and avoiding and confounding counterterrorism efforts [11]. Learning within the TO, and the ability to convey knowledge and information in a timely manner, affects the ability of the organization to adapt and survive [11]. The type of organizational structure of a TO and its communication resources will impact the ability of a TO to learn,
share knowledge, and adapt. According to Hopmeier [12], this is evolution, which TOs do much better than governments or counterterror organizations, because their response time is much smaller and their “bureaucratic inertia” is less due to the smaller size.

4.4 TO Size

TOs can be of various degrees of maturity and capability. However, the nature of terrorism is such that a large organization is not required to complete a large scale attack that is successful from the terrorist’s perspective (e.g. the bombing of the Alfred P. Murrah federal building in Oklahoma City) [8]. TOs are often interconnected such that mutual aid is provided among them. Examples of such aid might be the supply of weapons, ammunition, or training; referral or vetting of personnel; sharing of safe havens; and of course, the exchange of intelligence. In effect, even a small TO may be able to make use of information and resources that they otherwise would not have access to without the support of a greater terrorist community [6]. Emergent terrorist groups can act as proxy or under guidance from larger organizations with more experience and resources. Smaller groups can be absorbed by larger organizations. Several small, hierarchical organizations might coalesce into a larger networked one. Conversely, a smaller organization might splinter off from a larger one. The splintering may occur due to strategic reasons or over disagreements over transitions of power. Each method of formation carries with it implications with respect to the organizational structure, experience level, and capabilities of the resulting organizations [8].

4.5 TO Functions

A 2005 RAND organization report says: “In order to act effectively, a TO must be able to organize people and resources, gather information about its environment and adversaries, shape a strategic direction for actions of its members, and choose tactics, techniques and procedures for achieving strategic ends” (Reference 11, p. 95).
Generally, TOs must address certain key functions, including [11]

• training
• logistics
• communications
• fund-raising
• collaboration/interface with other TOs or sponsors
• intelligence
• operational security
• tactical operations
• recruiting
• indoctrination.
Large organizations are also likely to have medical services that are organic to their structure. Well-funded organizations may participate in social services within their regions
of influence. Distributing food, providing jobs, and organizing educational and youth activities are all ways of developing and strengthening ties within the communities upon which they rely for cover, support, and new recruits [11].

4.6 TO Categories and Classifications

The military guide to terrorism in the twenty-first century [8] categorizes TOs as follows:

• structure—including hierarchical and networked (such as chain, hub, and flat networks);
• government affiliation—including nonstate supported, state supported, and state directed (operating as an agent of a government);
• motivation—separatist, ethnocentric, nationalistic, revolutionary;
• ideology—including political (for example, right wing, left wing, and anarchist); religious; social (for example, animal rights, abortion, environment, and civil rights);
• international scope—for example, domestic; international (i.e. regional and routinely operational in multiple countries within a specific region); transnational (i.e. transcontinental or global or routinely operational in multiple countries and in multiple regions).

A US Congressional Research Report from 2004 [13] identifies even more characteristics associated with [foreign] TOs. These additional characteristics are included in the following list:

• goals and objectives
• favored tactics
• primary areas of operation
• links with other groups
• business associations
• composition of the organization membership
• nonterror activities.

To understand the motivations and actions of TOs more thoroughly, some researchers have found it useful to categorize them as either political or fanatic [7]. Political TOs tend to use terrorism as a means to achieve political goals. On the other hand, fanatic groups tend to be more interested in violence as an end in itself. These groups may have lost sight of their political goals or may be locked in a cycle of revenge, or may have more criminal interests [7]. Most TOs are politically or religiously motivated such that they can benefit from the association with some legitimate or otherwise popular cause [6]. The US Department of State list of Designated Foreign Terrorist Organizations includes religious as well as various national separatist organizations and ideologically inspired organizations. TOs focusing on racial separatism, opposition to abortion, animal rights, and environmental issues are not uncommon in many of the westernized nations [14].

4.7 Organizational Structures of TOs

The two general categories of structure for TOs are networked and hierarchical. Terrorist groups may be structured as a combination of the two types. Hierarchical organizations are characterized by a well-defined vertical command and control structure. The lower level functional elements of hierarchical organizations are usually specialized (e.g. logistics, operations, and intelligence) as opposed to being stand-alone elements whose capabilities span those same specialties. The latter type is more characteristic of networked organizations [8].

Hierarchical organizational structures are characterized by leadership that is centralized in terms of authority. Although the centralized leadership structure provides more organizational control over doctrine, motivation, and operations, these structures are usually more dependent on communication channels, structured logistics, and disciplined membership. These dependencies represent additional vulnerability to successful penetration or counterterror operations [7].

A terrorist network that is of distributed (decentralized) structure tends to be more capable of operation when key leadership is eliminated [15]. However, since terrorist activities are often covert and because modern information and communication systems are susceptible to being intercepted and analyzed, significant challenges to communications and the transfer of funds exist throughout these kinds of TOs. Owing to inexperience, fear of compromise or of leaving an evidence trail, record keeping is likely to be done sparingly or not at all in some cases, adding to the uncertainty and unaccountability of actions within the networked organization [9].

TOs that are bound by broader beliefs, such as religious, environmental, or moral, do not require the type of coordination that politically motivated organizations do.
Consequently, networked structures of more or less self-sufficient operational cells distributed geographically are suitable to conduct their operations over a wide area and in cooperation with other like-minded organizations. The leadership of such organizations or of a particular “movement” can set broad goals, and networked TOs can independently choose targets and act against them in a manner that they see fit. The whole organization will expect to benefit in terms of influence and publicity and the attainment of its collective goals [8]. If a network becomes excessively distributed, it tends to lose much of its organizational aspects and instead becomes more of an idea or concept [16].

A correlation has been identified between the general structure of a TO and its ideology or motivating principles [8]. For example, Leninist or Maoist groups tend toward hierarchical structure (implying centralized leadership). Hierarchical groups are better suited for coordination and synchronization with political efforts. Larger organizations tend to adopt a networked, cellular structure at some point to reduce the risk of security breaches and counterintelligence failures [8].

4.8 TO Enabling Factors

According to the National War College report, the “most prominent contributing factors that enable terrorism to flourish” are (Reference 6, p. 54)

• poverty and economic and social inequities;
• poor governance with economic stagnation;
• illiteracy and lack of education;
• resentment to the encroachment of western values;
• unpopular foreign policies among potential target countries.

5 MODELS

A current trend in terrorist threat mitigation is to employ technology in the form of analytical tools such as models, simulations, and data mining software to derive understanding about TOs where hard intelligence resources are limited or nonexistent. A general knowledge of the prevalent models of terrorist organizational structures can be expected to lead to a better understanding of the threat, functionality, capabilities, and vulnerabilities of the organization [8]. The following sections discuss, in general terms, the most current analytical methods employed in the modeling and analysis of TOs.

5.1 Network Models

To conduct network analysis on a terrorist group, one typically represents the members of the group as nodes, and the links between the nodes represent associations such as chain of command or resource dependencies [17]. The relative number of links emanating from a node tends to suggest a leadership position within a network, or otherwise, a key resource node [17]. When there are many short paths passing through a member, a gatekeeper role is likely. A gatekeeper acts as a facilitator between subgroups of a network [17]. Nodes (members) that are not linked are likely to exist in separate subgroups [7].

Organizational network modeling programs are available that can automatically identify the links per node of a network and present the results graphically in a top-down (hierarchical) fashion or in a rose form where the most influential nodes are located in the center of the diagram. The same programs can be used to identify subgroups within the network [18].

The NetBreaker modeling and analysis tool developed by Argonne National Laboratory [19] takes as input a list of known organization members (and their functions, if known), along with any unknown members and any known or hypothesized interactions involving the group. The interim analysis result is a set of all the possible terrorist networks that could include the input set. The interim analysis is based on validated network formation rules. Subsequent questions and rules are applied to reduce the size of the interim solution set, thereby homing in on the most likely actual structure of the organization. This kind of analysis is useful for identifying key functionaries in the network and for identifying vulnerabilities so that counterterror efforts can be more keenly focused.

The information required as input to network modeling tools is more likely to be found in a centralized terror network. Compromised elements of a centralized terrorist network will tend to lead, ultimately, to other elements. However, centralized structures can be expected to operate through well-established leadership chains and have well-organized communication and logistics channels. Distributed networks tend to be more difficult to identify or eliminate since leadership communication and logistics channels can be expected to be shorter. For distributed networks where elements act with more autonomy and with greater independence, it tends to be more difficult to identify dependencies between network elements.

Network modeling methods can be useful for determining what subgroups exist within a network. Moreover, the following information may be uncovered [20]:

• Whether subgroups are subordinate to one another.
• Whether the subgroups exist within a common logistics chain.
• Whether the subgroups have members in common.
• Whether the subgroups rely on one another for operational or financial support.
• Whether the overall network is centralized or distributed in form.
• What roles do members or subgroups play?

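
The three readings of a network described in Section 5.1 (links per node, short paths passing through a member, and unlinked subgroups) can be computed directly from a link list. The following is an added example, not part of the handbook and not the code of NetBreaker or any cited tool; the node labels and links are constructed, and betweenness centrality is assumed here as the measure of "many short paths passing through a member", since the text names no specific metric.

```python
from collections import deque

# Constructed sample data: anonymous node labels and association links.
NODES = ["A", "B", "C", "G", "P", "Q", "R", "X", "Y", "Z"]
LINKS = [
    ("A", "B"), ("A", "C"), ("B", "C"),   # first tightly linked subgroup
    ("P", "Q"), ("P", "R"), ("Q", "R"),   # second tightly linked subgroup
    ("A", "G"), ("G", "P"),               # G is the only tie between them
    ("X", "Y"),                           # pair with no known link to the rest
]                                         # Z: listed node with no known links


def build_graph(nodes, links):
    """Undirected adjacency sets; every listed node appears, linked or not."""
    adj = {n: set() for n in nodes}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def degree(adj):
    """Links per node: a high count suggests a leader or key resource node."""
    return {n: len(nbrs) for n, nbrs in adj.items()}


def betweenness(adj):
    """Brandes' algorithm on an unweighted graph: for each node, the number
    of shortest paths between other pairs of nodes that pass through it."""
    score = dict.fromkeys(adj, 0.0)
    for src in adj:
        order, preds = [], {n: [] for n in adj}
        paths = dict.fromkeys(adj, 0)
        dist = dict.fromkeys(adj, -1)
        paths[src], dist[src] = 1, 0
        queue = deque([src])
        while queue:                      # BFS counts shortest paths from src
            v = queue.popleft()
            order.append(v)
            for w in sorted(adj[v]):
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    paths[w] += paths[v]
                    preds[w].append(v)
        dep = dict.fromkeys(adj, 0.0)
        for w in reversed(order):         # back-propagate path dependencies
            for v in preds[w]:
                dep[v] += paths[v] / paths[w] * (1 + dep[w])
            if w != src:
                score[w] += dep[w]
    # Undirected graph: each pair was counted from both ends, so halve.
    return {n: s / 2 for n, s in score.items()}


def subgroups(adj):
    """Connected components: nodes with no path between them fall apart."""
    seen, groups = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        group, queue = [], deque([start])
        seen.add(start)
        while queue:
            v = queue.popleft()
            group.append(v)
            for w in sorted(adj[v] - seen):
                seen.add(w)
                queue.append(w)
        groups.append(sorted(group))
    return groups


def top(scores):
    """Nodes sharing the highest score."""
    best = max(scores.values())
    return sorted(n for n, s in scores.items() if s == best)


if __name__ == "__main__":
    graph = build_graph(NODES, LINKS)
    print("most links:        ", top(degree(graph)))
    print("gatekeeper (paths):", top(betweenness(graph)))
    print("subgroups:         ", subgroups(graph))
```

In this constructed graph the link count and the path count point at different nodes: A and P have the most links, while G, with only two links, carries every shortest path between the two subgroups.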
Clues to the structure of TOs can be uncovered that may lead to insights as to where limited counterterrorism resources can be directed for the most effect. For example, if a network is found to be more of a centralized structure, penetrating or destroying the nucleus of the network would tend to offer the greatest impact against the network as a whole. Similarly, when chain-like dependencies and linkages to subgroups are identified, whole operational cells (subgroups) could be effectively cut off and temporarily isolated with a “surgical” application of counterterror operations [17].

5.2 Network Influence Models

Influence models are derived from network models. They are based on an assumption that for the most part, members with more links attached to them have influence over those members with fewer links. The degree of influence is taken as a degree of importance of an individual to the organization as a whole [18]. Influence diagrams are intended to capture the interrelationship of factors pertinent to a given decision at a snapshot in time. Therefore, unlike causal and Bayesian models that are discussed in the following section, they have the weakness of being insensitive to causal factors and decision-making processes [21].

5.3 Causal and Markov Modeling

Causal modeling of TOs is a method of identifying precursor conditions and/or actions that lead to some other condition or action on behalf of the TO. Some of the questions that causal modeling would address might be as follows [2]:

• What conditions lead a TO to evolve from a nationally focused one to a transnational organization?
• How do national characteristics manifest in TOs?
• How are large events, including natural disasters, likely to affect TOs?
• What is the relationship between political activity and terrorism activities?

Causal models can be built based on a Markov chain construct where actions, conditions, and decision points are modeled in a flow chart fashion. Transition from one node in the Markov chain to another will occur based on a probability determined by the current state of the model (i.e. what conditions are currently prevailing within the TO), and not based on precursor conditions that led the TO to the current state. Known information can be compared with a validated causal model to identify the patterns associated with specific terrorist activities and threats [22].

5.4 Bayesian Models

Bayesian models built on the Markov technique are used to answer high-level questions regarding a TO based on more conditions that can affect the transition of state. The types of questions that are answered might include the following: Will the organization merge with another? Will it attack a specific target? Will it escalate an attack? The Bayesian aspect of the modeling method addresses the decision-making processes and reactions within the organization that are conditioned upon previous actions and the current state of affairs. The Markovian aspect of the model defines the basic processes associated with operating a TO or planning or carrying out a terrorist attack. Bayesian (probabilistic) decisions are derived at different states along a chain of Markov-modeled events based on the plurality of conditions. The combined result of the Bayesian and Markov modeling is a complex model that can be used as a test bed for antiterrorism policy [23] and as a foundation for agent-based models such as those described in Section 5.6.

5.5 Dynamic Organizational Theory

Although the structure of a TO may hold clues to its strengths and/or vulnerabilities, understanding the dynamic aspects of the organization is also of great interest. The dynamic aspects might reveal under what conditions certain key functions such as training, recruiting, and funding become critically challenged or significantly enabled. Any probabilistic rules governing the likely responses of the organizational behavior to counterterror, bureaucratic, or societal stimuli are of interest to those planning antiterror strategies or conducting risk mitigation [24]. DeGhetto sets forth that organization theory (i.e. the study of organizational dynamics) and, specifically, organizational decline theory can be used effectively against TOs [25]. The agent-based modeling (ABM) methods described in the following section provide a means for testing counterterror strategies such as those outlined in DeGhetto’s thesis [25].

Terrorist group decline factors, as identified by Kent Layne Oots, are the lack of entrepreneurial leadership, recruitment, ability to form coalitions with other groups, political and financial outside support, internal and external competition, and internal cohesiveness [26]. Preemption, deterrence, backlash, and burnout are the main factors for terrorist group decline, as identified by Gurr and Ross [27]. Another factor might be the failure of legitimate or illegitimate commercial ventures that the organization might be involved in.

5.6 Agent-Based Models and Complex Adaptive Systems

A system modeled as a set of independently simulated, interacting, and adaptive “agents” is referred to as a complex adaptive system (CAS). Modeling a TO as a CAS is often effective in bringing out the dynamic aspects of the organization. The agents that comprise a CAS are themselves models of dynamic entities such as people or other groups or organizations. The rules that govern agent behaviors are typically based on a large set of empirical and/or random variables [24]. Basic agent rules might govern movement, trading behavior, combat, interaction with the environment, cultural behaviors, and interaction between sexes and noncombatants [28].

In a sense, with ABM, a model of a relevant portion of the world, with as many relevant factors and conditions represented as possible, is developed. Within that world,
a TO is modeled as a CAS comprising many free-acting agents (perhaps sharing the same goal or motivations) that are programmed to behave and respond like real people. The combined result of the agents responding independently to conditions, other agents, and stimuli is an emergent and unpredictable higher level organizational behavior [24].

ABM in the context of a dynamic network model allows internal reactions and regrouping of a TO to be anticipated when one or more members are compromised or eliminated. The capability also can be used to help identify terrorists or to identify hidden dependencies on critical personnel or resources [29]. ABM provides a kind of “flight simulator” functionality that can serve as a test bed for trying various tactical and policy approaches in response to the terror threat and under a wide range of conditions [30]. Simulations based on ABM are also useful to determine the limits of an organization’s capabilities.

5.7 Human Behavior Models

In ABM, modeled agents can have individual human characteristics, including personality traits such as temperament, dedication to the group, and ambition. These traits provide input to behavioral models. The actions and roles of the agents are subject to rules of social interaction and broader guiding principles [19]. A human behavior model developed by Barry Silverman et al., University of Pennsylvania, includes, for example, over 100 interdependent submodels of anthropological, physiological, medical, societal, cultural, religious, and political factors. The models have been incorporated into sophisticated, game-like simulations with life-like avatars, each with specific personalities and motivations. The models can be used to train in counterterror operations and to help identify terrorists based on interactions with others and patterns of behavior [29].

5.8 Population Dynamics Models

High-level modeling of TOs in terms of the size of the organization is taking place at the University of Maryland, Center for Technology and Systems Management (CTSM). Terrorist population dynamics (TPD) models rely on data pertaining to the growth and contraction of terrorist network population over a given time interval to estimate factors such as current terrorist population size, typical rates of growth and contraction of the TO, and correlations of TO size with activities and societal forces acting outside of the TO [31].

6 RESEARCH DIRECTIONS

The effectiveness of the modeling and analytical methods described in this article is limited by the quality and accuracy of the information that the models are provided with and are based on. Increasingly, models and historical data are turned to in order to fill the gaps in knowledge about TOs that are the result of otherwise poor intelligence. Models can be expanded but the ability to validate the models based on known facts about TOs will continue to be a challenge.
Case studies directed toward validation of the methods will always be valuable. A common set of metrics is needed on which to base evaluations of models and their specific applications. These metrics will allow a host of model and analytical techniques to be evaluated against each other in the context of a wide range of questions, TOs and conditions.

Areas for continued research include the hybridization of some of the methods described in the article. Review of the literature indicates that TO dependencies on resources such as arms, real properties, various kinds of communications, and transportation can be more rigorously modeled, perhaps revealing new insights or points of vulnerability. The flow of specific commodities within a TO can provide clues to the timing, nature, and scale of pending attacks.

A recurring theme in the literature is that TOs inevitably persist under challenged conditions that are often exclusive to covert, illegal, and largely unpopular organizations. The notion that TOs do not face at least the same problems as other large organizations, including bureaucracy, conflict, fraud, poor morale, attrition, and financial hardship, is not founded based on the research. Consequently, the opportunity exists to aggravate and exploit some of these factors to mitigate the threat posed by TOs [25] [9].

REFERENCES

1. US Joint Chiefs of Staff. Joint Tactics, Techniques and Procedures (JTTP) for Antiterrorism, U.S. Government Joint Chiefs of Staff 3-07.2. (Revised first draft). 2004 Apr 9. (FOUO) Referenced in [7], pp. 3–1.
2. Hopple, G. W. (1982). Transnational terrorism: prospectus for a causal modeling approach. Terrorism Int. J. 6(1), 73–100.
3. Library of Congress, Federal Research Center. (1999). The Sociology and Psychology of Terrorism: Who Becomes a Terrorist and why. Report. Washington (DC), 1999 Sept. 186. There are other standard definitions. One compendium is provided by the Terrorism Research Center Inc, URL: http://www.terrorism.com.
4. Ganor, B. (2002). Defining terrorism: is one man’s terrorist another man’s freedom fighter? Police Pract. Res. 3(4), 287–304.
5. Crenshaw, M. (1985). An organizational approach to the analysis of political terrorism. Orbis 29(3), 465–489.
6. National War College Student Task Force on Combating Terrorism. (2002). Combating Terrorism in a Globalized World. Report. National War College, Washington, DC, 2002 Nov. 88 pages.
7. Franck, R. E., and Melese, F. (2004). Exploring the structure of terrorists’ WMD decisions: a game theory approach. Def. Secur. Anal. 20(4), 355–372.
8. U.S. Army Training and Doctrine Command. (2005). A Military Guide to Terrorism in the Twenty-First Century; TRADOC DCSINT Handbook, Number 1 Chapter 3: Terrorist group organization, Leavenworth, KS, 3-1–3-12. Available from http://www.fas.org/irp/threat/terrorism/index.html; Internet; accessed Jan. 28, 2007.
9. Shapiro, J. (2005). The greedy terrorist: a rational-choice perspective on terrorist organizations’ inefficiencies and vulnerabilities. Strateg. Insights 4(1), 13.
10. Mickolus, E. (2005). How do we know if we are winning the war against terrorists? Issues in measurement. Stud. Conflict Terrorism 25(3), 151–160.
11. Jackson, B. A., Baker, J. C., Cragin, K., Parachini, J., Trujillo, H. R., and Chalk, P. (2005). Aptitude for Destruction: Volume 2: Case Studies of Organizational Learning in Five Terrorist Groups. RAND Corporation, Santa Monica, CA, p. 216, available from: http://www.rand.org/pubs/monographs/2005/RAND MG332.pdf, accessed 2007 Feb. 24.
12. Hopmeier, M. Unconventional. (2007). Terrorism Expert, Interview by phone. 2007 Mar. 18.
13. Cronin, A. R., Aden, H., Frost, A., and Jones, B. Congressional Research Service [CRS]. (2004). Foreign terrorist organizations. Report for Congress. Library of Congress; 2004 Feb. 6. 111. Available from: http://www.fas.org/irp/crs/RL32223.pdf, accessed 2007 Feb. 24.
14. National Defense University (US) [NDU]. (2002). Chemical, Biological, Radiological, and Nuclear Terrorism: the Threat According to the Current Unclassified Literature. Center for the Study of Weapons of Mass Destruction. ISN Publishing House, p. 46, available from: http://www.isn.ethz.ch/pubs/ph/details.cfm?v21=94077&lng=en&id=26595, accessed 2007 Feb 24.
15. Fatur, R. B. (2005). Influencing transnational terrorist organizations: using influence nets to prioritize factors, [masters thesis]. Air Force Institute of Technology Wright-Patterson AFB OH School of Engineering and Management, 2005 June. 94 p. A523634.
16. Hoffman, B. (2004). The changing face of Al Qaeda and the global war on terrorism. Stud. Conflict Terrorism 27(6), 549–560.
17. Xu, J., and Chen, H. (2005). Criminal network analysis and visualization. Commun. ACM 48(6), 101–107.
18. Brams, S., Mutlu, H., and Ramirez, S. L. (2006). Influence in terrorist networks: from undirected to directed graphs. Stud. Conflict Terrorism 29(7), 679–694.
19. North, M. J., Macal, C. M., and Vos, J. R. (2004). Terrorist organizational modeling. Argonne National Laboratory: NAACSOS Conference, Pittsburgh, PA, 2004 June 27; n.d., p. 4 http://www.casos.cs.cmu.edu/events/conferences/2004/2004 proceedings/North Michael.doc., accessed Feb 24, 2007.
20. McAndrew, D. (1999). The structural analysis of criminal networks. In The Social Psychology of Crime: Groups, Teams, and Networks, Offender Profiling Series, III, D. Canter, and L. Alison, Eds. Dartmouth, Aldershot.
21. Clemen, R. T., and Reilly, T. (2001). Making Hard Decisions with Decision Tools. Duxbury Resource Center, Belmont, CA, p. 752.
22. Coffman, T. R., and Marcus, S. E. (2004). Dynamic classification of groups through social network analysis and HMMs. IEEE: Aerospace Conference 2004, BigSky, MO, 2004 Mar. 6, IEEE, 2004, p. 8.
23. Tu, H., Allanach, J., Singh, S., Pattipati, K. R., and Willett, P. (2005). Information Integration via Hierarchical and Hybrid Bayesian Networks [Internet]. Storrs, CT: [cited 2007 Feb. 24]. p. 14, available from: http://servery.engr.uconn.edu/cyberlab/Satnam/docs/HHBN.pdf.
24. Elliott, E., and Kiel, L. D. (2004). A complex systems approach for developing public policy toward terrorism: an agent-based approach. Chaos Solitons Fractals 20, 63–68.
25. DeGhetto, T. H. (1994). Precipitating the decline of terrorist groups: a systems analysis, [master’s thesis]. Naval Postgraduate School, Monterey, CA, Mar. 24. 89 p.
26. Oots, K. L. (1989). Organizational perspectives on the formation and disintegration of terrorist groups. Terrorism 12(3), 139–152.
27. Ross, J. I., and Gurr, T. R. (1989). Why terrorist subsides: a comparative study of Canada and the United States. Comp. Polit. 21(4), 405–426.
28. Epstein, J. M. (1989). Agent-based computational models and generative social science. Complexity 4(5), 41–60.
29. Goldstein, H. (2006). Modeling Terrorists. IEE Eng Spectrum [serial on the Internet]. 2006 Sept. [cited 2007 Jan. 30]; Available from: http://spectrum.ieee.org/print/4424.
30. Holland, J. H. (1995). Hidden Order: How Adaptation Builds Complexity. Helix Books, Reading, MA.
31. Kaminskiy, M., and Ayyub, B. (2006). Terrorist population dynamics model. Risk Anal. 26(3), 747–752.

FURTHER READING

Ackoff Center for Advancement of Systems Approaches. (2007). Available from: http://www.acasa.upenn.edu/. See for more information on agent-based social behavior models at University of Pennsylvania.
Center for Computational Analysis of Social and Organizational Systems (CASOS). (2007) http://www.casos.cs.cmu.edu/terrorism/projects.php. See for more information on social network modeling efforts at Carnegie Mellon University.
Farey, J. D. (2003). Breaking Al Qaeda cells: a mathematical analysis of counterterrorism operations (a guide for risk assessment and decision making). Stud. Conflict Terrorism 26, 399–411.
Gunaratna, R. (2005). The prospects of global terrorism. Society 42(6), 31–35.
Gunaratna, R. (2005). Responding to terrorism as a kinetic and ideological threat. Brown J. World Aff. 11(2), 243.
Johnston, R. (2005). Analytic culture in the U.S. intelligence community. The Center for the Study of Intelligence. CIA, Pittsburgh, PA, p. 184, available from: http://www.fas.org/irp/cia/product/analytic.pdf, accessed n.d.
Klerks, P. (2001). The network paradigm applied to criminal organizations: theoretical nitpicking or a relevant doctrine for investigators? Recent developments in the Netherlands. Connections 24(3), 53–65.
Krebs, V. E. (2001). Mapping networks of terrorist cells, Connections 24(3), 43–52.
Newman, M., Barabasi, A. L., and Watts, D. J. (2006). The Structure and Dynamics of Networks. Princeton University Press, Princeton, NJ.

RISK COMMUNICATION—AN OVERLOOKED TOOL IN COMBATING TERRORISM

David Ropeik
Risk Communication, Ropeik & Associates, Concord, Massachusetts

1 THE NEED

The terrorist attacks on September 11, 2001, killed approximately 3000 people, directly. But the death toll was higher. 1018 more Americans died in motor vehicle crashes
October through December 2001 than in those 3 months the year before, according to researchers at the University of Michigan’s Transportation Research Institute. As those researchers observe “ . . . the increased fear of flying following September 11 may have resulted in a modal shift from flying to driving for some of the fearful” [1]. 1018 people died, more than one-third the number of people killed in the attacks of September 11, in large part because they perceived flying to be more dangerous and driving less so, despite overwhelming statistical evidence to the contrary. As much as 17% of Americans outside New York City reported symptoms of posttraumatic stress two months after the September 11, 2001, attacks [2]. Even 3 years later, a significant number of Americans were still suffering serious health problems as a result of that stress. In a random sample of 2000 Americans, people who reported acute stress responses to the 9/11 attacks, even if they only watched the events on television, had a 53% increased incidence in doctor-diagnosed cardiovascular ailments like high blood pressure, heart problems, or stroke for up to 3 years following the attacks. The impact was worse among those who continued to worry that terrorism might affect them in the future. These people were three to four times more likely to report a doctor-diagnosed cardiovascular problem [3]. The Oxford English Dictionary defines terrorism as “the action or quality of causing dread”. But that definition is inadequate. The dread caused by terrorism is just an intermediate outcome. More important are the health effects that result from such fear. Terrorism injures and kills both directly—from the attacks themselves—and indirectly, from what has been called the social amplification of risk, from the behaviors and stress that our worries produce [4]. Risk communication is an underutilized tool for combating those effects and minimizing the harm that terrorism can cause.

2 RISK COMMUNICATION DEFINED

The term risk communication arose largely as a result of environmental controversies in the 1970s, when public concern was high about some relatively low threats to human and environmental health. Scientists, regulators, and the regulated community described this public concern as irrational, and in their frustration they looked for ways to make people behave more rationally (as defined by those experts), especially about issues such as air and water pollution, nuclear power, and industrial chemicals. The goal of early risk communication was rarely to enlighten people so that they might improve their health. It was frequently to reduce conflict and controversy, an effort to talk people out of opposing some product or technology of which they were afraid. One researcher defined risk communication as “a code word for brainwashing by experts or industry” [5].

But risk communication has evolved. This article will use the following definition:

“Risk communication is a combination of actions, words, and other messages responsive to the concerns and values of the information recipients, intended to help people make more informed decisions about threats to their health and safety.”

That definition attempts to embody the ways that risk communication has matured over the past two decades. The consensus among experts in the field now rejects the one-way “We’ll teach them what they need to know” approach. A National Research Council effort to move the field forward produced this definition in 1989. “Risk communication is
an interactive process of exchange of information and opinion among individuals, groups, and institutions. It involves multiple messages about the nature of risk and other messages, not strictly about risk, that express concerns, opinions, or reactions to risk messages or to legal and institutional arrangements for risk management” [6]. In other words, risk communication should be considered a dynamic two-way street. Both sides get to talk, and both sides have to listen, and respond to input from the other.

More fundamentally, and intrinsic to the idea of the two-way street, is the growing acceptance among risk communication experts that risk means something different to the lay public than to scientists and regulators. “Risk” is perceived as more than a science-based rational calculation by the general public. Other attributes, like trust, dread, control, and uncertainty, also factor into the judgments people make about what they are afraid of. As risk communication has evolved, more and more experts in the field agree that both the science-based view of experts and the affective view of risk among the general public are valid, and both must be respected and incorporated if communication about risk is to be effective. This evolution is summed up in Risk Communication and Public Health, edited by Peter Bennett and Kenneth Calman:

“ . . . there has been a progressive change in the literature on risk:
• from an emphasis on ‘public misperceptions’, with a tendency to treat all deviations from expert estimates as products of ignorance or stupidity
• via empirical investigation of what actually concerns people and why
• to approaches which stress that public reactions to risk often have a rationality of their own, and that ‘expert’ and ‘lay’ perspectives should inform each other as part of a two-way process” [7].

The evidence that illuminates what actually concerns people and why requires discussion at some length. A solid body of careful research from a number of fields has established that the lay public’s perception of risk is based on a dual process of fact-based analysis and intuitive, affective factors. The Greek Stoic philosopher Epictetus said “People are disturbed, not by things, but by their view of them.” Understanding the roots of what shapes those views allows the true dialogue of modern risk communication to take place.
3 THE BIOLOGY OF FEAR
Neuroscientists have found that what we consciously describe as fear begins in a subcortical organ called the amygdala. Critically for risk communication, in very simplified terms, information is processed in the amygdala, the part of the brain where fear begins, before it is processed in the cortex, the part of the brain where we think. We fear first and think second [8]. That alone suggests that risk communication that merely attempts to communicate the facts, without factoring in the emotional issues involved, will not be as successful. There is also neuroscientific evidence suggesting that as we process information, we fear more, and think less. Neural circuits have been identified that lead from the
amygdala to parts of the cortex, circuits which, in essence, trigger a “fight or flight” response (accelerated heart rate, hormonal responses, etc.). The pathways coming back into the amygdala from the thinking “rational” cortex have also been identified. And there are more circuits out of the amygdala, the organ that stimulates a fear response, than there are circuits coming back in from the “thinking” brain, which could moderate that response. So when we encounter information that might pose a threat, we generally fear first and think second, and fear more and think less. This basic description of the way the human brain is physically wired has fundamental implications for risk communication and dramatically reinforces the importance of findings from social science, which explain why risk means one thing to experts and another to the lay public.
4 RISK PERCEPTION PSYCHOLOGY
Some of what we are commonly afraid of seems instinctive: snakes, heights, the dark, and so on. But how do we subconsciously “decide” what to be afraid of, and how afraid to be, when the threat does not trigger an instinctive reaction; when we hear about a new disease, product, or technology, or when we try to gauge the risk of something against its benefits, or when we witness an act of terrorism? How does the human mind translate raw data into our perceptions of what is risky and what is not? The answers can be found in two literatures, both critically relevant to risk communication. The first is the study of how people generally make judgments of any kind, including judgments about risk, under conditions of uncertainty. The second is the specific study of the psychology of risk perception, which has identified more than a dozen affective attributes that tend to make some threats feel more worrisome than others, even when our apprehension is not consistent with the scientific data.
4.1 General Heuristics and Biases
The discovery of systematic heuristics and biases—mental shortcuts—that we use to make choices under uncertainty, when we do not have all the facts, or all the time we need to get all the facts, or all the intellectual ability to fully understand the facts we have, was led by, among others, Daniel Kahneman, who was awarded the 2002 Nobel Gold Medal in Economics for his work. Kahneman and others identified a number of mental processes that simplify decision making when time or complete information is not available. This field has direct relevance for risk communication, as noted in a seminal paper on risk perception: “When laypeople are asked to evaluate risks, they seldom have statistical evidence on hand. In most cases, they must make inferences based on what they remember hearing or observing about the risk in question.” “These judgmental rules, known as heuristics, are employed to reduce difficult mental tasks to simpler ones” [9].
Here are a few of the heuristics and biases relevant to risk perception, and therefore to risk communication.
• Availability. “ . . . people assess the . . . the probability of an event by the ease with which instances or occurrences can be brought to mind” [10]. The risk of terrorism in the United States is statistically quite low. But apprehension has been elevated since September 11, 2001, in part because such an event is more “available” to our consciousness. The availability heuristic explains why, when a risk is in the news (flu vaccine issues, an outbreak of food poisoning, child abduction, etc.), it evokes more fear than when the same risk is around, at the same level, but just not making headlines.
• Framing. The way a choice is presented can distort the judgment that results. Imagine you are the mayor of a city of 1 million people and a fatal disease is spreading through your community. It is occurring mostly, but not exclusively in one neighborhood of 5000 residents. With a fixed amount of money, you can either (i) save 20% of the 5000 residents in that neighborhood, or (ii) save 0.2% of the entire city of 1 million. What do you do? A sizable number of people in risk communication classes I teach choose option (i), which produces a greater percentage effectiveness, but condemns 1000 people to death. Reframed, the choice would be: you can spend a fixed amount of money and save 1000 people or 2000. Presented that way, the choice is obvious. But the framing of the question in terms of percentages skews the judgment. Understanding the importance of framing is a key to better risk communication.
• Anchoring and adjustment. People estimate probabilities based on an initial value and adjusting from there. In one experiment, two groups of high school students estimated the sum of two numerical expressions that they were shown for just 5 s, not long enough for a complete computation. The first group was shown 9 × 8 × 7 × 6 × 5 × 4 × 3 × 2 × 1. Their median estimate was 2250. The median estimate for the second group, shown the same sequence, but in ascending order—1 × 2 × 3 × 4 × 5 × 6 × 7 × 8 × 9—was 512 [11]. Knowledge of the anchoring effect is another tool for better risk communication.
• Representativeness. This is “the tendency to regard a sample as a representation of the whole, based on what we already know” [12]. Consider two people:
  ◦ A white woman who is shy and withdrawn, with little interest in people, a strong need for order and structure, and a passion for detail.
  ◦ A young man of middle-eastern complexion who is passionate, but sullen, quick to anger, bright, and unconcerned with material possessions.
  Which one is the librarian, and which one is the terrorist? Without complete data by which to make a fully informed choice, the representativeness heuristic gives you a simple mental process by which to take the partial information and fit it into the preexisting category it represents. This suggests that risk communication must consider the patterns of knowledge and information people already have, on which they will base their response to what the communicator says.
4.2 Risk Perception Characteristics
Work in a related field, the specific study of the perception of risk, has identified a number of attributes that make certain risks feel more worrisome than others. These risk perception factors are essentially the personality traits of potential threats that help us subconsciously “decide” what to be afraid of and how afraid to be. They offer powerful insight into why “risk” means different things to the lay public than it does to experts. A few of these factors have particular relevance to terrorism.
• Trust. When we trust the people informing us about a risk, our fears go down. When we trust the process deciding whether we will be exposed to a hazard, we will be less afraid. When we trust the agencies that are supposed to protect us, we will be less afraid. If we do not trust the people informing us, the process determining our exposure to a risk, or the people protecting us, we will be more afraid. Trust comes from openness, honesty, competence, accountability, and respecting the lay public’s intuitive reasoning about risk.
• Risk versus Benefit. The more we perceive a benefit from any given choice, the less fearful we are of the risk that comes with that choice. This factor helps explain why, of more than 400,000 “first responders” asked to take the smallpox vaccine in 2002, fewer than 50,000 did. They were being asked to take a risk of about one in a million—the known fatal risk of the vaccine—in exchange for ZERO benefit, since there was no actual smallpox threat. Imagine, however, there was just one confirmed case of smallpox in a US hospital. The fatality risk of the vaccine would still be one in a million, but the benefit of the shot would suddenly look much greater.
• Control. If you feel as though you can control the outcome of a hazard, you are less likely to be afraid. This can be either physical control as when you are driving and controlling the vehicle, or a sense of control of a process, as when you feel you are able to participate in policy making about a risk through stakeholder involvement, participating in public hearings, voting, and so on. This is why, whenever possible, risk communication should include information not just about the risk (“Terrorists have attacked the food supply”), but also offer information about what people can do to reduce their risk (“Boil milk before you drink it”). Specifically as regards food-related terrorism, information about how people can participate in a food recall is of particular value, by giving people a sense of control.
• Imposed versus voluntary. We are much less afraid of a risk when it is voluntary than when it is imposed on us, as is the case in terrorism, agricultural, or otherwise.
• Natural versus human-made. If the risk is natural, we are less afraid. If it is human-made, we are more afraid. A radiologically contaminated conventional explosive—a “dirty bomb”—will evoke much more fear than radiation from the sun, which will cause far more illness and death. A natural foodborne pathogen such as E. coli O157:H will likely produce less concern than a “militarized” pathogen such as anthrax, regardless of their scientific risk profiles.
• Dread. We are more afraid of risks that might kill us in particularly painful, gruesome ways than risks that kill us in more benign fashion. Ask people which risk sounds worse, dying in a fiery plane crash or dying of heart disease, and they are likely to be more afraid of the plane crash, despite the probabilities. This factor helps explain why the United States has a “War on Cancer”, but not a “War on Heart Disease”. Cancer is perceived as a more dreadful way to die, so it evokes more fear, and therefore more pressure on government to protect us, though heart disease kills far more people annually.
• Catastrophic versus chronic. We tend to be more afraid of things that can kill a lot of us in one place at one time, such as a plane crash, than heart disease or stroke or chronic respiratory diseases or influenza, which cause hundreds of thousands more deaths, but spread out over time and location. This factor makes foodborne illness outbreaks much more frightening than the chronic presence of foodborne illness, which sickens one American in four per year.
• Uncertainty. The less we understand about a risk, the more afraid we are likely to be, as is the case with terrorism, particularly a terrorist attack on the food supply, where there will likely be many unknowns. When uncertainty exists because all the facts are not in, the fear that results must be acknowledged and respected.
• Is the risk personal. Understandably, a risk that we think can happen to us evokes more concern than a risk that only threatens others. As a demonstration of this, consider how the attacks of September 11 made terrorism a risk not just to Americans living somewhere else, but to Americans at home. Suddenly we realized “this could happen to ME!” We began referring to the United States as “The Homeland”. We could probably take the “H” and the “O” out of the word. What we are really saying is that now terrorism could happen in the “MEland”. This factor explains why numbers alone are ineffective as risk communications. One in a million is too high if you think you can be the one.
• Personification. A risk made real by a person/victim, such as news reports showing someone who has been attacked by a shark or a child who has been kidnapped, becomes more frightening than one that is statistically real, but only hypothetical.
There are a few important general qualifications about the heuristics and biases mentioned earlier, and the risk perception factors listed immediately above. Often, several of these factors are relevant for any given risk. A terrorist attack on the food supply will certainly evoke issues of trust, dread, and control, among other factors. The availability heuristic will certainly affect how afraid we are.
Also, while the research suggests that these tendencies are universal, any given individual will perceive a risk uniquely depending on his or her life circumstances, that is, age, gender, health, genetics, lifestyle choices, demographics, education, and so on. This means that although it is good risk communication practice to consider the emotional concerns of the audience, not everyone in a large audience shares the same concerns. As the National Research Council report suggests, “For issues that affect large numbers of people, it will nearly always be a mistake to assume that the people involved are homogeneous . . . . It is often useful to craft separate messages that are appropriate for each segment” [13].
5 RECOMMENDATIONS
In general, by understanding and respecting the psychological reasons for people’s concerns (or lack of concerns in the case of terrorism preparedness), risk communication strategies can be devised that take these factors into account and shape messages that are more resonant with people’s perceptions. That, in turn, increases the likelihood that the messages will be more trusted and better received, which increases the impact they will have. However, as the National Research Council report noted, “ . . . there is no single overriding problem and thus no simple way of making risk communication easy” [14]. So although this article provides suggestions on fundamentals, it cannot offer a detailed how-to guide to risk communication.
But there are several widely accepted general recommendations:
Include risk communication in all risk management policy making and action. Far more is communicated by what you do than what you say. “Risk communication . . . must be understood in the context of decision making involving hazards and risks, that is, risk management” (NRC) [15]. Consider the example cited a few pages ago of the failed Bush administration smallpox vaccination policy. Had the risk perception factor of “risk versus benefit” been considered when the policy was being discussed, officials might not have chosen a policy unlikely to meet its objectives since it asked people to take a risk (albeit low) for ZERO benefit. In other words, the policy itself, not the press releases about it, carried implicit, but very clear risk communication information that had a lot to do with how people responded. Information that affects how people think and feel about a given risk issue is conveyed in nearly all of the management actions an agency or a company or a health official takes on that issue. All risk management should include consideration of the risk perception and risk communication implications of any policy or action under review. Quite specifically, this means that organizations should include risk communication in the responsibilities of senior managers, not just of the public relations or communications staff. As the NRC report suggests, risk managers cannot afford to treat risk communication as an afterthought that comes at the end of the process after risk assessment has been done and policy set.
Recognize that the gaps between public perception and the scientific facts about a risk can lead to behaviors that can threaten public health. These gaps are part of the overall risk that must be managed.
Whether people are more afraid of a risk than they need to be or not afraid enough, this perception gap is a risk in and of itself and must be included in dealing with any specific risk issue and in all risk management and public health efforts. Consider the example of the fear of flying post 9/11. One of the messages of the federal government was, paraphrasing, “Live your normal lives or the terrorists win. Go shopping.” Had they considered the importance of the feeling of control to people’s perceptions, perhaps the message might have suggested “Live your normal lives or the terrorists win. For example, flying seems scary right now. But if you choose not to fly and drive instead, because having a sense of control makes driving safer, remember that driving is much riskier, and if you die behind the wheel, the terrorists have won.” Such a message might have saved the lives of some of those who made the choice to drive instead of fly.
Trust is fundamentally important for effective risk communication, and it is on the line with everything you do. “ . . . messages are often judged first and foremost not by content but by the source: ‘Who is telling me this, and can I trust them?’ If the answer to the second question is ‘no’, any message from that source will often be disregarded, no matter how well-intentioned and well delivered” (Bennett and Calman) [16]. Trust is determined in part by who does the communicating. When the anthrax attacks took place in the fall of 2001, the principal government spokespeople were the Attorney General, the Director of the FBI, and the Secretary of Health and Human Services, and not the head of the CDC or the US Surgeon General—doctors likely to be more trusted than politicians.
Had risk communication been included in the considerations of senior managers as the anthrax issue was beginning to develop, and incorporated into the deliberations of how to manage the overall anthrax risk, the more trusted officials would have done the majority of the public speaking, which might have done more to
help the public keep their concern about the risk of bioterrorism in perspective. This lesson should be applied to any risk communication in connection with agroterrorism.
But trust is more than just who does the talking. Trust also depends on competence. If people believe that a public health or safety agency is competent, they will trust that agency to protect them, and be less afraid than if they doubt the agency’s ability. When the first mad cow case in the United States was found in 2003, the US Department of Agriculture and Food and Drug Administration were able to point to a long list of regulatory actions they had taken for years to keep the risk low. So the actions taken by those agencies, years before the news conferences and press releases about that first case, had risk perception implications by establishing trust and thus affecting the public’s judgment about the risk and their behavior. This helps explain why beef sales in the United States after that first case was discovered were effectively unchanged.
Trust is also heavily dependent on honesty. Of course, honesty means many things. In some instances, it can mean apologizing or taking responsibility for mistakes. When leaks developed in underground tunnels that are part of a major transportation project in Boston, press attention and public criticism focused on the contractor responsible for the tunnels until the chairman of the company said at a tense public hearing “We apologize for our mistakes” [17]. (Note that the apology was made ‘sincere’ by the fact that it came from the head of the company, and the fact that the company offered to pay for repairs.) Criticism of the company dropped substantially thereafter. Another example of honesty is avoiding the desire to over-reassure. Again, the way the USDA handled mad cow disease illustrates one example.
In the years prior to that first sick cow being found, top officials never promised there was ZERO risk of mad cow disease, either in animals or in humans, just that the risk was very low. Had they followed the initial inclination of some senior USDA officials and promised that the risk was ZERO, that single first case would probably have provoked more public concern because people might have feared that the government’s overassurance was not honest and could not be trusted. And, obviously, honesty means not covering things up or telling untruths or half-truths. Being caught keeping secrets is almost always worse than revealing the information, even if damaging, first. Remember the framing heuristic mentioned above. How people think about an issue is based in part on the first way it is presented. Even if information is damaging, revealing it first gives the communicator the opportunity to “paint the first picture” of how people will think about the matter.
Adopting risk communication into intrinsic risk management requires fundamental cultural change. Sharing control, admitting mistakes, acknowledging the validity of the public’s intuitive risk perception, not keeping secrets, being open and honest . . . these are all countercultural to political, legal, and scientific organizations and people, the kinds of organizations and people who will be in charge of dealing with terrorist threats to the food supply. These are countercultural suggestions in a litigious society. They are countercultural to the myth of the purely rational decision-maker. As risk communication researcher and practitioner Peter Sandman has observed, “What is difficult in risk communication isn’t figuring out what to do; it’s overcoming the organizational and psychological barriers to doing it” [18].
Nonetheless, countless examples demonstrate how adoption of the principles of risk communication is in the best interests of most organizations, public safety officials, and politicians, as well as in the interest of public health. In the case of terrorism, they help officials with more effective risk management to protect public health. They increase
support for an agency’s overall agenda or a company’s brand and products, political support for a candidate or legislation, and they reduce controversy and legal actions. While these benefits may not be readily quantifiable, and only realized over the long term, they are real, well-supported by numerous examples, and argue strongly for the cultural change necessary for the adoption of best practice risk communication principles.
Finally, if at all possible within constraints of time and budget, any specific risk communication should be systematically designed and executed, including iterative evaluation and refinement. “We wouldn’t release a new drug without adequate testing. Considering the potential health (and economic) consequences of misunderstanding risks, we should be equally loath to release a new risk communication without knowing its impact” [19]. Risk communication messages and strategies specific to each plausible terrorist scenario should be developed in advance, and tested and revised to maximize effectiveness. Being prepared for purposeful contamination of the food supply, with various agents, at various points of entry in the farm-to-fork system, is vital to protecting public health in such events.
6 CONCLUSION
The human imperative of survival compels us to make rapid decisions about the threats we face. But this decision-making process is almost always constrained by a lack of complete information, a lack of time to collect more information, and a lack of cognitive abilities to understand some of the information we have. In response, humans have evolved a dual system of reason and affect to rapidly judge how to keep ourselves safe. In many cases these judgments work to protect us. But sometimes they can lead to behaviors that feel right, but actually raise our risk, whether we are more afraid of a relatively low risk or not afraid enough of a relatively big one. Great harm to public health can occur in such cases. To mitigate this threat, it is critical that an understanding of risk perception and its application to effective risk communication become an intrinsic part of how organizations deal with the threat of terrorism.
REFERENCES
1. Sivak, M., and Flanagan, M. (2004). Consequences for road traffic fatalities of the reduction in flying following September 11, 2001. Trans. Res. Part F 7(4-5), 301–305.
2. Silver, R. C., Holman, E. A., McIntosh, D., Poulin, M., and Gil-Rivas, V. (2002). Nationwide longitudinal study of psychological responses to September 11. JAMA 288, 11235–11244.
3. Holman, E. A., Silver, R. C., Poulin, M., Andersen, J., Gil-Rivas, V., and McIntosh, D. (2008). Terrorism, acute stress, and cardiovascular health, a 3-year study following the September 11th attacks. Arch. Gen. Psychiatry 65(1), 73–80.
4. Pidgeon, N., Kasperson, R., and Slovic, P., Eds. (2003). The Social Amplification of Risk, Cambridge University Press, Cambridge, UK.
5. Jasanoff, S. (1989). Differences in national approaches to risk assessment and management. Presented at the Symposium on Managing the Problem of Industrial Hazards: the International Policy Issues, National Academy of Sciences, Feb. 27.
6. Improving Risk Communication, (1989). National Research Council, National Academy Press, p. 21.
7. Bennett, P., and Calman, K., Eds. (1999). Risk Communication and Public Health, Oxford University Press, New York, p. 3.
8. This very simplified synthesis of LeDoux’s work comes from Ledoux, J. (1998). The Emotional Brain: the Mysterious Underpinnings of Emotional Life, Simon and Schuster, New York.
9. Slovic, P., Fischhoff, B., and Lichtenstein, S. (2001). A revised version of their original article appears. In Judgment Under Uncertainty: Heuristics and biases, D. Kahneman, P. Slovic, and A. Tversky, Eds. Cambridge University Press, Cambridge, UK, pp. 463–489.
10. Kahneman, D., Slovic, P., and Tversky, A., Eds. (1982). Judgment Under Uncertainty: Heuristics and biases, Cambridge University Press, Cambridge, UK, pp. 11–12.
11. Kahneman, D., Slovic, P., and Tversky, A., Eds. Judgment Under Uncertainty: Heuristics and biases, Cambridge University Press, Cambridge, UK, pp. 14–15.
12. Kahneman, D., Slovic, P., and Tversky, A., Eds. (1982). Judgment Under Uncertainty: Heuristics and biases, Cambridge University Press, Cambridge, UK, p. 24.
13. Improving Risk Communication, (1989). National Research Council, National Academy Press, p. 132.
14. Improving Risk Communication, (1989). National Research Council, National Academy Press, p. 3.
15. Improving Risk Communication, (1989). National Research Council, National Academy Press, p. 22.
16. Bennett, P., and Calman, K. (1991). Risk Communication and Public Health, Oxford University Press, Oxford, UK, p. 4.
17. Big Dig Firm Apologizes, Considers Fund for Repairs, (2004). Boston Globe, Dec. 3, p. 1.
18. Sandman, P. The Nature of Outrage (part1), www.psandman.com.
19. Morgan Granger, M., Fischhoff, B., Bostrom, A., and Altman, C. (2002). Risk Communication A Mental Models Approach, Cambridge University Press, Cambridge, UK, p. 180.
CROSS-CUTTING THEMES AND TECHNOLOGIES
RISK MODELING AND VULNERABILITY ASSESSMENT
TERRORISM RISK: CHARACTERISTICS AND FEATURES
Bilal M. Ayyub
Center for Technology and Systems Management, Department of Civil and Environmental Engineering, University of Maryland, College Park, Maryland
1 INTRODUCTION
Risk is associated with all projects, business ventures, and activities taken by individuals and organizations regardless of their sizes, natures, and time and place of execution and utilization. Acts of violence including terrorism can be considered as an additional hazard source. These risks could result in significant losses, such as economic and financial losses, environmental damages, budget overruns, delivery delays, and even injuries and loss of life. In broad context, risks are taken even though they could lead to adverse consequences because of potential benefits, rewards, survival, and future return on investment. Risk taking is a characteristic of intelligence for living species since it involves decision making that is viewed as an expression of higher levels of intelligence. The chapter defines and discusses terrorism risk and its characteristics and features.
2 TERMINOLOGY
Definitions that are needed for risk analysis are presented herein [1]. Several definitions are available for the term terrorism, though without a globally accepted one. The following are selected definitions:
• US Code of Federal Regulations: “ . . . the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives” (28 C.F.R. Section 0.85).
• Current US national security strategy: “premeditated, politically motivated violence against innocents”.
• United States Department of Defense: the “calculated use of unlawful violence to inculcate fear; intended to coerce or intimidate governments or societies in pursuit of goals that are generally political, religious, or ideological”.
• British Terrorism Act 2000 defines terrorism so as to include not only attacks on military personnel but also acts not usually considered violent, such as shutting down a website whose views one dislikes.
• 1984 US Army training manual says “terrorism is the calculated use of violence, or the threat of violence, to produce goals that are political or ideological in nature”.
• 1986 Vice-President’s Task Force: “Terrorism is the unlawful use or threat of violence against persons or property to further political or social objectives. It is usually intended to intimidate or coerce a government, individuals, or groups or to modify their behavior or politics.”
• Insurance documents define terrorism as “any act including, but not limited to, the use of force or violence and/or threat thereof of any person or group(s) of persons whether acting alone or on behalf of, or in connection with, any organization(s) or government(s) committed for political, religious, ideological or similar purposes, including the intention to influence any government and/or to put the public or any section of the public in fear”.
A hazard is an act or phenomenon posing potential harm to some person(s) or thing(s), that is, a source of harm, and its potential consequences. For example, uncontrolled fire is a hazard, water can be a hazard, and strong wind is a hazard. In order for the hazard to cause harm, it needs to interact with person(s) or thing(s) in a harmful manner. Hazards need to be identified and considered in projects’ life cycle analyses since they could pose threats and could lead to project failures. Threat is any indication, circumstance, or event with the potential to cause the loss of or damage to an asset. Threat can also be defined as the intention and capability of an adversary to undertake actions that would be detrimental to assets. Reliability can be defined for a system or a component as its ability to fulfill its design functions under designated operating and/or environmental conditions for a specified time period. This ability is commonly measured using probabilities. Reliability is, therefore, the occurrence probability of the complementary event to failure. For a failure event, consequences can be defined as the degree of damage or loss from some failure. Each failure of a system has some consequence(s). A failure could cause economic damage, environmental damage, injury or loss of human life, or other possible events. Consequences need to be quantified in terms of failure—consequence severities using relative or absolute measures for various consequence types to facilitate risk analysis. Risk originates from the Latin term risicum meaning the challenge presented by a barrier reef to a sailor. The Oxford dictionary defines risk as the chance of hazard, bad consequence, loss, and so on. Also, risk is the chance of a negative outcome. Formally, risk can be defined as the potential of losses for a system resulting from an uncertain exposure to a hazard or as a result of an uncertain event. Risk should be identified based on risk events or event scenarios. 
Risk can be viewed as a multidimensional quantity that includes event-occurrence probability, event-occurrence consequences, consequence significance, and the population at risk; however, it is commonly measured as a pair of the probability of occurrence of an event, and the outcomes or consequences associated with the event’s occurrence. Another common representation of risk is in the form of an exceedance probability function of consequences.
Probability is a measure of the likelihood, chance, odds, or degree of belief that a particular outcome will occur. A conditional probability is the probability of occurrence of an event based on the assumption that another event (or multiple events) has occurred.
An asset is any person, environment, facility, physical system, material, cyber system, information, business reputation, or activity that has a positive value to an owner or to society as a whole.
The occurrence probability (p) of an outcome (o) can be decomposed into an occurrence probability of an event or threat (t) and the outcome-occurrence probability given the occurrence of the event (o|t). The occurrence probability of an outcome can be expressed as follows using conditional probability concepts:
p(o) = p(t) p(o|t)    (1)
In this context, threat is defined as a hazard or the capability and intention of an adversary to undertake actions that are detrimental to a system or an organization’s interest. In this case, threat is a function of only the adversary or competitor, and usually cannot be controlled by the owner of the system. The adversary’s intention to exploit his capability may, however, be encouraged by vulnerability of the system or discouraged by an owner’s countermeasures.
The probability p(o|t) can be decomposed further into two components: success probability of the adversary and a conditional probability of consequences as a function of this success. This probability p(o|t) can then be computed as the success probability of the adversary times the conditional probability of consequences given this success. The success probability of the adversary is referred to as the vulnerability of the system for the case of this threat occurrence. Vulnerability is a result of any weakness in the system or countermeasure that can be exploited by an adversary or competitor to cause damage to the system and result in consequences.
The performance of a system or component can be defined as its ability to meet functional requirements. The performance of an item can be described by various elements, such as speed, power, reliability, capability, efficiency, and maintainability. The design and operation of the system affect this performance.
A system is a deterministic entity comprising an interacting collection of discrete elements and commonly defined using deterministic models. The word deterministic implies that the system is identifiable and not uncertain in its architecture. The definition of the system is based on analyzing its functional and/or performance requirements. A description of a system may be a combination of functional and physical elements. Usually functional descriptions are used to identify high information levels on a system.
A system can be divided into subsystems that interact. Additional details in the definition of the system lead to a description of the physical elements, components, and various aspects of the system. Methods to address uncertainty in systems architecture are available and can be employed as provided by [3].
Risk-based technologies (RBT) are methods or tools and processes used to assess and manage the risks of a component or system. RBT methods can be classified into risk management that includes risk assessment/risk analysis and risk control using failure prevention and consequence mitigation, and risk communication. Risk assessment consists of hazard identification, event-probability assessment, and consequence assessment. Risk control requires the definition of acceptable risk and comparative evaluation of options and/or alternatives through monitoring and decision analysis. Risk control also includes failure prevention and consequence mitigation. Risk communication involves perceptions of risk, which depend on the audience targeted. Hence, it is classified into the media, the public, and the engineering community.
Safety can be defined as the judgment of risk tolerance (or acceptability in the case of decision making) for the system. Safety is a relative term since the decision of risk acceptance may vary depending on the individual making the judgment. Different people are willing to accept different risks as demonstrated by different factors such as location, method or system type, occupation, and lifestyle. The selection of these different activities demonstrates an individual’s safety preference despite a wide range of risk values. It should be noted that risk perceptions of safety may not reflect the actual level of risk in some activity.
Risk assessment is a technical and scientific process by which the risks of a given situation for a system are modeled and quantified. Risk assessment can require and/or provide both qualitative and quantitative data to decision makers for use in risk management. Risk analysis is the technical and scientific process to break down risk into its underlying components. Risk assessment and analysis provide the processes for identifying hazards, event-probability assessment, and consequence assessment. The risk assessment process answers three basic questions: (i) What can go wrong? (ii) What is the likelihood that it will go wrong? (iii) What are the consequences if it does go wrong? Answering these questions requires the utilization of various risk methods as discussed in this section. A summary of selected methods is provided in Table 1.
TABLE 1 Risk Assessment Methods

| Method | Scope |
|---|---|
| Safety/review audit | Identifies equipment conditions or operating procedures that could lead to a casualty or result in property damage or environmental impacts |
| Checklist | Ensures that organizations are complying with standard practices |
| What-If | Identifies hazards, hazardous situations, or specific accident events that could result in undesirable consequences |
| Hazard and operability study (HAZOP) | Identifies system deviations and their causes that can lead to undesirable consequences and determine recommended actions to reduce the frequency and/or consequences of the deviations |
| Preliminary hazard analysis (PrHA) | Identifies and prioritizes hazards leading to undesirable consequences early in the life of a system. It determines recommended actions to reduce the frequency and/or consequences of the prioritized hazards. This is an inductive modeling approach |
| Probabilistic risk analysis (PRA) | Quantifies risk, and was developed by the nuclear engineering community for risk assessment. This comprehensive process may use a combination of risk assessment methods |
| Failure modes and effects analysis (FMEA) | Identifies the components (equipment) failure modes and the impacts on the surrounding components and the system. This is an inductive modeling approach |
| Fault tree analysis (FTA) | Identifies combinations of equipment failures and human errors that can result in an accident. This is a deductive modeling approach |
| Event tree analysis (ETA) | Identifies various sequences of events, both failures and successes that can lead to an accident. This is an inductive modeling approach |
| The Delphi Technique | Assists to reach consensus of experts on a subject such as project risk while maintaining anonymity by soliciting ideas about the important project risks that are collected and circulated to the experts for further comment. Consensus on the main project risks may be reached in a few rounds of this process [3]. |
| Interviewing | Identifies risk events by interviews of experienced project managers or subject-matter experts. The interviewees identify risk events based on experience and project information |
| Experience-based identification | Identifies risk events based on experience including implicit assumptions |
| Brain storming | Identifies risk events using facilitated sessions with stakeholders, project team members, and infrastructure support staff |

A typical overall risk analysis and management methodology can be expressed in the form of a workflow or block diagram consisting of the following primary steps:
1. definition of a system based on a stated set of analysis objectives;
2. hazard or threat analysis, definition of failure scenarios, and hazardous sources and their terms;
3. data collection in a life cycle framework;
4. qualitative risk assessment;
5. quantitative risk assessment; and
6. management of system integrity through countermeasures, failure prevention, and consequence mitigation using risk-based decision making.
Methods to support these steps are described in various articles of this section on “Risk Modeling and Vulnerability Assessment”.
Risk can be assessed and presented using matrices for preliminary screening by subjectively estimating probabilities and consequences in a qualitative manner. A risk matrix is a two-dimensional presentation of likelihood and consequences using qualitative metrics for both the dimensions as given in Tables 2–4 and Figure 1 with risk subjectively assessed as high (H), medium (M), and low (L). The articles on “Quantitative representation of risk” and “Qualitative representation of risk” describe other methods for representing risk.
A countermeasure is an action taken or a physical capability provided whose principal purpose is to reduce or eliminate one or more vulnerabilities or to reduce the frequency of attacks. Consequence mitigation is the preplanned and coordinated actions or system features that are designed to reduce or minimize the damage caused by attacks (consequences of an attack), support and complement emergency forces (first responders), facilitate field-investigation and crisis management response, and facilitate recovery and reconstitution. Consequence mitigation may also include steps taken to reduce short- and long-term impacts, such as providing alternative sources of supply for critical goods and services. Mitigation actions and strategies are intended to reduce the consequences (impacts) of an attack, whereas countermeasures are intended to reduce the probability that an attack will succeed in causing a failure or significant damage.
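The decomposition p(o) = p(t) p(o|t), with p(o|t) split into vulnerability and the conditional probability of consequences, can be carried through numerically to show how a countermeasure and a consequence mitigation change risk differently. The Python below is an added example, not part of the handbook: the scenario names, probabilities and dollar losses are constructed, and the expected-loss summary and the independence of scenarios in the exceedance calculation are assumptions of this example.

```python
"""Added example: risk as p(o) = p(t) * p(o|t), where
p(o|t) = vulnerability * P(consequence | adversary success)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    p_threat: float        # p(t): annual probability that the threat occurs
    vulnerability: float   # adversary success probability given the threat
    outcomes: tuple        # ((loss, P(loss | success)), ...), must sum to 1

    def __post_init__(self):
        for p in (self.p_threat, self.vulnerability):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: probability {p} outside [0, 1]")
        total = sum(p for _, p in self.outcomes)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: outcome probabilities sum to {total}")


def outcome_probabilities(s):
    """Risk as (consequence, probability) pairs, using p(o) = p(t) * p(o|t)."""
    return [(loss, s.p_threat * s.vulnerability * p) for loss, p in s.outcomes]


def expected_loss(scenarios):
    """Scalar summary added by this example: sum of loss * p(o)."""
    return sum(loss * p for s in scenarios for loss, p in outcome_probabilities(s))


def exceedance_probability(scenarios, c):
    """P(at least one scenario produces a loss >= c in the year).

    Assumes scenarios are independent and the outcomes inside one
    scenario are mutually exclusive.
    """
    p_none = 1.0
    for s in scenarios:
        p_none *= 1.0 - sum(p for loss, p in outcome_probabilities(s) if loss >= c)
    return 1.0 - p_none


def with_countermeasure(s, reduction):
    """Countermeasure: lowers the probability that an attack succeeds."""
    return replace(s, vulnerability=s.vulnerability * (1.0 - reduction))


def with_mitigation(s, loss_factor):
    """Consequence mitigation: same success probability, smaller losses."""
    return replace(s, outcomes=tuple((loss * loss_factor, p) for loss, p in s.outcomes))


# Constructed sample scenarios (not from the handbook); losses in dollars.
INTRUSION = Scenario("control-network intrusion", 0.1, 0.5,
                     ((1_000_000, 0.8), (10_000_000, 0.2)))
SABOTAGE = Scenario("insider sabotage", 0.02, 0.25, ((5_000_000, 1.0),))

BASELINE = [INTRUSION, SABOTAGE]
HARDENED = [with_countermeasure(INTRUSION, 0.5), SABOTAGE]   # halve vulnerability
MITIGATED = [with_mitigation(INTRUSION, 0.5), SABOTAGE]      # halve consequences


def compare(threshold=10_000_000):
    """Expected loss and exceedance probability at `threshold` per option."""
    options = {"baseline": BASELINE, "countermeasure": HARDENED,
               "mitigation": MITIGATED}
    return {name: (expected_loss(sc), exceedance_probability(sc, threshold))
            for name, sc in options.items()}


if __name__ == "__main__":
    for name, (loss, p_exceed) in compare().items():
        print(f"{name:15s} expected loss ${loss:>10,.0f}   "
              f"P(loss >= $10M) = {p_exceed:.4f}")
```

Both options give the same expected loss in this constructed case, yet only the mitigation removes the 10-million-dollar tail, which is why the exceedance function carries information that a single expected value hides.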
TABLE 2 Likelihood Categories for a Risk Matrix

| Category | Description | Annual Probability Range |
|---|---|---|
| A | Likely | ≥0.1 (1 in 10) |
| B | Unlikely | ≥0.01 (1 in 100) but |
| C | Very unlikely | |
| D | Doubtful | |
| E | Highly unlikely | |
| F | Extremely unlikely | |
1122
CROSS-CUTTING THEMES AND TECHNOLOGIES
42. Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., and Nunge, E. (2007). Anti-phishing phil: the design and evaluation of a game that teaches people not to fall for phish. Proceedings of the 2007 Symposium On Usable Privacy and Security. Pittsburgh, PA, July 18–20 200. 43. Wu, M., Miller, R. C., and Garfinkel, S. L. (2006). Do security toolbars actually prevent phishing attacks? Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’06. (Montr´eal, Qu´ebec, Canada, April 22–27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. ACM, New York, pp. 601–610. DOI = http://doi.acm.org/10.1145/1124772.1124863. 44. Zhang, Y., Egelman, S., Cranor, L., and Hong, J. (2007). Phinding phish: evaluating anti-phishing tools. 2007. Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS 2007), San Diego, CA, February 28th–2nd March. 45. Zhang, Y., Hong, J., and Cranor, L. (2007). CANTINA: a content-based approach to detecting phishing web sites. 2007. Proceedings of the 16th International World Wide Web Conference (WWW2007). Banff, AB, May 8–12, 2007, pp. 639–648. 46. Cook, D. L., Gurbani, V., and Daniluk, M. (2008). Phishwish: a stateless phishing filter using minimal rules. Proceedings of Financial Crypto, El Cozumeleno Beach Resort, Cozumel, January, 2008. 47. Provos, N., McNamee, D., Mavrommatis, P., Wang, K., and Modadugu, N. (2007). The ghost in the browser analysis of web-based malware. Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets. (Cambridge, MA). USENIX Association, Berkeley, CA, pp. 4–4. 48. Dhamija, R. and Tygar, J. D. (2005). The battle against phishing: dynamic security skins. Proceedings of the 2005 Symposium on Usable Privacy and Security, SOUPS ’05, vol. 93. (Pittsburgh, Pennsylvania, July 06–08, 2005). ACM, New York, pp. 77–88. DOI = http://doi.acm.org/10.1145/1073001.1073009. 49. 
Bank of America (2006). How Bank of America SiteKey Works for Online Banking Security. Bank of America, [Online] 2006. [Cited: January 19, 2008.] http://www.bankofamerica. com/privacy/sitekey/. 50. Schechter, S. E., Dhamija, R., Ozment, A., and Fischer, I. (2007). The Emperor’s New Security Indicators. IEEE Computer Society, Washington, DC, SP ’07: Proceedings of the 2007 IEEE Symposium on Security and Privacy. pp. 51–65. 51. Balfanz, D., Durfee, G., Grinter, R. E., and Smetters, D. K. (2004). In search of usable security—five lessons from the field. IEEE J. Secur. Priv. 2(5), 19–24. 52. Balfanz, D., Durfee, G. and Smetters, D. K. (2005). Making the Impossible easy: usable PKI. In Security and usability: Designing Secure Systems that People Can Use, L. F. Cranor and S. Garfinkel, Eds. O’Reilly Media, Sebastopol, CA, pp. 319–334. 53. Balfanz, D., Smetters, D. K., Stewart, P., and Wong, H. C. (2002). Talking to strangers: authentication in ad-hoc wireless networks. Network and Distributed System Security Symposium. Internet Society, San Diego, CA, February 6–8, 2002. 54. Stajano, F. and Anderson, R. J. (2000). The resurrecting duckling: security issues for Ad-hoc wireless networks. In Proceedings of the 7th international Workshop on Security Protocols, Lecture Notes In Computer Science, vol. 1796 (April 19–21, 1999). B. Christianson, B. Crispo, J. A. Malcolm, and M. Roe, Eds. Springer-Verlag, London, pp. 172–194. 55. McCune, J. M., Perrig, A., and Reiter, M. K. (2005). Seeing-Is-believing: using camera phones for human-verifiable authentication. Proceedings of the 2005 IEEE Symposium on Security and Privacy, (May 08–11, 2005). IEEE Computer Society, Washington, DC, pp. 110–124. DOI = http://dx.doi.org/10.1109/SP.2005.19.
CYBER SECURITY TECHNOLOGY USABILITY AND MANAGEMENT
1123
56. Balfanz, D. (2003). Usable access control for the world wide web. Proceedings of the 19th Annual Computer Security Applications Conference, ACSAC, (December 08–12, 2003). IEEE Computer Society, Washington, DC, p. 406. 57. Gutmann, P. (2003). Plug-and-play PKI: a PKI your mother can use. Proceedings of the 12th Conference on USENIX Security Symposium—Volume 12 , (Washington, DC, August 04–08, 2003). USENIX Association, Berkeley, CA, pp. 4–4. 58. Gutmann, P. Underappreciated security mechanisms. Peter Gutmann, [Online] [Cited: 1 20, 2008.] http://www.cs.auckland.ac.nz/∼pgut001/pubs/underappreciated.pdf. 59. Garfinkel, S. L. and Miller, R. C. (2005). Johnny 2: a user test of key continuity management with S/MIME and outlook express. Proceedings of the 2005 Symposium on Usable Privacy and Security, SOUPS ’05, vol. 93. (Pittsburgh, Pennsylvania, July 06–08, 2005). ACM, New York, pp. 13–24. DOI=http://doi.acm.org/10.1145/1073001.1073003. 60. Parno, B., Kuo, C., and Perrig, A. (2006). Phoolproof phishing prevention. Financial Cryptography and Data Security 10th International Conference. British West Indies, February 27–March 2, 2006. 61. Corner, M. D. and Noble, B. D. (2002). Zero-interaction authentication. Proceedings of the 8th Annual international Conference on Mobile Computing and Networking, (Atlanta, Georgia, USA, September 23–28, 2002). ACM, New York, pp. 1–11. DOI=http://doi.acm.org/ 10.1145/570645.570647. 62. Bauer, L., Cranor, L. F., Reeder, R. W., Reiter, M. K., and Vaniea, K. (2008). A user study of policy creation in a flexible access-control system. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI ’08). 63. Smetters, D. K., Balfanz, D., Durfee, G. E., Smith, T., and Lee, K. (2006). Instant matchmaking: simple, secure virtual extensions to ubiquitous computing environments. Ubicomp 2006, Proceedings of the 8th International Conference of Ubiquitous Computing. Springer Verlag, Irvine, CA, September 17–21, 2006; LCS 4206: pp. 477–494. 64. 
Yee, K.-P. (2002). User interaction design for secure systems. In Proceedings of the 4th International Conference on Information and Communications Security, Lecture Notes in Computer Science 2513, R. Deng, S. Qing, F. Bao, and J. Zhou, Eds. Springer-Verlag, Heidelberg, http://zesty.ca/sid/. 65. Yee, K.-P. (2005). Guidelines and strategies for secure interaction design (Chapter 13). In Security and Usability: Designing Secure Systems that People Can Use, L. F. Cranor and S. Garfinkel, Eds. O’Reilly, Sebastopol, CA. 66. Chiasson, S., Biddle, R., and Somayaji, A. (2007). Even experts deserve usable security: design guidelines for security management systems. Workshop on Usable IT Security Management (USM’07) held with the ACM Symposium on Usable Privacy and Security (SOUPS 2007), July 2007. 67. Mannan, M., van Oorschot, P. C. Security and usability: the gap in real-world online banking. New Security Paradigms Workshop (NSPW). New Hampshire. Sept. 18–21, 2007.
FURTHER READING
Cranor, L. F. and Garfinkel, S. Security and Usability: Designing Secure Systems that People Can Use. O’Reilly & Associates, 2005.
Gutmann, P. (2008). Usable Security Fundamentals, http://www.cs.auckland.ac.nz/~pgut001/pubs/usability.pdf.
The HCISEC Bibliography. http://gaudior.net/alma/biblio.html.
Yee, K.-P. The Usable Security Blog. http://usablesecurity.com/.
CYBER SECURITY EDUCATION, TRAINING, AND AWARENESS
Richard Kissel and Mark Wilson
National Institute of Standards and Technology, Gaithersburg, Maryland
1 INTRODUCTION
The cyber security education, training, and awareness (ETA) program is a critical component of the cyber security program. It is the vehicle for disseminating security information that the workforce, including managers, need to do their jobs. In terms of the total security solution, the importance of the workforce in achieving cyber security goals, and the importance of learning as a countermeasure, cannot be overstated. Establishing and maintaining a robust and relevant ETA program as part of the overall cyber security program is the primary conduit for providing the workforce with the information and tools needed to protect an organization’s vital information resources. These programs will ensure that personnel at all levels of the organization understand their cyber security responsibilities to properly use and protect the information and resources entrusted to them. Organizations that continually train their workforce in organizational cyber security policy and role-based cyber security responsibilities will have a higher rate of success in protecting information.
As cited in audit reports, periodicals, and conference presentations, people are arguably the weakest element in the cyber security formula that is used to secure systems and networks. The people factor, not technology, is a critical factor that is often overlooked in the cyber security equation. Robust and enterprise-wide ETA programs are needed to address this growing concern.
2 EDUCATION, TRAINING, AND AWARENESS POLICY
All users have cyber security responsibilities. Although there is no mandate for formal education (provided by colleges or universities) and certification of information security professionals, they are mentioned in this section since some organizations include them as part of a comprehensive training solution for employees.
3 COMPONENTS: EDUCATION, TRAINING, AWARENESS, AND CERTIFICATION
An organization’s cyber security program policy should contain a clear and distinct section devoted to organization-wide requirements for the ETA program. Although cyber security ETA is generally referred to as “a” program, many organizations consider ETA to be three distinct functions, each with separate purposes, goals, and approaches. Proper implementation of these components (with consideration of options such as professional certification) promotes professional development, which leads to a high-performance workforce. Requirements for the cyber security ETA program should be documented in the enterprise-level policy and should include:
• definition of cyber security roles and responsibilities;
• development of program strategy and a program plan;
• implementation of the program plan; and
• maintenance of the cyber security ETA program.
3.1 Education
Education integrates all of the cyber security skills and competencies of the various functional specialties into a common body of knowledge and adds a multidisciplinary study of concepts, issues, and principles (technological and social). Cyber security education strives to produce cyber security specialists and professionals who are capable of vision and proactive response.
A significant and increasing number of colleges and universities provide academic programs to support the cyber security needs of the public and private sectors. Many of these schools partner with the public sector to accomplish research and development tasks to improve cyber security. The National Security Agency (NSA) and the Department of Homeland Security (DHS) have built and are maintaining a robust program called the Centers of Academic Excellence in Information Assurance Education. The program seeks to produce a growing number of professionals with information assurance expertise in various disciplines.
3.2 Training
Cyber security training strives to produce the relevant and required security knowledge and skills within the workforce. Training supports competency development and helps personnel understand and learn how to perform their cyber security role. The most important difference between training and awareness is that training seeks to teach skills that allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or a set of issues.
Role-based training provides cyber security modules and/or courses that are tailored to the specific needs of each group of people who have been identified as having significant responsibilities for information security in their organization. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-16 provides guidance for establishing role- and performance-based cyber security training programs.
Other models that can be used for developing role-based cyber security training are the Committee on National Security Systems (CNSS) Training Standards, the Office of Personnel Management (OPM) “IT Roadmap”, and the DHS Essential Body of Knowledge (EBK).
Critical elements to address or consider when developing training material are:
• Needs assessment. A needs assessment will identify what additional cyber security training is needed or required, beyond what the organization is currently doing. Sometimes, the needs assessment takes the form of an auditor’s report. The needs assessment may identify additional people in particular roles who need training, or it may identify that people who have been trained need additional training. A needs assessment will help an organization determine if a complete training course is necessary or if a module that focuses on particular topics will be sufficient.
• Setting the bar. “Setting the bar” means that a decision must be made as to the complexity of the material that will be developed. The complexity must be commensurate with the role and the needs of the person or people who will undergo the learning effort. Material should be developed based on two important criteria: (i) the target attendee’s position within the organization, and (ii) knowledge of the cyber security skills required for that position. The complexity of the material must be determined before development begins. Setting the bar is an important aspect of the “scoping guidance” to be developed and utilized throughout the analysis, design, development, implementation, and evaluation (ADDIE) process.
• The ADDIE instructional design model. The ADDIE model is a systematic instructional design model consisting of five phases: analysis, design, development, implementation, and evaluation. Each phase consists of outcomes that feed into the next phase in the model. For example, input to the Analysis Phase is the output of the needs assessment identifying the existing training gaps within the organization. As each role is analyzed, attention should be paid to the competencies or knowledge, skills, and abilities (KSAs) needed for each role as well as the particular topics, tasks, and/or elements that support the competencies or KSAs. Each competency or KSA used within each role may become a module that is suitable for use within other role-based training that may be required. For example, many cyber security roles require some level of knowledge of laws and organizational policy. A single development effort with multiple modules that can be added and removed based on the particular audience could save significant development time.
• Role-based training versus topic-based training. Role-based cyber security training allows the recipient of the training to learn what he or she needs to know and be able to do, based on their current job. This is perhaps the most important distinction between role-based and topic-based training. While topic-based training is easier to develop because, for the most part, it can be developed once and for diverse audiences, it approaches being a one-size-fits-all solution. Unfortunately, an easy solution like this, to a complex issue like cyber security training, can in itself be a vulnerability as dangerous as a poorly configured operating system or firewall. Topic-based training is best employed within a role-based training framework, when a particular topic (e.g., incident response and reporting, configuration management, contingency planning) needs to be taught as a stand-alone module (or part of a training course) to people in a particular role, or to a group of people in different roles who need to know a similar amount of information about that topic.
• Sources of cyber security training. The first step in determining sources of training material to build a course or module is to decide if the material will be developed in-house or contracted out. If the organization has in-house expertise and can afford to allocate the necessary resources to develop training material for courses and/or modules, there are several federal government-focused training documents or programs that can be used. These include:
◦ NIST SP 800-16. This document contains a robust role-based training methodology. The general-to-specific aspects of the methodology include a list of roles, role-specific matrices that contain responsibilities and training areas, and specific sets of cells for each role matrix that, in turn, contain cyber security topics and elements to be used to build training material for each cell.
◦ CNSS training standards. These standards are also role-based and contain sets of tasks, capabilities, and KSAs needed for those serving in each role.
◦ OPM IT roadmap. This OPM project is a web-based application based on the federal government’s GS-2210 Information Technology (IT) Specialist Job Series. One of the IT Specialist subseries, the Information Security “parenthetical”, has related levels of learning, competencies, expected behaviors, and recommended training courses.
◦ DHS EBK. This document is based on a number of existing federal guidelines and standards. It contains a methodology that includes roles, competency areas, responsibilities, terms, and concepts.
3.3 Awareness
Cyber security awareness is a blended solution of activities that promote security, establish accountability, and inform the workforce of security news. Awareness seeks to focus an individual’s attention on an issue or a set of issues. Awareness is a program that continually pushes the cyber security message to users in a variety of formats. An awareness program includes a variety of tools, communication, outreach, and metrics development.
• Tools. Awareness tools are used to promote cyber security and inform users of threats and vulnerabilities that impact their organization and “personal” work environment by explaining the “what” but not the “how” of security, and communicating what-is- and what-is-not-allowed. Awareness is used to explain the rules of behavior for using an organization’s information and information systems and establishes a level of expectation on the acceptable use of the same. Awareness not only communicates cyber security policies and procedures that need to be followed, but also provides the foundation for any sanctions and disciplinary actions imposed for noncompliance. Types of tools include:
◦ events, such as a cyber security awareness day;
◦ promotional materials;
◦ briefings (program- or system-specific or issue-specific); and
◦ rules of behavior.
• Communication. A large part of an awareness effort is communication with users, managers, executives, system owners, and others. A communications plan is needed to identify stakeholders, types of information to be disseminated, channels for disseminating information, and the frequency of information exchanges. The plan also identifies whether the communications are one-way or two-way. Activities that support communication include:
◦ assessment (as is/to be models);
◦ strategic plan; and
◦ program implementation.
• Outreach. Outreach is critical for leveraging best practices within any organization. It has two elements for intra- and inter-organization awareness. The intraorganization element promotes internal awareness of cyber security. A Web portal that provides a one-stop shop for cyber security information can be an effective outreach tool. Policy, frequently asked questions (FAQs), cyber security e-newsletters, links to resources, and other useful information are easily accessible to all employees. This tool promotes a consistent and standard message. The interorganization element promotes sharing among organizations and is used to leverage training and awareness resources.
3.4 Certification
In response to the growing demand for cyber security personnel within organizations, in both the public and private sectors, there has been a movement toward increased professional standards for cyber security personnel. This “professionalization” integrates education, training, and experience with an assessment mechanism to validate knowledge and skills, resulting in the certification of a predefined level of competence.
4 DESIGNING, DEVELOPING, AND IMPLEMENTING AN EDUCATION, TRAINING, AND AWARENESS PROGRAM
The development of a cyber security ETA program involves three major steps:
1. Designing the program (including the development of the cyber security ETA program plan);
2. Developing the ETA material; and
3. Implementing the program.
Even a small amount of cyber security ETA can go a long way toward improving the cyber security posture of, and vigilance within, an organization.
4.1 Designing an ETA Program
ETA programs must be designed with the mission of the organization in mind. The ETA program must support the business needs of the organization and be relevant to the organization’s culture and information technology architecture. The most successful programs are those that users feel are relevant to the subject matter and issues presented. Designing an ETA program answers the question “What is our plan for developing and implementing ETA opportunities that are compliant with existing policies?” In the design step of the program, the organization’s ETA needs are identified, an effective organization-wide plan is developed, organizational buy-in is sought and secured, and priorities are established.
4.2 Developing an ETA Program

Once the ETA program has been designed, supporting material can be developed. Material should be developed with the following in mind: “What behavior do we want to reinforce?” (awareness); “What skill or skills do we want the audience to learn and apply?” (training and education). In both cases, the focus should be on specific material that the participants should integrate into their jobs. Attendees will pay attention and incorporate what they see or hear in a session if they feel that the material was developed specifically for them. Any presentation that feels so impersonal and general that it could be given to any audience will be filed away as just another of the annual “We’re here because we have to be here” sessions. An ETA program can be effective, however, if the material is interesting, current, and relevant.

The awareness audience must include all users in an organization. Users may include employees, contractors, other organization personnel, visitors, guests, and other collaborators or associates requiring access. The message to be spread through an awareness program, or campaign, should make all individuals aware of their commonly shared cyber security responsibilities. On the other hand, the message in a training class is directed at a specific audience. The message in training material should include everything related to cyber security that attendees need to know in order to perform their jobs. Training material is usually far more in-depth than material used in an awareness session or campaign. An education course goes beyond the immediately practical skills taught in training sessions by presenting the underlying and related concepts, issues, and principles of particular aspects of the profession. This allows the student to understand the subject in far greater depth than is usually provided in training.
4.3 Implementing an ETA Program

A cyber security ETA program should be implemented only after a needs assessment has been conducted, a strategy has been developed, an ETA program plan for implementing that strategy has been completed, and ETA material has been developed. The program’s implementation must be fully explained to the organization to achieve support for its implementation and commitment of necessary resources. This explanation includes expectations of organization management and staff support, as well as expected results of the program and benefits to the organization. Funding issues must also be addressed. For example, organization managers must know if the cost to implement the ETA program will be totally funded by the Chief Information Officer (CIO) or the cyber security program budget, or if their budgets will be impacted to cover their share of the expense of implementing the program. It is essential that everyone involved in the implementation of the program understand their roles and responsibilities. In addition, schedules and completion requirements must be communicated. Once the plan for implementing the ETA program has been explained to (and accepted by) organization management, the implementation can begin. Since there are several ways to present and disseminate ETA material throughout an organization, organizations should tailor their implementation to the size, organization, and complexity of their enterprise.
4.4 Postimplementation

An organization’s cyber security ETA program can quickly become obsolete if sufficient attention is not paid to technological advancements, IT infrastructural changes, organizational changes, and shifts in organizational mission and priorities. CIOs and senior organization cyber security officers need to be cognizant of this potential problem and incorporate mechanisms into their strategy to ensure that the program continues to be relevant and compliant with overall objectives. Continuous improvement should always be the theme for cyber security ETA initiatives, as this is one area where you can never do enough. Efforts supporting this postimplementation feedback loop should be developed with respect to the cyber security organization’s overall ongoing performance measures program.

4.5 Monitoring Compliance

Once the program has been implemented, processes should be put in place to monitor compliance and effectiveness. An automated tracking system can be designed to capture key information on program activity (e.g. courses, dates, audience, costs, and sources). The tracking system should capture this data at an organization level, so it can be used to provide enterprise-wide analysis and reporting regarding ETA initiatives. Tracking compliance involves assessing the status of the program as indicated by the database information, and mapping it to standards established by the organization. Reports can be generated and used to identify gaps or problems. Corrective action and necessary follow-up can then be taken. This follow-up may take the form of formal reminders to management; additional ETA offerings; and/or the establishment of a corrective plan with scheduled completion dates. A tracking system is likely to be more economically feasible in a government agency or a large company than in a small business.
A small business may not be able to justify the costs of such a system, and in a small business it should be easier to track those employees needing and attending cyber security training.

4.6 Evaluation and Feedback

Formal evaluation and feedback mechanisms are critical components of any cyber security ETA program. Continuous improvement cannot occur without a good sense of how the existing program is working. In addition, the feedback mechanism must be designed to address objectives initially established for the program. Once the baseline requirements have been solidified, a feedback strategy can be designed and implemented. Various evaluation and feedback mechanisms that can be used to update the ETA program plan include surveys, evaluation forms, independent observation, status reports, interviews, focus groups, technology shifts, and/or benchmarking. A feedback strategy should incorporate elements that address quality, scope, deployment method (e.g. Web-based, on-site, off-site), level of difficulty, ease of use, duration of session, relevancy, currency, and suggestions for modification.

Metrics are essential to feedback and evaluation. They can be used to:
• measure the effectiveness of the cyber security ETA program;
• provide information for many of the data requests that an organization may be required to provide with regard to compliance; and
• provide an important gauge for demonstrating progress and identifying areas for improvement.
4.7 Managing Change

It is necessary to ensure that the program, as structured, continues to evolve as new technology and associated cyber security issues emerge. Training needs will shift as new skills and capabilities become necessary to respond to new architectural and technology changes. A change in the organizational mission and/or objectives can also influence ideas on how best to design training solutions and content. Emerging issues, such as homeland defense, will also impact the nature and extent of cyber security ETA activities that are necessary to keep users informed and/or trained about the latest threats, vulnerabilities, and countermeasures. New laws and court decisions may also impact organization policy that, in turn, may affect the development and/or implementation of ETA material. Finally, as cyber security policies evolve, ETA material should reflect these changes.

4.8 Program Success Indicators

CIOs, program officials, and organization cyber security officers should be primary advocates for ETA. Securing an organization’s information and infrastructure is a team effort, requiring the dedication of capable individuals to carry out their assigned cyber security roles within the organization. Listed below are some key indicators to gauge the support for, and acceptance of, the program:
• key stakeholder demonstrates commitment and support;
• sufficient funding is budgeted and available to implement the agreed-upon ETA strategy;
• appropriate organizational placement of senior officials with key cyber security responsibilities;
• infrastructure to support broad distribution (e.g. Web, e-mail, learning management systems) and posting of cyber security ETA materials is funded and implemented;
• executive/senior-level officials deliver messages to staff regarding cyber security (e.g. staff meetings, broadcasts to all users by organization head), champion the program, and demonstrate support for training by committing financial resources to the program;
• metrics indicate improved cyber security performance by the workforce (e.g. to explain a decline in cyber security incidents or violations, indicate that the gap between existing ETA coverage and identified needs is shrinking, the percentage of users being exposed to awareness material is increasing, the percentage of users with significant cyber security responsibilities being appropriately trained is increasing);
• executives and managers do not use their status in the organization to avoid cyber security controls that are consistently adhered to by the rank and file;
• level of attendance at cyber security forums/briefings/training is consistently high;
• recognition of cyber security contributions (e.g. awards, contests) is a standard practice within an organization; and
• individuals playing key roles in managing/coordinating the cyber security program demonstrate commitment to the program and motivation to promote the program.
REFERENCES

1. National Institute of Standards and Technology Special Publication 800-16. (1998). Information Technology Security Training Requirements: A Role- and Performance-Based Model.
2. National Institute of Standards and Technology Special Publication 800-50. (2003). Building an Information Technology Security Awareness and Training Program.
3. National Institute of Standards and Technology Special Publication 800-55. (2003). Security Metrics Guide for Information Technology Systems.
INDUSTRIAL PROCESS CONTROL SYSTEM SECURITY
Ivan Susanto, Rich Jackson Jr., and Donald L. Paul
Chevron Corporation, San Ramon, California
1 INTRODUCTION

Process control systems or industrial automation and control systems (IACS) used in the oil and gas (O&G) industry are vulnerable to new threats with potentially serious consequences. Vulnerabilities come from many sources, including, but not limited to, increasing access to IACS, increased digital intensity in the form of digital oil fields, smart sensors generating ever increasing amounts of data, real-time optimization, reservoir modeling, and global value chains that are highly leveraged on information and connectivity. In order to address these vulnerabilities, a public–private partnership called Project LOGIIC was formed to create and execute projects that address critical O&G cyber security Research and Development (R&D) needs, and produce solutions upon their completion, which can be deployed in the industry. ISA Security Compliance Institute (ISCI) also combines the talents of industry leaders from a number of major control system users and manufacturers to create a collaborative industry certification-based program.

2 BACKGROUND

Process control systems or IACS are used by O&G companies at their offshore platforms, pipelines, refineries, plants, and other industrial assets. IACS are collections of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process. The systems include, but are not limited to [1]:
1. Industrial control systems including distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition (SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context, process control systems include basic process control systems and safety-instrumented system [SIS] functions, whether they are physically separate or integrated.)
2. Associated information systems such as advanced or multivariable control, on-line optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems.
3. Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.

There is an increased reliance on IACS for safe, secure, and reliable operations of facilities. Historically, it was thought that IACS were secure because they relied on proprietary networks and hardware and were considered immune to network attacks that plague corporate information systems. This is no longer true. While no single measure can offer a complete solution, defense-in-depth methods can help detect and delay or even prevent breaches. Without the right information at the right time, there cannot be an appropriate response to threats.

2.1 The Problem

IACS used in the O&G industry are potentially vulnerable to new threats. Standardization and integration with corporate business systems have increased the potential exposure to these systems. IACS data were traditionally used in a contained environment only by those in that environment. Now, government agencies, business partners, suppliers, and others want access to the IACS data, causing more time to be spent on filling requests and less attention to monitoring for potential breaches.
Most importantly, this integration requires network connections that provide access and raise risks and threats.

2.2 New Threats

Most people will click on interesting links, especially when they are sent by someone known to them. Employees and vendors often use thumb drives, CDs, or DVDs to support IACS, and these portable media are readily inserted into an IACS environment without scanning for viruses first. It takes real effort to stop and think about risk, whether it is real or a cleverly disguised threat. Removable drives and e-mail links are just two ways that these threats can be introduced.

Threats to energy industry systems have expanded beyond the typical physical attacks of the past. When these physical attacks are combined with cyber attacks on the control systems, the results could be much more damaging. The changing nature of control systems means that attackers ranging from hackers through organized cyber criminals and sophisticated insiders can have physical effects through cyber means. The new networked control systems and commercial off-the-shelf (COTS) technology are vulnerable to attacks that are not specifically aimed at them. For example, the Port
of Houston had to shut down operation of its control system in September, 2001. This system controlled ship movement, docking, mooring, loading, and unloading. They were affected by a “denial of service” attack, which was not aimed at them but which affected them just the same. The attack was the result of a “botnet” or robot network of computers, typical of those used by organized crime. There are other known security incidents happening in the industries as well, such as the Maroochy Shire Sewage Spill, an IP address change that shut down a chemical plant, and a Slammer-infected laptop shutting down a DCS.

These are the factors that contribute to risk in the IACS environment [2]:
• Adoption of open standardized technologies susceptible to known vulnerabilities;
• Connectivity of Control Systems with other networks, including the Corporate network;
• Insecure remote connections;
• Widespread availability of technical information about control systems.

On the basis of a recent industry trend, security risks from both insiders and outsiders still continue to be of most concern, with hackers gaining a greater understanding of IACS.

2.3 The Solution

Within a critical infrastructure environment, addressing security risk is a shared problem that can only be addressed and solved collaboratively (LOGIIC-1 Team [3]). In the LOGIIC partnership, the following were the goals:
• Demonstrating a forward-looking opportunity to reduce vulnerabilities of O&G process control environments.
• Creating a working model to leverage the collective resources of the O&G industry, government agencies, and national laboratories for future cyber security projects.
• Leveraging existing SCADA cyber security knowledge and tools from the O&G industry, government, and vendors to
  ◦ align with existing and future activities being performed in the SCADA industry, National Laboratory Testbeds, and O&G industry;
  ◦ assist the National Laboratory Testbeds with the research and development of new solutions focused on the O&G industry, which will address existing security weaknesses (evolutionary) and breakthrough security solutions (revolutionary).

ISA Certification is one resource that promises to provide asset owners [4] a well-designed and managed product security certification process, leading to improved process reliability and safety. Certification responds to a common need for a shared security vision to be executed by suppliers, asset owners, and consultants. It also will promote better field-tested standards that are clearly followed by industry.

3 SCIENTIFIC STUDY

In the LOGIIC-1 Project (Event Correlation), a defense-in-depth solution can collect all raw events (data) from the IACS to the business/corporate network, correlate them, and analyze
abnormal events to provide information to decision makers enabling them to validate threats and take appropriate action. Monitoring is the key to building better defenses, especially for new unknown threats and vulnerabilities, but implementing even a simple perimeter intrusion detection system (IDS) can produce such volumes of data that it can become overwhelming. Too much data from an IDS would then become a hindrance rather than a help. And as illustrated in Figure 1, for systems without a layered security architecture, it only takes a single vulnerability for an attacker to bring a system down. Even for systems with layered, defense-in-depth approaches to security, an attacker can still cause damage. We need to know how many “open doors” we have left for attackers. One answer to the problem is to have a central correlation engine that is fed with inputs from IACS to the business/corporate network.

3.1 Correlation Benefits
While there are many sources of security data available, the amount of data is substantial and often in incompatible formats. Both of these factors hinder transforming the raw data into useful information [5]. A best-in-class correlation system can help by gathering data from all sources and analyzing it for trends. Some benefits of implementing such a correlation system are
• Event and log aggregation;
• Normalizing of events into a standard format;
• Categorizing and prioritizing events;
• Filtering extraneous events;
• Grouping similar events;
• Discovering relationships between events;
• Health monitoring from many small data points;
• Building big picture of the IACS health.

FIGURE 1 Threats and vulnerabilities (diagram labels: attacker, threat, vulnerability, defense mechanism, PCS controller, I/O).
Awareness of a problem is the first step to implementing preventive or corrective measures.

3.2 Detection

There are four types of security events that should be detected. In Figure 2, we let the depicted barrier abstractly represent the perimeter defense. The four categories of events that we want to detect apply to the physical world as well as to computer systems and networks.

The probing/provocation category represents the case when attackers attempt to penetrate the defense but are unsuccessful. Examples in the cyber realm include port scanning and repeated authentication or authorization failures, such as password-guessing or file system browsing. Even though the perimeter defense works as intended, we still want to detect this kind of event because we are under attack and the attackers could eventually succeed.

Circumvention occurs when attackers find a way to reach their goal without confronting the perimeter defense. As an example, a corporation could have a strictly configured firewall protecting its corporate network from the Internet, but a badly configured wireless access point on the corporate network can allow an attacker parked on the street outside to get to the network without even going through a firewall.

Penetration occurs when a vulnerability in the perimeter defense allows attackers to get through. An example of penetration is when an attacker with knowledge of software bugs can compromise the system using access that is allowed through a well-configured firewall.

Finally, insiders are attackers already inside the perimeter. For example, a firewall between the corporate network and the Internet does nothing to stop a disgruntled employee from stealing data from an internal database and hand-carrying it out of the building on a CD-ROM or other portable storage device. It should be noted that an attacker who has used circumvention or penetration to get inside the perimeter could also be considered an insider, from a detection perspective.

FIGURE 2 IDS event triggered responses [6, p. 7]: (a) probing/provocation; (b) circumvention; (c) penetration; (d) insider.

3.3 Technical Challenges

3.3.1 Typical IACS Environment. A test bed model (Fig. 3) was developed in the LOGIIC-1 project using generic DCS and SCADA systems with field devices to describe a typical IACS environment. Some trade-offs and assumptions were taken into account in this testing model.

3.3.2 IACS Abnormal Events. There is a technical challenge in understanding the abnormal events that can be caused by an adversary in a PCS [3]. IACS are vulnerable to the same kind of attacks experienced in a standard IT environment, but have the added vulnerability of attacks that are unique to IACS.

3.3.3 Detecting IACS Abnormal Events. Another challenge is in understanding how to detect the abnormal events that can be caused by an adversary in a PCS [3]. Standard information technology defenses can detect and defend against the same types of attacks in PCSs.

3.4 Implementing Defense and Detection in-Depth

The next technical challenge is to identify the layers that need to be instrumented to achieve defense-in-depth detection [3]. The following layers were identified:
• Network Boundary
• Host Network Connection
• Host Operating System
• Process Control Application.

FIGURE 3 LOGIIC-1 Baseline O&G lab environment (courtesy of DHS LOGIIC brochure). Networks shown: Internet, corporate network, DMZ network, DCS PCN, SCADA PCN, and field sites.
The final challenge is to show that IT network devices (e.g. IDSs) can be used with IACS, as well as with their field devices such as flow computers or PLCs. Security alerts from the devices must be able to be correlated to provide the proper intrusion detection in a realistic control system environment.

3.5 Test Bed Operating Model

The LOGIIC-1 test bed included four individual networks: a Corporate Network, a DMZ Network, a DCS Network, and a SCADA Network. The test environment includes both a SCADA application typically used to manage pipelines as well as a DCS application used to run refineries. These applications reside on process control networks (PCNs) with other IACS-specific equipment. The standard IT defenses selected as event sources include the following:
• Network segment firewalls (in reporting, not blocking modes);
• Host firewalls (again, in reporting, not blocking modes);
• Network IDSs;
• Network devices (wired and wireless routers).

Three sources specific to control systems are:
• PCS-protocol aware IDSs on the PCNs;
• Alarms from the DCS and SCADA;
• Alarms from flow computers.

A suite of sensors was selected to implement this defense-in-depth strategy. These sensors are triggered by abnormal activity and produce security events that are collected and correlated by an Enterprise Security Management (ESM) application. It is critical to relate security events in the IT network with IACS events to provide situational awareness. This allows IACS operators to identify threats that would previously go unnoticed. These threats can now be mitigated before potentially serious process disruptions occur. Three sets of correlation rules were developed to enable this awareness:
1. Rules that identify steps of the critical attack scenarios (e.g. moving from one network segment to another).
2. Rules that implement common IACS policies. IACS is quite static compared to business/corporate networks, so violation alerts can include rogue systems, IACS configuration changes, and port scans.
3. Rules that apply a data dictionary for IACS-specific security events. This dictionary would map proprietary logged IACS events to standardized security events.
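One way the three rule sets above could be expressed, as a small Python correlator run over constructed events. This is an added example, not the LOGIIC project's code or an ESM product's rule language; the sensor names, log strings, addresses, PCN inventory, and scan threshold are all assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "ts sensor raw src src_zone dst dst_zone dst_port")
Alert = namedtuple("Alert", "priority rule subject ts")

# Rule set 3: data dictionary mapping proprietary log strings to standardized
# security event categories. Sensor names and strings are constructed.
DATA_DICTIONARY = {
    ("fw", "DENY"): "policy-violating-connection",  # firewall in reporting mode
    ("ids", "MODBUS_WRITE_FROM_UNKNOWN"): "unauthorized-write",
    ("dcs", "CFG_DOWNLOAD"): "config-change",
    ("flowcomp", "PARAM WRITE"): "config-change",
}
# Rule set 2: the PCN is static, so its hosts can be listed (assumed inventory).
PCN_INVENTORY = {"10.2.0.10", "10.2.0.11", "10.2.0.20"}
PORT_SCAN_THRESHOLD = 5  # distinct destination ports from one source (assumed)
# Rule set 1: zones ordered from the outside in.
ZONE_DEPTH = {"corporate": 0, "dmz": 1, "pcn": 2}


def normalize(ev):
    """Standard category for an event, or None if it is extraneous."""
    return DATA_DICTIONARY.get((ev.sensor, ev.raw))


def correlate(events):
    """Apply the three rule sets to raw events and return correlated alerts."""
    alerts = []
    ports_by_src = defaultdict(set)
    reported = set()  # (rule, subject) pairs already alerted: groups repeats
    tainted = {}      # host -> outside origin whose activity reached it

    def alert(priority, rule, subject, ts):
        if (rule, subject) not in reported:
            reported.add((rule, subject))
            alerts.append(Alert(priority, rule, subject, ts))

    for ev in sorted(events, key=lambda e: e.ts):
        category = normalize(ev)
        if category is None:
            continue  # filtered: no dictionary entry, not security-relevant
        # Policy rules (set 2): rogue system, configuration change, port scan.
        if ev.src_zone == "pcn" and ev.src not in PCN_INVENTORY:
            alert("high", "rogue-system", ev.src, ev.ts)
        if category == "config-change":
            alert("medium", "config-change", ev.dst, ev.ts)
        if category == "policy-violating-connection":
            ports_by_src[ev.src].add(ev.dst_port)
            if len(ports_by_src[ev.src]) >= PORT_SCAN_THRESHOLD:
                alert("medium", "port-scan", ev.src, ev.ts)
        # Attack-scenario rule (set 1): suspicious activity entering the PCN
        # from a host that was itself reached from a shallower zone.
        if ZONE_DEPTH[ev.dst_zone] > ZONE_DEPTH[ev.src_zone]:
            origin = tainted.get(ev.src, ev.src)
            if ev.dst_zone == "pcn" and ev.src in tainted:
                alert("high", "segment-traversal", origin, ev.ts)
            tainted.setdefault(ev.dst, origin)
    return alerts


def summarize(events):
    """Return (raw events, correlated alerts, high-priority alerts)."""
    alerts = correlate(events)
    return len(events), len(alerts), sum(a.priority == "high" for a in alerts)


def build_sample():
    """Constructed events: background traffic plus one multi-step intrusion."""
    evs = [Event(t, "fw", "ALLOW", "10.0.0.%d" % (t % 20 + 1), "corporate",
                 "10.1.0.7", "dmz", 443) for t in range(50)]
    for i, port in enumerate([21, 22, 23, 80, 3389]):
        evs.append(Event(100 + i, "fw", "DENY", "10.0.0.5", "corporate",
                         "10.1.0.7", "dmz", port))
    evs.append(Event(200, "ids", "MODBUS_WRITE_FROM_UNKNOWN", "10.1.0.7",
                     "dmz", "10.2.0.10", "pcn", 502))
    evs.append(Event(210, "dcs", "CFG_DOWNLOAD", "10.2.0.10", "pcn",
                     "10.2.0.20", "pcn", 0))
    evs.append(Event(300, "ids", "MODBUS_WRITE_FROM_UNKNOWN", "10.2.0.99",
                     "pcn", "10.2.0.11", "pcn", 502))
    return evs


SAMPLE_EVENTS = build_sample()

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
    print("raw=%d correlated=%d high=%d" % summarize(SAMPLE_EVENTS))
```

On the constructed sample, 58 raw events reduce to 4 correlated alerts, 2 of them high priority; the segment-traversal alert names the corporate host as origin even though the write into the PCN came from the DMZ host.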
4 SUMMARY

In the LOGIIC-1 Project, the team was able to implement an ESM application (correlation engine) in generic O&G DCS and SCADA systems within a laboratory environment and integrated them with a simulated business network [5]. As a result, the project
• Successfully developed, implemented, and tested four attack scenarios, which model new threats to IACS brought by standardization and interconnectivity;
• Implemented a PCS security data dictionary;
• Identified, correlated, and alerted on compromises to the environment at and across all levels;
• Provided enhanced situational awareness;
• Built an in-depth solution for industry deployment.
IT-type sensors placed to detect events on the IACS generated information, which was combined with events extracted from the control system applications. Attack pictures were created using events from both sources. The IT types of sensors provided events generated by their standard IT signature set, as well as events generated by a Modbus signature set to detect PCS-specific attacks. The control system applications were also able to provide unique control system alarm events for correlation. On the basis of the results, it was predicted that there would be a reduction in workload for a security analyst looking for attacks, since filtering reduced the number of events an analyst would need to examine. One of the attack scenarios used created over 7,000,000 low-level events from the system sensors, which were reduced to about 1000 correlated events and then further prioritized to only 130 high-priority alerts. The LOGIIC-1 results have now been implemented by several companies in their real-world environment, proving that this LOGIIC collaboration/partnership works very effectively.
5 NEXT STEPS

The LOGIIC model was developed to have broad applicability within the O&G industry as well as other IACS-dependent industries and government, and the synergy from such a private–public partnership results in higher quality results, reduced R&D, and lower costs. Addressing IACS cyber security risks within any critical infrastructure environment is a shared problem and needs to be addressed through a collaborative effort. The LOGIIC model has proven to be a vehicle that provides the necessary collaborative results. In addition to the LOGIIC model, industries can improve PCS security by supporting other industry collaboration such as the following:
• ISA-99 Committee that establishes standards, recommended practices, technical reports, and related information that will define procedures for implementing electronically secure manufacturing and control systems and security practices and assessing electronic security performance. The Committee’s focus is to improve the confidentiality, integrity, and availability of components or systems used for manufacturing or control, and to provide criteria for procuring and implementing secure control systems. Compliance with the Committee’s guidance will improve manufacturing and control system electronic security, and will help identify vulnerabilities and address them, thereby reducing the risk of compromising confidential information or causing manufacturing control systems degradation or failure [7].
• ISCI, which is an industry consortium that facilitates an efficient forum of asset owners and suppliers for proposing, reviewing, and approving security conformance requirements for products in the automation controls industry. The resulting requirements form the basis for the ISASecure™ compliance designation, enabling suppliers to develop secure automation control products based on industry consensus security standards (security compliance “out of the box”). The ISASecure™ designation creates instant recognition of automation control products and systems that comply with ISASecure™ technical specifications. As a result, asset owners are able to efficiently procure and deploy ISASecure™ products with well-known security characteristics that are in conformance with industry consensus security standards such as ISA99 [8].
• Other security collaboration/partnerships such as API and NPRA.
6 CONCLUSION

The Event Correlation research conducted by the LOGIIC program addresses the need for coordination at many levels if our nation’s critical PCSs are going to be secure. At the technology level, security data from many disparate sources must be collected and analyzed as an integrated resource. Otherwise, a potential avalanche of events can result in valuable security information being overlooked or misinterpreted, increasing the probability of a successful attack. At the same time, coordination at the organizational and national level is also critical. Without it, each company would be forced to proceed on its own, achieving far less in the end. Instead, the synergy generated by the private–public partnership in LOGIIC resulted in a security project with higher quality results, reduced research time, and lower costs. We believe it stands as a model for industry and government cooperation in critical infrastructure security going forward.
ACKNOWLEDGMENTS

We would like to thank:
• Chevron Corporation, for supporting cyber security activities such as LOGIIC, ISCI, and ISA-99 in the O&G industry, and also for assistance in publishing this article.
• The members of LOGIIC-1 (Correlation Project) for their participation in the project and their significant contributions to the solution (http://www.cyber.st.dhs.gov/logiic.html).
• Ulf Lindqvist, Dale Peterson, Thomas Culling, Eric J. Byres, and Linda Shaltz for their special contributions to the completion of this paper.
• The Department of Homeland Security for providing valuable information via the LOGIIC website http://www.cyber.st.dhs.gov/docs/LOGIICbrochure.pdf.

REFERENCES

1. ANSI/ISA-99.00.01-2007 (2007). Security for Industrial Automation and Control Systems, Part 1: Terminology, Concepts, and Models. p. 24, used with permission, ISA, www.isa.org.
2. GAO (2004). Challenges and Efforts to Secure Control Systems, March, 2004.
3. LOGIIC-1 Team (2005). Project Framing Document for DHS LOGIIC Project, July, 2005.
4. ISA Security Compliance Institute (2007). Membership Prospectus, June, 2007.
5. Aubuchon, T. (2006). The LOGIIC correlation project. Presented at DHS LOGIIC Cyber Security Project Conference, Houston, September 11, 2006.
6. Ulf Lindqvist (1999). On the Fundamentals of Analysis and Detection of Computer Misuse. PhD Thesis, School of Electrical and Computer Engineering, Chalmers University of Technology, Göteborg, Sweden. Copyright 1999 by Ulf Lindqvist, figure reprinted with permission.
7. ISA99 Purpose (1995-2007). ISA Website, http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821, used with permission, ISA, www.isa.org.
8. ISA Insights (2008). The ISA Security Compliance Institute, 2008 Edition, used with permission—ISA Security Compliance Institute.
CYBER SECURITY FOR THE BANKING AND FINANCE SECTOR
Valerie Abend and Brian Peretti Department of Treasury, Washington, D.C.
C. Warren Axelrod Bank of America, Charlotte, North Carolina
Andrew Bach NYSE Euronext, New York, New York
Kevin Barry, Don Donahue, and Ken Wright Depository Trust and Clearing Corporation, New York, New York
John Carlson BITS, Washington, D.C.
Frank Castelluccio, Dan DeWaal, David Engaldo, and George Hender Options Clearing Corporation, Chicago, Illinois
David LaFalce The Clearing House, New York, New York
Mark Merkow American Express Company, New York, New York
William Nelson FS-ISAC, Dulles, Virginia
John Panchery Securities Industry Financial Market Association, New York, New York
Dan Schutzer Financial Services Technology Consortium, New York, New York
David Solo Corporate Technology Office, Citigroup Inc., New York, New York
Jennifer L. Bayuk Consultant, Towaco, New Jersey
1 HISTORY OF COOPERATION
The US government and financial institutions have a long history of cooperation. The government recognized financial institutions as an integral part of the nation’s critical infrastructure. As such, financial institutions are highly regulated and constantly supervised by regulatory agencies to ensure that they are able to withstand the various and increasing threats they face. Examples of cooperation between the public and private sector in the late 1990s include preparations for the Century Date Change or “Y2K”; the Preliminary Research and Development Roadmap for Protecting and Assuring Critical National Infrastructures (July 1998) by the President’s Commission on Critical Infrastructure Protection (PCCIP) and the Critical Infrastructure Assurance Office (CIAO);¹ and Presidential Decision Directive (PDD) 63 on Critical Infrastructure Protection (CIP, May 1998).
PDD 63 established the first governmental approach to protecting the nation’s critical infrastructures, assigning responsibility for protecting infrastructures in different economic segments to different governmental agencies, providing that each responsible agency would appoint a private sector “Sector Coordinator” to work with the agency to pursue infrastructure protection in the sector, and encouraging the sharing of infrastructure protection information between government and private industry through the formation of information sharing and analysis centers (ISACs). It also supported research and development, outreach, and vulnerability assessment. PDD 63 described “A National Goal” as follows:
“No later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from today [i.e. by May 22, 2003] the United States shall have achieved and shall maintain the ability to protect the nation’s critical infrastructures from intentional acts that would significantly diminish the abilities of
• the Federal Government to perform essential national security missions and to ensure the general public health and safety;
• state and local governments to maintain order and to deliver minimal essential public services;
• the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services.” [emphasis added]
Under PDD 63, the Department of the Treasury (“Treasury”) was assigned the responsibility for the banking and finance sector, and appointed Steve Katz, then Chief Information Security Officer for Citibank, as the first private sector “Sector Coordinator”.
In the following years, the US Congress focused on cyber security issues as they related to privacy protection. Two significant laws governing privacy and security protections were enacted in the 1990s: the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, and the Financial Services Modernization Act of 1999,² also known as the Gramm–Leach–Bliley Act (GLBA). HIPAA³ was enacted to restrict control of and access to patients’ information and GLBA includes a provision requiring financial institutions to safeguard personal information. In 2001, regulators finalized regulations requiring financial institutions to establish appropriate safeguards for the use, disclosure, privacy, and security of personal information, including Social Security Numbers (SSNs). The regulators applied strong enforcement tools to ensure that financial institutions complied with these security requirements. In addition, the Federal Financial Institutions Examination Council (FFIEC)⁴ issued several Information Technology booklets on topics including information security, business continuity planning (BCP), and outsourcing.⁵
¹ The Preliminary Research and Development Roadmap for Protecting and Assuring Critical National Infrastructures is available at http://cipp.gmu.edu/archive/190 PCCIPCIAORandDRoadmap 0798.pdf. Other pertinent documents can be found in the CIP Digital Archive in the George Mason University School of Law Critical Infrastructure Protection Program website at http://cipp.gmu.edu/clib/CIPDigitalArchive.php.
² Public Law No. 106–102.
³ Public Law 104–191, 42 U.S.C. 1301 et seq.
In January 2000, the Clinton Administration released Defending America’s Cyberspace: National Plan for Information Systems Protection, Version 1.0: An Invitation to a Dialogue. This report urged the creation of public–private partnerships to address cyber security issues. Shortly after the attacks of September 11, 2001, the government and financial services industry responded. Executive Order (EO) 13228,⁶ Establishing the Office of Homeland Security (HLS) and the Homeland Security Council, created the present structure for the protection of the homeland, and EO 13231,⁷ Critical Infrastructure Protection in the Information Age, outlined, inter alia, the public partnerships context for the protection of the critical infrastructure. Private sector advisory councils were formed, including the Homeland Security Advisory Council (HSAC) (EO 13228) and the National Infrastructure Advisory Council (NIAC) (EO 13231). The Office of HLS, first headed by former Pennsylvania Governor Thomas Ridge, was formed. In addition, the President’s Critical Infrastructure Protection Board (PCIPB), based on the Clinton administration’s Defending America’s Cyberspace plan, was established. The PCIPB coordinated an effort to draft a national infrastructure protection strategy that included contributions from both public and private participants. All participants were asked to comment on how this effort should evolve.
In particular, the goal was to avoid legislation and regulation by means of proactive collaborative measures. Each of the critical sectors was directed to publish its own strategy.⁸ Several financial services industry organizations supported these efforts, including the Securities Industry Association (formerly SIA, now Securities Industry and Financial Markets Association [SIFMA]), BITS (the Financial Services Roundtable’s technology and operations division), and the Financial Services Information Sharing and Analysis Center (FS-ISAC). This support was intended to foster closer working relationships between government and the finance sector.
The US financial regulators and the US Treasury Department were also looking at these issues. Following a series of organizational meetings in 2001, the US Treasury and financial regulators developed a process to coordinate the activities of federal and state financial services regulators by establishing the Financial and Banking Information Infrastructure Committee (FBIIC).⁹ The FBIIC, originally a standing committee of the PCIPB, but currently chartered under the President’s Working Group on Financial Markets, is charged with improving coordination and communication among financial regulators, enhancing the resiliency of the financial sector, and promoting the public–private partnership. Treasury’s Assistant Secretary for Financial Institutions chairs the committee. In fulfilling its mission, the FBIIC set out to:
• identify critical infrastructure assets, their locations, potential vulnerabilities, and prioritize their importance to the financial system of the US;
• establish secure communications capability among the financial regulators and protocols for communicating during an emergency; and
• ensure sufficient staff at each member agency with appropriate security clearances to handle classified information and to coordinate in the event of an emergency.
Working with appropriate members of financial institution regulatory agencies, the FBIIC has accomplished the following:
• provided key federal and state financial regulators with secure telecommunications equipment for use in a crisis, and is adding a capacity for encrypted e-mail;
• written emergency communications procedures allowing communication between financial regulators and Federal, state, and local stakeholders;
• worked to systematically identify critical financial infrastructures, assess vulnerabilities within the critical financial infrastructure, address vulnerabilities, and evaluate progress; and
• identified the infrastructure that is critical to the retail payments system, the insurance industry, and the housing finance industry.
⁴ An interagency body with representation from the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS).
⁵ These Booklets are available at www.ffiec.gov/guides.htm.
⁶ http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001 register&docid=fr10oc01-144.pdf.
⁷ http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001 register&docid=fr18oc01-139.pdf.
⁸ The entire list of sector plans, as well as copies of the plans, are available at the website of the Partnership for Critical Infrastructure Security (PCIS) at www.pcis.org.
⁹ Membership information can be found at www.fbiic.gov.
On May 10, 2002, key leaders from the financial services industry, with the encouragement of the Treasury, established the Financial Services Sector Coordinating Council (FSSCC).¹⁰ Rhonda MacLean, then Chief Information Security Officer at Bank of America Corporation, was appointed the second Sector Coordinator for Financial Services by Treasury, and served as the founding Chairman of the FSSCC. The banking and finance sector published its first version of the sector’s critical infrastructure protection plan in May 2002. The “National Strategy for Critical Infrastructure Protection” was jointly drafted by several associations including BITS, SIA, FS-ISAC, and ABA, in consultation with the financial regulators.¹¹ Members of the FSSCC and FBIIC meet three times a year for discussions and briefings.
On September 18, 2002, the Bush administration released a draft of The National Strategy to Secure Cyberspace. The National Strategy outlined the “preferred” means of interaction between the public and private sectors. After incorporating comments, the Bush administration released the final National Strategy to Secure Cyberspace in February 2003.¹² On March 1, 2003, the Department of Homeland Security (DHS) was formally established and many of the responsibilities of the PCIPB were transferred to DHS.
¹⁰ Details about the FSSCC and its activities can be found at the FSSCC website at www.fsscc.org.
¹¹ A 2004 update of this strategy and other publications about the FSSCC’s activities can be found at the FSSCC website.
¹² The National Strategy to Secure Cyberspace, The White House, February 2003, is available at www.whitehouse.gov/pcipb/cyberspace strategy.pdf. This document implements a component of The National Strategy for Homeland Security and is complemented by The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, which are available at www.whitehouse.gov/pcipb/physical strategy.pdf.
In September 2002, several regulatory agencies released a draft paper outlining more stringent BCP requirements for certain types of large financial institutions. The Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the US Financial System was released for public comment by the Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), Securities and Exchange Commission (SEC), and the New York State Banking Department. Several financial institutions and associations submitted detailed comment letters on the proposal and objected to several onerous proposed requirements. In April 2003, three of the original agencies (the FRB, OCC, and SEC) released the final Sound Practices White Paper after considering 90 comment letters from industry participants.¹³ The revised final paper did not insist on a minimum distance between primary and backup sites (e.g., 300 mile mission distance between primary and backup sites). However, it does require that institutions have staff, located outside their primary sites, who can conduct business if those at the primary site cannot get to the backup facilities. This became a good precedent for how meaningful, respectful discussion can lead to a proposal that meets requirements but is not overly burdensome on industry members.
In 2003, the President released the National Strategy to Secure Cyberspace and National Strategy for Physical Protection of Critical Infrastructures and Key Assets. These documents called for Treasury, as the lead agency for the banking and finance sector, to develop a research and development agenda for the sector. Treasury, working with the FBIIC and the FSSCC, published an agenda for the sector entitled “Closing the Gap”. The driving force behind the document was a desire to identify key areas where additional research dollars could be spent to make the sector more secure. This document was socialized among Federal departments and agencies, academics, and financial services participants. On March 7 and 8, 2005, Treasury, in conjunction with the National Science Foundation (NSF), hosted a workshop entitled “Resilient Financial Information Systems”. Participants from academia and the public and private sectors worked to discuss and identify research priorities to advance the resilience of the financial sector and protect the nation’s critical financial infrastructure.
As the issue of research and development (R&D) for the financial services sector matured, the FSSCC developed a working group to focus specifically on the issue for R&D and to coordinate its activities with respect to critical infrastructure and key resources (CI/KR) R&D. At Treasury’s request, the FSSCC joined DHS in a May 2005 workshop focused on R&D priorities. DHS published an updated version of the National Infrastructure Protection Plan (NIPP) in 2005. The role of the sector-specific agencies in coordinating the activities of the sector was again reaffirmed in the document. As DHS was finalizing the NIPP R&D plans and programs, the FSSCC formed an R&D Committee to focus on those plans and programs that would provide the most significant benefits with respect to the specific CI/KR requirements of the financial services industry. In May 2006, this committee issued a list of priority research projects. The FSSCC Research and Development Committee Research Challenges and the FSSCC Research and Development Research Agenda were issued to assist researchers in focussing research on top concerns.¹⁴ In February 2008, the FSSCC R&D Committee began to “beta test” the Subject Matter Advisory Response Team (SMART) program. The SMART program assists research and development organizations working on Critical Infrastructure Protection Projects by providing subject matter expertise for financial institutions necessary to facilitate their R&D endeavors.
¹³ The Interagency Paper is available at www.sec.gov/news/studies/34-47638.htm.
¹⁴ Both of these documents are available at www.fsscc.org.
2 ORGANIZATIONAL ROLES
2.1 FSSCC
The Financial Services Sector Coordinating Council (FSSCC) for critical infrastructure protection and homeland security (CIP/HLS) is a group of more than 30 private sector firms and financial trade associations that works to help reinforce the financial services sector’s resilience against terrorist attacks and other threats to the nation’s financial infrastructure. Formed in 2002, FSSCC works with Treasury, which has direct responsibility for infrastructure protection and HLS efforts for the financial services sector. The mission of the FSSCC is to foster and facilitate the coordination of financial services sector-wide voluntary activities and initiatives designed to improve CIP/HLS. Its objectives are to:
• provide broad industry representation for CIP/HLS and related matters for the financial services sector and for voluntary sector-wide partnership efforts;
• foster and promote coordination and cooperation among participating sector constituencies on CIP/HLS related activities and initiatives;
• identify voluntary efforts where improvements in coordination can foster sector preparedness for CIP/HLS;
• establish and promote broad sector activities and initiatives that improve CIP/HLS;
• identify barriers and recommend initiatives to improve sector-wide voluntary CIP/HLS information and knowledge sharing and the timely dissemination processes for critical information sharing among all sector constituencies; and
• improve sector awareness of CIP/HLS issues, available information, sector activities/initiatives, and opportunities for improved coordination.
As described above, the FSSCC is the private side of the public–private partnership which supports the National Infrastructure Protection Plan (NIPP). The other organizations listed in this section are all members of the FSSCC. Each organization has strengths in different areas, allowing the FSSCC to coordinate efforts of various members in support of overall infrastructure protection goals. Since the FSSCC was established, it has been chaired by distinguished and prominent members of the financial community: Rhonda MacLean of Bank of America from 2002–2004, Donald Donahue of The Depository Trust and Clearing Corporation from 2004 through 2006, George S. Hender of The Options Clearing Corporation from 2006 to 2008, and Shawn Johnson of State Street Global Advisors in 2008.
2.2 FSSCC Member Organizations
All FSSCC member organizations have contributed to industry goals for CIP. The organizations described below have provided the most direct focus on collaboration with respect to cyber security issues in the Banking and Finance Sector.
2.2.1 BITS. In 1996, members of Bankers Roundtable (now The Financial Services Roundtable) created BITS in order to respond to significant technological changes facing the banking industry. BITS initially focused on changes in electronic commerce and the payments system, but evolved over time to focus on new threats that emerged in the areas of Internet security, fraud reduction, and CIP. Before 9/11, BITS helped to create the FS-ISAC. After 9/11, BITS helped to create the FSSCC and ChicagoFIRST.¹⁵ In 2001, BITS established the BITS Crisis Management Coordination Working Group (CMC-WG). This working group implemented The BITS and Financial Services Roundtable Crisis Communicator, a high-speed communications program that allowed the organization to connect all the key players—member CEOs and government and other business leaders—who might need to convene and determine how to address a crisis. The BITS and Financial Services Roundtable (FSR) Crisis Management Process: Members’ Manual of Procedures was developed to provide BITS’ members with the ability to communicate and coordinate with each other, government agencies, and other sectors in order to implement the emergency response and recovery process for the financial services sector.
One of the greatest lessons learned from 9/11 was the extent of the financial services sector’s interdependencies and reliance on other critical sectors, specifically telecommunications and power. With the help of the Board of Governors of the Federal Reserve System, notably Steve Malphrus, BITS convened a conference in New York City in July 2002. The conference focused on ways to get tangible progress from other critical infrastructure sectors toward the goal of cooperation between government and the private sector. One tool that resulted from the BITS Telecommunications Working Group efforts is the BITS Guide to Business-Critical Telecommunications Services. Completed in 2004,¹⁶ the Guide is based on extensive work by BITS members, participation by major telecommunications companies, and involvement by the National Communications System (NCS) and the President’s National Security Telecommunications Advisory Council (NSTAC). The Guide is a comprehensive tool used by BITS’ member institutions to better understand the risks of telecommunications interdependencies and achieve greater resiliency.
2.2.2 ChicagoFIRST. Another clear lesson from 9/11 was the stunning impact an event could have on critical financial services operations that are heavily located in one regional area. Louis Rosenthal, ABN AMRO, and Ro Kumar, The Options Clearing Corporation, saw the potential risks in the Chicago area and energized their peers and a set of partners. BITS facilitated the process of forming the regional coalition. In 2003–04 the US Treasury Department founded an evaluation and guide for establishing regional coalitions through the Boston Consulting Group and BITS. ChicagoFIRST, the result of these efforts, is a free-standing nonprofit organization that provides robust coordination services to maintain the resilience of the critical financial services that reside in the area. It continues to serve as a model for others, including FloridaFIRST and other regional coalitions.¹⁷
¹⁵ ChicagoFIRST is a nonprofit association dedicated to addressing HLS and emergency management issues affecting financial institutions and requiring a coordinated response.
¹⁶ The BITS Telecommunications Working Group, led by John DiNuzzo (formerly of FleetBoston/Bank of America Corporation), was a subgroup of the BITS CMC-WG.
¹⁷ Improving Business Continuity in the Financial Services Sector: A Model for Starting Regional Coalitions (US Treasury: November, 2004). http://www.treas.gov/press/releases/reports/chicagofirst handbook.pdf
2.2.3 Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC was conceived at a meeting of Financial Industry leaders with the Treasury at the White House Conference Center in March 1999. An Information Sharing Working Group was established. The financial services industry members participating in the original Information Sharing Working Group appointed a Board of Managers, who formed FS-ISAC limited liability corporation (LLC). It was officially launched by US Treasury Secretary Lawrence A. Summers at a ceremony in the Treasury building on October 1, 1999, as a means of meeting the finance sector’s information-sharing obligation under PDD 63 on CIP. On December 9, 2003, the Treasury announced that it would purchase $2 million in services from the FS-ISAC. Treasury’s contract with the FS-ISAC resulted in a new, next-generation FS-ISAC that is intended to benefit the Treasury, other financial regulators, and the private sector. In the press release, the Treasury indicated the purposes for the funding were as follows:¹⁸
• Transform the FS-ISAC from a technology platform that serves approximately 80 financial institutions to one that serves the entire 30,000 institution financial sector, including banks, credit unions, securities firms, insurance companies, commodity futures merchants, exchanges, and others.
• Provide a secure, confidential forum for financial institutions to share information among each other as they respond in real time to particular threats.
• Add information about physical threats to the cyber threat information that the FS-ISAC currently disseminates.
• Include an advance notification service that will notify member financial institutions of threats. The primary means of notification will be by Internet. If, however, Internet traffic is disrupted, the notification will be by other means, including telephone calls and faxes.
• Include over 16 quantitative measures of the FS-ISAC’s effectiveness that will enable the leadership of the FS-ISAC and Treasury to assess both the FS-ISAC’s performance and the aggregate state of information sharing within the industry in response to particular threats.
¹⁸ http://www.ustreas.gov/press/releases/reports/factsheet js1048.pdf.
The FS-ISAC was able to arrange with a managed security service provider to fund the initial development and implementation of the FS-ISAC systems and networks in return for the right to reuse the technology developed. The FS-ISAC thus succeeded in meeting its original goal of becoming a viable means for the banking and finance sector to share information about security threats, vulnerabilities, incidents, and remedies. E-mail alerts and notifications sent by the FS-ISAC give financial firms advance notice of threats, vulnerabilities, and events so that they can proactively protect themselves. The FS-ISAC also hosts an information-sharing website, conference calls, and conferences that allow its members more interactive sharing opportunities.
In 2006, the FS-ISAC established a Survey Review Committee to provide oversight of the process of member-submitted surveys of the FS-ISAC membership. The FS-ISAC survey process allows for one live poll at a time to ensure maximum participation. The primary contact at each member organization is asked to complete each survey or route it to the appropriate area within their company to have it answered by the most qualified individual. Surveys conducted in 2007 included Employee Access to HR Information, Data Transfer Methods, and Information Security Program Organization. Once the survey is completed, a Poll Results Report is created that includes a brief summary and the final poll results. Using the survey tool link provided, members can also conduct their own detailed analysis of survey results to meet their unique needs.
Through the personal involvement of members of the FS-ISAC’s Board of Managers and the FS-ISAC membership at large, the reach of the FS-ISAC members¹⁹ quickly spread well beyond the original mandate. Early on, board members were involved in efforts such as
• participating, through the FSSCC, in drafting the finance sector’s segment of Version 2.0 of the NIPP;
• assisting in, and being supportive of, the establishment of the BITS laboratory for testing and certifying security software relevant to financial services institutions;
• working with Treasury to develop an outreach and education program to increase awareness of sector security threats, vulnerabilities, and best practices, and to indicate how the FS-ISAC might assist them in these areas;
• briefing Federal agencies as to the workings of the FS-ISAC; and
• testifying before congressional committees and otherwise representing the views of the banking and finance sector on cyber security and CIP.
The FS-ISAC has been a model for a number of other ISACs in critical US sectors, such as transportation, energy and information technology, as well as ISACs in foreign countries (e.g. Canada) and in individual corporate organizations (e.g. the Worldwide ISAC). Its October 2007 biannual conference was recently coordinated in conjunction with the CIP Congress, carrying the theme “When Failure is Not an Option” and was accordingly attended by members of other ISACs. 2.2.4 FSTC. The Financial Services Technology Consortium (FSTC) was established in 1993 at the dawn of the commercialization of the Internet. FSTC is a nonprofit organization with members from the financial services industry (financial services providers and vendors), government agencies, and academia, who collaborate on projects to explore and solve strategic business–technology issues through concept validation, prototype and piloting, and development of standards. Its mission is to harness technology advances and innovative thinking to help solve the problems of the financial services industry. Early projects dealt with paper check imaging, the convergence of the payments products, and securing electronic banking, commerce, and payments over the Internet. These projects helped spur the growth of electronic commerce and paved the way for Check 21 and the electronification of the paper check through the development of important new standards and industry utilities and collaborations. After September 11, FSTC’s focus expanded to include addressing business continuity issues in addition to security, fraud management, and payments, leading to a partnership with Carnegie Mellon that developed a Resiliency Framework. 
FSTC also initiated a focus on enterprise architecture aimed at helping financial services firms to streamline and consolidate their siloed systems and processes, enabling the reduction of redundant 19 The Board of Managers and members of the FS-ISAC are not restricted from other industry activities beyond the work of the FS-ISAC.
CYBER SECURITY FOR THE BANKING AND FINANCE SECTOR
1151
processes and systems, to provide a more efficient and flexible organization, able to more rapidly and easily accommodate new products, services, and processes needed to meet new business opportunities and threats. FSTC thrives when the knowledge of members comes together through the formation of initiatives and projects that will better the industry as a whole. FSTC projects are its core activity and one of the key benefits of FSTC membership. 2.2.5 SIFMA. SIFMA provides a forum for securities firms, exchanges, industry utilities, and regulators to share knowledge, plans, and information. It is responsible for developing and promoting industry-specific practice guidelines, for providing liaison between the securities industry and regulators and legislators, and for coordinating industry-wide initiatives. SIFMA has standing committees to coordinate industry-wide initiatives for various types of securities industry trading and operations activities. The SIFMA BCP Committee was established as the SIA BCP in November 2001 to address and coordinate business continuity issues for the securities industry. In conjunction with the BCP Committee mission, SIFMA (and its predecessors, the SIA and the Bond Markets Association) has led an extensive on-going industry-wide business continuity testing initiative since 2002. The effort allows the industry as a whole to verify and demonstrate the resilience of the securities markets and to provide individual firms with opportunities to test their procedures with other industry participants in a way they could not do on their own. Industry tests include tabletop exercises, connectivity tests, communications tests, participation in national disaster recovery tests, and pandemic flu exercises. SIFMA in conjunction with the BCP Committee operates the Securities Industry Emergency Command Center that functions as the industry’s central point of emergency communications and coordination during significant emergencies. 
Initial testing efforts in 2002, 2003, and 2004 involved basic connectivity tests between individual firms and exchanges. Much more robust business continuity tests were conducted in 2005 and 2006. Over 250 firms, exchanges, and industry utilities participated in these tests, which involved transmission of dummy transactions from firms’ and exchanges’ backup sites using backup communications links. The industry demonstrated a 95% pass rate on these tests. SIFMA also coordinates securities industry participation in the national TopOff emergency exercises and focuses heavily on planning for a potential flu pandemic and on conducting pandemic planning exercises. SIFMA’s Information Security Subcommittee, which was established in 2003, addresses and coordinates information security issues from an industry perspective and facilitates information sharing among SIFMA member firms. The Subcommittee provides comments to regulatory authorities on proposed information security rules and regulations and develops industry initiatives. The Subcommittee has focused on a variety of issues, including developing guidance on the design and testing of Sarbanes-Oxley controls, working with legislators on proposed Security Breach Legislation, tracking and assessing Microsoft security releases, and establishing guidance on effective means of dealing with phishing attempts. In 2007, SIFMA formed the Information Risk Advisory Council to provide advice to SIFMA’s Technology, Information Security, BCP, and Privacy Committees. The Council identifies issues of significant importance to securities firms and works with the SIFMA Committees to integrate these into the committees’ annual goals.
CROSS-CUTTING THEMES AND TECHNOLOGIES
3 SAMPLE SIGNIFICANT EVENTS
Although cyber security-related events are a daily occurrence in the financial industry, some events are more significant than others with respect to collaborative information sharing. The events listed below were significant in that the collaboration that occurred during the event served to strengthen the bonds of communication between public and private sector CIP organizations.
3.1 Russian Hacker Case
In June 1994, a Russian crime ring managed to get inside the Citibank computer system and transfer $140,000 from the Philippine National Bank to a bank in Finland. The bank in the Philippines called to complain that the transaction had not been authorized. Citibank realized something was amiss and set up a special team to start looking into transactions of similar circumstance. However, it was not a given that the unauthorized transfer was the first discovery of a chain of illegal activity. By the middle of July, the team had identified that a similar transfer had taken place, and yet a third by the end of the month. By this time, Citibank had called in the Federal Bureau of Investigation (FBI) and the investigation was in full swing. Transactions were being illegally transferred from cities as far away as Djakarta and Buenos Aires to banks in San Francisco and Israel. In total, fraudulent transactions amounted to more than $3 million, though in the end the gang of thieves managed to abscond with only $400,000. The system breached was called the Citibank Cash Management system. This system allowed corporate customers to transfer money automatically from their accounts to whomever they were paying. It handled approximately 100,000 transactions a day, totaling $500 billion. The Citibank system relied on static passwords, which it intended users to memorize.
The passwords remained the same each time a user entered the system, and although they were encrypted, the crime ring was somehow able to get a password and identification numbers of some of these corporate customers. The investigation team realized that the passwords traversed many network links that were not necessarily fully owned and operated by the bank; many were leased from telecommunication companies in various countries, which provided the bank with network links between its offices. The question the investigators faced was whether the perpetrator had an insider in Citibank or was able to get them using conventional “network-sniffing” software. On August 5, a fraudster transferred $218,000 from a Citibank account in Djakarta and another $304,000 from a bank in Argentina to Bank of America accounts in San Francisco that had been set up by a Russian couple. They would go to the bank after the money was transferred and attempt to withdraw it. At that point, investigators identified the perpetrators. They were kept under observation by both the public and private sector through October, transferring money from and to more accounts. The idea of computer control of funds was new to the media at that time. It was a new idea to reporters that a person could be sitting at a computer in Russia in the middle of the night keying in passwords and watching money move across a screen. The Internet was still young at the time and largely unused commercially. The transfers were done through a proprietary network managed by Citibank. But, like the Internet, these proprietary networks cross over other proprietary networks and it is at these points that
passwords become most vulnerable. Yet cooperation between the bank investigators, telecommunications administrators, and law enforcement led eventually to Vladimir Levin, a young Russian hacker. He was trapped through a traced telecommunications line while performing a fraudulent transaction and was imprisoned. In the course of the investigation, several people were arrested (including half a dozen Russian citizens, for which this story is known as the “Russian Hacker Case”). Immediately after, Citibank ended the use of static passwords over its Funds Transfer networks and started issuing One Time Password tokens to customers using those networks (these tokens, then infrequently encountered, were a form of two-factor authentication from a small company named RSA for its founders, Rivest, Shamir, and Adleman).
3.2 Slammer Worm
On January 23, 2003, a structured query language (SQL) injection dubbed the “slammer worm” started to spread rapidly through computer systems throughout the world. Although a patch had been released for the vulnerability, many organizations had not installed it. As a result, the worm spread very quickly, infecting, by one account, 75,000 victims within 10 min after its release. Although financial institutions were not greatly affected by the worm, Treasury, in coordination with the FBIIC and FSSCC, convened a meeting on February 25, 2003, to discuss issues related to the worm. In addition to members of the FBIIC and FSSCC, several private sector groups attended, including Microsoft and Electronic Data Systems (EDS). At the meeting, communications protocols were developed to aid in the sharing of information in the event of another incident. The protocols were exercised during several other virus/worm attacks, including SoBig.F and BugBear.b.
3.3 2003 Power Outage
At approximately 4:11 pm Eastern Daylight Time (EDT) on August 14, 2003, a power outage affected a large portion of the Northeastern United States, roughly from Detroit to New York City.
Although there was minimal disruption to delivery of financial services in the affected area, the incident did expose a greater need to continue to examine the backup systems of institutions. For example, the American Stock Exchange had relied upon steam power to cool their trading floor. After the exchange reached out to the SEC and the Treasury, a backup steam generator was located and the exchange was able to open and close on Friday, August 15, 2003 (see footnote 20). Many lessons were learned from that set of events. One lesson led to the BITS Guide to Business-Critical Power, developed in cooperation with the Critical Power Coalition and Power Management Concepts, and published in 2006. It provides financial institutions with industry business practices for understanding, evaluating, and managing the associated risks, when the predicted reliability and availability of the electrical system are disrupted—and it outlines ways by which financial institutions can enhance reliability and ensure uninterrupted backup power. The following table, Table 1, describes a series of publications and events related to information sharing and coordination within the finance and banking sectors.
20 The report, Impact of the Recent Power Blackout and Hurricane Isabel on the Financial Services Sector, can be found at http://www.treas.gov/offices/domestic-finance/financial-institution/cip.
TABLE 1 Publications and Events
Date | Name of Publication/Event | Comments
February 1996 | CIWG (Critical Infrastructure Working Group) Report | Suggested establishing PCCIP (President’s Commission on Critical Infrastructure Protection) for the longer-term view and the IPTF (Infrastructure Protection Task Force) for coordination of then existing infrastructure protection efforts.
July 1996 | EO (Executive Order) 13010 | Formed PCCIP, IPTF and CIAO (Critical Infrastructure Assurance Office). Available at www.fas.org/irp/offdocs/eo13010.htm
October 1997 | Critical Foundations: Protecting America’s Infrastructures | Report issued by PCCIP suggesting a strategy incorporating research and development, information sharing, education, and awareness
May 1998 | PDD-63 (Presidential Decision Directive Number 63) for Critical Infrastructure Protection | By May 2003: The Federal Government to perform essential national security missions and to ensure the general public health and safety; State and local governments to maintain order and to deliver minimum essential public services; The private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services.
July 1998 | Preliminary Research and Development Roadmap for Protecting and Assuring Critical National Infrastructures | Report issued by PCCIP and CIAO as a follow-up of Critical Foundations: Protecting America’s Infrastructure. Section 2.1 addresses the Banking and Finance sector
October 1999 | Official launch of the FS-ISAC (Financial Services Information Sharing and Analysis Center) | Launched by US Treasury Secretary Laurence P. Summers—available at www.fsisac.com
January 2000 | Defending America’s Cyberspace: National Plan for Information Systems Protection, Version 1: An Invitation to a Dialog | This report urged the creation of public private partnerships to address cyber security issues
January 2001 | Report of the President of the United States on the Status of Federal Critical Infrastructure Protection Activities | Available at www.fas.org
March 2002 | Banking and Finance Sector: The National Strategy for Critical Infrastructure Protection | Available at www.pcis.org
May 2002 | Banking and Finance Sector National Strategy for Critical Infrastructure Assurance | Available at www.pcis.org
July 2002 | National Strategy for Homeland Security | Available at www.whitehouse.gov/homeland/book/nat strat hls.pdf
February 2003 | The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets | Available at www.whitehouse.gov/pcipb/physical.html
February 2003 | The National Strategy to Secure Cyberspace | Available at http://www.whitehouse.gov/pcipb/
March 2003 | FFIEC IT Examination Handbook: Business Continuity Planning | Available at www.ffiec.com
2003 | PCIS Industry Compendium to the National Strategy to Secure Cyberspace | Analysis of plans and summary of commonalities. Available at www.pcis.org
July 2003 | Risk Management Principles for Electronic Banking, Basel Committee on Banking Supervision, Bank for International Settlements | Available at www.bis.org/publ/bcbs98.pdf
December 2003 | Homeland Security Presidential Directive (HSPD)-7 on Critical Infrastructure Identification, Prioritization, and Protection | Covers policy, roles and responsibilities of Secretary of Homeland Security, other offices, and so on, coordination with the private sector. Note: Consistent with Homeland Security Act of 2002, produce “National Plan for Critical Infrastructure and Key Resources Protection” within one year, that is, by December 2004. www.whitehouse.gov/news/releases/2003/12/print/20031217-5.html
May 2004 | Homeland Security Strategy for Critical Infrastructure Protection in the Financial Services Sector: Version 2 | Objectives of Financial Services Strategy: Identifying and reducing vulnerabilities in the financial services infrastructure to such attacks; Ensuring the resiliency of the nation’s financial services infrastructure to minimize the damage and expedite the recovery from attacks that do occur; and Promoting public trust and confidence in the financial services sector’s ability to withstand and recover from attacks that do occur. Available at www.fsscc.org
February 2005 | National Infrastructure Protection Plan (Interim) | Superseded by June 2006 NIPP. http://cipp.gmu.edu/archive/Interim NIPP Feb 05.pdf
2005 | FFIEC IT Examination Handbook: Information Security | Available at www.ffiec.com
April 2003 | Interagency Sound Practices to Strengthen the Resilience of the US Financial System | Available at www.sec.gov/news/studies/34-47638.htm
April 2006 | FSSCC Research Challenges Booklet | Available at www.fsscc.org
June 2006 | National Infrastructure Protection Plan | Available at www.dhs.gov
October 2006 | FSSCC R & D Agenda | Available at www.fsscc.org
December 2006 | FSSCC Annual Report | FSSCC published the Banking and Finance Sector-Specific Plan as their annual report. Available at www.fsscc.org
May 2007 | Sector-Specific Plan: Banking and Finance Sector for Critical Infrastructure Protection | http://www.dhs.gov/xlibrary/assets/nippssp-banking.pdf
2005 (–2007) | Protecting the US Critical Infrastructure: 2004 (–2006) in Review | Annual reports, expected to continue, available at www.fsscc.org
3.4 Pandemic Planning
In September and October 2007, SIFMA, in partnership with the FSSCC, the FBIIC, and the Treasury, conducted a multiweek pandemic flu exercise for the full financial services sector. This was the largest, most ambitious financial services exercise to date that addressed business process recovery as a sector in communication with its sector-specific agency. The exercise offered a realistic simulation of the spread of a pandemic wave in the United States. It was designed to identify how a pandemic could affect the financial markets and to provide participants with an opportunity to examine their pandemic business recovery plans under a demanding scenario. Over 2700 financial services organizations participated.
3.5 Operation Firewall
On October 28, 2004, the US Department of Justice, in coordination with the United States Secret Service (USSS), executed over 28 search and arrest warrants in connection with Operation Firewall (see footnote 21), an undercover investigation designed to stop the flow of stolen credit card numbers and other personal information. This operation lured criminals into a false sense of security by creating a fake website for buying and selling purloined credit card information. The main target was a group that called itself Shadowcrew, whose sole purpose was to defraud the financial services sector. The operation, which lasted over an 18-month period, ended with the seizure of over 100 computers and the arrest of 28 individuals—21 in the United States and seven in Europe and Russia. Through the cooperation of several major financial services sector entities, the underground “carding” scene was dealt a major blow from which it is still attempting to recover.
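Section 3.1 turns on the difference between a static password, which stays valid once someone else has obtained it, and a one-time password, which does not. The sketch below is an added example, not Citibank's or RSA's implementation: it uses the open HOTP algorithm (RFC 4226) as a stand-in for the proprietary tokens, and the class names, the sample password and the look-ahead window are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class StaticPasswordServer:
    """Accepts the same memorized secret on every login."""

    def __init__(self, password: str):
        self._password = password

    def login(self, presented: str) -> bool:
        return hmac.compare_digest(presented.encode(), self._password.encode())


class OneTimePasswordServer:
    """Accepts each counter-based code once, with a small look-ahead window."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self._secret = secret
        self._next_counter = 0
        self._look_ahead = look_ahead

    def login(self, presented: str) -> bool:
        window = range(self._next_counter, self._next_counter + self._look_ahead)
        for counter in window:
            expected = hotp(self._secret, counter)
            if hmac.compare_digest(presented.encode(), expected.encode()):
                # Burn this code and every earlier one: a replay can no longer match.
                self._next_counter = counter + 1
                return True
        return False


def replay_demo() -> dict:
    """A credential is used once by its owner, then presented again by a third party."""
    secret = b"12345678901234567890"            # RFC 4226 test secret
    static = StaticPasswordServer("corp-treasury-1994")  # constructed sample password
    otp = OneTimePasswordServer(secret)

    captured_password = "corp-treasury-1994"    # obtained by someone other than the owner
    captured_code = hotp(secret, 0)             # what the customer's token showed once

    return {
        "static_owner": static.login(captured_password),
        "static_replay": static.login(captured_password),
        "otp_owner": otp.login(captured_code),
        "otp_replay": otp.login(captured_code),
        "otp_next_code": otp.login(hotp(secret, 1)),
    }


if __name__ == "__main__":
    for step, accepted in replay_demo().items():
        print(f"{step:14} accepted={accepted}")
```

The replayed static password is accepted exactly like the owner's login, while the replayed one-time code is rejected because the server has already advanced past its counter.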
4 FUTURE CHALLENGES
The examples above demonstrate high levels of collaboration among dedicated individuals representing financial institutions, associations, and government agencies. For this collaboration to continue, it will require proactive engagement, open communications, and trust. The industry needs to work cooperatively with the respective agencies to develop rules and regulations that best meet the requirements of government while maintaining a strong finance sector and not overburdening financial institutions. Since 9/11, government has proven its willingness to reach out and ensure the consensus of the financial community in its efforts to strengthen the infrastructure. It has also demonstrated increased trust on the part of the private side of the financial sector in government’s intent and a willingness to work with the various agencies, and to persuade others that cooperation is ultimately the best approach where each side can achieve its goals.
FURTHER READING
The FSSCC Research and Development Committee. (2006). The FSSCC Research and Development Committee Research Challenges, April 2006, http://www.fsscc.org.
The FSSCC Research and Development Committee. (2006). The FSSCC Research and Development Committee Research Agenda, October 2006, http://www.fsscc.org.
21 http://www.secretservice.gov/press/pub2304.pdf.
SYSTEM AND SECTOR INTERDEPENDENCIES
SYSTEM AND SECTOR INTERDEPENDENCIES: AN OVERVIEW
James P. Peerenboom and Ronald E. Fisher
Argonne National Laboratory, Argonne, Illinois
1 INTRODUCTION
The importance of infrastructure interdependencies was first highlighted at the national level in 1997 when the President’s Commission on Critical Infrastructure Protection (CIP) released its landmark report, Critical Foundations: Protecting America’s Infrastructures [1]. The report pointed out that the security, economic prosperity, and social well-being of the nation depend on the reliable functioning of our increasingly complex and interdependent infrastructures. In defining its case for action, the Commission noted that interdependency between and among our infrastructures increases the possibility that a rather minor and routine disturbance could cascade into regional or national problems. The Commission further concluded that technical complexity could also permit interdependencies and associated vulnerabilities to go unrecognized until a major failure occurs. The blackout on August 14, 2003, in which large portions of the Midwest and Northeast United States and Ontario, Canada, experienced an electric power outage, dramatically illustrated the enormously complex technical challenge that we face in preventing cascading impacts [2]. In the nearly 10 years since the release of the Critical Foundations report, much has been written about identifying, understanding, and analyzing infrastructure interdependencies, and significant progress has been made [3]. This progress has been the result of a number of interrelated factors, including the following:
• the emergence of a risk-based national strategy for all-hazards infrastructure protection that explicitly addresses dependencies and interdependencies;
• focused national Research and Development (R&D) efforts that address both physical and cyber infrastructures and their interdependencies in a more integrated manner;
• new analytical techniques that capture complex system response and human behavior;
• a growing awareness of interdependencies issues and increased interest by local and regional stakeholder groups who have held interdependencies-related exercises, captured lessons learned from natural and man-made infrastructure disruptions, and been proactive in addressing interdependencies-related needs; and
• a new generation of professionals who have the requisite educational backgrounds and skill sets to address infrastructure and interdependencies.
These factors are briefly discussed in the following sections of this article and in more detail in the subsequent articles of this handbook.
2 CONCEPTS AND TERMINOLOGY
The release, over the past several years, of national strategy and policy documents, such as Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection (HSPD-7), The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, The National Strategy to Secure Cyberspace, and the National Infrastructure Protection Plan (NIPP), has reshaped the definition of critical infrastructure and key resources (CIKR) in the United States [4–7]. These documents define 18 CIKR as follows: agriculture and food, water, health care and public health, emergency services, defense industrial base, energy, information technology, banking and finance, telecommunications, dams, transportation systems, chemical, postal and shipping, national monuments and icons, government facilities, commercial facilities, and commercial nuclear reactors; critical manufacturing was added in 2008 as the 18th sector. Although other countries may aggregate differently (e.g. Canada identifies 10 critical infrastructures), significant similarities can be found in terms of capturing the assets, systems, and networks that, if lost or degraded to varying degrees, would have a debilitating impact on national security, public health and safety, the economy, and other dimensions of concern. A variety of concepts and definitions can be used to describe interdependencies among the CIKR sectors [8, 9]. The NIPP defines interdependency as the “multi- or bi-directional reliance of an asset, system, network, or collection thereof, within or across sectors, on input, interaction, or other requirement from other sources in order to function properly” [7]. Infrastructure interdependencies are characterized in terms of four general categories:
• physical (e.g. the material output of one infrastructure is used by another);
• cyber (e.g. infrastructures utilize electronic information and control systems);
• geographic (e.g. infrastructures are co-located in a common corridor); and
• logical (e.g. infrastructures are linked through financial markets).
The proliferation of information technology, along with the widespread use of automated monitoring and control systems and increased reliance on the open marketplace for purchasing and selling infrastructure commodities and services (e.g. electric power), has intensified the prevalence and importance of cyber and logical interdependencies. Physical, cyber, geographic, and logical infrastructure interdependencies transcend individual infrastructure sectors (by definition) and generally transcend individual public and private-sector companies. Further, they vary significantly in scale and complexity, ranging from local linkages (e.g. municipal water-supply systems and local emergency services), to regional linkages (e.g. electric power coordinating councils), to national
linkages (e.g. interstate natural gas and transportation systems), to international linkages (e.g. telecommunications and banking and finance systems). These scale and complexity differences create a variety of spatial, temporal, and system representation issues that are difficult to identify and analyze. To facilitate analysis, infrastructure interdependencies must be viewed from a “system of systems,” or holistic, perspective. Failures affecting interdependent infrastructures can be described in terms of three general categories:
• Cascading failure. A disruption in one infrastructure causes a disruption in a second infrastructure (e.g. the August 2003 blackout led to communications and water-supply outages, air traffic disruptions, chemical plant shutdowns, and other interdependency-related impacts).
• Escalating failure. A disruption in one infrastructure exacerbates an independent disruption of a second infrastructure (e.g. the time for recovery or restoration of an infrastructure increases because another infrastructure is not available).
• Common cause failure. A disruption of two or more infrastructures at the same time results from a common cause (e.g. Hurricane Katrina simultaneously impacted electric power, natural gas, petroleum, water supply, emergency services, telecommunications, and other infrastructures).
As an illustration of cascading and escalating failures, consider the disruption of a microwave communications network that is used for the supervisory control and data acquisition (SCADA) system in an electric power network. The lack of monitoring and control capabilities by the SCADA system could cause generating units to be taken off-line, which, in turn, could cause a loss of power at a distribution substation. This loss could lead to blackouts for the area served by the substation. The electricity outages could affect multiple dependent infrastructures (depending on the availability of backup systems), such as transportation and water systems, commercial office buildings, schools, chemical facilities, banking and financial institutions, and many others. These disruptions could lead to delays in repair and restoration activities (i.e. an escalating failure) because of logistics, communications, business services, and other interdependency-related problems. This simplified example reinforces the notion that understanding and analyzing cascading and escalating failures require a systems perspective and a broad set of interdisciplinary skills.
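The SCADA illustration above can be worked through as a small dependency-graph model. This is an added example, not one of the tools this article describes: the asset list follows the text, while the backup durations, the list of services that repair crews rely on, and all function names are constructed assumptions. It also goes one step beyond the text by allowing several initial failures, which models a common cause failure.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    depends_on: tuple = ()     # upstream assets; losing any one is a loss of input
    backup_hours: float = 0.0  # ride-through time on backup systems (constructed)


# Constructed model of the SCADA example in the text.
ASSETS = (
    Asset("microwave_comms"),
    Asset("scada", ("microwave_comms",)),
    Asset("generation", ("scada",), backup_hours=0.5),
    Asset("substation", ("generation",)),
    Asset("transportation", ("substation",)),
    Asset("water", ("substation",), backup_hours=4),
    Asset("chemical_plant", ("substation", "water"), backup_hours=1),
    Asset("banking", ("substation",), backup_hours=48),
)

# Services that repair and restoration crews rely on (assumption).
REPAIR_NEEDS = ("transportation", "banking")


def cascade(assets, roots, outage_hours):
    """Return {asset name: hour it goes down} for everything lost within the outage.

    Roots fail at hour 0 (several roots model a common cause failure). A dependent
    asset fails backup_hours after its first lost input, unless the outage ends first.
    """
    by_name = {a.name: a for a in assets}
    dependents = {a.name: [] for a in assets}
    for asset in assets:
        for upstream in asset.depends_on:
            dependents[upstream].append(asset.name)

    down = {}
    queue = [(0.0, root) for root in roots]
    heapq.heapify(queue)
    while queue:
        hour, name = heapq.heappop(queue)  # earliest pending failure first
        if name in down:
            continue
        down[name] = hour
        for child in dependents[name]:
            child_hour = hour + by_name[child].backup_hours
            if child not in down and child_hour < outage_hours:
                heapq.heappush(queue, (child_hour, child))
    return down


def repair_blockers(down, repair_needs=REPAIR_NEEDS):
    """Failed services that restoration itself depends on: the escalating-failure signal."""
    return sorted(name for name in repair_needs if name in down)


if __name__ == "__main__":
    for hours in (2, 72):
        down = cascade(ASSETS, ["microwave_comms"], hours)
        print(f"{hours}h outage -> down: {down}")
        print(f"  repair blocked by: {repair_blockers(down)}")
```

With these constructed values a 2-hour outage leaves water and banking running on backup, while a 72-hour outage takes down every asset and adds banking to the services whose loss slows restoration.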
The state of operation of an infrastructure—which can range from normal operation to various levels of stress, disruption, or repair and restoration—must also be considered in examining interdependencies. Further, it is necessary to understand backup systems, other mitigation mechanisms that reduce interdependency-related problems, and the change in interdependencies as they relate to outage duration and frequency. Such considerations add complexity to the process of quantifying infrastructure interdependencies. 2.1 Lessons Learned Analytical studies and real-world events have highlighted the importance of the characteristics and complexities described above. A number of lessons have been learned that have broad implications for interdependencies planning and analysis:
• Interdependencies have no borders. Infrastructure systems and supply chains transcend geographic and geopolitical boundaries, allowing disruptions to cascade in ways that are not well documented or well understood.
• Interdependencies can be considered at multiple levels. Different perspectives can be applied in analyzing interdependencies, ranging from an asset- or facility-level perspective to a network-, community-, region-, systems-, or CIKR sector-level perspective.
• Intra- and interregional interdependencies are fundamental to ensuring regional resilience. Analysts must examine interdependencies that are internal to a region (intraregional interdependencies), as well as the interconnections with other regions (interregional interdependencies), which could include backbone infrastructure systems and networks, transfers of goods and services, and shared emergency response capabilities (Fig. 1).
• Interdependencies can influence all components of risk. Interdependencies can act as a “risk multiplier” in that they can influence all components of risk. For example, interdependencies can (i) amplify the consequences of a disruption because of cascading and escalating impacts, (ii) expand the set of vulnerabilities because CIKR can be affected indirectly, and (iii) in the case of terrorism, change the threat (intent) through innovative targeting to specifically exploit interdependencies.
• Interdependencies change during events. Pre-event interdependencies, which are a function of system operations and topologies, change during an event (trans-event) depending on the specific assets affected, the use of backup systems, and the implementation of contingency plans. Post-event interdependencies may be different from pre-event interdependencies depending on how infrastructure systems are reconstituted, how supply chains are reconfigured, and how operational procedures and contingency plans are modified.
FIGURE 1 Intra- and interregional interdependencies.
Given these considerations, key questions—from an owner/operator viewpoint—that facilitate discovery of interdependencies information and help determine the importance of interdependencies impacts include the following:
• Do you know what CIKR you depend on and who are your suppliers?
  ◦ direct reliance on infrastructures;
  ◦ indirect reliance through supply chains; and
  ◦ reliance on vendors (goods and services).
• Do you know what cascading impacts might result from disruptions?
• Do you know what backup systems are in place and how long they are likely to last?
• Do you know where to get information about infrastructure restoration priorities and time lines?
2.2 Research and Development Needs
Consistent with the new national strategy described in the NIPP, The National Plan for Research and Development in Support of Critical Infrastructure Protection (NCIP R&D Plan)—prepared by the Office of Science and Technology Policy and the Department of Homeland Security (DHS) Directorate for Science and Technology—recognizes that physical and cyber infrastructures must be addressed in an integrated manner because these two areas are interdependent in all sectors, and each can disrupt or disable the other [10]. The NCIP R&D Plan represents an important shift in philosophy in that past R&D roadmaps for CIP tended to separate physical and cyber considerations. As described more fully in later articles of this handbook, the NCIP R&D Plan notes that “critical infrastructure systems are complex, interconnected physical and cyber networks that include nodes and links with multiple components. Analysis and decision support methods help decision makers make informed choices involving these complex systems using structured, analytic approaches that incorporate controlling factors and detailed knowledge relevant to the critical infrastructure systems and their interconnectivity and reliance on one another.” Among the many R&D needs described in the Plan, decision and analysis R&D work is needed to achieve the following:
• Develop risk-informed prioritization and investment strategies to fund research, to address the most serious issues first, and to achieve the best return from the limited funding resources available.
• Develop precision vulnerability analysis tools to quantitatively predict the performance of critical infrastructure network elements if attacked, and advance these engineering tools to include new materials, innovative network design concepts, and emerging computational methods.
• Develop high-fidelity modeling and simulation capabilities to quantitatively represent the sectors and their interconnectivity and to identify realistic, science-based consequences if attacked.
• Develop integrated, multi-infrastructure advanced action and response plans for a range of threat/hazard scenarios, and “war-game” these actions and plans to anticipate problems and prepare in advance the most effective combinations and sequences of protection measures before an event occurs.
The emphasis on developing modeling and simulation capabilities and making risk-informed decisions underscores the need to (i) devise new approaches for addressing CIKR as a “system of systems” and (ii) explicitly include interdependencies considerations. Difficult issues related to spatial and temporal modeling resolution, propagation pathways for cascading disruptions, system complexity and nonlinear behavior, uncertainty, and human factors remain largely unanswered (although, as described below, progress is being made).
3 MODELING OF INFRASTRUCTURE INTERDEPENDENCIES

The “science” of interdependencies is still relatively new, although new modeling and simulation tools are beginning to address selected dimensions of interdependency (Fig. 2). A variety of models and computer simulations have been developed to analyze the operational aspects of individual infrastructures (e.g. load flow and stability programs for electric power networks, connectivity and hydraulic analyses for pipeline systems, traffic management models for transportation networks). In addition, simulation frameworks that allow the coupling of multiple, interdependent infrastructures are beginning to emerge. For example, the DHS National Infrastructure Simulation and Analysis Center (NISAC)—built around a core partnership of Los Alamos National Laboratory and Sandia National Laboratories and chartered to develop advanced modeling, simulation, and analysis capabilities for the nation’s CIKR—has developed tools to address physical and cyber dependencies and interdependencies in an all-hazards context [7]. Actor-based infrastructure modeling, simulation, and analysis tools, such as the Interdependent Energy Infrastructure Simulation System (IEISS), have been developed to assist individuals in analyzing and understanding interdependent energy infrastructures [11]. Dynamic systems and agent-based models also are being developed to capture economic interactions between the decision makers in infrastructure networks [12]. NISAC also has developed tools such as N-ABLE, a large-scale microeconomic simulation tool that captures the complex supply chain and market dynamics of businesses in the US economy, and the Fast Analysis Infrastructure Tool, which provides information on infrastructure assets, including their interrelationships with other infrastructure assets. 
Other interdependencies-related tools include the Urban Infrastructure Suite, a set of seven interoperable modules that employ advanced modeling and simulation methodologies to represent urban infrastructures and their interdependencies, as well as populations [13].

FIGURE 2 Dimensions of interdependencies [3]. (Dimensions shown: types of interdependencies, infrastructure characteristics, state of operation, type of failure, coupling and response behavior, and environment.)

In a joint effort, Argonne, Los Alamos, and Sandia national laboratories, under the sponsorship of the DHS Science and Technology Directorate, are developing a risk-informed decision support system (DSS)—the Critical Infrastructure Protection/Decision Support System (CIP/DSS)—that provides insights for making CIP decisions by considering all CIKR sectors and their primary interdependencies [14]. CIP/DSS will assist decision makers in making informed choices by functionally representing the CIKR sectors and their interdependencies; computing human health and safety, economic, public confidence, national security, and environmental impacts; and synthesizing a methodology that is technically sound, defensible, and extendable. CIP/DSS will address questions such as the following:
• What are the consequences of attacks on infrastructure in terms of national security, economic impact, public health, and conduct of government, including the consequences that propagate to other infrastructures?
• Are there choke points in our nation’s infrastructures (i.e. areas where one or two attacks could have the largest impact)? What and where are the choke points?
• What are the highest-risk areas when consequence, vulnerability, and threat information are incorporated into an overall risk assessment?
• What investment strategies can the United States make that will have the most impact in reducing overall risk?

CIP/DSS has been applied to problems involving an agricultural pathogen that affected the food chain and involved regional transportation quarantines, as well as a telecommunications disruption that degraded the operation of other infrastructure sectors. Using CIP/DSS, analysts computed decision metrics and utility values for several investment alternatives that would mitigate the impact of the incidents.

Argonne National Laboratory has developed a series of modeling and simulation tools to address various facets of infrastructure assurance and interdependencies. These tools include the Electricity Market Complex Adaptive Systems (EMCAS) model, which is designed to provide new insights into today’s dynamic electricity markets [15–17]. EMCAS uses agent-based modeling techniques that represent multiple and diverse market participants or “agents,” each with its own unique set of business and bidding strategies, risk preferences, objectives, and decision rules. The success of an agent is a function not only of its own decisions and actions, but also of the decisions and actions of other market participants. Because minimal amounts of local information are shared among
participants, agent decisions in EMCAS are made without either perfect knowledge or certainty. The model’s complex adaptive systems (CAS) approach empowers market agents to learn from past experience and change and adapt their behavior when future opportunities arise. With EMCAS, analysts can capture and investigate the complex interactions between the physical infrastructures (i.e. generation, transmission, and distribution) and the economic behaviors of market participants, which are a trademark of the newly emerging markets. The model does this by representing the transmission grid in detail and simulating the market operation on a chronological, hourly basis. This feature is particularly important when trying to assess the issue of market power. Other CAS models, such as SMART II+ and SymSuite, have been developed to analyze large-scale, interconnected infrastructures with complex physical architectures [18, 19]. These models emphasize the specific evolution of integrated infrastructures and their participants’ behavior, not just simple trends or end states. Argonne is also developing a next-generation drag-and-drop simulation-building platform that offers a unique, comprehensive, and unified modeling environment with capabilities for developing and integrating dynamic physical systems models, agent-based simulations, real-time data flows, advanced visualization, and postprocessing tools. Another tool, called Restore, was developed at Argonne to address the postdisruption elements of interdependencies. Through Monte Carlo simulation, Restore estimates the time and/or cost to restore a given infrastructure component, a specific infrastructure system, or an interdependent set of infrastructures to an operational state [20]. The tool allows users to create a representative model of recovery and restoration activities. Graphical and tabular results allow analysts to better quantify the impact of infrastructure disruptions. 
Restore also provides a framework for incorporating uncertainty into the analysis of critical infrastructures.

Considerable research and model development are also underway at academic institutions and research centers throughout the world. For example, a Critical Infrastructure Simulation by Interdependent Agents (CISIA) simulator was developed at the Universita Roma Tre using CAS techniques to analyze the short-term effects of infrastructure failures in terms of fault propagation and performance degradation [21]. An Inoperability Input–Output Model was developed at the University of Virginia Center for Risk Management of Engineering Systems to analyze the impacts of an attack on an infrastructure and the cascading effects (in economic and inoperability terms) on all other interconnected and interdependent infrastructures [22]. Although it is not possible to cite all relevant research, an inventory and analysis of protection policies in 20 countries and 6 international organizations was published in 2006 by the Center for Security Studies in Zurich, Switzerland [23].
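The inoperability input-output idea cited above [22] can be made concrete with a short sketch, added here as an illustration and not taken from the University of Virginia model or any tool named in this article. It assumes the relation q = A q + c from that literature (q is inoperability, A the interdependency matrix, c the direct perturbation); the four sectors, every coefficient, the output figures, and all function names are constructed for the example.

```python
"""Inoperability input-output sketch. All sector names and numbers are constructed."""

SECTORS = ["power", "telecom", "water", "transport"]  # hypothetical sectors

# A[i][j]: inoperability induced in sector i per unit inoperability of sector j
# (0 = fully operable, 1 = fully inoperable). Constructed coefficients.
A = [
    [0.0, 0.1, 0.0, 0.1],  # power needs telecom (control links) and transport (fuel)
    [0.4, 0.0, 0.0, 0.0],  # telecom needs power
    [0.5, 0.1, 0.0, 0.0],  # water needs power and telecom
    [0.2, 0.2, 0.0, 0.0],  # transport needs power and telecom
]

# Planned output of each sector in $M/day (constructed), used to price the losses.
PLANNED_OUTPUT = [100.0, 80.0, 40.0, 120.0]


def mat_vec(a, v):
    """Multiply matrix a by vector v."""
    return [sum(a_ij * v_j for a_ij, v_j in zip(row, v)) for row in a]


def cascade_tiers(a, c, tol=1e-12, max_tiers=1000):
    """Return [c, A c, A^2 c, ...]: the direct hit, then each order of cascade.

    The series converges only when the spectral radius of A is below 1, i.e.
    when dependencies damp a disruption instead of amplifying it.
    """
    if any(x < 0 for row in a for x in row) or any(x < 0 for x in c):
        raise ValueError("coefficients and perturbations must be non-negative")
    tiers = [list(c)]
    while max(tiers[-1]) > tol:
        if len(tiers) > max_tiers:
            raise ValueError("cascade does not die out; A is not a damping matrix")
        tiers.append(mat_vec(a, tiers[-1]))
    return tiers


def inoperability(a, c):
    """Steady-state inoperability q that satisfies q = A q + c."""
    tiers = cascade_tiers(a, c)
    q = [sum(tier[i] for tier in tiers) for i in range(len(c))]
    if max(q) > 1.0:
        raise ValueError("a sector exceeds total loss; the linear model no longer applies")
    return q


def economic_loss(q, planned_output):
    """Daily loss per sector: planned output times inoperability."""
    return [x * q_i for x, q_i in zip(planned_output, q)]


def rank_by_total_loss(a, planned_output, names, hit=0.1):
    """Apply the same direct hit to each sector in turn and rank the outcomes.

    Returns (name, total_loss, cascaded_loss) tuples, largest total first.
    cascaded_loss is the total minus the direct loss in the sector that was hit,
    which is the share that interdependency analysis adds to a single-sector view.
    """
    rows = []
    for j, name in enumerate(names):
        c = [hit if i == j else 0.0 for i in range(len(names))]
        total = sum(economic_loss(inoperability(a, c), planned_output))
        rows.append((name, total, total - planned_output[j] * hit))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    c = [0.2, 0.0, 0.0, 0.0]  # constructed scenario: power loses 20% of function
    for name, q_i in zip(SECTORS, inoperability(A, c)):
        print(f"{name:10s} inoperability {q_i:.4f}")
    for name, total, cascaded in rank_by_total_loss(A, PLANNED_OUTPUT, SECTORS):
        print(f"{name:10s} total {total:6.2f}  cascaded {cascaded:6.2f}  ($M/day)")
```

In the constructed data, transport ranks second on total loss although nearly all of that loss is direct, while the loss from a power disruption roughly doubles through cascades; that difference is what a single-sector assessment cannot show.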
4 EDUCATION AND SKILL REQUIREMENTS

Multiple viewpoints and a broad set of interdisciplinary skills are required to understand, analyze, and sustain the robustness and resilience of our interdependent infrastructures [9]. For example, engineers (e.g. chemical, civil, electrical, industrial, mechanical, nuclear, structural, and systems) are needed to understand the technological underpinnings of
the infrastructures, as well as the complex physical architectures and dynamic feedback mechanisms that govern their operation and response (e.g. response to stresses and natural and man-made disruptions). Supply-chain analysts are needed to unravel and analyze, from an interdependencies perspective, the local, regional, national, and international flows of goods and services that support the functioning of our infrastructures. Computer scientists, information technology specialists, and network and telecommunications experts are needed to understand the electronic and informational (cyber) linkages among the infrastructures. Information security and information assurance professionals are needed to ensure cyber security. Economists are needed to understand the myriad marketplace and financial considerations that shape the business environment for public and private-sector infrastructure owners and operators. Expertise in estimating the direct and indirect economic consequences of infrastructure disruptions and building the necessary business cases for action is critical. Social scientists are needed to understand the behaviors of infrastructure service providers, brokers, consumers, and other organizational entities that compete in the new economy. Health physicists and safety professionals are needed to quantify the public health and safety consequences of various disruption events that involve a wide range of threats (e.g. chemical, biological, radiological, nuclear, and explosive sources). Lawyers, regulatory analysts, and public policy experts are needed to understand the legal, regulatory, and policy environment within which the infrastructures operate. Security and risk management experts are needed to perform vulnerability assessments (physical and cyber) and develop strategies to protect against, mitigate the effects of, respond to, and recover from infrastructure disruptions. 
Software engineers, along with appropriate infrastructure domain and interdependencies experts, are needed to develop modeling and simulation tools to assess the technical, economic, psychological, and national security implications of technology and policy decisions designed to ensure the reliability and security of the nation’s interdependent infrastructures. Insights from such tools will inform policy and decision-making processes. Most important, risk and decision analysts are needed to help government officials at all levels, as well as private-sector infrastructure owners and operators, make cost-effective operation, protection, and risk management decisions. Such skills are also required to make defensible public policy, R&D, and resource-allocation decisions—and to effectively communicate those decisions.
5 PATH FORWARD

Important progress is being made in developing analytical approaches and modeling and simulation tools to address various facets of interdependencies. However, much remains to be accomplished, particularly because of the complexity and pervasive nature of interdependencies, and because they influence—in complex and uncertain ways—each component of the risk equation (threat, vulnerability, and consequence). A wide range of interdisciplinary skills are clearly required for comprehensive interdependencies analysis. This creates an additional challenge in terms of training across the diverse range of skill sets (e.g. software engineers, economists, and social scientists) and developing integrated
analyses and assessments. Exercises, such as the Blue Cascades exercises undertaken in the Pacific Northwest, provide a forum for discussing such issues and uncovering critical concerns at both the local and regional levels [24]. Information captured in responding to accidents and natural disasters, such as the August 2003 blackout and the recent hurricanes along the Gulf Coast, also provides valuable insights. The following actions provide a foundation and path forward for understanding and analyzing interdependencies:
• Identify internal and external infrastructure assets, systems, and networks that, if lost or degraded, could adversely affect the facility, sector, or region of interest.
• Study natural disasters and incidents to gain insight into interdependencies problems and solutions.
• Develop contingency plans to deal with cascading outages.
• Identify how backup systems and other mitigation mechanisms can reduce interdependencies problems (and implement these mechanisms, as appropriate).
• Address interdependencies-related security through contractual arrangements with suppliers and distributors.
• Develop effective and secure procedures to share sensitive information, as appropriate, and tools to analyze interdependencies-related impacts.
• Collaborate, cooperate, and participate with supply/security partners; avoid failure of imagination in terms of “what if” events that could lead to infrastructure disruptions and associated interdependencies-related impacts.
REFERENCES

1. President’s Commission on Critical Infrastructure Protection (1997). Critical Foundations: Protecting America’s Infrastructures. Available at http://fas.org/library/pccip.pdf.
2. U.S.-Canada Power System Outage Task Force (2004). Final Report on the August 14, 2003, Blackout in the United States and Canada: Causes and Recommendations, April.
3. Rinaldi, S., Peerenboom, J. P., and Kelly, T. (2001). Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies. IEEE Control Syst. Mag. pp 11–25.
4. The White House (2003). Homeland Security Presidential Directive/HSPD-7: Critical Infrastructure Identification, Prioritization, and Protection. Available at http://www.dhs.gov/xabout /laws/gc 121459789952.sthm#1. Department of Homeland Security, Washington, DC.
5. The White House (2003). The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. Available at http://www.dhs.gov/xlibrary/assets/Physical Strategy.pdf. Department of Homeland Security, Washington, DC.
6. The White House (2003). The National Strategy to Secure Cyberspace. Washington, DC.
7. U.S. Department of Homeland Security (2006). National Infrastructure Protection Plan. Department of Homeland Security, Washington, DC.
8. Peerenboom, J. P., Fisher, R. E., Rinaldi, S., and Kelly, T. (2002). Studying the Chain Reaction. Electr. Perspect. 22–35.
9. Peerenboom, J. P. (2001). Infrastructure Interdependencies: Overview of Concepts and Terminology, invited paper, National Science Foundation/Office of Science and Technology Policy Workshop on Critical Infrastructure: Needs in Interdisciplinary Research and Graduate Training, June 14–15, 2001, Washington, DC.
10. The Executive Office of the President, Office of Science and Technology Policy, and the Department of Homeland Security Science and Technology Directorate (2004). The National Plan for Research and Development in Support of Critical Infrastructure Protection.
11. Visarraga, D., Bush, B., Linger, S. P., and McPherson, T. N. (2005). Development of a JAVA Based Water Distribution Simulation Capability for Infrastructure Interdependency Analyses. World Water Congress 2005: Impacts of Global Climate Change, May 15–19, Anchorage, Alaska, p. 14.
12. Brown, T., Beyeler, W., and Barton, D. (2004). Assessing Infrastructure Interdependencies: The Challenge of Risk Analysis for Complex Adaptive Systems. Int. J. Crit. Infr. 1(1), pp. 108–117.
13. See the Los Alamos National Laboratory web site (http://www.lanl.gov) and Sandia National Laboratories web site (http://www.sandia.gov/mission/homeland/programs/critical/nisac.html) for more detailed descriptions of tools and capabilities.
14. Bush, B., Dauelsberg, L., Ivey, A., LeClaire, R., Powell, D., DeLand, S., and Samsa, M. (2005). Critical Infrastructure Protection Decision Support System (CIP/DSS) Project Overview, LA-UR-05-1870, 3rd International Conference of the System Dynamics Society, July 17–21, 2005, Boston, MA.
15. Veselka, T., Boyd, G., Conzelmann, G., Koritarov, V., Macal, C., North, M., Schoepfle, B., and Thimmapuram, P. (2002). Simulating the Behavior of Electricity Markets with an Agent-Based Methodology: The Electricity Market Complex Adaptive System (EMCAS) Model. 22nd International Association for Energy Economics International Conference, October 2002 Vancouver, BC, Canada.
16. North, M. J., Thimmapuram, P. R., Macal, C. Cirillo, R., Conzelmann, G., Koritarov, V., and Veselka, T. (2003). EMCAS: An Agent-Based Tool for Modeling Electricity Markets. Proceedings of the Agent 2003 Conference on Challenges in Social Simulation, October 2003, Argonne National Laboratory/The University of Chicago, Chicago, IL.
17. Macal, C., Boyd, G., Cirillo, R., Conzelmann, G., North, M., Thimmapuram, P., and Veselka, T. (2004). Modeling the Restructured Illinois Electricity Market as a Complex Adaptive System. 24th Annual North American Conference of the USAEE/IAEE: Energy, July 8–10, 2004, Environment and Economics in a New Era, Washington, DC.
18. North, M. J. (2000). SMART II+: The Spot Market Agent Research Tool Version 2.0 Plus Natural Gas Proceedings of the Computational Analysis of Social and Organizational Science Conference 2000, Carnegie Mellon University, Pittsburgh, PA, pp. 161–162.
19. Thomas, W. H., North, M. J., Macal, C. M., and Peerenboom, J. P. (2003). From Physics to Finances: Complex Adaptive Systems Representation of Infrastructure Interdependencies, Naval Surface Warfare Center Technical Digest, Naval Surface Warfare Center, Dahlgren, VA, pp. 58–67.
20. Peerenboom, J. P., Fisher, R. E., and Whitfield, R. (2001). Recovering from Disruptions of Interdependent Critical Infrastructures presented at the CRIS/DRM/IIIT/NSF Workshop, September 10–11, 2001, Alexandria, VA.
21. Panzieri, S., Setola, R., and Ulivi, G. (2004). An Agent Based Simulator for Critical Interdependent Infrastructures. Proceedings of the 2nd International Conference on Critical Infrastructures, October 24–27, 2004.
22. Haimes, Y. Y., Horowitz, B.M., Lambert, J.H., Santos, J.R., Lian, C., and Crowther, K.G. (2005). et al. Inoperability Input-Output Model for Interdependent Infrastructure Sectors: Theory and Methodology. J. Infr. Sys. 11(2), 67–79.
23. See the International Critical Information Infrastructure Protection (CIIP) Handbook, available at the Crisis and Risk Network web site http://www.crn.ethz.ch/.
24. See Pacific NorthWest Economic Region web site for Blue Cascades information http://www.pnwer.org.
SYSTEM AND SECTOR INTERDEPENDENCIES: AN OVERVIEW OF RESEARCH AND DEVELOPMENT

Paul D. Domich
CIP Consulting, Inc., Boulder, Colorado

1 INTRODUCTION

This article will address the National Critical Infrastructure Protection Research and Development (NCIP R&D) Plan, the National Infrastructure Protection Plan (NIPP) and sector-specific agencies’ (SSAs) R&D efforts.

2 HIGH-LEVEL R&D PRIORITIES FOR CRITICAL INFRASTRUCTURE/KEY RESOURCE

As recognized in the National Strategy for Homeland Security, “The Nation’s advantage in science and technology is a key to securing the homeland.” Research and development in modeling complex systems, data analysis, information sharing, threat identification and the detection of attacks, and the development of effective countermeasures will help prevent or limit the damage from disasters both man-made and naturally occurring. A systematic national effort has been created to leverage science and technology capabilities in support of national homeland security goals that involve private sector companies, universities, research institutes, and government laboratories involved in research and development on a very broad range of issues.

3 MOTIVATION FOR A NATIONAL R&D PLAN

Achieving this potential to field important new capabilities and focus new efforts in support of homeland security is a major undertaking. The Department of Homeland Security (DHS) and other federal agencies have been given responsibility to work with private and public entities to ensure that our homeland security research and development efforts are of sufficient size and sophistication to counter the threats posed by natural disasters and terrorism. The goal of this national R&D effort is to develop the desired new capabilities through “an unprecedented level of cooperation throughout all levels of government, with private industry and institutions, and with the American people to protect our critical infrastructures (CIs) and key assets from terrorist attack.”¹

¹ Homeland Security Presidential Directive 7/HSPD-7.
4 NATIONAL STRATEGIES, PRESIDENTIAL DIRECTIVES, AND AUTHORIZING LEGISLATION

The roles and responsibilities related to critical infrastructure/key resource (CIKR) research and development follow from a series of authorities, including the Homeland Security Act of 2002, CIKR protection-related legislation, Presidential Executive Orders, Homeland Security Presidential Directives, and National Strategies. These current authorities and directives have built upon those previously issued including Presidential Decision Directive 63—Protecting America’s Critical Infrastructures (PDD-63) released in May of 1998 and spanning the broad homeland security landscape. The most significant authorities related to CIKR research and development are the Homeland Security Act of 2002 and Homeland Security Presidential Directive/HSPD-7.

Critical infrastructures as defined include food and water systems, agriculture, health systems and emergency services, information technology, telecommunications, banking and finance, energy (electrical, nuclear, gas and oil, and dams), transportation (air, highways, rail, ports, and waterways), the chemical and defense industries, postal and shipping entities, and national monuments and icons. Key resources refer to publicly or privately controlled resources essential to the minimal operations of the economy or government.
The Homeland Security Act of 2002 provides the basis for the roles and responsibilities of the US Department of Homeland Security (DHS) in the protection of the nation’s CIKR. This act defined the DHS mission as that of “reducing the nation’s vulnerability to terrorist attacks,” major disasters, and other emergencies, and charged the department with the responsibility of evaluating vulnerabilities and ensuring that steps are implemented to protect the high-risk elements of America’s CIKR. The Homeland Security Act created the DHS Science and Technology Directorate and assigned it the responsibility to perform research and development in these areas in support of the broad DHS mission. Title II, Section 201 of the Act also assigned primary responsibility to the DHS to develop a comprehensive national plan for securing CIKR and for recommending “measures necessary to protect the key resources and CI of the United States in coordination with other agencies of the Federal Government and in cooperation with state and local government agencies and authorities, the private sector, and other entities.” Similarly, Homeland Security Presidential Directive/HSPD-7 established the official US policy for “enhancing protection of the Nation’s CIKR” and mandated a national plan. This directive sets forth additional roles and responsibilities for DHS, sector-specific agencies (SSAs), other federal departments and agencies, state, local, and tribal governments, the private sector, and other security partners to fulfill HSPD requirements and calls for the collaborative development of the NIPP. HSPD-7 designates Federal Government SSAs for each of the CIKR sectors and requires development of an annual plan for each sector. 
HSPD-7 also directed the Secretary of DHS, in coordination with the Director of the Office of Science and Technology Policy, to prepare on an annual basis a federal research and development plan in support of critical infrastructure identification, prioritization, and protection. This plan is the National Plan for Research and Development in support of National Critical Infrastructure Protection (NCIP R&D) and was first released in 2005 (www.dhs.gov).
5 NATIONAL INFRASTRUCTURE PROTECTION PLAN

The NIPP is a multiyear plan describing mechanisms for sustaining the nation’s steady-state protective posture. The NIPP and its component sector-specific plans (SSPs) (see below) include a process for annual review, periodic interim updates as required, and regularly scheduled partial reviews and reissuance every 3 years, or more frequently, if directed by the Secretary of the DHS. In accordance with HSPD-7, the NIPP defines the framework for security partners to identify, prioritize, and protect the nation’s CIKR from terrorist attacks emphasizing protection against catastrophic health effects and mass casualties. The NIPP coordinates the activities for both public and private security partners in carrying out CIKR protection activities while respecting and integrating the authorities, jurisdictions, and prerogatives of each. While DHS has overall responsibility for developing the NIPP, the SSAs and their public and private sector counterparts are active partners in its development. The goal of the NIPP, to achieve a safer, more secure, and more resilient America, consists of the following principal objectives:
• understanding and sharing information about terrorist threats and other hazards;
• building security partnerships to share information and implement CIKR protection programs;
• implementing a long-term risk management program that includes:
    • hardening and ensuring the resiliency of CIKR against known threats and hazards, as well as other potential contingencies;
    • processes to interdict human threats to prevent potential attacks;
    • planning for rapid response to CIKR disruptions to limit the impacts on public health and safety, the economy, and government functions;
    • planning for rapid CIKR restoration and recovery for those events that are not preventable; and
• maximizing efficient use of resources for CIKR protection.
The NIPP comprehensive risk management framework clearly defines CIP roles and responsibilities for the DHS; federal SSAs; and other federal, state, local, territorial, tribal, and private sector security partners. The NIPP risk management framework is applied on an asset, system, network, or function basis, depending on the fundamental characteristics of the individual CIKR sectors. As illustrated in Figure 1, the framework relies on a continuous improvement cycle so as to address the ever-changing homeland security landscape. The NIPP also provides the coordinated approach needed to establish national CIKR priorities, goals, and requirements for infrastructure protection, including related short-term R&D requirements. The NIPP was first released in June 2006 (www.dhs.gov).

FIGURE 1 NIPP risk management framework. The cycle spans the physical, cyber, and human dimensions: set security goals; identify assets, systems, networks, and functions; assess risks (consequences, vulnerabilities, and threats); prioritize; implement protective programs; measure effectiveness. A feedback loop provides continuous improvement to enhance protection of CI/KR.

6 SECTOR-SPECIFIC PLANS

Annual SSPs are required from each of the federal SSAs (see Fig. 2). These plans provide a common vehicle across all CIKR sectors to communicate CIKR protection performance and progress to security partners and other government entities and focus on: priorities and annual goals for CIKR protection and associated gaps; sector-specific requirements for CIKR protection activities and programs based on risk and need; and projected CIKR-related resource requirements for the sector. Emphasis is placed on anticipated gaps or shortfalls in funding for sector-level CIKR protection and/or for protection efforts related to national-level CIKR that exists within the sector. The SSP plans address R&D requirements and activities relevant to the sector and include a description of future capabilities and R&D needed for that sector. These R&D sections align with the high-level federal CIKR R&D priorities but may also contain desired capabilities unique to the sector requirements and, therefore, not included in the broader and prioritized NIPP and NCIP R&D strategies and plans.

FIGURE 2 Sector Specific Agencies.

| Sector-Specific Agency | Critical Infrastructure/Key Resources Sector |
|---|---|
| Department of Agriculture; Department of Health and Human Services | Agriculture and food |
| Department of Defense | Defense industrial base |
| Department of Energy | Energy |
| Department of Health and Human Services | Public health and healthcare |
| Department of the Interior | National monuments and icons |
| Department of the Treasury | Banking and finance |
| Environmental Protection Agency | Drinking water and water treatment systems |
| Department of Homeland Security: Office of Infrastructure Protection | Chemical; Commercial facilities; Dams; Emergency services; Commercial nuclear reactors, materials, and waste |
| Office of Cyber Security and Telecommunications | Information technology; Telecommunications |
| Transportation Security Administration | Postal and shipping |
| Transportation Security Administration, US Coast Guard | Transportation systems |
| Immigration and Customs Enforcement, Federal Protective Service | Government facilities |

The sector coordinating councils (SCCs) are self-organized and self-governed forums comprised of private sector owners and operators with specific membership varying from sector to sector, reflecting the demographics of each sector. The SCCs serve as principal sector policy coordination and planning entities for CIKR issues.
The government coordinating councils (GCCs) are the government counterpart for each SCC established to facilitate interagency and cross-jurisdictional coordination. The GCC is comprised of representatives across various levels of government (federal, state, local, or tribal) as appropriate to the individual sector. SSPs are developed by a designated lead federal agency in close collaboration with the corresponding SCCs, GCCs, and their state, local, territorial, and tribal homeland security partners. These plans address the unique characteristics and risk for each sector while coordinating their activities with other sector and national priorities. The SSPs for each sector must be completed and submitted to DHS within 180 days of issuance of the NIPP. The SSPs serve to clearly define sector security partners and their authorities, regulatory bases, and roles and responsibilities. The plans address sector interdependencies and identify existing procedures for sector interaction, information sharing, coordination, and partnership as is appropriate. The SSAs and the various security partners identify and agree upon the goals and objectives for the sector as well as the desired protective posture for that sector. Consistent with the NIPP, the SSPs independently define the methodology used for assessing the risks and vulnerabilities of the sector and the mitigation strategy used. Specifically, the SSPs identify priority CIKR and functions within the sector, including cyber considerations; assess sector risks including potential consequences, vulnerabilities, and threats; assess and prioritize assets, systems, networks, and functions of national-level significance within the sector; and develop risk-mitigation programs based on detailed knowledge of sector operations and risk landscape. 
The plans also develop the protocols to transition between steady-state CIKR protection and incident response in an all-hazards environment and define the performance metrics to measure the effectiveness of the approaches employed. The SSP concurrence process includes a formal review process for GCC member departments and agencies, as well as demonstrated or documented collaboration and coordination within the SCC, which may include letters of endorsement or statements of concurrence.
7 NATIONAL PLAN FOR RESEARCH AND DEVELOPMENT IN SUPPORT OF CRITICAL INFRASTRUCTURE PROTECTION

The research and development plan for protecting CIKR mandated by HSPD-7 is the NCIP R&D. This plan focuses on (i) creating a baseline that identifies major research
SYSTEM AND SECTOR INTERDEPENDENCIES
1177
and technology development efforts within federal agencies and (ii) articulating a vision that takes into account future needs and identifies threat-based research gaps. The NCIP R&D Plan is developed through an intensive, collaborative, interagency effort and is coordinated with the R&D requirements coming from the NIPP and the associated SSPs. This public document highlights the longer-term targeted investments needed to help secure and protect the nation’s key infrastructures and resources from acts of terrorism, natural disasters, or other emergencies. The plan is organized around nine major focus areas or themes that impact all CIs, identifies three high level goals for protecting CIKR, and prioritizes key R&D areas needed for CIKR protection. Additional details on the NCIP R&D plan are described below.
8 RELATIONSHIP BETWEEN THE THREE CIKR PLANS FROM AN R&D PERSPECTIVE
The NIPP Plan and SSPs together provide key elements to the operationally focused CIKR protection strategy applicable within and across all sectors. The SSPs also address the unique needs, vulnerabilities, and methodologies associated with each sector while the NIPP provides the high level strategies and overall coordination of these activities. The SSP and NIPP plans encourage alignment with other homeland security plans and strategies at the state, local, territorial, and tribal levels, providing for coordinated CIKR protection responsibilities appropriate within each of the respective jurisdictions. The strategy outlined in the NIPP processes is also intended to provide the coordination, cooperation, and collaboration among private sector security partners within and across sectors to synchronize efforts and avoid duplicative security requirements. From an R&D perspective, each of the three national plans has wholly, or as a key component, the requirement to identify and prioritize new capabilities and future CIKR R&D needs. Proper coordination and alignment of these three plans are essential to making intelligent and effective investments in those R&D areas deemed most critical in the presence of limited R&D resources (both monetary and human). The proper coordination of these R&D activities takes into account the effective planning horizon for each plan, the stakeholder focus, and national R&D priorities established for protecting CIKR. With respect to R&D requirements, the NCIP R&D Plan represents the longer-term comprehensive strategy for research and development across all sectors, focusing on new and ongoing federal R&D. In contrast, the annual NIPP and SSP reports include R&D requirements over a 1- and 3-year planning horizon respectively and address the most pressing capabilities needed immediately. Stakeholder input is central to an effective short- and long-term R&D strategy.
Similar to the NIPP, the NCIP R&D Plan provides for the coordination, cooperation, and collaboration among other federal agencies, and private sector security partners within and across sectors to synchronize related R&D efforts and avoid duplicative programs. Asset owners and operators across all sectors, public and private sector commercial service providers and product developers, professional and trade associations, and the broad national research and development community including academia, federal agencies and National Laboratories, and private sector groups, all provide valuable input to the R&D agenda for CIKR. The NCIP R&D working with these stakeholder groups develops the long-term R&D strategy for CIKR.
9 CYCLICAL DEVELOPMENT
The NCIP R&D plan includes a survey of current top-priority CIKR research and development underway at federal agencies and National Laboratories. This baseline represents current R&D in support of homeland security as well as other traditional agency mission areas impacting CIKR. The future capabilities identified in each of these three plans assume a cyclical development cycle where current technology is successively evolved building upon existing applications and capabilities. This development approach provides security providers with interim technologies while maintaining focus on longer-term national CIKR priority R&D goals and objectives.
10 MOTIVATION FOR CROSS-CUTTING R&D THEMES FOR ALL SECTORS AND INFRASTRUCTURES
Previous efforts to develop the R&D requirements for infrastructure protection were typically assembled along individual sector categories. In particular, directed planning activities to be organized along sector lines. Following the extensive work to implement PDD 63, it was apparent that this sector orientation challenged our ability to cost-effectively and efficiently address key factors related to the R&D. Relevant factors identified in the 2005 National Plan for Research and Development in Support of Critical Infrastructure Protection include the following:
• Many different sectors contain infrastructure systems that are vulnerable to the same threats.
• Combined planning of related sectors more directly addresses the inherent and broadly applicable interconnections and interdependencies among infrastructure sectors.
• Past efforts had a tendency to separately consider cyber and physical, which are interdependent in all sectors.
• The efforts to reduce vulnerability were separate from the efforts to design new infrastructure for higher performance and quality. Efforts to reduce vulnerability are more effective if they are incorporated into new designs.
• The challenge of evaluating cross-cutting new threats against opportunities coming from new technological advances has not been adequately addressed. Cross-cutting observations of threats and opportunities could potentially be incorporated by designers into future specialized systems.
The NIPP together with the accompanying SSPs provide detailed sector plans essential for operational-level focus and for strategic and resource prioritization. However, for R&D planning purposes, important cross-sector synergies can be realized and funding better leveraged by grouping the sector R&D requirements across common themes. Owing to functional and operational requirements, though, the sector focus is retained in the NIPP together with the SSPs.
11 NINE COMMON THEMES
The NCIP R&D Plan is structured around nine themes in the fields of science, engineering, and technology that support all CI sectors, encompass both cyber and physical concerns, and are strongly integrated into an overall security strategy. The basis for selection of these nine themes was their repeated occurrence in the expressed concerns of infrastructure owners and operators, industry representatives, academia and government officials. The nine themes identified in the NCIP R&D plan are as follows:
1. Detection and sensor systems;
2. Protection and prevention;
3. Entry and access portals;
4. Insider threats;
5. Analysis and decision support systems;
6. Response, recovery, and reconstitution;
7. New and emerging threats and vulnerabilities;
8. Advanced infrastructure architectures and systems design; and
9. Human and social issues.
Through a broad interagency collaborative effort, federal agency experts and others have confirmed the completeness of the nine themes and identified three broad long-term strategic goals for CIKR. The three overarching CIKR strategic goals identified are as follows:
• Goal 1: A national common operating picture for CI;
• Goal 2: A next-generation computing and communications network with security “designed-in” and inherent in all elements; and
• Goal 3: A resilient, self-diagnosing, and self-healing physical and cyber infrastructure system.
The nine themes of the NCIP R&D Plan map directly onto each of the three long-term strategic goals and contain both long-term and short-term priority research and development areas. Figure 3, which appears in the 2005 National Plan for Research and Development in Support of Critical Infrastructure Protection, illustrates a mapping of a single theme area priority onto a strategic goal. These high level goals and their associated high priority R&D areas were vetted with stakeholder groups from the private sector, academia, and the National Laboratories, and serve to drive future R&D efforts and ensure that new and effective technologies will be available for the future security of the Nation’s CIKR.
FIGURE 3 Relationship of NCIP R&D goals and themes. [Figure not reproduced: the nine theme areas, each with its priority R&D areas, arranged around the strategic goal “Resilient, Self-Healing, Self-Diagnosing Infrastructure”.]
12 NCIP R&D PLAN THEME AREA: ANALYSIS AND DECISION SUPPORT SYSTEMS
This section describes the analysis and decision support system theme of the NCIP R&D Plan. This development is representative of the conclusions identified and serves to illustrate the range of R&D activities inherent in each theme area. Two examples are provided: the critical infrastructure protection decision support system and the interdependency models used to analyze the collapse of the World Trade Center (WTC) towers resulting from a terrorist attack. Examination of trade-offs between the benefits of risk reduction and the costs of protective action requires analysis and decision support systems that incorporate threat information, vulnerability assessments, and disruption consequences in quantitative analyses through advanced modeling and simulation. Broadly interpreted, the analysis and decision support technologies area addresses future R&D needs in
• risk analysis and decision theory for evaluating strategies and prioritizing CIP investments;
• threat evaluation;
• vulnerability and performance evaluation and design of upgrades;
• forensic analysis and reconstruction;
• consequence analysis and modeling of interconnected CI sectors; and
• integrated systems modeling.
Of the existing systems and technologies available presently, many are focused on military applications and are classified or otherwise restricted and have not been examined within the broad, integrated context necessary for homeland security in a domestic setting. As such, future work is needed to transform Department of Defense-focused technologies to homeland security applications where possible and to develop new technologies where gaps in current capabilities exist. Many of these topic areas are ripe for future research and development opportunities. Future R&D in analysis and decision support should be cognizant of, and attempt to address, the major challenges in this field of study, which are as follows:
• the increasing size and complexity of the models under examination;
• the vast size and complexity of the sectors being modeled;
• the need to tightly couple or integrate multiple models across disciplines and across sectors;
• the absence of standardized analysis metrics and measures across sectors; and
• the need for more agile, robust, and high confidence systems.
Future advances in the analysis and decision support approaches will change how analyses are performed and informed decisions are made. Together with improvements in graphical and computational capabilities and improved communication capability, accurate and timely decision information will transform how the nation responds to man-made and natural disasters. Central to all three of the strategic goals for CIKR is the development of effective and validated analysis and decision support systems.
13 OVERVIEW OF CONSEQUENCE ANALYSIS AND MODELING OF INTERCONNECTED CRITICAL INFRASTRUCTURE SECTORS
Of particular interest for this section is decision support through consequence analysis and the analytical modeling of interconnected and interdependent CIs. These consequence and impact analyses are central to quantifying the severity of disasters and are used in decision support systems by decision makers both for planning purposes and for real-time protection, response, and recovery activities. Decision makers must have the capability to understand the causes of disruptions to infrastructures (e.g., cascading failures), the consequences of decisions, and the trade-offs between alternative actions in the decision-making process. Through HSPD-7, 13 CI sectors have been identified: Agriculture and Food, Public Health/Health Care, Drinking Water and Wastewater Treatment Systems, Energy, Banking and Finance, National Monuments and Icons, Defense Industrial Base, Information Technology, Telecommunications, Chemical, Transportation Systems, Emergency Services, and Postal and Shipping. Analytical models of these CIs must possess sufficient accuracy to represent their normal behavior and the effects of disruptions due to a range of threats. The inherent interconnectivity and interdependencies of these systems make this modeling effort a long-term monumental challenge.
14 OVERVIEW OF MODELS
There has been considerable effort put forth in providing analytical models for select infrastructure sectors. For energy and the telecommunications sectors, for example, detailed models have been previously developed by Department of Energy (DOE), National Communications System, and private sector organizations from these sectors. As mentioned previously, the DOE National Laboratories and the DHS National Infrastructure Simulation and Analysis Center (NISAC) have developed and/or extended the number of infrastructure models to include interdependencies and to enhance model fidelity and breadth of application. Models for agriculture, food, banking and finance, and government facilities are either less mature or not well understood or characterized. For specific biological events, such as pandemic/avian flu, the US Department of Health and Human Services and DHS have developed detailed models to analyze the spread and impact of a major biological disease outbreak.
15 INFRASTRUCTURE SYSTEM AND SECTOR INTERDEPENDENCY R&D PRIORITIES
Current infrastructure system and sector interdependency development at three DOE National Laboratories is focusing on new tools for interdependency modeling and simulation of the CI sectors. These models use a system dynamics approach to analyze changes in supplies and demands within and between infrastructures. These models study disasters ranging from major hurricane impacts to biological/agriculture disease outbreaks to failures in key components of the telecommunication system. These studies use existing knowledge and understanding of the systems and sectors under examination and verify model behaviors—where possible—using past disaster events to confirm that the predicted interdependencies and computational results were realistic. Other efforts such as those of NISAC seek to develop higher fidelity models with comparable vulnerability and consequence analyses for select CI sectors. These focused sector models provide detailed understanding of the progression and impact of disruptions to the associated infrastructures though they embody more limited interdependencies with other infrastructures. Important advances in vulnerability assessments will include new integrated physics-based models for analyzing highly complex and integrated systems such as those that were developed for the fire dynamics and structural failure analyses of the WTC towers. Advances are still needed in the development of practical tools for quantifying the full spectrum of the consequence metrics identified in HSPD-7 in order to inform investment decisions for all-hazards risk management and emergency preparedness. These types of models must be developed to address the needs for CIP with data and results that are compatible and interoperable with other sector models.
These systems must be flexible and responsive to evolving requirements and conditions imposed by decision makers and changes in the physical and cyber environments. Data for these systems must remain current and contain sufficient granularity to provide adequate specification to the models to be useful in detailed analyses. And there is a need for improved modeling and simulation methods that will make it easier to predict the behavior of complex generic computer networks under various scenarios, and to perform “what-if” analyses. This latter development will be analogous to a virtual experiment performed on a computer network under a range of different conditions. Integration of such cyber network models into larger infrastructure models will contribute to the understanding that is gained from interdependency modeling for the CI sectors.
Example 1: The Critical Infrastructure Protection-Decision Support System (CIP-DSS)
The Critical Infrastructure Protection-Decision Support System (CIP-DSS), developed by the DOE National Laboratories at Sandia, Los Alamos, and Argonne through funding from the DHS, is a risk-informed decision analysis tool using a suite of mathematical models for assessing the consequences of CI disruption at both the metropolitan and national levels. This modeling effort is the first of its kind to incorporate infrastructure interdependencies along with workforce or population, and geographical influences, in a unified decision support system. The CIP-DSS modeling system comprises a wide range of mathematical models, tools, and associated data. Included are system dynamics models that: represent each of the 17 relevant sectors/assets; include geographical influences that interact with each sector component in the model; represent the primary interdependencies among infrastructures and primary processes, activities and interactions of each infrastructure; provide for important feedback mechanisms and all critical inputs and outputs across infrastructures; and have the capability to handle major substitution effects. The data for the models come from a range of sources and include, for example, industry production reports, published literature, and data from the Census Bureau and Bureau of Labor Statistics. This system is used to simulate the steady-state conditions simultaneously across all infrastructures and the effects of disruptions to steady state, caused by specific threat scenarios in a Monte Carlo simulation setting. The outputs of the consequence modeling are used in a decision-support methodology to analyze and evaluate alternative strategies and their related impacts. Examples of questions that this decision support system is designed to answer include the following:[2]
• What are the consequences of attacks on infrastructure in terms of national security, economic impact, public health, and conduct of government, including the consequences that propagate to other infrastructures?
• Are there choke points in our nation’s infrastructures (i.e., areas where one or two attacks could have the largest impact)? What and where are the choke points?
• Incorporating consequence, vulnerability, and threat information into an overall risk assessment, what are the highest risk areas?
• What investment strategies can the United States make such that it will have the most impact in reducing overall risk?
To develop the CIP-DSS decision support methodology, the system developers conducted a series of formal and informal interviews of CIKR decision makers and stakeholders in order to identify requirements for the decision support system, define the decision environment, and quantify the prioritization of consequences. The taxonomy of decision metrics derived from this research involves six categories: (i) sector-specific, (ii) human health and safety, (iii) economic, (iv) environmental, (v) sociopolitical, and (vi) national security. The risk-related preferences for the decision makers were encoded to arrive at multi-attribute utility functions consistent with the output of the consequence models and applicable to the scenarios under consideration. These multi-attribute utility functions describe the preferences of the decision maker as a function of the frequency of the disaster and its consequences relative to the decision metrics previously defined.
Currently, the CIP-DSS system is fully operational. The model has been used to produce detailed analyses of both simulated and real-life disasters providing analysis and insights to decision makers and strategic planners. The initial model representations provide broad infrastructure coverage and are iteratively being refined and enhanced. Significant efforts are underway to analyze specific threat scenarios as defined by stakeholders and program sponsors. The system requires continuous testing and refinement as a result of insights developed in the threat scenario build-out. The CIP-DSS system has provided a valuable understanding of the infrastructures and their dynamics, developed insight into infrastructures viewed as dynamic systems, and provided analyses that can identify high leverage points and suggest mitigation strategies. This simulation and assessment capability allows decision makers to understand the CI of the United States including its components, their coupling, and their vulnerabilities. This capability can be used in a crisis response mode as well as in an analysis and assessment mode to provide decision makers with a better basis to make prudent, strategic investments, and policy resolutions needed to improve the security of our infrastructure.
[2] CIP-DSS Documentation.
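The pipeline described above for CIP-DSS (coupled sector dynamics, disruption scenarios sampled in a Monte Carlo setting, and a multi-attribute utility used to compare strategies) can be illustrated with a toy model. The following is an added example, not CIP-DSS code: the five-sector coupling map, the consequence weights, the additive utility form, and the backup-power strategy are all constructed assumptions.

```python
import random

# Constructed toy coupling map (assumption, loosely following the links named
# in Figure 2). BASELINE[s][p] = fraction of sector s's output lost when
# supplier p is completely down.
BASELINE = {
    "electric":    {"natural_gas": 0.3, "telecom": 0.2, "water": 0.1},
    "natural_gas": {"electric": 0.4, "telecom": 0.1},
    "telecom":     {"electric": 0.6},
    "water":       {"electric": 0.5, "telecom": 0.1},
    "transport":   {"electric": 0.2, "telecom": 0.2},
}
# Constructed consequence weights for two of the six decision-metric
# categories (economic; human health and safety) and their trade-off K.
ECON_WEIGHT = {"electric": 3.0, "natural_gas": 1.5, "telecom": 2.0,
               "water": 1.0, "transport": 2.5}
HEALTH_WEIGHT = {"water": 1.0, "electric": 0.5}
K = {"economic": 0.6, "health": 0.4}
STEPS = 96  # simulated hours


def with_backup_power(deps, sector, residual=0.15):
    """Hypothetical mitigation: on-site generation cuts `sector`'s grid reliance."""
    mitigated = {s: dict(p) for s, p in deps.items()}
    mitigated[sector]["electric"] = residual
    return mitigated


def simulate(deps, hit, severity, duration, rate=0.5):
    """Run one disruption scenario; return lost sector-hours per sector.

    Each sector is a stock in [0, 1] that relaxes (first-order lag) toward a
    target set by its own capacity and the current level of its suppliers.
    """
    level = {s: 1.0 for s in deps}
    deficit = {s: 0.0 for s in deps}
    for t in range(STEPS):
        target = {}
        for s, suppliers in deps.items():
            cap = 1.0 - severity if (s == hit and t < duration) else 1.0
            for p, w in suppliers.items():
                cap *= 1.0 - w * (1.0 - level[p])
            target[s] = cap
        for s in deps:  # synchronous update from the previous step's levels
            level[s] += rate * (target[s] - level[s])
            deficit[s] += 1.0 - level[s]
    return deficit


def utility(deficit):
    """Additive two-attribute utility in [0, 1]; 1.0 means no consequences."""
    econ = sum(ECON_WEIGHT[s] * d for s, d in deficit.items())
    econ /= STEPS * sum(ECON_WEIGHT.values())
    health = sum(HEALTH_WEIGHT.get(s, 0.0) * d for s, d in deficit.items())
    health /= STEPS * sum(HEALTH_WEIGHT.values())
    return 1.0 - (K["economic"] * econ + K["health"] * health)


def expected_utility(deps, trials=500, seed=7):
    """Monte Carlo over random scenarios; a fixed seed gives both strategies
    the same scenario stream so their scores are directly comparable."""
    rng = random.Random(seed)
    sectors = sorted(deps)
    total = 0.0
    for _ in range(trials):
        hit = rng.choice(sectors)
        severity = rng.uniform(0.5, 1.0)
        duration = rng.randint(6, 48)
        total += utility(simulate(deps, hit, severity, duration))
    return total / trials


if __name__ == "__main__":
    mitigated = with_backup_power(BASELINE, "telecom")
    outage = simulate(BASELINE, "electric", 1.0, 24)
    print("lost sector-hours after a 24 h grid outage:",
          {s: round(d, 1) for s, d in outage.items()})
    print("expected utility, baseline :", round(expected_utility(BASELINE), 4))
    print("expected utility, mitigated:", round(expected_utility(mitigated), 4))
```

Because every coupling term is monotone, the mitigated map can never score worse than the baseline on the same scenario stream; the size of the gap is what a decision maker would weigh against the cost of the mitigation.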
Example 2: Integrated high-fidelity models—NIST Analysis of the WTC Tower Collapse
The second example area of the analysis and decision support system is the National Institute of Standards and Technology (NIST) Analysis of the WTC tower collapse. A complex and broad suite of software models was used in the analysis that led to a series of recommendations for changes in design and material requirements for tall buildings. These tools together with detailed laboratory forensic analysis provided an extensive and comprehensive list of recommended changes to building codes and standards. Following the terrorist attacks on September 11, 2001, NIST was authorized by the US Congress to conduct a multiyear building and fire safety investigation into the collapse of the WTC Towers (WTC 1 and 2) and WTC 7. The analysis studied the factors contributing to the probable cause of post-impact collapse and required a thorough examination of the planes’ impact, fire dynamics and structural failures, the effectiveness of resistance design and retrofit of the structures, and the effectiveness of the fire resistive coatings on structural steel. The subsequent analysis resulted in the most detailed study of a complex system/structure ever performed and was successful in integrating the dynamical effects within multiple software-based mathematical models. Model outputs were combined to provide a thorough understanding of the effects of the explosion and resulting fire, and the effects of superheated steel on the structural integrity of a steel structure.
FIGURE 4 Model interdependencies from the NIST WTC collapse investigation. [Figure not reproduced: linked analysis blocks for the reference structural models (SAP 2000), baseline performance analysis, aircraft impact damage (LS-DYNA), fire dynamics (FDS), thermal analysis (ANSYS v.8.0), structural response and failure analysis (ANSYS v.8.0), and the collapse sequence, spanning 10 orders of magnitude in time scale and 5 orders of magnitude in length scale.]
The analysis of probable collapse sequences for the WTC required analyzing a variety of factors. These included the effects of the aircraft impact on the structures, the spread of jet fuel and the resulting fire on multiple floors, the thermal weakening of structural components, and the progression of local structural failures that initiated the catastrophic collapse of the WTC Towers 1 and 2. The mathematical analysis was supported by laboratory-based experiments and by visual and physical evidence acquired from multiple sources. Figure 4 depicts the models and their interdependencies that were used in the NIST analysis.[3]
[3] Taken from the US Federal Building and Fire Safety Investigation of the World Trade Center Disaster to the 4th Annual Congress on Infrastructure Security for the Built Environment, October 19, 2005, Dr. James E. Hill, Director, Building and Fire Research Laboratory, NIST.
Also modeled in this investigation were the occupant evacuation of the towers, the condition of stairwells, and the flow of evacuees from the buildings. The results of the modeling effort combined with a thorough laboratory analysis provided the key insights needed to accurately describe the factors that led to the collapse of the WTC towers in New York City on September 11, 2001. The key findings from the entire WTC study, as a result of the 3-year effort, can be found at http://wtc.nist.gov/.
16 FUTURE DIRECTIONS FOR SECTOR AND SYSTEM INTERDEPENDENCY R&D, PARTNERSHIP FOR CRITICAL INFRASTRUCTURE SECURITY
The previous examples illustrate just two areas where analysis and decision support techniques have been advanced significantly. These are exemplary of the R&D required to address the complex systems and infrastructures currently present. Many new areas of research exist in analyzing the complex interdependencies of CIKR as well as development of accurate high-fidelity analysis models for specific infrastructures.
PRESIDENT’S COMMISSION ON CRITICAL INFRASTRUCTURE PROTECTION
David A. Jones and James P. Peerenboom
Argonne National Laboratory, Argonne, Illinois
Brenton C. Greene
Northrop Grumman Corporation, McLean, Virginia
Irwin M. Pikus
Consultant, Bethesda, Maryland
1 INTRODUCTION
Following is a brief history that led to the creation of the President’s Commission on Critical Infrastructure Protection (PCCIP), selected details of the Commission’s inner workings, an overview of the Presidential Decision Directive (PDD) promulgated as a result of the PCCIP report, and six research and development (R&D) areas targeted for further exploration. It is important to fully understand the concepts of infrastructure dependency and interdependency. Figure 1 depicts illustrative infrastructure dependencies for electric power, while Figure 2 depicts examples of interdependent infrastructures. Figure 1 shows examples of how the operation of the electric power infrastructure depends on other infrastructures. A problem with any function can adversely affect the operation of the infrastructure. In Figure 2 the interaction of two or more functions is shown. The definition of interdependency can be found in the Glossary of Key Terms in the National Infrastructure Protection Plan—“The multi- or bi-directional reliance of an asset, system, network, or collection thereof, within or across sectors, on input, interaction, or other requirement from other sources in order to function properly.” The key to interdependency is that two or more assets depend on one another. Even though research on interdependencies in the United States began many years ago with efforts in the Department of Defense (DoD), the broader federal government effort began with the PCCIP in 1996–1997.
FIGURE 1 Illustrative infrastructure dependencies for electric power. [Figure not reproduced: dependencies of electric power on telecom, road, rail, natural gas, oil, and water, for functions such as SCADA/EMS, system control and status, crew communication, fuel for generators, fuel resupply, component shipping, and cooling and emission control.]
FIGURE 2 Examples of interdependent infrastructures. [Figure not reproduced: mutual links among oil, transportation, water, natural gas, electric power, and telecom, labeled with the services exchanged, such as fuels and lubricants, fuel transport and shipping, power for pumps, compressors, signaling and switches, water for production and cooling, and SCADA and communications.]
2 PROLOGUE—PRECURSOR EVENTS TO THE PCCIP
Early critical infrastructure efforts began with military strategic targeting, as databases of key potential targets were assembled. Initiatives to identify the most critical targets drew on strategic insights from system experts who identified such targets as vital bridges and other transportation hubs, critical industrial capabilities, and similar strategic sites. In the 1980s, such approaches were further advanced by bringing in civilian engineers with greater insights as to how particular infrastructures functioned and how they might depend on external needs such as power or water. With the dynamic growth of computer processing capability and the creation of infrastructure databases, coupled with knowledge of how particular systems functioned, engineers began to model the performance of particular infrastructures. Though initially challenging, modeling became a vital tool for improving a particular infrastructure’s reliability, robustness, and recoverability in an emergency. As the models matured, they became more valuable for assessing system performance and predicting how systems would respond during particular events or in case of casualties. However, these models usually focused only on a specific system or infrastructure segment; they did not incorporate other infrastructure sectors. Thus, computer models of infrastructures had not yet begun to consider and model interdependencies. Consideration of interdependencies began in the late 1980s, whereby models of one particular infrastructure, such as electric power, could be considered alongside another infrastructure sector, such as telecommunications, thus beginning to explore where one infrastructure depended on signals, communications, or other processes within a separate infrastructure.
This interdependency raised the possibility that an infrastructure could be attacked through its dependent elements; that is, something could be attacked without ever touching the obvious components within that infrastructure. However, while models of individual sectors were becoming increasingly mature, models of other sectors were often not compatible (i.e., in format, protocols, or input/outputs), and the merging of models to achieve interdependency modeling became a real challenge. With a significant increase of available open-source information on infrastructures in the 1990s, the ability to consider and assess infrastructure performance and interdependency improved. Thus, in the military targeting world, critical infrastructure targeting was continuing to advance. Targeting techniques were exploiting technology to render a particular infrastructure more vulnerable. In some ways, therefore, the more dependent a particular nation or system was on technology potentially increased the vulnerability of its critical infrastructures. Within DoD, these concepts advanced significantly, within an organization that evolved to become the Joint Warfare Analysis Center in Dahlgren, Virginia, and within the Joint Program Office for Special Technology Countermeasures, also in Dahlgren.
PRESIDENT’S COMMISSION ON CRITICAL INFRASTRUCTURE PROTECTION
In 1992–1993, the maturation of critical node targeting led to discussions (within DoD’s Office of the Under Secretary for Policy) concerning the need to explore the potential vulnerability of our nation to similar targeting approaches. As indicated above, interdependencies rendered particular infrastructures potentially more vulnerable. This possibility was countered in part by another factor: the increasing complexity of our infrastructures—how they interconnected, what software systems operated them, and what security tools were in place to enhance both physical and cyber security. This complexity could make it more difficult to attack a particular infrastructure. Even though increased complexity of our infrastructures may reduce some vulnerabilities, new ones could also be introduced that need to be examined and understood. Some infrastructure sectors began to consider interdependency issues long before others. Among the earliest infrastructure sectors to begin building reliability and security into their systems were the telecommunications and the banking and finance sectors. The early efforts to assure telecommunications functionality and survivability were born following the Cuban Missile Crisis (1962) with the establishment of the National Communications System, which focused on building national security and emergency preparedness features into the nation’s communications infrastructure. Similarly, though for different reasons, banking and finance led most infrastructure sectors in building security into their facilities by asking such questions and answers as “Why do people rob banks?” “Because that is where the money is.” The industry’s concern over security was similarly advanced as they developed information technology processes that linked banking systems. Other policy efforts across government to consider potential vulnerabilities in our nation came to light—efforts often unknown to other branches of government. 
For example, a senate-directed study of infrastructure vulnerability was undertaken in the 1989–1990 time frame. Led by a Secret Service agent, this study produced a sensitive report that was delivered to both Senate leadership and the National Security Council (NSC). Similarly, the Center for Strategic and International Studies conducted a review of infrastructure vulnerability. All these efforts came to a similar conclusion: the potential vulnerability of critical infrastructure was an issue that warranted a more detailed study and possible actions to bolster our national security. Following the first World Trade Center bombing in 1993, New York City government established a committee on counterterrorism, with several subgroups that focused on infrastructure and emergency response issues. As a result, New York City bolstered its emergency operations center and developed very comprehensive planning on emergency response. As concerns for infrastructure vulnerability gained momentum within the national security policy community, a series of briefings were held in 1994–1995 to highlight potential critical infrastructure vulnerabilities and to assess terrorist threats that could potentially exploit such vulnerabilities. In late 1995, the Department of Justice and the DoD cosigned a document directing the establishment of a working group to explore critical infrastructure vulnerabilities in this light. The group, called the Critical Infrastructure Working Group (CIWG), was under the leadership and guidance of Ms Jamie Gorelick, Deputy Attorney General at that time. The CIWG consisted of eight members, including five subject-matter experts from the Defense, Justice, and Intelligence communities. Curiously, because many interagency legal issues began to surface in these discussions, the CIWG included three representatives from the offices of various general counsels. 
The tasking for the CIWG was to explore the concept of domestic vulnerability and, from that, recommend a possible course of action for the nation’s security. Following delivery of the CIWG report to the White House in January 1996, the CIWG was reconvened to prepare a draft Executive Order, which established the PCCIP to explore critical infrastructure.
CROSS-CUTTING THEMES AND TECHNOLOGIES
3 PCCIP REPORT OVERVIEW
3.1 Executive Order 13010, Critical Infrastructure Protection: Scope and Key Sections
On July 15, 1996, President Clinton signed Executive Order 13010, titled Critical Infrastructure Protection, which focused on protecting those national infrastructures vital to the defense and economic security of the United States. The Order named eight specific infrastructures as critical to the United States and identified both physical and cyber threats to these infrastructures. The infrastructures were telecommunications, electric power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government. The Order also noted that many infrastructure enterprises are owned and/or operated by the private sector. Thus, a partnership between the government and the private sector was considered essential. The Order established a Presidential Commission to, among other things, assess the nature and scope of threats and the vulnerabilities of these critical infrastructures and recommend a comprehensive national policy and implementation strategy for assuring their continued operation. The Commission was to consist of a full-time chair, appointed by the president, and up to 20 full-time commissioners, no more than 2 of whom were to be nominated by each of 10 named departments and agencies. The departments and agencies directed to nominate commissioners were Treasury, Justice, Defense, Commerce, Transportation, Energy, Central Intelligence Agency, Federal Emergency Management Agency, Federal Bureau of Investigation (FBI), and National Security Agency. The Commission had authorized staff and contracting authority. Anticipating the sensitive nature of the information to be dealt with, each commissioner and many of the staff held high-level security clearances.
Nothing in the Order explicitly cited the importance of interdependencies among the infrastructures, but interactions among the infrastructures were an implicit priority in the interdisciplinary structure of the Commission and the Order’s mandate to assess the scope and nature of the wide-ranging vulnerabilities of and threats to critical infrastructures.
3.2 Commission Structure
One of the first tasks in the operation of the Commission was the development of a work plan. To help simplify the effort and rationalize work assignments, the Commission adopted a structure focused on five infrastructure sectors that incorporated the eight critical infrastructures named in the Executive Order and allowed for some necessary amplification. The five sectors were as follows:
1. Information and communications. Recognized the intimate and necessary connection between telecommunications and the entire range of information technology. The original scope was expanded to include the threats to and vulnerabilities of the full range of information systems, including, but not limited to, the telecommunications links. The sector included the Public Telecommunications Network, the Internet, and millions of computers and related equipment in homes, businesses, academe, and other organizations across the nation.
2. Energy. Included both the entire electric power infrastructure and portions of the oil and gas infrastructure. Both the Department of Energy (DOE) and Department of Transportation (DOT) have statutory authority pertaining to aspects of the oil and gas infrastructure. The DOE has responsibilities in the production and storage elements, while the DOT has responsibilities in the pipeline and transportation elements.
3. Physical distribution. Included air, water, surface (including rail, road, and pipeline), and subsurface transportation subsectors—systems that facilitate the movement of people and goods. It also included navigation systems such as global positioning systems.
4. Banking and finance. Included all infrastructure elements relating to financial transactions, including various financial institutions, financial markets, and the companies that service and work with them.
5. Vital human services. Included water supply, emergency services, and government services at all levels (such as Social Security, weather forecasting, and aid to dependent children). The original mandate to include continuity of government was changed, with the approval of the White House, to focus on services provided by the government since issues of continuity of government were being addressed in other forums. The Commission explored the possibility of expanding the scope of this sector to include agriculture and public health but because of the limited time and resources available, decided that such expansion should be considered in the next phase of the government effort following the work of this Commission.
3.3 Commission Process
After establishing the sectors and assigning lead and supporting commissioners and staff, the Commission, through the five sector teams, turned to developing a detailed characterization of each sector. This exercise served as a basis for understanding the nature of the vulnerabilities of the infrastructure, the threats it might face, and the potential consequences that might be expected from a successful attack. The work plan then called for the Commission to develop a national policy and a strategy for implementation. At every stage of the effort, the Commission took extraordinary measures to ensure that it acquired a solid base of information and that it vetted the work and thinking with a wide range of experts and stakeholders. Each sector arranged briefings (in many cases for the entire Commission) on the structure of the sector; its operations, dependencies on other sectors, particular weaknesses, and critical vulnerabilities; and potential consequences of failure, not only for customers but also for the broader community. Among the experts from whom briefings were requested were owners/operators of infrastructure organizations, trade associations, professional societies, community leaders, government officials, and subject-matter experts. Some briefings were classified, and nearly all were treated as highly sensitive even if not officially classified under national security procedures. Each sector group developed a thorough characterization of its respective infrastructure. In some cases, contractors were hired to develop the product—under the guidance of and with assistance from the commissioners. In other cases, the sector staff did the
bulk of the work with assistance from contractors. In at least one sector, a series of meetings across the nation in cooperation with the American Public Works Association elicited the views and concerns about infrastructure protection from local private and government groups. The Commission conducted several open “town meetings” at locations across the country (e.g., Boston and Houston), both to raise the level of awareness among the general public about critical infrastructure protection and to elicit information and perspectives concerning the issues. The Commission’s final report, Critical Foundations: Protecting America’s Infrastructures, was released publicly in October 1997. Much of the documentation developed by the Commission, however, has not been released to the public and is exempt from such release under statutes and executive orders.
3.4 Selected Case Studies of Infrastructures
3.4.1 Water Infrastructure. The water infrastructure was part of the vital human services sector, a varied collection of critical infrastructures that did not fit into the other four sectors. The Commissioner from the Department of Commerce was chosen to lead this sector, and several other commissioners were appointed to the team. In contradistinction from some other sectors, this team decided against contracting with an outside firm to help characterize the infrastructure and probe its vulnerabilities. Rather, this team hired a few staff to be responsible for the effort and several outside consultants to address specific problems. The team conducted a characterization of the water infrastructure through a series of discussions with the US Environmental Protection Agency, the US Geological Survey, the US Army Corps of Engineers, the Department of Health and Human Services, the American Water Works Association, and a number of individual water utilities across the country.
In addition, facts and data provided by the organizations and utilities interviewed were analyzed and included in the characterization. These results were documented in the sector report, which, to date, has not been publicly released because of their sensitivity. The major security concerns that emerged were the potential for
• large-scale impacts on public health through purposeful contamination of the water supply with toxins and/or pathogens and
• disruption of the water supply through destruction of assets such as pumps, pipes, valves, control systems (including supervisory control and data acquisition [SCADA]), and treatment facilities that would not only cause some challenges to public health but would also cause serious economic damage through the disruption of activities that depend on water supply.
Both contamination and physical destruction of system assets are physical threats. The primary cyber threat relevant directly to water supply is through the SCADA system. While in principle, it is possible for a cyber attack to have serious consequences, even more dramatic and extensive impacts would be achievable more easily through the use of physical attacks, such as explosives and contaminants. The primary advantages of a cyber attack on water supply would be that, in many cases, an adversary could gain sufficient access, while maintaining a physical distance far from the target, and would have a better chance at disguising or hiding his or her identity.
At the time, opinion within the water sector concerning the importance of a threat of water contamination was divided, and no definitive studies had been conducted. The Commission team tasked one of the national laboratories to undertake a definitive study aimed at determining whether there were any chemical or biological agents, reasonably available to terrorists, in quantities that could be carried by one or two people that could cause thousands of deaths when introduced into a municipal water supply system. The study, which was not exhaustive, identified several such agents. This alerted the Commission to the extraordinary importance of preventing, detecting, and mitigating such potential contamination. The team also addressed several interdependencies of water supply systems. For example, water utilities use large quantities of chemical disinfectants such as chlorine or chloramine to kill a number of biological contaminants. Utilities generally have limited storage capacity for these materials and depend on timely delivery through either rail or truck transport. In addition, many water utilities run their SCADA systems over the public switched network, and disruption in those communication elements could wreak havoc on the operation of dependent utilities. Finally, with regard to dependencies of water on other infrastructures, most utilities require externally provided electric power to operate pumps and automatic controls, including valves and monitoring equipment. Other sectors, of course, depend on water. For example, illnesses and death caused by contaminated water would affect the workforce and strain resources needed for dealing with other emergencies. Few hospitals have alternate supplies of clean water, so a disruption could seriously affect their ability to care for patients. Many industries require clean water for their manufacturing processes. Most municipalities access water for fighting fires from the water supply utility. 
Therefore, a disruption in the supply of clean water could also affect fire fighting. In some cases, disruption in the flow of source waters could impair hydro-generation of electricity. The Commission found no indications of interdependencies leading from an attack on water supply to cascading (singularity) failures in other infrastructures in the near term. If longer term outages were encountered, the potential for such cascading failures seemed intuitively to be increased.
3.4.2 Energy Infrastructure. The Commission established an Energy team to lead the effort for the electric and oil and gas sectors. A DOE commissioner led a team consisting of several commissioners with supplemental help from DOE national laboratory experts in the electric power and the oil and natural gas infrastructures, as well as cyber security. The team generated two detailed reports that characterized the sectors, current trends, impacts from significant outages, threats and vulnerabilities, issues, risk management, interdependencies, protective measures, Commission outreach, and strategies and recommendations. Significant physical security information was drawn from previous reports because of terrorist concerns in the late 1980s [1, 2]. Organizations providing a wealth of reference material included DOE, Energy Information Administration, North American Electric Reliability Council (NERC), and Federal Energy Regulatory Commission. In addition, the Energy team conducted an extensive outreach program to many sector organizations (NERC, Edison Electric Institute, National Petroleum Council, American Petroleum Institute), and leading companies within the sectors. This effort collected the ideas and concerns of the owners/operators and invited review and comment of their thoughts on the subject.
Several vulnerability concerns emerged as listed below:
• more reliance on computer networks and telecommunication systems not designed for secure operations;
• control systems (including SCADA) using commercial off-the-shelf hardware and software;
• proliferation of modems;
• sabotage of critical parts and difficulty of replacement;
• insufficient effort to correct previously identified physical security vulnerabilities; and
• availability of vulnerability information.
As stated in the Commission’s report, interdependencies were a key concern of the energy sector. “The security, economic prosperity, and social well being of the US depend on a complex system of interdependent infrastructures. The life blood of these interdependent infrastructures is energy . . . [3].” The power outages of July and August 1996 in the western United States clearly demonstrated the extensive impact to all of the other critical infrastructures. Telecommunications, water supply systems, transportation, emergency services, government services, and banking were all significantly affected by the blackouts, which covered most of that region.
3.5 The Nature of Interdependencies
The Commission dealt with interdependencies as an integral part of the work of each infrastructure group. The final report did not deal with the subject separately but did recognize the overarching importance in connection with several strategic objectives and policy initiatives. There are two main sources of interdependency: geographic proximity (in which an attack on one element causes damage to proximate elements of other infrastructures) and functional interdependency (in which other infrastructure elements depend on the functioning of the attacked element in order to perform adequately). One of the most serious concerns due to the interdependencies among infrastructures is that the effects of an attack on one might, under certain conditions, cause cascading failures among other infrastructures, which in turn might amplify the effect on the originally attacked infrastructure and cause disproportionately high levels of damage on a wide geographic and functional scale. It is unlikely that an adversary would unknowingly choose such a critical target; however, the potential consequences call for special protective efforts for those specific assets.
It became clear to the Commission that the degree of interdependency throughout the critical infrastructures was much higher than was first apparent on the surface. Energy and communications/information clearly underlie virtually everything else. But, in fact, significant outages in any of the critical infrastructures could be expected to seriously affect at least several other infrastructures. While the initial effects of a particular attack would be localized to the target assets, the degree of interconnectedness would, in many cases, lead well beyond the initial locale. The specific consequences of an event would be a function of the detailed nature of the interdependencies on an enterprise level. In addition to noting the extensive nature of interdependencies among the critical infrastructures, and therefore the need for wide-ranging partnership between government
and many elements of the private sector, the Commission considered a number of specific examples of interdependencies. For example, the loss of electric power would prevent the pumps at gasoline stations from operating, which would prevent vehicles from delivering products and services, which would cripple other infrastructure services and hamper repairs to the electric power infrastructure, thus compounding the cycle of consequences. During its limited life, the Commission was not able to delve more deeply into the nature and characterization of failure modes through interdependencies. It was clear that the real failure events unfolded through the effects on specific interdependent individual enterprises. That realization, however, would not lead to a generalized approach to understanding the phenomenon. On the other hand, integrating or averaging over entire sectors could provide a more workable approach because data would be more readily available, but would lose the reality of what actually causes the interlinked failures, and thus would likely lead to incorrect conclusions. Moreover, an averaged approach would not illuminate specific needs for protective measures. This clearly was an area in need of more research.
3.6 Partnership between Government and Industry
The Commission noted as a fundamental requirement that a wide-ranging partnership among governmental organizations and industrial entities was key to the success in protecting the nation’s critical infrastructures for the following reasons:
• the infrastructure enterprises were largely owned and/or operated by the private sector;
• the owners/operators were in a better position to assess their vulnerabilities and design protective measures;
• the large-scale consequences of an event affect the broad community, beyond the specific business responsibilities of the infrastructure enterprise;
• the government has regulatory and law enforcement responsibilities and authority and can also provide a mechanism for spreading the risk/costs; and
• the government can bring unique resources, such as intelligence and analysis capabilities, as well as diplomacy, to bear.
The Commission identified seven specific areas of responsibility for the owners/operators of critical infrastructure (paraphrased here):
1. provide and manage the assets needed to ensure the delivery of infrastructure services efficiently and effectively;
2. meet customer expectations for quality and reliability;
3. manage risks effectively: (a) identify threats and vulnerabilities, (b) mitigate risks cost-effectively, (c) maintain emergency response and management capability;
4. give special consideration to vulnerabilities in information systems;
5. cooperate with others in the sector to identify the best reliability and security practices;
6. report criminal activities to law enforcement and cooperate with investigations; and
7. build working relationships with intelligence and law enforcement.
State and local governments play several roles: regulation, law enforcement, administration of justice, response to incidents, and ownership/operation of certain infrastructures. The federal government has overarching responsibilities for national security, public health and safety, and the general welfare of the nation. Thus, unique resources are available, such as collection and analysis of intelligence, training and equipment for first responders, and relations with other countries and international organizations. The Commission recommended the establishment of national structures to facilitate the partnership and to address matters of policy formulation, planning for critical infrastructure protection, and the design and implementation of specific programs. The pros and cons were weighed for establishing a new department to protect the nation’s critical infrastructures, but it was decided that the political costs and barriers would render such a recommendation impossible to implement. Instead, the Commission recommended a small office in the White House (called the Critical Infrastructure Assurance Office [CIAO]) located in the Department of Commerce. In the aftermath of the terrorist attacks of September 11, 2001, the government did establish the Department of Homeland Security (DHS) with responsibilities that encompass most of the elements of critical infrastructure protection. These functions have been transferred to the DHS. Each of the infrastructure sectors was to have a lead government agency that would be responsible for identifying and working with sector coordinators from within the infrastructure community and for ensuring that the sector was tied in to the entire government activity in critical infrastructure protection.
The indispensable step to establishing the partnership is information sharing. Chapter 5 of the PCCIP report, Establishing the Partnership, discusses the reluctance of private sector entities to share sensitive information with the government because of their concern about the government’s inability to protect the information. To address this concern, the Commission recommended that the government establish appropriate measures to protect private sector information. Also, the private sector noted the limited information available from the government (e.g., specific threat information). However, on the other hand, elements of the government were frustrated by the perceived lack of information flow from the private sector. Among the innovative mechanisms recommended by the Commission was the establishment of Information Sharing and Analysis Centers (ISACs) in each sector. Their primary functions were
• to provide a forum for the infrastructure enterprises to share information and experiences concerning threats to and vulnerabilities of their sector as well as various problems encountered and possible solutions and
• to provide a mechanism for the federal government to disseminate information and advice throughout the sector.
Another innovative suggestion was that communication and cooperation among the ISACs could be very helpful in identifying and dealing with sector interdependencies. ISACs have now been established in most of the critical infrastructure sectors with varying results. It is a valuable mechanism that is still evolving in its implementation. However, the private sector business model has only worked for a few of
them. All of the new sectors and some of the PDD 63 sectors no longer have ISACs. Most of them did have the capacity to do real analysis but acted as “pass-throughs” for information. Now each sector coordinating council (which replaced the PDD 63 sector coordinator) has the option to identify an ISAC to be their sector information sharing mechanism.
3.7 Risks in the Information Age
The Commission anticipated that the threat of cyber attacks would grow rapidly to become a dominant concern for infrastructure assurance. The increasing reliance of all the nation’s sectors on the information and communications infrastructure suggested that one of the major risks would soon be that of a cyber attack. Such an attack would cause extraordinary damage and loss of capability through large-scale interdependencies with devastating effects on the United States. While the direction of the threat trend was correctly predicted, it has not yet reached the magnitude or urgency foreseen. The major threats to critical infrastructure remain physical—mostly kinetic—attacks. As an instrument of terror, an explosion is far more impressive than a cyber attack. When the attackers turn toward creating economic impacts instead of terrorizing populations, the role of cyber threats will undoubtedly increase.
4 PRESIDENTIAL DECISION DIRECTIVE 63 OVERVIEW
PDD 63 institutionalized many of the recommendations from the PCCIP report [3]. Initially, PDD 63 noted a “growing potential vulnerability” and stated that “[m]any of the nation’s critical infrastructures have historically been physically and logically separate systems that had little interdependence. As a result of advances in information technology and the necessity of improved efficiency, however, these infrastructures have become increasingly automated and interlinked” [4].
PDD 63 set a national goal that “any interruptions or manipulations of these critical infrastructures must be brief, infrequent, manageable, geographically isolated and minimally detrimental to the welfare of the United States” [5]. The President directed elements of the federal government to implement activities and encouraged the private sector to take steps to improve the protection of the US critical infrastructures as reported on by the PCCIP. The following three sections summarize his direction.
4.1 Federal Government
PDD 63 established an organizational structure within the Executive Branch of the federal government to implement the Directive. Lead agencies were designated for each critical infrastructure with an appointed sector liaison official, as well as lead agencies and officials for special functions (national defense, foreign affairs, intelligence, and law enforcement). Also established was the position of national coordinator to chair an interagency group (Critical Infrastructure Coordination Group) to coordinate the overall implementation activities. The national coordinator would be supported by the National Plan coordination staff (Table 1). To strengthen the protection of critical infrastructures within the jurisdiction of the federal government, each department/agency was directed to appoint a senior-level official
TABLE 1 Presidential Decision Directive 63 Federal Government Organization, Annex A
National Coordinator—Chair of Critical Infrastructure Coordination Group and supported by National Plan Coordination staff
Lead Agency | Sector Liaison
Commerce | Information and communications
Energy | Electric power; Oil and gas production and storage
Environmental Protection Agency | Water supply
Federal Emergency Management Administration | Emergency fire services; Continuity of government services
Health and Human Services | Public health services, including prevention, surveillance, laboratory services, and personal health services
Justice/FBI | Emergency law enforcement services
Transportation | Aviation, Highways, Mass transit, Pipelines, Rail, Waterborne commerce
Treasury | Banking and finance
Lead Agency | Special Functions
Central Intelligence Agency | Foreign intelligence
Defense | National defense
Justice/FBI | Law enforcement and internal security
State | Foreign affairs
Office of Science and Technology Policy | R&D coordination
to be the Critical Infrastructure Assurance Officer. The existing Chief Information Officer would be responsible for information assurance, while the Critical Infrastructure Assurance Officer would be responsible for protecting all other aspects of the department’s/agency’s critical infrastructure. To facilitate gathering of threat information and rapid distribution of such information, “the President immediately authorizes the FBI to expand its current organization to a full scale National Infrastructure Protection Center (NIPC) [6].”
4.2 Private Sector For the private sector, a National Infrastructure Assurance Council was to be established. It consisted of “a panel of major infrastructure providers and state and local government officials” appointed by the President to provide him advice. Periodic meetings were “to be held to enhance the partnership of the public and private sectors” [7]. Subsequently, the Council was established as the National Infrastructure Advisory Council by Executive Order 13231, and amended by EO 13286 and EO 13385. A private-sector coordinator to represent each sector was to be identified as the counterpart to the federal government’s sector liaison official. Owners/operators were “strongly encouraged” to create ISACs. “Such a center could serve as the mechanism for gathering, analyzing, appropriately sanitizing and disseminating private sector information to both industry and the NIPC” [8].
4.3 Research and Development
The Directive established a formal R&D program with guidelines and specific tasking.
• Section V, Guidelines. “The Federal Government shall, through its research, development and procurement, encourage the introduction of increasingly capable methods of infrastructure protection.”
• Section VIII, Tasks. The President requested the Principal’s Committee to submit to him a National Infrastructure Assurance Plan with milestones. R&D was one of the subordinate and related tasks:
  ◦ “Research and Development: Federally sponsored research and development in support of infrastructure protection shall be coordinated, be subject to multi-year planning, take into account private sector research, and be adequately funded to minimize our vulnerabilities on a rapid but achievable timetable.”
• Annex A, Structure and Organization. “In addition, OSTP (Office of Science and Technology Policy) shall be responsible for coordinating research and development agendas and programs for the government through the National Science and Technology Council.”
4.4 Problems and Major Shortfalls of PDD 63
4.4.1 Lack of Partnership. There was significant resistance to the new concept of Critical Infrastructure Protection, both in the private sector and in many elements of the government. Also, many government departments and agencies were not familiar with the concept of a partnership with the private sector. Building the “partnership” would be a long-term process that would need to be developed over time (years), starting with personal relationships established on trust, followed by awareness and education efforts, and the active participation of partners with leadership skills with the ability to focus on outcomes of mutual benefit. The Directive was promulgated with minimal collaboration between the government and private sector. PDD 63 was written within the federal government. A senior official in the NSC led the effort to draft the document, relying on their support organization and an interagency group of senior representatives selected from the agencies involved.
There was a need to stimulate dialogue across and within particular infrastructure sectors to drive and accelerate more collaboration on critical infrastructure thinking within infrastructure sector leadership. Part of the challenge is that many sectors had not previously engaged in critical infrastructure dialogues among themselves to consider opinions and develop conclusions toward their approach to critical infrastructure. While PDD 63 encouraged such efforts, little was done to bring together the leadership to stimulate such efforts. Fortunately, both the CIAO and the Partnership for Critical Infrastructure Security (PCIS) caused much of the internal sector dialogues to begin, though these successes took several years to begin consolidating effectively. Similarly, once a dialogue began within a particular sector, it took further effort (and time) to generate trusted dialogue between that sector and government. In some cases, this dialogue moved ahead very effectively while in some sectors, it still struggles a decade after the PCCIP. Further, many superb efforts are driven primarily by several very effective individuals leading their particular sector, though broad acceptance and understanding of CIP issues remain a challenge—thus, if that person ceased driving
leadership, many initiatives could potentially fade or be weakened. The need for sector CIP dialogues was vitally important at three levels: (i) within and across the sector; (ii) between the sector and other sectors, many of which had interdependent elements; and (iii) between the sector and government. While PDD 63 was ineffective in successfully achieving these ends, the CIAO and PCIS made significant strides prior to the establishment of DHS. 4.4.2 Lack of Resources for Implementation. To initiate a new program, the departments and agencies realized that the resources had to be taken out of existing funds. No new funds were available! Although the agencies submitted budget requests through their normal channels, and they were accepted by the Office of Management and Budget to some extent, the White House did not develop or present a unified set of supporting arguments to the congressional oversight committees involved. Because of the need to make Congress aware of the critical infrastructure issues and concerns, there was no clear idea of the need or magnitude of the undertaking. Thus, the implementation of PDD 63 began with a long-term effort of awareness and education. A key lesson learned in the government sphere is that central coordination of a distributed program is an essential element in its success. 4.4.3 Lack of Emphasis on Interdependencies. Even though interdependencies were stressed throughout the PCCIP report, PDD 63 gave it minimal emphasis. The most significant reference came at the end of Section IV: “During the preparation of the sectoral plans, the National Coordinator (see section VI), in conjunction with the Lead Agency Sector Liaison Officials and a representative from the National Economic Council, shall ensure their overall coordination and the integration of the various sectoral plans, with a particular focus on interdependencies” [9]. No single agency or department was given a lead role for interdependencies. 
Interdependency was one example of a crosscutting issue that could have been addressed by the Critical Infrastructure Coordination Group. However, the “unfunded mandate” problem made performance of the sector lead agency responsibilities too spotty and inconsistent to allow the different agencies to work on common issues.
5 CASE AND STRATEGY FOR ACTION IN TERMS OF INFRASTRUCTURE INTERDEPENDENCIES The tremendous explosion of technologies, including computers, processing, and communications processes, led to a complex mosaic of technology in every infrastructure sector. The reliance on other infrastructures continued to grow, led in large part by a markedly increased reliance on communications and control systems, providing signals and feedback mechanisms by which infrastructures are monitored and operated to include an expanded range of remote operations. Although experts in each of these processes are fluent as to how their particular systems interact dynamically to control and operate segments of the infrastructure, their insights are often limited to the narrow scope of their particular system or functional role. With the expanded complexity of technology, individual infrastructure sectors have advanced modeling and simulation processes that can mimic and, in some cases, function predictively in the operational control of an infrastructure sector, especially in localized or regional operations. However, it becomes far
more difficult for managers and decision makers to fully understand the broad range of detailed interactions and nuances by which their entire infrastructure functions technologically and operationally, especially during crises or emergency scenarios where dynamic changes occur more rapidly within the sector. This challenge becomes even greater when the scope of interdependencies upon other infrastructure sectors is considered. Each infrastructure sector’s consideration of critical infrastructure issues has advanced at its own pace; some sectors are further along the path of understanding and are taking appropriate actions to better assure resilience, recoverability, and robustness. This disparity becomes more obvious as we consider infrastructure outage events that occur periodically during any given year. In some cases, a sector’s response is impressively swift, mitigating the damaging effects of an outage and accelerating a return-to-normal operation. In other cases, a flawed response leads to open criticism, causing either governmental or privately led efforts to force improvements in emergency response-and-recovery processes and driving greater investments toward greater assurance of acceptable sector performance. The point is that different sectors, and sometimes varying management elements within the same sector, often are at different levels of technological and operational maturity in the understanding and response within their sector. This is further exacerbated when the issue of infrastructure interdependency is considered. Even sectors with mature processes for operations and recovery often have given limited consideration to developing predictive means for assessing their systematic reactions to emergency events occurring in other sectors on which they rely. 
In their defense, given (i) the difference in modeling and simulation maturity within each sector; (ii) the reliance on different and often incompatible technologies; and (iii) the variety of signal and protocol formats, the interoperability of modeling processes between infrastructure sectors is both complex and very limited. Furthermore, the best way to coordinate the operations among multiple infrastructures is often through leveraging preexisting relationships among the leaders, managers, and operators of those separate infrastructures. The more interdependent our infrastructures become—and their interdependence continues to grow year after year—the more urgent it becomes for our nation and its critical infrastructure owners/operators to more thoroughly consider critical infrastructure interdependencies. Operational processes, service-level agreements, emergency response systems, and organizational interactions and procedures must better address interdependencies to assure critical infrastructure protection. To do so will require many types of investments to help assure critical infrastructure performance for the future.
6 SUMMARY OF COMMISSION’S CONCLUSIONS ON RESEARCH AND DEVELOPMENT NEEDS Consistent with the scope of its charter and in recognition of the importance of interdependencies, the Commission addressed R&D needs not only for the eight specific infrastructures identified in Executive Order 13010, but also explicitly for the crosscutting interdependency issues that affect more than one infrastructure. The goal was to provide a road map for the development of technologies that will counter threats (physical, cyber, and other threats that arise from the complexity of automated systems and from increasing interdependencies among infrastructures) and reduce the vulnerabilities in those areas with the potential for causing “significant” national security, economic, and/or social impacts.
Basic research requiring long-term government investment was emphasized. However, it was recognized that this research must be accompanied by the development of technology within the private sector. As broadly defined by the Commission, technology includes processes, systems, models and simulations, and hardware and software. Strong involvement from infrastructure owners/operators was deemed essential to ensure the development of useful and usable products. The Commission concluded that federal R&D efforts were inadequate for the size of the R&D challenge presented by emerging cyber threats. They further noted that real-time detection, identification, and response tools were urgently needed and that R&D for infrastructure protection requires partnership among government, industry, and academia to ensure a successful and focused research and technology development effort. The Commission proposed a substantial increase in federal investment in infrastructure assurance research, targeting R&D and focusing on six R&D areas:
1. Information assurance. Assurance of vital information is increasingly a key component for the functioning of our interdependent infrastructures. The urgent need to develop new, affordable means of protection is apparent, given the increasing rate of incidents, the expanding list of known vulnerabilities, and the inadequate set of solutions available.
2. Intrusion monitoring and detection. Reliable automated monitoring and detection systems, timely and effective information collection technologies, and efficient data reduction and analysis tools are needed to identify and characterize structured attacks against infrastructure.
3. Vulnerability assessment and systems analysis. Advanced methods and tools for vulnerability assessment and systems analysis are needed to identify critical nodes within infrastructures, examine interdependencies, and help understand the behavior of these complex systems. Modeling and simulation tools and test beds for studying infrastructure-related problems are essential for understanding the interdependent infrastructures.
4. Risk management decision support. Decision support system methodologies and tools are needed to help government and private-sector decision makers effectively prioritize the use of finite resources to reduce risk.
5. Protection and mitigation. Real-time system control, infrastructure hardening, and containment and isolation technologies are needed to protect infrastructure systems against the entire threat spectrum.
6. Incident response and recovery. A wide range of new technologies and tools is needed for effective planning, response, and recovery from physical and cyber incidents that affect critical infrastructures.
The fundamental R&D issue for critical infrastructure protection was framed by the Commission in terms of three interrelated questions:
• What R&D is needed to achieve the nation’s infrastructure assurance objectives?
• What level of corresponding investment is required?
• Who should make this investment?
These questions remain relevant and must be answered within a partnership between government and the private sector. The Commission noted that both entities must recognize that (i) infrastructure assurance risks cut across the public and private sectors; (ii) the private sector holds much of the relevant technical and empirical data on infrastructure operations, vulnerabilities, and interdependencies; and (iii) the private sector develops technology only when it identifies a market for it. The Commission concluded that successful implementation of technologies developed from government-funded research efforts requires close cooperation from private-sector owners and operators of our nation’s infrastructures.
7 CLOSING STATEMENT The PCCIP set the stage and Presidential Decision Directive 63 initiated the path forward. As stated in the Onward section of the PCCIP report—the Commission’s effort was “the prologue to a new era of infrastructure assurance (p. 101).”
REFERENCES
1. (a) Congress of the United States, Office of Technology Assessment (1990). Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage, OTA-E-453, (NTIS order #PB90-253287, GPO stock # 052-003-01197-2) (June 1990); see also (b) Charles, L., Draft Report for the Committee on Government Affairs, US Senate hearings.
2. The White House (1989). Vulnerability of Telecommunications and Energy Resources to Terrorism, Hearings before the Committee on Government Affairs, U.S. Senate, One Hundred First Congress, First Session, S. Hrg 101-73 (Feb. 7–8, 1989).
3. The White House (1997). President’s Commission on Critical Infrastructure Protection, Critical Foundations—Protecting America’s Infrastructures, Appendix A, p. A-24 (October 1997).
4. The White House (1998). Presidential Decision Directive-63, Section I, A Growing Potential Vulnerability (May 1998).
5. The White House (1998). Presidential Decision Directive-63, Section III, A National Goal (May 1998).
6. The White House (1998). Presidential Decision Directive-63, Annex A, Warning and Information Centers (May 1998).
7. The White House (1998). Presidential Decision Directive-63, Section VI-4, National Infrastructure Assurance Council (May 1998).
8. The White House (1998). Presidential Decision Directive-63, Annex A, Information Sharing and Analysis Center (ISAC) (May 1998).
9. The White House (1998). Presidential Decision Directive-63, Section IV, A Public-Private Partnership to Reduce Vulnerability (May 1998).
FURTHER READING
Brown, K. A. (2006). Critical Path: A Brief History of Critical Infrastructure Protection in the United States. George Mason University Press, Arlington, VA.
The White House (1998). The Clinton Administration’s Policy on Critical Infrastructure Protection: Presidential Decision Directive 63, White Paper (May 22, 1998).
INPUT–OUTPUT MODELING FOR INTERDEPENDENT INFRASTRUCTURE SECTORS Joost R. Santos and Yacov Y. Haimes Center for Risk Management of Engineering Systems, University of Virginia, Charlottesville, Virginia
1 BACKGROUND: LEONTIEF INPUT–OUTPUT MODEL No literature survey on interdependency analysis is complete without mentioning the input–output (I–O) model, for which Wassily Leontief received the 1973 Nobel Prize in Economics. This model is useful for studying the effects of consumption shocks on interdependent sectors of the economy [1, 2]. Miller and Blair [3] provide a comprehensive introduction of the model and its applications. Leontief’s I–O model describes the equilibrium behavior of both regional and national economies [4, 5] and presents a framework capable of describing the interactive nature of economic systems. Extensions and current frontiers of I–O analysis can be found in Lahr and Dietzenbacher [6] and Dietzenbacher and Lahr [7]. It is worth noting that the traditional use of input–output analysis for estimating the effects of economic shifts (e.g. changes in consumption) has been extended to other applications, such as disaster risk management, environmental impact analysis, and energy consumption, among others. Various studies for estimating losses pursuant to disasters have employed traditional I–O analysis and extended approaches such as computable general equilibrium (CGE) models. Rose and Liao [8] conducted a case study of water-supply disruption scenarios in Portland using CGE to account for resilience factors (e.g. substitution and conservation) that business sectors typically consider in order to minimize potential losses. (Note that Rose [9] states that CGE is an extension rather than a replacement of the traditional I–O model). Cho et al. [10] identified the I–O model as a useful tool for estimating the economic costs associated with major earthquakes in urban areas. Lenzen et al. [11] implemented a multiregion environmental input–output analysis to determine CO2 multipliers based on international trade data for commodities that emit greenhouse gas by-products. 
Alcántara and Padilla [12] developed an I–O-based methodology that considers energy demand elasticities for determining the key sectors that are involved in the final consumption of energy. The formulation of the basic Leontief I–O model is shown in Eq. (1). The notation $x_i$ refers to the total production output of industry $i$. The Leontief technical coefficient $a_{ij}$ indicates the ratio of the input of industry $i$ to industry $j$, with respect to the total production requirements of industry $j$. Thus, given $n$ industries, $a_{ij}$ can tell the distribution of inputs contributed by various industries $i = 1, 2, \ldots, n$ to the total inputs required by industry $j$. Finally, the notation $c_i$ refers to the final demand for the $i$th industry—the portion of industry $i$’s total output for final consumption by end users (i.e. the excess of all intermediate consumptions by various industries $j = 1, 2, \ldots, n$).
$$x = Ax + c \iff x_i = \sum_{j} a_{ij} x_j + c_i \quad \forall\, i \qquad (1)$$
2 INOPERABILITY INPUT–OUTPUT MODEL (IIM)
Today, the infrastructure sectors in the United States (and the entire global economy) are highly interdependent—making them more vulnerable to natural- and human-caused disruptive events. Such events upset the “business-as-usual” production levels of the affected systems and lead to a variety of economic losses, such as demand/supply reductions. Interdependency analysis applies to ripple effects triggered by various sources of disruption, including terrorism, natural calamities, and accidents, among others. On the basis of Leontief’s work, Haimes and Jiang [13] developed the inoperability input–output model (IIM) for interconnected systems. One of the metrics offered by the IIM is inoperability, which is defined as the inability of a system to perform its intended functions. In the IIM, inoperability can denote the level of the system’s dysfunction, expressed as a percentage of the system’s intended production level. Inoperability can be caused by internal failures or external perturbations, which adversely affect the delivery of a system’s intended output. The IIM was later expanded by Santos and Haimes [14] to quantify the economic losses triggered by terrorism and other disruptive events to economic systems (or industry sectors). The analysis of economic impacts associated with such events is made possible through the economic I–O data published by the Bureau of Economic Analysis (BEA) [15, 16]. The formulation of the IIM is as follows:
$$q = A^{*} q + c^{*} \qquad (2)$$
The details of model derivation and an extensive discussion of model components are found in Santos and Haimes [14]. In a nutshell, the terms in the IIM formulation in Eq. (2) are defined as follows:
• q is the inoperability vector expressed in terms of normalized economic loss. The elements of q represent the ratio of unrealized production (i.e. “business-as-usual” production minus degraded production) with respect to the “business-as-usual” production level of the industry sectors.
• A* is the interdependency matrix, which indicates the degree of coupling of the industry sectors. The elements in a particular row of this matrix can tell how much additional inoperability is contributed by a column industry to the row industry.
• c* is a demand-side perturbation vector expressed in terms of normalized degraded final demand (i.e. “business-as-usual” final demand minus actual final demand, divided by the “business-as-usual” production level).
Previous IIM-based works on infrastructure interdependencies and risks of terrorism include Haimes [17], Jiang and Haimes [18], Crowther and Haimes [19], Haimes et al. [20, 21], Lian and Haimes [22], and Santos [23]. Other quantitative research on modeling terrorism risks has emerged in recent years because of sustained threats to homeland security. Apostolakis and Lemon [24] proposed the use of graph theory for modeling infrastructure interconnectedness and employed multiattribute utility theory for setting priorities to vulnerabilities. Paté-Cornell and Guikema [25] employed probabilistic risk analysis (PRA), decision analysis, and game theory for prioritizing vulnerabilities and their associated countermeasures. Bier and Abhichandani [26] proposed a game theory approach to model the way defenders and offenders determine optimal strategies for achieving their respective objectives of protecting or destroying a system.
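The IIM of Eq. (2), worked through on a constructed three-sector economy as an added example that is not part of the original chapter. The coefficients, demands, and function names are assumptions; the normalisation A* = diag(x)^-1 A diag(x) is obtained by subtracting the degraded form of Eq. (1) from the business-as-usual form and dividing by business-as-usual output, with A held fixed.

```python
"""Static IIM (Eq. 2) on a constructed three-sector economy; standard library only."""

SECTORS = ["electric power", "communications", "transportation"]

# Constructed Leontief coefficients a_ij (Eq. 1): input from sector i required
# per unit of output of sector j. Illustrative values, not BEA data.
A = [
    [0.10, 0.20, 0.15],
    [0.05, 0.10, 0.10],
    [0.10, 0.05, 0.05],
]
C_BAU = [500.0, 300.0, 400.0]  # constructed business-as-usual final demand, $M


def solve(matrix, rhs):
    """Solve matrix @ x = rhs by Gaussian elimination with partial pivoting."""
    n = len(rhs)
    aug = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular system: (I - A) is not invertible")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, n):
            factor = aug[r][col] / aug[col][col]
            for k in range(col, n + 1):
                aug[r][k] -= factor * aug[col][k]
    x = [0.0] * n
    for i in reversed(range(n)):
        tail = sum(aug[i][k] * x[k] for k in range(i + 1, n))
        x[i] = (aug[i][n] - tail) / aug[i][i]
    return x


def leontief_solve(a, c):
    """Solve v = a v + c, i.e. (I - a) v = c. Eq. (1) and Eq. (2) share this form."""
    n = len(c)
    i_minus_a = [[(1.0 if i == j else 0.0) - a[i][j] for j in range(n)]
                 for i in range(n)]
    return solve(i_minus_a, c)


def iim(a, c_bau, c_degraded):
    """Return (q, A*, c*, x) for a drop in final demand from c_bau to c_degraded."""
    n = len(c_bau)
    x = leontief_solve(a, c_bau)  # business-as-usual production, Eq. (1)
    if min(x) <= 0.0:
        raise ValueError("business-as-usual output must be positive to normalise")
    # Interdependency matrix: a*_ij = a_ij * x_j / x_i
    a_star = [[a[i][j] * x[j] / x[i] for j in range(n)] for i in range(n)]
    # Demand-side perturbation: lost final demand over business-as-usual output
    c_star = [(c_bau[i] - c_degraded[i]) / x[i] for i in range(n)]
    q = leontief_solve(a_star, c_star)  # Eq. (2)
    return q, a_star, c_star, x


def rank_by_loss(q, x):
    """Sectors as (name, inoperability, economic loss in $M), largest loss first."""
    rows = [(SECTORS[i], q[i], q[i] * x[i]) for i in range(len(q))]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def power_demand_scenario(drop=0.10):
    """Constructed scenario: final demand for electric power falls by `drop`."""
    c_degraded = C_BAU[:]
    c_degraded[0] *= 1.0 - drop
    q, a_star, c_star, x = iim(A, C_BAU, c_degraded)
    return {"q": q, "a_star": a_star, "c_star": c_star, "x": x,
            "c_degraded": c_degraded}


if __name__ == "__main__":
    result = power_demand_scenario()
    for name, q_i, loss in rank_by_loss(result["q"], result["x"]):
        print(f"{name:15s} inoperability {100 * q_i:5.2f}%  loss ${loss:6.1f}M")
```

Sectors whose own final demand is untouched still show nonzero inoperability, which is the indirect (ripple) effect that the ranked results in Section 3 separate from direct impact.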
3 APPLICATIONS OF THE IIM This section discusses representative applications of the IIM that resulted from three government-commissioned projects: (i) high-altitude electromagnetic pulse (HEMP) impact on interconnected sectors; (ii) economic impact of homeland security advisory system (HSAS) threat levels; and (iii) Virginia Department of Transportation (VDOT) interdependencies. 3.1 High-Altitude Electromagnetic Pulse (HEMP) Impact on Interconnected Sectors HEMP is defined as intense electromagnetic blasts induced by high-elevation nuclear explosions, which can potentially cause damage to electronic and electrical systems. National- and regional-level case studies have been conducted in this study to analyze the impacts of HEMP on the electric power, electromagnetic pulse (EMP) vulnerable equipment, workforce, and health services sectors. The EMP Commission’s guidance has been solicited to generate the perturbation scenarios employed in the case studies. Systemic parametric and sensitivity analyses of HEMP attack scenarios are achieved via consideration of various sources of uncertainties relating to (a) geographic scope and detail (e.g. national versus regional); (b) intensity of perturbation to an initial set of affected sectors (e.g. electric power, EMP-vulnerable equipment, and workforce); and (c) temporal characteristics surrounding sector recoveries (e.g. 60-day versus 1-year recovery rates). Trade-off analyses have been performed to analyze the effectiveness of resource allocation strategies associated with restoring diversely affected sectors. Recommendations from this study include developing cost-benefit-risk-balanced policies and solutions for managing disruptions and expediting recovery time from potential terrorist attacks [see [16] for details]. 
For a 60-day exponential electric power outage in the Greater Northeastern Region (GNR), as shown in Figure 1, the resulting direct and indirect sector impacts were ranked and classified according to two types of metrics: economic loss and inoperability. Approximately $14 billion in losses are incurred for this scenario, of which about 80% is realized within the first 20 days. 3.2 Economic Impact of Homeland Security Advisory System (HSAS) Threat Levels The IIM was used to estimate the economic impact of heightened HSAS threat levels and the corresponding courses of actions relating to the period of implementation and the regional scope of the alert. A system for generating the direct-sector impacts associated with various HSAS courses of actions was developed, along with a process for visualizing the results. Parametric analyses were conducted to address critical factors, such as impacted sectors, nature of impact (productivity loss versus demand reduction), and duration of effects. Input–output datasets for the Greater New York Metropolitan Region and the Newark Statistical Area (a subset consisting of six counties contiguous to Newark) were obtained from the BEA. These datasets enabled us to estimate the magnitude of economic impacts associated with the specified HSAS scenarios. National IIM analysis was also implemented to estimate the psychological response of the general public to HSAS alert modifications. In particular, we studied the sensitivity of recreation and other discretionary sectors to demand reductions potentially caused by increasing alert levels. The results show that economic repercussions of a red alert are large and are highly sensitive to the definition of nonessential businesses (i.e. discretionary vs. fundamental
[Figure 1 panels: geographic scope of analysis (Greater Northeastern Region); top-20 affected sectors in terms of inoperability impact (inoperability, %) and in terms of economic loss impact (productivity loss, $M), each split into direct impact and indirect impact (ripple effect); cumulative loss with lingering demand effects (production losses, $M, versus time in days; cumulative economic loss = $14B).]
FIGURE 1 Sample IIM results for a regional HEMP attack scenario.
sectors). On the basis of the assumption that approximately 10% of the businesses are nonessential, red alerts would likely result in $210 billion losses for the nation, $50 billion for the Greater New York Metropolitan Region, and $6.3 billion for the Newark Statistical Area. These losses are based on a one-week red alert followed by one year of consumption losses due to lingering public fear. Lingering demand effects have substantial economic impacts and should not be ignored—IIM results indicate that these losses are approximately 3 times the losses incurred during the first week of a red alert. Also, losses incurred in smaller regions are proportionately higher compared to overall domestic production. This observation may be attributable to the greater effort required to manage security and/or more focused public reaction when the red alert is local.

3.3 Virginia Department of Transportation (VDOT) Interdependencies

The transportation network, being a lifeline infrastructure, is designed to support other infrastructures and systems. This symbiotic relationship creates vulnerabilities that affect not only the highway system but also all other systems dependent on transportation modes and facilities. The IIM was used for modeling and analysis of transportation interdependencies, which requires investigation of various transportation elements, such as road network structure, flow, and capacity, as well as the type of economic activities they support [27]. Mobility is an important aspect of recovery and can be assured through availability of transportation modes and facilities. Furthermore, workforce mobility is an important consideration during recovery to ensure uninterrupted availability of essential services other than transportation (health care, food supply, electric power, communication, etc.). The focus of the case study is to understand how a terrorist attack (or other disruption) on a highway system element (bridge, overpass, tunnel, road, etc.) propagates to other physical and economic sectors within Virginia and its contiguous region, so that management policies can be implemented to reduce the consequences of the event. These sectors include utilities, commerce, communication, and providers of basic necessities (food, water, and health care), among others.
CROSS-CUTTING THEMES AND TECHNOLOGIES
REFERENCES

1. Leontief, W. W. (1951a). Input–Output Economics. Scientific American, pp. 15–21.
2. Leontief, W. W. (1951b). The Structure of the American Economy, 1919–1939: An Empirical Application of Equilibrium Analysis, 2nd ed., International Arts and Sciences Press, New York.
3. Miller, R. E., and Blair, P. D. (1985). Input–Output Analysis: Foundations and Extensions. Prentice-Hall, Englewood Cliffs, NJ.
4. Isard, W. (1960). Methods of Regional Analysis: An Introduction to Regional Science. MIT Press, Cambridge, MA.
5. Lahr, M. L., and Stevens, B. H. (2002). A study of regionalization in the generation of aggregation error in regional input-output models. J. Reg. Sci. 42, 477–507.
6. Lahr, M. L., and Dietzenbacher, E. (2001). Input–Output Analysis: Frontiers and Extensions. Palgrave, New York.
7. Dietzenbacher, E., and Lahr, M. L. (2004). Wassily Leontief and Input–Output Economics. Cambridge University Press, Cambridge.
8. Rose, A., and Liao, S. (2005). Modeling regional economic resilience to disasters: a computable general equilibrium analysis of water service disruptions. J. Reg. Sci. 45, 75–112.
9. Rose, A. (2004). Economic principles, issues, and research priorities in hazard loss estimation. In Modeling Spatial and Economic Impacts of Disasters, Y. Okuyama, and S. Chang, Eds. Springer-Verlag, New York, pp. 13–36.
10. Cho, S., Gordon, P., Moore, J. E. II, Richardson, H. W., Shinozuka, M., and Chang, S. (2001). Integrating transportation network and regional economic models to estimate the costs of a large urban earthquake. J. Reg. Sci. 41, 39–65.
11. Lenzen, M., Pade, L., and Munksgaard, J. (2004). CO2 multipliers in multi-region input-output models. Econ. Syst. Res. 16, 391–412.
12. Alcántara, V., and Padilla, E. (2003). Key sectors in final energy consumption: an input–output application to the Spanish case. Energy Policy 31, 1673–1678.
13. Haimes, Y. Y., and Jiang, P. (2001). Leontief-based model of risk in complex interconnected infrastructures. J. Infrastruct. Syst. 7, 1–12.
14. Santos, J. R., and Haimes, Y. Y. (2004). Modeling the demand reduction input–output (I–O) inoperability due to terrorism of interconnected infrastructures. Risk Anal. 24, 1437–1451.
15. Bureau of Economic Analysis (BEA). (1997). Regional Multipliers: A User Handbook for the Regional Input-Output Modeling System (RIMS II). US Department of Commerce, Washington, DC.
16. Bureau of Economic Analysis (BEA). (1998). Benchmark Input-Output Accounts of the United States for 1992. US Department of Commerce, Washington, DC.
17. Haimes, Y. Y. (2004). Risk Modeling, Assessment, and Management, 2nd ed. John Wiley & Sons, New York.
18. Jiang, P., and Haimes, Y. Y. (2004). Risk management for Leontief-based interdependent systems. Risk Anal. 24, 1215–1229.
19. Crowther, K. G., and Haimes, Y. Y. (2005). Application of the inoperability input–output model (IIM) for systemic risk assessment and management of interdependent infrastructures. Syst. Eng. 8, 323–341.
20. Haimes, Y. Y., Horowitz, B. M., Lambert, J. H., Santos, J. R., Lian, C., and Crowther, K. G. (2005a). Inoperability input-output model (IIM) for interdependent infrastructure sectors: theory and methodology. J. Infrastruct. Syst. 11, 67–79.
21. Haimes, Y. Y., Horowitz, B. M., Lambert, J. H., Santos, J. R., Crowther, K. G., and Lian, C. (2005b). Inoperability input-output model (IIM) for interdependent infrastructure sectors: case study. J. Infrastruct. Syst. 11, 80–92.
22. Lian, C., and Haimes, Y. Y. (2006). Managing the risk of terrorism to interdependent infrastructure systems through the dynamic inoperability input-output model. Syst. Eng. 9, 241–258.
23. Santos, J. R. (2006). Inoperability input-output modeling of disruptions to interdependent economic systems. Syst. Eng. 9, 20–34.
24. Apostolakis, G. E., and Lemon, D. M. (2005). A screening methodology for the identification and ranking of infrastructure vulnerabilities due to terrorism. Risk Anal. 25, 361–376.
25. Paté-Cornell, M. E., and Guikema, S. (2002). Probabilistic modeling of terrorist threats: a systems analysis approach to setting priorities among countermeasures. Mil. Oper. Res. 7, 5–20.
26. Bier, V. M., and Abhichandani, V. (2003). Optimal allocation of resources for defense of simple series and parallel systems from determined adversaries. ASCE Proc. Risk Based Decisionmaking Resour. 10, 59–76.
27. Haimes, Y. Y., Santos, J. R., and Williams, G. M. (2006). Assessing and managing the inoperability of Virginia’s interdependent transportation systems. Int. J. Risk Assessment Manag. 4, 489–510.
APPLICATION OF A CONDITIONAL RISK ASSESSMENT METHODOLOGY FOR PRIORITIZATION OF CRITICAL INFRASTRUCTURE Edward J. Hecker and Yazmin Seda-Sanabria U.S. Army Corps of Engineers, Washington, D.C.
Enrique E. Matheu U.S. Department of Homeland Security, Washington, D.C.
James D. Morgeson and M. Anthony Fainberg Institute for Defense Analyses, Alexandria, Virginia
1 INTRODUCTION

The Dams Sector comprises dams, navigation locks, levees, flood damage reduction systems, hurricane protection systems, mine tailings impoundments, and other similar water retention and/or control facilities. There are over 82,000 dams in the United States; approximately 65% are privately owned and more than 85% are regulated by State Dam Safety Offices. The Dams Sector is a vital part of the nation’s infrastructure, and continually provides a wide range of economic, environmental, and social benefits, including hydroelectric power, river navigation, water supply, flood control, and recreation. The potential impacts associated with damage or destruction of dams could include significant loss of life, massive property damage, and severe long-term consequences. Many of these infrastructures were built before man-made threats were recognized as a possibility and their implications were fully understood. While many differences exist between the needs of individual dam owners and operators, the Dams Sector shares a collective goal of incorporating appropriate and practical protective measures to improve awareness, prevention, protection, response, and recovery. Meaningful assessment of risks and systematic prioritization of risk mitigation measures are critical elements to accomplish this goal.
2 RISK METHODOLOGY COMPARISON STUDY

In 2006, the US Army Corps of Engineers (USACE) initiated a risk methodology comparison study for civil infrastructure projects. The initial phase of this study (see Figure 1) focused on a review of the state-of-practice of critical infrastructure security risk assessments, which could be applied to Corps civil works infrastructure projects. This study [1] identified a significant opportunity for collaboration with other Dams Sector partners, based on a clearer, more comprehensive understanding of requirements for a consistently applied, sector-wide risk assessment approach. The development of a framework that enables a sector-wide risk assessment is the primary goal of the Dams Sector-Specific Agency (SSA) within the Office of Infrastructure Protection in the US Department of Homeland Security (DHS).

As a continuation to the comparison study effort, and through the auspices of an interagency agreement between USACE and DHS, the study was further expanded to establish the comparative advantages and limitations of a number of risk assessment methodologies. In this second phase, a technical review led by an external panel of experts was conducted to assess the technical approach and implementation of the selected methodologies. As a final phase, a select set of owners and operators conducted an analysis of requirements that provided a more detailed understanding of how well each methodology compared to the needs of organizations responsible for assessing security risks. Each of these phases is covered in additional detail below.
2.1 Phase 1—Site Assessments

This phase primarily involved a literature review of risk analysis methodologies currently in use for security assessments of critical infrastructure, to assist in the identification of existing state-of-practice approaches with most applicability to dams. The term state-of-practice was used to denote those approaches currently in use that can provide useful input to decisions on managing risks associated with various threat scenarios. From this research, a preliminary screening of existing assessment methodologies was conducted and five methodologies were identified for application at two typical USACE projects: a navigation lock and dam, and a combined flood control, hydropower, and navigation lock project. The five methodologies were: Dam Assessment Matrix for Security and Vulnerability Risk (DAMSVR), developed by the Federal Energy Regulatory Commission; Risk Assessment Methodology for Dams (RAM-D), developed by Sandia National Laboratories; Critical Asset and Portfolio Risk Analysis (CAPRA), developed by the University of Maryland; Reclamation’s Risk Quantification Methodology (RRQUM) and Matrix Security Risk Analysis (MSRA), both developed by the US Bureau of Reclamation; and Joint Antiterrorism (JAT) Risk Assessment Methodology, developed by the US Department of Defense (DoD). It must be pointed out that some of these methodologies and approaches have continued evolving over time, and therefore their current versions may show differences with respect to those used in the initial phase of this effort.

Technical teams with representatives from each of the risk assessment methodologies under consideration conducted site assessment visits at select dam sites during the November 2006 time frame. Each team conducted an independent evaluation of the sites, and collected the information required for the application of the corresponding assessment methodology. In advance of the site assessments, each methodology team was provided with the same read-ahead package, consisting of site information and descriptions of the functions and components of the project, including pictures, drawings, and other relevant information. For the purpose of this effort, a definition of threat scenarios was also provided. After the site assessment, each team provided a technical report summarizing the analysis resulting from the application of the risk assessment methodology to each site.

2.2 Phase II—Panel Reviews

Phase II was initiated during 2007 by an external panel of experts who reviewed the risk assessment reports and evaluated the application of the corresponding methodologies to the two sites selected for the study. The objective was to establish comparative advantages and limitations of the technical approaches, as well as to identify any challenges encountered during the implementation process. The panel developed a systematic approach that included a comprehensive set of criteria to evaluate the results arising from Phase I of the study.

The criteria established by the panel took into consideration the requirements from the National Infrastructure Protection Plan (NIPP) developed in 2006 [2] and updated in 2009. The NIPP provides a coordinated approach for the protection of critical infrastructure and key resources (CIKR). Other provisions in the NIPP include a risk management framework for systematically combining consequence, vulnerability, and threat information. The 2006 NIPP included specifications for baseline criteria that risk assessment methodologies should meet in order to enable comparative analyses between multiple sectors. The purpose of these baseline criteria was to assist in the use of assessments previously performed by owners and operators. These baseline criteria aimed to ensure that a given methodology is credible and comparable with other methods. The challenge of comparing results from multiple risk methodologies is significant since there is wide variation among methodologies on aspects such as assumptions, comprehensiveness, objectivity, inclusion of threat and consequence considerations, physical and cyber dependencies, and other characteristics.

In addition to the 2006 NIPP baseline criteria, the expert panel considered some additional basic elements that are relevant to the types of infrastructures included within the Dams Sector. These sector-specific considerations were used to augment the 2006 NIPP baseline criteria. Table 1 shows the entire set of criteria used to facilitate the comparative evaluation by the panel.
TABLE 1 Evaluation Criteria

NIPP-related criteria
1. Is the methodology based on documented risk analysis and security vulnerability analysis?
2. Does it specifically address consequences? Vulnerability? Threat?
3. Does the methodology provide reasonably complete results via a quantitative, systematic and rigorous process that
   (a) provides numerical values for estimated consequences, vulnerability and threat whenever possible, or uses scales when numerical values are not practical?
   (b) specifically addresses both public health and safety and direct economic consequences?
   (c) considers existing protective measures and their effects on vulnerabilities as a baseline?
   (d) examines physical, cyber, and human vulnerabilities?
   (e) applies the worst-reasonable-case standard when assessing consequences and choosing threat scenarios?
   (f) uses threat-based vulnerability assessments?
4. Is the methodology thorough and does it use the recognized methods of the professional disciplines relevant to the analysis?
5. Does it adequately address the relevant concerns of government, the CIKR workforce, and the public?
6. Does the methodology provide clear and sufficient documentation of the analysis process and the products that result from its use?
7. Is the methodology easily understandable to others as to assumptions used, key definitions, units of measurement, and implementation?
8. Does the methodology provide results that are reproducible or verifiable by equivalently experienced or knowledgeable personnel?
9. Is the methodology free from significant errors or omissions so that the results are suitable for decision-making?

Dams Sector-specific criteria
1. Is the methodology able to conduct comparisons between assets and comparisons with other sectors?
2. Is the process Six Sigma friendly to allow for trend analysis involving similar structures or regional groupings of structures?
3. Can the methodology be used to identify security and protection measures that will result in quantifiable risk reduction?
4. Will implementation of the methodology result in distinguishing characteristics that can be used for meaningful prioritization and are important for decision-making?
5. Is the theoretical/analytical/mathematical formulation logically sound, consistently carried over across the whole methodology and reasonable/practical in terms of data/input requirements?
6. Does the method clearly identify and consider direct and indirect consequences associated with damage/failure of the facility and/or disruption of its functions? Does it consider potential effects on downstream population (population at risk, number of fatalities, and number of injuries)? Does it consider economic impacts (facility replacement and repair cost, direct property damage, business interruption costs and loss of benefits, emergency response impacts, search and rescue costs, short- and/or long-term environmental remediation and restoration costs, indirect effects on other infrastructure)?
7. Does the method identify a process for aggregating losses across various consequence types to allow an assessment of the cumulative loss of an attack?
8. Does the method clearly identify and quantify interdependency impacts?
9. Does the method effectively address economic impacts on regional interdependencies as many of these dams affect numerous entities upstream, downstream, and across state lines?
10. Does the threat assessment portion of the methodology have an “intelligence quality” process for identifying, quantifying, and qualifying intelligence and information from both public and private sectors, leading to a formal threat estimate that identifies the most credible threats to a facility, activity, organization, or region?
11. Does the method identify a process for allocating the threat for the entire Dams Sector down to the threat for a specific dam?
12. Does the methodology consider the structural condition and maintenance state of the facility or asset when evaluating the vulnerabilities?
13. Does the methodology consider the response effectiveness (time for arrival of first responders) when evaluating the vulnerabilities, or their effects on their resulting risk?
14. Is the methodology sensitive enough to capture the influence of alternative security/protection/response measures on the vulnerabilities and/or the resulting risk?
In August 2007, the expert panel convened to complete the review of the application of the five methodologies. The panel, facilitated by the Oak Ridge Institute for Science and Education, met for 3 days to share findings arising from their evaluation and to identify desirable features or limitations in current approaches. Results from the discussions were documented; some of the key highlights are as follows:

• The baseline criteria for risk assessment methodologies can identify desirable overall characteristics, but are inadequate to ensure that the results of methodologies will be compatible or their resulting data consistent. For the Dams Sector to produce comparable risk estimates, the basic criteria must be augmented with additional sector-specific technical considerations.
• In some cases, the expert panel evaluation criteria required “yes” or “no” answers, yet many panelists felt that the most accurate answer lay in between. This led to disagreements among panelists, which were not capable of being resolved within the limitations of the evaluation criteria. Where possible, ordinal scales (e.g. “low, moderately low, moderate, moderately high, and high”) should be developed that would permit panelists to estimate the “degree” to which a methodology met a required criterion. Alternatively, questions which permitted panelists to provide somewhat open-ended descriptions that described and defended the panelist’s assessment were deemed desirable in some cases.
• The evaluation lacked benchmarks or defined standards for best practices against which methods could be compared; thus, evaluators tended to evaluate each method against their own undefined “best practice” standards.
• Experts agreed on the need to develop rational methods for transforming threat information and intelligence into comparative estimates (e.g. rank order or probabilities) for different attack scenarios (i.e. threat vector and target combinations) within the sector.
• To obtain credible vulnerability results, expressed as a probability of attacker success given an attack, it is necessary to develop rational models that appropriately account for all layers of protection (including passive and active detection, assessment, and interdiction features).
• It is necessary to establish a method for aggregating consequences across various consequence categories (human impacts, economic impacts, etc.), including cascading impacts and indirect effects arising from long-term project disruptions.
• The methodology has to include a clear communication strategy for documenting attack-target predictions in a way that accounts for model limitations and data uncertainty.
• Development of a sector-wide risk assessment approach will require a set of tools that can integrate information available from asset-specific assessments conducted at the facility level.
2.3 Phase III—Independent Analysis

The third phase of the study was initiated in June 2008. Additional analysis of the requirements defined by the Dams Sector was conducted to develop a more detailed understanding of the results of the prior phases of the study. The primary objective of this phase was to further analyze the outcomes from Phase II, which included making a more detailed evaluation of the advantages and limitations of the representative methodologies considered. The desired end-state of the final phase of the study was to provide additional recommendations on the desired attributes that an effective risk assessment methodology should have, and to take additional steps toward achieving risk analysis interoperability across the Dams Sector.

SRA International was funded to facilitate this phase of the study and develop an objective framework of common requirements and features for security risk analysis methodologies. Noting that much of the Phase II panel analysis generated agreement on “yes” and “no” answers while demonstrating significant differences in the open-ended comments, it was perceived that a more discriminating scale such as an ordinal scale could generate greater clarity. The result of this enabling step was the development of a methodology evaluation tool that could facilitate comparison of risk assessment methodologies on a more detailed and objective basis. This process identified a set of measurable requirements and preferences commonly associated with security risk analysis methodologies.

This phase of the study relied on additional data elicited from a number of security risk experts affiliated with organizations with large portfolios of high-consequence dams. The interviews were conducted in September 2008. Each interview lasted between 1 and 2 h, and they were conducted via teleconference.

First, the facilitators intentionally focused questions toward sector-wide needs and requirements, given likely resources and time constraints. Recognizing that most of the participants could identify many improvements to current security risk analysis that may be beyond current budget and resources, participants were directed to consider the best methodology achievable in the near term. The acronym BMAN (“best methodology available now”) was coined by the SRA team to identify this target methodology. The features of this benchmark methodology were explicitly defined based on the set of measurable requirements and preferences incorporated in the methodology evaluation tool.

Second, participants were also asked to give a narrative response for a set of open-ended questions. The open-ended responses were particularly important because they allowed participants to reflect upon overarching risk methodology issues in a narrative format. It also permitted interviewees to express a more detailed and contextual perspective about methodology features for the Dams Sector.

A systematic process was followed to capture these methodological requirements and preferences. In Phase II, in the absence of a thorough understanding of requirements and preferences, expert reviewers had little choice but to evaluate methods against a notional “ideal methodology,” without consideration of capabilities or resources needed to develop such an elusive perfect solution. The incorporation of a practical benchmark allows the objective comparison of methodologies through a set of technical requirements, while incorporating additional elements such as measures of their fitness with respect to practical capabilities and available resources.

The study succeeded in identifying a wealth of critical issues and observations for further research. The final consolidation into a comprehensive requirements document, however, would require additional development and approval across formal Dams Sector collaboration channels (Sector Coordinating Council and Government Coordinating Council). Once completed, the Dams Sector could be in a better position to evaluate, develop, or modify methodologies to bring them in line with sector-accepted requirements and preferences.
3 FINDINGS AND OBSERVATIONS

Methodologies currently in use across the Dams Sector are hindered by the lack of common terminology and standards for security risk analysis. Compounding the issues are data quality and availability limitations that present further technical and logistical obstacles—often resulting in the creation of unique and incompatible solutions. As a result, these methodologies—while useful in their own right at the organization level—cannot meet the evolving requirements and expectations at the national and sector levels. If sector-wide interoperability of risk assessment methods and compatibility of risk assessment results are to be achieved, significant work is still necessary to synchronize the requirements of stakeholders at multiple levels, as indicated in Figure 2. For example, asset-level risk assessment methodologies must meet the needs of owners and operators who must use them to secure their assets and develop facility-specific security programs. Sector-wide risk assessments must be able to compare, consolidate, and prioritize basic results and information from facility-specific analyses. Finally, sector-specific assessments must also provide data that is deemed acceptably comparable with assessment results from the other 18 CIKR sectors, to facilitate national-level analysis.

FIGURE 1 Project elements. (Diagram labels: Phase I, site assessments; Phase II, expert panel review; Phase III, independent analysis.)

FIGURE 2 Assessing risk at multiple levels. (Diagram labels. Assessment levels: national-level, sector and regional-level, state and infrastructure-level, and local and asset-level risk assessments. Stakeholders: DHS; DHS/G&T; sector-specific agencies; state governments; infrastructure owner/operators; city, local and tribal governments; asset owner/operators. Other labels: common risk scales; prevention and protection; preparedness, response and recovery. Note in figure: risk assessment data is collected once, but may be used for various purposes at different levels of government.)

Numerous observations were captured during the interview process leading to the definition of benchmark methodological requirements and preferences. These are addressed below.

• Interview participants envisioned a benchmark methodology that was consistent, functional, and user-friendly. Participants unanimously stated that the consistency of a methodology would bolster the overall capability of the Dams Sector to aggregate risk values and prioritize assets and programs. A probabilistic approach using the standard risk equation risk = f(threat, vulnerability, consequence) was considered the best practical option in the near term.
• Participants envisioned that the BMAN should principally address international terrorism, domestic terrorism, and insider threats. While this may appear somewhat limited in scope when compared to efforts to achieve an “all-hazards” methodology, it was noted that the Dams Sector has multiple programs that separately address security and safety concerns. Focusing one methodology on man-made hazards, while other programs addressed natural hazards and industrial accidents, was not only stated as acceptable, but preferable. Therefore, the BMAN was envisioned as a stand-alone terrorist risk assessment methodology that did not weigh terrorism risk, natural disasters, and industrial/safety risks against one another.
• Interviewees expressed a clear preference that the BMAN should be able to assist in improving resiliency, recovery, response, and protection, even though most current methodologies focus primarily on protection alone.
• Participants agreed that it is the shared responsibility of asset owners and operators and sector-wide decision-makers to determine how best to address sector-level risks, and indicated that BMAN should measure risk at the asset level and support prioritization needs at the sector level.
• Participants envisioned a BMAN that addresses a broad array of consequences and their impacts, including loss of life, economic costs, mission disruption, interdependencies and dependencies, national security, symbolic impacts, and environmental impacts.
• Some of the participants agreed that the threat portion of the ideal methodology should be scenario-based, as is a requirement in the NIPP. Intention, capability, target attractiveness, and history of adversary were all considered critical analysis factors.
• Participants also articulated that the threat portion of the BMAN should be amenable to customization, particularly at the asset level, where it should facilitate development of detailed scenarios that could capture unique site characteristics.
• Participants were nearly unanimous in expecting that the BMAN should strive for a high standard of completeness and documentation. Full documentation for BMAN was defined by the participants as including detailed coverage of scope, formulas, limitations, assumptions, scales, and instructions for use.
• Interviewees identified a number of additional features necessary for the BMAN that would make it as much a risk management tool as a risk assessment tool. For example, participants preferred a methodology that included techniques for prescreening assets and enabled cost–benefit analyses.
The interview process also discovered a series of issues affecting most, if not all, of the five methodologies in the initial phase of the study. It was noted that methodology developers often took divergent approaches to overcome these obstacles, influenced in large part by the needs of their original organization and their own approach to risk management. The specifics of these issues and their implications for the Dams Sector are discussed below.

3.1 Lexicon Problem

The ability to compare risk between assets, or to even identify which asset is at greatest risk, is undermined by the inability to compare risk results derived from one risk assessment methodology against those derived from another. At their highest level, almost all security risk assessments address consequence, vulnerability, and threat components of the problem, but more often than not they define and measure these variables in very different ways. There is little agreement on what factors are examined and how they are measured. While each methodology measures vulnerabilities, a risk analyst could not examine the results from each of these assessments side-by-side. This inconsistency is caused by design features in the methodologies themselves, as shown in Table 2, derived from information found in various parts of Ref. 1. For example, all of the methodologies address consequences in some way (Table 2); however, by definition, consequence categories differ in significant ways. Given the same unwanted event, a methodology measuring the economic costs resulting from cascading failures associated with infrastructure dependencies and interdependencies will present a different consequence rating than the methodology that measures only direct consequences.
1218 Strength Probability of loss
Security effectiveness
Attack profiles
Dam type Feature or component vulnerabilities Redundancy
Intrusion paths Delivery vehicles
Vulnerability
Loss of life Loss of dam function Secondary losses Recovery Disruption to essential facilities
Casualties Economic impacts Mission disruption Recuperation
Risk Methodology No. 2
Consequence
Risk Methodology No. 1
TABLE 2 Risk Variables
Perimeter Facility exterior Facility interior
Delivery method
Indirect economic Adversary tactics Weapons
Fatalities Serious injuries Property damage Equipment Direct economic
Risk Methodology No. 3
Security effectiveness
Loss of life Economic impacts Mission disruption
Risk Methodology No. 4
Likelihood of failure (lack of inherent strength)
Likelihood of success Dam type
Loss of life
Risk Methodology No. 5
Threat
Dam type
Scenario attractiveness Security system effectiveness Relative asset attractiveness Annual rate of attack
Profile attractiveness
Terrorist history and intentions Targeting
Asset location
Existence Security measures Perception of success Threat level History of capability Terrorist operating environment Terrorist activities in country
Asset availability
Capability
Existence
Publicity
Location
Security system effectiveness
Suspicious activities
Base threat (attack frequency) Criticality
3.2 How You Measure Matters
The scales and estimation that a methodology uses to estimate risk and its components greatly influence the risk assessment process as well as the final prioritization and decision-making. Measurement methods determine how data, such as expert elicitation, modeling, or owner and operator judgments, is synthesized and aggregated into quantitative values. Four of the five methodologies use some form of ordinal scales or bins, but the criteria defining the bins are incommensurate; therefore, the various scales used by these methodologies are incompatible. Instead of using ordinal scales, the fifth methodology uses ratio scales and probabilities, which yield well-known risk metrics (e.g. expected loss measured in dollar amounts for a given time frame) that are mathematically defensible when the risk parameters are multiplied to yield the final result.
3.3 Assessing Threat is a Continuing Challenge for Quantitative Analysis
Calculating the threat posed by adversaries is one of the most pressing challenges in the broad risk-management community. This challenge is particularly acute at the facility-level analysis because local threat information is difficult to obtain, while sector-level threat data is often missing, inconsistent, or difficult to quantify. The majority of adversary threat data currently comes from intelligence reporting, which can be incomplete, conflicting, and sometimes “unfinished.” Analytical products are also not written with the premise that the data will be quantified, which makes threat data difficult to incorporate into risk assessments. The weakest piece of every methodology reviewed was threat assessment. Each dealt with this problem differently, and in most cases the alternative solutions provided further undermined the credibility and compatibility of the assessments.
Adopting or facilitating the development of standardized threat scenarios and corresponding quantitative threat estimates is crucial to being able to compare risk assessments at the sector and national levels.
3.4 The Complexity versus Practicality Problem
Many facilities in the Dams Sector do not require a complex model for assessing risk. It was considered more important to strive for a practical methodology rather than provide something that may tend to overcomplicate the process. Furthermore, employing complex methodologies often necessitates organizations looking outside of their current personnel to find the mix of skill sets necessary to conduct the most advanced assessments. As the methodology becomes more complex and rigorous, more time is required not only to perform the assessment but also to train participants and decision-makers to understand the methodology itself. Given the number of dams within the sector, the availability of resources to produce a sector-wide assessment becomes an increasingly important constraint.
4 PROPOSED REQUIREMENTS FOR A SECTOR-WIDE RISK ASSESSMENT METHODOLOGY
A comprehensive, sector-wide risk assessment and management program is achievable and within the Dams Sector’s reach. While each of the models reviewed has merit within a narrow field of use, none has the desirable properties of (i) satisfying the need for a
practical approach suitable for comprehensive sector-wide use, and (ii) yielding risk results that can be objectively compared to risk results across the sector as well as results from other infrastructure sectors. The model that is both ideal and achievable will allow risk analysts at the sector level to be able to leverage the data already collected by owners and operators through facility-specific assessments, with the goal of conducting a sector-wide prioritization—without having to collect or develop significant amounts of new data. This sector-wide risk assessment framework will strive for the lowest achievable complexity and logistical burden, while taking maximum advantage of existing assessments. The model that results needs to be not only simple, transparent, and easy to use, but also mathematically defensible and ratio-scalable to provide for more rigorous analyses, if needed. This joint effort between the USACE and Dams SSA has identified and consolidated a substantial set of requirements that will be critical in achieving this practical goal.
To be useful to stakeholders, a transparent and rigorous methodology would be able to evaluate risk numerically and to do this simply, so that risks ascribed to elements across critical infrastructure could be easily compared to each other. To accomplish this in a mathematically defensible way, the methodology would assign real, ratio-scalable numbers to each of the three parameters commonly accepted to compose risk: threat, vulnerability, and consequences. The simplest and most widely accepted approach for calculating risk is to multiply these three together, arriving at a value interpreted as total risk.
To explain the concept clearly, a system of calculations is said to be “ratio scalable” if, within the system, a number x has a defined value that is half of 2x, one-third of 3x, and so on. As examples, a probability of 0.6 is twice the probability of 0.3; $20 has a value of twice $10.
Such scales, probabilities, and dollars are ratio scalable. This is as opposed to ordinal scales, in which the numbers ascribed to a system do not necessarily have any well-defined ratio (such as scales that indicate relative qualities of 1 = “good” to 5 = “bad”).
Threat may be considered as the likelihood (or probability) of attack and vulnerability as the probability of success given an attack. These probabilities should be treated as obeying the established laws of probability. Each will have a value between 0 and 1; when the two probabilities are multiplied together, the result will also be between 0 and 1. This product is most easily interpreted as the probability of a successful attack against that asset in a given time frame. When this probability is multiplied by the estimated consequences of a successful attack, the result may be logically interpreted as the expected value of the loss in a given time frame—or simply risk. If consequences are measured in dollars (this unit is obviously applicable to direct and indirect economic losses, and—using existing US government determinations—human casualties may be represented by an economic loss), the total risk is then estimated as the expected loss in dollars to an asset from a defined terrorist (or other) event.
An ideal methodology would need to include a rigorous and repeatable procedure for estimating the probability of success given an attack, assuming that an attack was attempted in the first place. More precisely, the “probability of success given an attack” is defined as the probability of success for a particular and well-defined scenario, that is, for a given attack type on a given type of asset. A straightforward way of determining this quantity would be to elicit from a panel of security experts the probability of success for the terrorist attack, based on the attack scenario, the generic characteristics of the asset, and the type of security measures in
place. This probability would not be calculated each time for each asset, but, once determined and systematically validated, would be made readily accessible in a lookup table or matrix that lists probabilities of success versus generic security configurations for a general type of asset. There would be a separate table for each attack type.
In the Dams Sector, much effort has already been devoted to calculating and then further refining estimates of consequences for total or partial failure of a dam or its appurtenant structures. There is a significant body of knowledge that has been developed by the dam safety community, and that could be applied to the consequence estimation problem associated with security scenarios. Therefore, the evaluation of security risks could take advantage of consequence estimates developed by different owners and operators. However, there are still significant methodological differences between the different approaches currently available, and this hinders the direct comparison of the corresponding results. Eventually, Dams Sector owners and operators should agree on recommended methodologies for dam failure consequence calculations.
Armed with a defined probability of success given an attack, and the consequences of a successful attack, these two parameters may be multiplied together to yield a conditional risk, that is, an expected loss given an attack attempt. A sector-wide conditional risk could offer an extremely useful insight on the attack types that could affect large segments of the sector or its subsectors, or the types of assets that could be associated with the highest risk for specific attack vectors.
Finally, the next logical step beyond the determination of conditional risk would be the estimation of total risk. This requires the actual determination of the probability of attack as the additional parameter needed to complete the risk picture.
How might an ideal methodology assign a probability, over a given time period, for an attack on a given type of asset? This number would have to be derived from intelligence information, as provided through a formalized process by the corresponding analysts. The probability could be derived by first assigning a value to the probability of a significant attack on the US critical infrastructure, then multiplying this by the likelihood that, given an attack, it would be aimed at the sector being considered (i.e. Dams Sector). Finally, one would have to assign a probability that the attack on this sector would be conducted against a specific type of dam or a particular dam. Extensions of the technique would include various probabilities estimated for different types of significant attack scenarios. The intelligence community is not usually forthcoming in producing numerical assessments of this sort. However, methods of expert elicitation have been used to dissect intelligence analysts’ opinions and assessments of likelihoods, even to the point of assigning relative likelihoods to different events. Expert elicitation, using intelligence experts, is analogous to the expert elicitation described earlier for estimating the probability of success given an attack (which is accomplished using security experts rather than intelligence experts). Estimating the probability of attack, loosely termed the threat probability, may be done by asking the experts to engage in a series of direct pair-wise comparisons of different potential threats, given intelligence information on adversary intents and capabilities. This method can produce at least defensible probabilities of attack that can feed the risk evaluation methodology described above. As in the case of calculating a probability of success given an attack, the output from this stage of analysis would be a lookup table of probabilities of occurrence for each significant attack type on a given facility type. 
Using the requirements and procedures sketched out above, different analysts would be able to apply a common methodology to facilities within a given sector and arrive
at similar, if not identical, answers that would be fully consistent. This would enable a systematic and reliable process that would directly support an effective sector-wide risk assessment framework.
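The calculation described in this section, as an added example (not part of the handbook or of any methodology it reviews): conditional risk from a per-attack-type lookup table, then total risk once the attack-probability chain is multiplied in. All probabilities, dollar values, asset names and attack-type labels are constructed, and turning pairwise judgments into relative likelihoods by normalised row geometric means is an assumption, since the text does not specify the conversion.

```python
from math import prod

ATTACK_TYPES = ["type_A", "type_B", "type_C"]  # generic labels, constructed

# P(success | attack): one lookup table per attack type, keyed by
# (asset type, security configuration). Constructed values standing in for
# figures a security-expert panel would elicit and validate.
P_SUCCESS = {
    "type_A": {("embankment", "basic"): 0.30, ("embankment", "enhanced"): 0.10,
               ("concrete", "enhanced"): 0.02},
    "type_B": {("embankment", "basic"): 0.20, ("embankment", "enhanced"): 0.15,
               ("concrete", "enhanced"): 0.15},
    "type_C": {("embankment", "basic"): 0.05, ("embankment", "enhanced"): 0.05,
               ("concrete", "enhanced"): 0.01},
}

# Constructed assets. Consequences are in dollars (a ratio scale);
# p_target is P(this asset is the target | attack on the sector).
ASSETS = {
    "Dam 1": {"type": "embankment", "security": "basic",
              "consequence_usd": 50e6, "p_target": 0.01},
    "Dam 2": {"type": "concrete", "security": "enhanced",
              "consequence_usd": 900e6, "p_target": 0.05},
    "Dam 3": {"type": "embankment", "security": "enhanced",
              "consequence_usd": 200e6, "p_target": 0.02},
}

# Constructed stand-ins for intelligence-analyst elicitation, same time frame.
P_ATTACK_ON_CI = 0.5          # P(significant attack on critical infrastructure)
P_SECTOR_GIVEN_ATTACK = 0.04  # P(attack is aimed at this sector | attack)

# PAIRWISE[i][j]: how many times more likely attack type i is judged than type j.
PAIRWISE = [[1.0, 2.0, 4.0],
            [0.5, 1.0, 2.0],
            [0.25, 0.5, 1.0]]


def check_probability(p, label):
    """Reject anything that cannot be multiplied as a probability."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{label} = {p} is outside [0, 1]")
    return p


def weights_from_pairwise(matrix):
    """Relative likelihoods from reciprocal pairwise judgments.

    Assumption of this example: normalised row geometric means.
    """
    n = len(matrix)
    for i in range(n):
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"judgments [{i}][{j}] and [{j}][{i}] are not reciprocal")
    means = [prod(row) ** (1.0 / n) for row in matrix]
    return [m / sum(means) for m in means]


def conditional_risk(asset_name, attack_type):
    """Expected loss in dollars given that the attack is attempted."""
    asset = ASSETS[asset_name]
    p_success = P_SUCCESS[attack_type][(asset["type"], asset["security"])]
    return check_probability(p_success, "P(success | attack)") * asset["consequence_usd"]


def attack_probability(asset_name, attack_type):
    """P(attack of this type on this asset in the time frame), as a chain product."""
    share = dict(zip(ATTACK_TYPES, weights_from_pairwise(PAIRWISE)))[attack_type]
    chain = [P_ATTACK_ON_CI, P_SECTOR_GIVEN_ATTACK,
             ASSETS[asset_name]["p_target"], share]
    return prod(check_probability(p, "chain factor") for p in chain)


def total_risk(asset_name, attack_type):
    """Expected loss in dollars over the time frame."""
    return attack_probability(asset_name, attack_type) * conditional_risk(asset_name, attack_type)


def rank(metric, attack_type):
    """Asset names ordered from highest to lowest risk under the given metric."""
    return sorted(ASSETS, key=lambda name: metric(name, attack_type), reverse=True)


if __name__ == "__main__":
    for attack_type in ATTACK_TYPES:
        print(attack_type)
        for label, metric in (("conditional", conditional_risk), ("total", total_risk)):
            row = ", ".join(f"{n}: ${metric(n, attack_type):,.0f}"
                            for n in rank(metric, attack_type))
            print(f"  {label:<11} {row}")
```

With these constructed inputs the conditional ranking for type_A puts Dam 3 first, while the total-risk ranking puts Dam 2 first once the targeting probabilities are multiplied in.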
REFERENCES
1. SRA International, Inc. (2008). Risk Methodology Evaluation Project, Draft Report Submitted to the Dams Sector Branch, Sector-Specific Executive Management Office, Office of Infrastructure Protection, U.S. Department of Homeland Security. U.S. Department of Homeland Security, Washington, DC.
2. U.S. Department of Homeland Security. (2006). National Infrastructure Protection Plan. U.S. Department of Homeland Security, Washington, DC.
CRITICAL INFRASTRUCTURES AT RISK: A EUROPEAN PERSPECTIVE
Adrian V. Gheorghe
Old Dominion University (ODU), Norfolk, Virginia
University Politechnica, Bucharest, Romania
Marcelo Masera
European Commission Joint Research Centre, Ispra, Italy
1 CRITICAL INFRASTRUCTURES: THE EUROPEAN POLICY CONTEXT
Today’s infrastructures and their associated systems, such as energy, pipelines, water, telecommunication, banking, and the Internet, deliver services that sustain an adequate quality of life. They have greatly developed and advanced during the last century, growing from facilities with limited reach to continent-wide infrastructures. Most importantly, these systems were neither designed as integrated systems nor as systems-of-systems (SoS), but gradually evolved over time. Due to their relevance to the daily functioning of society, the impairment or failure of these infrastructures can have severe consequences, beyond simple business impact. As failures of critical infrastructures can affect the welfare of society at large and the stability of economic
and political systems, they are an expression of protecting our national security, that is, our homeland security [1]. Most infrastructures originate from local networks. Over time, municipal networks evolved. Interconnection of city networks and network expansion to rural areas were forged through intervention of the provincial authorities. Provincial networks thus emerged in the first half of the twentieth century. The national grid was not fully established until the second half of the century. Over time, the density of end user connections increased. Transport functions in the infrastructure were intensified (augmenting throughput and economy of scale), to serve a steadily increasing number of users and a steadily increasing demand per user. In the case of electric power, to improve the security of service, the national grid was interconnected across regions and national borders, most notably in Europe. At the moment, most national grids in Europe are interconnected and are operated as a single SoS. In the course of about one century the system’s dimensions have grown by several orders of magnitude. Currently we are managing and crucially depend upon transcontinental networks for electricity transmission, oil, and gas pipelines, vastly distributed information and telecommunication infrastructures. It is fair to say that the distinguishing attribute of our society is this capacity to develop, operate, and control the risks of extensive infrastructures composed of many interconnected systems, each one run by different (mainly private) companies. This evolution was not exempt of cross-links between politics, business, technologies and a variety of risks including financial, environmental, and political. The incorporation of new technologies, most notably the information and communications ones, enabled the expansion and networking of infrastructural systems and the improvement of their efficiency. 
While these infrastructures were becoming critical to society at large, policy-makers and business decision-makers realized that the assessment and management of risks was not just one more business function. One point that still requires full recognition is the implication of the term “critical”. In modern infrastructures it conveys the need to cope with new types of emerging risks. These risks are cross-organizational and international by nature: the interconnection of systems knows no borders but the risk management solutions proposed are basically a new edition of old models. This is still the case with solutions commonly offered by business continuity, civil defence, or emergency management institutions. Some infrastructures such as energy, water supply, and telecommunications are so vital and ubiquitous that their incapacity or destruction would not only affect the security and social welfare of any nation, but would also cascade across borders. Critical infrastructures are exposed to multiple threats, such as terrorist attacks, natural disasters, or institutional changes, and in addition their failure might induce risks to other interconnected systems. Consequently, there is an urgent need to address such problems with appropriate risk assessment and governance instruments, supported by timely policy analysis at an international level. The main factors that have transformed the nature of infrastructures, that is, how these systems are designed, developed, deployed, and operated, are listed below:
• the liberalization of markets, mainly affecting the electric power and telecommunications fields, which caused the previous monopolies to cede their position, unbundle their integrated business models, and compete with other players;
• the networking among infrastructures, which require each other for completing their functioning, generating an intertwined mesh of interdependent systems;
• the increase of cross-border interconnections, justified by the need to share capacity in case of major malfunctions, and also the mechanism for the integration of markets;
• the technological change brought about by the evolution of information and communication technologies (ICT) and their pervasive use for improving the functionality and control of technical systems, the interaction with the industrial and business sides of companies, and the relations among the actors in the supply chains;
• the advent of new systemic risks generated by complexity and nonlinear behavior of newly established SoS.
The liberalization of markets has diluted responsibilities with respect to potential shortcomings. Each operator of an infrastructural system licitly looks after its own business interests. The countermeasures implemented for countering the risks respond to their own judgment of costs and benefits, in the context of the rules and constraints defined by the authorities. Typically, infrastructural services are recognized as basic public services and for that reason they are subject to governmental regulation. Nevertheless, risks are still managed piecewise, without an overall consideration of the compound effectiveness of single risk management approaches.
The interdependencies among infrastructures make it possible for system failures to originate from external systems. The normal way of dealing with risks is to consider systems with clearly defined interactions with their environment. But the complexity of interdependent infrastructures precludes the comprehensive knowledge of potential threats without a deeper understanding of the connected systems. The most that can be expected is the definition of service levels among the individual operators of the systems.
The increase of cross-border interconnections has made each nation’s infrastructure dependent on the proper functioning of the ones in other countries. Some of these interconnections are part of long and complex international infrastructural corridors (e.g. energy, transport, telecommunications, etc.) that need to be considered in their entirety. Most of them will lose much of their functionality and usefulness if disconnected. In addition, this interaction means that each interconnected system is, at the same time, a provider of services and a potential source of risk problems. These interconnections are not only structural and operational as they are further enmeshed in the links between markets, with operators making transactions in several of them.
The great changes in ICT have extended the channels connecting the systems, with most of them using open public networks. This fact augments the possibility of suffering malicious attacks. Open networks, now reachable worldwide and accessible by many users, involve many disciplines in the problem: legal and market issues, technologies, international relations, homeland, and national security.
Systemic risks are inevitable when implementing and operating these vast infrastructures. They originate not only from the composition of many technical installations, each one operated independently and following mainly its own autonomous rules, but also from the overlaying of several strata (technical, market, regulatory), each one split across several jurisdictional spaces.
There is no simple answer to the question of how to deal with these critical systems. The first consequence of this situation is the conjunction of subjects previously treated in a separate manner: industrial policies for the regulation and development of services and the companies offering them, civil defense and emergency management for dealing
with the negative consequences of potential accidents, law enforcement for coping with organized crime, national defense for responding to external threats and so on. In light of the nature and challenges posed by critical infrastructures, a convergence of these topics is required. However, one question remains open: how should decisions about the risks in critical infrastructures be made? This goes beyond the realm of governments, as infrastructures are operated (almost exclusively) by private companies. But the accumulation of the risk management decisions by single companies will only rarely provide a proper answer to global risk situations. If the international dimension is added, the need for an apposite answer is indisputable. There is a new trend worldwide in addressing risks of complex systems, and this leads to the concept of risk governance.
2 EUROPEAN VIEW OF FUTURE CRITICAL INFRASTRUCTURE DEVELOPMENTS
As of the beginning of 2007, some policy developments in the European Union regarding Critical Infrastructure Protection (CIP) were vigorously initiated. Due to their intrinsic nature, many infrastructures show a cross-border character. Therefore, during 2005–2006 the concept of European Critical Infrastructure (ECI) has been elaborated, which materializes from an adopted directive [2] on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. It is worth noting that, although recognizing the nation-state’s precedence when dealing with this subject and the privileged link between infrastructure operators and national governments, it has been accepted that certain transnational coordination is required for coping with the ECI risk. The European Union has established a European Programme for Critical Infrastructure Protection (EPCIP), under which several sector-specific programs are being implemented (e.g. information, transport, energy, etc). In addition, the CIP (Critical Infrastructure Protection) subject is also considered a priority within the European Commission’s R&D 7th Framework Programme, 2007–2013. CIP has duly been treated as a national issue within the European Union. Nevertheless, several factors have made it evident that there is a need for joint action:
• several infrastructures are composed of networks that cross borders;
• the potential widespread effects of some situations deriving from different threats (e.g. natural causes and malicious attacks);
• the potential benefits from joint investments in the development of solutions.
The European Council requested the Commission in June 2004, to prepare a comprehensive strategy aiming at the protection of critical infrastructures [3]. The Commission reacted with a communication entitled “Critical Infrastructure Protection in the Fight against Terrorism” [4] presented on October 20, 2004. There, the Commission discussed concrete proposals for improving the state of European prevention, preparedness, and response to potential terrorist attacks involving critical infrastructures [3–9]. This initial focus on terrorist attacks was then widened to all kinds of potentially malicious attacks, and ultimately to a so-called all hazards approach. The reason for this was the understanding that the management of risks to infrastructures should, in the end, be calibrated according to all sources of danger.
It is clear that in most, if not all sectors, there are consolidated legal frameworks for countering safety risk (caused for instance, by natural hazards, technical failures or human errors). The security dimension somewhat overlaps with these safety situations when considering the possible consequences of some events. However there are obvious dissimilarities in their causes, and therefore in the required countermeasures. The difficult task in an all-hazards approach is to provide a comprehensive stance on risk, without unnecessarily disturbing other existing industrial requirements and obligations. In December 2004 the European Council approved the Commission’s proposal for setting up a European Programme for Critical Infrastructure Protection (EPCIP) and a Critical Infrastructure Warning Information Network (CIWIN) [3]. In 2005, the Commission, led by EC Directorate General Justice, Freedom and Security (DG JLS), worked on the elaboration of EPCIP, organized two European seminars on critical infrastructure protection and a number of informal meetings together with experts from all EU member states. As a result of this process, the Commission adopted the Green Paper on a European Programme for Critical Infrastructure Protection [6] in November 2005. This Green Paper not only put forward the definition of the principles that should guide European actions in the field, concrete proposals for the EPCIP framework, and the links between national and European critical infrastructures to the countries and society at large, but also anticipated the arrangement of funding sources for activities related to EPCIP which could include relevant studies and the development of specific methodologies. The Green Paper was then complemented by a detailed impact assessment. A policy package on EPCIP composed of a communication and a directive was adopted by the Commission in December 2006 [8]. 
The communication contains nonbinding measures designed to facilitate the implementation of EPCIP, and includes an EPCIP Action Plan. It discusses the general policy framework of EPCIP (including CIWIN, the work-streams to develop the programme, sectoral interdependencies, annual work planning, and the residual work on National Critical Infrastructure), and the directive defines the approach for the designation of critical infrastructure of a European dimension (that is, ECI). In parallel to this development, other Directorate Generals of the Commission began working on policies for the protection of the infrastructures under their remit. While EPCIP is intended to provide an overall framework for action, the specific discussions on policy measures and on how to coordinate the protection are done on a sector-by-sector basis. DG Energy and Transport (TREN) worked with national authorities and regulators, infrastructure operators and experts, in the definition of an approach for the infrastructures in its field of reference. This resulted in the adoption of the “Communication on Protecting Europe’s Critical Energy and Transport Infrastructure” in February 2007 [9]. This is the first sector-level initiative in the framework of the EPCIP programme. The main content of the communication—which due to the sensitivity of some of the subjects discussed has been defined as restricted, meaning that it is not available to the general public—is composed of criteria for the identification of ECI in each energy and transport sector. The communication does not contain any proposals for legislative measures, but legislation remains one of the options for subsequent work. In 2006, the EC Directorate General Information Society and Media (DG INFSO), presented a proposal of a structured process of consultation and dialogue on network and information security to be established with relevant stakeholders, including public administrations, the private sector, and individual users. 
The Commission adopted the communication “Dialogue, partnership and empowerment” on 31 May 2006, creating a strategy for a Secure Information Society [7]. This strategy is partially dedicated to aspects of the Critical Information Infrastructure (CII), and recognizes that both the public and the private sector have pivotal roles to play. It aims to provide a basis for responding to the major challenge faced by Europe in that field, namely:
• raising awareness on the security risks;
• establishing a culture of security in which security is seen as a business value and an opportunity rather than as a liability and an additional cost;
• fostering an appropriate framework of conditions for interoperable, open, and diverse solutions provided by a competitive, innovative European industry.
The strategy recognizes that there is an increased connectivity between information and communication networks and other critical infrastructures (like transport and energy). The proposal is to develop a sector-specific policy for the information and communications sector, examining via a multi-stakeholder dialogue the relevant economic, business, and societal drivers with a view to enhancing the security and resilience of the information infrastructure. Any review of the regulatory framework for electronic communications will have to consider elements to improve network and information security. These should include both technical and organizational measures by service providers, provisions dealing with the notification of security breaches, and specific remedies and penalties regarding breaches of obligations. But although legal norms might help in fostering the creation of markets for security products and services, it is obvious that those products and services will be born out of the interaction between the operators of critical infrastructures and the suppliers of technology. On the other hand, national governments need to put into practice best practices and be secure from the information and network point of view. A key point here is the communication and sharing of information on threats, risks, and alerts, but the global dimension of network and information security cannot be ignored. Europe needs to take into account the international level when coordinating and promoting cooperation on network and information security (e.g. implementing the agenda adopted at the World Summit on the Information Society, WSIS, in November 2005).
Finally, in December 2008, an agreement on the definition of ECI was reached. It has been defined as critical infrastructure located in member states of the European Union, the disruption or destruction of which would have a significant impact on at least two member states [2].
The identification of the ECI is the responsibility of each country, although the European Commission may, on a collaborative basis, “draw the attention of the relevant Member States to the existence of potential critical infrastructures which may be deemed to satisfy the requirements for designation as an ECI” [2]. The EU Directive on Critical Infrastructures defined a first period of two years in which the EU countries are obliged to identify and designate critical infrastructures in the following sectors: energy (oil, gas, and electric power), and transport (including road transport, rail transport, air transport, inland waterways transport, ocean and short-sea shipping, and ports). The oil sector includes oil production, refining, treatment, storage, and transmission by pipelines. Similarly, the gas sector includes gas production, refining, treatment, storage, and transmission by pipelines, as well as liquefied natural gas (LNG)
terminals. The electricity sector includes infrastructures and facilities for generation and transmission. The identification of ECI will be based on an assessment of the significance of the impact of their potential loss, evaluated according to the so-called “cross-cutting” criteria. This includes effects resulting from cross-sector dependencies on other types of infrastructure, and comprises the following: (i) potential casualties; (ii) economic effects (significance of economic loss and/or degradation of products or services, including potential environmental effects); and (iii) public effects (impact on public confidence, physical suffering, and disruption of daily life including the loss of essential services). In the field of CII, a new European policy initiative was presented [10] in early 2009. This initiative complements EPCIP since it deals with the ICT aspects. The initiative proposes actions that supplement other existing measures (e.g. judicial cooperation for dealing with cyber crime and terrorism targeting CIIs). This policy is based on the recognition that, with due respect for national autonomy, there is an urgent need to integrate the collaboration of all interested stakeholders as CII is essentially international in nature. Five streams of action have been identified.
• Preparedness and prevention. This requires the collaboration of Computer Emergency Response Teams. It is proposed that a European Public-Private Partnership for Resilience and a European Forum of Member States be created, to share information and good policy and operational practices.
• Detection and response. It is recognized that the need for early warning mechanisms can result in the establishment of a European Information Sharing and Alert System. This should provide services to citizens and Small and Medium Enterprises (SMEs), taking advantage of national and private sector information systems.
• Mitigation and recovery. The setting up of national contingency plans will be encouraged along with the organization of regular exercises for large-scale network security incident response and disaster recovery. This is seen as the basis for the need for pan-European coordination.
• International and EU-wide cooperation. This is required for agreeing on EU priorities for long-term goals (e.g. regarding the resilience and stability of the Internet), establishing common guidelines where needed, and promoting principles and guidelines at the global level.
• Criteria for the ICT sector. In the context of EPCIP, these criteria will support the EU countries in the identification and designation of ECI regarding the ICT sector.
3 EUROPEAN CRITICAL INFRASTRUCTURES: CHALLENGES AND PRINCIPLES
The European Programme on CIP aims to identify and characterize ECI and also to define a common framework for managing and governing risks. For this reason, a key element is the ability to determine which systems could be of relevance to more than one country, and then to establish how it would be possible to deal with those events in terms of prevention and reaction to hazards. This relationship between national and European approaches has to be flexible enough to take into account their complementarity. The respect for national jurisdiction has to be accompanied by the examination of potentially
harmonized approaches and similar levels of protection for infrastructures crossing borders or having a potential impact on other countries. In addition, any legal framework for enhancing security should be compatible with competition rules and the internal market. This indicates the many prerequisites that should be considered by Europe while setting up EPCIP, viz. national and local jurisdictions, sectoral industrial policies, fair competition, law enforcement requirements concerning malicious acts, civil protection and emergency management, and last but not least, national security. To meet all these objectives, the EPCIP proposal identified both binding and nonbinding measures to be adopted by the Member States. The nonbinding measures are indicative of good practices that are advisable: (i) participation in CIP expert groups at EU level, (ii) use of a CIP information-sharing process, (iii) identification and analysis of interdependencies, (iv) elaboration of national CIP programmes, and (v) identification of national critical infrastructure. The EPCIP binding measures aim at fostering a harmonious collaboration among the different countries and infrastructure actors. The proposed ones are (i) nomination of CIP contact points, (ii) identification and designation of ECI, (iii) conducting threat and risk assessments for ECI, and (iv) elaboration of Operator Security Plans and the designation of Security Liaison Officers. In addition, the proposal of the directive presents several principles that summarize the approach that the Commission proposes for the implementation of EPCIP. They are as follows:
• Subsidiarity. Efforts in the CIP field should focus on ECI, and not on the ones falling under national or regional jurisdiction.
• Complementarity. Efforts should not be duplicated, and should be developed where they have proven to be effective, complementing and building on existing sectoral measures.
• Confidentiality. CIP data is sensitive and should be classified in an appropriate way, with access granted only on a need-to-know basis.
• Stakeholder cooperation. All relevant stakeholders should be involved: owners or operators of critical infrastructures, public authorities, and other relevant bodies.
• Proportionality. Only relevant measures should be proposed for satisfying specific needs, proportionate to the level of risk and type of threat involved.
• Sector-by-sector approach. A list of CIP will be agreed upon, and then concrete actions will be developed.
4 CRITICAL ELECTRICITY INFRASTRUCTURE: THE EVOLUTION OF THE RISK
Europe witnessed in the last few years a number of significant power contingencies. Some of them revealed the potentiality for a vast impact on the welfare of society, and triggered off pressing questions on the nature and reliability of electric power systems. Society has incorporated electricity as an intrinsic component, indispensable for achieving the expected level of quality of life. Therefore, any impingement on the continuity and properties of the electricity service would be able to distress society as a whole, affecting individuals, social and economic activities, other infrastructures, and essential government
functions [11]. It would be possible to hypothesize that in extreme situations this could even upset national security. The blackouts and near-misses that happened in the last few years illustrate several notable lessons that have to be carefully taken into consideration:
• There are hints of some inadequacy. Heavy workloads and limited reserve generation capacities make systems vulnerable to widespread disruptions. Protection systems have been found to play a key role in the majority of catastrophic failures. Power systems have not been designed to cope with the concurrent outage of two or more critical components.
• Incidents were aggravated by other factors. These include the lack of timely comprehension by control-room operators of potentially far-reaching failures and short-term emergency requirements.
• The recent liberalization of the European electricity market. This has led to increased cross-border trade for which power systems were not originally designed.
• European TSOs. Transmission System Operators, which only recently have developed a more system-of-systems-wide monitoring capability, have no or limited influence on international power trading and the resulting power flows, and therefore confront more and more unanticipated congestions on the tie-lines.
During the last decade, Europe has developed a comprehensive energy supply policy unbundling the previous monopolies and opening the generation and distribution markets [12]. This policy has deeply changed the business and regulatory landscape of the electric power infrastructure. From the consumer point of view, the effects have been positive: there are more potential suppliers, and prices follow market rules. The immediate economic effects of the new policy have not been accompanied by changes in the underpinning physical systems, whose evolution demands at least medium-term investments and planning. For the time being, the power infrastructure has shown an appropriate reliability level, but new threats can be foreseen on the horizon. Some of these threats are internal to the infrastructure, mainly due to the increasing complexity of many technical and market elements; some of them are external, for instance, the menace of terrorism.
Therefore the security of the evolving European electric power infrastructure deserves a cautious and thorough consideration. A comparative analysis of policy and regulation in Western Europe has been provided earlier in Midttun [13]. Electricity is a common good, central to the security and welfare of almost half a billion people, and the stability and future economic development of more than 30 countries. For this reason, although local contingencies can be tolerated up to a given degree, if the power system appears unreliable at the continental level, this will become a matter of major concern. Europe cannot afford systematic failures of its power infrastructure that could eventually lead to the weakening of the citizens’ trust in societal institutions. The various national European electricity systems, after the transformation experienced in the last few years, now form part of a unique and integrated European Critical Electricity System-of-Systems (ECESoS). This situation results from an evolution spanning decades and is determined by two main driving forces, namely, market liberalization at the continental scale, and the high degree of interconnection among regional systems [14]. This has been made possible by the pervasive incorporation of ICT.
[Figure 1 diagram: interconnected national electric power systems, each comprising generation, distribution, TSO, market actors, and power exchange, linked by power lines and data lines to form the European critical electricity infrastructure.]
FIGURE 1 The ECESoS concept.
This complex system is a socio-technical artifact, and tends to function as a single entity, although it includes several jurisdictions, operators, and markets. It is derived from the interconnection of national and regional systems, but at the same time it behaves as a single, compound SoS. It is decentralized; still, disturbances can propagate through all of it and risks have to be coped with in a coordinated way. The passage from a set of electricity systems to the ECESoS is not just a question of more elements or actors; it represents a qualitative leap. ECESoS, an infrastructural SoS, is intrinsically different from a set of weakly connected power systems where energy flows among different systems are marginal. The materialization of ECESoS presents clear advantages, but also brings about vulnerabilities which may threaten its serviceability. The fact that these shortcomings exceed the province of individual parties means that there is a need for new, effective instruments for managing risks. Figure 1 outlines this evolution of national electricity power systems (EPS) being embedded into ECESoS. This paper outlines the implications of this development, and studies the positive and negative effects of the extensive interconnectedness and digitalization (i.e. the ubiquitous application of ICT).
5 TRENDS AND DRIVING FORCES
The liberalization of the European electricity sector has replaced centralized control by regional monopolies with a complex, decentralized market structure, in which many different agents control each part of a technically highly integrated ECESoS infrastructure. The distribution of the many functions in the electricity supply industry among numerous different actors and their coordination through national market mechanisms and grid codes has greatly increased the management complexity of the sector. This de facto decentralized control can work appropriately in the long term only if all the different agents in the system experience the correct incentives and comply with compatible rules throughout the European infrastructure. Technical reliability, which used to be the goal for gauging the performance of electric power systems, is not enough for the ECESoS reality. Many other factors including environmental compatibility, market practicality, and national security have to be included in the decision-making process.
[Figure 2 diagram: generators, transmission network, distribution network, and load; integrated utility company, distribution companies, and consumers.]
FIGURE 2 The organizational structure of the electricity system before liberalization.
These factors can be structured in five ranked layers (where the upper one comprises the lower ones): security, sustainability, economic efficiency, reliability, and technical performance. Security can be used as the overarching concept that includes all the other objectives. With respect to this notion of security, all stakeholders need to have a common understanding of the overall system goals and be willing to work toward them, both during normal operation and in case of contingencies. If not, the pursuit of their own private ends, although legitimate, may be in conflict with public objectives such as availability and affordability. Whereas the regional monopolies of the past required only a relatively simple regulation of their performance and tariffs, the complex decentralized system that is the result of liberalization requires careful crafting of its institutional structure to ensure that the multiple, and sometimes conflicting, public goals are met (Fig. 2). Figures 2 and 3 illustrate the organizational changes that liberalization has brought about. Figure 2 shows, schematically, the structure of a regional monopoly: nearly all functions are performed by the same agent, the electricity utility company. Often, distribution and end user supply were managed by separate companies, but these were again regional monopolies. Figure 3 shows a simple model of a liberalized electricity system. The figure shows the different groups of actors who together control the physical system. In Europe, many of these electricity systems are interconnected with each other. The operation is coordinated in several regional blocks (e.g. UCTE or the Union for the Coordination of Transmission of Electricity, Nordel, UK), whose composition leads to ECESoS. A second trend, which already existed prior to liberalization but was further stimulated by it, is the internationalization (i.e. interconnection among national grids) of the electricity system.
The operation of the vast European power network is complicated by the many different jurisdictions that exist. At a technical level, the TSOs cooperate with each other. At the economic level, large differences continue to exist between the markets in different countries. In order to create an internationally level playing field, the economic conditions such as transmission tariffs and network access rules in different countries should be aligned. In practice, however, different countries liberalize at different speeds and implement different models, not always considering the global consequences of local measures. In addition, the changes in environmental standards, taxes, and subsidies should also be considered. The complexity that results from the combination of the liberalization and the internationalization of the ECESoS poses a threat to the reliability of electricity services.
[Figure 3 diagram: a physical subsystem (generators, transmission network, distribution network, load) and an economic subsystem (producers, power exchange, bilateral market, balancing market, retail companies, large consumers, small consumers), together with the TSO (system operator, transmission network managers, interconnector congestion management) and the distribution network managers.]
FIGURE 3 The organizational structure of a liberalized electricity system (decentralized model).
A clear case is given by the difficulties faced in the coordination of the responses to contingencies spread over a wide area. The multitude of industrial actors and the many countries involved also complicate the achievement of a balanced development of the system in the long term, which in turn may give rise to more contingencies. The liberalization and the internationalization of the power systems and the facilitation of international trading have also resulted in the adjustment of the association and cooperation among the operators of the power infrastructure. Partly as recognition of the continental reach of the power infrastructure, and partly due to the European policy initiatives toward the integration of cross-border collaboration, on 19 December 2008, 42 European TSOs from 34 European countries created a new association: the European Network of Transmission System Operators for Electricity (ENTSO-E). The declared objective is to contribute to the reliable and efficient management of pan-European and regional markets. A third trend, which we will call evolutionary unsuitability, is caused by the fact that electricity transmission networks are increasingly being used in ways for which they were not initially designed. Electricity systems are not just operated under high stress conditions, but also beyond the limits of their original design. The increasing development of wind power is already leading to stability problems in certain areas. The changes in the electric output of wind parks lead to fast and significant changes in the way the electricity network is used, but the network was not designed for such rapid operational changes. Distributed generation, which means the generation of electricity (and often also heat) in small units close to consumers, may also change the way the networks are used. Whereas large-scale wind energy mainly impacts the transmission networks, distributed generation would change the nature of distribution networks.
This trend is unavoidable in an ECESoS scenario. It is impossible to foresee the many uses that the infrastructure
will be subjected to. This will require a new approach to the engineering, deployment, and operation of the infrastructure including several non-engineering aspects. It is a “Science and Art” issue that requires continuous collective learning in the production and management of complex systems. A fourth significant trend is the wide-scale application of ICT in electricity systems from the level of individual switches up to the operational control of entire electricity networks, and from customer databases to automated spot markets. While the use of ICT provides many opportunities, the large increase in connected devices and information flows also increases the vulnerability of the ECESoS to both failures of the information infrastructure and deliberate harm through the use of it. Therefore there is a double effect: on the one hand there is an increase in the functional capabilities due to the availability of information; but on the other there is a greater exposure of the system to cyber threats. All stakeholders have access, in one way or another, to the information components of the infrastructure; therefore it is more difficult to prevent access to illegitimate intruders (Table 1). This amalgamation of electric power systems and ICT produces a new construct, “Electricity plus Information” (or E+I). The ECESoS is connatural to this E+I paradigm; it is immersed into a reality where all electricity functions (i.e. production, trading, transmission, distribution, billing, customer interaction, etc.) are dependent on information. Electricity (the physical dimension of the infrastructural services) coexists with data (the digital dimension of the same infrastructural services). The first dimension is composed of tangible assets: generators, transmission lines, transformers, control and protection equipment, etc., that are the traditional objects for the valuation of the power business.
The second dimension corresponds to intangibles: knowledge, transaction relationships, customer information, contracts, consumption profiles, security culture, etc. Currently, the perceived value of intangibles is overtaking that of tangibles. This happens in a continuous process that transforms the electric power infrastructure, driving the formation and establishment of the E+I paradigm (Fig. 4). E+I is an ongoing process, with the power industry continuously incorporating ICT for the sake of improving the operations, functions, and protection of the power systems, as well as integrating engineering and business functions for linking with other technical and market operators. We can talk of the digitization of the power infrastructure. And looking into the future, we can only predict a more intense use of ICT, driven by the shift toward smart grids, distributed generation, diversity of energy sources, and further integration of the infrastructure with neighboring regions (e.g. North Africa, Russia, and Middle East). When assessing security, this E+I reality cannot be ignored. This affects which vulnerabilities and threats have to be taken into consideration, which measures can be taken for solving the problems, and also how the governance of risk can be implemented. The wealth of information and the easy access to data sources have to be factored in when designing the risk governance process [4].
6 THREATS AND VULNERABILITIES
The transformation of the electric power infrastructure driven by those trends indubitably bears favorable effects (e.g. diminishing prices for consumers, more competitive markets inducing innovative behaviors, alternative sources of electric power supply), but it might
TABLE 1 Sequence of Events: Italian Blackout
Importance of Risk Awareness and Crisis Management: the Italian Blackout (A Short Description)
Sequence of Events (September 28, 2003)
• 3:00 Italy imports 6.9 GW, 25% of the country’s total load, 300 MW more than scheduled
• 3:01 Trip of the 380-kV line Mettlen–Lavorgo caused by tree flash-over (no adequate tree cutting); overload of the adjacent 380-kV line Sils–Soazza
• 3:11 ETRANS (CH) informs GRTN (I): Request by phone to reduce the import by 300 MW (not enough), GRTN responded within 10 min
• 3:25 Trip of the Sils–Soazza line due to tree flash-over (at 110% of its nominal capacity); Italian grid loses its synchronism with the UCTE grid; almost simultaneous tripping of all the remaining connecting lines
• 3:27 Breakdown of the Italian system, which was not able to operate separately
• 21:40 Restoration of the Italian system complete
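[Figure 4 diagram: timeline of the relationship between electricity (E) and information (I), with stages marked 1950's, 1970's, 1990's, and 2010's; labels include analog electronics, IT support, association, ICT, E&I blending, and E+I digitalization.]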
FIGURE 4 The evolution of the E + I paradigm.
also generate negative conditions for the overall security of the infrastructure. These situations that are prone to risks are related to many facets of the infrastructure such as the organization of the power market, the regulation of the interconnections to the power grid, its topology, and the technological solutions applied. In addition, it is necessary to consider the perception and reaction of society to those risks. The liberalization of power markets has fragmented investment decisions among many industrial players (mainly on the generation side). The relatively long time required for developing new installations causes uncertainties about whether the combination of individual decisions will guarantee the security and adequacy of the infrastructure.
This situation can be complicated by the dependence of investments on environmental considerations, fuel prices, and fuel availability. A key fact is that the growth of transmission capacity, and in some places of generation, falls very far behind the growth in consumption. The main constraint on the creation of new power lines and generation plants is the difficulty in obtaining the necessary permits, mainly related to environmental considerations, while the fuel aspects are obviously determined by geopolitical circumstances. Markets entail the danger that all new power plants will make use of the same cheapest (available) fuel, and the transition to liberalized markets has brought additional uncertainties provoked by changes in the regulatory frameworks. The central question is whether competitive markets, even in a stable phase after liberalization, provide adequate and timely investment incentives. The new regulation of power systems in Europe has a strong focus on costs. Nevertheless, it is not clear if the reduction of costs can be balanced with the need to maintain security and expand the power grid in a timely and economically efficient manner. A key point is that different European countries have liberalized at different speeds and implemented different market models. This creates a significant risk of market distortions, which is further aggravated by the complexity of the institutional design. Electricity generation has seen the development of power based on renewables. These are placed where the resources are available, not where the consumption exists. As a result, power transmission networks and international interconnectors are used in ways for which they were not designed, and their control and protection systems are put under stress. These changes in power markets and in power generation and transmission are accompanied by a pervasive use of ICT.
This has had a beneficial effect on the operation of power systems, and the integration of the industrial and business information systems within and between companies. But it has opened up opportunities for new types of system failures, of both accidental and malicious origins. First of all, information security was never a concern for industrial systems, and therefore there is a lack of proper security-related standards and specific security technologies. Only in the very last years, with the awareness that interconnected information systems were open to electronic attacks, have standardization bodies (e.g. IEC, IEEE, NERC) begun to work on appropriate security norms. However, technologies change rapidly and the application of standards necessitates time. This opens a window of opportunity for these kinds of newly emerging risks. The power grid is exposed to accidental failures and natural hazards similar to the ones endured in the past. The question is whether the new structure with multiple operators is as resilient as the more centralized one in the past. The complexity of the European power network topology creates the possibility of failures that escalate from local problems to broad disturbances, and that propagate throughout the system, potentially leading to cascading blackouts across international borders. This requires well-orchestrated protection, and the coordination of restoring services in case of widespread contingencies. As a matter of fact, many of the existing control and protection strategies and contingency defence plans are outdated because they were developed at a time when international flows were smaller, generation was dispatched by the system operator, and the use of ICT was much more limited. Much attention is currently given to the risk of terrorist attacks. The likelihood is difficult to estimate, but it would require a sophisticated, well-coordinated attack to bring a large part of the European power system down.
Failure of individual power plants or
power lines is a contingency that the system is designed to withstand, but a complete assessment, considering the interdependencies with other infrastructures, has not been performed yet.
7 NEEDS: RISK GOVERNANCE, SCIENCE AND TECHNOLOGY
The European electric power industry has been evolving rapidly in the last decade. The Electricity Directive 96/92/EC adopted in 1996 set common rules for the EU internal electricity market. It established the basis for the opening of the national markets, for the unbundling of the vertically integrated electricity companies, and in general for the organization of the generation, transmission, and distribution business. As a means for establishing communication between the stakeholders, electric power systems, and the policy decision-makers, a forum was organized to discuss the regulatory process and the formation of the European internal electricity market. It was set up and organized by the European Commission. The first meeting was held in 1988, and it is commonly known as the Florence Forum. Its objective is to provide a neutral and informal framework for discussions concerning the implementation of the Electricity Directives. The normative context was complete in 2003 with the new Electricity Directive n. 54 [15], complemented by the Regulation 1228 on cross-border trade [16]. This directive aims at establishing (at the latest by July 2007), an open European market for electricity where consumers will be free to shop around across borders. At the same time, a set of regulators have been instituted in all countries for ensuring the correct operation of the market and the regularity of the public services of the electricity supply. The fundamental issue of this policy initiative has been the institution of the European internal market for electricity, and it is possible to say that up to now it has been successful and beneficial for the European citizen. Nevertheless, risk and security (in the broad sense employed in this White Book) have not been considered main concerns. Security of supply is mentioned as one of the public service attributes to be guaranteed [17].
Specifically it is said that the goal is to achieve a “competitive, secure, and environmentally sustainable market in electricity” (Article 3) [17]. Some issues mentioned in the directive are market mechanisms for ensuring sufficient electricity generation, long-term planning, the need to monitor the balance between supply and demand, and topics left to the responsibility of each country. But no provision has been made for coping with the systemic risks that affect the European infrastructure as a whole. Therefore it is possible to discern a mismatch between the policy goal of developing a secure market, and the lack of dedicated mechanisms for dealing with risks that might rise beyond the control of the single power company and the single country. Would current instruments be effective for dealing with systemic risks affecting the infrastructure? The only group that brings together all stakeholders (industry, regulators, policy decision-makers, consumers) is the Florence Forum. Could it be used to take care of the infrastructure risks? The answer is negative, considering its current structure and working style. It is not a decision-oriented organization, and it is oriented toward informal debates. However, on the other hand, traditional methods of risk management (applied for instance by electric power companies) do not suffice for coping with the new challenges faced by the electricity infrastructure in its entirety. This paper analyzes these changes and proposes a new way for society to handle them: risk governance. On a parallel line
of work, in relation to CII (), one can consult “Policymaking for Critical Infrastructure. A Case Study on Strategic Interventions in Public Safety Telecommunications”, by Gow [18]. While the regional monopolies of the past were well-equipped to handle most challenges to the system, individually or in cooperation with each other, the scale and geographical scope of the potential security risks requires decision-making at many different levels: by international bodies such as the EU and associations of TSOs, at the national level by governments and regulators, at the company level by generation companies, network companies, system operators etc., and finally, perhaps also by the end users themselves. As both the causes of the risks and the possible strategies for handling them often involve many different parties, this paper proposes an approach of risk governance to arrive at joint solutions amongst all the involved stakeholders in addition to the management of risks by individual parties. The need for a new approach is partly due to the nature of the new risks, which range from terrorism and cyber attacks to international cascading blackouts, and partly due to the transformation of the national electricity systems into a continental infrastructure. In addition, the changing nature of the European electricity markets creates new vulnerabilities that need to be addressed. Liberalization has distributed control over the system among many more parties than used to be the case before, whereas the response to a contingency requires fast, coordinated actions. The increasing internationalization of the sector poses an additional challenge to contingency management across borders. In the near future, the European electricity infrastructure will be interconnected with North Africa, the Middle East, the whole Balkans, and substantial parts of Eastern Europe and Central Asia (from Lisbon to Vladivostok, and from the Arctic Circle to the Maghreb). 
Not least, the ubiquitous application of ICT in every part of the sector creates many new opportunities but also incorporates new vulnerabilities. Past methods of managing risk in the electricity industry are no longer adequate in the realities of the current ECESoS scenario. This is partly due to the emergence of new risks and also due to the restructuring of the electricity industry. In the past, utility companies with a regional monopoly could be held responsible for virtually every aspect of the delivery of electricity. Electric utilities managed technical risks as well as environmental and health risks, and it was common practice to apply cost-benefit analysis in order to fulfill primarily the shareholders’ concerns. This can have trans-European impacts. The consequence of the current decentralized nature of liberalized electricity systems is that individual actors cannot be held responsible for the way the system as a whole functions. This means that, more than in the past, issues such as reliability and resilience need to be addressed at the level of the whole system. This requires a new approach, which is risk governance, in addition to the risk management actions which were, and still need to be, performed by the individual power companies. Risk governance admits the existence of multiple stakeholders, with their individual interests and viewpoints, in parallel with overall objectives (related to society as a whole). The decision-making process in general, and specifically that which is related to risks, has to take into consideration all these aspects. The diversity of objectives and actors has to be structured as a multi-criteria problem. In a liberalized system, all these parties need to work together with each other, as well as with parties who do not directly influence the physical system such as traders, brokers, power exchanges, and retail companies.
Through the risk governance process, the different affected actors (should) cooperate to handle risks that exceed the boundaries of
their own risk management processes. Risks that are (or should be) the subject of the risk governance processes are either risks that involve multiple actors or risks that originate outside the control of the involved actors. Which issues should be dealt with through the risk governance process and which ones through the risk management process? If the solution is within the risk management loop, there is no need for governance of the issue. However, if the solution is beyond the powers of the actor who is affected, there is a need for risk governance.
8 CONCLUDING REMARKS: INTERDISCIPLINARY AND INTERNATIONAL DIMENSIONS
In the following we would like to summarize the main inferences drawn from the preceding discussions:
• European society is witnessing the advent of ECESoS, a new kind of human construct of great technical and organizational complexity, which—for technical and political reasons—is managed on a piecemeal basis by tens of entities. It is subject to risks that are critical for society. Those risks are of a very varied nature, and have to be counteracted with a proper approach which will inevitably be based on parallel assessments and decisions by many actors.
• The ECESoS is evolving into an “Electricity plus Information” (E+I) infrastructure. The operation of the power systems, the functioning of the markets, the links between industry, regulators, and users all are information-based. The efficiency of the system, the management of the security, the adequacy, and the market all are E+I matters. So, the electric service is now an E+I compound product.
• The new risk landscape faced by ECESoS can be deconstructed into three layers:
  ◦ Technical layer. Risks are caused by technical deficiencies (including failure of components, human errors, and engineering flaws). Solutions are mainly technical in nature (e.g. strict application of information and communication security measures, proper training of operators, review of protection mechanisms). Some problems can be addressed by single actors, or by the joint effort of a limited group of them.
  ◦ System layer. Risks are caused by the interaction of several technical, organizational and market factors, with effects that are not always predictable (e.g. the discrepancy between electricity flows demanded by the market, and the available capacity of transmission lines). Solutions have to unavoidably combine different aspects (e.g. technical, financial) and actors, at times crossing national boundaries.
  ◦ Societal layer. Risks have a society-wide resonance, potentially affecting the proper performance of a whole community, its security and survivability. Due to the interconnectedness of ECESoS, these situations are transboundary by nature. Solutions have to address the infrastructure as a whole. This complexity calls for a European approach to risk governance.
• Most importantly, the central focus of the debate should consider the assessment and management processes related to the risk affecting the ECESoS as a whole:
  ◦ ECESoS’s emerging risks that are of relevance across Europe, have to be governed by means of a decision-making process tailored to its specific needs and
requirements. Key features to be considered are the multiplicity of stakeholders, the emergent security attributes of the infrastructure, and the dynamic nature of the system.
  ◦ In order to be successful, the risk governance of ECESoS needs to take into account all risk factors and all threats that cannot be dealt with adequately by individual actors’ risk management processes. Risk governance should treat them in a comprehensive and systematic way: for example, bearing in mind power system dynamics, market incentives, ICT, and potential malicious attacks.
  ◦ Risk governance implies the involvement of all stakeholders, and clear rules for the deliberation and development of decisions. In Europe, due to the international nature of the problem, this situation will require the participation of national authorities, all businesses associated with the electric power infrastructure, international organizations, the European Union, and not least the end users.
  ◦ Risk governance is a new discipline, and more research is urgently needed to develop it. However, this should not discourage the application of current solutions to pressing problems such as those presented by ECESoS, because other alternatives are clearly less adequate.
  ◦ Risk governance needs to be supported by proper tools. The deployment of a risk governance process for the electric power infrastructure will require the utilization of advanced instruments (most likely based on digital platforms). These instruments should provide capabilities such as risk-related modeling, simulation, assessment, strategic gaming, metrics and visualization.
Implementing such a risk governance process for the ECESoS will require appropriate institutional settings. If nobody will be in charge of the problem, this can lead to two possible alternatives: (a) the modification of the mission statements of current organizations of the power sector in Europe; (b) the institution of a new organization with the specific purpose of governing the risks of ECESoS. In the first case, the many political and industrial actors concerned with the problem will have to reflect upon the convenience of modifying the status of entities created for other purposes. In the case of similar initiatives in the USA, the certification of the North American Electric Reliability Corporation as the “Electric Reliability Organisation” with the power of U.S. Energy Policy Act [19] followed the long-term involvement of that organization with the security and adequacy of the power infrastructure. Europe does not have such an existing entity. Without trying to mimic that approach, there are some lessons worth considering: the potential effectiveness of self-regulation with a direct involvement of the operators of the power system, and the convenience in developing standards and guidance for security and reliability as a means for disseminating awareness and good practices, and promoting a common reference baseline. The second line, that is creating a new entity for the governance of risks in the ECESoS, will require new legislative instruments. We can foresee that this road will not be straightforward, and we recognize that it is not considered a priority under the current political conditions. The focus of the attention is justifiably set on issues such
as emissions, renewable sources, and the consolidation of ownership, unbundling of the power infrastructure and the electric power markets. After the Third Energy Package issued in September 2007, no new initiatives are expected in the next few years unless a major event, such as a significant blackout, proves the insufficiency of the current approaches. With risk governance of the power infrastructure in Europe remaining an open issue, many questions still await satisfactory answers:
• Will the sum of the individual risk management measures by each operator of the ECESoS suffice to assure the reliability and security of the whole infrastructure?
• Is there a need for common standards? And in that case, is there a need for monitoring and enforcing compliance? Compliance can be guaranteed by a set of different mechanisms: peer pressure, penalties, economic incentives, etc. The verification of capabilities can be linked to certification, auditing, and other qualification procedures. Who will decide this?
• While facing systemic risks, which are the appropriate joint capabilities and how can they be developed?
A typical attribute of risk is that it is made fully apparent only with the occurrence of detrimental events which could even degenerate into disasters with catastrophic consequences. Then not only is it too late for any risk management action, but infrastructure and society might suffer serious negative consequences for years. In this respect, Europe still needs to develop a comprehensive strategy.
REFERENCES
1. Gheorghe, A. V., Masera, M., Weijnen, M., and De Vries, L. J. (2006). Critical Infrastructures at Risk: Securing the European Electric Power System. Springer, Dordrecht.
2. Council (2008). Council Directive, 2008/114/EC, European Commission, December 8, 2008.
3. Council (2004a). 10679/2/04 Rev. 2, No. 19.
4. European Commission (2004a). Communication from the Commission to the Council and the European Parliament, Critical Infrastructure Protection in the Fight Against Terrorism, Brussels, October 20, 2004, COM/2004/702 final.
5. Council (2004b). Conclusions on “Prevention, Preparedness and Response to Terrorist Attacks” and the “EU Solidarity Programme on the Consequences of Terrorist Threats and Attacks”, Adopted on December 2, 2004.
6. European Commission (2005). Green Paper on a European Programme for Critical Infrastructure Protection, Presented by the Commission on November 17, 2005, COM/2005/576 final.
7. European Commission (2006a). Communication from the Commission to the Council, the European Parliament, the European Economic and Social committee and the Committee of the Regions - A Strategy for a Secure Information Society - “Dialogue, Partnership and Empowerment”, Presented by the Commission on June 2, 2006.
8. European Commission (2006b). Proposal for a Directive of the Council on the Identification and Designation of European Critical Infrastructure and the Assessment of the Need to Improve their Protection, Presented by the Commission on December 12, 2006, COM/2006/787 final.
9. European Commission (2007). Communication on Protecting Europe’s Critical Energy and Transport Infrastructure, Adopted by the Commission on February 2, 2007 (restricted).
10. European Commission (2009). Communication “Protecting Europe from Large Scale Cyber-attacks and Disruptions: Enhancing Preparedness, Security and Resilience”, COM/2009/149.
11. Thissen, W. A. H., and Herder, P. M. (2003). Critical Infrastructures. State of the Art in Research and Application. Kluwer Academic, Dordrecht.
12. European Commission (2003b). Directorate-Generale for Energy and Transport, Memo, Energy Infrastructures: Increasing Security of Supply in the Union, December 2003.
13. Midttun, A. (1997). European Electricity Systems in Transition. Elsevier Science, Ltd., Amsterdam, The Netherlands.
14. European Commission (2004b). Directorate-Generale for Energy and Transport, Memo, Towards a Competitive and Regulated European Electricity and Gas Market.
15. European Commission (2003). Directive of the European Parliament and the Council of June 26, 2003 Concerning Common Rules for the Internal Electricity Market; Official Journal L 176, 2003/54/EC, July 15, 2003.
16. European Commission (2003d). Regulation of the European Parliament and the Council of June 26, 2003 Concerning Conditions for Access to the Network for Cross-border Exchange in Electricity, Official Journal L 176, 1228/2003, July 15, 2003.
17. European Commission (2003c). Proposal for a Directive of the European Parliament and the Council Concerning Measures to Safeguard Security of Electricity Supply and Infrastructure Investment, COM/2003/740.
18. Gow, G. A. (2005). Policymaking for Critical Infrastructure. A Case Study on Strategic Interventions in Public Safety Telecommunications. Ashgate Publishing Co, Hampshire.
19. U.S. Energy Policy Act (2005). Public Law 109-58. Available at http://www.gpo.gov/fdsys/pkg/PLAW-109publ58/content-detail.html.
VULNERABILITY ASSESSMENT METHODOLOGIES FOR INTERDEPENDENT SYSTEMS
Wade R. Townsend
U.S. Department of Homeland Security, Washington, D.C.
1 INTRODUCTION
The importance of infrastructure interdependencies was first highlighted at the national level by the President’s Commission on Critical Infrastructure Protection (PCCIP) [1, 2].
The energy sector (both industry and government) was proactive in recognizing the need to include interdependencies into vulnerability assessments and infrastructure analyses. The National Petroleum Council report, Securing Oil and Natural Gas Infrastructures in The New Economy, identified the need to include interdependencies considerations in all aspects [3]. The new business model (e.g. globalization, increasing reliance on other infrastructures) is complex and requires a broad perspective to include interdependencies analyses. The level of dependency among all critical infrastructures continues to rise due to increasing reliance on one another (e.g. information technology, telecommunications, and electric power). An example of increasing dependencies and interdependencies is the Northeast Blackout in 2003. Even though this event began in the electric sector, other infrastructures were quickly impacted. Cleveland, OH, and Detroit, MI, lost pressure in their water systems and had to issue boil water advisories. Both cities rely on electric power to operate their pumps and had inadequate backup power available to continue pump operations, and thus, could not maintain pressure in their water systems. The 2003 power outage also affected the telecommunications network. Although the telephone systems remained operational in most areas, the increased demand caused some switches to reach their capacity, resulting in some blocked calls. Cell phone users also experienced service disruptions because cellular towers generally have only battery banks with limited battery backup. Many other infrastructures, such as wastewater treatment, transportation systems, gasoline distribution including pumps, and heating, ventilation, and air-conditioning (HVAC), and fire suppression systems were also impacted. Widespread infrastructure disruptions stress the need to look at entire systems and not just individual facilities when conducting vulnerability assessments. 
Many infrastructures are designed with operational redundancies so the overall system can withstand the loss of any one asset, but when multiple assets are taken offline, an entire infrastructure service can be disrupted. Hurricanes Katrina and Rita crippled several infrastructures with cascading effects to other regions throughout the country. Natural gas prices throughout the nation were impacted by these hurricanes. Even telecommunications networks hundreds of miles away from the impact areas were affected by the storms. In 1988, in response to the PCCIP findings along with the increasing concerns about vulnerabilities from interdependencies, Department of Energy (DOE), coordinating with industry, developed the Vulnerability and Risk Analysis Program (VRAP). VRAP included the development and implementation of a vulnerability assessment methodology for the energy sector that included interdependencies. Interdependencies considerations are crucial to risk analysis in providing a holistic perspective. Teams of national laboratory experts, led by Argonne National Laboratory and working in partnership with the energy industry, successfully applied the methodology to help organizations in the energy sector to identify and understand the threats and vulnerabilities (physical, cyber, and interdependencies) of their infrastructures. Approximately 75 vulnerability assessments were conducted by DOE from 1997 to 2002. Lessons learned from these assessments, as well as best practice approaches to mitigate vulnerabilities, were documented. Several reports were developed and shared with industry to promote risk analysis. These documents include the following. •
Vulnerability Assessment and Survey Program: Overview of Assessment Methodology [4],
• Energy Infrastructure Risk Management Checklists for Small and Medium Sized Energy Facilities [5],
• Vulnerability Assessment Methodology: Electric Power Infrastructure [6],
• Energy Infrastructure Vulnerability Survey Checklists Template [7], and
• Vulnerability and Risk Analysis Program: Lessons Learned and Best Practices [8].
Some of the lessons learned from these initial vulnerability assessments in regards to interdependencies are provided below.
• Interdependencies among infrastructures must be thoroughly investigated because they can create subtle interactions and feedback mechanisms that often lead to unintended behaviors and consequences. Problems in one infrastructure can cascade to other infrastructures.
• Interdependencies increase the complexity of infrastructures and introduce additional vulnerabilities.
• Interdependencies among infrastructures vary significantly in scale and complexity, and they also typically involve many system components. The process of identifying and analyzing these linkages requires a detailed understanding of how the components of each infrastructure and their associated functions or activities depend on, or are supported by, each of the other infrastructures.
• Contingency and response plans need to be evaluated from an infrastructure interdependencies perspective, and coordination with other infrastructure providers needs to be enhanced.
In March 2003, with the stand up of Department of Homeland Security (DHS), the DOE VRAP was absorbed by DHS/IP, and the core vulnerability assessment methodology (including interdependencies) became the foundation for DHS/IP risk analysis. DHS/IP conducted a survey of existing vulnerability assessment methodologies to identify element areas including interdependencies. This report, Survey of Vulnerability Assessment Methodologies, noted that the interdependencies element area was not considered in most existing government and industrial methodologies [9]. The DHS/IP Site Assistance Visit Program and Buffer Zone Protection Program’s methodologies leveraged the DOE efforts and included the interdependencies element [10, 11]. Other DHS program methodologies (e.g. Risk Analysis and Management for Critical Asset Protection and Comprehensive Reviews) incorporated and refined the interdependencies element area.
For example, Comprehensive Reviews include dependencies between critical facilities within a community with first responders and emergency management entities. GIS technologies bolster the DHS program methodologies and assist assessment teams in identifying infrastructure dependencies and interdependencies (e.g. single point failures and common corridors) [12].
2 PETROLEUM REFINERY INTERDEPENDENCIES
In early 2003, a joint industry/government working group was formed to develop a vulnerability assessment methodology for the oil infrastructure that focused on petroleum refineries and included physical and cyber security along with interdependencies. At the time, several oil industry firms were using the Center for Chemical Process Safety
FIGURE 2 Petroleum fuel cycle. [Diagram, labelled “Petroleum Refinery”, listing assets/facilities and components for each function:]
Function 1 Production. Assets/facilities: oil wells, crude imports, petroleum reserves. Components: drilling rig, rotary equipment, platform.
Function 2 Gathering. Assets/facilities: gathering pipelines, pumping stations. Components: motors, valve, meters, SCADA systems, pipe connections.
Function 3 Processing. Assets/facilities: refineries. Components: marine docks, process controls, pipe stills, catalytic crackers.
Function 4 Transmission. Assets/facilities: crude pipelines, product pipelines, pumping stations. Components: pumps, valves, SCADA systems.
Function 5 Storage. Assets/facilities: petroleum terminals. Components: tanks, booster pumps, fire protection, valves, manifolds.
Function 6 Distribution. Assets/facilities: pipelines, pumping stations, trucks, railroads, water carriers. Components: loading docks, marine docks, rail yards, bridges, tunnels.
and result in a shutdown of the refining process if oil production and processing stages do not replenish the on-site supplies. The downstream petroleum refinery impacts are similar. If the transmission, storage, and distribution stages are nonfunctional, petroleum refineries may shut down. Figures 1 and 2 illustrate the broader perspective that is taken through interdependencies analysis. Figure 3 provides a high-level view of petroleum refinery interdependencies to include suppliers and distributors. Petroleum refinery interdependencies include crude oil that can be delivered by tanker, pipeline, barge, or rail; process chemicals (e.g. hydrogen, alkylation acids, and nitrogen); and other infrastructures (e.g. electric power, natural gas, water, telecommunications, and so on). All of these inputs are required to produce refined petroleum products (e.g. gasoline, heating oil, diesel, and so on) and the resulting complex dependencies and interdependencies. Since petroleum refineries require many inputs and outputs and rely on multiple infrastructures, they provide an excellent representation of interdependency analysis.
FIGURE 3 Petroleum refinery macro illustration of interdependencies. [Diagram: the petroleum refinery with crude oil (tanker, pipeline, barge, rail), process chemicals (hydrogen, nitrogen, alkylation acids), and infrastructures (electric power, natural gas, water, telecommunications) on one side, and refined products (pipeline, tanker, barge, rail, truck) on the other.]
Figures 4 and 5 further break down the petroleum refinery interdependencies model. Figure 4 identifies internal interdependencies (inside the petroleum refinery) and Figure 5
FIGURE 4 Example of petroleum refinery internal interdependency. [Diagram labels: Petroleum Refinery; MIS; DCS; C&I; crude oil; crude distillation; vacuum distillation; delayed coking; lube oil processing; asphalt processing; vis breaking; electric ckt panel; boiler; utility. Legend (line types): steam; fuel; electric; air, CW, H2, water; control/communication line. Abbreviations: C&I, Control & Instrumentation; DCS, Distributed Control System; MIS, Management Information System.]
FIGURE 5 Example of petroleum refinery external interdependency. [Diagram: external infrastructures around the petroleum refinery and what each supports:]
Electric Power: SCADA and emergency shutdown; lighting; motor starters and motors; alarms; UPS; pumps; automatic controllers.
Natural Gas: feedstock for H2 production; boiler operations and heating.
Water: steam, cooling, potable uses.
Process Chemicals.
Telecommunications: automated controls for SCADA; emergency shutdown; overfill protection; automatic activation of fire control equipment; voice intercoms, alarms, signals, telephones, radios.
Transportation: crude oil deliveries and refined product shipments (tanker, pipeline, barge, rail); access for repair; delivery of commodities.
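The dependencies described above (the 2003 blackout cascade into water and telecommunications, and the refinery inputs of Figures 3 and 5) can be analyzed as a graph with backup buffers. The following is an added example, not part of the handbook or of any DHS/DOE methodology: every node name, dependency link, and buffer value is a constructed assumption chosen for illustration. It computes when each service is lost after an initial outage and lists single points of failure for a target facility.

```python
"""Cascade model for infrastructure interdependencies (constructed example)."""
import math

# Each node maps to a list of requirements. A requirement is
# (alternatives, buffer_hours): the node keeps running while ANY alternative
# is up, and for buffer_hours (battery, tank inventory, manual operation)
# after the LAST alternative is lost. All names and hours are constructed.
MODEL = {
    "grid":              [({"telecom"}, 24.0)],     # SCADA link, then manual operation
    "telecom":           [({"grid"}, 8.0)],         # battery banks at switches/towers
    "water":             [({"grid"}, 2.0)],         # electric pumps, little backup
    "natural_gas":       [],
    "process_chemicals": [],
    "crude_supply":      [({"grid"}, 0.0), ({"telecom"}, 4.0)],  # pumping stations, SCADA
    "onsite_generation": [({"natural_gas"}, 0.0)],
    "refinery": [
        ({"grid", "onsite_generation"}, 0.0),        # redundant power sources
        ({"natural_gas"}, 0.0),                      # H2 feedstock, boilers
        ({"water"}, 6.0),                            # steam and cooling reserve
        ({"telecom"}, 4.0),
        ({"crude_supply"}, 72.0),                    # on-site crude inventory
        ({"process_chemicals"}, 48.0),
    ],
}


def failure_times(model, initial_outage):
    """Return (hours_to_failure, cause) per node after an open-ended outage.

    hours_to_failure is math.inf for nodes that keep running. cause names the
    requirement (sorted tuple of alternatives) that brought the node down.
    """
    known = set(model)
    for node, reqs in model.items():
        for alts, buf in reqs:
            if not alts or alts - known or buf < 0:
                raise ValueError(f"invalid requirement for {node!r}: {alts}, {buf}")
    if set(initial_outage) - known:
        raise ValueError("initial outage names an unknown node")

    times = {n: math.inf for n in model}
    cause = {n: None for n in model}
    for n in initial_outage:
        times[n], cause[n] = 0.0, ("initial outage",)

    # Relax until stable. Failure times only ever decrease and buffers are
    # non-negative, so dependency cycles (grid <-> telecom) still terminate.
    changed = True
    while changed:
        changed = False
        for node, reqs in model.items():
            for alts, buf in reqs:
                # The requirement is unmet once every alternative has failed.
                lost_at = max(times[a] for a in alts) + buf
                if lost_at < times[node]:
                    times[node], cause[node] = lost_at, tuple(sorted(alts))
                    changed = True
    return times, cause


def single_points_of_failure(model, target, horizon_hours):
    """Nodes whose loss alone takes `target` down within horizon_hours."""
    hits = []
    for node in model:
        if node == target:
            continue
        times, _ = failure_times(model, {node})
        if times[target] <= horizon_hours:
            hits.append((node, times[target]))
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    times, cause = failure_times(MODEL, {"grid"})
    for node in sorted(times, key=times.get):
        print(f"{node:18s} fails at {times[node]:>5} h  cause={cause[node]}")
    print(single_points_of_failure(MODEL, "refinery", 24.0))
```

In this constructed model the refinery rides through a grid outage on its on-site generation, yet still shuts down when its water reserve runs out, which is the kind of indirect dependency the survey questions are meant to surface.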
TABLE 1 Interdependencies Survey Questions
Checklist Considerations: Interdependencies Survey
(a) Infrastructure Oversight
• Does the facility have a department responsible for overseeing all or most of the infrastructures?
(b) Infrastructure Procedures
• In general, are operating procedures in place for the systems that make up the internal infrastructures and for the physical connections and contracts with the external infrastructures that support them? Describe the extent of these procedures, their format, their availability to relevant staff, and the extent to which they are regularly followed.
• Are contingency procedures in place for the systems that make up the internal infrastructures and for the physical connections and contracts with the external infrastructures that support them? Describe the extent of these procedures, their format, and their availability to relevant staff (Note: contingencies refer to situations brought about by a failure or disruption within an infrastructure or the infrastructures that support it.)
• If they exist, have the contingency procedures been tested and are they exercised regularly either as a part of normal operations or through specially designed drills? Describe the drills and their results.
(c) Electric Power Supply and Distribution
Primary source of electric power
• If the primary source of electric power is a commercial source, are there multiple independent feeds? If so, describe the feeds and their locations. Also specify who controls the termination points of any multiple feeds.
• If the primary source of electric power is a system operated by the facility or asset, what type of system is it?
Electric distribution system
• Are the components of the electric system that are located outside of buildings (such as generators, fuel storage facilities, transformers, and transfer switches) protected from vandalism or accidental damage by fences or barriers? If so, describe the type of protection and level of security it provides.
• Are the various sources of electric power and the components of the internal electric distribution systems such that they may be isolated for maintenance or replacement without affecting the critical functions of the asset/facility? If not, describe the limitations.
• Have any single points of failure been identified for the electrical power supply and distribution system? If so, list them and describe.
Backup electric power systems
• Are there additional emergency sources of electric supply beyond the primary system (such as multiple independent commercial feeds, backup generators, and uninterruptible power supplies [UPSs])? If there are, describe them and who controls them.
Commercial electric power sources
• How many substations feed the area of the asset/facility and the asset/facility itself? That is, is the area supplied by multiple substations? If more than one, which ones have sufficient individual capacities to supply the critical needs of the asset/facility?
Commercial electric power pathways
• Are the power lines into the area of the asset/facility and into the asset/facility itself above ground (on utility poles), buried, or a combination of both? If both, indicate locations of portions above ground.
(d) Petroleum Fuels and Bulk Chemicals Supply and Storage
Uses of petroleum fuels and bulk chemicals
• Are petroleum fuels or bulk chemicals used in normal operations at the asset/facility? If yes, specify the types and uses.
Reception facilities
• How are the various petroleum fuels and bulk chemicals normally delivered to the asset/facility? Indicate the delivery mode and normal frequency of shipments for each fuel type.
Supply contracts
• Are contracts in place for the supply of petroleum fuels and bulk chemicals? Specify the name of the contractors, the types of contracts, the modes of transport (pipeline, rail car, tank truck, etc.), and the frequency of normal shipments.
(e) Natural Gas Supply
Sources of natural gas
• How many city gate stations supply the natural gas distribution system in the area of the asset/facility and the asset/facility itself?
• How many distinct independent transmission pipelines supply the city gate stations? Indicate if an individual gate station is supplied by more than one transmission pipeline and which stations are supplied by independent transmission pipelines.
Natural gas contracts
• Does the asset/facility have a firm delivery contract, an interruptible contract, or a mixed contract with the natural gas distribution company or the transmission companies? Specify the companies involved and specify whether there is a direct physical link (pipeline) to each company.
(f) Telecommunications
Internal telephone system
• What types of telephone systems are used within the asset/facility? Are there multiple independent telephone systems? Specify the types of systems, their uses, and specify whether they are copper-wire or fiber-optic based.
• If there are multiple (from independent systems) or redundant (from built-in backups) switches and cables, are they physically separated and isolated to avoid common causes of failure?
• Are the telephone switches located in limited-access or secured areas away from potential damage due to weather or water leaks? Specify types of protection provided.
Data transfer
If there is a separate system for large volume and high-speed data transfer, are there redundant switches and cables? If yes, describe the situation. If there are redundant switches and cables, are they physically separated and isolated to avoid common causes of failure? Are the data transfer switches located in limited-access or secured areas away from potential damage due to weather or water leaks? Specify the types of protection provided.

Cellular/wireless/satellite systems
Are cellular/wireless/satellite telephones and pagers in widespread use within the asset/facility? If yes, briefly describe their uses.

Intranet and e-mail system
Is the asset’s/facility’s Intranet and e-mail system dependent on the asset’s/facility’s computers and servers or telephone system? If yes, describe the dependence. Are there any critical operational items that require use of the e-mail system or internet?

Redundant access to intranet and e-mail system
Does the asset/facility have a backup or redundant Intranet and e-mail system? If yes, describe the system and the amount of backup it provides. Does an outside contractor maintain the backup? If so, what type of security oversight measures does the contractor have in place?

On-site fixed components of microwave/radio system
Are there multiple or redundant radio communications systems in place within the asset/facility? If yes, specify the types of systems and their uses.

Mobile and remote components of microwave/radio system
Are there mobile components to the radio communications system (such as on vehicles or vessels)? If yes, describe the mobile components. Are the mobile components of the radio communications system protected from vandalism or accidental damage by locked boxes or lockable vehicle cabs? Specify the types of protection and level of security they provide.

Commercial telecommunications’ carriers
Are there multiple telecommunications carriers used by the asset/facility (possibly commercial, contracted, or organization-owned)? List them, specify the service they provide or the type of information carried (such as analog telephone voice and FAX, digital telephone voice, Internet connections, and dedicated data transfer), and the type of media used (copper cable, fiber-optic cable, microwave, and satellite).

Pathways of commercial telecommunications’ cables
Are the telecommunications’ cables into the area of the asset/facility and into the asset/facility itself above ground (on utility poles), buried, or a combination of both? If both, indicate locations of portions above ground.
Are the paths of the telecommunications cables located in areas susceptible to natural or accidental damage (such as overhead cables near highways; cables across bridges, dams, or landslide areas)? If yes, indicate the locations and types of potential disruptions.

Backup communications systems
Are there redundant or backup telephone systems in place if the primary system is disrupted? Specify the extent to which the secondary systems can support the critical functions and activities at the asset/facility.

(g) Transportation

Road and rail access
Are there multiple roadways or rail routes into the area of the asset/facility? Describe the route or routes and indicate any load or throughput limitations with respect to the needs of the asset/facility.

Airports and air routes
Are there multiple airports in the area of the site of sufficient size and with sufficient service to support the critical functions and activities at the asset/facility? Enumerate the airports and indicate any limitations. Are there any regular air routes that pass over or near the asset/facility that could present a danger to the asset/facility if there were some sort of an air disaster? Record any concerns.

Waterway access
Are there multiple water routes to the ports, harbors, or landings used by the asset/facility from the open ocean or major waterway? Describe the route or routes and indicate any load, draft, beam, or throughput limitations with respect to the needs of the organization.

Pipeline access
What materials, feedstocks, or products (such as crude oil, intermediate petroleum products, refined petroleum products, or liquefied petroleum gas) are supplied to or shipped from the asset/facility by way of pipeline transportation? Are there multiple pipelines and pipeline routes into the area of the asset/facility from major interstate transportation pipelines? If yes, indicate which pipelines or combinations of pipelines have sufficient capacity to serve the asset/facility. Are the paths of the pipelines colocated with the rights-of-way of other infrastructures? If yes, indicate how often and where they follow the same rights-of-way and the infrastructures that are colocated. Are the paths of the pipelines located in areas susceptible to natural or accidental damage (such as across bridges or dams, in earthquake or landslide areas)? If yes, indicate the locations and types of potential disruptions. If disruptions due to scheduled maintenance or system modifications occur, how is this communicated to your organization?

(h) Water and Wastewater

Primary domestic/industrial water system
Does the asset/facility have a domestic/industrial water system? If yes, specify the uses of the water.
Does the water supply for the domestic/industrial water system come from an external source (such as community, city, or regional water mains) or from an internal system (such as wells, river, or reservoir)? If internal, describe the system.

Backup domestic/industrial water system
Is there an independent backup water source to the primary domestic supply system? If yes, specify the type of backup system (such as wells, river, reservoir, and tank truck), describe the specific source of the water, indicate the adequacy of the backup supply’s capacity, and indicate if it is gravity feed or requires active pumps (generally electric).

Primary industrial wastewater system
Does the asset/facility have an on-site industrial wastewater system? If yes, specify the types of wastewater that are processed and the processes used.

Backup wastewater system
Is there an independent backup system that can be used to handle the industrial wastewater? If yes, specify the type of backup system (such as a redundant system, holding ponds, and temporary discharge of unprocessed wastewater), describe the specific process, indicate the adequacy of the backup’s capacity and any limitations on how long it can operate, and indicate if it is gravity feed or requires active lift pumps (generally electric).

Commercial/public water/wastewater supply reliability
Historically, has the city water/wastewater supply in the area been reliable and adequate? Quantify the reliability and specify any shortfall in the supply pressure or flow rate. Typically, when disruptions in the city water/wastewater supply occur, are they of significant duration (as opposed to just a few hours)? Quantify in terms of potential effects on the critical functions and activities at the asset/facility.

(i) Emergency Services (Police, Fire, and Emergency Medical)

Local police, county/state police, and federal bureau of investigation (FBI)
How are these agencies involved in protecting the asset/facility? What are typical response times and response capabilities?

Fire department and emergency medical services
How are these agencies involved in protecting or treating the asset/facility? Do they provide inspection and/or certification services? What are typical response times and response capabilities?

(j) Computers and Servers (Mainframes, Firewalls, and Router Equipment)

Electric power sources
Are there provisions within the asset’s/facility’s primary electric power supply and distribution system to supply power for the computers and servers? If yes, indicate under what conditions and for how long. Do the computers and servers have their own backup electric power supply (such as local UPSs or generators)? If yes, specify the types of backup and how long they can operate.
Environmental control
Does the asset’s/facility’s central HVAC system provide environment control to the computer and server areas or do the computer and server areas have their own independent environmental control system? If they have their own system, specify the type.

Protection
Is there special physical security provided for the computer and server areas? If yes, specify the type of security and the level of protection provided.

(k) HVAC System (Air Handlers, Heating Plants, Cooling Towers, and Chillers)

Primary HVAC system
Can critical functions and activities dependent on environmental conditions continue without the HVAC system? If yes, specify which functions and for how long they can continue under various external weather conditions.

Backup HVAC systems
Is there a separate backup or contingency plan for the HVAC system? If yes, describe the system and the energy and water supply systems it requires.

(l) Fire Suppression and Fire Fighting System

Alarms
Does the entire asset/facility (or at least most of it) have a fire and/or smoke detection and alarm system? If yes, specify the type of system, how it is monitored, and the response procedure.

Fire suppression
Does the entire asset/facility (or at least most of it) have a fire suppression system such as an overhead sprinkler system? If yes, specify the medium (usually water) and whether it is of the flooded-pipe or prearmed type. Does the water supply for the fire suppression system come from city water mains or an on-site system, such as wells, rivers, or reservoir?

Other systems
Is there special fire suppression equipment, such as Halon, Inergen, inert gases, or carbon dioxide in certain areas such as computer or telecommunications areas? If yes, indicate the types and adequacies of these special systems.

(m) SCADA System

Type of system
Does the asset/facility make use of a substantial SCADA system (i.e. one that covers a large area or a large number of components and functions)? If yes, indicate what functions are monitored and/or controlled, the type of system, and the extent of the system.
Control centers
Where is the primary control center for the SCADA system located? Is there a backup control center? If yes, where is it located? Is it sufficiently remote from the primary control center to avoid common causes of failure, such as fires, explosions, or other large threats?

(n) Physical Security System

Electric power sources
Are the asset’s/facility’s monitoring and alarm systems normally dependent on the asset’s/facility’s primary electric power supply and distribution system (i.e. is the asset’s/facility’s primary electric power supply and distribution system the primary electric power source)? Is there a backup system that can support all the functions of the monitoring and alarm systems in terms of capacity? Specify for how long it can operate.

Communications pathways
Are the asset’s/facility’s monitoring and alarm systems normally dependent upon the asset’s/facility’s telephone system?

Computer support
Are the asset’s/facility’s monitoring and alarm systems normally dependent upon the facility’s main computers and servers?

(o) Financial System (Including Monetary Transactions)

Electric power sources
Are the asset’s/facility’s financial systems and functions normally dependent on the asset’s/facility’s primary electric power supply and distribution system (i.e. is the facility’s electric power supply and distribution system the primary electric power source)?

Communications pathways
Are the asset’s/facility’s financial systems and functions normally dependent upon the asset’s/facility’s telephone system?

Computer support
Are the asset’s/facility’s financial systems and functions normally dependent upon the facility’s main computers and servers?
identifies external interdependencies (outside the petroleum refinery). Internal interdependencies include on-site energy generation, process control and monitoring, and steam. External interdependencies include commercial electricity, water sources, and feedstock. The primary focus is on critical interdependencies where loss would severely degrade or shut down operations and where no redundancy or limited redundancy exists.
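The screening described here, finding critical dependencies with no or limited redundancy, can be run mechanically once survey answers are recorded as sources with a location, a duration, and their own dependencies. The following Python sketch is an added example, not part of the handbook or of any DOE/DHS tool; the record layout, the sample facility, and all function names are constructed assumptions.

```python
"""Screen interdependency-survey answers for weak or hidden redundancy.
All names, locations and durations below are constructed sample data."""
from dataclasses import dataclass, field

INF = float("inf")


@dataclass(frozen=True)
class Source:
    name: str
    location: str        # physical path or room; a shared one is a common cause
    needs: tuple = ()    # other infrastructures this source itself relies on
    hours: float = INF   # how long the source can carry the load


@dataclass
class Dependency:
    infrastructure: str
    critical: bool       # would loss severely degrade or shut down operations?
    sources: list = field(default_factory=list)


def classify(dep, required_hours):
    """Rate one dependency from its own survey answers only."""
    if len(dep.sources) < 2:
        return "no redundancy"
    lasting = [s for s in dep.sources if s.hours >= required_hours]
    # Sources sharing one location can be lost together (common cause).
    if len({s.location for s in lasting}) < 2:
        return "limited redundancy"
    return "redundant"


def screen(deps, required_hours):
    """Critical dependencies with no or limited redundancy."""
    findings = {}
    for dep in deps:
        rating = classify(dep, required_hours)
        if dep.critical and rating != "redundant":
            findings[dep.infrastructure] = rating
    return findings


def cascade(deps, lost_locations, after_hours=0.0):
    """Infrastructures lost `after_hours` into an event that removes every
    source at `lost_locations`, following each source's own needs."""
    lost = set()
    changed = True
    while changed:                      # repeat until no further loss spreads
        changed = False
        for dep in deps:
            if dep.infrastructure in lost:
                continue
            usable = [s for s in dep.sources
                      if s.location not in lost_locations
                      and s.hours >= after_hours
                      and not set(s.needs) & lost]
            if not usable:
                lost.add(dep.infrastructure)
                changed = True
    return lost


POWER, TELECOM = "electric power", "telecommunications"

# Constructed survey answers for a hypothetical facility.
FACILITY = [
    Dependency(POWER, True, [
        Source("commercial feeder", "north pole line"),
        Source("on-site generator", "generator yard", needs=("fuel",))]),
    Dependency("fuel", True, [
        Source("on-site diesel tank", "tank farm", hours=48)]),
    Dependency(TELECOM, True, [
        Source("copper trunk", "utility tunnel", needs=(POWER,)),
        Source("fiber trunk", "utility tunnel", needs=(POWER,))]),
    Dependency("water", True, [
        Source("city main", "east main"),
        Source("on-site well", "well house", needs=(POWER,))]),
    Dependency("SCADA", True, [
        Source("primary control center", "control building",
               needs=(POWER, TELECOM)),
        Source("backup control center", "warehouse annex",
               needs=(POWER, TELECOM))]),
    Dependency("natural gas", False, [
        Source("distribution main", "gas main")]),
]

if __name__ == "__main__":
    print(screen(FACILITY, required_hours=72))
    print(sorted(cascade(FACILITY, {"north pole line"}, after_hours=72)))
    print(sorted(cascade(FACILITY, {"utility tunnel"})))
```

In this sample, electric power and SCADA each rate "redundant" on their own answers, yet both are lost in the cascade runs because their backups share a dependency on fuel or telecommunications.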
By answering specific questions, assessment teams are able to determine which internal and external infrastructures are critical to operations and the redundancies of these systems. The question areas include infrastructure oversight, infrastructure procedures, and infrastructure considerations. It is important to note that although many questions are the same across all sectors, sector-specific questions also have been developed. For example, the Security Vulnerability Analysis Methodology for the Petroleum Industry [14] provides detailed questions associated with each of these categories. A subset of infrastructure dependency questions is provided in Table 1.

3 NEXT STEPS

The interdependency element area is evolving and should continue to develop. DOE and DHS programs have provided a foundation for this work, and several current programs within the government and industry continue to leverage this effort. For example, the State of Ohio has adopted the interdependency questions into its statewide vulnerability assessment model in identifying state vulnerabilities and mitigation strategies. The State of Ohio had an existing vulnerability assessment template; however, the template was based on physical security. The state recognized the need for an interdependencies perspective to broaden its perspective and to help prioritize mitigation options. Thus, the state integrated a subset of the interdependency questions presented into its template.

Another example is the Pacific Northwest Economic Region (PNWER) that has conducted interdependencies seminars to bring regional stakeholders together. PNWER has developed an Infrastructure Interdependencies Identification and Assessment Tool to identify detailed interdependencies-related information relevant to operations and business continuity, and to determine appropriate ways to share data among stakeholder organizations. The questions implemented in the tool were based on the interdependency questions mentioned. The tool is helping PNWER to better understand, at a regional level, their supply chains and infrastructure dependencies and interdependencies. Taking a regional perspective allows for a more holistic approach to interdependencies and provides insights into bottlenecks within the region.

DHS continues to leverage the interdependencies work into various ongoing programs. DHS has evolved from conducting vulnerability assessments to conducting risk assessments. However, interdependencies have become increasingly important since risk comprises threats, vulnerabilities, and consequences. Each of these risk elements requires an interdependencies perspective to properly identify and quantify risk. The various assessment methodologies at DHS/IP (e.g. Site Assistance Visits, Buffer Zone Protection Plans, Comprehensive Reviews, Maritime Security Risk Assessment Model, and Risk Analysis and Management for Critical Asset Protection) continue to evolve interdependencies aspects in different ways.

REFERENCES

1. President’s Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s Infrastructures, October (1997).
2. Peerenboom, J., Fisher, R. (2008). System and Sector Interdependencies: An Overview, Wiley and Sons, New York.
3. National Petroleum Council (2001). Securing Oil and Natural Gas Infrastructures in the New Economy, June 2001.
4. U.S. Department of Energy (2001). Vulnerability Assessment and Survey Program: Overview of Assessment Methodology, September 2001.
5. U.S. Department of Energy (2002). Energy Infrastructure Risk Management Checklists for Small and Medium Sized Energy Facilities, August 2002.
6. U.S. Department of Energy (2002). Vulnerability Assessment Methodology: Electric Power Infrastructure, September 2002.
7. U.S. Department of Energy (2002). Energy Infrastructure Vulnerability Survey Checklists Template, February 2002.
8. U.S. Department of Energy (2001). Vulnerability and Risk Analysis Program: Lessons Learned and Best Practices, September 2001.
9. U.S. Department of Homeland Security (2003). Survey of Vulnerability Assessment Methodologies, September 2003.
10. U.S. Department of Homeland Security (2007). Site Assistance Visit Methodology Template.
11. U.S. Department of Homeland Security (2007). Buffer Zone Protection Plan Template.
12. Adduci, A., Bailey, S., Fisher, R. (2008). Geospatial Data Support for Infrastructure Interdependencies Analysis, Wiley and Sons, New York.
13. Center for Chemical Process Safety (2003). Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites.
14. American Petroleum Institute and National Petrochemical & Refiners Association (2003). Security Vulnerability Analysis Methodology for the Petroleum Industry, May 2003.
ROBUSTNESS, RESILIENCE, AND SECURITY OF NATIONAL CRITICAL INFRASTRUCTURE SYSTEMS

S. Massoud Amin¹
University of Minnesota, Minneapolis, Minnesota

¹ Honeywell/H.W. Sweatt Chair in Technological Leadership, Director of the Technological Leadership Institute, Professor of Electrical & Computer Engineering, and University Distinguished Teaching Professor. Contact information: [email protected], or http://umn.edu/amin.

1 NATIONAL CRITICAL INFRASTRUCTURE SYSTEMS: UNDERPINNING OUR ECONOMY, GLOBAL COMPETITIVENESS, SECURITY, AND QUALITY OF LIFE

Virtually every crucial economic and social function depends on the secure, reliable operation of energy, telecommunications, transportation, financial, and other infrastructures.
Indeed, they have provided much of the good life that the more developed countries enjoy. However, with increased benefit has come increased risk. As these infrastructures have grown more complex to handle a variety of demands, they have become more interdependent. The Internet, computer networks, and our digital economy have increased the demand for reliable and disturbance-free electricity; banking and finance depend on the robustness of electric power, cable, and wireless telecommunications. Transportation systems, including military and commercial aircraft and land and sea vessels, depend on communication and energy networks. Links between the power grid and telecommunications and between electrical power and oil, water, and gas pipelines continue to be a lynchpin of energy supply networks. This strong interdependence means that an action in one part of one infrastructure network can rapidly create global effects by cascading throughout the same network and even infiltrating other networks.

A growing portion of the world’s business and industry, art and science, entertainment and even crime are conducted through the World Wide Web and the Internet. But the use of these electronic information systems depends, as do the more mundane activities of daily life, on many other complex infrastructures, such as cable and wireless telecommunications, banking and finance, land, water, and air transportation, gas, water, and oil pipelines, and the electric power grid. All of these are, themselves, complex networks, geographically dispersed, nonlinear, and interacting both among themselves and with their human owners, operators, and users. Energy, telecommunications, transportation, and financial infrastructures are becoming increasingly interconnected, thus posing new challenges for their secure and reliable operation.

What is “Infrastructure”? Infrastructure is the linked sociotechnological system of facilities and activities that provides the range of essential services generally necessary to support our economy and quality of life.

What is a sociotechnological system? Sociotechnological systems include the physical infrastructure, the people and organizations who build, run, and use it, as well as the economic and legal conditions for operations.

There is reasonable concern that both national and international energy and information infrastructures have reached a level of complexity and interconnection that makes them particularly vulnerable to cascading outages, initiated by material failure, natural calamities, intentional attack, or human error. The potential ramifications of network failures have never been greater, as the transportation, telecommunications, oil and gas, banking and finance, and other infrastructures depend on the continental power grid to energize and control their operations. Although there are some similarities, the electric power grid is quite different from gas, oil, or water networks: phase shifters rather than valves are used, and there is no way to store significant amounts of electricity. To provide the desired flow on one line often results in “loop flows” on several other lines.

Our studies in the areas of stability, robustness, resilience, and security span from macro systems (including interdependent national infrastructure and enterprises) to micro (individuals/people) within these large-scale uncertain systems, which are modeled as complex adaptive systems. As a “micro” example, living beings must constantly adapt to changing environmental conditions and turbulence. Some seem inherently more capable of this resilient adaptation than others. As with leadership in general, there are some innate attributes that predispose
some to be more resilient than others. And as cumulative life stress increases, pushing one to his/her “maximum emotional capacity,” we need to learn to diffuse some of this emotion or it will push us beyond our upper control limit (i.e. exceed our maximum emotional bandwidth). The key is to learn to manage our “signal to noise ratio” in such a way that we never lose sight of our own unique inner signal. Similarly, understanding how to transform our complex infrastructure systems to be much more sensitive, discerning yet resilient, robust, and adaptive will represent a breakthrough in systems engineering.

As the world becomes increasingly VUCA (volatile, uncertain, complex, and adaptive), a wide spectrum of opportunities and challenges of complex systems abounds, and concerns about the instability of these systems and their potential for large and possibly catastrophic regime shifts are a dominant social concern, with “systemic risk” as a generic problem. These concerns are at the leading edge of many environmental and engineering sciences: for example, in atmospheric science in studies of climate change; for financial risk management in the couplings and resultant systemic risks; for fisheries managers concerned with the sudden collapse of certain economically important fish stocks; for communication networks concerned with system reliability and security in the face of evolving cyber risks; in electrical and power engineering concerned with preventing disruptions to the North American power grid. The commonality of the problem of stability and resilience to shocks in complex systems that these examples point to raises the possibility that approaches to risk management in natural and physical systems with pertinence to nearly all aspects of our lives. Some of the methods for managing risk in engineering systems, such as “multi-objective trade-off analysis” in which Pareto-optimal actions are derived by considering the subjective probabilities and payoffs associated with different shocks and their primary, secondary, and tertiary propagation pathways and consequences.

Modeling interdependent complex systems and lifeline infrastructures (e.g. the electric power, together with telecommunications, oil/gas pipelines, and energy markets) in a control theory context is especially pertinent since the current movement toward deregulation and competition will ultimately be limited only by the physics of electricity and the topology of the grid. In addition, mathematical models of complex networks are typically vague (or may not even exist); existing and classical methods of solution are either unavailable, or are not sufficiently powerful. For the most part, no present methodologies are suitable for understanding their behavior. In what follows, as examples, we briefly summarize four interdependent infrastructures, and the associated countermeasures for increased robustness, resilience, and security.

1.1 Example: Transportation

The backbone of the US transportation system and economy—the road infrastructure system—has continually evolved since the 1930s, but the cost to build and maintain it is rising. The US Department of Transportation estimates that the annual cost of congestion in lost productivity alone is more than $100 billion. In addition, more than 40,000 persons are killed and another five million injured each year in traffic accidents. This infrastructure, faced with the increased density in today’s urban population centers, is becoming increasingly congested. Human population centers have grown dramatically in the past century, creating a “trilemma” of sustainability issues: population, poverty, and pollution. The United States along with many other nations is seeking a solution to
this worsening traffic congestion problem. Such solutions have to be viewed in terms of the economic, social, and political environments, along with the technological capability of the nation. Furthermore, the costs associated with generating and maintaining the road infrastructure are becoming increasingly higher, and the impact of inefficiencies can be measured in quantifiable terms of loss of labor-hours in the work place, loss of fuel, as well as intangibly in terms of pollution, and the general increased stress level of the work force who uses these transportation channels.

Where feasible, increasing the number of lanes or building new roads can expand present capacity, but the demand in some areas (both from population growth and travel demand) cannot be met by adding roads. A less expensive and disruptive solution is to intelligently manage the existing road infrastructure. The idea is to create and deploy technologies to improve the safety, capacity, and operational efficiency of the surface transportation system, while simultaneously reducing the burden on the environment and on our energy sources. With these objectives in mind, Congress launched the US Intelligent Transportation Systems (ITS) program in 1991. One of the program’s goals is to develop Advanced Traffic Management Systems (ATMS).

ATMS will rely on the consolidation of information, automotive, and highway technology. A wide range of small, complementary systems—from electronic route guidance to preemptive signal control—will essentially automate highways. Sensors and communication devices will be along the roads, as well as in the vehicle. Thus, the road will “know” its operational status, which it will then communicate to the vehicle. The vehicle operator can then make informed decisions about which routes to take to optimize individual trips and daily travel plans. Entities such as traveler information services and fleet management can use the data to plan, implement, and manage their daily operations. Both public and private outfits can also use the road to plan, implement, and manage their daily operations, including traveler information, traffic management, public and rural transportation management, priority vehicle management, and freight and fleet management. Thus, although they pose great analytical challenges, the ATMS thrust offers significant payoff because of its broad geographical coverage and direct impact on regional economies.

As complex as it is², the road system is only one segment of the transportation network. As in the other infrastructures, there are diverse sources of complexity and interdependence. Emerging issues include the following:

• Impact of Information Technology: IT and transportation systems’ interrelations. Transportation is increasingly linked with sensors, telecommunications, and even satellites.
• Electrification of multimodal transportation systems: for example, rail networks are becoming increasingly dependent on electricity (electric and magnetic levitation trains).
• Fertile area at the intersection of CE/CS/EnvE/EE/ME/OR/Math/Control/Economics.
• Traffic modeling, prediction, and management: from operational issues to expansion planning.
• Multiresolutional simulations; real-time optimization, epsilon-optimality, and provable performance bounds.

² A few statistics on how we get around in America:
• Length of public roads: 46,036 miles of interstate highways (1%); over 112,450 miles of National Highway System (3%); and 3.76 million miles of other (96%)
• Personal travel by mode:
  ◦ 208 million vehicles: private vehicles 85.9%, public transport 2.8%, other means 11.3%
  ◦ About 130 million cars, 69 million light trucks, 7 million commercial trucks, and 700,000 buses (e.g. California has 15.5 million motor vehicles, Florida has 7.3 million, . . . )
  ◦ About 1.2 million rail cars, 68 ferries, 6,000 aircraft
• Half of the total petroleum consumption in the United States is for highway vehicles and another 18% for other transportation:
  ◦ Fuel consumption: 148 billion gallons of gasoline, 28 billion gallons of diesel, and about 4 billion gallons other
• Fatalities: 22,416 in cars (50.4%), 9,901 truck occupants (22.2%), 2,160 on motorcycles (4.9%), 1,088 on aircraft (3.1%), and 624 on trains (1.4%)
• Fatal accident types amenable to technological prevention: off-road (36%), angle collision (18%), head-on collision (17%), rear-end collision (5%), sideswipe (2%).
In the area of multimodal transportation and distribution networks (air, land, and sea), emerging issues include electrification of transportation; links with sensors, telecommunications and satellites; traffic modeling, prediction, and management; multiresolutional simulations; real-time optimization with provable performance bounds with risk management; and how to develop tools in the intersection of mathematics, risk management, operations research, control theory, system science, computer science, artificial intelligence (AI), economics, and even biology to tackle these problems. Several researchers have referred to this as “intelligent or adaptive control”; the challenge is how to develop systems that can sense, identify, and build realistic models, and can also adapt, control, and achieve their goals.

These are challenges not only in transportation systems, but are the characteristics of any industry made up of many, geographically dispersed components that can exhibit rapid global change as a result of local actions. Prime examples are the highly interconnected and interactive industries, which make up a national or international “infrastructure,” including telecommunications, transportation, gas, water and oil pipelines, the electric power grid, and even the collection of satellites in the earth orbit.

1.2 Example: Telecommunications

The globalization of our economy is built on telecommunication networks, including fixed networks (public switched telephone and data networks), wireless (cellular, PCS, wireless ATM), and computers (Internet and millions of computers in public and private use). These networks are growing rapidly and require secure, reliable, and high quality power supplies. This telecommunication infrastructure, like the power grid, is becoming overburdened. The satellite network, just one segment of the infrastructure, is a good example. The satellite network has three main layers:

• low earth orbit (LEO), 200–2,000 km (“little LEOs” at 750–1500 km), operating at VHF, UHF below 500 MHz; low complexity;
• medium earth orbit (MEO), 2000–20,000 km (big LEOs/MEOs at 750–11,000 km) operating at L and S microwave (1.6 and 2.5 GHz) with high to very high complexity; and
• geosynchronous orbit (GEO), at 36,000 km, operating at K microwave (19 and 29 GHz), with variable low to high complexity.
Some of the most familiar services are detailed Earth imaging, remote monitoring of dispersed locations, and highly accurate location and tracking using the continuous signals of the global positioning system (GPS). Satellite-based business and personal voice and data services are now available throughout much of the world. The Internet is rapidly expanding the range of applications for satellite-based data communications; two of the most popular applications are accessing the Internet itself and connecting remote sites to corporate networks. Some satellite systems, including those of satellite TV providers, let users browse Web pages and download data—at 400 kbps—through a 21-in. (53 cm) roof-mounted dish receiver connected to a personal computer with an interface card. This capability could become a valuable tool for expanding an enterprise network to remote offices around the world. Some utilities are diversifying their businesses by investing in telecommunications and creating innovative communications networks that cope with industry trends toward distributed resources, two-way customer communications, and business expansion, as well as addressing the measurement of complex and data-intensive energy systems via wide-area monitoring and control. Challenges include how to handle network disruptions and delays and manage orbits from the satellite. A big source of complexity is the interdependence of the telecommunication networks and the power grid. The telecommunications network and the electric power grid are becoming increasingly interdependent. Issues range from the highest command and control level to the individual power stations and substations at the middle level, and then to the devices and power equipment at the lowest level. 
1.3 Example: Financial Systems3

3 This section on financial systems is based on my presentation and related discussions at the “New Directions for Understanding Systemic Risk: A report on a Conference Cosponsored by the Federal Reserve Bank of New York and the National Academy of Sciences”; for the NAS book and complete FRBNY report please see: Economic Policy Review, Federal Reserve Bank of New York, Vol. 13, Number 2, Nov. 2007, and New Directions for Understanding Systemic Risk, 108 pp, Nat’l Acad. Press, Washington DC, 2007. Input and material from NAS/BMSA and FRBNY is gratefully acknowledged.

The stability of the financial system and the potential for systemic events to alter the functioning of that system have long been important topics for central banks and the related research community. Developments such as increasing industry consolidation, global networking, terrorist threats, and an increasing dependence on computer technologies underscore the importance of this area of research. Recent events, however, including the terrorist attacks of September 11th and the demise of Long-Term Capital Management, suggest that existing models of systemic shocks in the financial system may no longer adequately capture the possible channels of propagation and feedback arising from major disturbances. Nor do existing models fully account for the increasing complexity of the financial system’s structure, the complete range of financial and information flows, or the endogenous behavior of different agents in the system. Fresh thinking on systemic risk is, therefore, required. In order to promote a better understanding of systemic risk, the National Academy of Sciences and the Federal Reserve Bank of New York convened a conference in New York
in May of 2006 drawing together a broadly interdisciplinary group of scientists, engineers, and financial practitioners, ranging from electrical engineers and academic economists to risk analysts and asset managers from major investment banks. The primary purpose of the conference was to promote a cross-disciplinary dialogue in order to examine what possible leverage on the topic of systemic risk could be gained from areas of science not directly related to finance or economics. Accordingly, conference participants from the natural and mathematical sciences and from engineering disciplines drew heavily upon research on complex adaptive systems in order to build a framework both to give some substance and definition to the notion of systemic risk and to point to the possible linkages between this research and research on the financial system. Similarly, research economists presented papers that showed how some of these linkages could be leveraged, for example, in studies of international trade and, crucially for the Federal Reserve policy, in the management of the payments system. Participants from the financial industry also highlighted how thinking on systemic risk and actual systemic events affect trading activities in order to provide a context for the discussion. For more information, please see the above-referenced report as well as the prevalence of systemic risk in very diverse areas ranging from biological and natural ecologies to financial, built and engineered complex systems in which prediction and management of systemic failures are critical. In an engineered system, like the electric power grid or a telecommunication network, there is indeed the opportunity for control systems, and these can be quite advanced. 
Creating such a control capability for the electric grid required a mixture of tools from dynamical systems, statistical physics, information and communication science, along with research to reduce the computational complexity of the algorithms so they can scale up with the large size of the system being controlled. Our earlier work has led to working methods that have been applied to a variety of situations, including the electricity infrastructure coupled with telecommunications and the energy markets, cell phone networks on the Internet, and some biological systems. This is a multiscale challenge: detection of troublesome signals must be done within milliseconds, with some compensatory actions taken automatically, while some load balancing and frequency control on the grid is controlled on a timescale of seconds. At the same time, control functions such as load forecasting and management and generation scheduling take place on a timescale of hours or days. Developing a picture at the atomic level of what is going on in a system and then building up to the macroscale is a challenge that requires multiresolutional modeling in both space and time. Just to give an idea of the complexity of modeling and controlling the electrical grid, in North America, there are more than 15,000 generators, and over 216,000 miles of high voltage lines. The overall grid is divided in several very large interconnected regions, and modeling one of them (which is necessary for understanding the systemic risks) might entail a simulation with 50,000 lines and 3000 generators. The system is typically designed to withstand the loss of any single element. To determine whether the grid can attain that design goal, we need to simulate the loss of each of 53,000 elements and calculate the effects on each of 50,000 lines, leading to over 2.6 billion cases. The analysis of these systemic risks is very challenging, but it can really make a difference in how to operate the system. 
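The single-outage screening described above, as an added example that is not code from the handbook: it models the grid with a DC power-flow approximation (an assumption of this sketch) on a constructed four-bus network and covers line outages only. Bus names, reactances, limits and loads are invented for illustration.

```python
"""N-1 line-outage screening with a DC power-flow approximation."""

# Constructed four-bus network (not data from the handbook).
# Line: (from_bus, to_bus, reactance, thermal_limit_mw). Only the ratios of the
# reactances matter for how flow divides between parallel paths.
LINES = [
    ("gen", "north", 0.1, 120.0),
    ("gen", "south", 0.1, 120.0),
    ("north", "south", 0.1, 100.0),
    ("south", "spur", 0.1, 80.0),
]
# Net injection in MW, loads negative. The slack bus covers whatever balance
# the energised network needs, so its entry here is informational.
INJECTION = {"gen": 180.0, "north": -90.0, "south": -30.0, "spur": -60.0}
SLACK = "gen"


def solve(a, b):
    """Solve the linear system a.x = b by Gaussian elimination with pivoting."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n + 1):
                m[r][k] -= f * m[c][k]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x


def energised(lines, slack):
    """Return the set of buses still connected to the slack bus."""
    adj = {}
    for f, t, _, _ in lines:
        adj.setdefault(f, set()).add(t)
        adj.setdefault(t, set()).add(f)
    seen, stack = {slack}, [slack]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def dc_flows(lines, injection, slack):
    """DC power flow: solve B.theta = P with theta[slack] = 0, then line flows."""
    live = energised(lines, slack)
    buses = sorted(live - {slack})
    idx = {bus: i for i, bus in enumerate(buses)}
    b_matrix = [[0.0] * len(buses) for _ in buses]
    for f, t, x, _ in lines:
        if f not in live:          # line lies inside a de-energised island
            continue
        for u, v in ((f, t), (t, f)):
            if u in idx:
                b_matrix[idx[u]][idx[u]] += 1.0 / x
                if v in idx:
                    b_matrix[idx[u]][idx[v]] -= 1.0 / x
    theta = dict(zip(buses, solve(b_matrix, [injection[bus] for bus in buses])))
    theta[slack] = 0.0
    flows = {(f, t): (theta[f] - theta[t]) / x for f, t, x, _ in lines if f in live}
    return flows, live


def n_minus_1(lines, injection, slack):
    """Remove each line in turn and report overloads and islanded load."""
    report = {}
    for k, (f_out, t_out, _, _) in enumerate(lines):
        remaining = lines[:k] + lines[k + 1:]
        flows, live = dc_flows(remaining, injection, slack)
        overloads = {
            (f, t): round(abs(flows[(f, t)]), 1)
            for f, t, _, limit in remaining
            if (f, t) in flows and abs(flows[(f, t)]) > limit + 1e-9
        }
        # Simplification: buses cut off from the slack bus are treated as dark.
        dark = sorted(set(injection) - live)
        lost = sum(-injection[bus] for bus in dark if injection[bus] < 0)
        report[(f_out, t_out)] = {
            "overloads": overloads, "islanded": dark, "lost_load_mw": lost,
        }
    return report


def screening_cases(n_lines, n_generators):
    """Outage cases times monitored lines, as counted in the text."""
    return (n_lines + n_generators) * n_lines


if __name__ == "__main__":
    for outage, result in n_minus_1(LINES, INJECTION, SLACK).items():
        print(outage, result)
    print(screening_cases(50_000, 3_000))  # the regional model in the text
```

On this constructed network two of the four line outages overload a neighbouring line and one strands 60 MW of load, so the single-element design goal is not met. The loop over outages is the part that grows to billions of checks at regional scale.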
As an additional illustration of the level of detail that can successfully be modeled, we developed an example of a complex model to predict load and demand for DeKalb,
Illinois, which is a sizeable market with a mixture of commercial and residential customers. Deregulation of the electric system has reduced the correlation between power flow and demand, thus introducing uncertainty into the system, and so there has been a good deal of research to understand this phenomenon and develop the means to monitor and control it. The models and algorithms are now good enough to simulate the demand by customer type (residential, small commercial, and large commercial) on an hour-by-hour basis and attain 99.6–99.7% accuracy over the entire year. One value of these predictions is that they enable the power company to proactively dispatch small generators to meet anticipated high demands. From a broader perspective, any critical national infrastructure typically has many layers and decision-making units and is vulnerable to various types of disturbances. Effective, intelligent, distributed control is required that would enable parts of the constituent networks to remain operational and even automatically reconfigure in the event of local failures or threats of failure. In any situation subject to rapid changes, completely centralized control requires multiple, high data-rate, two-way communication links, a powerful central computing facility, and an elaborate operations control center. But all of these are liable to disruption at the very time when they are most needed (i.e. when the system is stressed by natural disasters, purposeful attack, or unusually high demand). When failures occur at various locations in such a network, the whole system breaks into isolated “islands,” each of which must then fend for itself. With the intelligence distributed, and the components acting as independent agents, those in each island have the ability to reorganize themselves and make efficient use of whatever local resources remain to them in ways consonant with the established global goals to minimize adverse impact on the overall network. 
Local controllers will guide the isolated areas to operate independently while preparing them to rejoin the network, without creating unacceptable local conditions either during or after the transition. A network of local controllers can act as a parallel, distributed computer, communicating via microwaves, optical cables, or the power lines themselves, and intelligently limiting their messages to only that information necessary to achieve global optimization and facilitate recovery after failure. If organized in coordination with the internal structure existing in a complex infrastructure and with the physics specific to the components they control, these agents promise to provide effective local oversight and control without need of excessive communications, supervision, or initial programming. Indeed, they can be used even if human understanding of the complex system in question is incomplete. These agents exist in every local subsystem—from “horseshoe nail” up to “kingdom”—and perform preprogrammed self-healing actions that require an immediate response. Such simple agents already are embedded in many systems today, such as circuit breakers and fuses as well as diagnostic routines. The observation is that we can definitely account for loose nails and save the kingdom.

Another key insight came out of analysis of forest fires, which researchers in one of the six funded consortia found to have similar “failure-cascade” behavior to electric power grids. In a forest fire the spread of a spark into a conflagration depends on how close together the trees are. If there is just one tree in a barren field and it is hit by lightning, it burns but no large blaze results. But if there are many trees and they are close enough together—which is the usual case with trees because Nature is prolific and efficient in using resources—the single lightning strike can result in a forest fire that burns until it reaches a natural barrier such as a rocky ridge, river, or road.
If the barrier is narrow enough that a burning tree can fall across it or it includes a burnable flaw such
as a wooden bridge, the fire jumps the barrier and burns on. It is the role of first-response wild-land firefighters such as smokejumpers to contain a small fire before it spreads by reinforcing an existing barrier or scraping out a defensible fire line barrier around the original blaze. Similar results hold for failures in electric power grids. For power grids, the “one-tree” situation is a case in which every single electric socket had a dedicated wire connecting it to a dedicated generator. A lightning strike on any wire would take out that one circuit and no more. But like trees in Nature, electrical systems are designed for efficient use of resources, which means numerous sockets served by a single circuit and multiple circuits for each generator. A failure anywhere on the system causes additional failures until a barrier—such as a surge protector or circuit breaker—is reached. If the barrier does not function properly or is insufficiently large, the failure bypasses it and continues cascading across the system. These findings suggest approaches by which the natural barriers in power grids may be made more robust by simple design changes in the configuration of the system, and eventually how small failures might be contained by active smokejumper-like controllers before they grow into large problems. Other research into fundamental theory of complex interactive systems is exploring means of quickly identifying weak links and failures within a system. Work during the past 11 years in this area has developed, among other things, a new vision for the integrated sensing, communications, and control-issues surrounding the power grid. Some of the pertinent issues are why/how to develop protection and control devices for centralized versus decentralized control, as well as issues involving adaptive operation and robustness to various destabilizers. 
However, instead of performing in vivo societal tests which can be disruptive, we have performed extensive “wind-tunnel” simulation testing (in silico) of devices and policies in the context of the whole system along with prediction of unintended consequences of designs and policies to provide a greater understanding of how policies, economic designs, and technologies might fit into the continental grid, as well as guidance for their effective deployment and operation. This is not meant to imply that ecology and engineering have overcome all the challenges associated with representing and analyzing complex adaptive systems. Sensing the state of such systems is one ongoing challenge, as is the question of what to measure. Validation of models and verification of software remains a major challenge. There are major computational problems, including how to break models into tractable components. Self-similar systems can be reduced, but not complex systems like the electrical grid. One can use approximations to decouple complex systems, but it is difficult to analyze the errors thus introduced. One can find parts of an engineered system—and presumably in other systems—that are weakly coupled in terms of the dynamics transferred through the system and then approximate those portions with stand-alone models. This can help us reduce the complexity by dividing and conquering. It is important to emphasize the difficulty of identifying meaningful signals from complex systems. For example, when monitoring a large fraction of the US electrical grid, how can we discern whether a perturbation in the system (be it financial, physical, communication, or cyber or a combination of them), is a natural fluctuation or the signature of a catastrophic failure. Does it reflect a naturally caused phenomenon, perhaps triggered by heat, high humidity, or a high demand in one portion of the grid, or is it actually an attack on the system or the precursor to major disturbance? 
How close is it to a regime shift or system flip? That can only be addressed with detection systems that can pull up
all the data, do data mining, pattern recognition, and then statistical analysis to derive the probability that we were sensing a catastrophic failure or a precursor of one. This system monitoring problem is exacerbated if sharing of information is limited, as is the case in the banking sector. For example, I am often asked how one would monitor and control the reliability of the electrical grid under the assumption that companies did not cooperate with each other but, instead, competed and did not share the information. Such a situation would lead to a new control mechanism, and the logical question is whether this would stabilize or destabilize the system. For an Electric Power Research Institute (EPRI) project from the late 1990s, Simulator for Electric Power Industry Agents (SEPIA), we began exploring this case. The analysis was done for four large regions of the United States, and explored whether one could increase efficiency without diminishing reliability. This concept would need to be scaled up in order to reach a definitive conclusion.4

There is also work on highly optimized tolerance that Professors John Doyle and Jean Carlson have been developing in California, in which they basically use a genetic algorithm, a neural network approach, to evolve the properties of systems. They consider a variety of systems with particular structures and feedback properties, expose them to perturbations, observe their recovery, and, just as one would train a chess-playing program, these systems are modified until they become more tolerant to the disturbances to which they are exposed. That is a way in which, even when one cannot solve the mathematics, one can improve the structure of systems.
The difficulty with these approaches, as Doyle and Carlson point out, is that systems become “robust yet fragile” in their terminology, meaning that systems that are engineered or have evolved to be tolerant to a particular set of disturbances often do so at the expense of their response to other classes of disturbances, something that we have to be careful about in the design of systems.5 Complex systems abound, and many different disciplines are concerned with understanding catastrophic change in such systems. We focus on three principal areas: risk assessment, modeling and prediction, and mitigation.

4 See Amin, Massoud, Restructuring the Electric Enterprise: Simulating the Evolution of the Electric Power Industry with Adaptive Agents, Chapter 3 in Market Based Pricing of Electricity, A. Faruqui and M. Crew, eds., Kluwer Academic Publishers, Dec. 2002.
5 See, for example, T. Zhou, J. M. Carlson and J. Doyle, Mutation, specialization, and hypersensitivity in highly optimized tolerance, Proceedings of the National Academy of Sciences 99:2049–2054, 2002, and J. M. Carlson and J. Doyle, Complexity and robustness, Proceedings of the National Academy of Sciences 99 suppl. 1:2538–2545, 2002.

1.4 Example: North American Power Grid

1.4.1 Electrification of transportation and enabling a smart self-healing grid. Our economy places increased demand on reliable and disturbance-free electricity. The electric power grid is quite different from other infrastructure systems, such as gas, oil or water networks. A distinguishing characteristic of electricity, for example, is that there is no way to store significant amounts of energy; thus the system is fundamentally operating in real time. For this and related reasons, energy infrastructure systems have a unique combination of characteristics that makes control and reliable operation challenging:
• Attacks and disturbances can lead to widespread failure almost instantaneously.
• Billions of distributed heterogeneous infrastructure components are tightly interconnected.
• A variety of participants—owners, operators, sellers, buyers, customers, data and information providers, data and information users—interact at many points.
• The number of possible interactions increases dramatically as participants are added. No single centralized entity can evaluate, monitor, and manage them in real time.
• The relationships and interdependencies are too complex for conventional mathematical theories and control methods.

These characteristics create unique challenges in modeling, prediction, simulation, cause and effect relationships, analysis, optimization, and control, which have important implications for the use of IT for electric power. This article addresses these challenges by first presenting the technologies involved in the electricity infrastructure and then considering management and policy challenges to effective performance in both the short and long term.

The North American power network may realistically be considered to be the largest and most complex machine in the world—its transmission lines connect all the electric generation and distribution on the continent. In that respect, it exemplifies many of the complexities of electric power infrastructure and how IT can address them. This network represents an enormous investment, including over 15,000 generators in 10,000 power plants, and hundreds of thousands of miles of transmission lines and distribution networks, whose estimated worth is over US$800 billion. In 2000, transmission and distribution was valued at US$358 billion (EIA 2003; EPRI 1999–2003). At its most fundamental level, the network’s transmission lines form a vertically integrated hierarchical network consisting of the generation layer (noted above) and three other network levels.
The first is the transmission network, which is a meshed network combining extrahigh voltage (above 300 kV) and high voltage (100–300 kV), connected to large generation units and very large customers and, via tie-lines, to neighboring transmission networks and to the subtransmission level. The second level is subtransmission, which consists of a radial or weakly coupled network including some high voltage (100–300 kV) but typically 5–15 kV, connected to large customers and medium size generators. Finally, the third network level is distribution, which is typically a tree network including low voltage (110–115 or 220–240 V) and medium voltage (1–100 kV) connected to small generators, medium size customers, and local low voltage networks for small customers.

In its adaptation to disturbances, a power system can be characterized as having multiple states, or “modes,” during which specific operational and control actions and reactions take place: normal, disturbance, and restorative. In the normal mode, the priority is on economic dispatch, load frequency control, maintenance, and forecasting. In the disturbance mode, attention shifts to faults, instability, and load shedding. And in the restorative mode, priorities include rescheduling, resynchronization, and load restoration. Some authors include an Alert Mode before a disturbance actually affects the system. Others add a System Failure Mode before restoration is attempted.

Beyond the risk management note above, the electric power grid’s emerging issues include (i) integration and management of renewable resources and “microgrids”; (ii) use and management of the infrastructure integrated with an overlaid sensor network, secure communications, and intelligent software agents (including dollars/economic factors and watts); (iii) active-control high voltage devices; (iv) developing new business strategies for a deregulated energy market; and (v) ensuring
system stability, reliability, robustness, and efficiency in a competitive marketplace and carbon-constrained world. In addition, the electricity grid faces (at least) three looming challenges: its organization, its technical ability to meet 25-year and 50-year electricity needs, and its ability to increase its efficiency without diminishing its reliability and security.

1.4.2 Smart self-healing grid. The term smart grid refers to the use of computer, communication, sensing and control technology which operates in parallel with an electric power grid for the purpose of enhancing the reliability of electric power delivery, minimizing the cost of electric energy to consumers, and facilitating the interconnection of new generating sources to the grid. The concept for smart grid research and development was originally conceived by this author while at EPRI during 1998–2003. The genesis of the smart grid was in the EPRI/DOD Complex Interactive Networks/Systems Initiative (CIN/SI) that I created and led during 1998–2001. Beginning in 1998, the original concept and tools developed within CIN/SI were referred to as The Self-Healing Grid. This name has undergone several changes and finally emerged as “The Smart Grid.” More recently, after joining the University of Minnesota in 2003, my research team and I have been engaged in research and also in telling our colleagues about this concept through publications, lectures, and seminars to diverse stakeholders, which include a wide spectrum from local to international utilities, companies, state and federal organizations, universities and think tanks, to congressional staffers, R&D caucus and committees who have invited our assessments and presentations. The smart grid is a term also built into the Energy Independence and Security Act (EISA) of 2007, and more recently the American Recovery and Reinvestment Act of 2009 (the stimulus bill).
The US Congress allocated $11 billion to research and demonstration projects in the smart grid area. This technology is currently an active topic on TV news and is discussed widely in the media. Title XIII of EISA 2007 mandates a “Smart Grid” that modernizes and improves the information infrastructure. The Smart Grid represents the information and control functionality that will monitor, control, manage, coordinate, integrate, facilitate, and enable achievement of many of the benefits of innovations envisioned in national energy policy. Examples of Smart Grid functionality include the following:
• Connecting end user loads to grid information and control to facilitate energy efficiency improvements.
• Integrating alternative energy sources and providing the means for mitigating their intermittency.
• Providing the necessary information and control to integrate pluggable hybrids into the grid.
• Allowing problems to be detected and addressed before they become grid disturbances.

Information on these is widely available through EPRI assessments and reports and the US Department of Energy (The Smart Grid—An Introduction, 2008); the IEEE National Energy Policy Recommendations related to the Smart Grid are also a great resource. In summary, an electric power system has two infrastructures:
• an electric infrastructure that carries the electric energy in the power system, and
• an information infrastructure that monitors, controls, and performs other functions related to the electric infrastructure.
The existing electric power grid is not dumb. It has long been designed to continue operating even in the face of problems. Equipment breaks, thunderstorms happen, curious animals get into substations, and drivers crash cars into distribution poles. The power grid is designed and operated so that any single situation does not interrupt the flow of power (the so-called “n − 1 criterion”). That requires intelligence, which comes from electromechanical automation, intelligent electronic devices (IEDs), control centers, computers, and communications systems. Such functions have been part of the electric grid for many years. However, because of a combination of cost and operational continuity issues, many of these systems lag, sometimes by decades, behind advances and capabilities in computer and communications technology. The institutional and economic framework envisioned for the twenty-first century power system ultimately depends upon building new types and levels of functionality into today’s power system. These needed capabilities will be “enabled” by several breakthrough innovations, including, but not limited to the following:
• Digitally controlling the power delivery network by replacing today’s electromechanical switching with real-time and power-electronic controls. This will become the foundation of a new “smart, self-healing power delivery system” that will enable innovative productivity advances throughout the economy. Digital control, coupled with communications and computational ability is the essential step needed to most cost-effectively address the combined reliability, capacity, security, and market-service vulnerabilities of today’s power delivery system.
• Integrating communications to create a dynamic, interactive power system for real-time information and power exchange. This capability is needed to enable retail energy markets; power interactive, microprocessor-based service networks; and fundamentally raise the value proposition for electricity. Through advanced information technology coupled with sensors, the system would be “self-healing” in the sense that it is constantly self-monitoring and self-correcting to keep high quality, reliable power flowing. It can sense disturbances and instantaneously counteract them, or reconfigure the flow of power to cordon off any damage before it can propagate.
• Automating the distribution system to meet evolving consumer needs. The value of a fully automated distribution system integrated with communication derives from four basic functionality advantages:
  1. Reduced number and duration of consumer interruptions, fault anticipation, and rapid restoration.
  2. Increased ability to deliver varying levels of reliable, digital-grade power.
  3. Increased functional value for all consumers in terms of metering, billing, energy management, demand control, and security monitoring, among others.
  4. Access to selective consumer services including energy-smart appliances, electricity-market participation, security monitoring, and distributed generation.
The value of these advantages to consumers, suppliers, and society alike more than justifies the needed public/private investment commitment. This transformation will enable additional innovations in electricity service that are bounded only by our imagination.
• Transforming the meter into an EnergyPort (EnergyPort is a service mark of EPRI). EnergyPort is a consumer gateway that allows price signals, decisions, communications, and network intelligence to flow back and forth through the two-way energy/information portal. This will be the linchpin technology that leads to a fully functioning marketplace with consumers responding (through microprocessor agents) to service offerings and price signals. This offers a tool for moving beyond the commodity paradigm of twentieth century electricity service, and quite possibly ushering in a set of new energy/information services as diverse as those in today’s telecommunications.
• Integrating distributed energy resources including intermittent and renewable generation and storage systems. The smart power delivery system would also be able to seamlessly integrate an array of locally installed, distributed power generation as power system assets. Distributed power sources could be deployed on both the supply and consumer side of the energy/information portal as essential assets dispatching reliability, capacity, and efficiency.
• Accelerating end-use efficiency. The growing trend toward digital control can enable sustained improvements in efficiency and productivity for nearly all industrial and commercial operations. Similarly, the growth in end-use energy consuming devices and appliances, networked with system controls, will afford continuous improvements in productivity and efficiency.

Other benefits of the Smart Grid go beyond energy efficiency:
• The Smart Grid will facilitate use of alternative generation that supports energy independence. This is a matter of national security.
• Both cyber-security protection and defense against EMP: Components of the Smart Grid will need to be hardened by design.
• There are likely to be numerous benefits of the Smart Grid that defy quantification. Examples include the flexibility to accommodate new requirements, the ability to accommodate innovative grid technology, and the ability to support innovative regulatory concepts, all without major replacement of existing equipment.
• The flexibility may help avoid future rate increases as new technology or requirements arise, but the exact benefit might not be quantifiable.

Revolutionary developments in both information technology and material science and engineering promise significant improvement in the security, reliability, efficiency, and cost-effectiveness of all critical infrastructures. Steps taken now can ensure that critical infrastructures continue to support population growth and economic growth without environmental harm.
2 DIGITAL NETWORK CONTROL: OPERATIONAL SYSTEMS
IT has played and will continue to play a critical role in ensuring the reliable transmission and distribution of electricity. Electricity’s share of total energy in the world is expected to continue to grow, as more efficient and intelligent processes are introduced, such as controllers based on power electronics combined with wide-area sensing and management systems for improved performance. In the next two decades, it is envisioned that the electric power grid will move from an electro-mechanically controlled system to one that is electronically controlled. In this sense, the electrical infrastructure is becoming increasingly intertwined with the IT infrastructure that supports it. Current and future power systems applications for telecommunications include the following:
• surveying overhead transmission circuits and rights-of-way;
• transmitting supervisory control and data acquisition (SCADA) system data (usually via telephone circuits);
• measuring overhead conductor sag;
• measuring phasors (using a precise timing signal derived from the GPS to time-tag measurements of AC signals);
• fitting sine waves to AC signals, and determining magnitude and phase of v(t), i(t) in remote locations;
• enhancing situational awareness by generating real-time pictures of system states and real-time power flow as well as real-time estimation of the systems’ state and topology;
• using data from LEO satellites for faster-response control (more than 100 times less delay than High Earth Orbit (HEO) satellites) and connecting to existing parallel data stream facilities (effectively a high speed global RS-232 channel).
The technologies support the operational control of electrical networks, ranging from energy management systems (EMS) to remote field devices. Critical systems include those described below.
EMS. The objective of the EMS is to manage production, purchase, transmission, distribution, and sale of electrical energy in the power system at a minimal cost with respect to safety and reliability. Management of the real-time operation of an electric power system is a complex task requiring interaction of human operators, computer systems, communications networks, and real-time data-gathering devices in power plants and substations. An EMS consists of computers, display devices, software, communication channels and remote terminal units that are connected to Remote Terminal Units (RTUs), control actuators, and transducers in power plants and substations. The main tasks it performs are dependent upon generator control and scheduling, network analysis and operator training. Control of generation requires that the EMS maintain system frequency and tie line flows while economically dispatching each generating unit. Management of the transmission network requires that the EMS monitor up to thousands of telemetered values, estimate the electrical state of the network, and inform the operator of the best strategy to handle potential outages that could result in an overload or voltage limits violation. EMSs can have real-time two-way communication links between substations, power plants, independent system operators, and other utility EMSs.
SCADA system. A SCADA system supports the operator control of remote (or local) equipment, such as opening or closing a breaker. A SCADA system provides three critical functions in the operation of an electric power system: data acquisition, supervisory control, and alarm display and control. It consists of one or more computers with appropriate applications software connected by a communications system to a number of RTUs placed at various locations to collect data, perform intelligent control of electrical system devices and report results back to an EMS. SCADAs can also be used for similar applications in natural gas pipeline transmission and distribution applications. A SCADA can have real-time communication links with one or more EMSs and hundreds of substations.
RTU. RTUs are special purpose microprocessor-based computers that contain analog to digital converters (ADCs) and digital to analog converters (DACs), digital inputs for status and digital output for control. There are transmission substation RTUs and distribution automation (DA) RTUs. Transmission substation RTUs are deployed at substation and generation facilities where a large number of status and control points are required. DA RTUs are used to control air switches and various compensation capacitor banks (that support voltage) on utility poles, control pad-mounted switches, monitor and automate feeders, monitor and control underground networks, and for various uses in smaller distribution substations. RTUs can be configured and interrogated using telecommunication technologies. They can have hundreds of real-time communication links with other substations, EMS, and power plants.
Programmable logic controller (PLC). PLCs have been used extensively in manufacturing and process industries for many years and are now being used to implement relay and control systems in substations. PLCs have extended input/output (I/O) systems similar to transmission substation RTUs. The control outputs can be controlled by software residing in the PLC and via remote commands from a SCADA system. The PLC user can make changes in the software without making any major hardware or software changes. In some applications, PLCs with RTU reporting capability may have advantages over conventional RTUs. PLCs are also used in many power plant and refinery applications. They were originally designed for use in discrete applications like coal handling. They are now being used in continuous control applications such as feedwater control. PLCs can have many real-time communication links inside and outside substations or plants.
Protective relays. Protective relays are designed to respond to system faults such as short circuits. When faults occur, the relays must signal the appropriate circuit breakers to trip and isolate the faulted equipment. Distribution system relaying must coordinate with fuses and reclosures for faults while ignoring cold-load pickup, capacitor bank switching, and transformer energization. Transmission line relaying must locate and isolate a fault with sufficient speed to preserve stability, reduce fault damage, and minimize the impact on the power system. Certain types of “smart” protective relays can be configured and interrogated using telecommunication technologies.
Automated metering. Automated metering is designed to upload residential and/or commercial gas and/or electric meter data. This data can then be automatically downloaded to a PC or other device and transmitted to a central collection point. With this technology, real-time communication links exist outside the utility infrastructure.
Plant distributed control systems (DCSs). Plant DCSs are plantwide control systems that can be used for control and/or data acquisition. The I/O count can be as high as 20,000 data points or higher. Often, the DCS is used as the plant data highway for communication to/from intelligent field devices, other control systems such as PLCs, RTUs, and even the corporate data network for enterprise resource planning (ERP) applications. The DCS traditionally has used a proprietary operating system. Newer versions are moving toward open systems such as Windows NT and Sun Solaris. DCS technology has been developed with operating efficiency and user configurability as drivers, rather than system security. Additionally, technologies have been developed that allow remote access, usually via PC, to view and potentially reconfigure the operating parameters.
Field devices. Examples of field devices are process instrumentation such as pressure and temperature sensors and chemical analyzers. Other standard types of field devices include electric actuators. Intelligent field devices include electronics to enable field configuration, upload of calibration data, and so on. These devices can be configured off-line. They also can have real-time communication links between plant control systems, maintenance management systems, stand-alone PCs, and other devices inside and outside the facility.
3 DIGITAL INTERDEPENDENCIES AND SECURITY RISKS
Recognizing the increased interdependence between IT and electricity infrastructures, along with technical and business opportunities, electric power utilities typically own and operate at least parts of their own telecommunications systems which often consist of backbone fiber optic or microwave connecting major substations, with spurs to smaller sites.
The energy industry has historically operated closed, tightly controlled networks. Deregulation and the resulting commercial influences have placed new information sharing demands on the energy industry. Traditional external entities like suppliers, consumers, regulators, and even competitors now must have access to segments of the network. The definition of the network must be expanded to include the external wide-area network connections for these external entities. This greatly increases the security risk to other functional segments of the internal network that must be protected from external connections. This is true whether a private network or the Internet is used to support the external wide-area network. The external entities already have connections to the Internet and as such the Internet can provide the backbone for the External Wide-Area Network. Duplicating this backbone to create a private network requires not only large up-front start-up costs, but also ongoing maintenance costs and potentially higher individual transaction costs than using the Internet.
Information systems and on-line data processing tools include: the Open-Access Same-time Information System (OASIS), which is now in operation over the Internet; and Transfer Capability Evaluation (TRACE) software, which determines the total transfer capability for each transmission path posted on the OASIS network, while taking into account thermal, voltage, and interface limits.
Increased use of electronic automation raises issues regarding adequacy of operational security: (i) reduced personnel at remote sites makes them more vulnerable to hostile threats; (ii) interconnection of automation and control systems with public data networks
makes them accessible to individuals and organizations, from any worldwide location using an inexpensive computer and a modem; (iii) use of networked electronic systems for metering, scheduling, trading or e-commerce imposes numerous financial risks. Utility telecommunications often include several media and diversified communications networks which in part provide redundancy; these range from dedicated fiber-optic cables, digital and analog microwave, and VSAT satellite to power line carrier technology as well as the use of multiple address radio, spread spectrum radio, trunked mobile radio, and cellular digital packet data. Security of the cyber and communication networks now used by businesses is fundamental to the reliable operation of the grid; as power systems start to rely more heavily on computerized communications and control, system security has become increasingly dependent on protecting the integrity of the associated information systems. Part of the problem is that existing control systems, which were originally designed for use with proprietary, stand-alone communications networks, were later connected to the Internet (because of its productivity advantages and lower costs), but without adding the technology needed to make them secure. Communication of critical business information and controlled sharing of that information are essential parts of all business operations and processes. If the deregulation of the energy industry resumes, information security will become more important. Energy-related industries will have to balance what appear to be mutually exclusive goals of operating system flexibility with the need for security. Key electric energy operational systems depend on real-time communication links both internal and external to the enterprise. 
The functional diversity of these organizations has resulted in a need for these key systems to be designed with a focus on open systems that are user configurable to enable integration with other systems both internal and external to the enterprise. In many cases, these systems can be reconfigured for security using telecommunication technologies and in nearly all cases the systems dynamically exchange data in real time. Power plant DCS systems produce information necessary for dispatch and control. This requires real-time information flow between the power plant and the utility’s control center, system dispatch center, regulatory authorities, and so on. A power plant operating as part of a large wholesale power network may have links to an independent system operator, a power pool, and so on. As the generation business moves more and more into market-driven competitive operation, both data integrity and confidentiality will become major concerns for the operating organizations. Any telecommunication link which is even partially outside the control of the organization owning and operating power plants, SCADA systems or EMSs represents a potentially insecure pathway into business operations and to the grid itself. The interdependency analyses done by most companies during Y2K preparations have identified both these links and the systems’ vulnerability to their failures. Thus, they provide an excellent reference point for a cyber-vulnerability analysis. In particular, monitoring and control of the overall grid system is a major challenge. Existing communication and information system architectures lack coordination among various operational components, which usually is the cause for the unchecked development of problems and delayed system restoration. Like any complex dynamic infrastructure system, the electricity grid has many layers and is vulnerable to many different types of disturbances.
While strong centralized control is essential to reliable operations, this requires multiple, high data-rate, two-way communication links, a powerful central computing facility, and an elaborate operations control center, all of which are especially vulnerable when they are needed most—during serious system stresses or
power disruptions. For deeper protection, intelligent distributed control is also required; this would enable parts of the network to remain operational and even automatically reconfigure in the event of local failures or threats of failures. Distributed control capability is becoming available in next-generation integrated sensors that are equipped with two-way communication capability and support “intelligent agent” functions—not just sensing, but data assessment, adaptive learning, decisionmaking, and actuation. The development of IEDs that combine sensors, telecommunication units, computers, and actuators will allow highly automated adjustments to be made at many points on the system and protect substantially against cascading failures. The use of distributed intelligent agents also opens the door to the development of a self-healing power grid that responds adaptively to counteract disturbances at the site of their occurrence. Intelligent sensors will be capable of gathering a wide range of operating data, including time-stamped measurements of voltage, current, frequency, phase angle, and harmonics. This information, that provides input for distributed control, can also be integrated into a real-time system-wide database and coupled with analysis tools that perform dynamic monitoring, state estimation, disturbance analysis, and contingency assessment for the grid as a whole. Unfortunately, simulation-based techniques and mathematical models are presently unable to accurately portray the behavior of interactive networks, whose dynamics can be highly nonlinear. Fine-tuning existing models with real-world input from distributed sensors may offer improvements, but substantial progress will require the formulation of new models. SCADA and EMS system operations are critically dependent on the telecommunication links that gather data from geographically dispersed sources and transmit operational and control instructions to geographically dispersed facilities. 
In the North American grid, these telecommunications links run the gamut from hardwired private networks to multinetwork systems using a combination of private and public networks for both data acquisition and control. Not all of the networks are hardwired. Microwave and satellite communications links are common alternatives in areas where topography and/or distance makes wireless more cost effective. At first glance it would seem that a private, hardwired network that is totally within the control of the owner organization is a secure system. However, even hardwired private networks will be linked to networks outside the control of the company. Typical outside data sources are bulk power customers, major retail customers, bulk power providers, power pools, independent system operating entities, and so on. These connections can offer a multitude of paths into the SCADA and EMS systems. Without proper security design and management, each link is a potential security risk. Challenges include how to handle network disruptions and delays and manage orbits from the satellite. A major source of complexity is the interdependence of the telecommunication networks and the power grid. Issues range from the highest command and control level to the individual power stations and substations at the middle level, and then to the devices and power equipment at the lowest level. As the readers of this Handbook know, technology is a two-edged sword. In the case of electricity, the aforementioned discussion reveals one edge (i.e. the risk) to be the extent to which IT introduces a new set of security concerns. The other edge (i.e. the promise) remains because of the substantial increases in capacity and efficiency that are made possible through continuing IT advancements. The following is a sample of the emerging technologies that promise continuing gains in the electricity sector:
• Flexible Alternating Current Transmission System (FACTS) devices, which are high voltage thyristor-based electronic controllers that increase the power capacity of transmission lines and have already been deployed in several high value applications (At peak demand, up to 50% more power can be controlled through existing lines.);
• Unified Power Flow Controller (UPFC), a third-generation FACTS device that uses solid-state electronics to direct power flow from one line to another to reduce overloads and improve reliability;
• Fault Current Limiters (FCLs), which absorb the shock of short circuits for a few cycles to provide adequate time for a breaker to trip (Preliminary results of post–August 14th outage show that FCLs could have served as “shock absorbers” to limit the size of blackouts.);
• Innovations in materials science and processing, including high temperature superconducting (HTS) cables, oxide-power-in-tube technology for HTS wire, and advanced silicon devices and wide-bandgap semiconductors for power electronics;
• Information systems and on-line data processing tools such as the OASIS and TRACE software, which determine total transfer capability for each transmission path posted on the OASIS network, while taking into account thermal, voltage, and interface limits;
• Wide-Area Measurement Systems (WAMS), which integrate advanced sensors with satellite communication and time stamping using GPSs to detect and report angle swings and other transmission system changes;
• Enhanced IT systems for Wide-Area Measurement/Management Systems (WAMS), OASIS, SCADA systems, and EMS;
• Advanced software systems for dynamic security assessment of large/wide-area networks augmented with market/risk assessment; and
• IEDs with security provisions built in by combining sensors, computers, telecommunication units, and actuators; related “intelligent agent” functions such as assessment, decision, and learning.
However, even if most of the above technologies are developed and deployed, there is still a major management challenge in making such a complex network perform reliably with security. These issues are taken up next.
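The link inventory that this section calls a reference point for a cyber-vulnerability analysis can be written down as a graph and checked for which links outside the owner's control reach the EMS and SCADA systems. The following is an added example, not part of the chapter: the link list, media, owner-controlled flags and function names are constructed assumptions.

```python
from collections import deque

# Constructed sample inventory (an assumption, not data from the chapter).
# Each link: (endpoint_a, endpoint_b, medium, owner_controlled).
LINKS = [
    ("power_pool", "EMS", "leased circuit", False),
    ("ISO", "EMS", "private WAN", False),
    ("bulk_customer", "corporate_network", "Internet", False),
    ("automated_metering", "corporate_network", "cellular", False),
    ("corporate_network", "plant_DCS", "plant data highway", True),
    ("plant_DCS", "EMS", "utility fiber", True),
    ("EMS", "SCADA", "control-center LAN", True),
    ("SCADA", "substation_RTU", "utility microwave", True),
    ("SCADA", "DA_RTU", "telephone circuit", False),
    ("substation_RTU", "protective_relay", "substation wiring", True),
]
EXTERNAL = {"power_pool", "ISO", "bulk_customer", "automated_metering"}
CRITICAL = ("EMS", "SCADA")


def internal_graph(links, external):
    """Adjacency map of the utility's own systems (external entities left out)."""
    graph = {}
    for a, b, _medium, _owned in links:
        for node in (a, b):
            if node not in external:
                graph.setdefault(node, set())
        if a not in external and b not in external:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def shortest_path(graph, starts, goal, removed=frozenset()):
    """Breadth-first search from any node in `starts` to `goal`; None if cut off."""
    queue = deque([s] for s in sorted(starts) if s not in removed)
    seen = set(starts)
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph[path[-1]] - seen - set(removed)):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def exposure_report(links, external, critical):
    """One row per (link outside owner control, critical system it can reach)."""
    graph = internal_graph(links, external)
    rows = []
    for a, b, medium, owned in links:
        if owned:
            continue
        # Where the uncontrolled link lands inside the utility's own network.
        entry = {n for n in (a, b) if n not in external}
        for target in critical:
            path = shortest_path(graph, entry, target)
            if path is None:
                continue
            # A chokepoint is an intermediate system every path must cross:
            # taking it out of the graph cuts the entry point off from the target.
            middle = set(graph) - entry - {target}
            chokepoints = sorted(
                n for n in middle
                if shortest_path(graph, entry, target, removed={n}) is None
            )
            rows.append({
                "link": f"{a} <-> {b} ({medium})",
                "target": target,
                "hops": len(path) - 1,
                "path": path,
                "chokepoints": chokepoints,
            })
    # Fewest hops first: those links have the least room for intermediate controls.
    return sorted(rows, key=lambda r: (r["hops"], r["link"], r["target"]))


if __name__ == "__main__":
    for row in exposure_report(LINKS, EXTERNAL, CRITICAL):
        print(f'{row["hops"]} hop(s) to {row["target"]:5} via {row["link"]}: '
              f'{" -> ".join(row["path"])}  chokepoints={row["chokepoints"]}')
```

Rows with zero hops are links outside the owner's control that terminate directly on a critical system. The chokepoints column names the systems through which all traffic from that link must pass, which is where a single mediating control covers every path.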
4 MANAGEMENT
Human performance. Infrastructures are systems with “humans in the loop”. This is indeed the case for electricity networks. Several key human resources issues arise in bringing IT to improve the performance of electric power. The first is operator experience. The second is retaining professionals in the field of electric power engineering. The third is how users and consumers can interface with IT-enabled electric power systems.
Operator training. Several root causes of the August 14th outage point to lack of operators’ situational awareness and coordination. IT has a key role to play in the optimization of operator interfaces and other human factor issues. Basically, the problem is finding the most effective way for machines and humans to work together, and the data glut and maintaining operator attention are largely at the center of the problem. Good operator interfaces provide adequate visualization of the state of the system, and they should be designed so that the user can remain tuned in to many different factors while giving active attention to only a few. Much of the answer is simply a matter of how information is packaged for viewing. IT innovations are expected to have applications in personnel training and optimization of human performance, for example, through the use of virtual reality for training, for maintenance or rapid repair work, especially those involving hazardous situations. Voice recognition is another technology expected to come into broad use over the next decade; replacement of keyboarding with voice-based input capability could greatly streamline and simplify human interaction with computers and other electronic control equipment. Since humans interact with these infrastructures as managers, operators, and users, human performance plays an important role in their efficiency and security. In many complex networks, human participants themselves are both the most susceptible to failure and the most adaptable in the management of recovery. Modeling and simulating these networks, especially their economic and financial aspects, will require modeling the bounded rationality of actual human thinking, unlike that of a hypothetical “expert” human as in most applications of AI. Even more directly, most of these networks require some human intervention for their routine control and especially when they are exhibiting anomalous behavior that may suggest actual or incipient failure.
Retaining a trained workforce. A growing concern related to the human network is the erosion of technical knowledge within the power industry. To a large extent this is a matter of the retirement of seasoned power engineers, exacerbated by recent downsizing and reductions of in-house workforce. These key employees take their knowledge with them when they go.
It will take a long time to recruit replacements. A second related issue is that new engineers are not entering the field rapidly enough to replace retirees. The average power engineer’s age has increased significantly over the last two decades. A serious shortage of power engineers is developing, and is expected to continue for several decades.
Users. Operators and maintenance personnel are obviously “inside” these networks and can have direct, real-time effects on them. But users of a telecommunication, transportation, electric power or pipeline system also affect the behavior of those systems, often without conscious intent. The amounts, and often nature, of demands put on the network can be the immediate cause of conflict, diminished performance, and even collapse. Reflected harmonics from one user’s machinery degrade power quality for all. Long transmissions from a few users create Internet congestion. Simultaneous lawn watering drops everyone’s water pressure. No one is “outside” the infrastructure.
Given that there is some automatic way to detect actual or imminent local failures, the obvious next step is to warn the operators. Unfortunately, the operators are usually busy with other tasks, sometimes even responding to previous warnings. In the worst case, detected failure sets off a multitude of almost simultaneous alarms as it begins to cascade through the system, and, before the operators can determine the real source of the problem, the whole network has shut itself down automatically. Unfortunately, humans have cognitive limitations that can cause them to make serious mistakes when they are interrupted. In recent years, a number of systems have been designed that allow users to delegate tasks to intelligent software assistants (“softbots”) that operate in the background, handling routine tasks and informing the operators in accordance with some protocol that establishes the level of their delegated authority to act independently. In this arrangement, the operator becomes a supervisor, who must either cede almost all authority to subordinates or be subject to interruption by them. At present, we have very limited understanding of how to design user interfaces to accommodate interruption.
Information security. The electric power industry traditionally has been a vertically integrated industry that in some cases operated in pseudo-monopolistic fashion. However, the industry is currently undergoing restructuring, which frequently results in a break-up of the vertical structure. Additionally, there has been a significant move on the part of the control system suppliers to electric and petrochemical industries toward open, user-configurable systems utilizing real-time communications. With a vertical structure, local and wide-area networks were sufficient to maintain a reasonably secure data network. However, deregulation and new networking technologies are making secure communications more important, and more difficult to develop and maintain. Information security is concerned with the relationships between people and information. In these relationships, people are owners, custodians, creators, readers, modifiers, certifiers, or even subjects of the information. It follows then that the information itself is the object of various actions by people—creation, destruction, reading, modification, and certification. Information security is concerned with first defining appropriate relationships between people as actors and information resources as objects; these relationships are usually defined as a set of rules defining permitted actions.
Not all threats come from outside the organization nor are all threats malicious. Information security is also concerned with controlling the relationships between people and information so that information is managed according to well-defined rules. Some human agent or institutional agency of authority is usually charged with creating, communicating, applying, monitoring, and enforcing these information security rules. Examples of contemporary information security rules are: rules for handling government classified documents; rules for ensuring client-attorney privilege or privacy of shared information; rules followed by corporate accountants and checked by financial auditors; and rules for ensuring accuracy and completeness of patients’ health records. Generally, these rules define information security controls based on properties of special classes of information; these properties fall into three broad categories: confidentiality of sensitive information; integrity and authenticity of critical information; and availability of necessary information. These principles need to be applied to the management of electricity systems, including the operators and managers of these systems.
Complex system failure. Beyond the human dimension, there is a strategic need to understand the societal consequences of infrastructure failure risks along with benefits of various tiers of increased reliability. From an infrastructure interdependency perspective, power, telecommunications, banking and finance, and transportation and distribution infrastructures are becoming more and more congested, and are increasingly vulnerable to failures cascading through and between them. A key concern is the avoidance of widespread network failure because of cascading and interactive effects. Moreover, interdependence is only one of the several characteristics that challenge the control and reliable operation of these networks. Other factors that place increased stress on the power grid include dependencies on adjacent power grids (increasing because of deregulation), telecommunications, markets, and computer networks. Furthermore, reliable electric service is critically dependent on the whole grid’s ability to respond to changed conditions instantaneously. Prior to the tragic events of September 11th, the US President’s Commission on Critical Infrastructure Protection in 1997 highlighted growing concern (CIAO 1997). It noted the damaging and dangerous ways cascading failures could unpredictably affect the economy, security, and health of citizens. Secure and reliable operation of these systems is fundamental to our economy, security and quality of life, as noted by the President’s Commission on Critical Infrastructure Protection Report published in October 1997 and the subsequent Presidential Directive 63 on Critical Infrastructure protection, issued on May 22, 1998. Secure and reliable operation of critical infrastructures poses significant theoretical and practical challenges in analysis, modeling, simulation, prediction, control, and optimization. To address these challenges, a research initiative—the EPRI/DOD CIN/SI—was undertaken during 1998–2001 to enable critical infrastructures to adapt to a broad array of potential disturbances, including terrorist attacks, natural disasters, and equipment failures. The CIN/SI overcame the long-standing problems of complexity, analysis, and management for large interconnected systems—and systems of systems—by opening up new concepts and techniques for the strategic management of this infrastructure system.
Dynamical systems, statistical physics, information and communication science, and computational complexity were extended to provide practical tools to measure and model the power grid, cell phone networks, Internet, and other complex systems. For the first time, global dynamics for such systems can be understood fundamentally.
5 NEXT STEPS
Funding and sustaining innovations, such as the smart self-healing grid, remain a challenge as utilities must meet many competing demands on precious resources while trying to be responsive to their stakeholders, who tend to limit R&D investments to immediate applications and short-term return on investment. In addition, utilities have little incentive to invest in the longer term. For regulated investor-owned utilities there is added pressure caused by Wall Street to increase dividends. Several reports and studies have estimated that for existing technologies to evolve and for the innovative technologies to be realized, a sustained annual research and development investment of $10 billion is required. However, the current level of R&D funding in the electric industry is at an all-time low. The investment rates for the electricity sector are the lowest rates of any major industrial sector with the exception of the pulp and paper industry. The electricity sector invests at most only a few tenths of a percent of sales in research—this in contrast to fields such as electronics and pharmaceuticals in which R&D investment rates have been running between 8% and 12% of net sales—and all of these industry sectors fundamentally depend on reliable electricity. A balanced, cost-effective approach to investments and use of technology can make a sizable difference in mitigating the risk.
CROSS-CUTTING THEMES AND TECHNOLOGIES
ACKNOWLEDGMENTS
I developed most of the context and many of the findings presented here while I was at the EPRI in Palo Alto (during 1998–2003), and for the Galvin Electricity Initiative (during 2005–2006). I gratefully acknowledge the feedback from Mr John Voeller (the editor of this series). The support and feedback from numerous colleagues at EPRI, universities, industry, national laboratories, and government agencies with funding from EPRI, NSF, and the ORNL is gratefully acknowledged.
INHERENTLY SECURE NEXT-GENERATION COMPUTING AND COMMUNICATION NETWORKS FOR REDUCING CASCADING IMPACTS
Robert P. Evans
Idaho National Laboratory, Idaho Falls, Idaho
Virgil B. Hammond and Shabbir A. Shamsuddin
Argonne National Laboratory, Argonne, Illinois
1 INTRODUCTION
Security is of vital interest to all participants in the control system sphere of interest. This includes governmental agencies, vendors, users, and consultants, as well as industry advisory groups. The article explores some of the efforts being used by these participants to identify and mitigate security exposures using risk management methodologies, technology tools, and standards.
2 STANDARDS, GUIDELINES, AND BEST PRACTICES
Standardization has a major impact on each of us, yet most of us do not understand what it means or how it affects our lives. Standardization is the process of establishing a technical benchmark that may be defined by written documents that lay out the criteria for the standardized measure. This technical benchmark document may take one of several forms, depending on its level of acceptance, and can be described as a set of criteria some of which may be mandatory, voluntary guidelines, and/or best practices.
3 STANDARDS
Standards are an important part of the total effort to achieve control system cyber security. As rules or requirements that define accepted operational criteria, they provide a measure of consistency and a means for quantifying quality and reliability. Standards provide a performance framework for hardware and software vendors who build the components for a control system. Standards provide a similar service for the personnel who operate and maintain the control system, once it becomes operational. Standards are most effective when the engineers and operators using the standards understand the capabilities and limitations of each standard and its history. A standard, as defined by the National Standards Policy Advisory Committee is:
“A prescribed set of rules, conditions, or requirements concerning definitions of terms; classification of components; specification of materials, performance, or operations; delineation of procedures; or measurement of quantity and quality in describing materials, products, systems, services, or practices” [1].
Standards are sets of rules or requirements, which define the accepted criteria for a component, procedure, system, and so on. Standards are developed by a consensus of the judgment of volunteers, who pool their knowledge base and experience.
3.1 Guidelines
Guidelines are tools that attempt to streamline a process or procedure. They may consist of rules or suggestions that, when applied, may simplify the process or procedure, and provide a level of quality and consistency. Guidelines may be issued by any organization to make the processes more uniform and, it is hoped, of high quality. By definition, guidelines are not mandatory but attempt to provide a set of knowledge that can be applied [2, 3].
4 BEST PRACTICE
Best practices, sometimes referred to as recommended practices, are a management tool that asserts that there is a technique, method, process, and so on, which is more effective at delivering a particular result than any other. As with standards and guidelines, best practices may consist of a set of good and practical industry practices or suggestions, which, when followed, will produce superior performance. As with guidelines, best practices are not mandatory, unless they become a standard and are imposed by a particular organization as a requirement [4, 5].
4.1 Cyber and Control Systems Security Standards in Common Use
The use of cyber security standards (including standards, guidelines, and best practices) can greatly assist in the protection of critical infrastructure by providing requirements, guidelines, and requisite imperatives in the implementation and maintenance of computer-controlled systems. Standards are most effective when the decision-makers, engineers, and operators using the standards understand what each addresses and does not address. There is a link between cyber vulnerabilities and the standards that are intended to provide mitigation opportunities. For example, standards for equipment design and operation offer direction for vendors to use in bringing usable and compatible products to market, while providing companies the specifications required to select and implement the appropriate equipment and procedures. Most of all, these standards ensure that equipment is operated and maintained efficiently [6].
Standards organizations are, for the most part, public organizations that have little or no enforcement ability. They rely on educating the users as to the importance of security, and of the potential benefits that standards can add to their operations. Where cyber security standards are implemented, they provide reliable direction toward achieving an acceptable level of cyber security by providing a framework
on which to construct a viable and rational security policy. They also provide an important frame of reference when performing risk analysis of an operating control system. The cyber security standards issued by these organizations are frequently referred to as either sector-specific or cross-sector in their focus. Sector-specific standards include standards and associated documents, which address cyber security considerations that are specific to operators within the issuing industry. Cross-sector standards are developed and issued by organizations whose focus extends across several discrete and dissimilar operating arenas, whose only common interest may be the prevention and mitigation of cyber attack upon their facilities. These standards address security issues that are of universal concern to infrastructure operators, without regard to the particular industry that may be implementing the standard. Certain of these standards, such as those issued by the Federal Energy Regulatory Commission (FERC) and the Health Insurance Portability and Accountability Act (HIPAA), come from the Federal government and have the driving force of public law. Most others are issued by private and/or public industry organizations, and are dependent upon voluntary compliance.
5 MEASURE AND ASSESS SECURITY POSTURE
5.1 Risk Assessment Factors
Managing the security risks associated with the industry’s growing reliance on control system and information technology (IT) is a continuing challenge. In particular, many private organizations have struggled to find efficient ways to ensure that they fully understand the cyber security risks affecting their operations, and can implement appropriate controls to mitigate these risks. A principal challenge that many companies face is identifying and ranking the cyber and control systems’ security risks to their operations, which is the first step in developing and managing an effective security program. Taking this step helps ensure that organizations identify the most significant risks and determine what actions are appropriate to mitigate them [7].
The General Accounting Office, in its white paper titled, “Information Security Risk Assessment: Practices of Leading Organizations” [8], has identified a set of common critical success factors that are important to the efficient and effective implementation of the organizations’ information security risk assessment programs. These factors help ensure that the organizations benefit fully from the expertise and experience of their senior managers and staff, that risk assessments are conducted efficiently, and that the assessment results lead to appropriate remedial actions. The critical risk assessment success factors include the following:
1. Obtain senior management commitment, support, approval, and involvement to ensure that the resources are available to implement the program, and that assessment findings result in implementation of appropriate changes to policies and controls.
2. Designate individuals or groups as focal points to oversee and guide the overall risk assessment processes.
3. Define documented procedures for conducting risk assessments, and develop tools to facilitate and standardize the process.
4. Involve business and technical experts including a variety of individuals from the business unit having expertise in business operations, business processes, security, information resource management, IT, and system operations.
5. Hold business units responsible for initiating and conducting risk assessments, as well as evaluating and implementing the resulting recommendations.
6. Limit the scope of individual assessments by conducting a series of narrower assessments on various individual segments of the business and operations.
7. Document and maintain results so that managers could be held accountable for the decisions made, and a permanent record is established that can be used by auditors for compliance to the security policy [8].
5.2 Risk Measurement
The challenge in measuring risk is determining what to measure and how it should be measured. To measure the security posture of a control system, the organization needs to follow a set of rules that focuses the company security goals by applying the risk assessment factors described earlier. When assessing vulnerability, it is worthwhile to be aware of certain qualitative terms. Exposure is about possibility. Risk is about probability. And impact is about consequence. The following equation is sometimes used to express these mathematically [9]:
Expected loss × threat × vulnerability = exposure = risk
Exposure measurements can be used as a relative comparison within an environment or across companies. If one can assume that risk is constant for like-sized companies (even if we do not know the number itself), this exposure measure can act as a “risk proxy” to measure the relative difference in risk levels.
The Department of Homeland Security (DHS) under the FY2007 Homeland Security Grant Guidance describes the DHS approach to risk assessment as follows: risk will be evaluated at the federal level using a risk analysis model developed by DHS in conjunction with other federal entities. Risk is defined as the product of three principal variables:
• Threat (T)—the likelihood of an attack occurring.
• Vulnerability and consequence (V&C)—the relative exposure and expected impact of an attack [10].
Risk (R) = T × V × C
5.3 Security Metrics
Metrics and measurement are two vastly different concepts. Measurements are generated by counting, and provide specific views of discrete factors. Metrics, on the other hand, are generated through analysis. They are derived from measurements, to which contextual
information has been added for comparison to a predetermined baseline, or for comparing two or more measurements taken over time [11]. The measure of security policies, processes and products is the much-sought-after solution to this conundrum. Security managers in industry look for a magic formula that calculates risk and effectiveness in reducing risk, but the reality is that security metrics are not that simple. Measuring security is about using common sense. An organization needs to determine what to measure, and to organize the variables in a way that makes them manageable and meaningful. It needs to build repeatable formulas that show the snapshot status of security and how it changes over time. Truly useful metrics indicate the degree to which goals are being met, and then drive actions taken to improve organizational processes. When applied to control system security performance, the metric is the expression of the state and/or quality of a critical aspect of the control system infrastructure. It is the basis for directing investments to areas of high risk, as well as a forum for communication to stakeholders both inside and outside the organization. Applying regular, repeatable metrics to a security performance initiative can benefit organizations in a number of ways. They:
1. provide a measurement of the effectiveness of controls;
2. identify and target areas for improvement;
3. communicate the effectiveness of risk management programs;
4. drive proper actions in focused areas and extend accountability;
5. provide hard evidence of compliance for internal and external use; and,
6. provide actionable views across the enterprise, lines of business, or specific areas of IT and control systems infrastructures [11].
6 CYBER SECURITY THREATS AND VULNERABILITIES
Many companies today have conducted and are conducting security vulnerability analyses to evaluate the risks of physical attacks on their facilities, and many of these facilities have been hardened since 9/11. However, the importance of cyber security for manufacturing and control systems has only recently been recognized, and therefore has not yet been fully addressed by most industrial companies. Appropriate security measures must be taken to avoid events that could have cascading impacts on other critical infrastructures (Figure 1) [12]. Lesser cyber attacks have occurred and are occurring every day. Actions are needed now to deal with this threat. Companies must conduct cyber security vulnerability analyses to identify threats to their control and support systems, to determine if vulnerabilities are present, and to evaluate existing countermeasures to determine if they need to be strengthened or new ones implemented. Control systems, and their support systems, are subject to threats from adversaries who may wish to disable or manipulate them by cyber or physical means, or who may want to obtain, corrupt, damage, destroy, or prohibit access to valuable information. The organization should evaluate the risk of these threats in order to decide what protective measures should be taken to protect systems from disruption. The vulnerabilities typically observed in the course of conducting vulnerability assessments are grouped in the following five categories: data, security administration, architecture, network, and platforms. Any given control system will usually exhibit a subset of these vulnerabilities, but may also have some unique additional problems [13]. The
Federal government has played an irreplaceable role in providing support for fundamental, long-term IT research and development (R&D), generating technologies that gave rise to the multibillion-dollar IT industry. The President’s Information Technology Advisory Committee (PITAC) review of current federally supported R&D in cyber security finds an imbalance, however, in the current cyber security R&D portfolio. Most support is for short-term, defense-oriented research; there is relatively little support for fundamental research to address the larger security vulnerabilities of the civilian IT infrastructure, which supports defense systems as well. In the report to the President in 2005, PITAC urged changes in the Federal government’s cyber security R&D portfolio to increase federal support for fundamental research in civilian cyber security, intensify federal efforts to promote recruitment and retention of cyber security researchers and students at research universities, provide increased support for the rapid transfer of federally developed cutting-edge cyber security technologies to the private sector, and strengthen the coordination of the Interagency Working Group on Critical Information Infrastructure Protection and integrate it under the Networking and Information Technology Research and Development Program [14]. The Homeland Security Department has teamed with 13 organizations on a 12-month project to secure the process control systems of the nation’s oil and gas industries against cyber security threats. A cyber attack on the control and data systems that operate electric power plants, oil refineries, and gas pipelines, which are pieces of the nation’s 18 critical infrastructure
[FIGURE 1 Illustrative infrastructure interdependencies (Peerenboom, Fisher, and Whitfield, 2001). Infrastructures shown: oil, natural gas, electric power, telecom, water, and transportation.]
sectors, could potentially bring the country to a halt. The problem is compounded because private companies control more than 85% of the country’s critical infrastructure, leaving the government few avenues to ensure that IT and control systems are secure. The potential costs of an infrastructure attack are significant. The Northeast Blackout on August 14, 2003, left 50 million customers and parts of eight states and Canada without power. According to a report by an electricity consumers research council, the outage cost an estimated $7–10 billion in financial losses; shut down parts of a 2 million barrel-per-day pipeline; and airports in 13 cities. To combat the cyber threats, the government, industry, research labs, security vendors, and process control technology vendors embarked on the project, “Linking the Oil and Gas Industry to Improve Cyber security”, to come up with technology that could reduce vulnerabilities in infrastructure and could fix system vulnerabilities. The potential solution to such cyber threats is a strong cyber security posture by the entities that may be vulnerable to such attacks. A major challenge to preserve system protection is that system architectures change, technology changes, and threats change, all of which means that defenses must change.
7 CASCADING FAILURE
A cascading failure occurs when a disruption in one infrastructure causes a disruption in a second infrastructure (e.g. the August, 2003, blackout led to communications and water-supply outages, air traffic disruptions, chemical plant shutdowns, and other interdependency-related impacts) [12]. The complexity of multiple infrastructure linkages and the implications of multiple contingency events that may affect the infrastructures are apparent even in the highly simplified representation shown in Figure 1. The security, economic prosperity, and social well-being of the nation depend on the reliable functioning of our increasingly complex and interdependent infrastructures. These include energy systems (electric power, oil, and natural gas), telecommunications, water-supply systems, transportation (road, rail, air, and water), banking and finance, and emergency and government services. In the new economy, these interconnected infrastructures have become increasingly fragile and subject to disruptions that can have broad regional, national, and global consequences. A disruption in an infrastructure would be magnified by the codependencies in supervisory control and data acquisition (SCADA) systems. An example might be a power loss that affects telecommunication systems upon which banking transactions rely. Vulnerability to these cascading effects was seen during Hurricanes Katrina and Rita in 2005, where a major American city came to a virtual standstill. As we are now seeing, it will take years to rebuild. Failure nodes are repeatedly created at the intersections of our tightly coupled, highly sophisticated transportation, electric power, and telecommunications systems. These failure potentials are compounded by the infrastructures’ reliance on information and control systems’ hardware and software.
Understanding, analyzing, and sustaining the robustness and resilience of these infrastructures require multiple viewpoints and a broad set of interdisciplinary skills. For example, engineers (civil, electrical, industrial, mechanical, systems, etc.) are needed to understand the technological underpinnings of the infrastructures, as well as the complex physical architectures and dynamic feedback mechanisms that govern their operation and response (e.g. response to stresses and disruptions). Computer scientists, IT specialists, and network/telecommunication experts are needed to understand the electronic and informational (cyber) linkages among the
infrastructures. IT security, information assurance professionals, and control engineers are needed to ensure information and control system security [15].
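The cascade described in this section can be modelled as a dependency graph. The following Python example is added here and is not from the original chapter: each infrastructure can ride through the loss of a supplier for some hours, so the hour at which it goes down is a shortest-path computation from the initial failure. The dependency links follow those named in the text and Figure 1; the ride-through hours, the function names, and the assumption that nothing is restored within the horizon are constructed for illustration.

```python
"""Added example: timing of a cascading failure across interdependent infrastructures."""
import heapq

# consumer -> {supplier: hours the consumer can ride through losing that supplier}
# Links mirror dependencies named in the chapter (power for pumps, SCADA and
# communications, fuel for generators, banking over telecom). All hour values
# are constructed for illustration, not measured data.
DEPENDS_ON = {
    "electric_power": {"natural_gas": 48, "telecom": 24},
    "telecom": {"electric_power": 8},
    "water": {"electric_power": 4, "telecom": 24},
    "natural_gas": {"electric_power": 12},
    "oil": {"electric_power": 12},
    "transportation": {"electric_power": 0, "oil": 72},
    "banking": {"telecom": 0},
}


def simulate_cascade(depends_on, initial_failure, horizon_hours=72):
    """Return {infrastructure: hour it goes down} for failures within the horizon.

    A consumer goes down as soon as any one supplier has been down for the
    consumer's ride-through time, so the earliest failure hour of each node is
    the shortest path from the initial failure (Dijkstra's algorithm).
    Assumption: no supplier is restored during the horizon.
    """
    # Invert the map to supplier -> [(consumer, ride_through_hours)].
    feeds = {}
    for consumer, suppliers in depends_on.items():
        for supplier, hours in suppliers.items():
            feeds.setdefault(supplier, []).append((consumer, hours))

    down_at = {}
    queue = [(0, initial_failure)]
    while queue:
        hour, name = heapq.heappop(queue)
        if name in down_at or hour > horizon_hours:
            continue  # already failed earlier, or survives the study period
        down_at[name] = hour
        for consumer, ride_through in feeds.get(name, []):
            if consumer not in down_at:
                heapq.heappush(queue, (hour + ride_through, consumer))
    return down_at


def with_ride_through(depends_on, consumer, supplier, hours):
    """Return a copy of the model with one ride-through time changed,
    e.g. to evaluate added backup generation at a single site class."""
    changed = {c: dict(s) for c, s in depends_on.items()}
    changed[consumer][supplier] = hours
    return changed


if __name__ == "__main__":
    print("Power lost at hour 0:")
    for name, hour in sorted(simulate_cascade(DEPENDS_ON, "electric_power").items(),
                             key=lambda item: item[1]):
        print(f"  hour {hour:>2}: {name}")

    # Mitigation study: telecom sites given 96 h of backup power.
    hardened = with_ride_through(DEPENDS_ON, "telecom", "electric_power", 96)
    print("Same event with 96 h telecom backup:",
          sorted(simulate_cascade(hardened, "electric_power")))
```

Lengthening one ride-through time and re-running shows which downstream failures a single buffer removes from the cascade, which is the kind of comparison a mitigation study needs.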
8 LEGACY SYSTEMS
The term legacy control system is used variously to refer to old mainframe, dumb-terminal applications from the 1970s and 1980s; client/server systems of the 1990s; and even to first generation web-based business applications developed in the late 1990s [16]. In this section we will refer to legacy systems in the context of the first two examples. Legacy control systems were originally designed to be free-standing networks without Internet access. These control systems monitored and controlled critical infrastructure processes. They were operated in an isolated or stand-alone environment where computer systems and devices communicated with each other exclusively, and typically did not communicate or share information with systems not directly connected to the control system network. These control systems typically comprised proprietary hardware, software, and protocols designed specifically for control system operations. Knowledge of these proprietary applications and protocols was limited to a small population. Proprietary control system protocols and data were not readily available to the general population and significant effort and resources would have been required to acquire the proprietary information, understand the control system, discover vulnerabilities in the control system, develop the tools to exploit the identified vulnerabilities, and gain sufficient access to the control system so that vulnerabilities could be exploited to carry out unauthorized or malicious activities. For the reasons presented, in particular because access to control systems was greatly limited, critical infrastructure control system security efforts were primarily focused on protecting control systems from physical attacks.
More recently, with the vast IT expansion and the drive toward having information readily available from any location, many previously stand-alone control systems are being transitioned to the “always connected” world, where real-time control system information can be readily and easily accessed remotely by vendors, engineers, maintenance personnel, business managers, and others via corporate networks, the Internet, telephone lines, and various wireless devices. Legacy systems that have been retrofitted to incorporate Internet accessibility may be especially vulnerable to attack due to the ad hoc manner of their integration with the network. This imperfect fit between the different software applications could generate more vulnerable code aspects than would be found in a single piece of software. It may be possible, for example, through a poorly defined variable, to force a software program to behave in a way not expected by the author. When two programs are brought together, the potential program weaknesses are multiplied. Thus, legacy systems with network access added may be more prone to security flaws and weaknesses than systems that use a single piece of software for both functions [17]. To reduce operational costs and improve performance, control system vendors and critical infrastructure owners and operators have been transitioning from proprietary systems to less expensive standardized technologies, operating systems, and protocols currently prevalent on the Internet. These widely accepted technologies, protocols, and operating systems, such as Ethernet, Internet Protocol, Microsoft Windows, and web technologies, have a large number of known cyber vulnerabilities, and new vulnerabilities are reported on a daily basis. Exploitation tools, malware, and how-to papers are often readily available shortly after the announcement of a new vulnerability. Significant information on control systems is
now publicly available, including design and maintenance documents, technical standards for the component interconnections, and standards for communicating between devices. In addition, control system security concerns are elevated because control systems are typically not up-to-date with the latest security patches, fixes, and best practices due to concerns with taking real-time systems off-line and concerns over making system modifications, which might affect the time sensitive operations of the control system or potentially affect existing agreements with control system vendors or others [18]. Legacy system operators must be aware of the vulnerabilities inherent with upgrading to meet today’s networking capabilities, and implement appropriate protection options. Some examples of “best practice” options (that are applicable to all systems, from legacy to state-of-the-art) include: disabling unused ports; encryption; dual authentication; and working with both private sector and government agencies to identify and put into use more robust security measures.
9 INTRUSION DETECTION AND RESPONSE TECHNOLOGY
The increasing speed of attacks against IT and control systems highlights a requirement for comparably timely responses. Threats such as malware and scripted exploits often allow a time frame of only a few minutes or even seconds to respond, which effectively eliminates the feasibility of manual intervention and highlights a requirement for automated approaches to provide a solution. However, it can be seen that existing security technologies are often insufficient. For example, although intrusion detection systems (IDS) can be used to identify potential incidents, they have a tendency to produce high volumes of false alarms and consequently cannot be trusted to issue automated responses for fear of disrupting legitimate activity.
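The false-alarm problem described above can be made concrete. The following Python sketch is an added example, not part of the original chapter: it applies Bayes' rule to an IDS alert and then selects the response with the lowest expected cost, counting the disruption a response causes to legitimate operations. All rates, costs, and response names are constructed assumptions, and the second alert is assumed to come from an independent sensor.

```python
"""Added example: should an IDS alert trigger an automated response?"""
from dataclasses import dataclass


def attack_probability(prior, detection_rate, false_alarm_rate):
    """Bayes' rule: probability that an alert reflects a real attack.

    prior            -- probability an event is an attack before the alert
    detection_rate   -- P(alert | attack)
    false_alarm_rate -- P(alert | benign activity)
    """
    for value in (prior, detection_rate, false_alarm_rate):
        if not 0.0 <= value <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    true_alerts = detection_rate * prior
    false_alerts = false_alarm_rate * (1.0 - prior)
    if true_alerts + false_alerts == 0.0:
        raise ValueError("an alert is impossible under these rates")
    return true_alerts / (true_alerts + false_alerts)


@dataclass(frozen=True)
class Response:
    name: str
    disruption_cost: float  # cost to legitimate operations every time it fires
    effectiveness: float    # fraction of attack damage it prevents, 0..1


def expected_costs(p_attack, damage, responses):
    """Expected cost per response: its disruption plus the damage it fails to stop."""
    return {
        r.name: r.disruption_cost + p_attack * damage * (1.0 - r.effectiveness)
        for r in responses
    }


def choose_response(p_attack, damage, responses):
    """Name of the response with the lowest expected cost."""
    costs = expected_costs(p_attack, damage, responses)
    return min(costs, key=costs.get)


# Constructed figures for illustration only.
PRIOR = 0.001            # 1 in 1000 monitored events is an attack
DETECTION_RATE = 0.95
FALSE_ALARM_RATE = 0.05
DAMAGE = 100_000         # loss if a real attack runs unchecked
RESPONSES = [            # hypothetical response actions
    Response("log_only", 0, 0.0),
    Response("throttle_session", 200, 0.5),
    Response("isolate_host", 5_000, 0.95),
]

if __name__ == "__main__":
    p_one = attack_probability(PRIOR, DETECTION_RATE, FALSE_ALARM_RATE)
    # A second alert from an independent sensor updates the first posterior.
    p_two = attack_probability(p_one, DETECTION_RATE, FALSE_ALARM_RATE)
    for label, p in (("one alert", p_one), ("two independent alerts", p_two)):
        print(f"{label}: P(attack) = {p:.3f}, "
              f"response = {choose_response(p, DAMAGE, RESPONSES)}")
```

With these figures a single alert from a 95%-accurate detector is a real attack less than 2% of the time, so isolating a host on every alert costs more than it saves; corroboration by a second sensor is what makes the disruptive response worthwhile.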
Intrusion detection has been at the center of intense research in the last decade, owing to the rapid increase of sophisticated attacks on computer systems. Typically, intrusion detection refers to a variety of techniques for detecting attacks in the form of malicious and unauthorized activity. In the event that intrusive behavior is detected, it is desirable to take evasive and/or corrective actions to thwart attacks and ensure safety of the computing environment. Such countermeasures are referred to as intrusion response. Although the intrusion response component is often integrated with the IDS, it receives considerably less attention than IDS research, owing to the inherent complexity in developing and deploying responses in an automated fashion. Development of an effective response mechanism for potential intrusions is inherently complex due to the requirement to analyze a number of “unknown” factors in various dimensions: intrusion cause/effect, identification of optimal response, state of the system, maintainability, and so on. As such, it is necessary to have a complete understanding of the problems that need to be addressed for developing a smart and effective response system. Considerable research has focused on intrusion response specification that addresses the countermeasure steps to sophisticated attacks on the control and computer support systems. For example, the following specifications are being considered as requirements in the development of an ideal intrusion response system: 1. Automatic. The volume and the intensity of intrusions today require rapid and automated response. The system must be reliable to run without human intervention. Human supervision often brings a significant delay into intrusion handling; the response system alone should have means to contain incurred damage and
1290
CROSS-CUTTING THEMES AND TECHNOLOGIES
prevent harmful activity. Although complete automation may not be achievable in practice due to presence of novel intractable intrusions, significant reduction of human effort and expert knowledge is desirable. 2. Proactive. Modern software systems are built on multiple heterogeneously developed components that have complex interactions with each other. Because of these interactions, intrusions are likely to spread rapidly, causing more damage. A proactive approach to response is the most practical in intrusion containment. 3. Adaptable. The presence of multiple components that constitute a software system also results in a dynamic environment owing to the complex interactions between components. As such, intrusive behavior can affect systems in a way that is unpredictable. The intrusion response system should be equipped with means to recognize and react to changes in the dynamic environment. 4. Cost-sensitive. Response to intrusions in dynamic and complex systems requires a careful consideration of the trade-offs among cost and benefits factors. A simple basic response action, triggered every time certain symptoms are observed, might be a wasteful effort and may cause more damage [19]. 10
10 RESEARCH DIRECTION
Because of the constantly changing threats to control systems, as well as the vulnerabilities of these systems to cyber attack, multiple approaches to security should be undertaken. For one, continued research is needed to develop security policies, guidelines, and standards for control system security. This could include things such as authentication methods and the use of networks. The results of this research should then be incorporated into standards, so that all stakeholders may benefit from the research. Continued development of strong standards is key to securing control systems from cyber intrusions.
Another approach to be considered is the use of vulnerability assessments. An organization must be able to conduct a comprehensive vulnerability assessment if it intends to successfully measure the security posture of its control systems. A key step in this process is to learn and apply the seven critical risk assessment success factors listed earlier in the article. These factors are important to the efficient and effective implementation of the organizations’ information security risk assessment programs.
The Federal government must continue to be in the forefront of programs providing support for fundamental research in civilian cyber security. Organizations should implement effective security management programs that include consideration of control system security. To measure the security posture of the control systems, the organization needs to employ a set of rules, or metrics, that quantify its achievement in terms of the company's security goals. Vulnerability should be determined in terms of exposure to attack, probability of attack, and consequences of an attack. The goal should always be to identify vulnerabilities and then to implement mitigation strategies. Possible strategies include developing or improving the organization's security policy. Adherence to one or more recognized security standards should always be part of organization policy.
Cascading failures can have broad regional, national, and global consequences. Control systems need to be carefully designed to reduce the interdependence of multiple infrastructures, and to mitigate the effects when a failure occurs.
Legacy control systems no longer profit from “security through obscurity” [20]. In fact, those that have been retrofitted to incorporate Internet accessibility may be especially vulnerable to attack, due to imperfect matchups between software applications. Legacy system operators must be aware of the vulnerabilities inherent with upgrading to meet today’s networking capabilities, and implement all appropriate protection options. In order to cope with the speed and frequency of today’s cyber attacks, effective intrusion detection and response systems must react in similar rapid fashion. Current research and development efforts focused on new technology and tools to counter such attacks indicate a need for automated, proactive responses, which are adaptable to changing situations and technology, and are cost-effective.

REFERENCES
1. National Standards Policy Advisory Committee (1978). National Policy on Standards for the United States and a Recommended Implementation Plan, National Standards Policy Advisory Committee, Washington, DC, p. 6.
2. CPM Resource Center (2007). How to Write Practice Guidelines, CPM Resource Center, http://www.cpmrc.com/events/workshop 17.shtml, accessed 01/22/2007.
3. Guideline, Wikipedia, the Free Encyclopedia, (2007). http://en.wikipedia.org/wiki/Guideline, accessed 01/22/2007.
4. Definition of Best Practices, (2007). Walden 3-D, Inc., http://www.walden3d.com/og1/bp.html, accessed 01/22/2007.
5. Best Practice, Wikipedia, the Free Encyclopedia, (2007). http://en.wikipedia.org/wiki/Best practice, accessed 01/21/2007.
6. Joseph Weiss, P. E., Ed. (2003) IEEE Task Force Revising Equipment Standards to Protect Against Cyber Attacks, Electric Energy T & D Magazine http://realtimeacs.com/?page id=13.
7. U.S. General Accounting Office (1999). Information Security Risk Assessment; Practices of Leading Organizations Exposure Draft, U.S. General Accounting Office (GAO/AIMD-99-139) 08/1999, http://www.gao.gov/special.pubs/ai00033.pdf.
8. U.S. General Accounting Office (1999). Information Security Risk Assessment: Practices of Leading Organizations Exposure Draft, U.S. General Accounting Office (GAO/AIMD-99-139) 08/1999, http://www.gao.gov/special.pubs/ai00033.pdf.
9. Lindstrom, P. “RISK MANAGEMENT STRATEGIES” Security: Measuring Up, CISSP 02/18/2005.
10. The Department of Homeland Security’s Risk Assessment Methodology: Evolution, Issues, and Options for Congress, CRS Report for Congress, February 2, 2007.
11. Seven Steps to Security Metrics Success, white paper by ClearPoint Metrics http://www.dreamingcode.com/dc ecomm/DocumentManage/DocumentManagement/56 82doc.pdf, 2008.
12. Peerenboom, J. P., and Fisher, R. E. (2007). Analyzing Cross-Sector Interdependencies, Infrastructure Assurance Center, Argonne National Laboratory, http://ieeexplore.ieee.org/iel5/4076361/4076362/04076595.pdf.
13. Stamp, J., Dillinger, J., and Young, W. (2003). Common Vulnerabilities in Critical Infrastructure Control Systems, Sandia National Laboratories, May 22, http://www.oe.netl.doe.gov/docs/prepare/vulnerabilities.pdf.
14. President’s Information Technology Advisory Committee (PITAC) (2005). Report to the President - Cyber Security: A Crisis of Prioritization, February.
15. Rinaldi, S. M., Peerenboom, J. P., and Kelly, T. K. (2001). Complex Networks: Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies. Infrastructure Interdependencies: Overview of Concepts and Terminology, Infrastructure Assurance Center, Argonne National Laboratory, http://www.ce.cmu.edu/~hsm/im2004/readings/CII-Rinaldi.pdf.
16. Weber C. (2006). Assessing Security Risk in Legacy Systems, Cigital, Inc., Copyright © 2006, Cigital, Inc., https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/legacy/624-BSI.pdf.
17. Shea, D. A. (2003). Critical Infrastructure: Control Systems and the Terrorist Threat Report for Congress (Updated February 21, 2003) Consultant Resources, Science, and Industry Division.
18. Dacey, R. F. (2003). Critical Infrastructure Protection: Challenges in Securing Control Systems, Information Security Issues, US General Accounting Office, October 10.
19. Stakhanova, N., Basu, S., and Wong, J. (2006). A Taxonomy of Intrusion Response Systems, Department of Computer Science Iowa State University, Iowa, USA, February.
20. Furnell, S., and Papadaki, M. (2005). Automated Intrusion Response, Network Research Group, School of Computing, Communications & Electronics, University of Plymouth, for Business Briefing Data Management, Storage, & Security Review, http://www.sciencedirect.com/science? ob=ArticleURL& udi=B6VJC-4HDWHP7-4& user=1722207& rdoc=1& fmt=& orig=search& sort=d&view=c& version=1& urlVersion=0& userid=1722207&md5=b8a685ed03dfeadde206a5e355f4f2dd.
IMPLICATIONS OF REGULATION ON THE PROTECTION OF CRITICAL INFRASTRUCTURES
Rebecca Haffenden
Los Alamos National Laboratory, Los Alamos, New Mexico
1 INTRODUCTION
In analyzing the security of a nation’s infrastructure facilities, the impact of the regulatory environment on an infrastructure or a facility must also be considered. Laws and regulations that control both the day-to-day operations and emergency response activities for any facility can originate from a variety of sources. Such regulations are promulgated on the basis of very specific legislation enacted in response to public needs, political forces, or particular events. These regulations, although well written and well thought out for their particular purpose, can have unintended impacts on the security of infrastructure facilities and on the interaction between infrastructures (i.e., interdependencies). Consequently, there should be a mandatory review process for proposed legislation and the corresponding regulations to determine if the legislation or regulation could impact security or emergency response requirements and policies at both the federal and state levels, if the regulation could unintentionally result in increasing the vulnerability of the affected facilities/industries or even if other interdependent facilities/industries will be impacted.
2 THE REGULATORY PROCESS
In the United States, the general regulatory process starts with the enactment of legislation granting authority to one or more federal agencies to create, implement, and enforce a regulatory program based on the intent and scope of the legislation (the legislative mandate). The federal agency then drafts its proposed regulations pursuant to that authority.
Under the Administrative Procedures Act, the agency must publish the proposed regulation in the Federal Register to allow the public to comment. The federal agency then reviews the proposed regulation in light of the comments received and issues a final rule. The final rule is also published in the Federal Register and after the indicated effective date, it can be implemented and enforced. In general, regulations are limited to the intent and scope established in the enabling legislation and to the express statutory authority granted to a federal agency.1 This legislative mandate or statutory authority generally addresses either the specific industry or a specific topic within the jurisdiction of the implementing regulatory agency. For example, the Nuclear Regulatory Commission (NRC) issues regulations pertinent to a specific type of facility, namely, nuclear power plants; it does not issue regulations on the operation of airports. The Environmental Protection Agency (EPA) issues regulations on activities that impact the environment; even though the regulatory program may impact a number of different types of infrastructures or industries, they address only the environmental impact, not the stock issuance requirements of those industries. Therefore, it is likely that proposed industry, facility, or activity specific regulations may only be reviewed for their impact on the industry/topical activities they specifically address and not on their unintentional impact on the security of the affected facilities/industries, the emergency planning that may involve the affected facilities/industries, or the impact on other critical interdependent infrastructures. A classic example of this conflict is found in the regulatory implementation of Section 112(r) of the Clean Air Act (CAA) [2]. 
The accidental and sudden release of methyl isocyanate in an industrial accident at the Union Carbide plant in December 1984 in Bhopal, India spurred the study of the risk of accidental chemical releases in the United States. In 1990, Congress enacted Section 112(r) of the CAA to address the threat of catastrophic releases of chemicals that might cause immediate deaths or injuries in surrounding communities. Pursuant to this legislation, EPA promulgated regulations for the prevention and mitigation of accidental releases of extremely hazardous substances. Covered facilities are required to submit to EPA a risk management plan (RMP) describing the source’s risk management program. Covered facilities are required to conduct potential off-site consequences analysis (OCA) of hypothetical worst case and alternative accidental release scenarios. Under the original rule, facilities were required to include a brief description of this analysis in the executive summary of their RMPs. The RMPs were required to be made available to the public and the executive summaries were to be posted to the EPA Internet site.
The Federal Bureau of Investigation and other representatives of the law enforcement and intelligence communities raised concerns that releasing the OCA portions of RMPs via the Internet would enable individuals anywhere in the world anonymously to search electronically for industrial facilities in the United States to target for purposes of causing an intentional industrial chemical release. In response to those concerns, EPA posted RMPs on the Internet without the OCA results. However, those OCA sections, and any EPA electronic database created from those sections, were still subject to public release in electronic format pursuant to the Freedom of Information Act (FOIA).2 On August 5, 1999, the Chemical Safety Information, Site Security and Fuels Regulatory Relief Act (CSISSFRRA) was enacted3 to provide at least a one-year exemption from FOIA for the OCA portions of RMPs and any EPA database created from those portions. As required by the CSISSFRRA, assessments were conducted of both the increased risk of terrorist and other criminal activity that would result from posting OCA information on the Internet and the chemical safety benefits of allowing public access to the information.
Based on the assessments, the EPA and the Department of Justice (DOJ) issued regulations governing access to, and dissemination of, restricted forms of information about the potential off-site consequences of accidental chemical releases from industrial facilities. That regulation, found at 40 Code of Federal Regulations (CFR) 1400, provides the public with access to paper copies of OCA information through at least 50 federal reading rooms distributed across the United States and its territories. It also provides Internet access to the OCA data elements that pose the least serious criminal risk. In addition, the rule authorizes any member of the public to read at federal reading rooms, although not remove or mechanically reproduce, a paper copy of OCA information for up to ten facilities per calendar month located anywhere in the country, without geographical restriction. In addition, any person will be able to view OCA information for facilities located in the jurisdiction of the Local Environmental Protection Committee (LEPC) where the person lives or works and for any additional facilities with a vulnerable zone extending into that LEPC’s jurisdiction. This rule was effective from August 4, 2000.

1 The interpretation put on the statute by the agency charged with administering it is entitled to deference, [1], but the courts are the final authorities on issues of statutory construction. They must reject administrative constructions of the statute, whether reached by adjudication or by rulemaking, that are inconsistent with the statutory mandate or that frustrate the policy that Congress sought to implement.
The regulations promulgated by the EPA under Section 112(r), were intended to carry out the legislative mandate to inform communities from the release of hazardous chemicals in their area; however, only after promulgation and implementation was the impact on chemical facility security recognized. In addition, in the United States, some rule making is accomplished through regulatory negotiation (RegNeg) where the implementing agency works with industry partners, industry associations, or other related entities to formulate regulations in a cooperative atmosphere. These regulations are thus negotiated with a small, narrow group of like partners that may not consider the impact of their decisions on other infrastructures or activities. Another form of rule making is that conducted pursuant to Office of Management and Budget (OMB) Circular A119 and the National Technology Transfer and Advancement Act [3]. OMB Circular A119 directs federal agencies to use voluntary consensus standards in lieu of government-unique standards except where inconsistent with law or otherwise impractical. Voluntary consensus standards bodies are usually made up of interested parties and have the following attributes: openness, balance of interest, due process, an appeals process, and consensus (or general agreement). Therefore, standards developed or adopted by voluntary consensus standards bodies again would be, if adopted by a federal agency, a regulation made up by a small, narrow group of like partners that may not consider the impacts of the regulation on other aspects of the affected infrastructure or other interdependent infrastructures.
2 5 U.S.C. 552.
3 Public Law No. 106–40.
3 FEDERAL VERSUS STATE/LOCAL LAW
Many laws and regulations that impact critical infrastructure industries and facilities originate at the federal level. Some regulatory schemes specifically create a process for states to be authorized to implement and enforce the federal regulatory programs within their individual states, for example, the EPA hazardous waste regulations4 or the Department of Transportation Office of Pipeline Safety pipeline inspection and safety regulations.5 Under most of the state-delegated authority regulatory schemes, the state may adopt more stringent, but not less stringent, requirements than those in the federal regulations. However, states may adopt state-specific requirements for critical infrastructure industries and facilities, such as state permitting or siting requirements for federally licensed energy facilities.6,7
In general, under Article VI of the United States Constitution, the “Supremacy Clause”, federal law is the law of the land “anything in the constitutions or laws of any State to the contrary notwithstanding.” Therefore, states can legislate/regulate only those areas where federal law does not apply or those areas where the federal law specifically delegates authority to the states. Federal preemption of state law can be (i) expressed or directly stated in the federal legislation or regulation, (ii) implied, where it is inferred from the Congressional intent, as revealed by legislative history or statutory language, (iii) where the federal regulatory program is found to be pervasive and there is nothing left for the states to regulate, often called “occupation of the field”, (iv) where the state law frustrates the perceived Congressional policy or program, and/or (v) where there is a direct conflict between the state and the federal regulatory programs.
States can also adopt state-specific laws and regulations regarding areas where the federal government has not implemented a regulatory scheme, or where the safety and health of the state citizens is a major factor in regulation [5].
Although the terminology discussed above represents the regulatory process in the United States, most nations have a similar process. For instance, similar to the United States Congress, the Australian Commonwealth Parliament is able to make laws only in relation to a range of specific subjects listed in the Constitution, including defense, external affairs, trade, and immigration, and taxation. The Commonwealth has also legislated by agreement with the states, in areas with Australia-wide application, such as broadcasting, navigation, and food standards. Again, similar to the United States, the Australian Constitution does not limit the subjects on which the states may make laws; however, a state law is invalid to the extent it is inconsistent with a valid Commonwealth law on the same subject [6].
For the European Union (EU), legislation is proposed by the European Commission. Such proposed legislation, depending on the legal basis of the proposal, is either adopted or rejected by the European Council or by the Council and the European Parliament jointly. The legal basis of the proposed legislation also determines whether there should be consultation with other EU institutions or agencies. Once adopted, legislation is applicable to all EU members and each nation must adopt its own laws and regulations to implement the legislation.
In addition, and often forgotten, local agencies can have local ordinances (e.g. city or county zoning, building, and fire codes) that apply to critical infrastructure assets.8 Local ordinances (i.e., county or municipal), can also impact infrastructure facilities. As with the federal-state regulatory scheme, local ordinances are either based on delegated powers from the state government or are limited to those areas where local jurisdiction is either statutorily established or historically left to local governments. Examples include property zoning regulations; fire, building, and electrical codes; noise limits; and highway requirements (e.g. traffic patterns, speed limits, and road weight restrictions). This regulatory scheme results in multiple layers of regulation for each infrastructure and each facility/asset. Each layer (federal, state, or local) has a different jurisdiction and each agency within each layer has its own statutory mandate.

4 40 Code of Federal Regulations (CFR) 260, et seq.
5 49 CFR. Parts 190, 191, and 192.
6 For example, Oregon Revised Statutes, Chapter 469: Energy Conservation Chapter 345-021-0000 et seq., Oregon Administrative Rules; In 2001, the Colorado Legislature approved House Bill 01-1195. The bill provided a legal means for public utilities to appeal local land use decisions on utility siting issues to the Public Utilities Commission.
7 The regulation of health and safety matters is primarily and historically a matter of local concern [4].
4 THE REGULATORY ENVIRONMENT FOR CRITICAL INFRASTRUCTURES
Regulations may provide for agency oversight (e.g. agency inspections, recordkeeping, and reporting requirements), may be economic based (e.g. rate setting or investment incentives) or may involve very specific, detailed prescriptive or performance-based requirements for operational activities or even physical configuration of a facility. Some regulations are specific to a particular industry (e.g. air emissions from publication rotogravure printing facilities9), whereas others affect a number of industries and asset types (e.g. Occupational Safety and Health Administration (OSHA) worker safety10 or American with Disabilities Act (ADA) regulations [7]). In general, most private industry owners resist any governmental regulation of their activities, including security and vulnerability reduction. There are arguments on both sides of the issue with some, including the Congressional Budget Office, stating businesses would be “inclined to spend less on security than might be appropriate for the nation as a whole if they faced losses from an attack that would be less than the overall losses for society;” [8] whereas others would argue companies are motivated to invest in security in order to protect their own continuity of operations, without which the company has no income/profit, which is in their best interest11.
Many critical infrastructure facilities and activities were already heavily regulated before the events of September 11, 2001. However, at this time, only a few critical infrastructures have had in-depth governmental security regulations imposed upon them, generally in the transportation, maritime, and nuclear power industries. However, all 17 critical infrastructures and key resources12, both governmental and privately owned, are regulated by a variety of overarching health, safety, environmental, employee, and privacy regulations (i.e., nonsecurity-related regulations) that impact their day-to-day operations as well as their response to emergency situations. Some infrastructures have deregulated such that economic regulatory control and oversight may have lessened, including telecommunications, electric power, natural gas, and oil production, however, these general overarching regulations would still apply to the activities and facilities of these “deregulated” industries. Table 1 shows the major regulatory agencies for each infrastructure, as well as a list of the general areas of jurisdiction.

8 40 CFR 63.824.
9 29 CFR 1900, et seq.
10 28 CFR Part 36.
11 Agriculture & Food, Public Health, Water, Energy, Banking, National Monuments, Defense Industrial Base, Commercial Chemical, Telecommunications, Postal & Shipping, Government Facilities, Transportation, Dams and Nuclear Power.
12 The Guidelines are not however, enforceable requirements, but instead FERC inspectors review the effectiveness of each installation’s protective measures on a case-by-case basis.

The commercial sector, which is usually made up of privately owned industrial facilities, commercial buildings, shopping malls, arenas, or stadiums, has few industry-specific security regulations, though they will be subject to worker safety, general zoning, fire protection, and other building safety regulations. In addition, many infrastructures also must meet independent industry association requirements. For instance, since rate deregulation, energy infrastructures must also meet the requirements of the Independent System Operator (ISO) for marketing energy in interstate and intrastate commerce. In addition, the North American Electric Reliability Council requires its members to meet its regulations for safety and security of the electric power transmission grid. The chemical and hazardous materials infrastructure has numerous independent industry associations that impose member requirements for safety and security, including the American Chemical Council’s Responsible Care initiative. These industry self-regulations add another layer of requirements that could impact nonsecurity regulatory requirements and security policy requirements.
As discussed above, most federal, state, and local regulations are established on the basis of implementing each agency’s specific statutory scope of authority.
Therefore, a critical infrastructure facility may be regulated by various federal, state, and local agencies, each for a separate purpose. In addition, many infrastructures are systems, made up of many assets. For example, the electric power infrastructure has generation facilities (which can be nuclear, fossil fuel, or hydropowered), transmission and distribution facilities, substations, communication networks, marketing activities, personnel, equipment/trucks, and other transportation facilities (e.g. railroads for coal). Regulation by these various local, state, and federal agencies can be additive, duplicative or even conflicting. Figure 1 shows an example of the numerous regulatory interfaces for the electric power infrastructure.
5 THE INTERRELATIONSHIP BETWEEN SECURITY AND NONSECURITY-RELATED REGULATIONS
Nonsecurity-related regulations might have an unintentional positive or negative impact on the security of critical infrastructure facilities and assets. Conversely, new security-related regulations may unintentionally impact and even conflict with nonsecurity regulations, rights, or policies. The security of critical infrastructures/key assets is dependent on many factors. Each type of critical asset has a need for a different type of security depending on the type of threat. Some critical assets are susceptible to physical attack; others to cyber infiltration. Nonsecurity regulations may impact both the physical security/vulnerability of the regulated facility, the cyber security/vulnerability of information, the facility/industry operational security/vulnerability (e.g. availability of sensitive information about the regulated facility/industry), or the ability of the facility to recover from a catastrophic incident. On the other hand, security-related regulations may impact health and safety requirements,
TABLE 1 Key Regulatory Authorities by Infrastructure

Infrastructure: Agriculture and food
Regulating Agencies:
• Department of Agriculture
• US Food and Drug Administration
• Department of Commerce, National Marine Fisheries Service
• Environmental Protection Agency
• State Agriculture and Pesticide Regulators
General Areas of Jurisdiction:
• Crops
• Packaging
• Additives
• Animal husbandry
• Meat processing
• Fish processing
• Pesticide Application/residuals

Infrastructure: Banking and finance
Regulating Agencies:
• Department of the Treasury
• Federal Reserve
• Federal Deposit Insurance Corporation
• Securities and Exchange Commission
• Commodities Futures Trading Commission
• State Banking Regulators
General Areas of Jurisdiction:
• Banks
• Federal Reserve System
• Mints
• Stock trading
• Commodities future trading

Infrastructure: Chemical and hazardous materials
Regulating Agencies:
• Department of Transportation
• Environmental Protection Agency
• Department of Labor
  – Occupational Safety & Health Administration
General Areas of Jurisdiction:
• Air emissions
• Storing and handling of chemicals/hazardous materials
• Hazardous wastes
• Pesticides

Infrastructure: Commercial
Regulating Agencies:
• Local Zoning Boards
• Department of Education
• Local Building and Fire Codes
General Areas of Jurisdiction:
• Schools
• Office buildings
• Public assembly facilities
• Residential buildings
• Stadiums/arenas/raceways

Infrastructure: Dams
Regulating Agencies:
• Federal Emergency Management Agency
• United States Army Corps of Engineers
• FERC
• Department of the Interior
  – Bureau of Reclamation
  – Bureau of Land Management
  – National Park Service
  – Fish and Wildlife Service
• Department of Agriculture
• Tennessee Valley Authority
• Department of Energy
• Nuclear Regulatory Commission
• International Boundary and Water Commission
• State Dam Safety Agencies
General Areas of Jurisdiction:
• Dams
• Levees

Infrastructure: Defense industrial base
Regulating Agencies:
• Department of Defense
General Areas of Jurisdiction:
• Defense contractor facilities

Infrastructure: Emergency services
Regulating Agencies:
• Federal Emergency Management Agency
• State Emergency Management Agencies
General Areas of Jurisdiction:
• Police
• Fire
• Emergency medical technicians
• Ambulance

Infrastructure: Energy: Electric
Regulating Agencies:
• Department of Energy
  – Federal Energy Regulatory Commission
• State Public Utility Commissions
General Areas of Jurisdiction:
• Generation facilities
  – Fossil fuel
  – Hydro
  – Wind
  – Solar
• Transmission lines
• Distribution lines
• Substations
• Switching stations

Infrastructure: Energy: Natural gas
Regulating Agencies:
• Department of Energy
  – Federal Energy Regulatory Commission
• Department of Transportation
• State Public Utility Commissions
• State Environmental or Mineral/Mining/Drilling Agencies
General Areas of Jurisdiction:
• Wells
• Gathering pipelines
• Transmission pipelines
• Distribution pipelines
• Compression facilities
• Storage
• Liquefied natural gas plants

Infrastructure: Energy: Petroleum
Regulating Agencies:
• Department of Energy
  – Federal Energy Regulatory Commission
• Department of the Interior
  – Minerals Management Service
• Environmental Protection Agency (oil spills)
• State Environmental or Mineral/Mining/Drilling Agencies
General Areas of Jurisdiction:
• Wells
• Outer continental shelf drilling
• Gathering pipelines
• Transportation pipelines
• Storage terminals
• Refineries
• Port facilities

Infrastructure: Government facilities
Regulating Agencies:
• General Services Administration
• Federal Protective Service
General Areas of Jurisdiction:
• Personnel-related buildings
• Research-related buildings
(e.g. Headquarters)

Infrastructure: Information technology
Regulating Agencies:
• Department of Homeland Security
• Office of Cyber Security and Telecommunications
General Areas of Jurisdiction:
• Internet

Infrastructure: National monuments and icons
Regulating Agencies:
• Department of the Interior
  – National Park Service
  – Bureau of Land Management
  – Bureau of Reclamation
• Department of Agriculture
  – Park Service
• General Services Administration
General Areas of Jurisdiction:
• National monuments
• National parks
• National forests
• Iconic government buildings

Infrastructure: Nuclear plants
Regulating Agencies:
• Nuclear Regulatory Agency
General Areas of Jurisdiction:
• Nuclear power plants
• Radioactive materials
• Radioactive wastes

Infrastructure: Postal and shipping
Regulating Agencies:
• United States Postal Service
• Department of Transportation
General Areas of Jurisdiction:
• Post offices
• Commercial shipping

Infrastructure: Public health
Regulating Agencies:
• Department of Human Health and Services
  – Public Health Service
General Areas of Jurisdiction:
• Public health system
• Laboratories
• Possession, use, and transfer of select agents and toxins
Telecommunications
–Centers for Disease Control and Prevention • State Health Departments • Federal Communication Commission
• Hospitals and clinics • Telephone switching facilities
• Department of Commerce, National
• Telephone lines
Telecommunications and Information Administration • • • •
Cellular telephone towers Satellite services Radio communications Underwater cable landings
• Office of Science and Technology
Policy and National Security Council Transportation
• State Public Utility Commissions • Department of Homeland Security
–Transportation Security Administration
• Highways • Tunnels • Bridges
• • • • United States Army Corps of Engineers • • • Department of Transportation
–United States Coast Guard
Railroads Maritime ports Locks and dams Pipelines Trucks and drivers
1302
CROSS-CUTTING THEMES AND TECHNOLOGIES
TABLE 1 (Continued ) Infrastructure
Water and Wastewater
Regulating Agencies –Federal Railroad Administration –Pipeline and Hazardous Materials Safety Administration –Federal Transit Administration –Federal Highway Administration –Federal Motor Carrier Safety Administration –Federal Aviation Administration –Maritime Administration –Surface Transportation Board • State Transportation and Transit Agencies • Environmental Protection Agency
• State Environmental Agencies
General Areas of Jurisdiction
• Potable water treatment • • • •
Portable water distribution Wastewater treatment Wastewater collection Aqueducts
individual or corporate privacy, or interstate commerce. The following section discusses some examples of where regulations may impact the security/vulnerability of critical infrastructure facilities and assets.
5.1 Health and Safety Versus Security
An example of safety regulations assisting in protecting critical infrastructure/assets is found in Federal Energy Regulatory Commission (FERC) regulations applied to FERC-regulated dams. Pursuant to FERC regulations, an owner of a project may be required to install and properly maintain any signs, lights, sirens, barriers, or other safety devices necessary to adequately warn and/or protect the public in its use of project lands and waters. Under FERC Guidelines13 for Public Safety at Hydropower Projects, certain physical protections are suggested for dam owners, such as restraining devices, fences, or guards. Restraining devices include boat restraining barriers, fences, guardrails, natural barriers, trashracks, debris deflector booms, and other similar devices. Under the Guidelines, boat-restraining barriers, as well as warning devices, should be provided at those projects where boaters and canoeists are exposed to hazardous spillways, tailrace areas, or intake areas. However, boat restraining barriers are not required at those projects where bridges or other structures constitute an adequate physical barrier, or if it can be assured that hazardous flows and conditions do not occur at the projects during the times of the year when boaters or canoeists use the reservoirs. Any type of barrier, such as trash booms, debris deflector booms, log booms, and specially designed barriers that have been placed upstream of dams may be considered as satisfactory boat restraining barriers. In addition, no-boating zones are often established regardless of physical barriers. These requirements are implemented to protect the public from the hazardous areas and components of hydropower projects, though they also serve to restrict maritime avenues of approach to critical assets at the dam.
13 For Example, City of Chicago Municipal Code, Section 13-196-084, which requires access to the interior of the building and to the second vertical exit from a stairwell.
FIGURE 1 Electric power infrastructure regulatory environment.
However, other nonsecurity-related regulations might adversely impact the security at critical infrastructure facilities/assets. Local health and safety codes frequently require that emergency exit stairwell doors remain unlocked, if not all of the time, at least during a fire emergency (e.g. when the fire alarm is activated), allowing access to all floors of the building during evacuation.14 This, however, also impacts the security of a facility in that, once someone has access to the bottom stairwell door, they have access to the entire facility. Therefore, building security must be adjusted to accommodate the fact that the stairwell doors may not be locked, or the doors must be equipped with an electronic mechanism that unlocks all stairwell doors only when the fire alarm is activated.
In another example, Title III of the ADA10 prohibits discrimination on the basis of disability by public accommodations and requires places of public accommodation and commercial facilities to be designed, constructed, and altered in compliance with the accessibility standards established by this part. The DOJ has promulgated regulations to implement Title III.15 These regulations require that handicapped accessible parking spaces serving a particular building be located on the shortest accessible route of travel from adjacent parking to an accessible entrance and that the accessible route cannot have curbs or stairs or other barriers.16 In addition, passenger loading zones shall provide an access aisle at least 60 in. (1525 mm) wide and 20 ft (6100 mm) long adjacent and parallel to the vehicle pull-up space and if there are curbs between the access aisle and the vehicle pull-up space, then a curb ramp must be provided. Generally, at public entrances to facilities where there are large gatherings of people (e.g. stadiums, arenas, shopping malls, or convention centers), security policy would require barriers to protect populated main entrances from speeding vehicle-borne improvised explosive devices (VBIEDs). Similarly, security policy would limit parking near public buildings within designated blast effect distances. However, such requirements could impact the accessibility of the facility to those protected under the ADA.
14 42 U.S.C. 12181. CFR Part 36. 15 28 CFR Part 36, Appendix A, Section 4.3 and 4.6. 16 49 CFR Part 171 and 172. 10 28
5.2 Public Availability of Information Versus Security
Federal DOT regulations require placards to be placed on all shipments of hazardous materials, based on the type and quantity of material in the vehicle/container [9]. There are two placarding hazard classes. One requires placards be displayed to identify any quantity of material in the vehicle/container and the other to identify only when the quantity of material is over 1001 pounds. The first class includes high explosives, poison gas, dangerous when wet material, some organic peroxides, poison inhalation material and certain radioactive materials. The second includes explosives, flammable and nonflammable gases, flammable and combustible liquids, flammable solids, spontaneously combustible materials, oxidizers, some organic peroxides, poisons that do not pose an inhalation hazard, and corrosive materials. The placards are diamond-shaped signs placed on both ends and both sides of trucks, railcars, and intermodal containers that carry hazardous materials. They are coded by color and contain symbols and numbers that designate the hazard class of the hazardous material that is contained in the vehicle/container. In addition, the placarding requirements are based on the United Nations’ (UN) Model Regulation on the Transport of Dangerous Goods, which are widely adopted into national and international regulations. In addition, these regulations may require other markings such as proper shipping names and material identification numbers, including for shipments of certain bulk commodities and for other shipments of materials that are poisonous by inhalation, marine pollutants, and elevated temperature materials. Under the North American Free Trade Agreement, the United States, Canada, and Mexico have harmonized the hazardous materials placarding requirements of the three countries and jointly published the Emergency Response Guidebook (ERG2004).
The Emergency Response Guidebook (ERG2004) is available from the DOT website. It allows anyone to search for a chemical by the material identification number or shipping name with reference to a specific hazard guide. It provides fire or explosive and health hazards, public safety information (e.g. personal protective equipment and evacuation), as well as emergency response for fire, spill/leak, or first aid. The DOT has recognized that placards, which are important for communicating the presence of hazardous materials, also might aid a terrorist in identifying hazardous materials in transportation. In this case, DOT has studied this interrelationship between the existing federal hazardous materials regulations and transportation security concerns [10]. At this time, DOT has concluded that placards are a critical source of hazard information to emergency response personnel, transport workers, and to regulatory enforcement personnel and play a critical role in the event of a hazardous materials incident. DOT concluded that there are more appropriate means of enhancing security related to the transportation of hazardous materials than entirely replacing the placard system.
Having discussed situations where nonsecurity-related regulations may impact security policies or requirements, the following section now discusses some examples where security regulations may unintentionally impact the nonsecurity-related regulations of and requirements at critical infrastructure facilities and assets.
5.3 Security Versus Personnel, Health, or Safety
A General Accounting Office (GAO) report found that security directives issued by the Department of Homeland Security Transportation Security Administration (TSA) conflicted with certain safety regulations.17 After the bombing of passenger rail facilities in Spain, the TSA, on May 20, 2004, issued emergency security directives applicable to the passenger rail industry (effective May 23, 2004). The directives required rail operators to implement a number of security measures, such as conducting frequent inspections of stations, terminals, and other assets, or utilizing canine explosive detection teams, if available. According to TSA officials, because of the need to act quickly, the rule-making process for these security directives did not include a public comment period. Examples of conflicting provisions include a requirement that the doors of the rail engineer’s compartment be locked. However, according to the Federal Railroad Administration (FRA), the provision conflicts with an existing FRA safety regulation calling for these doors to remain unlocked for escape purposes.18 What follows is as stated by the GAO Report:
According to FRA, a locked door pursuant to the directive would not allow the locomotive engineer to quickly exit the cab when faced with an impending highway rail grade crossing collision or other accident.
In some cases, the door providing access to the locomotive’s cab also serves as one of only two primary paths for emergency exit by passengers and is marked as an emergency exit. According to FRA, if these doors are locked pursuant to the directives, they may not be usable in an emergency, and passenger evacuation time could be substantially increased.
Another example raised in the report is the requirement to remove trash receptacles at stations determined by a vulnerability assessment to be at significant risk and only to the extent practical, except for clear plastic or bomb-resistant containers. However, the American Public Transportation Association, Association of American Railroads, and some rail operators raised concerns about the feasibility of installing bomb-resistant trash cans in certain rail stations because they could direct the force of a bomb blast upward, possibly causing structural damage in underground or enclosed stations.
5.4 Security Versus Privacy
Closed-circuit television (CCTV) systems typically involve a camera or cameras linked to monitors and recording devices. A CCTV system allows the remote cameras to be viewed and operated from a centralized control room. CCTV systems have been installed at many types of infrastructure facilities, including commercial establishments, schools, and places of employment. In addition, more police departments in the United States now use CCTV to deter and detect crime. Since September 11, 2001, law enforcement has also begun to use CCTV to combat terrorism.
17 49 CFR 238.235.
18 Alabama, Arkansas, California, Delaware, Georgia, Hawaii, Kansas, Maine, Michigan, Minnesota, New Hampshire, South Dakota, and Utah.
There are currently no specific federal regulations concerning the use of CCTV cameras in public places, such as public streets, parks, and subways, or semipublic places, such as schools and workplaces. However, the laws of 13 states [11] expressly prohibit the unauthorized installation or use of cameras in private places without permission of the people photographed or observed. A private place is defined by the courts as one where a person may reasonably expect to be safe from unauthorized surveillance. The Fourth Amendment protects people from unreasonable searches and seizures. According to the Supreme Court, if the person under surveillance has a reasonable expectation of privacy, the Fourth Amendment applies, and a warrant is generally required to conduct a lawful search. Conversely, if the person under surveillance does not have a reasonable expectation of privacy, the Fourth Amendment does not apply, and no warrant is required for police surveillance [12].
A recent GAO report found that civil liberties advocates have raised issues concerning CCTV’s potential impact on individual privacy as well as the potential for inappropriate use of CCTV systems and the mishandling of CCTV images [13]. The Security Industry Association (SIA) and International Association of Chiefs of Police (IACP) and other organizations have developed guidelines for CCTV users that address some of the issues raised by civil liberties advocates through the use of management controls [14]. These include developing written operating protocols, establishing supervision and training requirements, providing for public notification, and requiring periodic audits.
These legal issues will continue to be raised as more schools, workplaces, subways, shopping malls, and other areas install and use CCTV to monitor employees and visitors. Fear of criminal prosecution may deter some institutions from installing CCTV for security purposes.
6 INTERDEPENDENCY BETWEEN INFRASTRUCTURE REGULATORY SCHEMES
In addition, interdependency of infrastructures adds another layer of overlapping and possibly conflicting regulatory schemes. Interdependency refers to the failure in one asset or infrastructure which can cascade to cause disruption or failure in others, and the combined effect could prompt far-reaching consequences affecting government, the economy, public health and safety, national security, and public confidence [15]. This interdependency impact can affect the performance of other infrastructures under normal and stressed operations, due to disruptions (including coincident events), or during repair and restoration. Interdependencies also change as a function of outage duration, frequency, and other factors. Backup systems or other mitigation mechanisms can reduce interdependency problems. There are also linkages between critical infrastructures and community assets (for response and recovery) (Figure 2). Interdependency can be
• physical (e.g. material output of one infrastructure used by another),
• cyber (e.g. electronic, informational linkages),
• geographic (e.g. common corridor), and
• logical (e.g. dependency through financial markets).
FIGURE 2 Electric power infrastructure interdependencies.
Interdependency impacts can be caused by the following:
• Common cause failure. A disruption of two or more infrastructures at the same time because of a common cause.
• Cascading failure. A disruption in one infrastructure causes a disruption in a second infrastructure.
• Escalating failure. A disruption in one infrastructure exacerbates a disruption of a second infrastructure.
An example of the impact of regulations on geographic interdependency can be seen in the application of environmental and zoning regulations for siting infrastructure assets. As stated in the Congressional Research Service Report to Congress, Vulnerability of Concentrated Critical Infrastructure: Background and Policy Options:19
When infrastructure is physically concentrated in a limited geographic area it may be particularly vulnerable to geographic hazards such as natural disasters, epidemics, and certain kinds of terrorist attacks. Whereas a typical geographic disruption is often expected to affect infrastructure in proportion to the size of an affected region, a disruption of concentrated infrastructure could have greatly disproportionate—and national—effects.
Geographic concentrations of national critical infrastructure have developed for multiple reasons—typically some combination of resource proximity, agglomeration economies, scale economies, capital efficiency and federal, state, and local regulations. For instance, state environmental and local zoning or health regulations can limit the siting of industries that use hazardous materials near sensitive areas (e.g. schools) and environmental regulations regulate the operation of facilities handling hazardous materials in groundwater (wellhead) protection zones.20,21 Regulatory limitations on the siting of critical infrastructure tend to group infrastructure assets together along roadways and other established corridors or public utility rights-of-way or in specific zoning districts. For example, in many communities, zoning regulations/ordinances allow transmission lines utilizing multiple-legged structures, generating or treatment plants, substations, pumping, or regulator stations to be built only in certain zoning districts. In other cases, utility siting is encouraged only in existing corridors, which forces utilities to share existing corridors.22 This clustering of infrastructure assets into close proximity can result in escalating failures of these geographically interdependent infrastructures.
19 For example, Massachusetts regulations on Wellhead Protection Zoning and Non-zoning Controls, found at 310 CMR 22.21 (2).
An example of cascading failure is the disruption in rail service for coal deliveries to power plants. This would result in the need to determine alternative transportation infrastructure options. However, local road restrictions on load weights could prevent the transportation of coal by truck, particularly given the amount of coal required to replace one coal unit train delivery.23 In another such example, the need to haul heavy replacement transformers by truck rather than by the usual specialized rail cars could require a permit or a waiver.
7 CONCLUSION
Since September 11, 2001 (9/11), there has been an impetus to evaluate the vulnerabilities of the nation’s critical infrastructures and to implement programs to reduce or mitigate those vulnerabilities. Over the last five years, a flurry of legislation, regulatory rule making, policy directives, and federal agency guidance documents have created security-related requirements applicable to some critical infrastructure facilities. Therefore, at this time, vulnerability mitigation activities can take the form of strict governmental security regulation, governmental information-gathering-and-assistance programs aimed at the private sector, governmental policies, and programs for implementation at governmental facilities, industry association developed and implemented security programs (both voluntary and mandatory) for their members (e.g. North American Electric Reliability Council and American Chemical Council), and, finally, security planning, policies, and technology installations by private businesses using in-house personnel and outside security consultants. However, there are also many nonsecurity-related regulations that are promulgated every month that could also impact the security of critical infrastructure assets or impede mitigation or emergency response. These proposed regulations are not reviewed in light of the security laws, regulations, and policies being enacted at the federal level.
20 For example, Wellesley, Massachusetts Zoning Bylaws Section XIVE, Water Supply Protection Districts.
21 See, Aberdeen, Maryland Zoning Regulations, Appendix A—Table of Use Regulations or Alameda, California, Chapter XXX—Development Regulations, Article I—Zoning and District Regulations, Section 30-4—District Uses and Regulations. Both regulations limit the construction of transmission lines, generating plants, substations and other infrastructure facilities without approval in some districts.
22 For example, City of Redmond, Washington, Comprehensive Plan, Utilities Chapter.
23 The usual unit train has about 100 cars, each holding about 100 tons of coal. The maximum weight for interstate highway trucks is 80,000 pounds gross weight (tractor/tare weight/cargo weight) (29 CFR 658.17). It may be lower on non-interstate (state or county) roads. However, in general, for 40’ equipment this would equal a cargo weight of 45,000 depending on tractor weight. Thus, it would take approximately 450 legal interstate truck shipments to make up for one unit train delivery.
Section 603(b) of the Regulatory Flexibility Act of 1980 (5 U.S.C. 601 et seq.) specifies that the contents of the Regulatory Flexibility Analysis (RFA) include the following five requirements:
• description of the reasons why action by the agency is being considered;
• statement of the objectives of, and legal basis for, the final rule;
• description of and, where feasible, an estimate of the number of small entities to which the final rule will apply;
• description of the projected reporting, recordkeeping and other compliance requirements of the rule, including an estimate of the classes of small entities which will be subject to the requirement and the type of professional skills necessary for preparation of the report or record; and
• identification, to the extent practicable, of all relevant Federal rules that may duplicate, overlap, or conflict with the final rule.
Therefore, under the Regulatory Flexibility Act, all proposed federal regulations should be reviewed for conflict with or impact to the security of critical infrastructure facilities and assets. It should be recognized by those conducting the RFA that any regulation could impact the security, including physical, cyber, and sensitive information security, of critical infrastructures and assets. In fact, it may have an impact on an infrastructure other than the one that the proposed regulation was intended to regulate. In addition, proposed state and local regulations, as well as federal policy and guidance documents from a wide variety of federal regulatory agencies, could also impact the security of critical infrastructure facilities and assets. However, there is no requirement for these to be analyzed against existing security regulations or existing knowledge of vulnerability reduction and mitigation programs.
This chapter only presents a few examples of regulations that could impact the security of critical infrastructure assets. A review of existing regulations could also be prudent to determine if there are regulations that could be unintentionally increasing critical infrastructure vulnerabilities or impeding mitigation or emergency planning. In addition, nonsecurity-related regulations should be reviewed and their impact should be determined before developing infrastructure security/vulnerability assessment methodologies, recommending protective measures, and/or undertaking research and development activities.
REFERENCES
1. (a) FEC vs. Democratic Senatorial Campaign Comm., 454 U.S. 27 (1981); (b) NLRB v. Bell Aerospace Co., 416 U.S. 267, 275 (1974); (c) Udall v. Tallman, 380 U.S. 1, 16 (1965); (c) SEC v. Sloan, 436 U.S. 103, 118 (1978); (d) FMC v. Seatrain Lines, Inc., 411 U.S. 726, 745–746 (1973); (e) Volkswagenwerk v. FMC, 390 U.S. 261, 272 (1968); (f) NLRB v. Brown, 380 U.S. 278, 291 (1965).
2. 42 United States Code (U.S.C.) Section 7401 et seq. (1990).
3. National Technology Transfer and Advancement Act of 1995, Pub. L. No. 104-113, 110 Stat. 775 (codified as amended in scattered sections of 15 U.S.C.).
4. Hillsborough County, Florida v. Automated Med. Lab., Inc., 471 U.S. 707, 719 (1985).
5. Australian Constitution, Chapter I, Part V, http://www.aph.gov.au/senate/general/constitution.
6. For example, Chicago Zoning Ordinance, Chapter 17 available at http://webapps.cityofchicago.org/zoning/default.jsp, 2007.
7. Congressional Budget Office (2004). Homeland Security and the Private Sector, December 2004, Section 3 of 7, available at www.cbo.gov.
8. Lewis, T. G., Darken, R. (2005). Homeland Security Affairs, Volume I, Issue 2, Article 1.
9. U.S. Department of Transportation Research and Special Programs Administration Office of Hazardous Materials Safety (2003). The Role of Hazardous Material Placards In Transportation Safety and Security, John A. Volpe National Transportation Systems Center, January 15, 2003. Available at: http://hazmat.dot.gov/riskmgmt/hmt/0803RedactedPlacardingReportSSI.pdf
10. General Accounting Office (2005). Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize and Guide Security Efforts. Report number GAO-05-851, October 7, 2005.
11. Katz v. United States, 389 U.S. 347, 360–61 (1967). (Harlan, J., concurring).
12. General Accounting Office (2003). Information on Law Enforcement’s Use of Closed-Circuit Television to Monitor Selected Federal Property in Washington, D.C. Report number GAO-03-748, June 2003.
13. Closed Circuit Television (CCTV) (2000). GUIDELINE: Closed Circuit Television (CCTV) for Public Safety and Community Policing, issued by Security Industry Association (SIA) and International Association of Chiefs of Police (IACP), Final Revision Number 9, January 1, 2000.
14. National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, February 2003.
15. Parfomak, P. W., Congressional Research Service (CRS) Report for Congress (2005). Vulnerability of Concentrated Critical Infrastructure: Background and Policy Options, Order Code RL33206, December 21, 2005.
CHARACTERIZING INFRASTRUCTURE FAILURE INTERDEPENDENCIES TO INFORM SYSTEMIC RISK
Timothy McDaniels and Stephanie Chang
University of British Columbia, Vancouver, BC, Canada
Dorothy A. Reed
University of Washington, Seattle, Washington
1 SCIENTIFIC OVERVIEW
Critical infrastructure systems, sometimes referred to as lifelines, provide vital services for societal functions. Until recently, planning and management for provision of these services has focused on individual infrastructure systems. Yet, analysts, planners, and decision makers increasingly recognize that these systems are highly interconnected and mutually interdependent in a number of ways [1, 2]. For example, the US government established the National Infrastructure Simulation and Analysis Center to examine infrastructure interdependencies through modeling and simulation [3]. Infrastructure systems have become more congested and thus increasingly vulnerable to failures due to interactions within and between systems. The electrical power delivery system is a prime example. It has increased risk of large-scale failures, due to increasing demands on the system that have not been met by a corresponding increase in capacity [4]. Major power outages, affecting 1 million or more people, occur about every 4 months on average in the United States [3].
This research examines infrastructure interdependencies by focusing on major outages in the electrical system and the effects these outages have on other infrastructures. Extreme events, as defined by the National Science Foundation, are typified by nonlinear responses, low probabilities, high consequences, and the potential for systems interaction that leads to catastrophic losses [5]. Models of outage impacts in which the power delivery system is treated as an individual civil infrastructure system are common. Recently, new conceptual models and simulation approaches have been developed as a means of representing complex, interconnected systems. Examples include the infrastructure risk analysis model [6], hierarchical holographic modeling [7], and agent-based simulation [8]. Additionally, models that integrate civil engineering, electrical engineering, and social science dimensions of infrastructure failures are becoming more common [4, 9, 10]. We employ an empirical approach to understand infrastructure interdependencies, which we refer to as infrastructure failure interdependencies (IFI).
We define IFIs as failures in interdependent infrastructure systems, which are due to an initial infrastructure failure stemming from an extreme event. When major power outages affect other infrastructures, the interdependencies among the systems prolong and greatly exacerbate the consequences of the initial outage. Planning to address extreme events should take into account these interdependencies because they are the pathways through which indirect impacts of a major outage ripple through societal interactions and economic activity. As framed at present, ours is not a predictive model but rather an ex post risk analysis approach derived from observation of actual events. This model can be used to help clarify IFI patterns. Such information is important for setting priorities about potential ways to mitigate the likelihood and the consequences of these infrastructure interactions. The next section outlines relevant concepts and presents a framework for characterizing the nature, extent, and severity of IFIs. This framework is applied in Section 3 to IFIs occurring in two extreme outage events, the August 2003 blackout and the 1998 ice storm, both of which affected northeastern North America. Section 4 discusses the implications of this analysis and a conclusion is reached in Section 5.
2 CONCEPTS AND FRAMEWORK
2.1 Partitioning Patterns and Consequences
Haimes and his colleagues have addressed fundamental aspects of the analysis of extreme events and interdependent systems. Their approach recognizes the pitfalls of simple expected value calculations as a means of characterizing the implications of extreme events within an overall distribution for a given random variable [11]. Their work on the conditional expected value (e.g. conditional on exceeding some threshold value) (e.g. [12, 13]) helps focus the attention of decision makers and analysts on the tails of a probability distribution. This work is similar in spirit to the approach of Haimes and his colleagues, by partitioning both patterns of occurrence and consequences, but with a different emphasis. Here we deal with a vector of events, which are all the potential IFIs (defined above) that could arise, given an extreme event occurrence within a given system of infrastructure systems. This approach partitions a vector defining all specific kinds of IFIs, by considering their patterns of occurrence, given that an extreme event to trigger IFIs has occurred. It also partitions consequences, by considering the consequences of a vector containing each specific kind of IFI, separate from the direct consequences of the initial extreme event. In this respect, the approach here also partitions the patterns and consequences in time. It is an approach that is effectively ex post, conditional on the occurrence of an extreme event.
2.2 A Matrix of Infrastructure Failure Relationships
Haimes and Jiang [14] developed a Leontief-based model of risk in interconnected infrastructure systems. Their risk measure is cast as the risk of inoperability of a given infrastructure system, which is the product of the probability and degree (percentage) of inoperability for that system. They provide a model definition, drawing on what is termed the A matrix in input–output analysis, cast in terms of inoperability or failure relationships among infrastructure systems, rather than economic interdependencies as in the Leontief work.
In this article, we proceed in the spirit of the Haimes and Jiang framework, with somewhat different terminology, notation, and emphasis. We adopt the following definitions: X is defined as an overall system of interdependent, nonredundant infrastructure systems Xi , where i = 1, 2, 3 . . . , n. X could be defined for spatial or physical units ranging from a building to a neighborhood, city, region, nation, or even a continent, depending on the scale of interest. Systems Xi and Xj within X have an interdependent relationship defined as Aij , which characterizes the extent to which a failure of operability in Xi could lead to operability failures in Xj . An operability failure C could render the system Xi completely or partially inoperable, as in Haimes and Jiang [14]. An IFIij is a specific failure event C (Xi ) within a specific infrastructure system Xi , given a specific failure of a different infrastructure system C (Xj ) where both Xi and Xj are within X. The matrix C contains all the specific IFI events C (Xi ) that could arise within a defined system of infrastructure systems X, given that the initial extreme event triggers opportunities for the IFIij events in C. The dimensions of C include the specific system that fails and the degree of impairment of the functions of the system. 2.3 Event Patterns as Ex Post Risk Analysis Risk is sometimes defined as a triplet of conditions: what could go wrong, how likely it is to go wrong, and the consequences if it does go wrong [15, 16]. Here we add an additional initiating event C (Xj ), which has already gone wrong, as the conditional basis for examining this triplet approach to define risk of IFI. We use patterns of events to explore the nature of C (Xj )|C (Xj ). Characterizing probabilities in terms
of P(C(X_i) | C(X_j)) would require data from (i) databases to characterize the relative frequency of P(C(X_i) | C(X_j)); (ii) expert judgments informed by these databases; or (iii) simulation efforts again informed by such databases. Yet, to our knowledge, the efforts discussed here are among the first to empirically examine such interactions. Hence, we provide an early step toward characterizing such probabilities in future studies by exploring the patterns of these IFI_ij events in specific contexts and their broad social consequences. In effect, we use these patterns as a basis for characterizing event patterns to help inform planning. This approach characterizes IFIs in terms of an ex post version of systematic risk analysis.

2.4 A Framework for Characterizing IFIs

We discuss this framework in terms of infrastructure systems X_i that could be affected due to interrelationships A_ij, given that a large scale failure C(X(e)) in the electrical system X(e) has occurred. This electrical system failure could be the result of an extreme event involving equipment failure within the electrical system, as in the case of the August 2003 blackout that affected northeastern North America. It could also be the effect of an extreme event outside the electrical system such as the ice storm in Quebec in 1998. The framework will be applied to these outages in the next section. The basis for this framework is the observation that an IFI arising from an outage leads to certain societal consequences. The framework is thus divided into three sections characterizing the outage itself, the IFIs resulting from the outage, and the consequences of those IFIs as shown in Table 1.

The outage is characterized by date, a description of the event, whether the initiating event was internal or external (to the electrical system), the spatial extent and duration of the event, and the weather conditions and temperature at the time of the event. This information remains constant for any one event. For example, the Northeast blackout is characterized as beginning on August 14, 2003, initiated by an event internal to the power system. Because it affected both the United States and Canada, the spatial extent is considered to be international. The blackout lasted for days in some areas and the weather conditions were moderate, though the temperature was hot. In contrast, the 1998 ice storm occurred in winter with extreme weather conditions causing the blackout. The initiating event in this case is deemed to be external to the power system; in some locales, the system was out for weeks. (Also, a storm is a “continuous” event that lasts a minimum of hours, possibly days, or weeks.)

The second part of our framework characterizes the infrastructure failure interactions. The values associated with this part of the framework, many of which are drawn from key concepts in the work of Peerenboom et al. [17], Nojima and Kameda [18], and Yao et al. [19], are shown in Table 2. The four interdependency characteristics—physical, cyber, geographic, and logical—are discussed by Peerenboom et al. [17]. Human actions play a particular role in interdependencies categorized as logical. The IFI types cascading and escalating also come from their work, as well as the characteristics complexity, operational state, and adaptive potential. The research of Nojima and Kameda in lifeline interactions in the Kobe earthquake yields the IFI types compound damage propagation and restoration. Yao et al. [19] use multiple earthquakes to develop their classification of lifeline interactions, containing all of the categories used by the other two groups, but with different names. In addition, they include a category called substitute interaction, or substitutive in our framework. Rinaldi et al.
[9] distinguish between dependency and interdependency, where dependency is a unidirectional relationship and interdependency is a bidirectional relationship between systems. We make no such distinction in our framework, except for the inclusion of a feedback characteristic that indicates whether a particular IFI has a return effect on the power system. The division into direct, second, and higher order effects is important due to the complex interactions that can occur between systems. Often the direct impacts of a power outage can be anticipated, such as electrical machinery and appliances not working. Failure to understand the higher order impacts leaves decision makers unprepared to effectively deal with these disruptions [1]. The final five characteristics in the framework as shown in Table 1, explained in Table 2, relate to the consequences of the IFI. These characteristics are most important for designing mitigation strategies, as will be shown in the analysis and comparison in Section 3 of two major outage events.

TABLE 1 Infrastructure Failure Interdependencies

| Characteristic | Values | Explanation |
|---|---|---|
| Impacted system | Building support, business, education, emergency services, finance, food supply, government, healthcare, telecommunications, transportation, utilities | The infrastructure systems |
| Specific system | Various | A subdivision of the impacted system |
| Description | Various | A brief summary of the impact on the system |
| Types of interdependency | Physical | The system requires electricity to operate |
| | Geographic | The system is colocated with electrical infrastructure |
| | Cyber | The system is linked to the electrical system electronically or through information sharing |
| | Logical | The system depends on the electrical system in a way that is not physical, cyber, or geographic |
| Types of IFI | Cascading | The disruption of the power system directly causes the disruption in the impacted system |
| | Escalating | The disruption of the power system exacerbates an already-existing disruption in the impacted system, increasing the severity or outage time |
| | Restoration | The power outage hampers the restoration of the impacted system |
| | Compound damage propagation | The power system disruption leads to a disruption that then causes serious damage in the impacted system |
| | Substitutive | A system is disrupted due to demands placed on it to substitute for the power system |
| Order | Direct | The IFI is a direct result of the power outage |
| | Second order | The power outage is once removed as the cause of the system disruption |
| | Higher order | The power outage is twice or more removed as the cause of the system disruption |
| System failure leading to this effect | See impacted systems’ list | Electrical in the case of direct order events; the system that caused the disruption in the impacted system for second- and higher order events |
| Complexity | Linear | Expected and familiar interactions, often intended by design |
| | Complex | Unplanned or unexpected sequences of events |
| Feedback | Yes | The impacted system affects the power system |
| | No | The impacted system does not affect the power system |
| Operational state | At capacity | The impacted system was operating at 100% when the power outage occurred |
| | Near capacity | The impacted system was operating above 90% when the power outage occurred |
| | Below capacity | The impacted system was operating at 90% or below when the power outage occurred |
| Adaptive potential | High | The system has ways to respond quickly in a crisis |
| | Low | An inflexible system that cannot quickly respond |
| Restart time | Minutes, hours, days, weeks | The amount of time required for the impacted system to return to preoutage operating capacity once electric power has been restored |
3 APPLICATIONS OF THE IFI FRAMEWORK

3.1 Database and Applications

This section discusses two applications of the framework described above. The intent is to explore how the patterns of C(X_i) arise in real events, within a defined X for each event, where the triggering event C(X(e)) is a major electrical outage X(e) stemming from an extreme event either within or external to the electrical system. In order to characterize IFIs from various power outages, we constructed a database employing the characteristics and values in the conceptual framework. Each record in the database consists of an observed IFI, from a societal standpoint, reported in major media or in technical reports. The database contains hundreds of IFIs from a number of recent outages, including the August 2003 Northeast blackout and the 1998 Quebec ice storm. Searches were conducted on the Lexis-Nexis database and other search engines to identify information and published sources related to the events. The data sources include major newspapers, such as the Montreal Gazette, Ottawa Citizen, New York Times, and Toronto Star, and technical reports regarding these events (e.g. [20]). Figures 1 and 2 illustrate the kinds of interactions and consequences in the database. The first figure characterizes the consequences of the 2003 Northeast blackout while the second portrays consequences that occurred during the 1998 ice storm. These diagrams show that we divide impacts by the infrastructure affected (e.g. transportation) and the specific subsystems (e.g. mass transit). Each also includes a table with a coding system to generally indicate the severity and extent of impacts.

TABLE 2 Consequence Characteristics

| Characteristic | Value | Explanation |
|---|---|---|
| Severity | Minor | Minor modifications in daily routine or plans that cause negligible hardship to the person or entity |
| | Moderate | A few modifications in daily routine or plans that cause some hardship to the person or entity |
| | Major | Significant modifications in daily routine or plans that cause considerable hardship to the person or entity |
| Type | Economic, health, safety, social, environmental | Primary category under which the consequence falls |
| Spatial extent | Local | One city or area affected |
| | Regional | More than one city or area within a province or state affected |
| | National | More than one state or province affected |
| | International | More than one country affected |
| Number of people | Few | In the spatial extent of the consequence, one neighborhood or isolated individuals were affected |
| | Many | In the spatial extent of the consequence, up to 50% of the population was affected |
| | Most | In the spatial extent of the consequence, at least 50% of the population was affected |
| Duration | Minutes, hours, days, weeks | The amount of time the consequence endures, which may be greater than the restart time |
FIGURE 1 Infrastructure failure interdependencies and their consequences for the 2003 Northeast blackout. [Diagram: the event at the center, linked to the affected infrastructures (utilities, building support, business, emergency services, transportation, telecommunications, finance, food supply, health care, government) and their affected subsystems. Coding: major disturbances to a large percentage of the population; major disturbances to a small percentage of the population; minor to moderate disturbances to a large percentage of the population; minor to moderate disturbances to a small percentage of the population; no entries.]
For analysis, we developed indices of consequences using the weights shown in Table 3. The weights were assigned in terms of subjective three-point scales (e.g. 1–3), and were treated as cardinal numbers to serve as a basis for differentiating the IFIs. The impact value (ranging from 1 to 9) is the product of the IFI's duration and severity weights. For example, a moderately severe IFI (weight = 2) that lasted for weeks (weight = 3) would have an impact value of 6. The midpoint for the scale is 5; hence values above that indicate more severe consequences with longer duration than those less than 5. The extent value (ranging from 1 to 9) is the product of the weights for the IFI's spatial extent and number of people affected. An IFI that affects only a few people (weight = 1) regionally (weight = 2) would have an extent value of 2. Values of extent greater than 5 indicate that large numbers of people were affected over an extensive geographic area. It is also important to note that the impact and extent indices can only take on certain discrete values (i.e. 1, 2, 3, 4, 6, ..., 9).

FIGURE 2 Infrastructure failure interdependencies and their consequences for the 1998 ice storm blackout. [Diagram: the event at the center, linked to the affected infrastructures (utilities, building support, business, emergency services, transportation, telecommunications, finance, food supply, health care, government) and their affected subsystems, with the same coding of disturbance severity and extent as Figure 1.]

3.2 August 2003 Blackout

On August 14, 2003, the largest blackout in North American history occurred, with over 50 million people in Ontario, Canada, and parts of the Northeast and Midwest United States affected by the power outage. Our initial examination of this event has focused on the four major cities most affected by the blackout: New York City, Detroit, Cleveland, and Toronto. Figure 1 characterizes the 2003 Northeast blackout in terms of first and second order failure interdependencies and degree of disruption.
TABLE 3 Weights for Consequence Indices

| Weights | Duration | Severity | Spatial Extent | Number of People |
|---|---|---|---|---|
| 3 | Weeks | Major | International, national | Most |
| 2 | Days | Moderate | Regional | Many |
| 1 | Hours, minutes | Minor | Local | Few |

FIGURE 3 Consequence indices for infrastructure failure interdependencies and their consequences for the 2003 Northeast blackout. [Plot: impact index (1, low, to 9, high) against extent index (1, small, to 9, large), divided into Quadrants 1 to 4; each cell gives the number of reported consequences by type (economic, environment, health, safety, social).]
Figure 3 provides a compact summary of information in Figure 1, but disaggregated in terms of the nature of the consequences of the IFI. The colors indicate the types of consequences and the number indicates how many times that particular consequence was reported. Figure 3 also separates the IFIs into four quadrants or categories. Axes separating the quadrants are located at the respective midpoint values of the potential range of impact and extent values (i.e. 5 on a scale of 1–9). Quadrant 1 represents major disturbances to a majority of the population, while Quadrant 2 includes major disturbances to a small percentage of the population. Quadrant 3 indicates minor inconveniences to a small percentage of the population. Quadrant 4 represents IFIs that caused minor inconveniences to a large percentage of the population. From a societal point of view, IFIs in Quadrant 1 are of greatest concern. This quadrant includes IFIs that have both high impact and broad extent of impact.
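The index arithmetic and quadrant assignment described above (the Table 3 weights, the impact and extent products, and the midpoint axes of Figure 3), as an added Python example that is not the authors' code or database. The record class, the function names, and the ratings given to the sample records are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import product

# Weights from Table 3: three-point scales treated as cardinal numbers.
WEIGHTS = {
    "duration": {"minutes": 1, "hours": 1, "days": 2, "weeks": 3},
    "severity": {"minor": 1, "moderate": 2, "major": 3},
    "spatial_extent": {"local": 1, "regional": 2, "national": 3, "international": 3},
    "people": {"few": 1, "many": 2, "most": 3},
}
MIDPOINT = 5  # quadrant axes sit at the midpoint of the 1-9 index range


@dataclass(frozen=True)
class IFIRecord:
    """One observed IFI, reduced to the fields the two indices need (hypothetical schema)."""
    impacted_system: str
    description: str
    consequence_type: str  # economic, health, safety, social, environmental
    severity: str
    duration: str
    spatial_extent: str
    people: str

    def __post_init__(self):
        # Reject labels outside the framework's value lists rather than
        # silently mis-scoring a record.
        for name, table in WEIGHTS.items():
            value = getattr(self, name)
            if value not in table:
                raise ValueError(f"{name}={value!r}; expected one of {sorted(table)}")

    @property
    def impact(self):
        """Impact index = duration weight x severity weight."""
        return WEIGHTS["duration"][self.duration] * WEIGHTS["severity"][self.severity]

    @property
    def extent(self):
        """Extent index = spatial-extent weight x number-of-people weight."""
        return WEIGHTS["spatial_extent"][self.spatial_extent] * WEIGHTS["people"][self.people]


def attainable_values():
    """Values that a product of two weights drawn from {1, 2, 3} can take."""
    return sorted({a * b for a, b in product((1, 2, 3), repeat=2)})


def quadrant(record):
    """Quadrant number as described for Figure 3 (axes at the midpoint)."""
    high_impact = record.impact > MIDPOINT
    wide_extent = record.extent > MIDPOINT
    if high_impact and wide_extent:
        return 1  # major disturbance, large share of the population
    if high_impact:
        return 2  # major disturbance, small share
    if wide_extent:
        return 4  # minor disturbance, large share
    return 3      # minor disturbance, small share


def tally(records):
    """Count records per (quadrant, consequence type), the breakdown Figure 3 plots."""
    counts = Counter()
    for r in records:
        counts[(quadrant(r), r.consequence_type)] += 1
    return counts


def quadrant_one(records):
    """Quadrant 1 records, widest extent first (this ordering is an illustrative choice)."""
    hits = [r for r in records if quadrant(r) == 1]
    return sorted(hits, key=lambda r: (r.extent, r.impact), reverse=True)


# Constructed sample: the events are ones the chapter mentions, but the
# ratings assigned to them here are invented for illustration.
SAMPLE = [
    IFIRecord("transportation", "traffic signals inoperable", "safety",
              "major", "days", "international", "most"),
    IFIRecord("utilities", "boil water advisories issued", "health",
              "major", "days", "regional", "most"),
    IFIRecord("finance", "bank machines not working", "economic",
              "minor", "hours", "international", "many"),
    IFIRecord("healthcare", "blood supplies dwindled", "health",
              "moderate", "days", "local", "few"),
    IFIRecord("business", "major employer shut down", "economic",
              "major", "weeks", "local", "few"),
]

if __name__ == "__main__":
    print("attainable index values:", attainable_values())
    for rec in SAMPLE:
        print(f"Q{quadrant(rec)} impact={rec.impact} extent={rec.extent} {rec.description}")
    print("Quadrant 1 first:", [r.description for r in quadrant_one(SAMPLE)])
```

Because no product of two weights equals 5, a record can never fall on a quadrant axis, so the assignment is unambiguous.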
Out of the 162 IFIs in the database for the Northeast blackout, 13 are in Quadrant 1, which contains IFIs of large extent and high impact. In the far right of this quadrant are the three most serious IFIs. The two consequences to health are (i) water delivery systems malfunctioning or failing in some areas and (ii) the resulting boil water advisories that were issued. Compliance with the advisories was especially difficult for those who had electric stoves. Safety problems were created by numerous traffic signals being inoperable, resulting in traffic jams and collisions. A joint US-Canadian task force traced the origin of the 2003 outage to northern Ohio, where a series of electrical, human, and computer incidents led to cascading failures in the North American electrical grid [21]. The next event analyzed was not caused by human and mechanical errors, but by a natural hazard.

3.3 Ice Storm

In January 1998, parts of Ontario, Quebec, and New Brunswick and the northeastern United States experienced one of the worst ice storms in recent history. The storm started on January 4 and continued for 6 days. In Canada, the weight of the ice caused 1000 transmission towers and 30,000 distribution poles to collapse [22], and at the peak of the outage, close to 1.4 million people in Quebec and 230,000 in Ontario were without power. Some people in rural areas went without power for more than 30 days. The ice storm consequences are summarized in Figure 4. The ice storm database contains 102 IFIs, two of which are of large extent and high consequence in Quadrant 1. The two most serious IFIs in the ice storm were major employers shutting down for up to 2 weeks and communication problems for emergency services. In entering IFIs into the ice storm database, it was sometimes difficult to distinguish between problems caused by the storm itself and problems caused by the power outage. This is one of the differences between analyzing internally and externally initiated events. The next subsection compares the two events further.

3.4 Comparative Analysis

In both these events, less than one percent of the total IFIs captured in the database are found in Quadrant 1; the majority of IFIs are contained in Quadrant 3. These are all minor disturbances that probably do not require mitigation attention but could become more serious in outages of longer duration. Reporting is also less likely to be complete with minor disturbances. In the financial system, for example, many bank branches were closed and bank machines did not work because of the outages. While this is an inconvenience if it lasts only for a short period of time, it could become a major disturbance in an outage of longer duration. Also, blood supplies dwindled in both events and could become a serious public health issue over a longer outage period. Figure 5 shows the distribution of types of consequences for the two events. In the ice storm, there are more health consequences than any other type, while a higher percentage of consequences in the Northeast blackout are economic. The season and the longer duration of the ice storm outage are two possible explanations for this difference. IFIs associated with the ice storm outage had no environmental consequences, and the Northeast blackout very few, none of which are rated high on the impact index. The consequence characteristics, as explained in Table 3, are related to the direct, immediate effect the IFI has on people, instead of long-term effects that could result from environmental degradation.
FIGURE 4 Consequence indices for infrastructure failure interdependencies and their consequences for the 1998 ice storm. [Plot: impact index (1, low, to 9, high) against extent index (1, small, to 9, large), divided into Quadrants 1 to 4; each cell gives the number of reported consequences by type (economic, health, safety, social).]
Figure 6 compares the infrastructure systems disrupted by IFIs in Quadrants 1, 2, and 4 and shows notable differences between the two events. In the ice storm event, from the standpoint of societal impacts, emergency services and building support were the systems most affected by the blackout. Building support includes plumbing, heating, ventilation, and elevators, among other functions. The Northeast blackout had significantly more IFIs in the transportation system than did the ice storm event, which may be a result of the internal nature of the outage event. In an external event like the ice storm, weather causes initial problems in the transportation system that are only minimally exacerbated by the outage. Further analysis of these and other extreme events will help determine which systems are more likely to be affected by outages internal to the electrical system and those affected more by external events, such as storms and earthquakes.
FIGURE 5 Consequence indices for infrastructure failure interdependencies in Quadrants 1, 2, and 4 by type. [Pie charts for the Northeast blackout and the ice storm showing the shares of economic, environment, health, safety, and social consequences.]

FIGURE 6 Disruptions of infrastructure failure interdependencies in Quadrants 1, 2, and 4 by affected system. [Bar chart, 0% to 25%, comparing the Northeast blackout and the ice storm across building support, business, emergency services, finance, food supply, government, healthcare, telecommunications, transportation, and utilities.]

4 DISCUSSION

We noted earlier that risk analysis often begins by asking what can go wrong, how it can go wrong, and what the consequences are. The analysis of the 2003 Northeast blackout and the 1998 ice storm is the first step in answering those questions, more specifically framed as follows.

1. What consequences matter most when examining the potential for failures in interconnected infrastructure systems? What consequences matter most for decisions about managing these failures?
2. How can one judge the severity of the consequences of IFIs?
3. What patterns of IFIs are the most significant sources of concern?

In order to answer Question 2, we developed the consequence indices, which took into account the severity, duration, spatial extent, and number of people affected by an IFI. These calculations were matched with the type of consequence and are shown in Figures 2 and 3 to answer Question 1. For Question 3, the comparative analysis of the two events in Section 3.3 is the initial step toward identifying patterns. Moreover, applications in two very different outage events—a summer short duration event originating in the electric power transmission system versus a winter long duration natural disaster
affecting primarily the power distribution system—provide many useful insights. While our particular focus here is on electric power failures, the framework could be generalized to any source of IFIs.
5 FUTURE RESEARCH The analysis conducted thus far suggests several areas for further research. For example, duration of outage is a key difference that should be further explored. We have found that IFIs are expected to exhibit nonlinear and threshold effects in relation to power outage duration. Preliminary analysis also indicates that impacts on transportation tend to be severe and widespread across different types of outage events. The transportation system is therefore an important system to target for mitigation purposes. Further data collection and analysis across a broader range of disasters and disaster-affected communities will help develop more robust findings. Lastly, our analysis does not incorporate weights or value judgments across types of IFI impacts. Developing frameworks for addressing differences in types of consequences will be important in future research studies. Some of the results produced by this study may also be of use to other similar research projects. For example, the empirical approach we adopted can be used to provide a complimentary approach (based on IFIs that have actually occurred) to probabilistic, system-based, and simulation models for power outages and their impacts. A robust empirical basis that incorporates experiences across a range of event and community types is also needed. Commonalties and differences in IFIs that occur across types of natural, technological, and willful disasters should also be explored. For example, identifying IFIs that occur in many types of events would be promising targets of mitigation from a multihazard perspective. Further, while this study focuses on IFIs deriving from electric power failure, the framework can be readily extended to assess other types of infrastructure interdependencies and for setting priorities about potential ways to mitigate the likelihood and the consequences of their interdependent failures. REFERENCES 1. Peerenboom, J. P., Fisher, R. E., Rinaldi, S. M., and Kelly, T. 
K. (2002). Studying the chain reaction. Electric Perspect. 27(1), 22–35. ` P., and Sabourin, J. P. (2003). Characteriza2. Robert, B., Senay, M.-H., Plamondon, M. E. tion and Ranking of Links Connecting Life Support Networks, Public Safety and Emergency Preparedness Canada, Ontario. 3. Lave, L. B., Apt, J., Farrell, A., and Morgan, M. G. (2005). Increasing the security and reliability of the USA electricity system. In The Economic Impacts of Terrorist Attacks, H. W. Richardson, P. Gordon, J. E. MooreII, Eds. Edward Elgar Publishing, Inc., Cheltenham, pp. 57–70. 4. Amin, M. (2004). North American Electricity Infrastructure: System Security, Quality, Reliability, Availability, and Efficiency Challenges and their Societal Impacts, National Science Foundation, Arlington, VA. 5. Stewart, T. R., and Bostrom, A. (2002). Workshop Report: Extreme Event Decision Making, Arlington, VA. 6. Ezell, B. C., Farr, J. V., and Wiese, I. (2000). Infrastructure risk analysis model. J. Infrastruct. Syst. 6(3), 114–117.
1324
CROSS-CUTTING THEMES AND TECHNOLOGIES
NOTATION

C = operability failure
IFI = infrastructure failure interdependencies
A = matrix of interdependent relationships among systems
X = system of interdependent infrastructure systems
X (e) = electrical system outage
MANAGING CRITICAL INFRASTRUCTURE INTERDEPENDENCIES: THE ONTARIO APPROACH

Bruce D. Nelson
Emergency Management Ontario, Ministry of Community Safety and Correctional Services, Toronto, Ontario, Canada
1 INTRODUCTION

In Canada, the federal government has developed a draft national strategy for critical infrastructure (CI) protection, which respects the jurisdictional prerogatives of the provincial and municipal levels of government and the proprietary interests of the private sector. As such, the federal government uses a collaborative risk management–based strategy that aims to increase the resiliency of the national infrastructure through the development of trusted partnerships, the adoption of an all-hazards risk management approach, and the timely sharing of information. The national strategy recognizes the prerogative of provinces and territories to develop their own CI activities or programs and, as such, is highly supportive of these initiatives.

Within this national context, the province of Ontario developed the Ontario Critical Infrastructure Assurance Program (OCIAP). To properly understand OCIAP’s approach, we must understand the environment in which it was developed; the context of CI in Ontario’s emergency management program; the relationship of the three functions of public safety: preparedness and response, counterterrorism, and CI; and the development of the program itself. This article then describes a program whose aim is to make Ontario’s CI more disaster resilient and sustainable during threats from all hazards through the collaborative effort of government and the private sector in a sectorial approach.

2 CANADIAN ENVIRONMENT

In Canada, the responsibility for civil emergencies lies with the regions (provinces and territories) and the principal responsibility for war-related preparedness and emergency planning rests with the Federal Government [1–3]. This has been established by the division of powers, which is articulated in the Constitution Act of 1867 and in Memorandums of Agreement between the Federal Government and the regions. Public Safety Canada (PS Canada) supports OCIAP through their regional office.
The collaboration between this group and the Emergency Management Ontario (EMO) Critical Infrastructure Assurance Program (CIAP) Staff has aided the development and success of the Ontario Program.
PS Canada also supports the Ontario CI program through cost sharing arrangements that sustain sector working group (SWG) meetings, awareness workshops, the annual conference, the production of CI materials and tools, and a modeling project.
3 THE PROVINCE OF ONTARIO AS A MAJOR REGION

The Province of Ontario has the largest and most concentrated population compared to other provinces and territories of Canada. One third of all Canadians live in Ontario, most of those within an hour’s drive of the Canada–US border. Ontario is home to the nation’s capital in the city of Ottawa and 40% of the federal government’s infrastructure. Toronto, the capital of Ontario, is the largest city in Canada and the center for many head offices of major corporations. Ontario is Canada’s manufacturing leader, producing 58% of all manufactured goods that are shipped out of the country. The US is Ontario’s biggest trading partner: more than 90% of exports are sent there. Every day, more than $700 million in goods crosses the Ontario–US border by highway. Ontario has 14 Canada–US border crossings, the most of Canada’s provinces and territories. Approximately 110 million tonnes of cargo move between Canada and the United States via waterways and coastal ports every year. Ontario is the largest nuclear jurisdiction in North America and more than 50% of Canada’s chemical industry is located in Ontario.

Within this context, the development of the Ontario program occurred as a result of significant infrastructure failures, which required two other public safety functions to be addressed: CI and counterterrorism. Following the Eastern Ontario Ice Storm of 1998, EMO laid the foundation for an increase in capacity and the need to address CI; the September 11, 2001 terrorist attacks broadened the view of threats facing Ontario’s infrastructure. Although the CI program was developing, the SARS epidemic and the Blackout of 2003 demonstrated the vulnerabilities of networks and their interdependencies. These events caused political leaders to engage actively in the EMO-led reforms.
At the heart of these reforms was the movement toward the adoption of comprehensive emergency management programs based on a risk management approach, including activities in the five core components of emergency management: prevention, mitigation, preparedness, response, and recovery. As part of the reforms, Ontario requires provincial ministries and communities to develop, implement, and maintain comprehensive emergency management programs (Figure 1). The Emergency Management Act requires ministries and municipalities to conduct hazard identification and risk assessment, as prescribed by the Act and Regulation, and identify CI. The Act went on to change the Freedom of Information legislation at the provincial and municipal level allowing for protection of CI information—recognizing the need to demonstrate its commitment to creating a secure and trusted information-sharing network amongst governments and the private sector.
4 GETTING STARTED

In March 2002, a planning team, ably assisted by my federal counterpart from the PS Canada regional office in Toronto, was established to develop and implement a CIAP for the province. The program was to be a province-wide program that would identify and assess Ontario’s key facilities, systems, and networks, and their interdependencies, and develop a strategy to protect their vulnerabilities from physical and cyber threats. In developing the program, it became readily apparent that we would have to reconcile the public safety functions of counterterrorism, emergency management, and critical infrastructure assurance into a coherent approach. This conceptual understanding of the mutually supportive interrelationship of functions has proven to be a valuable intellectual tool, particularly when engaging in discussions with police and intelligence agencies.

In Figure 2, time flows from the top to the bottom. The event line represents the moment that the adverse event occurs, whether that is a natural hazard, a technological failure, or a human-caused event. The three “circles” represent the three core functions of public safety and security that directly relate to the successful implementation of the program. Counterterrorism is a police and intelligence function that responds to human-induced threats. Most counterterrorism functions occur before the anticipated event. And, although consequence-based emergency management planning occurs before the anticipated event, most emergency management activities are consequence based, and occur as a response after the event takes place. CI assurance is a science-based risk management analysis of specifically identified infrastructure to assure its continued functioning. Like counterterrorism, it is a prevention or mitigation strategy intended to reduce the impact of adverse events. CI assurance differs from counterterrorism in that it focuses on the overall vulnerability of systems rather than specific, imminent threats. However, as the diagram shows, there is considerable overlap among the three functions, emergency management, counterterrorism, and critical infrastructure assurance.
The star indicates the position where the circles overlap, and it is at this position that the decision makers, during an emergency, must bring the three circles together.

FIGURE 1 Hierarchy of emergency management documents in Ontario. [Figure not reproduced. Labels shown: doctrine; legislation (EMCPA); order in council regulations; standards; guidelines, recommended practices; plans; procedures.]

FIGURE 2 The functional approach. [Figure not reproduced. Labels shown: critical infrastructure assurance (systems vulnerability based); counterterrorism (threat based); emergency management (consequence-based preparedness and response); event line separating pre-event from post-event.]
5 PROGRAM DEVELOPMENT—THE CONCEPT

The CIAP planning team started with a clean sheet and began researching CI programs nationally and internationally. The planners realized that it is more difficult and costly to protect against all hazards or threats than to take the business continuity process (BCP) approach and assure the continuance of key facilities. The program then became the CI assurance program addressing vulnerability and resilience.

The program takes a strategic approach when it comes to sector working group (SWG) networks. The owner/operators retain the specific location of a network’s critical infrastructure; the program requires an understanding of the networks in general and their types of critical infrastructure in order to facilitate informed emergency management decisions, and enable senior leaders to set appropriate response priorities.

Having determined that it takes a network to address a network, the planners developed a concept that required a program bringing the three levels of government (federal, provincial, and municipal) together with the private sector (owner/operators) to address critical infrastructure. The challenge is to remain within the requirements of legislation and, in particular, to respect the divisions of authority each government has and the regulatory requirements placed on the private sector. The program would bring regulators, inspectors, and owner/operators together as equals in a trusted information-sharing network.

The question of categorizing human resources and cyber as sectors remained an issue until they were determined to be enablers that play a key role in all sectors. The program stressed the need for key personnel and safeguards to the cyber component of systems and networks that permeate through all the sectors. The CIAP concept was approved by management and moved to the implementation stage in the spring of 2003. The program continues to evolve as the sector work progresses.
6 THE CRITICAL INFRASTRUCTURE ASSURANCE PROGRAM

The following outlines the program as designed by the CIAP planning team.

6.1 Program Vision

Ontario’s critical infrastructure will become disaster resilient and sustainable during threats from all hazards through the collaborative effort of government and the private sector.

6.2 Program Aim and Objectives

The aim of the OCIAP is to increase the resiliency of the province’s critical infrastructure, so that it is more sustainable during an adverse event. The central objectives of the OCIAP are to

• engage the owners and operators of critical infrastructure (public and private) in a comprehensive provincial approach;
• focus efforts to assure infrastructure assets of the greatest criticality and vulnerability;
• increase communication and collaboration within and between sectors to share information on critical infrastructure risks and interdependencies and to address threats and hazards; and
• collaborate with all levels of government and the private sector to develop and promote best practices to assure critical infrastructure.

6.3 Definitions

The following definitions were developed for the program.

CI is defined as follows: interdependent, interactive, interconnected networks of institutions, services, systems, and processes that meet vital human needs, sustain the economy, protect public health, safety and security, and maintain continuity of and confidence in government.

Since the Ontario program is an assurance program that assists practitioners in understanding the assurance concept, the following definition became important.

CI assurance is defined as follows: the application of risk management and business continuity processes for the purpose of reducing the vulnerabilities of critical infrastructure by decreasing the frequency, duration, and scope of disruption and facilitating preparedness, response, and recovery.

The program’s key principles are risk management, business continuity, and collaboration. As part of comprehensive emergency management, the program is integral to the five components of emergency management: prevention, mitigation, preparedness, response, and recovery. However, the majority of work in critical infrastructure assurance occurs before an event, and the majority of the work addresses prevention and mitigation.
FIGURE 3 Ontario’s Critical Infrastructure Assurance Program Committee structure. [Figure not reproduced. It shows the Emergency Management Coordinating Committee (EMCC), a coordinating committee for the coordination and development of emergency management policies, programs, plans, and operating procedures in Ontario; the Critical Infrastructure Assurance Steering Committee (CIASC), a steering committee overseeing the coordination and development of the Ontario Critical Infrastructure Assurance Program; and the nine sectors: telecommunication systems, food and water, financial institutions, electricity, public safety and security, gas and oil, transportation, continuity of government, and health.]
CI can be damaged, destroyed, or disrupted by natural hazards, negligence, accidents, criminal activity, and terrorist activity. Accordingly, the program assesses the potential likelihood and impact for both human-induced and natural hazards and relates this to the resiliency of the province’s critical infrastructure.

6.4 Managing Interdependencies

Consistency of the CIAP with a comprehensive provincial emergency management program will be ensured through the following structure. There will be an SWG for each of the identified critical infrastructure sectors. The program requires the SWG to meet four times a year at a minimum during the development stage. In practice, some sectors meet monthly to complete the required work.

SWGs report to the Critical Infrastructure Assurance Steering Committee (CIASC), which oversees the coordination and development of the program. The EMO Deputy Chief, Operations and Analysis, chairs the CIASC. The committee oversees the coordination and development of the program and addresses the issues concerning research and funding. It comprises EMO CI staff, SWG lead/coleads, representatives from PS Canada, and the provincial Ministry of the Attorney General to address freedom of information issues, Ministry of Infrastructure Renewal to address funding issues, and others as required. This committee meets four times a year.

The CIASC reports to the Emergency Management Coordinating Committee (EMCC), which is tasked with the coordination and development of emergency management programs, policies, plans, and procedures in Ontario. The Chair of the CIASC reports to the EMCC (Figure 3).
7 SECTOR WORKING GROUPS

The SWGs are the key to the program and their composition reflects the federal, provincial, municipal, and private owner/operator stakeholders of their defined sector. The objectives for each SWG are to meet regularly to outline the industry within the sector, identify and assess the key elements of critical infrastructure within their particular sector having considered vulnerabilities, threats, and ensuing risks, identify assurance indicators, and facilitate mitigation to reduce the vulnerability or lessen the consequence created by a particular threat or hazard. All these will be documented in the model and assurance document for the sector. The assurance document is meant to provide senior management leaders comfort that the owners and operators are applying the appropriate due diligence to ensure that their systems are resilient to physical and cyber threats.

The success of the SWGs and ultimately the entire program will result in and depend upon the development of an open and trusting communication network of participants. CI information is protected under the Emergency Management and Civil Protection Act as indicated previously. It is important that information flow seamlessly among SWGs in order to address interdependencies; however, that information must be treated as confidential. To assist participants in the SWGs, the assurance document contains a section on communication protocol for SWG information sharing and communication protocols during an emergency.

The program identified nine broad CI sectors, and assigned a ministry lead, in some cases coleads, to chair the sector and direct its activities. The determination of lead ministries was based upon the business lines and responsibilities (Table 1).

TABLE 1 The Sectors and their Respective Lead/Colead Ministries
SWG: Food and Water Sector; Electricity Sector; Transportation Sector; Gas and Oil Sector; Financial Institutions Sector; Telecommunication Systems Sector; Public Safety and Security Sector; Continuity of Government Sector; Health Sector
Lead/Co-Lead Ministries: Ministry of Agriculture and Food (food); Ministry of the Environment (water); Ministry of Energy; Ministry of Transportation; Ministry of Energy; Ministry of Finance; Ministry of Economic Development and Trade; Ministry of Government Services; Ministry of Community Safety and Correctional Services; Ministry of Government Services; Ministry of Health and Long-term Care

7.1 Establishing a Sector Working Group

Each sector lead and colead is responsible for forming the SWG, establishing their own individual protocols, and for keeping files and records related to the working group. SWG lead/coleads report to and sit on the CIASC. The following steps have proved successful in forming the groups:

• The EMO Staff and PS Canada CI Coordinator (facilitating group) meet with the assigned lead representative and outline the concept of the program and their work. Program information and guide materials are provided.
• The facilitation group and the lead determine the ministries that should be involved, and these are invited to a CI information meeting with presentations by the facilitation group and the lead. The ministries participating then develop a relationship.
• The group now determines the federal representation based upon their normal business connections and existing federal responsibilities. The PS Canada CI Coordinator facilitates the inclusion of federal regional department representatives who would have a responsibility to the sector.
• The next step is to include the municipal representatives who have an interest in the sector.
• Finally, the private sector (owner/operators) is included. Because of the sheer number of potential representatives, the private sector is normally represented by regional associations.
7.2 SWG Deliverables

7.2.1 Sector Model. The sector model is a generic systems map of the sector depicting its network, critical nodes, and dependencies/interdependencies. This model will provide decision makers with a better understanding of the sector and its interdependencies, as well as serve as a tool to work with scenarios during exercises and real-time emergencies. From this model, a risk matrix for the sector can be produced, which will show the vulnerable nodes in the sector; assurance solutions and best practices can then be developed to mitigate against those vulnerabilities. The model is then used in the interdependencies modeling software program under development at this time.

7.2.2 Assurance Document. The assurance document outlines the sector industry, identifies CI, addresses vulnerabilities, identifies assurance indicators, and provides assurance solutions. The assurance document will give decision makers a good understanding of the sector, and its vulnerabilities and dependencies, and will ultimately aid in decision making during an emergency. EMO provides a template for the assurance document, which includes the following:

• vision and mandate
• resiliency statement
• background on the sector
• SWG participants list
• terms of reference
• communication protocol (SWG information sharing in committee and during an emergency)
• CI assurance indicators that support the resiliency statement
• sector risk management process
• assurance solutions/best practices (next steps).
7.3 Sector Working Group Interdependency Exercises

An important component of the program’s development, and of determining sector dependencies/interdependencies and the strength of relationships, is the exercise component. The program conducts an annual fall conference, which includes an interdependency exercise involving all sectors. The program also conducts smaller workshops where a number of sectors get together to address a particular vulnerability and determine best practices to increase the sectors’ resiliencies. Scenarios at these exercises range from pandemic to fuel shortage.

7.4 Modeling Project

The program includes the Ontario Critical Infrastructure Modeling Project, which aims to produce a dynamic interdependencies model of Ontario’s critical infrastructure. It is a 5-year joint pilot project with the federal government that ends in March 2010. The primary software is RiskOutLook, software developed in Canada for national-level Y2K application, which is now being further developed to depict the cascading effects of interdependencies over time. RiskOutLook creates a model of CI and its interdependencies and, using the assigned impact, vulnerability, and dependency ratings, creates a risk matrix. The risk matrix identifies the CI with the highest impact, and the most vulnerable CI in the system; assurance solutions and best practices can then be developed to mitigate these vulnerabilities. The model will also allow for scenarios to be played out in order to study the impact of the disruption or destruction of a particular node of CI. Along with the assurance document, the model will provide a better understanding of Ontario’s infrastructure and its interdependencies and will be used during emergencies and exercises to aid in decision making. This project is dependent upon the mapping work done by the sectors. As each SWG provides input, a true determination of the software’s capabilities can be documented.
8 CONCLUSION

The OCIAP is managing Ontario’s complex interrelated infrastructure. The program’s design allows it to start at a strategic level and become more granular as the program matures. With this approach, the program has had good support from the participants and they have not been overwhelmed by the complexity. The most important part of the program is the information-sharing network and from that network the SWG deliverables are attained. Senior managers have recognized work being done in the program and its importance as a prevention/mitigation program that provides input into the emergency management functions of preparedness, response, and recovery. Once implementation is completed, the program will be fully proactive, identifying vulnerabilities and preventing/mitigating threats to raise the resiliency of Ontario’s critical infrastructure.
REFERENCES

1. Part VI, Constitution Acts 1867 to 1982, Distribution of Legislative Powers, Department of Justice, Canada, 1982.
2. Memorandum of Understanding on Emergency Planning between the Government of Canada and the Government of Ontario, February 25, 1985.
3. Emergency Management Doctrine for Ontario, Emergency Management Ontario, August 2005.
ANALYSIS OF CASCADING INFRASTRUCTURE FAILURES

Ian Dobson
University of Wisconsin-Madison, Madison, Wisconsin
1 SCIENTIFIC OVERVIEW

Cascading failure is the primary mechanism by which an attack or accident of limited scale can yield a major and widespread failure of networked infrastructures. For example, disabling a limited number of components of an electric power grid can induce a cascade of failures leading to a widespread blackout, and this blackout can lead to further failures in other infrastructures, such as transportation, communication, and water supply. The characteristic feature of cascading failure is that a series of failures weakens the system and makes further failures increasingly more likely as the failures become widespread. Cascading failure is of interest to terrorists because a modest attack on a suitably chosen set of system components can propagate via cascading failure to become a widespread failure that is much more visible and destructive. Strategies of preventing and deterring an attack need to be augmented with strategies of limiting the propagation of infrastructure failures consequent to the attack.

We think of cascading failure as having some initial failures that are followed by the propagation of a series of further failures. The failures may propagate within a single infrastructure or between infrastructures [1, 2]. The initial failures can arise from different causes, such as terrorism, sabotage, errors, accidents, weather, or system overload, but the subsequent propagation of the failures is a property of the design and operation of the infrastructure. It is desirable to design and operate infrastructures to be resistant to cascading failure so that, regardless of the cause of the initial failures, the risk of the initial failures cascading to a much more widespread infrastructure failure is managed and minimized. To realize this goal, we need to be able to quantify the extent to which failures propagate and relate this to the risks of infrastructure failure.
This chapter gives an overview of a method that is emerging to quantify failure propagation and estimate the risk of infrastructure failure from simulations of cascading failure. The method is first being developed and tested for cascading blackouts of large-scale electric power networks. Catastrophic cascading events in large networked infrastructures are a challenge to risk analysis, as the astronomical number and variety of ways in which failures interact in realistic large networks preclude any exhaustive analysis of the detail of long and intricate sequences of cascading failures. Indeed, many of the ways in which failures interact in actual incidents are of low probability or unanticipated [3]. The reason these interactions occur in practice is owing to the vast number of possible rare or unanticipated interactions and the fact that good engineering practice tends to eliminate the likely and anticipated interactions. It is possible, with effort, to do a detailed analysis of the sequence
of failures after the cascade has occurred [4]. Indeed this is one useful way to identify weak components or problematic interactions in the system that could be upgraded or mitigated. However, one sample from a vast number of possibilities gives no guidance to predicting the overall risk of the other possible cascades. To quantify the overall risk, it is necessary to take a top-down approach that neglects many of the details and to study the essential and hopefully universal features of cascading failure.

1.1 Review Of Cascading

We briefly review the literature related to quantifying cascading failure in large interconnected infrastructures (the established risk analysis that applies to a smaller number of components and interactions that can be analyzed in detail is not addressed). Cascading failure leading to widespread loss of infrastructure is well recognized and there has recently been much progress both in modeling the physical and operational details of the interactions and in recognizing and qualitatively describing cascading between infrastructures as surveyed in [1, 5, 6]. There are several approaches to developing more quantitative methods.

An analytically tractable probabilistic model of cascading failure in which overloaded components fail and successively load other components is described in [7]. A critical loading of the model produces a probability distribution of the total number of failures with a power law region consistent with the observed frequency of North American blackout sizes [8] and blackout simulations [9–12]. The model can be approximated by a probabilistic branching process model [13]. Branching processes have been routinely applied to cascading processes in many fields such as epidemics, cosmic rays, and population growth but have only recently been applied to the risk analysis of cascading failure [13–16].
North American data for the distribution of electric power transmission line outages are fit with several probabilistic models, including an exponentially accelerating cascading model in [17]. There are Markov models for abstract graphs representing interactions between idealized system components [18]. The percentages of inoperability of interdependent infrastructures are obtained as a linear function of the disturbance by solving a Leontief input–output model in [19, 20]. A network of influence factors between system components is considered in [21] and ratios of infrastructure impacts are obtained in [2]. There are many simulations of electric power systems using Monte Carlo and other methods that can be used to estimate the risk of blackouts such as in [9, 10, 12, 22–24]. Another useful approach to blackout risk is to identify and mitigate only the high risk or likely failures as for example in [25]. There are complex system approaches to blackout risk [10, , 26–28] that account for self-organizing dynamics such as network upgrades. There is an extensive literature on cascading in graphs surveyed in [29, 30] that is partially motivated by idealized models of propagation of failures in infrastructure networks such as the Internet. The dynamics of cascading is related to statistical topological properties of the graphs. Work on phase transitions and network vulnerability that accounts for forms of network loading includes the references [31–33]. 1.1.1 Galton–Watson Branching Processes. In this section, an informal and introductory overview of Galton–Watson branching processes for their application to the risk of cascading failure is given; for a detailed and elegant formal treatment of these classical probabilistic models, see [34, 35]. Galton–Watson branching processes apply to discrete
numbers of failures of system components. For simplicity, we suppose that the failure of only one type of component is being tracked. The failures are produced in stages or generations starting from some initial failures, and if the number of failures in a stage becomes zero, then all subsequent stages have zero failures and the cascade of failures stops. Each failure in each stage (a “parent” failure) produces a probabilistic number of failures (“children” failures) in the next stage according to the offspring distribution. For example, the offspring distribution can be a Poisson distribution. The children failures then become parents to produce the next generation and so on. A key property making branching processes tractable is that the parents in each generation produce their respective children in a manner statistically independent of each other. The intent of the modeling is not that each parent failure in some sense “causes” its children failures; the branching process simply produces random numbers of failures in each generation that can match the outcome of cascading processes. To model the initial disturbance produced by terrorism or otherwise, we assume an initial distribution of failures for the first stage that is different from the offspring distribution assumed for the generation of all the following stages. A key parameter of the branching process is λ, which is the mean of the offspring distribution or the average number of children failures per parent failure. If λ < 1, then the cascading process will die out to zero failures at some stage and usually corresponds to an infrastructure failure of small or modest size. If λ > 1, then the cascading process can possibly die out, but it can also propagate to a catastrophe with all components failed. Another parameter is θ, the mean number of initial failures. We consider cascading failure in infrastructures with a large but finite number of interconnected components. 
Therefore, if all components fail, the cascade stops and is said to saturate. More generally, there may be a tendency for the cascades to be inhibited when a certain number of components S less than or equal to the total number of components is reached and this can also be roughly modeled as a saturation. The branching process produces a random total number of failures Y considering all the stages; that is, Y is the total family size. If we measure the disturbance size by Y, then the main data produced by the branching process model is the probability distribution of Y . If the cost of the disturbance as a function of Y is known, then the distribution of risk as a function of disturbance size can be obtained by multiplying the distribution of Y by the cost. The distribution of risk as a function of disturbance size is basic to a quantitative approach to managing the risk [26].
1.2 Behavior of A Cascading Model
We illustrate the qualitative behavior of the saturating branching process model of cascading failure as the amount of propagation λ and the average number of initial failures θ are varied. This behavior is similar to the behavior of other probabilistic cascading failure models [7]. Suppose that the failures propagate in a large number of components S so that each failure has approximately a small uniform probability of independently causing failure in a large number of other components. Then the offspring and initial failure distributions can be approximated by Poisson distributions, and the distribution of the total number of failures Y has an analytic formula given by a saturating form of the generalized Poisson distribution [13, 14]:
$$
P[Y = r] =
\begin{cases}
\dfrac{\theta\,(r\lambda + \theta)^{r-1}\,e^{-r\lambda-\theta}}{r!\,(1 - e^{-\theta})}; & 1 \le r < S \\[2ex]
1 - \displaystyle\sum_{i=1}^{S-1} P[Y = i]; & r = S
\end{cases}
\tag{1}
$$

[Figure 1: log–log plot. Vertical axis: Probability (0.00001 to 1). Horizontal axis: Total number of failures (1 to 1000).]
FIGURE 1 Log–log plot of probability distribution of the total number of failures Y in branching process model for three values of propagation λ. λ = 0.6 is indicated by the diamonds. λ = 1.0 (criticality) is indicated by the boxes. λ = 1.2 is indicated by the triangles (note the triangle in the upper right indicating a high probability of all components failing). The mean number of initial failures is θ = 1 and there are S = 5000 components.
First we assume a small initial attack with a mean number of initial failures θ = 1. Then Figure 1 shows the probability distributions obtained for S = 5000 components and three values of propagation λ. For subcritical λ = 0.6 well below 1, the probability of a large number of failures less than 5000 is exponentially small. The probability of exactly 5000 failures (all components failed) is also very small. As λ increases in the subcritical range λ < 1, the mechanism by which there develops a significant probability of a large number of failures near 5000 is that the power law region of approximate slope −1.5 extends toward 5000 failures [36]. (A straight line of slope −1.5 on a log–log plot indicates the power relationship probability ∝ (number of failures)^(−1.5).) For the near critical λ = 1, there is a power law region extending to 5000 failures. For supercritical λ = 1.2, there is an exponential tail. This again implies that the probability of a large number of failures less than 5000 is exponentially small. However, there is a significant probability of exactly 5000 failures that increases with λ. If we assume a fixed propagation λ = 0.6 and increase the mean number of failures in the initial attack to θ = 20, then the distribution of the total number of failures changes as shown in Figure 2. Consider in Figure 3 how the mean number of total failures EY increases with increasing propagation λ. The mean number of total failures at first increases slowly and then increases much more rapidly at the critical point near λ = 1. It is called a critical point because the sharp change in gradient in Figure 3 and corresponding power law in the distribution of the number of failures in Figure 1 is analogous to a type 2 phase transition in statistical physics.
[Figure 2: log–log plot. Vertical axis: Probability (0.00001 to 1). Horizontal axis: Total number of failures (1 to 1000).]
FIGURE 2 Log–log plot of probability distribution of total number of failures Y in branching process model for average number of initial failures θ = 10 and propagation λ = 0.6. There are S = 5000 components.
[Figure 3: plot. Vertical axis: Mean total number of failures EY (500 to 2000). Horizontal axis: Propagation λ (0.6 to 1.4).]
FIGURE 3 Mean total number of failures EY as a function of propagation λ.
1.3 Estimating Propagation from Simulations There are many infrastructure simulations that can produce samples of cascading failures in stages. Without quantitative statistical analysis of these sample cascades, it is not clear how robust the infrastructure is to cascading failure. For example, if one of the sample cascades is a very large failure, does this indicate a vulnerable infrastructure, an unrepresentative rare event, or simply bad luck? We briefly indicate how propagation and the distribution of total failure size can be estimated from a relatively small sample of simulated cascades. If we assume that the cascading in the infrastructure is approximated by a branching process model, we can estimate the parameters λ and θ of the branching process model from the simulated cascades. In the branching process model, the propagation λ is the mean of the offspring distribution or the average number of children failures per parent failure. In fact, λ may be estimated from a sample of cascades by dividing the total
number of children failures in the sample cascades by the total number of parent failures. (Failures arising in stages after the first stage are children failures and failures arising in the stages before the last stage are parent failures. The last stage may be a stage with zero failures at which the cascade ends.) However, this standard computation [37, 38] may require adjustment to account for saturation effects [15]. The mean θ of the number of initial failures is estimated simply as the total number of initial failures divided by the number of sample cascades. The propagation λ and mean initial failures θ are useful metrics describing the cascading in the simulation data. Moreover, estimation of these parameters provides an estimate of the distribution of the total number of failures using equation (1). This provides a way to verify the assumption that a branching process approximates the simulation results. One can simply run the simulation exhaustively to obtain an empirical distribution of total number of failures. This empirical distribution can then be compared to the estimated distribution of the total number of failures. If the match is acceptable, then the estimation via the branching process can be used to approximate the estimated distribution of total number of failures. An example of the match obtained in a subcritical test case from [15] is shown in Figure 4. Why use an approximate estimation of the distribution of the total number of failures by estimating λ and θ when an empirical distribution can be produced simply by running the simulation exhaustively? The estimation of the distribution via estimating λ and θ is much more efficient in that it requires many fewer simulated cascades. The distribution of total number of failures for a cascading process can have a heavy tail (power law region of exponent about −1.5). Estimating these heavy tails takes a large number of simulated cascades to obtain accurate statistics.

[Figure 4: log–log plot. Vertical axis: Probability (0.001 to 1). Horizontal axis: Number of lines failed (1 to 100).]
FIGURE 4 Probability distributions of total number of electric power transmission lines failed obtained by different methods. The dashed line is obtained by estimating parameters (λ = 0.4 and θ = 1.5) from simulation data and assuming a branching process model of the cascading. The dots are obtained empirically from the same simulation data. The simulation is the OPA model of cascading line outages in blackouts [9] and the test case is the IEEE 118 bus system with loading factor 1.0. Figure reprinted with permission from [15].

On the other hand, the offspring distribution does not have a heavy tail and each stage of each cascade contributes data about the offspring distribution. Moreover, if the form of the offspring distribution is known (for example, a Poisson distribution), then estimating the mean of the distribution is quicker
than estimating the entire offspring distribution. Therefore, estimating the mean of the offspring distribution λ and thereby computing the distribution of total number of failures is expected to require many fewer simulation runs [15].
1.4 More General Branching Processes Tracking the numbers of one type of component that have failed in each stage of the cascade gives an integer number of failures in each stage. This is modeled by the Galton–Watson branching process explained above. However, it is also useful to track continuously variable quantities in each stage of the cascade, especially those quantities that determine the impact of the failures. For example, in a blackout one can track the electrical power that is disconnected. Cascades of continuously varying quantities are modeled by continuous state branching processes [39, 40]. These can be applied in a similar way to estimate branching process parameters and compute the probability distribution of the quantity determining the impact of the failures [16]. There are many generalizations of branching processes that could potentially model such factors as multiple types of component and variations in amount of propagation. The initial work is investigating and testing the simplest modeling assumptions. The limits of application of the method and the potential need for more sophisticated models are not yet clear.
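The estimation procedure of Section 1.3 and the saturating distribution of equation (1), worked through as an added Python example (it is not code from the handbook or from the cited papers). It assumes Poisson initial and offspring distributions, counts cascades with zero initial failures when estimating θ, and applies no saturation adjustment; the function names and the values λ = 0.6, θ = 1, S = 200 are illustrative choices.

```python
import math
import random


def total_failures_pmf(lam, theta, S):
    """Equation (1): list p with p[r] = P[Y = r] for r = 1..S (p[0] is unused)."""
    log_norm = math.log(-math.expm1(-theta))  # log(1 - e^{-theta})
    pmf = [0.0] * (S + 1)
    for r in range(1, S):
        # Work in logs so that r! and (r*lam + theta)^(r-1) do not overflow.
        log_p = (math.log(theta) + (r - 1) * math.log(r * lam + theta)
                 - (r * lam + theta) - math.lgamma(r + 1) - log_norm)
        pmf[r] = math.exp(log_p)
    # Saturation: all remaining probability sits at r = S (all components failed).
    pmf[S] = max(0.0, 1.0 - math.fsum(pmf[1:S]))
    return pmf


def poisson(rng, mean):
    """Knuth's multiplication method; adequate for the small means used here."""
    limit, k, p = math.exp(-mean), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_cascade(rng, lam, theta, S):
    """Failures per stage; the list ends with a 0 stage unless the cascade saturates at S."""
    stages = [min(poisson(rng, theta), S)]
    total = stages[0]
    while stages[-1] > 0 and total < S:
        children = sum(poisson(rng, lam) for _ in range(stages[-1]))
        children = min(children, S - total)  # no more than S components can fail
        stages.append(children)
        total += children
    return stages


def estimate_parameters(cascades):
    """lambda_hat = children / parents, theta_hat = initial failures / cascades.

    Children are failures after the first stage, parents are failures before
    the last stage. Saturated cascades are counted the same way, so this is
    the unadjusted estimator (assumption: saturation is rare in the sample).
    """
    children = sum(sum(c[1:]) for c in cascades)
    parents = sum(sum(c[:-1]) for c in cascades)
    lam_hat = children / parents if parents else 0.0
    theta_hat = sum(c[0] for c in cascades) / len(cascades)
    return lam_hat, theta_hat


def empirical_pmf(cascades, S):
    """Empirical distribution of total failures Y over cascades with Y >= 1."""
    sizes = [sum(c) for c in cascades if sum(c) > 0]
    pmf = [0.0] * (S + 1)
    for y in sizes:
        pmf[y] += 1.0 / len(sizes)
    return pmf


def run_demo(seed=1, n=4000, lam=0.6, theta=1.0, S=200):
    """Simulate n constructed cascades, estimate (lam, theta), compare with eq. (1)."""
    rng = random.Random(seed)
    cascades = [simulate_cascade(rng, lam, theta, S) for _ in range(n)]
    lam_hat, theta_hat = estimate_parameters(cascades)
    model = total_failures_pmf(lam_hat, theta_hat, S)
    empirical = empirical_pmf(cascades, S)
    worst_gap = max(abs(model[r] - empirical[r]) for r in range(1, S + 1))
    return lam_hat, theta_hat, worst_gap


if __name__ == "__main__":
    lam_hat, theta_hat, worst_gap = run_demo()
    print(f"lambda_hat={lam_hat:.3f} theta_hat={theta_hat:.3f} "
          f"max |model - empirical| = {worst_gap:.4f}")
```

Comparing `worst_gap` across sample sizes shows the efficiency argument of Section 1.3: the two parameter estimates stabilize with far fewer cascades than the empirical tail does.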
2 CRITICAL NEEDS ANALYSIS Cascading failure is fundamental to the rare but high-impact failures of substantial portions of infrastructures. Although there has been considerable progress in detailed modeling and qualitative descriptions of cascading failure in and between large networked infrastructures, there remains a need to understand and quantify the essential features of cascading processes and deduce the probability and risk of various sizes of failure events. To manage the risk of cascading failure, it is necessary not only to inhibit the initial attack or accident, but also to design and operate the system to limit the propagation of failures so that initial failures are less likely to propagate much further. It would be valuable to be able to efficiently predict the distribution of cascade sizes from a modest number of simulated cascades and also to monitor real infrastructure failures to determine the extent to which failures propagate after an initial attack or accident. Note that although the initial failures may differ for an intentional attack and an accident, the extent to which the failures propagate after the initial failures should be similar. Thus, estimates of propagation of infrastructure failure arising from accidents should be effective in estimating how much the rarer terrorist attacks are magnified by cascading.
3 RESEARCH DIRECTIONS Initial work on cascading in simulations of electric power system blackouts shows how overall cascading failure risk could be quantified. We have proposed the simplest branching process models of cascading failure and can fit parameters to quickly determine the
amount of propagation of failures and the distribution of total failure size. Initial testing is promising but much more testing and development is needed on more elaborate simulations of blackouts and on more general models of cascading infrastructure failure. Once efficient methods for predicting cascading failure risk from simulated cascades are established, the next step is to adapt these methods to monitor cascading failures in the actual infrastructures. The observed data would provide a benchmark for the necessarily simplified simulation models. The monitoring would in effect predict the frequency of catastrophic infrastructure failures much more quickly than the empirical approach of simply waiting for a very long time for enough rare catastrophic events to occur in order to get accurate statistics to quantify the risk.
REFERENCES
1. Rinaldi, S. M., Peerenboom, J. P., and Kelly, T. K. (2001). Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Contr. Syst. Mag. 21, 11–25.
2. Zimmerman, R., and Restrepo, C. E. (2006). The next step: Quantifying infrastructure interdependencies to improve security. Int. J. Crit. Infrastruct. 2(2/3), 215–230.
3. Perrow, C. (2002). Normal Accidents, Princeton University Press, Princeton.
4. U.S.-Canada Power System Outage Task Force. (2004). Final Report on the August 14th blackout in the United States and Canada. United States Department of Energy and National Resources, Canada.
5. Peerenboom, J. P., and Fisher, R. E. (2007). Analyzing cross-sector interdependencies. 40th Hawaii International Conference on System Sciences. January, Hawaii.
6. Kröger, W. (2006). Critical infrastructure at risk: Securing electric power supply. Int. J. Crit. Infrastruct. 2(2-3), 273–293.
7. Dobson, I., Carreras, B. A., and Newman, D. E. (2005). A loading-dependent model of probabilistic cascading failure. Probab. Eng. Inform. Sci. 19(1), 15–32.
8. Carreras, B. A., Newman, D. E., Dobson, I., and Poole, A. B. (2004). Evidence for self organized criticality in a time series of electric power system blackouts. IEEE Trans. Circuits-I. 51(9), 1733–1740.
9. Carreras, B. A., Lynch, V. E., Dobson, I., and Newman, D. E. (2002). Critical points and transitions in an electric power transmission model for cascading failure blackouts. Chaos. 12(4), 985–994.
10. Carreras, B. A., Lynch, V. E., Dobson, I., and Newman, D. E. (2004). Complex dynamics of blackouts in power transmission systems. Chaos. 14(3), 643–652.
11. Nedic, D. P., Dobson, I., Kirschen, D. S., Carreras, B. A., and Lynch, V. E. (2006). Criticality in a cascading failure blackout model. Int. J. Electr. Pow. Energy Syst. 28, 627–633.
12. Chen, J., Thorp, J. S., and Dobson, I. (2005). Cascading dynamics and mitigation assessment in power system disturbances via a hidden failure model. Int. J. Electr. Pow. Energy Syst. 27(4), 318–326.
13. Dobson, I., Carreras, B. A., and Newman, D. E. (2004). A branching process approximation to cascading load-dependent system failure. 37th Hawaii International Conference on System Sciences. January, Hawaii.
14. Dobson, I., Carreras, B. A., and Newman, D. E. (2005). Branching process models for the exponentially increasing portions of cascading failure blackouts. 38th Hawaii International Conference on System Sciences. January, Hawaii.
15. Dobson, I., Wierzbicki, K. R., Carreras, B. A., Lynch, V. E., and Newman, D. E. (2006). An estimator of propagation of cascading failure. 39th Hawaii International Conference on System Sciences. January, Kauai, HI.
16. Wierzbicki, K. R., and Dobson, I. (2006). An approach to statistical estimation of cascading failure propagation in blackouts. CRIS, Third International Conference on Critical Infrastructures. September, Alexandria, Virginia.
17. Chen, Q., Jiang, C., Qiu, W., and McCalley, J. D. (2006). Probability models for estimating the probabilities of cascading outages in high-voltage transmission network. IEEE Trans. Pow. Syst. 21(3), 1423–1431.
18. Roy, S., Asavathiratham, C., Lesieutre, B. C., and Verghese, G. C. (2001). Network models: growth, dynamics, and failure. 34th Hawaii International Conference on System Sciences. Hawaii, 728–737.
19. Jiang, P., and Haimes, Y. Y. (2004). Risk management for Leontief-based interdependent systems. Risk Anal. 24(5), 1215–1229.
20. Reed, D., Chang, S., and McDaniels, T. (2006). Modeling of infrastructure interdependencies. CRIS, Third International Conference on Critical Infrastructures. September, Alexandria, Virginia.
21. Vamanu, B., and Masera, M. (2006). Vulnerability of networked infrastructures: anomalies, errors, interdependencies. CRIS, Third International Conference on Critical Infrastructures. September, Alexandria, Virginia.
22. Hardiman, R. C., Kumbale, M. T., and Makarov, Y. V. (2004). An advanced tool for analyzing multiple cascading failures. Eighth International Conference on Probability Methods Applied to Power Systems. September, Ames, Iowa.
23. Kirschen, D. S., Jawayeera, D., Nedic, D. P., and Allan, R. N. (2004). A probabilistic indicator of system stress. IEEE Trans. Pow. Syst. 19(3), 1650–1657.
24. Anghel, M., Werley, K. A., and Motter, A. E. (2007). Stochastic model for power grid dynamics. 40th Hawaii International Conference on System Sciences, Hawaii, January.
25. Ni, M., McCalley, J. D., Vittal, V., and Tayyib, T. (2003). Online risk-based security assessment. IEEE Trans. Pow. Syst. 18(1), 258–265.
26. Carreras, B. A., Lynch, V. E., Newman, D. E., and Dobson, I. (2003). Blackout mitigation assessment in power transmission systems. 36th Hawaii International Conference on System Sciences. January, Hawaii.
27. Dobson, I., Carreras, B. A., Lynch, V., and Newman, D. E. (2007). Complex systems analysis of series of blackouts: cascading failure, criticality, and self-organization. Chaos. 17, 026–103.
28. Newman, D. E., Nkei, B., Carreras, B. A., Dobson, I., Lynch, V. E., and Gradney, P. (2005). Risk assessment in complex interacting infrastructure systems. Thirty-eighth Hawaii International Conference on System Sciences. January, Hawaii.
29. Newman, M. E. J. (2003). The structure and function of complex networks. SIAM Rev. 45(2), 167–256.
30. Boccaletti, S., Latora, V., Moreno, Y., Chavez, M., and Hwanga, D.-U. (2006). Complex networks: structure and dynamics. Phys. Rep. 424, 175–308.
31. Watts, D. J. (2002). A simple model of global cascades on random networks. Proc. Natl. Acad. Sci. USA. 99(9), 5766–5771.
32. Motter, A. E., and Lai, Y.-C. (2002). Cascade-based attacks on complex networks. Phys. Rev. E. 66(6), 065102.
33. Crucitti, P., Latora, V., and Marchiori, M. (2004). Model for cascading failures in complex networks. Phys. Rev. E. 69, 045104(R).
34. Harris, T. E. (1989). Theory of Branching Processes, Dover Publications, New York.
35. Athreya, K. B., and Ney, P. E. (2004). Branching Processes, Dover Publications, New York; (Reprint of Springer-Verlag Berlin 1972).
36. Dobson, I., Carreras, B. A., Lynch, V. E., Nkei, B., and Newman, D. E. (2005). Estimating failure propagation in models of cascading blackouts. Probab. Eng. Inform. Sci. 19(4), 475–488.
37. Dion, J.-P., and Keiding, N. (1978). Statistical inference in branching processes. Branching Processes, A. Joffe, and P. Ney, Eds. Marcel Dekker, New York.
38. Guttorp, P. (1991). Statistical Inference for Branching Processes, Wiley, New York.
39. Kallenburg, P. J. M. (1979). Branching Processes with Continuous State Space. Mathematical Centre Tracts 117, ISBN 90 6196 188 2, Mathematisch Centrum, Amsterdam.
40. Nanthi, K. (1983). Statistical estimation for stochastic processes. Queen’s papers in pure and applied mathematics. 62.
WATER INFRASTRUCTURE INTERDEPENDENCIES Neil S. Grigg Colorado State University, Fort Collins, Colorado
1 INTRODUCTION Managers of water and electric systems are more concerned about security failures of the infrastructures they depend on than about failures in their own systems. Their concerns were reported in a workshop on water, electricity, and transportation managers, where they expressed confidence in their own security plans but sought guidance on managing interdependencies [1]. This article identifies the interdependencies among water and other infrastructure systems and explains how to reduce the corresponding risk and improve infrastructure security. Other articles in the volume explain the nature of water infrastructure and how to address direct security issues.
2 OVERVIEW OF WATER SYSTEM INTERDEPENDENCY As other articles in this volume explain, water system managers face threats to their systems from natural causes such as earthquakes and from human-induced causes such as attacks on their supervisory control and data acquisition (SCADA) systems. To respond,
these managers must assess vulnerabilities and mitigate risk by multiple actions to strengthen emergency plans and response capabilities. Water system managers also face vulnerabilities from interdependencies with elements of the water infrastructure that they may not control (such as their raw water supplies) and with other infrastructures (such as with electric power). These two sources of vulnerabilities represent different situations that require distinct types of responses. In addition, water system managers must take actions to reduce the risk that failures of their systems will harm those that depend on them. Study of these interdependencies involves relationships between elements and levels of systems. Interdependency can be explained at a high level of systems aggregation, but security threats and responses require explanations at detailed levels to create a valid picture. The many types of interdependencies do not fit well into a classification system, and discussions about them can seem ad hoc and without unifying themes. To clarify these interdependencies, the article uses two models to explain the situations that water managers face. The first model explains interdependencies among elements of the water infrastructure itself and those between the water infrastructure and other infrastructures. For the purposes of this article, these are named intrasystem interdependencies among water system elements and intersystem interdependences where water systems have relationships to other infrastructures. The framework of the model is shown in Figure 1, which illustrates the two types of interdependencies. On the left side of the figure, water infrastructure is shown as having five parts or subsystems. These illustrate the supply chain of the water supply system and show how irrigation is linked to the water supply system in parts of the nation. On the right hand side of Figure 1 are shown five infrastructure sectors with close links to water. 
These are the sectors from among the critical infrastructures and key resources identified in the National Infrastructure Protection Plan that exhibit the greatest degrees of interdependence with water infrastructure [2]. The terms (intrasystem and intersystem) can be confusing, but the concept of interdependency is inherently complex and the concepts are explained in Figure 1.
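[Figure 1: diagram. Water infrastructure elements (left): Streamflow, Dams, Water supply, Wastewater, Irrigation. Linked sectors (right): Public health, Transportation, Energy, Industry, Food. Link labels: Stored by, Release, Pollutes, Mixes with, Supplies, Supply, Becomes.]
FIGURE 1 Water infrastructure interdependency model.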
The second model maps the supply chain of water production and the provision of direct and indirect water services to customers. This enables the explanation of interdependencies that arise from supply chain disruption and impacts on other sectors from failures in water services. This model will be illustrated later.
3 KNOWLEDGE BASE ABOUT INTERDEPENDENCIES IN THE WATER SECTOR The knowledge base about interdependencies among water sector elements resides in the broad field of water resources management. In this field, the concept of integrated water resources management (IWRM) has been developed to explain the many interdependencies that arise in water systems management [3]. Managers of water systems are aware of these, and have formulated conceptual frameworks to explain them, but the institutional capacity to respond is lacking [4]. The knowledge base about technologies for integrated water resources management is rich, and includes advanced computer-based methods involving large databases and simulation models. For example, the State of Colorado is developing an extensive set of advanced decision support systems for management of its river basins [5]. The serious knowledge gap is in development of institutional responses to overcome barriers among water system managers and their governing boards [6]. International research about needed institutional responses focuses on shared governance, but achieving effective methods for it involves overcoming political challenges. Examples can be seen in the many water wars and transboundary conflicts that arise over sharing of water supplies. Given these institutional difficulties, water system managers are forced to develop security plans that do not depend on the success of their partners in managing shared waters. Research about relationships between water and other infrastructures focuses on intergovernmental relations. Current trends toward privatization and downsizing of government work against the kind of cooperative planning and mutual aid arrangements needed to bolster intersystem security. The responsibilities of water system managers to address cross-system issues differ from those of their water system partners.
4 INTRASYSTEM INTERDEPENDENCIES Although they are operated as distinct utility services, water and wastewater systems are inextricably linked to other elements of the overall water system. This overall water system includes a number of subsectors as follows [7]:
• municipal and industrial water supply and wastewater;
• irrigation and drainage for farming and landscaping;
• environmental water for natural systems or habitat;
• water-based recreation;
• dam and reservoir management;
• aquifer management for groundwater systems;
• hydropower generation;
• waterborne transportation and navigation;
• stormwater and flood control.
Management of water resources within the subsectors involves links among hydrologic subsystems, between water quantity and quality, and between the physical processes of water use. The left side of Figure 1 shows a simplified view of these. Water and wastewater utilities are the organized units with the most influence on overall water management. In the United States, there are over 50,000 water supply systems and nearly as many wastewater systems. Although most of these are small, they are the management organizations with most authority and responsibility to manage water through its hydrologic cycle. The other group with great influence comprises the agencies that manage the nation’s some 75,000 dams and reservoirs. These involve a much smaller number of management units, such as the Corps of Engineers, Bureau of Reclamation, and many hydroelectric producers, among others [8]. The interdependences among these elements of the overall water resources system occur because water flows under natural forces through its hydrologic cycle. This cycle takes water from the atmosphere, deposits precipitation that becomes runoff or ground water and flows to various receiving waters, from which it is evaporated. Sometimes the water is diverted from one basin to another using tunnels and other infrastructure. However the water flows, its continually flowing nature creates intrasystem interdependences. Briefly, streamflow is stored in reservoirs by dams, which are in turn operated to control the release of flows downstream. Streamflow and dam releases provide raw water supplies to cities, industries, and irrigators. Water supply releases become wastewater that affects the quality of streamflow and mixes with water supply through discharge–diversion sequences. These elements may be operated by different management agencies and require numerous administrative arrangements and communication channels to identify vulnerabilities and manage risk. 
For example, a federal agency may operate a reservoir that provides water supply to a city. The city is thus dependent on the agency to deliver raw water reliably. Many details must be supplied to describe these interactions fully. Although a valid watershed model can illustrate the important linkages among subsystems, it will not be able to replicate all processes at the micro level. For example, groundwater–surface water interactions are important but difficult to model accurately. The interactions shown in Figure 1 illustrate important intrasystem interdependencies and vulnerabilities. For example, raw water must be available and transported to points of storage, treatment, and/or use. Wastewater systems also involve treatment plants and pipes, and have vulnerable components. However, their purposes differ from drinking water and the consequences of security breaches are different. Their security is addressed in a separate article in this volume. Irrigation systems can be disrupted but the direct consequences to water systems are normally not as critical as they are for drinking water. Examples of important intrasystem interdependences among parts of the overall water system are shown in Table 1.
TABLE 1 Examples of Intrasystem Interdependencies for Water Systems

| Intrasystem Interdependency | Example |
| Disruption of transportation routes for raw water | An earthquake might block a tunnel and cut off raw water supplies |
| Drought to reduce raw water supplies | Water supply systems can extend for long distances, and drought in an upper basin can reduce supplies lower down |
| Flood to damage water handling facilities | River flooding may disrupt operation of raw or treated water facilities |
| Intentional or unintentional contamination of raw or treated water | Intentional contamination of treated water is an obvious threat. Contamination of raw water supplies is normally not a major threat because of its volume, but it is important to keep watersheds clean and contaminated reservoirs are difficult to clean |
| Dam safety | Security of dams is critical because their failure can affect water supplies, public safety, and the environment. Dams can be threatened by sudden events or lack of maintenance |
| Treated water systems | Treated water may be distributed to wholesale customers, thus disruptions can propagate through the systems. Security of treated water is addressed in a separate article in this volume |

5 INTERDEPENDENCIES WITH OTHER INFRASTRUCTURES Although, at a high level, water has clear interdependencies with other infrastructures, the nature of the relationships must be defined at the subsystem level. The discussion in
this section is organized around the six critical infrastructure sectors shown on the right side of Figure 1. The water service most closely aligned with public health is drinking water. Wastewater and irrigation water are also linked to health issues. Contaminated drinking water or failed water systems have many links to public health, which are explained in another article. The public health system also presents threats to water systems. For example, a source of pharmaceuticals in drinking water is the disposal of outdated medicines in hospitals and other health care facilities. Another example is that inadequate regulation of public activity in swimming and fishing areas can pollute water that the public is exposed to. Food security is another health-related water issue because water is an ingredient in food, from the farm to the dining room table. Contaminated irrigation water can create hazards up the wholesale to retail chain and lead to outbreaks of waterborne disease. Failure of raw water systems can also lead to crop failures and economic hardship. Water and industry exhibit interdependencies because industrial production requires large inputs of high quality water. This dependency can be quickly noted by examining categories of NAICS industries as published by the US Census Bureau. NAICS is the North American Industry Classification System, see Reference [9] for an explanation. In particular, the chemical industry exhibits interdependencies with water in several ways. It produces water treatment chemicals such as phosphates and chlorine gas. Shortages of these will impede water treatment and transportation of some of them can create hazardous conditions, as with transportation of chlorine gas to water treatment plants. Water
is also linked to critical industries. For example, during World War I, the Muscle Shoals dam facility on the Tennessee River produced nitrates for ammunition and explosives. The facility is now part of the Tennessee Valley Authority system.
As water must be transported to points of use, its infrastructure has a number of interdependences with transportation systems. For example, vulnerable bridges and tunnels may form part of water conveyance systems. If a dam fails, it will often fail downstream transportation arteries. If roadways and bridges are not protected against floods, they can be failed by water forces. Waterborne transportation has obvious links to water management. During drought, water utilities often call for reduced navigation flows for barges that may be used for transporting vital commodities.
Energy systems and water are linked because if raw or treated water is pumped, the systems are vulnerable to power outages. Also, control of many water systems has become automated and loss of energy can fail critical monitoring and control systems. Hydroelectricity is produced from flowing water. Cooling water is required for all electricity generation, and thermoelectric cooling is a large user of water for once-through cooling and cooling towers.
6 RESPONSES TO INTERDEPENDENCIES Although water system interdependencies are inherently complex and difficult to manage, they can be explained with the metaphor of the business corporation’s supply chain and customer relations. The supply chain models the water utility’s ability to produce high quality finished water using inputs of raw water, electric power, chemicals, and other resources. The customer base comprises direct and indirect water users. Direct water users are people who drink water, swim in it, cook with it, or use it for other purposes. Indirect users are people who use any product that requires water as an input, such as food that is produced through irrigation.
This model can be illustrated with a simple diagram (Figure 2) that shows the producer of water services as receiving supply chain inputs from within the water industry (such as raw water) and from outside the industry (such as electric power or chemicals). The producer then provides water services to its customers, who will be impacted by any failures in water quantity or quality. These customers will then produce their products, which often depend on high quality and reliable water.
FIGURE 2 Supply chain and outputs of water service providers. [Diagram labels: Supply chain (internal to water industry; external to water industry), Water services, Water customers, Products.]
As shown in Figure 2, water service providers often lack control over all the resources they require. This is the same situation faced by any production unit that relies on others for its supply chain. The water utility normally cannot gain ownership and complete control over all of its supply chain, and coordination strategies are its main tool to strengthen security of supply chain interdependencies. These strategies will involve different measures and combinations of stakeholders for intrasystem water elements, such as between raw water and treated water, than they will for intersystem infrastructures, such as between water and its electric power inputs. Coordination can be modeled by forms of business organization based on relationships between a business and its suppliers and production units. Three types of supply relationships help visualize interdependencies:
• A vertically integrated water utility with its supply chain within the span of control of one executive. An example could be a water supply utility serving 50,000 customers in a single city.
• A horizontally integrated water utility with divisions under separate executives who treat each other as “customers.” An example could be an integrated utility with its own raw water supplies, treatment and distribution systems, and wastewater services.
• A water utility that contracts with suppliers in independent organizations in similar and different industries. An example could be a water utility that performs business operations but does not own or control its own water or infrastructure.
Supply chain interdependencies must be managed through relationships between water system managers and their suppliers. For a smaller, vertically integrated utility, these relationships can probably be managed through day-to-day meetings and shared problem-solving. For larger, horizontally integrated utilities it is more difficult to achieve effective communication and it might be necessary to make more formal arrangements through contracts and working agreements that are audited through performance reports. When the water utility operates by contracting with independent organizations for its supply chain, formal contracts and agreements become essential.
Coordination does not have to occur in formal and informal venues inside of organizations. When water services are provided by different agencies, the participants may see each other in regional planning meetings, at professional associations, and at other occasions. Coordination presents different challenges, as in the case of intersystem infrastructures where the managers may not know each other at all. For example, public health officials who receive reports of waterborne disease outbreaks are normally not in touch with water officials on a regular basis. By the same token, the chain-of-responsibility for food contamination from irrigation water is long and convoluted. Even the more direct link between electric power and water systems does not involve regular communications between managers.
It is not reasonable to rely simply on more communication and coordination among managers of disparate infrastructures to improve security. Rather, managers of these infrastructures must take matters into their own hands to mitigate threats from failures in the infrastructures they depend on. They must assess the risk of failure of other systems and take measures to mitigate the risk or create redundancies. Barriers to coordination occur among interdependent water systems from the same problems that occur within organizations, where coordination requires frequent communication, meetings, sharing of information, and other means to improve cooperative work. Coordination and communication are always more difficult between organizations than
within them, but both cases present barriers. Examples of barriers might include not being aware of interdependencies, being busy and overloaded with other work, not wanting to work together, and lack of incentives from governing boards.
7 CRITICAL NEEDS ANALYSIS The model of water system risk used in the article shows vulnerabilities from interdependencies among elements of the water infrastructure and between water and other infrastructures. The interdependencies go two ways: those that affect the supply chain of water and those that exhibit impacts on others from water system failures. One example of intrasystem interdependency is failure of raw water supplies, which prevents water treatment organizations from performing their missions. Another would be uncontrolled river flooding that disrupts operation of water infrastructures. An example of a supply chain failure from another category of infrastructure is loss of electric power to a water system. Examples of impacts from failure of water services include public health incidents and contamination of food supplies from polluted water. Also, industrial and energy systems depend on reliable water supplies to function. Planning for interdependencies requires the water system manager to recognize categories of relationships that include supply chain inputs from within and outside of the water industry. These supply chain interdependencies must be managed through coordination among water system managers and their suppliers. The coordination can range from informal arrangements to formal contracts and agreements. In the case of intersystem infrastructures, managers may not be able to coordinate well because they are not in frequent contact and may not even be aware of each other’s activities. In these cases, infrastructure managers must take matters into their own hands, and consider threats from failures in other infrastructures just the same as other uncontrolled threats. Regardless of the type of interdependency, threats from failures within the water industry or outside of it can be included in a vulnerability analysis. 
To include them, the analyst must recognize the threats from interdependencies in the same way as a direct threat is recognized, whether from natural or human causes. Once the threats are recognized, they can be mitigated by direct actions or coordinated arrangements with partner organizations.
8 RESEARCH DIRECTIONS Management of threats that arise to water systems from interdependencies among themselves and with other infrastructures requires responses in technological, management, and institutional arenas. The technological responses involve the same types of instrumentation, control devices, and other tools that are needed for ongoing security programs and have been described in Reference [10]. Required management responses range across governance, organizational planning, data management, coordination with partnership organizations, and reporting. Research into these topics is robust for business and government organizations but little research has been conducted specifically for water utilities and their interdependencies [11].
The most difficult arena for enhanced security is in institutional responses that include organizational structures, incentives, and relationships. For example, the United States has some 85,000 units of local government, many of which are involved in infrastructure services [12]. In addition to working effectively among themselves, they must work with many independent private water and energy companies. The regulatory structure that governs water and related infrastructures involves a patchwork of federal and state agencies and local governing boards. Research needed focuses on improving intergovernmental arrangements within the existing structure of the water industry as it relates to the management structure of other infrastructures.
REFERENCES
1. Department of Homeland Security (2008). National Infrastructure Protection Plan. US Government, Washington, DC, August 23, 2008. http://www.learningservices.us/DHS/NIPP/.
2. Colorado State University (2003). Workshop Summary: Infrastructure in Northern Colorado: Measuring Performance and Security for Water, Electricity, and Transportation Systems. Colorado, Fort Collins, CO.
3. Global Water Partnership (2008). Managing Water, Accessed August 25, 2008. http://www.gwpforum.org/.
4. Grigg, N. S. (2008). Total Water Management: Practices for a Sustainable Future, American Water Works Association, Denver, CO.
5. Colorado Water Conservation Board (2008). Colorado’s Decision Support Systems, August 25, 2008. http://cwcb.state.co.us/WaterInfo/DecisionSupport/dss.htm.
6. Young, J. (2006). Challenges and benefits of total water management. J. Am. Water Works Assoc. 98(6), 32–34.
7. Grigg, N. S. (2005). Water Manager’s Handbook, Colorado, Aquamedia Publications Denver, CO.
8. Grigg, N. (2007). Water sector structure, size and demographics. J. Water Resour. Plann. Manage. 133(1), 60–66.
9. U.S. Census Bureau (2008). North American Industry Classification System, August 23, 2008. http://www.census.gov/epcd/www/naics.html.
10. Department of Homeland Security (2005). CIP R&D Workshop for Academic and Federal Laboratory R&D Providers, June 29, 2005 Session Report. September 2005.
11. US Government Accountability Office (2005). Protection of Chemical and Water Infrastructure. Federal Requirements, Actions of Selected Facilities, and Remaining Challenges, GAO-05-327 Washington, DC. March 2005.
12. USBOC (2008). Census of Governments. May 6, 2008. http://www.census.gov/govs/www/cog2002.html.
FURTHER READING
American Water Works Association (2004). Emergency Planning for Water Utilities. Colorado, Denver, CO.
American Water Works Association Research Foundation (2004). Security Practices Primer for Water Utilities. Colorado, Denver, CO.
INFRASTRUCTURE DEPENDENCY INDICATORS Theresa Brown Sandia National Laboratories, Albuquerque, New Mexico
1 INTRODUCTION Interdependencies are created by multiple dependencies between two or more infrastructures. Hence, dependencies are the fundamental building block of interdependencies and models of these interconnected, interdependent systems. This article provides an overview of the state of the art in identifying infrastructure dependencies and analyzing their importance with respect to infrastructure protection measures.
2 SCIENTIFIC OVERVIEW Infrastructures evolved with society and technology. Infrastructure dependency analysis for homeland security applications is a relatively new field of study encouraged in the United States by the National Research Council [1], endorsed and funded by the federal government [2]. Funding over the last 6–10 years, primarily by government agencies, produced new interdisciplinary programs and centers at universities (e.g. Department of Homeland Security Centers of Excellence at Michigan State University, University of Southern California, Johns Hopkins University, University of Minnesota, Texas A&M University, and the University of Maryland; the Critical Infrastructure Modeling and Assessment Program at the Virginia Tech Center for Energy and the Global Environment); new analysis centers at national laboratories (e.g. National Infrastructure Simulation and Analysis Center at Sandia and Los Alamos National Laboratories and Infrastructure Assurance Center at Argonne National Laboratory); and private research organizations. Each of these research and analysis centers is focused on improving our understanding of infrastructures, how they interact and influence one another, the overall well-being of the populations they serve, and the economies they support. Since this is a new area of study, there are relatively few publications devoted to the broad field of infrastructures. Two journals, Journal of Infrastructure Systems published by the American Society of Civil Engineers (since 1984) and International Journal on Critical Infrastructures published by Inderscience (since 2004), focus on new contributions to infrastructure design, protection, and management. The literature for this field is just developing. Rinaldi et al. [3] provide a useful classification system for infrastructures, defined by four major categories of interdependencies: geographical, physical, logical, and cyber.
Since interdependencies imply multiple, interrelated dependencies between two or more elements, dependencies are the more fundamental relationship. Dependencies can be classified using the same categories as interdependencies, or in this case, with cyber
dependencies as a subset of physical dependencies. The fundamental indicators of dependencies can also be classified as geographical, physical, and logical. In the following sections, examples of work in the area of infrastructure dependency identification and analysis are provided, along with areas for improvement.
3 GEOGRAPHICAL DEPENDENCY INDICATORS The easiest dependencies to identify are geographical dependencies, when elements of multiple infrastructures are close enough to be damaged by the same event. The only complication in identifying these dependencies is in defining the events of concern, including the location or potential locations and obtaining locations for all of the nearby infrastructure elements to identify which are the ones within the potential damage zone. For many events, the infrastructure elements must be in very close proximity for geographical dependencies to exist. When infrastructures use a common right-of-way, such as a dam, bridge, tunnel or sewer pipeline, catastrophic accidents or failures at those locations can disrupt multiple infrastructures at the same time. The presence of multiple infrastructures in a single location (colocation) is the indicator of geographic dependency for isolated incidents (e.g. tanker truck accident and explosion that leads to the collapse of a bridge). As we understand the potential threats, the vulnerability of infrastructure elements to each of those threats, and the likelihood of the threat at any location, we can develop risk-based indicators of dependencies. Large, destructive events such as hurricanes create geographical dependencies across multiple infrastructures, populations, industries, and commercial sectors due to damage and injuries caused by high winds and flooding. The map in Figure 1 depicts the relative risk (by county) posed by hurricane strikes. A risk indicator was calculated by multiplying a likelihood factor by a consequence factor. The likelihood factor is a combination of the probability of hurricane occurrence and probability of damage to infrastructure. An estimate of the probability of a hurricane impacting a county is based on the historic frequency of hurricanes. 
The probability of damage to infrastructures within each county was estimated using a wind damage contour for each historical hurricane path based upon its intensity. A consequence factor was developed as a function of the population living in each county.
Risk indicator = population[1000s] × hurricane frequency × damaging-wind frequency
The result is a geographical distribution of the risk of direct damage due to hurricanes. Similar indicators exist for other natural threats, such as seismic activity, flooding, landslides, and wild fire. The US Geological Survey publishes seismic hazard maps that can be used in conjunction with fragility curves for specific engineered structures to estimate the risk of damage due to ground motion. The Federal Emergency Management Agency provides maps of flood, fire, geologic, and other hazards in the United States. More refined indicators can be developed to represent the risk to specific infrastructures or assets, the duration of the expected disruption, or the total consequences. These refinements would be the first step toward developing indicators of the risk due to propagating effects created by physical and logical dependencies.
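The county-level hurricane risk indicator described above can be worked through from storm tracks, as in the following added example (not code from the handbook or from NISAC). The counties, tracks, 50-year record, strike radius, and per-category damage radii are constructed, and treating damaging-wind frequency as the share of strikes that fall inside the damage contour is an assumption, since the text does not give the exact definition.

```python
from dataclasses import dataclass
from math import hypot

YEARS_OF_RECORD = 50          # constructed length of the historical record
STRIKE_RADIUS_KM = 150.0      # assumption: a track this close counts as a strike
# Assumption: half-width of the damaging-wind contour grows with storm category.
DAMAGE_RADIUS_KM = {1: 30.0, 2: 50.0, 3: 80.0, 4: 110.0, 5: 150.0}


@dataclass(frozen=True)
class County:
    name: str
    x_km: float        # centroid on a local planar grid (constructed)
    y_km: float
    population: int


@dataclass(frozen=True)
class Storm:
    year: int
    category: int      # hurricane category 1-5
    track: tuple       # ((x_km, y_km), ...) points along the historical path


def dist_to_segment(px, py, ax, ay, bx, by):
    """Shortest distance from point P to the segment A-B."""
    dx, dy = bx - ax, by - ay
    seg_len_sq = dx * dx + dy * dy
    if seg_len_sq == 0.0:                      # degenerate segment: A == B
        return hypot(px - ax, py - ay)
    t = ((px - ax) * dx + (py - ay) * dy) / seg_len_sq
    t = max(0.0, min(1.0, t))                  # clamp to the segment ends
    return hypot(px - (ax + t * dx), py - (ay + t * dy))


def distance_to_track(county, storm):
    """Closest approach of a storm track to the county centroid."""
    pts = storm.track
    if len(pts) == 1:
        return hypot(county.x_km - pts[0][0], county.y_km - pts[0][1])
    return min(dist_to_segment(county.x_km, county.y_km, *a, *b)
               for a, b in zip(pts, pts[1:]))


def risk_indicator(county, storms, years=YEARS_OF_RECORD):
    """Return (hurricane frequency, damaging-wind frequency, risk indicator)."""
    strikes = damaging = 0
    for storm in storms:
        d = distance_to_track(county, storm)
        if d <= STRIKE_RADIUS_KM:
            strikes += 1
            if d <= DAMAGE_RADIUS_KM[storm.category]:
                damaging += 1
    if strikes == 0:                           # no strike history: zero, not undefined
        return 0.0, 0.0, 0.0
    hurricane_freq = strikes / years           # strikes per year of record
    damaging_wind_freq = damaging / strikes    # share of strikes inside the contour
    risk = (county.population / 1000.0) * hurricane_freq * damaging_wind_freq
    return hurricane_freq, damaging_wind_freq, risk


def rank_counties(counties, storms):
    """Counties ordered from highest to lowest risk indicator."""
    scored = [(risk_indicator(c, storms)[2], c.name) for c in counties]
    return sorted(scored, reverse=True)


# Constructed sample data: three counties and four east-west storm tracks.
COUNTIES = (
    County("Coastal", 0.0, 0.0, 500_000),
    County("Inland", 0.0, 100.0, 200_000),
    County("Remote", 0.0, 400.0, 1_000_000),
)
STORMS = (
    Storm(1985, 4, ((-300.0, 0.0), (300.0, 0.0))),
    Storm(1992, 1, ((-300.0, -20.0), (300.0, -20.0))),
    Storm(2004, 2, ((-300.0, -100.0), (300.0, -100.0))),
    Storm(2005, 3, ((-300.0, 60.0), (300.0, 60.0))),
)

if __name__ == "__main__":
    for risk, name in rank_counties(COUNTIES, STORMS):
        print(f"{name:8s} risk indicator = {risk:.2f}")
```

The most populous county ranks last here because no track in the constructed record comes within the strike radius, which shows why the indicator combines likelihood with population rather than using either alone.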
FIGURE 1 Geographical dependency indicator: relative risk to infrastructure by county due to hurricane; on the basis of frequency of occurrence, category of hurricane and population density (risk indicator developed by the National Infrastructure Simulation and Analysis Center in 2006 for prioritizing off-season hurricane planning scenarios and analyses). [Map legend: risk of category 1–category 5 hurricane, from low risk (0.000221) to high risk (22.9).]
4 PHYSICAL DEPENDENCY INDICATORS Physical dependencies are created when two or more systems are physically connected and one is dependent on the other to function. Interdependencies are created if there are mutual dependencies or if the state of their interaction influences the state of another infrastructure. Connectedness is the basic physical dependency indicator. If a compressor station for a natural gas pipeline is connected to the electric power distribution system, the compressor is likely electric powered. However, it does not indicate if electric power is the primary or only energy source for the compressor or how the loss of power at that compressor station influences the flow of gas in the pipeline. Connectedness only indicates the potential for dependency. Even simple indicators like connectedness may be difficult to verify on a large scale, because many forms of connection cannot be easily observed (underground utilities), alternative sources may exist (e.g. backup electric power generation capabilities, fuels in onsite storage, and water storage system), and utility data are generally proprietary. In some cases surrogate information exists, such as economic supply and demand data, allowing inference of physical or logical connections. Developing more refined indicators of physical dependencies requires knowledge of the operational impacts of infrastructure input disruptions. The most connected infrastructures, the ones that create the greatest number of dependencies, are energy (includes electric power, coal, natural gas, nuclear fuels, and petroleum, oils, and lubricants (POL)), communications (includes telecommunications,
information systems, and broadcast), transportation (includes water, rail, pipeline, road, and air transportation systems), and banking and finance (includes federal and commercial banking systems, insurance, commodity markets, and other financial institutions) [4–6]. The overall connectivity of the network is an indicator of system robustness. Abstract models of power networks with different topologies indicate that the greater the overall connectivity, the more robust the network [6]. This implies that while the connected systems are more dependent on each other, the dependency comes with a benefit if it leads to greater connectivity. The connectivity within each of these systems and with other infrastructures depends on which systems and locations are evaluated. The road system in the United States is one of the most highly connected networks, yet it has zones of low connectivity at the edges and in isolated portions of the network. In models of banking transactions, the topology and behaviors are required to estimate system robustness [7]. A general understanding of specific infrastructure processes allows us to develop dependency models and begin the process of refining dependency indicators to include the dynamics of the problem. Only a few of the physical dependencies for energy, telecommunications and transportation, and indicators of those dependencies are provided here.
4.1 Electric Power Dependencies Electric power generation and system control are the processes creating dependencies for the electric power infrastructure. Hydroelectric generation is dependent on the sufficient supply of water and environmental conditions that allow the release of water. Other types of power generation are dependent on water for cooling, specific fuels (coal, natural gas, nuclear, and refined products e.g. diesel and jet fuel), regulatory limits on emissions, and the transportation of fuels from the production region to the generator facility.
Indicators of dependencies between electric power generation in a particular location (or region) and fuel production in another location (or region) are developed based on the type of generator(s) and connectivity of the generator to the production region via feasible transportation system(s) for the fuel or fuels. Transport feasibility requires an economically viable route and mode. In this case, connectivity occurs via the transportation network, making electric power generation dependent on transportation and fuel production. If the generator is connected to multiple fuel production locations (or regions) the dependency on a specific fuel source or specific transportation route is reduced. Figure 2 shows the natural gas pipelines (transportation) and electric power generation plants in the Midwest, focusing on Illinois. The region is able to import natural gas from Canada and the central and southeast regions of the United States. Even more crucial is the fact that natural gas generation is not the primary source of power in this area. Coal-fired generation and nuclear power plants provide most of the power in Illinois [8].
FIGURE 2 Natural gas pipelines (≥ 10 in. in diameter) and natural gas fired generation in the Midwest US illustrates connectivity to multiple supply regions (based on 2005 data from Plants (power plants) and Penwell (on-shore pipelines)). [Map labels: imports of natural gas to the Midwest from Canada, from central US, and from southeast US.]
The dependency of a specific facility or region on a specific electric power generator is a little more difficult to quantify than a geographical dependency because of all the factors that influence the steady supply of electric power. First, it must be determined whether the generator has or could have a substantial impact on the electric power supply in the region of concern. In order to understand the influence of a single generator, knowledge about the state of the system is required. The best indicator is the ratio of the plant’s generation capacity to the region’s reserve margin (the expected amount of available capacity that is greater than the expected peak demand). The reserve margin is an indicator of the state of the electric power system within a specific region, reflecting the likelihood that the region is self-sufficient, can export power to other regions, or will be dependent on power imports from other regions. The indicator for specific generators provides an estimate of how close the system would be to moving from one state to another (e.g. self-sufficient to power importer) if that particular generator is taken off-line. Peak demand is used to provide a bounding case, since the regional demand for electric power varies diurnally and seasonally. The indicator has to be updated because peak demand and aggregate generation capacity change over time as changes in population, behaviors, and technology alter power demands and as generation capacity is built or taken off-line (for repairs or permanently retired).
Electric power transmission and distribution system operations are highly automated, human-in-the-loop, remote control systems. Control systems are dependent on reliable communications and data. The power outage in the northeastern United States in August 2003 was due in part to unreliable and missing information [9].
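The two Section 4.1 indicators above, connectivity of a generator to fuel production regions and the ratio of plant capacity to regional reserve margin, are computed in the following added example (not code from the handbook). The network, plant names, capacities, and yearly regional totals are constructed, and every listed link is assumed to be an economically feasible route.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Generator:
    name: str          # also the plant's node name on the transport network
    fuel: str
    capacity_mw: float


# Constructed network: directed links (from, to, fuel carried).
LINKS = (
    ("Canada", "HubNorth", "gas"),
    ("CentralUS", "HubWest", "gas"),
    ("SoutheastUS", "HubWest", "gas"),
    ("HubNorth", "PlantA", "gas"),
    ("HubWest", "PlantA", "gas"),
    ("CoalBasin", "RailJunction", "coal"),
    ("RailJunction", "PlantB", "coal"),
)
PRODUCTION_REGIONS = {"gas": {"Canada", "CentralUS", "SoutheastUS"},
                      "coal": {"CoalBasin"}}
PLANT_A = Generator("PlantA", "gas", 600.0)
PLANT_B = Generator("PlantB", "coal", 1200.0)
# Constructed regional totals (MW): year -> (available capacity, expected peak demand).
REGION_BY_YEAR = {2005: (4000.0, 3000.0), 2010: (4000.0, 3500.0)}


def reachable_regions(gen, links=LINKS, removed=frozenset()):
    """Fuel production regions that can still deliver to the generator."""
    upstream = defaultdict(set)
    for link in links:
        src, dst, fuel = link
        if fuel == gen.fuel and link not in removed:
            upstream[dst].add(src)
    seen, stack = {gen.name}, [gen.name]
    while stack:                               # walk the network upstream from the plant
        for src in upstream.get(stack.pop(), ()):
            if src not in seen:
                seen.add(src)
                stack.append(src)
    return seen & PRODUCTION_REGIONS.get(gen.fuel, set())


def single_points_of_failure(gen, links=LINKS):
    """Links whose loss alone cuts the generator off from every production region."""
    if not reachable_regions(gen, links):
        return []
    return [link for link in links
            if link[2] == gen.fuel
            and not reachable_regions(gen, links, frozenset([link]))]


def reserve_margin_mw(region_capacity_mw, peak_demand_mw):
    """Available capacity in excess of expected peak demand."""
    return region_capacity_mw - peak_demand_mw


def capacity_to_margin_ratio(gen, region_capacity_mw, peak_demand_mw):
    """Plant capacity / reserve margin; None when there is no margin to compare with."""
    margin = reserve_margin_mw(region_capacity_mw, peak_demand_mw)
    if margin <= 0:                            # region already relies on imports at peak
        return None
    return gen.capacity_mw / margin


def state_if_offline(gen, region_capacity_mw, peak_demand_mw):
    """Regional state at peak demand with this generator taken off-line."""
    remaining = reserve_margin_mw(region_capacity_mw - gen.capacity_mw, peak_demand_mw)
    return "self-sufficient at peak" if remaining >= 0 else "import-dependent at peak"


def ratio_by_year(gen, yearly=REGION_BY_YEAR):
    """Recompute the indicator as capacity and peak demand change over time."""
    return {year: capacity_to_margin_ratio(gen, cap, peak)
            for year, (cap, peak) in sorted(yearly.items())}


if __name__ == "__main__":
    for plant in (PLANT_A, PLANT_B):
        print(plant.name, sorted(reachable_regions(plant)),
              single_points_of_failure(plant), ratio_by_year(plant),
              state_if_offline(plant, *REGION_BY_YEAR[2005]))
```

A ratio above 1 means the plant alone is larger than the reserve margin, so its loss moves the region from self-sufficient to import-dependent at peak; in the constructed data, demand growth alone pushes PlantA's ratio from 0.6 to 1.2.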
4.2 Communication Dependencies Communication systems can change state very quickly due to a wide variety of reasons, tied to both logical and physical dependencies. Within the telecommunication system there are a large number of system operators that constantly monitor to anticipate conditions that may lead to sudden, prolonged high call volume that creates network congestion and call blocking. It is not clear whether the telecommunication operation indicators will
be of use for the power operation systems, because power operation systems utilize multiple communication systems that are not part of the public telecommunication network. The difference between data system dependencies and other physical dependencies is that data systems are vulnerable to more threats, such as denial of service attacks or malicious software programs (sent from remote sites, using information or wireless communication networks) or electromagnetic disturbances. The best indicator of dependency on specific communication assets is geographical, local service areas called local access and transport areas (LATAs). Maps of publicly available LATAs are relatively well known. They correspond to the region of an area code, but some have multiple area codes. The impact of telecommunication disruptions on the operation of other infrastructures requires more evaluation, but may depend on whether the systems have sufficient volume of critical inputs. Just-in-time management of inventories creates systems that are less robust to supply disruptions [6].
4.3 Transportation Dependencies
Transportation systems are dependent upon the physical transportation networks (pipelines, roads, rail, and waterways), fuels for the combustion engines that power the transport (natural gas or electric power for pipeline compressors; diesel for trucks, tankers, and barges; jet fuel for airplanes), specialized labor (commercial drivers, pilots, longshoremen, engineers, and airline pilots), and communication systems for logistics. Given the ubiquity and connectedness of most of the transportation networks, anything more than delay in transportation is unlikely for any of the modes, with a few exceptions at the edges and in sparsely populated regions of the networks. Multiple transportation modes mean demand can shift to another mode. Whether that shift occurs depends on the economics of the shift relative to the cost of the delay. Fuel supplies are also difficult to disrupt on a large scale because there are significant amounts of fuel of all types distributed around the country in storage systems. Price may be the best indicator of fuel supply, or at least the perceived risks of short supply, and transportation costs. Local fuel shortages can occur when perceived shortages in supply or concern about the reliability of supply lead to hoarding (a logical dependency).
5 LOGICAL DEPENDENCY INDICATORS Logical dependencies, when one infrastructure influences another without being physically connected, are due to human decisions and actions. The state of, or perceived risks in, one infrastructure could influence behaviors/operations in another infrastructure due to loss of confidence in supply; through competition for labor or market share; or due to shifts to alternate inputs as a result of price or regulatory changes. Economic relationships represent logical dependencies. Input–output models based on sales and production data compiled by government agencies provide indicators of long-term equilibrium conditions between sectors of the economy. They are often used to evaluate the net economic impact of the decline or loss of output in one sector on the other sectors and country or region as a whole. They indicate logical dependencies for a specific period of time, but do not account for production limitations, the ability to offset disruptions through withdrawals from storage, or other adaptations. Without
physical connections, logical dependencies can change suddenly, creating uncertainty and significant instability in supply that ripples through the connected systems. Inventory or production oscillations can be caused by unexpected time delays in receiving shipments or orders [9]. Labor is a logical dependency for all infrastructures. Local labor shortages have occurred during renegotiation of union contracts due to labor walkouts and/or lockouts. Labor has been impacted on a broader scale by large military deployments (World War II and the call for women to enter the manufacturing workforce to offset labor shortages) and pandemics. Infrastructures have continued to function through all those situations because of adaptive behaviors. Change in demand due to price (demand elasticity) is an indicator of the logical response that moderates the impacts’ supply disruptions. Demand elasticity for infrastructure services may be a function of the capability to switch to an alternative supply, implementation of conservation measures, or delaying purchases or production. Unless a situation has historical precedent, it is difficult to develop proven indicators for this class of dependency. If the event has historical precedent, the reactions may be vastly different, given the knowledge of the previous event or events. And, if the disruption had caused severe problems, effective protective measures may have been put in place. It is not clear that system dynamics models of logical dependencies are predictive but they provide a better indicator of possible outcomes because they are able to represent all types of dependencies in a single, functioning, representation of the complex system. Figure 3 shows the structure of the dependencies in a model developed to evaluate the
FIGURE 3 Model structure of dynamic dependencies between livestock, corn, and dairy production showing the logical dependencies between production sectors, created through the price of feed, influencing the characteristics of each production cycle. (Diagram elements: beef inventory, production, coverage, consumption, and price; corn inventory, production, coverage, and price; animal feed consumption; dairy inventory, production, coverage, consumption, and price; hog and poultry production, not modeled.)
dynamic dependencies between beef, dairy, and corn production. The beef–dairy–corn dynamics model was developed as part of the National Infrastructure Interdependency Model in the Critical Infrastructure Protection Decision Support System (CIPDSS) by Sandia, Los Alamos, and Argonne National Laboratories for the Department of Homeland Security Office of Science and Technology, to evaluate the impacts of disease outbreak in the beef cattle industry.
The interactions between the three sectors shown in Figure 3 illustrate some of the new, logical dependencies developing between agriculture and energy. Recently, concern over crude oil prices and supply led to increased use of corn for ethanol production [10], which has increased the price of corn for animal feed. This is causing a switch to cheaper, soy-based feeds in the livestock industry. Soy and corn are grown in the same fields (a geographical dependency); high prices for corn reduced the amount of soy grown (a logical dependency) [11]. Short supplies increase soy prices, putting increased pressure on the livestock industry. Beef prices increase. The result is that the prices of all commodities depending on fuels or transportation, physically and logically, increase. The only way to anticipate all these changes is to understand the dependencies and dynamics of this system. Simple indicators do not provide that kind of insight.
REFERENCES
1. National Research Council. (2002). Making the Nation Safer, National Academy Press.
2. Department of Homeland Security. (2006). National Infrastructure Protection Plan 2006, Department of Homeland Security.
3. Rinaldi, S., Peerenboom, J., and Kelly, T. (2001). Identifying, understanding and analyzing critical infrastructure interdependencies. IEEE Control Syst. Mag. 21, 11–25.
4. Min, H.-S. J., Beyeler, W. E., Brown, T. J., Son, Y. J., and Jones, A. T. (2007). Toward Modeling and simulation of critical national infrastructure interdependencies. IIE Trans. 39, 57–71; Special issue on Industrial Engineering of Operations Research in Homeland Security.
5. Beyeler, W. E., Conrad, S. H., Corbet, T. F., O’Reilly, G. P., and Picklesimer, D. D. (2005). Inter-infrastructure modeling–ports and telecommunications. Bell Labs Tech. J. 9(2), 91–105.
6. Conrad, S. H., and O’Reilly, G. P. An Overview of Energy and Telecommunications Interdependencies Modeling at NISAC.
7. Beyeler, W. E., Glass, R. J., Bech, M., and Soramäki, K. (2007). Congestion and Cascades in payment systems, Physica A.
8. Energy Information Administration. (2007). Electric Power Monthly Data, for February (downloaded from EIA website http://www.eia.doe.gov/cneaf/electricity/epm/epm ex bkis.html) in May 2007.
9. U.S.-Canada Power System Outage Task Force. (2003). Final Report on the August 14, Blackout in the United States and Canada: Causes and Recommendations, pp. 18–19. U.S. Department of Energy and Natural Resources Canada.
10. Baker, A., and Zahniser, S. (2007). Ethanol Reshapes the Corn Market, Amber Waves: Special Issue 66(5). Economic Research Service/USDA (WWW.ERS.USDA.GOV/AMBERWAVES).
11. Ash, M., and Dohlman, E. (2007). Oil Crops Outlook, Economic Research Service Report OCS-07d, May 14, USDA (WWW.ERS.USDA.GOV).
OBJECT-ORIENTED APPROACHES FOR INTEGRATED ANALYSIS OF INTERDEPENDENT ENERGY NETWORKS
Rodrigo Palma-Behnke and Luis S. Vargas
Department of Electrical Engineering, University of Chile, Santiago, Chile
1 INTRODUCTION
In many fields, there is a growing interest in tools to study the interdependencies of different areas of activity or production. Driving forces in this process have been security, economy, and environmental problems, where the cross effects of policies are highly linked [1]. In the literature, an important part of the investigation is dedicated to the study of critical infrastructure in order to prevent possible catastrophes [2], whereas another line of research is given by environmentally sustainable development [3, 4]. The underlying objective of those works is to study the cross effects of policies in different fields in order to measure their effect on environmental conditions [5]. All these studies recognize the high complexity of the problem, which is characterized by multiple agents and decision makers, large-scale systems with numerous components, nonlinear coupled subsystems, spatially distributed, adaptive in time, and investment decisions of discrete nature. Another aspect of complexity is the need to integrate know-how from different disciplines. The mathematical formulation of these problems usually leads to extremely complex systems. In addition, the trend of market liberalization toward decentralized decision processes has further increased the complexity of the problem [6, 7].
This article is organized in seven sections. Section 2 presents the general models used to represent the transportation and energy networks. Section 3 presents the classes and objects relationship. Section 4 describes the software developed according to the system models. In Section 5, the methodology to state the scenarios for the studies is presented. In Section 6, a case study considering the network in the Chilean territory is developed. Finally, in Section 7, the main conclusions of this section are summarized.
2 SCIENTIFIC OVERVIEW
In the literature, an important part of the investigation is dedicated to the study of critical infrastructure in order to prevent possible catastrophes [8]. This topic was particularly sensitive during 1999 due to the Y2K effect. Another line of research is given by environmentally sustainable development, where the cross effects of policies in different fields on the improvement of environmental conditions are studied [9]. It is recognized that the high complexity of the problem is characterized by
• large-scale systems with numerous components;
• hierarchical multiple noncommensurable, conflicting, and competing objectives;
• multiple agents and decision makers;
• multiple governmental agencies with different missions, resources, timetables, and agendas;
• multiple constituencies;
• multiple transcending aspects and functions;
• nonlinear coupled subsystems;
• spatially distributed, adaptive in time; and
• investment decisions of discrete nature.
Overall, the analysis and design of complex, large-scale nonlinear dynamic interacting systems constitute an open theoretical challenge. Object-oriented programming (OOP) offers a methodological alternative to deal with the problem of interactions among energy and transportation. Specifically, this article proposes the development of activity models for each sector and a method for studying their effects on the environment. This methodology should be capable of measuring the impact due to the future implementation of technological improvements and policies at a country-wide level.
3 SYSTEM MODELING
The modeling approach presented in this section is inspired by previous research work [6, 7, 10] based on two main criteria. The first criterion imposes that the main feature of the modeling technique is versatility, that is, it must be capable of being used for the electricity, fuel, and transportation sectors. In addition, a systematic approach to deal with the problem of interdependencies among those sectors is required. To achieve these tasks, the modeling must fulfill the following needs:
• consistent system and component modeling (scaling, databases, and granularity);
• well-defined system frontiers;
• adequate modeling of the interdependencies among different sectors;
• activity models and tools (i.e. agent-based and game theory) inside each sector;
• data mining and visualization.
In the field of software development, two advancements have gained widespread importance and acceptance: OOP [11, 12] and the graphical user interface (GUI) [13]. OOP has recognized advantages that concern flexibility, expandability, maintainability, and data integrity. In this field, the unified/universal modeling language (UML) is a standardized visual specification language for object modeling. UML is a general-purpose modeling language that includes a graphical notation used to create an abstract model of a system, referred to as a UML model [10, 12]. This approach is the conceptual base for several popular OOP languages. Likewise, the GUI improves the user interaction with the computer, allowing more comprehensive manipulation of analysis tools and interpretation of data. Accordingly, this work
FIGURE 1 Interdependencies among large-scale infrastructures. (Diagram elements: transportation network, gas and fuel network, electricity network.)
applies an OOP methodology to the new energy market structure in order to create a simulation software package.
The second criterion states that, from a physical point of view, the interdependencies among large-scale infrastructures, such as electric power, transportation, and fuel sectors, often have a network structure (Fig. 1). This structure reflects an explicit, physical set of interconnected network devices. It can also handle implicit interconnections created by communications, control, and functional dependence. Thus, according to the above criteria, a model based on the object-oriented (OO) paradigm was chosen in this work. The large box in the center of Figure 2 represents the physical models (urban and interurban) where each network physically and functionally interacts. The regulatory, economic, and technological frameworks are also highlighted as relevant inputs to the two major models. The outputs of the modeling framework are the transport activity levels that are used to compute the fuel and energy consumptions and the environmental impact of the emissions resulting from future economic and technological developments.
FIGURE 2 System network model. (Diagram elements: urban transport model, interurban transport model, technology, economy framework, regulatory framework, activity, fuel consumption, energy consumption, fuel emissions.)
The individual characteristics of power, fuel, and transportation components are described by object attributes. On the other hand, the information exchange among objects is represented by messages following the OOP paradigm. The object modeling technique has been used for developing the object models for each network. They are shown in Figure 3. In the OOP terminology, generalization of a data object along with its data variables and methods is a class of data objects. The data variables are referred to as class attributes and an instance of a class is called an object. The concept of inheritance makes it possible to define subclasses of a class, which share characteristics of the parent class and so on. The proposed modeling breaks down a “system component” object into three subclasses: namely, “fuel component”, “power component”, and “transportation component”. Each of these components makes a further use of inheritance to encompass all the components of its network. For example, the power system is represented by 1-pole and 2-pole elements. In the list of attributes for each object, there are emission factors in order to estimate their environmental pollution features. The pollutants considered in this work are CO, HC, NOx, particulate material (MP10), SO2, CH4, N2O, NH3, and CO2.
4 CLASSES AND OBJECTS RELATIONSHIPS
In this section, a description of the classes together with the interdependencies among them is presented.
FIGURE 3 Object model of the system. (Diagram elements: system component; fuel component; power component; transportation component; the arrows denote inheritance.)
FIGURE 4 Hierarchy chart of power system classes. (Diagram elements: power component, 1-pole, injection, network feeder, node, 2-pole, load, transformer, line, generator.)
4.1 Power System Classes
Figure 4 shows the hierarchy chart of the power system classes, which corresponds to a simplified version of the hierarchy presented in Ref. [12]. Power component is the most general class and its attributes and methods are available for all subclasses [10–12]. Since simulation models are typically based on a node/branch representation, these classes are explicitly included in the OO data model. The 1-pole subclass encompasses all elements connected between a bus and the neutral (or ground). The 2-pole subclass contains all branch facilities having impedance, such as the transmission line and transformer subclasses. Note that a three-winding transformer may be represented by the 2-pole subclass by using a wye-star transformation. Some Flexible Alternating Current Transmission Systems (FACTS) devices, like the UPFC, can also be modeled through this concept [14]. All the technical parameters of the power system devices are stored in attributes. These attributes include location, economic data, and the set of emission factors.
4.2 Hydro Database
Catchment models, which are very important in hydrothermal power systems, can be incorporated as an additional OO class hierarchy. The set of classes that make up the hydro database (HDB) is depicted in the class hierarchy of Figure 5. With it, it is possible to model, in a simplified way, the hydrographic basins or catchments involved in hydro generation. An inflow of water in a natural regime is characterized by the “natural inflow” class, so objects of this kind usually stand at the head of a basin. The “hydro unit” constitutes a decision or an action taken over the water flow, a decision that is specialized in child classes. From the connectivity point of view, the “natural inflow” objects have one output and the “hydro unit” has one input and two output attributes, while the connection between input–output pairs is performed by a “link” object.
Following the hierarchy, the “hydro unit” is split into three classes to implement the hydrothermal coordination modeling. While a “series unit” allows full connectivity and could be associated with a network database (NDB) “generator”, an “isolated run of the river” can only receive water from a “natural inflow” and must be associated with a “generator”. On the other hand, the “irrigation constraint” class represents extractions from a river course for irrigation purposes, so it can neither be related to electrical generation nor can its extractions be the inflow of another object. A more specialized class is the “reservoir unit”, which adds to
FIGURE 5 Hierarchy chart of the hydro database (HDB). (Diagram elements: HDB component, natural inflow, link, hydro unit, irrigation agreement, isolated run of river, series unit, irrigation constraint, reservoir unit.)
FIGURE 6 Hierarchy chart of fuel network classes. (Diagram elements: fuel component, station, fuel injection, storage, link, fuel customer.)
the “series unit” the capability to store water attributes. Finally, an abstract class “irrigation agreement” has been created to include a set of rules that comprise water use rights. An “irrigation agreement” object usually restricts the administration of reservoirs and drives the extractions of “irrigation constraint” based on information such as reservoir storage height, period of the year, and flow measurements at predefined basin points.
4.3 Fuel Network Classes
The hierarchy chart of the fuel network classes is shown in Figure 6. Two abstract classes and four final subclasses represent the whole network. A fuel injection system, a storage system, and a customer system can be generalized in a station class with common attributes like position and capacity. A fuel injection subclass simultaneously manages different fuel sources in the network. This model can handle 27 different fuel types such as crude oil, city gas, liquefied petroleum gas (LPG), natural gas (NG), gas oil, gasoline (81, 86, 91, 93 leaded and unleaded), different diesel types, and petcoke. A storage object subclass manages just one of the fuel types. It keeps an initial, current, and final state of stored volume. A more realistic model of a storage can be built with several storage objects. A fuel customer subclass is characterized by the type and amount of each fuel. It can simultaneously manage all possible fuel types coming from the fuel stations. The link represents a union element between two station objects. The main attributes are the fuel type, the capacity, and the length. Additional links are differentiated by the transportation mode of the fuel: pipeline, train, truck, and ship.
4.4 Transportation Network Classes
The hierarchy chart of the transportation network classes defines an arc and a generic node class. The generic node is further specialized into two classes called node and centroid, as shown in Figure 7. For transportation networks, a first conceptual separation between urban and interurban networks must be made [15]. A strategic planning study with national coverage must include an interurban traffic representation. Therefore, in the context of the proposed model, a centroid is associated with a conurbation or a vast urban area around and including a large city. The transportation activity of a conurbation is stored in attributes,
FIGURE 7 Hierarchy chart of transportation network classes. (Diagram elements: transportation component, arc, generic node, centroid, node.)
which register the number of attracted and generated trips, the rate of growth, and other relevant parameters. The node component is intended to represent only bifurcation and convergence points of transportation ways (with or without population). A node either generates or attracts trips. The transportation ways are modeled through a generic class called Arc, considering only one-way trips. Arcs define capacity, flow, length, and speed for each of the following transportation modes: train, electric train, light vehicle, bus, heavy duty vehicle, ship, and plane.
4.5 Objects Relationship
One of the main objectives of the proposed modeling is to capture the interdependencies among different sectors. This is accomplished easily by using the classes of each OOP database (power, fuel, and transportation). In fact, a direct relationship between objects from different databases occurs through references to objects in the OOP. These references, as shown in Figure 8, are given as attributes of the individual classes. Let us see some examples:
• A combined cycle generating plant is represented as an NG customer in the fuel network.
• Electricity consumption of arcs, centroids, injections, and links of the transportation network is represented by loads in the electric power network.
• Fuel consumption, resulting from the activity of centroids and arcs in transportation networks, is represented by customers in the fuel network.
In the case of the HDB, the water processed by hydro units is converted to electricity by generators and/or network feeders from the NDB. These references define information that is directly available to objects. Thus, the fuel customer “knows” the electrical behavior of a generator, the electrical load “knows” the energy consumption of an oil refinery, and so on.
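The cross-database references of Section 4.5 are illustrated below with an added Python example; it is not PIET code (PIET is written in Java). The attribute names, the helper functions `cross_sector_links` and `affected_by`, the fixed list of loads served by the generator, and all numeric factors are assumptions constructed for illustration.

```python
# Added illustration, not PIET code; attributes and factors are assumptions.
from collections import Counter

class SystemComponent:
    """Root class (Fig. 3 of the chapter); each subclass sets `sector`."""
    def __init__(self, name):
        self.name = name

    def references(self):
        """Components this object points to through its attributes."""
        values = []
        for value in vars(self).values():
            values.extend(value if isinstance(value, list) else [value])
        return [v for v in values if isinstance(v, SystemComponent)]

class FuelComponent(SystemComponent):
    sector = "fuel"

class PowerComponent(SystemComponent):
    sector = "power"

class TransportationComponent(SystemComponent):
    sector = "transportation"

class Centroid(TransportationComponent):
    """Conurbation; public-transport activity in vehicle-km/year."""
    LITRES_PER_VKM = 0.5  # constructed diesel factor
    KWH_PER_VKM = 2.0     # constructed electric factor

    def __init__(self, name, activity_vkm, electric_share=0.0):
        super().__init__(name)
        self.activity_vkm = activity_vkm
        self.electric_share = electric_share

    def fuel_demand(self):  # litres of diesel per year
        return self.activity_vkm * (1 - self.electric_share) * self.LITRES_PER_VKM

    def electric_demand_mwh(self):
        return self.activity_vkm * self.electric_share * self.KWH_PER_VKM / 1000

class Load(PowerComponent):
    """Electric load standing for a consumer held in another database."""
    def __init__(self, name, base_mwh, consumer):
        super().__init__(name)
        self.base_mwh = base_mwh
        self.consumer = consumer  # cross-database reference

    def energy_mwh(self):
        return self.base_mwh + self.consumer.electric_demand_mwh()

class Generator(PowerComponent):
    """Gas unit; a fixed list of served loads replaces a dispatch model."""
    HEAT_RATE_GJ_PER_MWH = 7.0  # constructed value

    def __init__(self, name, loads):
        super().__init__(name)
        self.loads = list(loads)

    def output_mwh(self):
        return sum(load.energy_mwh() for load in self.loads)

    def fuel_demand(self):  # GJ of natural gas per year
        return self.output_mwh() * self.HEAT_RATE_GJ_PER_MWH

class FuelCustomer(FuelComponent):
    """Fuel-network customer that asks its consumer how much it needs."""
    def __init__(self, name, fuel_type, consumer):
        super().__init__(name)
        self.fuel_type = fuel_type
        self.consumer = consumer  # cross-database reference

    def demand(self):
        return self.consumer.fuel_demand()

def cross_sector_links(objects):
    """Count references that cross a sector boundary, per sector pair."""
    return Counter(tuple(sorted((o.sector, r.sector)))
                   for o in objects for r in o.references()
                   if r.sector != o.sector)

def affected_by(changed, objects):
    """Names of objects whose results depend, directly or not, on `changed`."""
    hit, frontier = set(), [changed]
    while frontier:
        current = frontier.pop()
        for obj in objects:
            if obj not in hit and current in obj.references():
                hit.add(obj)
                frontier.append(obj)
    return sorted(o.name for o in hit)

def build_example():
    """Constructed model: one centroid, one load, one gas unit, two customers."""
    city = Centroid("city", activity_vkm=1_000_000)
    load = Load("city_load", base_mwh=10_000, consumer=city)
    unit = Generator("cc_unit", loads=[load])
    diesel = FuelCustomer("city_diesel", "diesel", city)
    gas = FuelCustomer("cc_unit_gas", "NG", unit)
    return {o.name: o for o in (city, load, unit, diesel, gas)}
```

Setting `electric_share` to 1.0 on the centroid moves its demand from the diesel customer to the electric load, and the gas customer's demand rises through the generator reference. `affected_by` lists every object in the other databases that a change to one object can reach.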
5 INFORMATION PLATFORM
On the basis of the preceding models, the PIET (an acronym in Spanish for Transportation and Energy Information Platform) software was developed using Java technology
FIGURE 8 Physical relationship between objects. (Diagram elements: centroid, node, arc, generator (G), busbar, injection, storage, load, customer, transformer, link, line.)
(Fig. 9) [10].¹ The OO database (server), which is required by the rest of the platform components, constitutes the core of the application. Source-file and specific power, fuel, and transportation editors allow user interaction with the system information and options. The gray arrows represent the transmission of required services from clients to their respective servers and the black arrows represent data exchange flows. The design deals with critical aspects of the data management requirements for commercial software and energy companies by building a bridge to existing databases in different source/data file formats.
¹ The final code (around 400 classes) runs efficiently on a Pentium IV computer with 512 MB RAM.
FIGURE 9 PIET client-server architecture. (Diagram elements: man–machine interface; event process update; analysis tools; energy model; urban transportation model; interurban transportation model; object-oriented database server covering energy, fuel, hydro, and transportation; source/data files; geographic information system (GIS); macroeconomic variables. Components are labeled as client, server, or client and server.)
6 SCENARIO DESCRIPTION
The proposed model has the ability to generate, simulate, and analyze global potential scenarios. In this work, we define a scenario as a “case study”, expressed in words and numbers, about the way future events and the alternatives can develop. Although uncertainties dominate what really will happen, it is possible to write interesting and believable histories regarding the future. The generation of a scenario usually involves the following steps:
• Defining the spatial (global, regional, etc.), thematic (sectors to cover, etc.), and temporal (time horizon) limits of the analysis.
• Describing the current economic, demographic, environmental, and institutional situation.
• Incorporating the driving and conditioning forces of the system and sectors.
• Setting up a narrative that gives the context to the scenario. Often quantitative indicators are used to point out certain aspects.
• Drawing an image of the future. This involves specifying conditions and constraints for one or more points in the time horizon.
The outcome of this procedure is the definition of the following variables: demography, economy, social variables, culture, technology, environment, structures of administration (governance), and infrastructure. These variables work as the entry parameters defining a scenario in PIET. In practical terms, the OO design of PIET allows the following four ways to configure scenarios:
1. Through a direct link with a support model. Support models refer to those tools (computational programs, rules, databases, etc.) that allow the definition of a scenario. This can be a specific model usually used in the sector (i.e. transportation, energy, or environment) that can directly provide the information for the operation of PIET.
2. Through the use of activity models to obtain specific values for variables or entry parameters to PIET. An example of an activity model is the calculation of fuel price profiles and deviations for a given scenario.
3. By directly using PIET dialogs and frames, that is, object, system, and tool attributes.
4. Finally, structural changes in networks (for example, the expected generation expansion plan) can be incorporated in PIET by using the respective Editor. Typically this consists of drawing new objects in the networks.
Once the scenario has been incorporated into PIET, specific activity models for each network are run in order to obtain the quantification of interdependencies and the emissions of the scenario. The following studies can be carried out with PIET:
• fuel price variation effects;
• new technology impact;
• effects on energy sector produced by an efficient use of the transportation network;
• identification of network capacity constraints (critical expansion sectors);
• map with possible locations for power plants.
7 CASE STUDY EXAMPLE
For a validation of the proposed model, PIET was applied to Chile including the whole national territory. In this case, the hydro network was not considered.
7.1 Physical Chilean Networks
The Chilean mainland territory covers an area of 750,000 km² with a population of nearly 16 million. Chile has a market-oriented economy characterized by a high level of foreign trade. As a consequence, the electric, fuel, and transportation infrastructure comes mainly from private investors. The electricity production was 39.577 billion kWh in 2000, which comprised fossil fuel (51.17%), hydro (46.36%), and others (2.47%). The transmission system, made up of two main interconnected systems, includes voltage levels up to 500 kV. NG is imported from neighboring countries using a pipeline system, while fuel and coal arrive in ships from different countries. In summary, the fuel network encompasses a pipeline system of crude oil (755 km), petroleum products (785 km), and NG (320 km). In the transportation sector, all transport services are privately owned and/or operated with the exceptions of the interurban passenger trains and the urban railroad (Metro). Overall, the railroad system has 6702 km of railways, including 2831 km of broad gauge (1317 km electrified), 117 km narrow gauge (28 km electrified), and 3,754 km of meter gauge (37 km electrified). The highway system covers 79,800 km. Because of data availability and geographical features of the country, the territory information is described at a province level by 51 zones. Nevertheless, major projects in any network, for example, a new mining site or a new combined cycle unit, are modeled explicitly in the networks (new objects). In summary, as shown in Table 1, the modeling into PIET of the previously described networks (power system, transportation, and fuel network) translates into a collection of 1927 objects: 1127 objects are defined for representing the transportation sector, 492 for the electric sector, and 308 for the fuel network.
7.2 Network Dependencies
Network dependencies can be classified into two main categories: activity and physical dependencies.
On the one hand, the activity of each network—annual flow (vehicle·km/year) in transportation, annual energy (MWh/year) in electricity sector, and annual consumption
TABLE 1 Objects in the Chilean Case
Power system network
  Number of nodes                     103
  Number of lines                     106
  Number of transformers               39
  Number of generators                 42
  Number of loads                     202
  Total                               492
Transportation network
  Number of centroids                 272
  Number of nodes                     183
  Number of arcs                      672
  Total                              1127
Fuel network
  Number of fuel injections            20
  Number of fuel storage centers        0
  Number of fuel links                257
  Number of fuel customer centers      31
  Total                               308
(barrel/year or ton/year) in fuel and NG—in the case of Chile can be related to a common set of economic indices. These indices are as follows: gross domestic product (GDP)/year for each province, international and domestic fuel prices, fuel taxes, population (inhabitants/province), and average income. These indices simultaneously shape the behavior of each network.
On the other hand, several physical interactions among the different networks are detected. A diagram with the main physical interdependencies among the networks in the Chilean territory is shown in Figure 10. Figure 10 shows that in the whole Chilean territory, there are 133 links among electric, fuel, and transportation networks. As these links are geographically referenced, this information is useful for many purposes such as mapping of pollution in zones, energy consumption, available transfer capabilities of lines, pipelines, and so on. The national power network is further divided into two main interconnected systems covering the north (the Northern Interconnected System, SING by its Spanish acronym, with a length of 800 km) and the central part of the territory (the Central Interconnected System, SIC by its Spanish acronym, with a length of 2000 km). As stated before, a major advantage of this representation is that it can be used for planning studies. For example, a new power plant may be drawn in the editor and the impact of this new project is seen inside the power grid and in the fuel network that will provide oil or NG for that plant. In addition, the pollution that this new project will produce will be displayed accordingly.
7.3 Specific Activity Models
On the basis of the studies carried out by the government and independent institutions, activity indices and physical dependencies are estimated for each year in the time horizon. A specific activity model is developed for each network.
FIGURE 10 Diagram with links among sectors. (Diagram elements: fuel network, 308 fuel objects, with customer; electricity network, 492 electricity objects, with generator and load; transportation network, 1127 transportation objects, with centroid and arc; link counts shown in the diagram: 7, 23, 85, and 18.)
7.3.1 Power Systems. A multinodal, multireservoir dynamic stochastic model, with monthly stages and a time horizon of 10 years is used. Energy production and fuel consumption of each generating unit and their related emissions are obtained. The active power flow pattern for peak demand is computed [10].
7.3.2 Transportation. It consists of two interrelated models. The first model encompasses urban transportation, that is, it renders the annual flow (vehicle·km/year) for each transportation mode (train, electric train, light vehicle, bus, and heavy duty vehicle) in any centroid (conurbation in a province). Most methodologies of calculating urban transportation emissions are based on emissions factors and operational parameters that represent real-world traffic conditions [15–18]. The emissions factors represent emissions of each pollutant as a function of vehicle speed under normal traffic conditions. These factors are obtained experimentally with transient tests conducted on chassis dynamometers with a representative sample of technologies, vehicle types, and driving patterns [19–20]. Operational parameters are a function of link flow densities, average speed, and activity levels measured in kilometer per year per vehicle. These operational parameters are normally obtained from strategic transportation models, traffic surveys, and vehicle fleet databases [20]. However, for long-term and large-scale strategic studies, the data collection and parameter calibration components of these emission estimation methodologies are highly time consuming.
The second model represents the interurban transportation, which estimates the total flow between centroids for each transportation mode. This is a synthetic model that combines generation, distribution, and modal partition in one single stage. Mathematically, it corresponds to an econometric polynomial model.
The total vehicular activity associated with passengers is estimated through a two-stage sequential model that should reach a system-wide equilibrium: generation-attraction (G-A: stage 1) and joint distribution-modal split (D-M: stage 2). Separately, the freight movement is modeled with a direct demand model that simultaneously calculates the trip
generation, distribution, and mode choice. The assignment stage in both cases is carried out by a shortest path algorithm on the interurban network. Because data from Chile is available at the province level, the models are specified at the province level. A province is a subdivision of a larger area called a region, and Chile is made up of 15 regions.
7.3.3 Fuel Network. Fuel consumption is determined by using existing historical data, which is used to adjust a logarithmic model to the activity indices.
7.4 Results
A scenario with an electric growth rate of 7%, for years 2003 and 2004, and 8% from year 2005 to 2011, considering hydro and thermal technologies in generation is presented in Figure 11. The scenario of Figure 11 is built under the assumption that no new hydro projects are carried out. Accordingly, the increase in demand is satisfied mainly by NG generating units. Simultaneously, the fuel network activity model detects the expected capacity requirements for the pipeline infrastructure. As a consequence of this development, expected emissions increase in the system as shown for the NOx case in Figure 12. A summary of the urban transportation activity for the main provinces of the Chilean territory in the year 2002 is shown in Figure 13 to show the geographical capability of the model. The corresponding emissions (ton/year) of the transportation activity for MP, NOx, HC, and CO are shown in Figure 14. From Figure 14 it can be seen that Cachapoal, Iquique, and San Antonio provinces have high degrees of CO emissions, which can be related to public transportation (Fig. 13). This suggests that CO and NOx mitigation could be achieved by converting the public transportation technology, for instance, to electric vehicles for the whole public
FIGURE 11 Annual energy by technology [GWh]. [Chart not reproduced: annual energy (GWh) by year, 2002–2011, for Hydro, Coal, Diesel, Natural Gas, and Other.]
FIGURE 12 Annual NOx emission in power network [ton/year].
FIGURE 13 Transportation activity in year 2002 by technology [M vehicle·km/year]. [Chart not reproduced: activity (M veh·km/year) by province for commercial light vehicles, trucks, light vehicles, and public transportation.]
transportation system. The impact of these changes in the electric and fuel networks is summarized in Table 2. Rows 1–3 of Table 2 show the base case information for provinces Cachapoal, Iquique, and San Antonio in year 2002. In these provinces, the public transportation activity is entirely diesel based (39 × 10^6 ga/year). After the proposed change, diesel consumption is replaced by electric energy, which means an important increase in NG consumption in combined cycle units. In fact, a new combined cycle unit is necessary (400 MW). The conversion scenario achieved a dramatic reduction in CO emission of 89%. In addition,
FIGURE 14 Transportation emissions in year 2002 [ton/year]. [Chart not reproduced: emissions (ton/year) of MP, NOx, HC, and CO by province.]
TABLE 2 Public Transportation Technology Conversion

Provinces information (base case 2002)
  Public transportation activity     446 × 10^6 vehicle km/year
  Diesel consumption                 39 × 10^6 ga/year
Energy balance after conversion
  Natural gas consumption            +1716 × 10^6 m^3/year
  Electric energy generation         +6460 GWh/year
CO and NOx balance after conversion
  CO emissions                       –4529 ton/year (–89%)
  NOx emissions                      –107 ton/year (–5%)
PIET shows that existing NG pipeline system supports the new requirements without new investments.
8 CONCLUSION

The OOP approach is useful to perform analysis of energy and transportation networks in the context of strategic planning. OOP and Java technology allow both flexible scenario definitions and a friendly GUI. Thus, a platform like PIET is flexibly adapted as a server structure for the development of several analysis tools. Ongoing research is focused on identifying critical requirements for the energy and transportation infrastructure, and on improving the activity models for each network and their relationships.
REFERENCES

1. Cole, M. A., and Neumayer, E. (2004). Examining the impact of demographic factors on air pollution. Popul. Environ. 26(1), 5–21.
2. Alson, J., DeCicco, J., Delucchi, M., Greene, D., Johnson, L., McNutt, B., Patterson, P., Santini, D., Sperling, D., and Turrentine, T. (1999). Transportation energy and environmental policy for the 21st century, Asilomar Conference Center, Monterrey, California, pp. 24–27.
3. Delucchi, M. A. (1991). Emissions of Greenhouse Gases from the Use of Transportation Fuels and Electricity 1, Center for Transportation Research, Argonne National Laboratory, Argonne, IL. ANL/ESD/TM-22.
4. EIA (2007). Annual energy outlook 2008 with projections to 2030 (Early Release), Report #:DOE/EIA-0383(2008), December 2007.
5. Zografos, K. G., Madas, M. (2003). Optimizing intermodal trip planning decisions in interurban networks, Proceedings of the 82nd Annual Transportation Research Board Meeting, January 12–16, 2003, Washington, DC.
6. Handschin, E., Heine, M., König, D., Nikodem, T., Seibt, T., and Palma, R. (1998). Object-oriented software engineering for transmission planning in open access schemes. IEEE T. Power Syst. 13(1), 94–100.
7. Palma R., Moya, O., and Vargas, L. (2001). Object-oriented simulation software for a competitive environment—application to transmission expansion planning, The First EPRI Latin American Conference & Exhibition: Toward a Mature Electricity Market Through Technology, R&D, and Business Vision, Rio de Janeiro, Brasil, 28–30 November, 2001.
8. Department of Energy—DOE, White House Office of Science and Technology Policy-OSTP (2000). Workshop on Infrastructure Interdependencies Research and Development Workshop, McLean, IL, June, 2000.
9. York, R., Rosa, E. A., and Dietz, T. (2003). STIRPAT, IPAT and ImPACT: analytical tools for unpacking the driving forces of environmental impacts. Ecol. Econ. 46(3), 351–365.
10. Palma, R., Vargas, L., Flatow, F., and Oyarce, N. (2003). Object oriented platform for an integrated analysis of energy and transportation networks. IEEE T. Power Syst. 18, 1062–1069.
11. Rumbaugh, J., Jacobson, I., and Booch, G. (2004). The Unified Modeling Language reference manual, 2nd Ed. Addison-Wesley Professional, Boston, Massachusetts, ISBN: 0321245628.
12. UML Resource Page of the Object Management Group (2008). Resources that Include the Latest Version of the UML Specification. Available at http://www.uml.org/.
13. Foley, M., Bose, A., Mitchell, W., and Faustini, A. (1993). An object based graphical user interface for power systems. IEEE T. Power Syst., 8(1), 97–104.
14. Palma-Behnke, R., Vargas, L. S., Pérez, J. R., Núñez, J., and Torres, R. A. (2004). OPF with SVC and UPFC modeling for longitudinal systems. IEEE T. Power Syst. 19(4), 1742–1753.
15. Lyons, T. J., Kenworthy, J. R., Moy, C., and Dos Santos, F. (2003). An international urban air pollution model for the transportation sector. Transport. Res. D-Tr. E. 8, 159–167.
16. Sharma, P., and Khare, M. (2001). Modelling of vehicular exhaust—a review. Transport. Res. D-Tr. E. 6, 179–198.
17. Zachariadis, T., and Zamaras, Z. (1999). An integrated modeling system for estimation of motor vehicle emissions. J. Air Waste Manage. Assoc. 49, 1010–1026.
18. Corvalán, R. M., Osses, M., Urrutia, C. M., and Gonzalez, P. A. (2005). Estimating traffic emissions using demographic and socio-economic variables in 18 Chilean urban areas. Popul. Environ. 27(1), 63–87.
19. Ntziachristos, L., Samaras Z., Eggleston, S., Goriben, N., Hassel, D., Hickman, J., Joumard, R., Rijkeboer, R., and Zierock, H. (1999). Computer Programme to Calculate Emissions from Road Transport, COPERT III. Methodology and Emission Factors. European Environmental Agency. European Topic Centre on Air Emission, Thessaloniki.
20. De Cea, J., Fernández, E., Dekock, V., Soto, A., and Friez, T. (2003). ESTRAUS: a computer package for solving supply-demand equilibrium problems on multimodal urban transportation networks with multiple user classes, Proceedings of Transportation Research Board Annual Meeting, Washington, DC, January 2003 (CD-ROM).
FURTHER READING

Bakkes, J. (2000). Global Dynamics and Sustainable Development Programme, RIVM Report no. 402001018, October 2000.
GEOSPATIAL DATA SUPPORT FOR INFRASTRUCTURE INTERDEPENDENCIES ANALYSIS

Anthony F. Adduci, Scott D. Bailey, and Ronald E. Fisher
Argonne National Laboratory, Argonne, Illinois
1 INTRODUCTION

Geospatial data provide a unique and rich source of information on the distribution of both environmental and man-made assets and reveal specific themes of the earth’s surface. Such data are an element in almost all public decision-making processes [1]. Nonspatial data provide key attributes, such as the facility owner, size, and operational information, that augment geospatial data and provide additional insight for analysts. Geographic information system (GIS) and other visualization technologies are optimal solutions for displaying geospatial and nonspatial data. By providing a user-friendly, yet powerful, framework to quickly display data in varying layers at a variety of zoom levels, GIS presents a wide range of unique capabilities, such as thematic mapping, data overlay and synthesis, network analysis, geospatial modeling, and visual data exploration. Thus, the use of geospatial data and GIS is essential to the analysis of the many components that make up critical infrastructures and key resources (CIKR).
2 TECHNOLOGY OVERVIEW

Infrastructure interdependencies are complex to identify and analyze because of the vast infrastructure components that are involved and the complex interactions among them. GISs and other visualization technologies provide innovative ways to identify and analyze infrastructure interdependencies because they give analysts the ability to overlay, zoom, pan, query, and manipulate geospatial and nonspatial data sets. These techniques also allow analysts to view infrastructure for any selected area, to determine its criticality to other infrastructures, and to identify and quantify interdependencies, such as proximity, connectivity, common corridor sharing, etc.

Computer and software advancements have greatly enhanced the area of geospatial visualization technology used in infrastructure interdependency analysis. Several types of tools are available to analysts, including stand-alone GIS, shared GIS, Web-based GIS, open source GIS, three-dimensional (3D) visualization, aerial imagery, and aerial flyover. Each of these tools offers unique advantages in the analysis of infrastructure interdependencies. They are described below.

• Stand-alone GIS. Although GIS capabilities have been available for many years, it has been only since the mid-1990s that GIS has been part of the mainstream. In the past, GISs were predominantly housed on Unix workstations, and data were limiting and expensive. However, rapid advancements have made GIS available on the personal computer (PC). As software capabilities have increased, data sets have become more readily available and less expensive. Furthermore, GIS has become much more user-friendly. Once, only trained geographers were able to apply GIS technologies, but now, nontechnical users can use GIS software. Today’s GIS market includes several vendors, such as Environmental Systems Research Institute (ESRI), MapInfo, Intergraph, and Autodesk. Additionally, Microsoft has a GIS product called Microsoft Streets and Trips, and several global positioning system (GPS) units come with GIS software (i.e. DeLorme).

• Shared GIS. As the quantity of GIS data has increased, so has its user base. Shared GIS applications became available that allowed for shared licensing among users and shared systems to house software and data. This development opened the door to an expanded group of users, especially those who do not use GIS enough to acquire their own licenses or who do not have the PC requirements to support these systems. Subsequently, this development led to the expansion of Web-based GIS, which will be addressed in the next section. Information about three examples of shared GIS products is provided in the following paragraphs.

  ArcIMS is a server-based GIS developed by ESRI that allows users to create, publish, and share maps over the Internet or within an organization. This product provides GIS access to users that do not have stand-alone GIS. Once the final product is published, it is available on the Internet and is accessible to numerous users. With ArcIMS, the end user can interactively view a map and have the ability to zoom, pan, identify layer attributes, and find and turn layers on and off. ArcIMS can be useful, particularly for infrastructure analysts who are knowledgeable in a
particular field, but do not have an extensive background in GIS that is required to operate most GIS software.

  ArcGIS server is a more advanced server-based ESRI product. Like ArcIMS, the primary function of this tool is to deliver GIS data and maps to customers or clients using a browser-based environment. ArcGIS server is more advanced than ArcIMS because it provides users with not only the ability to publish interactive maps, but also the ability to publish more functionality, such as advanced geoprocessing, 3D visualization, and more enhanced analysis options. Users do not need to have expensive stand-alone GIS to perform analysis or previous experience with GIS to use this product. With ArcGIS server, users can create user-friendly and self-explanatory maps and tools, which are especially useful in the field of infrastructure analysis because they allow infrastructure analysts to have access to GIS functionality without possessing the software or extensive GIS knowledge.

  GeoPDF by TerraGo is another example of a shared GIS product. GeoPDF provides GIS capabilities to anyone with access to Adobe Reader. Users can view GIS-produced maps and coordinates, pan, zoom, identify features, obtain attribute information, measure distances, and turn data layers on and off. The functionality of this product is not as advanced as ArcGIS server, but it is the easiest to use of the three examples of shared GIS products. The GeoPDF file is originally created in a GIS environment and there is a fee for the software license, but viewing a GeoPDF document is of no cost to the end user. The main advantage of this tool is that users can create interactive maps for other infrastructure analysts who do not have access to costly GIS software but can readily access widely used Adobe products.

• Web-based GIS. As web site capabilities expanded, GIS became a mainstream application for web site developers. Many sites, such as Geography Network, GeoComm, iMAP, Mapserver, United States Geological Survey (USGS) seamless site, and Google Earth, now offer key services that use Web-based GIS technologies as their backbone. Google Earth, for example, is a free service that offers a limited but useful range of GIS capabilities that are not as powerful as stand-alone GIS end products, but are still powerful and highly useful. The capabilities of Web-based GIS are combining various infrastructure layers with high resolution aerial imagery, terrain, 3D buildings, the ability to search for locations using GPS coordinates or keywords, and Keyhole Markup Language (KML) capabilities. KML is an XML language that allows users to view geographic data on Google Earth and web browsers. Other sites also include GIS capabilities that have become commonplace. For instance, numerous web sites, such as Mapquest, Google Maps, and Yahoo! Maps, use geocoding to allow users to find site locations or to obtain driving directions to specific locations. Such Web-based GIS tools have greatly increased the number of developers and users of GIS technologies. The main advantages to these tools are the same as those listed above for stand-alone and shared GIS: infrastructure analysts do not have to purchase expensive GIS software to analyze geospatial data. Instead, interactive GIS web sites and applications allow users to perform limited GIS analysis and data manipulation at a lower cost.

• Open source GIS. In addition to the proliferation of GIS technology as a whole, there has been recent growth in the development and use of open source GIS tools, libraries, and standards. Many common GIS tasks can now be accomplished with free or open source software. The biggest advantage of open source GIS is that these tools are typically free to users and provide a source code that can be customized
and integrated with other tools. Additionally, nonproprietary and open data formats, such as the shapefile format for vector data and the GeoTIFF format for raster data, have been widely adopted. The Open Geospatial Consortium (OGC) protocols, such as web mapping service (WMS) and web feature service (WFS), provide protocols that further encourage the continued development of open source software, especially for Web and Web service oriented applications. Examples of open source GIS tools are BASINS, Demeter, Geocoder, GRASS, ImageMagick, libGRASS, MP2KML, and VGMap. These products contain various GIS capabilities, including image processing, 3D analysis, interpolation, and access to geospatial libraries. As open source GIS technology continues to mature, users will be afforded greater flexibility in analyzing infrastructure interdependencies and in linking GIS tools to other crucial analysis capabilities, such as modeling and simulation, visualization, and data mining.

• 3D visualization. In the past, geographers were bound by the limits of technology and confined to two-dimensional (2D) views for analyzing geographic data. Three-dimensional modeling enables a real-world representation of geospatial data to interact with physical land feature data in terms of terrain and surrounding environment. A leading product in this area is ArcGIS 3D Analyst developed by ESRI [2]. Three-dimensional applications change the way analysts view geospatial data and allow users to view and analyze data in new dimensions, which greatly benefits the infrastructure interdependency analysis. Traditionally, users have been limited to static maps and forced to use their imaginations to visualize what a landscape, city, or terrain look like. With 3D tools users can view elevation, depth, buildings, terrain, and bathymetry, which are not easily discernible on static maps. Three-dimensional applications are powerful tools for interdependency analysis because they allow users to portray enhanced depictions of how relationships exist between various infrastructure assets.

• Aerial imagery. Aerial imagery is a key data source to GIS applications and visualization. Integrating relevant imagery with GIS technologies allows for additional visualization options previously available through only high-resolution maps, photographs, or site visits. Infrastructure analysts commonly use aerial imagery to validate and verify facility locations in relation to other infrastructure assets. Aerial imagery also increases the reliability of GIS data by allowing users to verify geospatial and nonspatial data.

• Aerial flyover. Aerial flyover, which provides users a bird’s-eye view of the region of analysis, is available in applications, such as ArcGIS 3D Analyst and ArcView 3D Analyst. Such tools are useful in the presentation and representation of geospatial analysis as viewed from a perspective that was previously unavailable to analysts. Prior to the availability of aerial flyover, photographers were limited to using 2D maps and were forced to use their imaginations to visualize GIS work. Aerial flyover technology combines 3D capabilities with an aerial perspective similar to that from an airplane or helicopter. Recent advancements in the GIS field have brought this new tool to the forefront.

From an interdependencies perspective, the wide array of GIS tools available provides methods to

1. accurately locate facilities within a geographic region;
2. identify the critical infrastructure within that region;
3. visualize and quantify relationships between critical infrastructures; and
4. support infrastructure interdependencies analysis.

Table 1 summarizes the GIS tool types identified in this section; identifies the strengths and weaknesses associated with each tool type; and addresses the applications of each tool type to interdependency analysis.
3 GEOSPATIAL AND NONSPATIAL GAPS
As noted in the preceding section, many modeling and visualization tools are available to analysts, but without complete and accurate data, these tools are limited in their application. This problem became evident within the US Department of Energy’s Visualization Working Group, which discovered the limiting factor to the visualization of the energy infrastructure was the lack of available geospatial and nonspatial data [3]. Although much geospatial data currently is available (e.g. highways, streets, waterways, rail lines), limited geospatial data exists on the energy infrastructure (e.g. oil and gas pipelines, electric substations). In some cases, geospatial data exists but lacks attributes, completeness, or sufficient accuracy for interdependency analysts. Infrastructure interdependency analysis requires vast amounts of data across CIKR, as well as a high level of data fidelity. Data accuracy and precision are critical to problem solving and decision making in this field. Limitations include lack of required data (data gaps) and erroneous data, which include existing but misleading data. Geospatial data used for interdependency analysis often contain errors that are not always obvious to users, and some examples of geospatial data pitfalls are provided below. Erroneous data are more difficult to identify than data gaps. Such data are not always misleading upon examination, because the specific limitations to the data set may not be clear. For example, a map reader may not be aware that newer streets are not included on a map and that some of the streets may be slightly off in their placement. The producer of the map may be aware of the flaws, but they are not obvious to the map reader. Errors in geospatial data are well documented in the geospatial community but are not well known to external users of the data. 
Goodchild states, “The process by which a geospatial database is created from a source map is complex, and error of various types is introduced at each step [4].” The larger the area involved, the more important the mapping errors due to projection become [5]. Many of the sources of error are due to the method and process of geocoding, which is the key component in processing geospatial data. Many researchers have stressed the need to deal with issues of geospatial data quality, as the risk of misuse of geospatial data has greatly increased [6]. Significant causes of the enhanced risk of misuse include the increased availability of geospatial data, the greater possibility that the data have been manipulated, and a growing group of inexperienced users [7]. Furthermore, producers of geospatial data sets provide little information regarding the quality of their data [8]. Understanding errors and their propagation during data manipulation and processing is becoming one of the major issues in geospatial analysis [9]. If uncorrected, these errors can lead to erroneous interdependency analyses. For example, an infrastructure analyst studying shared right-of-way corridors may not correctly identify collocated infrastructures if the geospatial layers display infrastructure
TABLE 1 GIS Tool Types for Interdependency Analysis

GIS Tool Type | Strengths | Weaknesses | Interdependency Applications
Stand-alone | Full GIS functionality; extensive analytical geospatial tools and extensions | Software cost; learning curve (GIS/data); requires significant digital storage space and high-performance computers | Offers robust GIS capabilities for interdependencies analysis by GIS trained staff
Shared | Low cost; ability to control end user functionality; published products | Limited functionality for end user; limited integration with other programs | Provides basic GIS capabilities for use in interdependencies analysis with little or no background in GIS
Web-based | Ease of use; low cost; readily available; interactive | Limited geoprocessing functionality; lack of metadata | Quickly provides data for critical facilities and surrounding areas for interdependencies analysis
Open source | Low cost; ease of customizing and integrating | Steep learning curve; programming skills required | Provides a solution for extending legacy interdependencies tools to include GIS capabilities
3D visualization | Specialized functionality; improved visual perspective | Increased computational requirements; access and ability to create 3D data; large files and datasets | Allows for correlating interdependencies attributes and gives users an improved perspective of infrastructure interdependencies
Aerial imagery | Provides excellent insights and reference points | Availability and cost; quality/resolution; limited data coverage | Allows users to quickly zoom to areas of interest and determine first-order interpretation
Aerial flyover | Real-world perspective; interactive; combines raster and vector data in a virtual environment | Increased computational requirements | Offers an excellent tool for viewing infrastructure dependencies and interdependencies
assets miles apart due to data errors. The same can be true if infrastructure assets on a map show they are collocated when in reality they are miles apart. Thus, accuracy is critical to GIS interdependency applications. Table 2 provides a list of five common errors made in geospatial data processing, including a description of each error and potential corrections. A sample map of each of the five errors is provided to illustrate its significance. Figure 1 shows a typical error caused by the difference in the number of decimal places used in representing a facility’s absolute location. An accurate absolute location (latitude/longitude) should include four to eight decimal places. Figure 1 shows two different locations for what should be the same site. One shapefile is built by using five decimal places and accurately represents the location of the Advanced Photon Source building at Argonne National Laboratory. Although the other point is supposed to represent the same facility, it is actually located one-half mile southeast of the correct location because the latitude/longitude fields were truncated from five decimal places to two. This type of error is quite common to GIS users because of either manipulation or lack of knowledge in the construction of the database. GIS data inherently contain errors due to the wide range of variables involved in the data collection process. Infrastructure analysts should be knowledgeable about the source of the data they use and about how the data were obtained. A commonly used practice in the creation of geospatial data is the use of geocoding or address matching. This method assigns geographic coordinates to a data table based on nonspatial information, such as addresses or ZIP codes. In the GIS field, this is a quick, primitive, and simple method of designating a geographic point to a data set. 
This method is useful because a user can take a large amount of nonspatial information, for example, a Microsoft Office Excel spreadsheet, and produce a geospatially registered dataset. The GIS tool will quickly assign geographic coordinates (x, y) to a data set based solely on the relationship between the address and the street or reference layer. Rather than placing a feature point directly on the actual facility, the GIS tool will place the feature point on the point of reference, which is, in most cases, a street segment. Thus, the geographic coordinates will always be located on a street adjacent to a facility or site if the reference data is a street layer, rather than on the site of interest. Although this method of site location is adequate for some purposes (e.g. driving directions), it could produce misleading results for infrastructure analysts. For example, Figure 2 displays the Argonne complex and a red star produced by using street-referenced geocoding. The address provided by Argonne is the business office, which is typically used by large facilities. In this case, the business address is beyond the physical parcel boundary of Argonne’s property and does not provide the most accurate location of the facility. A more useful absolute location for an infrastructure analyst would be the centroid of the facility, which is represented in Figure 2 by a green star. Furthermore, since the complex is comprised of many facilities located across several acres, the complex would be better represented by a polygon rather than a point. The yellow lines demonstrate the best way to represent the complex, that is, by outlining the boundaries. This process consumes more time because the boundary of the site needs to be determined, but for positional purposes, it is a superior method for representing location. 
However, geocoding points is easier than creating polygons; while geocoding provides an effective way to initiate the process of representing absolute location, it should not be the final method of site location if user of the data.
TABLE 2 Five Common Errors Made in Spatial Data Processing

Figure | Common Error | Description | Correction
1 | Numerical spatial data decimal places truncated | Original created data contained latitude and longitude values with a higher number of decimal places than the data used in map production. In this example, the original spatial information (latitude/longitude values) contained five decimal places, which were reduced to two. | Use the number of original decimal values derived from the original data collection to obtain the most accurate location of facility.
2 | Exact site location identified with geocoding method | Street addresses are used to locate facility in geocoding. However, this method does not provide accurate site location due to its emphasis on address ranges rather than physical locations. | Use methods such as GPS, which use satellites for coordinate accuracy. Other methods include verification using imagery and Web-based programs.
3 | Outdated imagery used in cartographic production | Outdated imagery is used to represent current geographic features within an area. In this example, a 1999 aerial photograph of the Millennium Park area in Chicago is used. In Figure 3a notice the evidence of construction taking place within the boundary of the site. | Use updated imagery, as shown in Figure 3b in cartographic production. In this imagery produced in 2005, signs of construction are no longer visible. Updated imagery allows for a better representation of the area under analysis.
4 | Incorrect map projection applied to data for display | The incorrect map projection that renders a geographic region into its true shape was applied to the data in Figure 4. Using a projection that was not used in creating the data causes location inaccuracies that can be either severe or more locally distorted, depending on the spatial difference between the projections. | Investigate metadata associated with the dataset to verify and apply correct map projection. The green circle in Figure 4 represents data with correct map projection.
5 | Data digitized at scale not optimal for region of analysis | A 1 : 50,000 scale of digitization was used to create road infrastructure in Fig. 5a. This scale produced inaccurate and distorted results, because the scale of the area being drawn (1 : 5,000, large scale) did not match the scale of digitization (1 : 50,000, small scale). | Match the scale of the area being analyzed with the scale of digitization to produce more accurate and precise results, as shown in Figure 5b.
FIGURE 1 Map example of error from truncating decimal places from five places to two places.
FIGURE 2 Map example of error from geocoding.
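The decimal-place error described for Figure 1 can be caught by auditing a coordinate table before it is mapped. The Python sketch below is an added example, not part of the original chapter: the site names and coordinates are constructed sample values, and the four-decimal threshold is an assumption taken from the text's "four to eight decimal places".

```python
"""Audit stored latitude/longitude strings for lost decimal precision.
All site names and coordinates below are constructed sample values."""
import math
from decimal import Decimal, ROUND_DOWN

EARTH_RADIUS_M = 6_371_000.0
METERS_PER_DEGREE = math.pi * EARTH_RADIUS_M / 180.0
METERS_PER_MILE = 1609.344
MIN_DECIMALS = 4  # assumed threshold: lower bound of "four to eight decimal places"
OCTANTS = ("N", "NE", "E", "SE", "S", "SW", "W", "NW")


def decimal_places(text):
    """Digits after the decimal point, read from the stored string.
    Strings are used because a float silently drops trailing zeros."""
    return max(0, -Decimal(text.strip()).as_tuple().exponent)


def truncate(text, places):
    """Cut a coordinate to `places` decimals toward zero (no rounding),
    which is what a too-narrow numeric field does on export."""
    step = Decimal(1).scaleb(-places)  # 10 ** -places
    return Decimal(text.strip()).quantize(step, rounding=ROUND_DOWN)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def compass_octant(lat1, lon1, lat2, lon2):
    """Initial bearing from point 1 to point 2, reduced to an 8-point compass label."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    y = math.sin(dlmb) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlmb)
    bearing = (math.degrees(math.atan2(y, x)) + 360.0) % 360.0
    return OCTANTS[int((bearing + 22.5) // 45) % 8]


def truncation_shift(lat_text, lon_text, places):
    """Distance (m) and direction a point moves when both fields are truncated."""
    lat0, lon0 = float(lat_text), float(lon_text)
    lat1, lon1 = float(truncate(lat_text, places)), float(truncate(lon_text, places))
    return haversine_m(lat0, lon0, lat1, lon1), compass_octant(lat0, lon0, lat1, lon1)


def worst_case_truncation_m(places, lat_deg):
    """Largest ground error possible when both axes lose everything past `places`."""
    step = 10.0 ** -places
    north = step * METERS_PER_DEGREE
    east = step * METERS_PER_DEGREE * math.cos(math.radians(lat_deg))
    return math.hypot(north, east)


def audit(records):
    """Return (site, decimals, worst_case_m) for every record below MIN_DECIMALS."""
    findings = []
    for site, lat_text, lon_text in records:
        places = min(decimal_places(lat_text), decimal_places(lon_text))
        if places < MIN_DECIMALS:
            worst = worst_case_truncation_m(places, float(lat_text))
            findings.append((site, places, worst))
    return findings


# Constructed records: the same hypothetical site stored at five decimals and
# again after an export that kept only two, plus one four-decimal record.
SAMPLE_RECORDS = [
    ("Site A (survey value)", "41.70360", "-87.98780"),
    ("Site A (exported table)", "41.70", "-87.98"),
    ("Site B", "41.7181", "-87.9790"),
]

if __name__ == "__main__":
    meters, direction = truncation_shift("41.70360", "-87.98780", 2)
    print(f"Truncating to 2 decimals moves the point "
          f"{meters / METERS_PER_MILE:.2f} mi to the {direction}")
    for site, places, worst in audit(SAMPLE_RECORDS):
        print(f"{site}: {places} decimals, worst-case error {worst:.0f} m")
```

With the constructed values, truncation to two decimals moves the point roughly half a mile to the southeast, the same order of error the text reports for Figure 1.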
Figure 3 represents a third pitfall shared by GIS users. Knowledge of the most recent available data is of utmost importance when it comes to visually displaying the location of a facility by using aerial imagery. Figure 3 shows two aerial photographs taken 6 years apart. Figure 3a represents the location from aerial photography taken in 1999, whereas Figure 3b represents the same location taken in 2005. The location is Millennium Park
FIGURE 3 Map example of error from using outdated imagery. [Panels (a) and (b) not reproduced.]
in Chicago, IL, which was completed in 2004. The 1999 imagery does not accurately represent the current land use. Figure 3b, which is from the USGS seamless site, is a more appropriate choice of imagery for GIS purposes. This imagery allows for a more accurate site portrayal that will aid in a higher quality GIS analysis and cartographic production.
FIGURE 4 Map example of error from incorrect map projection usage.
As previously discussed, differing map projections can lead to geospatial data errors. Figure 4 shows the same point represented by three different projections: the North American Datum 1983 projection, the Illinois State Plane Projection, and the Universal Transverse Mercator 15 Projection. If the projections are not converted to a common map projection, the same point and address place the point in Illinois, Iowa, and Canada. In this case, the inaccuracy results in a point hundreds of miles away, due to map projection error. As illustrated, differing projections, if not corrected, can lead to errors in facility identification and GIS analysis.

Figure 5 represents the final common error term—differing data scales. Figure 5a shows imagery at a 1 : 24,000 scale; the streets (represented in red) were digitized at a higher scale (1 : 500,000). The result is that the red lines do not correctly match the actual road locations. The red lines are coarse and do not capture all the curves in the road; and they are not continuous. Figure 5b shows imagery at a 1 : 24,000 scale; the streets (represented in yellow) were digitized at the same scale. The result is accurately placed and continuous lines. Thus, it is important to use consistently scaled data for the level of analysis being conducted.
FIGURE 5 Map example of error from using differing levels of scale.

4 METADATA GAPS

A major issue in GIS data consideration is the lack or incompleteness of metadata. The term “metadata record” is defined by the Federal Geographic Data Committee (FGDC) as “a file of information, usually presented as an XML document, which captures the basic characteristics of a data or information resource [10].” The FGDC has developed a set of standards and guidelines for metadata, but these tools are often neglected during the production of GIS data. The objective of these standards is to provide users with a general set of terms and definitions for the documentation of digital geospatial data [10]. They were developed to be used by all levels of government and the private sector.

Data containing proper FGDC metadata are more legitimate in infrastructure interdependencies analyses than data that contain limited or no metadata at all, but having access to FGDC metadata does not guarantee that infrastructure GIS analysis is going to be of high quality. All GIS data have some type of error. The goal of the GIS or infrastructure analyst should be to use data with minimal room for error and maximal accuracy. Available metadata give users the ability to assess data based on essential information such as source, date, resolution, and method of collection. Properly created metadata guide the analysts in choosing data that will produce quality results and, in turn, could lead to more effective decision making. Missing metadata may include the following:
• unknown organization/source/author of data;
• unknown method of data collection;
• unknown scale of data creation;
• unknown date of production;
• unknown projection and geospatial extent of data;
• unknown supporting data or web sites affiliated with data;
• unknown copyright and distribution restrictions;
• absence of definitions describing attribute table associated with data;
• unknown data classification; or
• unknown contact information for questions pertaining to data.
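The checklist above can be run against an FGDC-style XML metadata record before a dataset is accepted for analysis. The following Python is an added example, not code from the handbook or from the FGDC: the mapping from each checklist item to FGDC (CSDGM) short element names is this example's own reading (the item "projection and geospatial extent" is split into two checks), and the sample record is constructed.

```python
import xml.etree.ElementTree as ET

# Checklist item -> CSDGM element paths relative to <metadata>.
# An item counts as documented if any listed path holds a real value.
# This mapping is an assumption of the example, not an FGDC rule.
CHECKS = {
    "organization/source/author": ["idinfo/citation/citeinfo/origin"],
    "method of data collection": ["dataqual/lineage/procstep/procdesc"],
    "scale of data creation": ["dataqual/lineage/srcinfo/srcscale"],
    "date of production": ["idinfo/citation/citeinfo/pubdate"],
    "projection": ["spref/horizsys"],
    "geospatial extent": ["idinfo/spdom/bounding"],
    "supporting data or web sites": ["idinfo/citation/citeinfo/onlink",
                                     "idinfo/crossref"],
    "copyright and distribution restrictions": ["idinfo/accconst",
                                                "idinfo/useconst",
                                                "distinfo/distliab"],
    "attribute definitions": ["eainfo/detailed/attr/attrdef",
                              "eainfo/overview/eaover"],
    "data classification": ["idinfo/secinfo/secclass"],
    "contact information": ["metainfo/metc/cntinfo",
                            "idinfo/ptcontac/cntinfo"],
}

# Values that occupy an element without documenting anything.
PLACEHOLDERS = {"unknown"}

# Constructed sample record: scale is "Unknown", contact is blank, and the
# projection, attribute, related-link and classification sections are absent.
SAMPLE_XML = """
<metadata>
  <idinfo>
    <citation><citeinfo>
      <origin>Example County GIS Office</origin>
      <pubdate>20060115</pubdate>
      <title>Electric substations (constructed sample)</title>
    </citeinfo></citation>
    <spdom><bounding>
      <westbc>-88.30</westbc><eastbc>-87.50</eastbc>
      <northbc>42.20</northbc><southbc>41.60</southbc>
    </bounding></spdom>
    <useconst>Internal use only</useconst>
  </idinfo>
  <dataqual><lineage>
    <srcinfo><srcscale>Unknown</srcscale></srcinfo>
    <procstep>
      <procdesc>Street addresses geocoded</procdesc>
      <procdate>20051201</procdate>
    </procstep>
  </lineage></dataqual>
  <metainfo><metc><cntinfo><cntvoice>   </cntvoice></cntinfo></metc></metainfo>
</metadata>
"""


def _has_value(elem):
    """True if the element or any descendant holds non-placeholder text."""
    for text in elem.itertext():
        text = text.strip()
        if text and text.lower() not in PLACEHOLDERS:
            return True
    return False


def missing_metadata(xml_text):
    """Return the checklist items that the record leaves undocumented."""
    # Vendor-supplied metadata is untrusted input: refuse DTD and entity
    # declarations so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text.strip())
    missing = []
    for item, paths in CHECKS.items():
        documented = any(_has_value(elem)
                         for path in paths
                         for elem in root.findall(path))
        if not documented:
            missing.append(item)
    return missing


if __name__ == "__main__":
    for item in missing_metadata(SAMPLE_XML):
        print("missing:", item)
```

An element that is present but empty, or filled with "Unknown", is reported as missing, which is the case a presence-only check would let through.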
Other metadata initiatives have been developed by the USGS, ESRI, National Oceanic & Atmospheric Administration, US Department of Agriculture Forest Service North Central Research Station, and countless other agencies [10]. Two of the more common tools used for creating metadata are ESRI’s ArcCatalog and Tkme, or Tk metadata editor [11]. ESRI’s ArcCatalog is a commercial data management tool that performs a number of functions, one of which is the creation and editing of metadata [10]. Although ArcCatalog is a highly useful and effective tool in metadata creation and editing, it is not free software. However, most of the software is available at no cost, and one such tool is Tkme. This common, user-friendly tool is used to create metadata in a Windows-based environment and follows the guidelines set forth by the FGDC [11]. Numerous metadata tools are available to GIS users, and the choice of the tool depends on available resources, as well as on the nature of the data and the purpose of the project.

The essential objective of metadata is to provide GIS users with information that legitimizes the quality of the data being used and assures users that their data are sound. The use and creation of metadata are imperative to GIS data management, but the failure to create metadata and its misuse have resulted in data inaccuracies. Thus, interdependency analysts should convey their need for proper metadata to geospatial vendors and give preference to those geospatial datasets with complete metadata.
5 NEXT STEPS

Three recommendations are offered to increase the usefulness and accuracy of geospatial and nonspatial data to interdependency analysis: data investment, data documentation, and data validation.

Continued investments in geospatial and nonspatial data by both public and private stakeholders are needed to alleviate data gaps. Some infrastructure layers such as roadways have sizable investments, regular updates, and high levels of accessibility. Other infrastructure layers, such as agriculture, energy, and telecommunications, lack investment and data stewardship. Data investments lead to more accurate and updated geospatial data. As the geospatial features of the world change rapidly because of population growth, advancements in technology, and evolving political and cultural boundaries, the geospatial data attributed with these features must also change rapidly. Proper data investment ensures reliable, up-to-date data that create optimal standardization and awareness when distributed to the proper agencies.

Data documentation helps to inform the user of data limitations. The absence of GIS metadata creates risks that could influence decision makers in making poor choices that depend on potentially inaccurate data [12]. Analysts may use inaccurate data if they misunderstand the data limitations. Data uncertainty leads to erroneous assumptions that data are correct. Key documentation factors, such as data collection methods, date of creation, and attribute definitions, are crucial to the usage and accuracy of the data. For example, knowledge of the type of data collection used provides insights into the potential accuracy of the data. If a GPS receiver has been used in the data collection process, the user can expect a high degree of data accuracy because the data were collected by using highly accurate satellite systems. However, if the method of data collection has been geocoding, the user can expect a greater variance in the range of errors. The lack of proper data documentation erodes users’ confidence in the data implemented in their research. Data documentation includes widespread adoption of metadata standards. All data providers, public and private, should be required to include appropriate metadata. Geospatial data users, in particular, should require GIS data vendors to provide sufficient documentation. A strong front by GIS users will send a message to vendors that documentation is mandatory to conducting business. When no documentation or only limited documentation exists, users cannot be sure of the completeness and accuracy of their data.

Data validation involves understanding common errors, identifying them, and fixing them. Data validation may require a great deal of time and significant cost; it may also require manipulating the data to fix errors. When sufficient metadata are not available, users can take several steps to better understand the quality of the data they are using and to validate these data. These steps include the following actions:
• overlay high-resolution imagery to verify that geospatial data match the accessible imagery. Public software is available from web sites such as Google Earth;
• use Web-based GIS applications that display land/parcel information to verify geospatial data. City and county web sites may provide such information;
• use GPS equipment to verify specific site locations. Low-cost GPS units are available for less than $500;
• verify sample data by visits or phone calls to facility owners;
• overlay duplicate geospatial data layers and analyze differences when duplicate sources are available; and
• geocode addresses and compare the addresses to provided geospatial data. Most GIS software includes user-friendly geocoding capabilities for nontechnical GIS users.
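Two of the checks discussed in this article lend themselves to automation: comparing a provided layer against GPS-verified or duplicate coordinates, and spotting coordinates delivered with too few decimal places (the five-to-two truncation pitfall). The following Python is an added example, not code from the handbook; the facility IDs, coordinates, and the 30 m tolerance are constructed assumptions.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
M_PER_DEG = math.pi * EARTH_RADIUS_M / 180.0  # about 111,195 m per degree of latitude

# Constructed sample: coordinates as delivered by a vendor, kept as strings so
# the number of decimal places actually supplied is not lost.
PROVIDED = {
    "A": ("41.88", "-87.62"),        # truncated to two decimal places
    "B": ("41.85010", "-87.65000"),  # full precision, small offset
    "C": ("41.90", "-87.70"),        # happens to match, but only two decimals
    "D": ("41.70123", "-87.60456"),  # no reference point available
}
# Constructed sample: GPS-verified reference positions (lat, lon) in degrees.
REFERENCE = {
    "A": (41.88264, -87.62255),
    "B": (41.85003, -87.65005),
    "C": (41.90002, -87.70001),
}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def decimal_places(text):
    """Number of digits after the decimal point in a coordinate string."""
    _, _, frac = text.strip().partition(".")
    return len(frac)


def truncation_bound_m(places, lat_deg):
    """Worst-case displacement if both axes were truncated to `places` decimals."""
    step = 10.0 ** -places
    north = step * M_PER_DEG
    east = step * M_PER_DEG * math.cos(math.radians(lat_deg))
    return math.hypot(north, east)


def validate_layer(provided, reference, tolerance_m=30.0):
    """Flag records that disagree with the reference or are too coarse to trust."""
    report = {}
    for fid, (lat_s, lon_s) in provided.items():
        lat, lon = float(lat_s), float(lon_s)
        flags, offset = [], None
        if fid in reference:
            offset = haversine_m(lat, lon, *reference[fid])
            if offset > tolerance_m:
                flags.append("offset")
        else:
            flags.append("unverified")
        # Precision is judged independently of the offset: a coarse value can
        # match the reference by chance and still hide a large uncertainty.
        places = min(decimal_places(lat_s), decimal_places(lon_s))
        if truncation_bound_m(places, lat) > tolerance_m:
            flags.append("low_precision")
        report[fid] = {"offset_m": offset, "flags": flags}
    return report


if __name__ == "__main__":
    for fid, row in validate_layer(PROVIDED, REFERENCE).items():
        print(fid, row)
```

At the latitude of Chicago, two decimal places leave a worst-case uncertainty of well over a kilometre, while five decimal places keep it under two metres.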
GIS tools (stand-alone, shared, Web-based, open source, 3D visualization, aerial imagery, and aerial flyover) provide infrastructure analysts with tremendous capabilities for interdependencies analyses. As discussed in this article, data investment, documentation, and validation are crucial to the quality of geospatial and nonspatial data. A high level of data fidelity is required to support the GIS and visualization tools needed for analyzing infrastructure interdependencies. Improvements in data investment, documentation, and validation will increase the value of GIS and visualization tools to infrastructure interdependencies analyses.

Several GIS forums continue to support data development and maintenance. An example of such a forum is the Homeland Infrastructure Foundation-Level Data Working Group. This group is “a coalition of federal, state, and local government organizations, federally funded research and development centers (FFRDC), and supporting private industry partners who are involved with geospatial issues related to Homeland Security (HLS), Homeland Defense (HD), Civil Support (CS), and Emergency Preparedness and Response (EP&R)” [13]. This working group meets on a bimonthly basis and has a primary focus on geospatial information and its standards and presentation, as well as its accuracy. Such working groups promote a better understanding of data development and maintenance. They also create data uniformity among government agencies due to extensive collaboration, data sharing, and cooperative agreements on how to more accurately create and standardize data. Other GIS forums include vendor-specific, industry-specific, and state-level GIS forums. These forums are useful to all users of GIS tools and geospatial data.

REFERENCES

1. Burrough, P. A., and McDonnell, R. A. (1998). Principles of Geographical Information Systems, Oxford University Press, Oxford, p. 333.
2. ArcGIS 3D Analyst. Dec. 13 2006. Accessed Feb. 2 (2007). http://www.esri.com/software/arcgis/extensions/3danalyst/index.html.
3. U.S. Department of Energy. (2004). Data Subgroup Recommendations for Improving Energy Emergency Visualization Capabilities, April 2004.
4. Goodchild, M. (1989). Modeling error in objects and fields. In Accuracy of Spatial Databases, M. Goodchild, and S. Gopal, Eds. Taylor and Francis, London, pp. 107–113.
5. Clarke, K. C. (2001). Getting Started with Geographic Information Systems, Santa Prentice Hall, Santa Barbara, CA.
6. Heuvelink, G. B. M., and Lemmens, M. J. P. M. (2000). Proceedings of the 4th International Symposium Spatial Accuracy Assessment in Natural Resources and Environmental Sciences, University Press, Delft, Netherlands, p. 772.
7. Morrison, J. L. (1995). Spatial data quality. In Elements of Spatial Data Quality. International Cartographic Association, S. C. Guptill, and J. L. Morrison, Eds. Elsevier Science, Tokyo.
8. Jakobsson, A., and Vauglin, F. (2001). Status of data quality in European national mapping agencies. Proceeding of the 20th International Cartographic Conference, Beijing, Vol. 4, pp. 2875–2883.
9. Siska, P. P., and Hung, I. K. (2000). Data quality on applied spatial analysis. In Papers and Proceedings of the Applied Geography Conferences, F. A. Schoolmaster, Ed. Kent State University, Ohio, Vol. 23, pp 199–205.
10. FGDC.gov. 7 Nov. 2006. Federal Geographic Data Committee. 29 Dec (2006). http://www.fgdc.gov/metadata.
11. USGS.gov. 29 Aug 2006. United States Geological Survey. 29 Dec. (2006). http://geology.usgs.gov/tools/metadata.
12. Van Oort, P. A. J., and Bregt, A. K. (2005). Do users ignore spatial data quality? A decision-theoretic perspective. Risk Anal. 25(6), 1599–1609.
13. HIFLDWG.org. Homeland Infrastructure Foundation-Level Data Working Group. 16 Jan. 2007.
THE MILITARY ROOTS OF CRITICAL INFRASTRUCTURE ANALYSIS AND ATTACK

Steven M. Rinaldi
Sandia National Laboratories, Albuquerque, New Mexico
1 INTRODUCTION

Critical infrastructures underpin the political, military, economic, and social fabrics of societies. In recent years, it has become widely recognized that infrastructure disruptions could disproportionately affect the normal functioning of a nation. Disruptions from natural disasters, major strikes, attacks, and other mechanisms have amply demonstrated that critical infrastructures are highly interdependent, complex adaptive systems. Of import is the intricate, highly interdependent character of today’s infrastructures. A disruption in one infrastructure, such as the electric power grid, can spread to other infrastructures such as communications networks and the Internet, thereby creating cascading disturbances and magnifying the effects far beyond those of the original disruption [1].

Since the mid-1990s, the US government has placed increasing emphasis on protecting the nation’s critical infrastructures and associated key resources as matters of national and economic security. In 1996, President William J. Clinton issued Executive Order 13010, Critical Infrastructure Protection [2].¹ This order recognized that “(c)ertain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.” The order directed the establishment of the President’s Commission on Critical Infrastructure Protection (PCCIP), with the mission of examining vulnerabilities of and threats to critical infrastructures, determining legal and policy issues associated with protecting critical infrastructures, recommending a comprehensive national policy and implementation strategy to protect critical infrastructures, and proposing statutory or regulatory changes required to enable its recommendations. The PCCIP submitted its report [3] to the President in October 1997. In particular, the PCCIP stated that infrastructures are interdependent, that the destruction of key nodes and linkages in one infrastructure could ripple over and affect other infrastructures, and that coordinated attacks upon critical infrastructures could severely impact national and economic security [4].

¹ Executive Order 13010, Critical Infrastructure Protection, The White House, 15 July 1996. This executive order recognized eight critical infrastructures: telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government. Today, the Department of Homeland Security recognizes 17 critical infrastructures and key resources (agriculture, food, defense industrial base, energy, public health and healthcare, national monuments and icons, banking and finance, drinking water and water treatment systems, chemical facilities, commercial facilities, dams, emergency services, commercial nuclear reactors, information technology, telecommunications, postal and shipping, transportation systems, and government facilities).
Yet the understanding that the destruction of certain key nodes and linkages could disproportionately affect national and economic security is not new. In fact, the roots of this insight can be traced to the early 1900s. As early as 1911, the French Lieutenant Poutrin wrote in the Revue Générale de l’Aéronautique Militaire that German aerial attacks on key ministries, transportation networks, and communication centers in Paris would shut down essential public services, thereby preventing France from mobilizing [5]. During World War I, British, French, and American air planners clearly recognized that attacks upon certain sectors of the German war industry could disrupt the manufacture and flow of war materiel to the Front, thereby affecting the ability of the German military to operate. American air warfare doctrine developed in the 1920s and 1930s by the Air Corps Tactical School (ACTS) significantly extended this line of thinking with the development of the “industrial web” theory of economic attack. This doctrine was put to test in World War II in the Allied bomber offensives against the Axis powers. Fifty years later, the air war waged against Iraq during Operation Desert Storm demonstrated refinements of the theory and the understanding and employment of critical infrastructure attack. Subsequent detailed academic studies of critical infrastructures and their interdependencies at the US Air Force’s Air University in the 1990s indicate the emphasis placed by that Service on infrastructure attack to obtain specific strategic and operational effects and objectives.

This article traces the development of the theory and application of infrastructure attack in the 1900s. By and large, this development has occurred in air forces. Freed of the necessity to penetrate opposing surface forces, airmen realized early on that aircraft could range far beyond the terrestrial, tactical battle lines and directly attack strategic targets, including critical infrastructure. The objective of war was no longer engaging and destroying the enemy surface forces; rather, the air forces had an independent strategic mission of carrying the war to the enemy nation itself.

The ability of airmen to identify, target, attack, and destroy key nodes and linkages is largely a story of the complex interplay of military doctrine and theory, wartime experience, and technological advancement. Initially, the ability to attack key nodes and linkages was limited by crude bombsights and small, dumb bombs. Operational considerations, such as the inability to bomb in adverse weather, decreased nighttime bombing precision, and primitive navigation capabilities, severely hampered and limited the effectiveness of counter-infrastructure operations in World War I. These issues were overcome by the end of the century with precision-guided weapons and all-weather, day–night attack capabilities. Furthermore, engineering and mathematical advancements, such as modeling, simulation, and analysis of critical infrastructures and operations research, enabled planners to better identify key nodes and linkages, all while driving the need for precision intelligence on adversary systems.

The sections below do not examine nuclear targeting doctrine and issues. Further, the analysis will focus predominantly on the development of American theory and doctrine of critical infrastructure attack.
2 INITIAL DEVELOPMENTS: WORLD WAR I

With the advent of military aviation in the first decades of the 1900s, nations at war had the ability to directly attack targets throughout their adversaries’ homelands. World War I saw the first major operational analysis and application of this capability. Although the initial application of airpower during World War I was primarily limited to tactical reconnaissance for the land forces, by the end of the conflict, strategic bombardment and targeting theories were coming into being.

British, French, and American airmen believed that airpower could be employed against both moral and material objectives. With respect to moral objectives, the British Admiralty theorized that bombing targets in Germany would force the recall of German aircraft from the front to defend the homeland. Further, the Admiralty hoped that bombardment would undermine the will of the German populace, and “optimistically attributed” an immense moral effect to every bomb that fell on Germany [6]. For General Hugh M. Trenchard, the first Chief of Staff of the British Air Ministry, the moral effect of bombing was critical. In a 26 November 1917 memo to the War Cabinet, he noted that bombardment had both a direct (material) and indirect (moral) effect:

That purpose is to weaken the power of the enemy both directly and indirectly—directly by interrupting his production, transport and organization through infliction of damage to his industrial, railway and military centres, and by compelling him to draw back his fighting machines to deal with the menace—indirectly by producing discontent and alarm amongst the industrial population. In other words, it aims at achieving both a material and a moral effect [7].
The French had a different view of the moral effect of bombardment. Official policy held that the French would bomb German towns as reprisals for German bombardment of French towns. In one specific case of a reprisal, the French raided Freiberg on 14 April 1917 in retaliation for German submarine attacks on the hospital ships Asturias and Gloucester Castle the previous month. Interestingly, the French dropped leaflets upon Freiberg explaining the purpose of the raid [8].

With respect to the material effects of bombardment, the three allied nations sought to disrupt the ability of the German war industries to supply that nation’s military forces. The British and French target sets can roughly be categorized as economic/industrial, infrastructural, and military:

• Economic/industrial. These targets would be termed the defense industrial base in today’s parlance. They included iron and steel works, blast furnaces, gasworks, chemical works, benzene stores, and munitions factories. At the most fundamental level, these targets represent two primary commodities supporting the military—iron and explosives [9].
• Infrastructural. The primary targets in this set were rail assets, including rail yards, stations, lines, and rolling stock. These targets affected not only the ability of the German economy to produce war materiel but also that nation’s ability to move finished goods to the front. In the last year of the war, the British also attacked at least three German electrical power grid targets [10].²
• Military. Targets included not only the lines of communication to the front but also aerodromes, fielded forces, and the German naval bases along the Belgian coast.

² The appendix of this source provides a detailed listing of raids by the British long-range bombing units (41st Wing, Eighth Brigade, Independent Forces) from 17 October 1917 to 11 November 1918. Information includes raid dates, target locations and descriptions, and bomb loads dropped. The target descriptions provide excellent insight into the types of targets considered important to crippling the German war industry.

Beyond reprisals, the French developed bombardment plans that solely focused upon material objectives, primarily the factories and stations of the Saar Valley [11]. The French aimed at isolating the raw material producing regions, particularly iron ore, from the German factories. In a detailed analysis in January 1918, French planners determined that the Germans had altered rail traffic patterns for two primary reasons: “(1) to strip the area without using and consequently without burdening the main arteries of supply to the front and (2) to use the shortest possible route, in view of the shortage of rolling stock (locomotives and wagons), and in order to economize pit coal” [12]. The analysts concluded that attacking only four rail targets would isolate the iron ore regions, a significant aid to French operational planning.

American thinking was similar. A key goal of the US Air Service was to develop a bomber force capable of striking strategic targets in Germany. Targeting efforts concentrated on determining those assets without which Germany could not carry on its war effort [13]. Then-Major William “Billy” Mitchell believed that aviation could be divided into two types: tactical (observation for friendly artillery fire and control) and strategic (attacks on enemy materiel of all types behind the lines). He believed that the strategic attacks, if properly applied, would have the greatest effect upon the war effort [14].³ Major Frank Parker, the US Liaison Officer to the French General Headquarters, reported to the US Board of Officers in July 1917 that the Air Service had a strategic function, acting independently of the ground forces to attack sources supplying the German military. This function included a military component (destroying aircraft, air depots, and the defensive air organization) and an economic component (destroying enemy depots, factories, lines of communications, and personnel) [15]. Major Edgar S. Gorrell, Chief of the Technical Section, Air Service, American Expeditionary Forces, developed a bombardment plan for the Air Service, dated 28 November 1917 [16].
He noted,

The object of strategical bombing is to drop aerial bombs upon the commercial centers and the lines of communications in such quantities as will wreck the points aimed at and cut off the necessary supplies without which the armies in the field cannot exist. . . When we come to analyze the targets, we find that there are a few certain indispensable targets without which Germany cannot carry on the war.
Gorrell stated that a few “specific, well-known factories” were crucial to the manufacture of munitions. He noted that the destruction of the Mercedes engine and Bosch magneto plants in Stuttgart would cause the output of aircraft to drop in proportion to the damage done. He also called out rail, ammunition, and steel works for attack in the plan.

Following the end of the war, British and American intelligence services assessed the effects of bombardment from German records and interviews [17]. The Germans kept detailed records of the raids, including the resultant physical damages and estimates of their costs. Allied aircrew reports after raids were generally optimistic and overstated. One survey, which entailed extensive interviews with German plant directors, noted that the directors did not consider the bombardments effective, having created insignificant material damage and not affecting the war outcome. The effects of bombing munitions and chemical works did not meet the British expectations. The attacks upon the rail system were more of an annoyance, without ever producing a long-term isolation of rail stations or major dislocation of traffic.

³ Memorandum for the Chief of Staff, US Expeditionary Forces, from Major Wm Mitchell, Aviation Section, Signal Corps.
A number of factors, driven in large part by the state of technology, contributed to the limited strategic results of bombardment. These factors included the following:

• limited bomb loads per aircraft;
• the generally small sizes of the bombs (anything under 112 pounds was ineffective, according to Germans interviewed after the war);
• failures of the bombs to detonate (e.g. 25% of the bombs dropped on the Saarbrücken region did not explode);
• poor radial blast effects of the bombs;
• limited combat radius of the aircraft;
• open cockpits, which exposed the pilots to environmental conditions;
• primitive bombsights and the inability to bomb accurately, particularly during night raids;
• navigation difficulties, particularly at night;
• mechanical difficulties and maintenance issues with the aircraft; and
• inexperienced and insufficiently trained aircrews [18].
Nevertheless, the stage had been set for strategic bombardment of the sources of war materiel, including supporting critical infrastructures such as transportation networks. Air planners clearly recognized the importance of attacking the adversary’s defense industrial base. And, importantly, the first steps were taken toward analyzing that industry to determine chokepoints, bottlenecks, and key nodes for attack.
3 THE INTERWAR YEARS: THEORY AND DOCTRINE

The interwar period saw an intensive development of strategic bombardment theory and doctrine. Two early pioneers of airpower theory and vocal advocates for independent air forces with decisive strategic missions were the Italian General Giulio Douhet and the American Brigadier General William Mitchell. Both officers wrote extensively following World War I, arguing for independent air forces with their own respective strategic missions. Each discussed strategic target sets for bombardment, given that aircraft could fly over armies and navies and directly attack the interiors of adversarial nations.

Douhet argued that obtaining “command of the air”—essentially air supremacy—was a prerequisite and vital to victory. Once an air force had command of the air, it was free to range over the adversary and attack military, economic, and civil targets as well as the population itself at will:

To have command of the air means to be in a position to wield offensive power so great it defies human imagination. It means to be able to cut an enemy’s army and navy off from their bases of operation and nullify their chances of winning the war. It means complete protection of one’s own country, the efficient operation of one’s army and navy, and peace of mind to live and work in safety. In short, it means to be in a position to win. To be defeated in the air, on the other hand, is finally to be defeated and to be at the mercy of the enemy, with no chance at all of defending oneself, compelled to accept whatever terms he sees fit to dictate [19].
Douhet believed that the moral and material effects of bombardment would be tremendous, once command of the air was established. Receiving a relentless “pounding from the air”, a nation’s social structure would break down. The populace would rise up and demand an end to war, potentially even before the army and navy could mobilize [20]. Douhet clearly saw military utility in attacking critical infrastructure, both for its material and moral value. He wrote, In general, aerial offensives will be directed against such targets as peacetime industrial and commercial establishments; important buildings, private and public; transportation arteries and centers; and certain designated areas of civilian population as well. To destroy these targets three kinds of bombs are needed—explosive, incendiary, and poison gas—apportioned as the situation may require. The explosives will demolish the target, the incendiaries set fire to it, and the poison-gas bombs prevent fire fighters from extinguishing the fires [21].
Targeting civil infrastructure would spread confusion and panic among the populace. Douhet called for the rapid and complete destruction of rail, communications (including telegraph, telephone and radio), banks, public services, and government targets [22]. To hamper the ability of the army to mobilize, the air force should attack “railroad junctions and depots, population centers at road junctions, military depots, and other vital objectives”. Naval operations would be degraded by “bombing naval bases, arsenals, oil stores, battleships at anchor, and mercantile ports” [23]. To Douhet, critical infrastructure was tightly intertwined with the ability of a nation to mobilize for and prosecute a war, and airpower provided the means to directly attack it. Nonetheless, Douhet recognized that determining the specific targets to attack was not an easy task. He noted, The choice of enemy targets, as I have already pointed out, is the most delicate operation of aerial warfare, especially when both sides are armed with Independent Air Forces. . . . The truth of the matter is that no hard and fast rules can be laid down on this aspect of aerial warfare. It is impossible even to outline general standards, because the choice of enemy targets will depend upon a number of circumstances, material, moral, and psychological, the importance of which, though real, is not easily estimated [24].
To Douhet, the selection of enemy targets would show the true abilities of the future air commanders. From his experience in World War I, Mitchell was convinced that an air force should have an independent mission that would carry the war directly to the heartland of the enemy [25]. In his 1925 book Winged Defense, he argued that airpower should destroy the ability and will of the adversary to make war: To gain a lasting victory in war, the hostile nation’s power to make war must be destroyed—this means the manufactories, the means of communication, the food products, even the farms, the fuel and oil and the places where people live and carry on their daily lives. Not only must these things be rendered incapable of supplying armed forces but the people’s desire to renew the combat at a later date must be discouraged [26].
Sites manufacturing war material would be particularly inviting targets, as they took “months” to build and “if destroyed, cannot be replaced in the usual length of a modern war” [27]. While acknowledging that air forces would attack centers of production, he
did not believe that they should target the personnel per se. However, bombing could so terrorize a population that “the mere threat of bombing a town by an air force will cause it to be evacuated, and all work in munitions and supply factories to be stopped.” In short, Mitchell proposed that war industries—and supporting systems such as the food and rail infrastructures—could be shut down by direct bombardment as well as worker absenteeism due to the threat of attack [28]. In contrast to Douhet, Mitchell almost always came out against directly attacking civilians, preferring to break the morale of the adversary indirectly by destruction of its vital centers [29]. Mitchell argued against the traditional view that destroying the enemy military forces constituted the main objective of war. “Vital centers” within the adversary nation were the true objective of a conflict: The advent of air power which can go to the vital centers and entirely neutralize or destroy them has put a completely new complexion on the old system of war. It is now realized that the hostile main army in the field is a false objective and the real objectives are the vital centers. The old theory that victory meant the destruction of the hostile main army, is untenable. Armies themselves can be disregarded by air power if a rapid strike is made against the opposing centers [30].
Mitchell believed that with airpower, it was no longer necessary to destroy an enemy’s army in order to render the enemy incapable of waging war and induce him to sue for peace. Rather, by eliminating a nation’s ability to manufacture and supply its forces with materiel, the nation would be unable to sustain a war—particularly a protracted conflict. Mitchell’s views would strongly influence the next generation of air strategists and planners at the US Army’s ACTS. Economic attack and the concomitant destruction of critical infrastructures rose to an entirely new level at ACTS in the 1930s. Established as the Air Service Tactical School at Langley Field, VA, in November 1922, the school originally covered the tactics and techniques of the Air Service and other branches of the army and navy. In 1926, the school was renamed the Air Corps Tactical School. During the summer of 1931, the school relocated to Maxwell Field, AL, where it became the center of development of American airpower doctrine [31]. The doctrine of economic attack, along with a detailed methodology for target selection, developed at ACTS in the 1920s and 1930s. The fundamental precept of economic attack was that modern nations relied upon their economic and industrial systems for military weapons and supplies as well as the products and services required by a highly industrialized society. Destruction or paralysis of the economic and industrial systems would lead to a collapse of the enemy’s military capability to fight and its social and political will to resist [32]. The 1926 ACTS text Employment of Combined Air Force argued that airpower could strike directly at vital centers in an enemy nation, thereby avoiding exhaustive wars of attrition and obtaining military victory at the minimum cost. If the enemy morale could not be destroyed, at least the enemy’s military strength could be. 
The most suitable objectives for this purpose were the hostile air force; troops, supplies, and lines of communications in the combat zone; and industrial and transportation centers in the interior zone of the adversary [33]. By 1933, bombardment was firmly established as the primary means of employment of airpower at ACTS. At this juncture, however, suitable surface targets were still vaguely designated. Instructor Major Donald Wilson undertook a more detailed approach to target
selection. Targets should be selected such that they would disrupt the adversary’s entire economic fabric (supporting both the military and civilian sectors), thereby affecting normal civilian life to the point where faith in the military was lost and public outrage would force the government to sue for peace. The key was to locate those targets whose destruction could unravel this fabric—in other words, those key nodes or links that were vital to the functioning of the economy. That such targets existed was not doubted by the instructors: a prime example was a highly specialized spring used in controlled-pitch propellers. The spring was manufactured by only one firm, whose destruction would have meant the loss of the majority of production of aircraft in the United States. Determination and selection of such targets became central to ACTS theory [12]. During the period 1934–1940, the ACTS faculty refined its theory of economic warfare and target selection, known as the industrial web theory. As they were strictly forbidden to analyze foreign nations, the faculty surveyed American industry to locate those bottlenecks or nodes that would cause the destruction of the social, economic, political, and military fabric—or web—of a modern nation [34]. The 1934–1935 ACTS lecture Air Force Objectives stated that the ultimate objective in warfare was the destruction of national courage or morale [35]. Although the military arms of the nation might lose morale, the lecture noted that “loss of morale in the civil population is decisive. . .Morale is the pivotal factor. Its disintegration is the ultimate objective of all war.” The resources to wage war were locked up in social, economic, political, and military spheres of a nation, so that pressure against these systems would lead to the destruction of morale and the defeat of the nation. 
Furthermore, the lecture noted that these spheres obtained an absolute interdependence during war, so disturbances in one sphere would affect all others. Those elements of an economy that supported the production of military goods were intricately intertwined with those elements supporting civilian life; pressure on one would affect the other. The lecture then laid out in detail target sets in each of the spheres. The course provided a sophisticated analysis of the target sets including the interdependencies among them.
• The social sphere. Noting that “(t)he object here is the dislocation of normal life to the extent that the people are willing to surrender in the hope that they can at least regain a normal mode of living,” the lecture discussed attacks against:
  ◦ food supplies (which in turn relied upon lines of communication, transportation, and storage);
  ◦ public utilities, including water-supply systems (linked to sanitation, public health, and firefighting), electric power (linked to modern conveniences and electric transportation modes), illuminating gas, and gasoline refining (linked to transportation); and
  ◦ industry and transportation, which in turn would affect finances through loss of income, increase psychological pressure through worker idleness, and disrupt lines of communications.
• The economic sphere. The lecture stated that modern warfare placed an enormous load on an economy, which if it were to break down would “seriously influence the conduct of war by that nation, and greatly interfere with the social welfare of its nationals”. The lecture examined in detail six primary target sets:
  ◦ bottlenecks of specific commodities that entered into the production of many goods;
  ◦ energy, including electricity (linked to manufacturing) [36], petroleum (linked to civil and military transportation and lubricants needed by industry), and coal (required for steel production and electric power generation);
  ◦ raw materials, such as food, steel, fuel, nitrates, sulfuric acid, rubber, nonferrous metals, and cotton;
  ◦ transportation, including rail, highways, and inland waterways;
  ◦ manufacturing facilities; and
  ◦ financial systems underpinning the economy.
• The political sphere. The lecture described government departments as the nervous system of the adversary, which if attacked would add confusion to the war effort. The lecture called for balance in attacking this sphere, as the political establishment would need to sense and react to the sentiments of the population.
• The military sphere. The lecture considered bombing military targets as strategically defensive, other than direct attacks against enemy airpower. Attacks against armies should be designed to prevent mobilization or strategic concentration; naval objectives included aircraft carriers, battleships, naval bases, docks, dry docks, shops, naval stores, and fuel oil reserves.
Other lectures that year amplified the themes of paralyzing the interdependent economic structures of a nation.4 Bottlenecks received particular emphasis; the instructors sought those points that could unravel multiple sectors supporting both the war effort and civilian society. One lecture on the principles of war as applied to airpower postulated that the results of bombardment were sufficiently permanent that they would accumulate. It stressed that missions should have sufficient rapidity that the enemy could not repair and recover between attacks. Finally, and critically, the theory assumed that during a war, an economy would be stressed to its maximum point as it supported both civil and military needs. Without slack, the economy would be highly vulnerable to attack.
Although the destruction of morale was considered crucial, the faculty was opposed to direct attacks on civilians [37]. This presented a problem in that population centers frequently held industrial concentrations. The faculty believed that if certain systems supporting civil society were destroyed, then the cities would be rendered untenable and have to be evacuated. This could force the unraveling of the social sphere and morale of the nation, without the need to directly attack civilians. To this end, a 1939 lecture provided a detailed analysis of New York City, with specific target systems including the financial markets, transportation system, water supply, foodstuffs, and electric power [38]. In conjunction with its detailed analysis of targets, timing, mechanisms and objectives, the ACTS faculty also spent considerable effort considering the operational aspects of bombardment. By 1935, the preferred method of attack was high altitude, daylight precision bombardment of pinpoint targets. To carry out such missions, several technological innovations were required. Most notable were the development of long-range bombers with sufficiently heavy payload capacities. The B-17 bomber, successfully tested in 1935, provided this capability and profoundly affected the thinking of the ACTS faculty. Bombsights required marked improvements from the primitive devices of World War I. An improved Sperry bombsight appeared in 1933 and was followed by the more advanced Norden Mark XV bombsight. The Air Corps now had the ability to range widely over an enemy and attack individual targets [39]. ACTS came to its end in the summer of 1941. By this time, the faculty had developed a detailed airpower and targeting theory that focused on attacking the social, economic, political, and military spheres of an adversary, in which critical infrastructure attack played the central role. Locating and attacking bottlenecks would lead to an unraveling of this highly interconnected and stressed web, with an attendant loss of morale. The dislocation of civilian life under wartime conditions would be sufficient to cause the enemy to sue for peace. Although highly developed, the doctrine was theoretical with little basis in actual warfare. It awaited its test in the cauldron of World War II.
Footnote 4: These ACTS lectures included Lecture—Air Force, General, Lecture AF-2; General Air Force Principles, Lecture AF-6; Lecture—Principles of War Applied to Air Force Action, Lecture AF-7. These lectures were part of the 1934-35 Air Force course and were likely written by either Lieutenant Colonel Harold L. George or Captain Robert M. Webster.
4 TRIAL BY FIRE: WORLD WAR II AND ECONOMIC TARGET SELECTION
In the years immediately before World War II, the British government began serious war planning, including collecting data on and analyzing the German economy. The Air Ministry developed a series of war plans, called the Western Air Plans, that focused on specific elements of the German economy [40]. WA-4 called for the destruction of the German railroad system, which by 1939 was deemed too dense for the existing British forces to make much of an impact. WA-5 planned the destruction of the Ruhr industrial region by primarily attacking power plants and coking plants. Subsequent analyses showed that it would be perhaps easier to shut down the Ruhr region by bombing the Möhne and Sorpe dams, which supplied water to industry. Unfortunately, the British did not possess sufficiently large bombs to destroy the dams. WA-6 focused on the German fuel supply, with 28 synthetic oil plants and refineries comprising the target list. Some target systems such as the German fuel supply contained too many targets to be practical for the available British forces. Consequently, the British Ministry of Economic Warfare (MEW) sought out bottlenecks, particularly those critical items that were made only in a few isolated plants. Two such targets identified in 1941 were ball bearings and synthetic rubber. By late November 1942, the MEW identified other bottlenecks, including alkalis, fuel injection pumps and electrical equipment for aircraft, and optical and laboratory glasses and instruments [41]. However, the British were hampered by several problems. Bomber range and payloads limited those targets that could be attacked. British bombers were not sufficiently armed and armored for daylight bombing of precision targets; the force had difficulty penetrating German fighters. The British switched to night bombing, which presented its own difficulties with navigation and accurate target identification.
As a result, the British focused on area bombing as opposed to the destruction of precision targets until late in the war [42]. In 1940, the US Army Air Corps’ Strategic Air Intelligence Section was also analyzing the industrial-economic structure of Germany. The Section initially focused on the following:
• electric power, including sources of fuel and the distribution system;
• steel, including raw materials;
• petroleum products, including the synthetic processes;
• the aircraft industry, including aluminum production and engine plants; and
• transportation networks, including railways, canals, and highways.
The section also examined the nonferrous metals supplies, machine tool production, and food processing and distribution [22]. In July 1941, then-Major Haywood Hansell visited the British as an observer. The express purpose of his visit was to explore British intelligence and bring home what material he could. Hansell, a former instructor at ACTS and member of the Strategic Air Intelligence Service, was impressed with the similarity of British and American targeting philosophies. Like the Americans, the British sought the collapse of German industry by destroying carefully selected targets. Hansell brought with him digests of American intelligence and found that he had much to offer. He noted that the Americans were better informed on the German electric power system and petroleum and synthetic products; the British had better information on the German aircraft industry including engine production, transportation, and the German Air Force. The British shared a considerable amount of information with Hansell, and he returned to the United States “loaded down” with targeting information [43]. In July 1941, the US Army Air Corps established its Air War Plans Division (AWPD). Lieutenant Colonel Harold L. George led the small staff, comprised of Lieutenant Colonel Kenneth N. Walker, Major Laurence S. Kuter, and Major Hansell. Each of these officers had been an ACTS faculty member. On 9 July 1941, President Franklin D. Roosevelt tasked the Secretaries of War and Navy to provide an estimate of “the overall production requirements required to defeat our potential enemies” [44]. In turn, General Henry H. “Hap” Arnold, Chief of the Army Air Force, tasked AWPD to develop the Air Annex for the requirements estimate. 
The guidance for the plan was quite broad and included four principal tasks: (1) (T)he provision of air forces in the defense of the Western Hemisphere; (2) the prosecution of an unremitting air offensive against Germany and lands occupied by German forces, including air preparation for a final invasion of the continent if that should be necessary; (3) the provision of strategic and close support air operations for such a land invasion; and (4) the provision of air defense and air support for strategic defensive operations elsewhere [45].
George’s approach to developing the Air Annex was to plan a strategic offensive to debilitate the German war industry, defeat Germany if possible, and if necessary support an eventual invasion of the continent and Germany itself. Further, the planning effort assumed that the main burden for the strategic defensive in the Pacific region would lie on the Navy and that there would be no strategic offensive against Japan until Germany was defeated. Using the methods developed at ACTS, the officers examined in detail the German economy and military for vital links. As Hansell later recounted, several questions formed the basis of their analysis:
• What were the vital links?
• Among those links, which were the most vulnerable to air attack?
• Among those vulnerable to air attack, which would be the most difficult to replace or harden by dispersal or by going underground? [46].
The German economy was assumed to be highly stressed and drawn taut by the war effort. In the end, the plan focused on electric power, transportation (railways, canals, and highway networks), and the petroleum system (particularly synthetic oil production processes and the oil sources in Ploesti, Romania). An “intermediate objective” of overcoming the German fighter aircraft forces was established in order to permit the optimum effectiveness of the strategic attack against the German homeland. This could be accomplished by destroying the aircraft and engine manufacturing facilities, by elimination or curtailment of fuel supplies, or by attrition in air-to-air combat. The Germans were resourceful and their responses to the attacks would need to be anticipated. Further, the Germans would repair damaged targets so that revisiting targets would be necessary. The plan designated 154 targets in several systems, listed in Table 1 [47]. The resultant plan, AWPD-1, was accepted by the Combined Chiefs of Staff at the Acadia Conference in December 1941–January 1942. Of critical note is that AWPD-1 was essentially an aircraft production requirements plan and schedule, based upon a strategic campaign against Germany and Japan. The acceptance of the plan by the Combined Chiefs of Staff was interpreted as an acceptance of the strategic air campaign as well: Major General Carl Spaatz, Commanding General of Eighth Air Force, and Brigadier General Ira Eaker, Commanding General of VIIIth Bomber Command, accepted AWPD-1 (and its successor plan, AWPD-42) as the authoritative strategic guidance for the air campaign in the European theater [48]. A year after its delivery, AWPD-1 underwent the first of two modifications. In August 1942, the American air planning group modified it based on changes in the strategic situation and lessons learned to date. The new plan, AWPD-42, was delivered to the President on 24 August 1942. 
TABLE 1 Targeting Priorities in World War II
AWPD-1
1. German Air Force
   • Aircraft factories
   • Aluminum plants
   • Magnesium plants
   • Engine factories
2. Electric power
   • Power plants
   • Switching stations
3. Transportation
   • Rail
   • Water
4. Petroleum
   • Refineries
   • Synthetic plants
5. Morale
AWPD-42
1. German Air Force
   • Aircraft factories
   • Aircraft engine plants
   • Aluminum plants
2. Submarine building yards
3. Transportation
   • Rail
   • Water
4. Electric Power
   • Power plants
   • Switching stations
5. Petroleum
   • Refineries
   • Synthetic plants
6. Rubber
   • Synthetic plants
Combined Bomber Offensive
1. German Air Force
   • Fighter aircraft factories
   • Aircraft engine plants
   • Combat attrition
2. Submarine building yards and bases
3. Ball bearings
4. Petroleum
   • Refineries
   • Synthetic plants
5. Rubber
   • Synthetic plants
6. Military transportation
   • Armored vehicle factories
   • Motor vehicle factories
Like its predecessor, it was a requirements plan for aircraft
production. Its fundamental strategic philosophy called for a strategic offensive against Germany and a strategic defensive against Japan. As with AWPD-1, the primary strategic purpose was to undermine and destroy the capability and will of Germany to prosecute the war by destroying those industries supporting the war effort and associated structures that supported both the war industries and the civilian economy. The secondary purpose of the plan was to provide air support to forces operating in the Mediterranean and the Pacific. It was a combined US–British air plan, with the US Army Air Forces focused on daylight bombing of precision targets, and the Royal Air Force taking on nighttime bombing of area objectives associated with munitions manufacturing. The targeting systems were similar to those of AWPD-1 and are detailed in Table 1 [49]. In December 1942, General Arnold issued a directive establishing the Committee of Operations Analysts (COA), an organization of respected American businessmen, economists, and military air planners. Unfortunately, the memo did not make clear the purpose of the COA and the objective of the air campaign. Subsequently, the Casablanca Directive clarified the COA’s mission by calling for an air offensive against Germany to “bring about the progressive destruction and dislocation of the German military, industrial and economic system and the undermining of the morale of the German people to a point where their capacity for armed resistance is fatally weakened” [50].5 The COA analyzed potential target sets, applying available intelligence information. It submitted its initial report in March 1943. The report, endorsed and slightly modified by MEW, contained the following list of priority target sets:
• German aircraft industry, with first priority on fighter aircraft, including assembly plants and engine factories;
• ball bearings;
• petroleum;
• grinding wheels and crude abrasives;
• nonferrous metals—copper, aluminum, zinc;
• synthetic rubber and tires;
• submarine construction yards and bases;
• military motor transport vehicles;
• transportation systems in general;
• coking plants;
• steel;
• machine tools;
• electric power;
• electrical equipment;
• optical precision instruments;
• chemicals;
• food production;
• nitrogen and the chemical industry; and
• antitank machinery and antiaircraft machinery.
Footnote 5: This directive was amended in late April/early May 1943 to include a final sentence that read, “This is construed as meaning so weakened as to permit initiation of final combined operations on the Continent.”
This list was similar in target selection and philosophy to the targeting lists compiled for AWPD-1 and AWPD-42 [51]. The inputs of the COA were used by an American–British joint planning team headed by Brigadier General Hansell in VIII Bomber Command. This team developed its final list of targets based upon operational considerations that it believed would create the most damage to Germany given the existing and planned bomber force. This plan, which formed the basis of the US–British Combined Bomber Offensive (CBO), differed from AWPD-1 and AWPD-42, in that it was primarily a capabilities plan based on existing aircraft and those in the production pipeline as opposed to an aircraft requirements plan. The target sets of the CBO Plan are listed in Table 1. This plan was briefed to and accepted by the Eighth Air Force Commander, the European Theater Commander, and the Joint Chiefs of Staff, as well as their British counterparts [52]. The CBO, code-named POINTBLANK, got underway in May 1943. The strategic concept for the air war against Japan paralleled the approach with Germany: defeat the Japanese air force and so weaken Japan’s capability and will to fight that it would either capitulate or permit occupation against disorganized resistance, or, failing this, would enable an invasion at minimal cost [53]. The experiences in Europe heavily influenced the selection of target systems in Japan. In late 1943, General Arnold asked the COA for its recommended list of targets for a final offensive in Japan. The COA recommended seven target systems, although not in priority order:
• merchant shipping in harbors and at sea;
• iron and steel production, via the coke ovens;
• urban industrial areas vulnerable to incendiary attack;
• aircraft plants;
• antifriction bearing plants;
• the electronics industry; and
• the petroleum industry [54].
The following year, the Air Staff and ultimately the Joint Chiefs of Staff gave the overriding priority to the destruction or neutralization of the Japanese air force. Aircraft and engine plants were designated as the top priority targets for the newly formed XXI Bomber Command, led by Hansell. Targets in Japan fell into two broad categories: select targets to be attacked with precision bombardment and urban area targets slated for incendiary attack. Hansell preferred precision attack. However, much of the Japanese industry was dispersed in small shops in the highly flammable urban areas, which made incendiary attacks attractive. In fact, in late 1944, the COA raised urban attacks to a higher priority than economic and industrial systems [55]. Given the critical importance of shipping, the XXI Bomber Command also executed aerial mining operations [56]. The selection of targets for attack in the two theaters followed a rigorous, scientific approach. Colonel Guido R. Perera, a member of the COA, described the process followed by that group in selecting targets in a 1943 memorandum to General Arnold: The Committee has arrived at certain conclusions in regard to target selection. It is better to cause a high degree of destruction in a few really essential industries or services than to cause a small degree of destruction in many industries. Results are cumulative and the plan once
adopted should be adhered to with relentless determination. In the determination of target priorities, there should be considered (a) the indispensability of the product to the enemy war economy; (b) the enemy position as to current production, capacity for production and stocks on hand; (c) the enemy requirements for the product for various degrees of activity; (d) the possibilities of substitution for the product; (e) the number, distribution and vulnerability of vital installations; (f) the recuperative possibilities of the industry; (g) the time lag between the destruction of installations and the desired effect upon the enemy war effort [57].
Similarly, a RAND memorandum written shortly after the war provides insights into the analyses behind the selection of military and economic targets for bombardment by the Enemy Objectives Unit (EOU). The London-based EOU was comprised of US Army Air Corps officers and members of several intelligence units, including the Office of Special Studies and the Board of Economic Warfare. It assisted the 8th and 15th Air Forces with target selection and target intelligence. For each item or service considered for targeting, the EOU examined the following:
• the military importance of the item (e.g. frictionless bearings were essential for military vehicles);
• the percentage of direct military usage of the item;
• the depth, defined as the time elapsed between the end of production of an item and the occurrence of its shortage in tactical units;
• the economic vulnerability of an item or service, including the following:
  ◦ the ratio of capacity to output (excess capacity, slack in the system, etc.);
  ◦ substitutability for processes and equipment;
  ◦ substitutability for the product (or service);
  ◦ vulnerability of process and plant layout to attack; and
  ◦ recuperability following attack;
• the physical vulnerability of the targets; and
• the location and size of the target sets.
The EOU gave preference to those targets with relatively small depth, that is, those items whose effects would show up rapidly. The relative size of the target set to the capabilities of the available air forces also influenced target selection [58]. Clearly, such analyses required insights from military planners, industrialists, and economists, all supported by the most detailed intelligence available. How effective was the economic targeting of Germany and Japan? In November 1944, the Secretary of War established the United States Strategic Bombing Survey (USSBS), based on a directive from President Roosevelt. The Survey comprised civilians, officers, and enlisted personnel. The Survey was tasked to enter Germany and Japan as soon as possible and to assess the effectiveness of bombardment and its contribution to the victory over the Axis powers. Teams made close inspections of plants, cities, and areas; amassed statistical data and documentation; and interviewed and interrogated thousands of persons, including political, military, and industrial leaders in Germany and Japan. The Survey wrote several hundred highly detailed reports on the effectiveness of the bombardment campaigns [58]. In the conclusion section of its summary report on the war against Germany, the USSBS made a number of key observations about the effectiveness of bombing. In the words of the Survey,
• “A first-class military power—rugged and resilient as Germany was—cannot live long under full-scale and free exploitation of air weapons over the heart of its territory.”
• “As the air offensive gained in tempo, the Germans were unable to prevent the decline and eventual collapse of their economy. Nevertheless the recuperative and defensive powers of Germany were immense; the speed and ingenuity with which they rebuilt and maintained essential war industries in operation clearly surpassed Allied expectations. . .” The German economy was undermobilized throughout much of the war, allowing it to recover and rebuild facilities to some levels of pre-attack production between raids, particularly in the early days of the war. The Germans employed numerous means to support their industrial operations, including camouflage, smoke screens, shadow plants, dispersal, and underground factories. The Germans were also able to make strategic substitutions for critical products [59], and employed means to increase industrial efficiencies. Dispersal, however, increased the importance of transportation networks, and thus multiplied the problems created by Allied air attacks against those networks.
• “The importance of careful selection of targets for air attack is emphasized by the German experience. The Germans were far more concerned over attacks on one or more of their basic industries and services—their oil, chemical, or steel industries or their power or transportation networks—than they were over attacks on their armament industry or the city areas. The most serious attacks were those which destroyed the industry or service which most indispensably served other industries.”
• “The German experience showed that, whatever the target system, no indispensable industry was permanently put out of commission by a single attack. Persistent re-attack was necessary.” Between attacks, the Germans worked to recover those destroyed facilities. For example, following the attacks on the ball bearing facilities at Schweinfurt, the Germans dispersed facilities, redesigned equipment where possible, and drew down existing stocks of frictionless bearings. An important lesson was that frequent reattack to ensure destruction of the industry was necessary.
• “In the field of strategic intelligence, there was an important need for further and more accurate information, especially before and during the early phases of the war.” Much critical intelligence and analytic capability came from civilian experts not associated with the military before the war [60].
The USSBS examined the impacts of bombardment on specific target systems. With respect to the German transportation networks, the railroad system was unable to meet its transportation requirements after October 1944. This disorganized the flows of raw materials, components, and finished goods. Dispersal of industry only complicated the situation [61]. Coal was a particularly crucial commodity, as it was used for the manufacture of steel, electric power generation, and by the locomotives of the rail system itself. One detailed analysis of the collapse of the German war economy concluded that the coal-rail nexus was the foundation of all economic activity in Germany, and its destruction created dire short-term effects on the economy, led to the disintegration of Germany’s division of labor, created serious declines in armaments production, and caused a major decrease in supplies to the Wehrmacht [62]. Grinding wheels and abrasives were critical commodities in the German economy. During interrogations after the war, Albert Speer, the German Minister of Armaments
Production, stated that the entire armaments industry would have come to a standstill in 6 months if the production of abrasives had been destroyed. Furthermore, the complete loss of the ball bearing industry would have halted armaments production in 4 months [63].⁶ Speer was likewise concerned about the potential loss of electricity. Noting that “electricity alone could not be stockpiled,” Speer stated that the destruction of the electric power grid would have been “the most radical measure, as it would at once lead to a breakdown of all industry and support of public life”. The chief engineer in charge of the electric power grid observed that “the war would have been finished two years sooner if you concentrated on the bombing of our power plants” [64]. The destruction of the petroleum infrastructure had critical implications for the German economy and war effort. Significant declines in 1945 of petroleum stocks affected the ability of German ground and air forces to operate. From an infrastructure interdependencies perspective, loss of the synthetic petroleum industry killed nitrogen production, which itself was required for synthetic rubber and ammunition production [65].

In the Pacific theater, the Japanese economy was strangled by the destruction of its shipping industry by submarine and air attack as well as mining operations. Shipping logistically supported the fielded Japanese military forces and was vital to Japanese industry. Japan was critically dependent upon imports, which were cut off by the antishipping campaign. Steel production, for example, was directly affected by the destruction of shipping. Oil imports began declining in mid-1943 and were eliminated by April 1945. The USSBS report stated that even without air attacks on industry, the overall level of Japanese production in August 1945 would have been 40–50% below the peak levels of 1944 [66]. To paraphrase the USSBS, the air campaign against Japan destroyed its economy a second time over.
The precision attacks against the aircraft and engine plants forced dispersal of those industries, including moving some manufacturing underground. The dispersal coupled with the destruction wrought by the bombing campaign crippled the Japanese aircraft industry. The electric power distribution system, though not explicitly targeted, and its associated load were largely destroyed by the urban incendiary attacks. The urban incendiary attacks severely damaged smaller urban industrial plants. Attacks against the rail system were beginning at the end of the war; consequently, the rail system was in reasonably good condition at the war’s end. The labor force declined in efficiency due to malnutrition, fatigue, destruction of urban housing areas, and local transportation problems. Approximately 30% of the entire urban population of Japan lost their homes and possessions. The targeting of industry, both through area bombing and precision attacks, reduced prewar production by the following amounts:

• oil refineries: 83%;
• aircraft engine plants: 75%;
• airframe plants: 60%;
• electronics and communications equipment: 70%;
• army ordnance plants: 30%;
• naval ordnance plants: 28%;
• merchant and naval shipyards: 15%;
• light metals: 35%;
• ingot steel: 15%; and
• chemicals: 10% [67].

⁶ Some have questioned Speer’s motivation behind his statements—was he stating what he honestly believed, or was he providing inputs that the USSBS and airpower advocates wanted to hear?
The Survey concluded that “heavy, sustained and accurate attack against carefully selected targets is required to produce decisive results when attacking an enemy’s sustaining resources. . .no nation can long survive the free exploitation of air weapons over its homeland. For the future it is important fully to grasp the fact that enemy planes enjoying control of the sky over one’s head can be as disastrous to one’s country as its occupation by physical invasion” [68]. Technology was a major enabling factor in air campaigns of World War II. Long-range bombers able to deliver heavy bomb loads, the turbosupercharger, the Norden bombsight, radar bombing, and improved navigation all contributed to the ability to attack and destroy precision targets. Nonetheless, “precision” was limited during the war: the average miss distance for a 2000-lb bomb in the European campaign was 3300 feet. An Eighth Air Force assessment concluded that only 7% of the bombs dropped from September through December of 1944 fell within 1000 feet of their aimpoints. Numerous factors contributed to bombing problems, including inherent limitations in the bombsights, poor weather, dispersion of bomber formations when attacked by fighters, training, and poor aerodynamic designs of the bombs themselves [69]. By the end of the century, however, advanced technologies would largely resolve these issues, enabling truly precision attack.
5 MODERN THEORY AND PRACTICE

By the late 1980s to early 1990s, the confluence of technical developments, theory, and the Iraqi invasion of Kuwait drove a new test of critical infrastructure attack. The first driver, technology, had advanced to the point where the early promise of attacking precision targets on a global scale could finally be achieved. Bombing accuracies for unguided weapons had significantly improved, due to improved navigation, better aerodynamic designs of the bombs, improved weapons-release technologies, and better cockpit displays. Table 2 illustrates the improvement in bombing accuracy, for the case of hitting with a 90% probability a 60 × 100 feet target with an unguided 2000-lb bomb from medium altitude. CEP is the circular error probable, defined as the radius of a circle inscribed around a target inside of which 50% of the bombs fall [70].

TABLE 2 Bombing Accuracy in the 1900s

| War | Number of Bombs | Number of Aircraft | CEP (feet) |
|---|---|---|---|
| World War II | 9070 | 3024 | 3300 |
| Korean War | 1100 | 550 | 1000 |
| Vietnam War | 176 | 44 | 400 |
| Fall 1990 | 30 | 8 | 200 |

Precision-guided weapons, introduced during the Vietnam War, completely redefined the military principle of mass. At the end of the century, laser- and global positioning system (GPS) guided weapons had advanced to the point where CEPs were measured in feet [71].⁷ With this level of precision, the size of the weapon required to destroy a target could potentially be smaller. Reduced weapon sizes in principle meant that a single aircraft could carry more weapons, accurately attack multiple targets per sortie, and potentially reduce collateral damage. In fact, by the Gulf War of 1991, planners talked of “targets per sortie” rather than “sorties per target” [72]. With aerial refueling, aircraft such as the B-1 and B-52 bombers had by this time achieved truly global range. Technologies such as GPS eliminated the navigation problems that had plagued bomber crews during the two world wars. The combination of accurate navigation and precision weaponry opened the night to precision attack operations, which during World War II had been used primarily for area attacks. Stealth technology enabled attacks against heavily defended targets. Finally, computer modeling of critical infrastructures and sophisticated engineering and operations research techniques opened the door to understanding the effects of destroying individual elements in a critical infrastructure—as well as potentially planning attacks to create very specific operational or strategic level effects [73].⁸

Airpower doctrine and theory had likewise advanced by the end of the 1900s, in large part due to the significant contributions of US Air Force Colonels John Boyd and John A. Warden III. Both men shared a common theme of defeating an adversary through strategic paralysis, or the incapacitation of the enemy, although from distinctly different perspectives and approaches. Further, both colonels emphasized a shift from the economic warfare of ACTS and World War II to forms of control warfare. Boyd emphasized the mental, moral, and temporal aspects of war, arguing that one could induce strategic paralysis in an adversary by operating inside the adversary’s observe-orient-decide-act (OODA) loop. Warden developed a detailed airpower theory that focused on the physical aspects of warfare and considered in detail the question of targeting. His “Five Rings” model included critical infrastructure attacks and their influence upon the overarching objective of forcing strategic paralysis [74]. As Boyd did not consider in depth critical infrastructure targeting, we do not explore his theories below.

⁷ As an example, F-117 fighters dropped 2041 tons of bombs during Operation DESERT STORM in 1991. One thousand six hundred and sixteen tons, or 79%, hit their targets, implying that they landed within 10 feet of the desired aimpoints. One well-publicized video showed a smart bomb flying down the ventilation shaft of the Iraqi Air Force headquarters building near Al Muthenna airfield.
⁸ At the end of the century, Sandia National Laboratories and Los Alamos National Laboratory jointly established the National Infrastructure Simulation and Analysis Center (NISAC), with the mission of modeling, simulating, and analyzing critical infrastructures, key assets, and infrastructure interdependencies. NISAC employs highly sophisticated engineering and computer models to simulate infrastructures and the effects of disturbances, including high-order and cascading effects. In 2003, NISAC became a formal program of the Department of Homeland Security. NISAC has a homeland security mission focused on critical infrastructure protection and defense, as opposed to an offensive military mission. See http://www.sandia.gov/mission/homeland/programs/critical/nisac.html.

While a student at the National Defense University, Warden published his theories of air warfare at the strategic and operational levels in his book The Air Campaign: Planning for Combat [75]. In the 1990s, he published a series of articles that concisely described his theories [76]. Warden argued that the ultimate aim of all military operations was to control the civil and military command structures of the adversary. This could be accomplished by causing changes in one or more parts of the enemy’s physical systems in such a manner as to force the adversary to adopt one’s objectives as his own or by making it physically impossible for the adversary to offer opposition. To Warden,
making the adversary incapable of offering opposition was the essence of imposing strategic paralysis. Warden recognized that warfare had both a physical and morale side and suggested that war could be visualized in terms of the equation:

(Physical) × (Morale) = Outcome

The physical side of war was, in principle, completely knowable and predictable, whereas the morale side involved humans and their reactions and therefore was not predictable. Consequently, Warden argued that one’s efforts in war should be directed at the physical side. Warden viewed an adversary from a systems engineering perspective with his “Five Rings” model. This model postulated that any strategic entity—whether a state, business, or terrorist organization—could be represented by five concentric rings (Fig. 1). The rings, from the innermost outward, and in order of importance, are as follows:

• Leadership, containing the enemy command structure and command communications.
• Organic essentials (or key production), comprised of more than just war-related industry. The electric power and petroleum industries are organic essentials; Warden noted that these systems had relatively few targets and were generally fragile.
• Infrastructure, with a focus on the adversary’s transportation networks, including key nodes, railroads, and bridges. He noted that the targets in these systems were more numerous and redundant than the organic essentials and would likely take more effort to effectively damage.
• Population, including its food sources. Warden did not advocate directly targeting people, given that there were too many to effectively target, moral objections notwithstanding. However, he believed that indirectly attacking populations, such as the North Vietnamese did to the American populace during the Vietnam War, could be effective under certain circumstances.
• Fielded military forces. Warden emphasized that the fielded military forces were just means to an end and not the proper objective in war. He noted that fielded forces were often the “hardest” of all targets, given that they were designed for combat.

FIGURE 1 Warden’s Five Rings model. [Figure: five concentric rings labeled Leadership, Organic essentials, Infrastructure, Population, and Fielded forces, with the annotation “Airpower can attack across all rings, simultaneously”.]
Warden noted that the rings are not independent entities; rather, they are interdependent with one another. Like his predecessors, Warden was clear that an air force could attack targets within and throughout any of the rings. Nonetheless, he stressed that all actions must be aimed at the mind of the enemy command and that the essence of war was to apply pressure to the central ring—the enemy’s command structure. Targeting this ring alone would generally not be sufficient, but all actions against targets in other rings must be focused on affecting the command structure. To Warden, this was “inside-out warfare”, in that the traditional concept of attacking fielded forces was replaced with an emphasis on directly affecting and influencing the innermost leadership ring. Warden also maintained that attacks should be compressed in time. Given that an air force could attack across an entire strategic entity, parallel attacks against many target sets were preferred to a serial attack stepping sequentially through target sets. He likened this to “death by a thousand cuts”, which would only hasten strategic paralysis (and in the sense of Boyd, would enable one to get inside the adversary’s OODA loop). With stealth and precision weaponry, many targets could be attacked simultaneously, thus enabling parallel warfare throughout the entire depth of an adversary. Given the time-compressed nature of parallel war and his experience in the Gulf War of 1991, Warden termed this form of conflict hyperwar.

The Gulf War put Warden’s theories to the test. In August 1990, as Iraq invaded Kuwait, Colonel Warden led CHECKMATE, an office under the Air Force Deputy Chief of Staff for Plans and Operations. CHECKMATE was primarily tasked with long-range planning.
Following the invasion, General Norman Schwarzkopf, the Commander in Chief (CINC) of Central Command, sent Lieutenant General Charles Horner, Commander of Ninth Air Force, to the theater as the on-site commander and the Joint Force Air Component Commander (JFACC). The JFACC was responsible for developing and executing the air campaign. However, in the days immediately following the Iraqi invasion, General Horner’s staff was consumed with logistics and aircraft deployment and beddown issues. On August 8th, General Schwarzkopf consequently called upon the Air Force Chief of Staff for assistance in developing the air campaign. This tasking flowed down to Colonel Warden and his CHECKMATE staff. The staff developed the concept for a strategic air war within 2 days and on August 10th, briefed the plan to General Schwarzkopf at MacDill AFB in Florida. The air campaign, named INSTANT THUNDER, was accepted with some changes by US officials, General Horner, and General Schwarzkopf. In the theater, General Horner placed Brigadier General Buster C. Glosson in charge of planning and directed him to turn INSTANT THUNDER into an operational plan [77].

Warden’s Five Rings provided the framework for the CHECKMATE planners. Their initial target breakout by ring is given in Table 3. The initial breakout, which changed little during the planning, provided a framework for determining individual targets. The planners considered interdependencies among target sets. Generally, they did not search for bottlenecks as did the World War II planners, as they were not constrained to serial attacks. Instead, the planners sought to attack simultaneously across the entirety of Iraq, aiming to impose strategic paralysis. For individual targets such as refineries, the planners took advantage of precision-guided weapons by seeking those specific aimpoints that would debilitate the target [78].

TABLE 3 Breakout of the Five Rings in the Gulf War

| Leadership | Organic Essentials | Infrastructure | Population | Fielded Forces |
|---|---|---|---|---|
| Communications | Electricity | Railroad bridges | Psychological operations | Strategic air defense system |
| Internal control mechanisms | Oil refining | Civilian airfields | | Strategic offensive forces |
| | Nuclear technology | | | Republican Guard |
| | Weapons production facilities | | | |

The objectives of the strategic campaign were to isolate
the Iraqi leadership, degrade key production, disrupt the infrastructure through transportation attacks, turn the population and the military forces against the Iraqi regime, and destroy Iraq’s offensive and defensive capabilities [79].

Airpower during the Gulf War had a decisive effect. By striking several dozen targets in the Baghdad area, the regime lost its ability to command and control its forces. In effect, the regime was rapidly rendered blind to the ongoing war. Air strikes against 27 selected electric power targets across the nation shut down the grid in the Baghdad area. Because electricity cannot be stockpiled, and given that other infrastructures depend upon electricity, the loss of power affected many Iraqi military facilities. The oil campaign reduced Iraq’s production to near zero, with slightly more than 500 sorties against 28 targets. In 3 days of attacks against the oil infrastructure, Iraq’s refined oil production was halved; after 13 days, production was reduced to zero. The transportation campaign reduced the flow of supplies to Basra, a major transshipment point, to a level well below that required to sustain Iraqi combat operations. The combination of stealth, precision, and parallel warfare reduced the Iraqi regime’s ability to command its forces to near zero and rendered the Iraqi military ineffective before the commencement of ground operations [80].

Following the Gulf War, Colonel Warden was appointed as Commandant of Air Command and Staff College (ACSC) and the School of Advanced Airpower Studies (SAAS), the US Air Force’s professional military schools for midgrade officers. His influence on the curriculum was profound; he oriented it toward the operational level of war with a heavy emphasis on air campaign planning. He instituted student research projects, again at the operational level of war [81]. A number of student papers and SAAS theses during his tenure examined critical infrastructure analysis and attack.
These papers included analyses of telecommunications systems [82], the petroleum sector [83], electric power [84], and social networks [85]. One thesis provided a detailed examination of infrastructure interdependencies, postulating that modern economies are complex adaptive systems and must be targeted as such [86]. Chaos theory was applied to critical infrastructures, social systems, and campaign-level planning in an ACSC student research project [87]. Another detailed analysis of electric power grids included computer software that demonstrated effects-based targeting of that infrastructure [88]. Although these papers included detailed information on the functioning, structure, and architectures of their respective infrastructures, they were primarily studies of the strategic and operational utility of critical infrastructure attacks in the age of modern warfare. By the end of the twentieth century, a new technology of warfare was emerging on the horizon: information or cyber warfare. Many have speculated in the open literature
about the possibility of cyber attacks against the computerized control systems that manage and operate the nation’s critical infrastructures [89].⁹ If disrupted, these supervisory control and data acquisition (SCADA) systems could directly affect the infrastructures they control. Adversarial control or attack of SCADA systems and the subsequent infrastructure disruptions could have important economic and national security ramifications. Today, the Departments of Homeland Security and Energy both have programs with the objectives of increasing the security of SCADA and other process control systems to reduce the risks and consequences of such attacks.

6 OBSERVATIONS

The above-mentioned historical survey demonstrates that airpower theory and practice in the 1900s leaned heavily upon critical infrastructure attacks to obtain national and military objectives. Analyzing the air campaigns and theories, we can make the following observations on military thought concerning specific critical infrastructures:

• Defense industrial base. Attacks against this infrastructure were employed primarily to deny an adversary the physical means to sustain a war. ACTS theorized that many industries were actually dual use; hence, their destruction would also undermine the social fabric of a nation.
• Electricity. Electric power is vital to the normal operation of a nation, including the functioning of its defense industrial base. Planners believed that disrupting electric power would affect the ability of the adversary government to carry out its essential functions and prosecute the war, degrade the military’s ability to operate, and disrupt normal civilian life.
• Petroleum. Loss of refined petroleum products would preclude the operation of military vehicles, disrupt transportation networks, and deny raw materials used in many manufacturing processes vital to the production of war materiel.
• Communications. Disruption of communications would directly affect the ability of the national and military leadership to command and control military operations, add confusion to the war effort, and potentially panic and confuse the population.
• Transportation. Loss of transportation networks would hamper the ability to mobilize and concentrate forces, affect the ability to move raw materials to the defense industrial base, degrade the ability of dispersed industries to produce war materiel, and potentially affect the ability of the labor force to get to work.
• Food. Destruction of food supplies, including agricultural areas, would lead to malnutrition, with a particular target of the labor force of the defense industrial base.
Although this list is not exhaustive, particularly with respect to cascading and higher order effects, it is representative of the thought that went into targeting infrastructures throughout the 1900s.

⁹ The massive cyber attacks on Estonia in April–May 2007 illustrate a means of attacking critical infrastructures that do not use SCADA systems yet rely upon the Internet to function. Targets included banks, newspapers, and the government—representative elements of several critical infrastructures. For example, the attacks forced Estonia’s largest two financial institutes to severely restrict online access. Of note is that Estonia is one of the most wired European nations.
Despite the detailed development of economic and infrastructure attack theories and plans, the ability to carry out such attacks was tightly linked to the state of technology. Attacks in World War I were largely viewed by the Germans as ineffective; technology and operational considerations precluded the air services from obtaining their desired operational and strategic effects. Improvements in technology were a critical enabling factor for aerial bombardment in World War II; infrastructure attacks yielded decisive effects against the German and Japanese economies and warmaking abilities. Nevertheless, technological limitations were apparent in that war, such as the degree of precision that could be obtained by bombing. By the end of the century, these limitations had largely been overcome, thereby opening up new operational possibilities for infrastructure attack as demonstrated in the Gulf War.
7 CONCLUSIONS

While protection of critical infrastructures has risen to the level of a national priority only during the past 15 years, attacking critical infrastructures during conflicts is hardly new. With the advent of the airplane, air forces were able to fly over fielded surface forces and directly attack strategic objectives throughout an adversary’s homeland. Target sets originally concentrated on the defense industrial base and transportation networks. By World War II, with improved aircraft, bombs, and bombsights, the Allied forces attacked “precision” targets throughout the Axis nations, including many critical infrastructures. By the end of the century, precision weapons had come to the forefront, enabling surgical attacks on critical infrastructure targets. Indeed, during the Gulf War of 1991, Coalition forces conducted rapid, parallel attacks against infrastructure targets throughout Iraq. Theory and technology contributed heavily to the use of critical infrastructure attack during conflicts in the twentieth century.
REFERENCES 1. Rinaldi, S. M., J. P. Peerenboom, and Kelly, T. K. (2001). Complexities in identifying, understanding, and analyzing critical infrastructure interdependencies. Invited paper, IEEE Control Syst. Mag. 21(6), 11–25. 2. Department of Homeland Security (2006). National Infrastructure Protection Plan. Department of Homeland Security, Washington, DC, p. 3. 3. PCCIP (1997). Critical Foundations: Protecting America’s Infrastructures. The Report of the President’s Committee on Critical Infrastructure Protection, October 1997. 4. Ibid, 15. 5. Kennett, Lee (1991). The First Air War: 1914-1918 . The Free Press, New York, p. 44. 6. Williams, G. K. (1999). Biplanes and Bombsights: British Bombing in World War I . Air University Press, Maxwell Air Force Base, AL, p. 11. 7. Ibid., 53. 8. Ibid., 11. 9. Ibid., 44, 97, 102, 10. Ibid., 271–287.
1416
CROSS-CUTTING THEMES AND TECHNOLOGIES
11. Ibid., 15.
12. Ibid., 65.
13. Huston, J. W. (1978). Major General, USAF. Forward in The U.S. Air Service in World War I, Vol. II, M. Maurer, Ed. The Office of Air Force History, Headquarters USAF, Washington, DC.
14. Ibid., 108.
15. Parker, Frank. Major. (1917). The Role and Tactical and Strategical Employment of Aeronautics in an Army, Report to the Board of Officers, 2 July 1917. Ibid., 119–121.
16. Ibid., 141–157.
17. Williams, G. K. (1999). Biplanes and Bombsights: British Bombing in World War I. Air University Press, Maxwell Air Force Base, AL, pp. 111–118.
18. Ibid., 9, 17, 24, 102, 120, 121, 123.
19. Douhet, G. (1942). The Command of the Air. Coward-McCann, New York. Translation by Dino Ferrari. Ferrari’s translation includes five separate works of Douhet, originally published between 1921 and 1930. The version cited in this article is the 1983 reprint of Ferrari’s translation by the Office of Air Force History, Washington, DC. Page 23, emphasis in original.
20. Ibid., 58.
21. Ibid., 20.
22. Ibid., 51.
23. Ibid., 57.
24. Ibid., 59–60.
25. Maurer, M. (1917). Memorandum for the Chief of Staff, U.S. Expeditionary Force, from Major Mitchell, Aviation Section, Signal Corps, dated 13 June 1917, p. 111.
26. Mitchell, W. (1925). Winged Defense: The Development and Possibilities of Modern Air Power Economic and Military. Putnam’s, New York, pp. 126–127. The version cited in this article is the 1988 Dover Publications, Inc., reprint.
27. Mitchell, W. (1925). Winged Defense, 17.
28. Ibid., 5–6.
29. Metz, D. R. (1998). The Air Campaign: John Warden and the Classical Airpower Theorists. Air University Press, Maxwell Air Force Base, AL, p. 35.
30. Mitchell, W. (1930). Skyways. J.B. Lippincott, Philadelphia, PA, p. 253.
31. Finney, R. T. (1992). History of the Air Corps Tactical School 1920-1940. Center for Air Force History, Washington, DC, pp. iii, 11, 25.
32. Hansell, H. S. Jr. (1986). The Strategic Air War Against Germany and Japan. United States Air Force Office of Air Force History, Washington, DC, pp. 9–11. Hansell was a member of the ACTS faculty from 1935–1938.
33. Finney, R. T. (1992). History of the Air Corps Tactical School 1920-1940. Center for Air Force History, Washington, DC, p. 63.
34. Hansell, H. S. (1986). The implicit assumption was that the economies of modern, industrialized nations would share many characteristics. Strateg. Air War 12, 22.
35. Air Corps Tactical School (1934). Air Force Objectives. Lecture AF-5 from the 1934-35 course entitled Air Force. Air Corps Tactical School, Maxwell Field, AL.
36. Hansell, H. S. Jr. The Strategic Air War Against Germany and Japan. United States Air Force Office of Air Force History, Washington, DC, p. 12. Hansell was a member of the ACTS faculty from 1935–1938.
37. Hansell considered the electric power system to be the “very heart of our industrial system”. Hansell, H. S. Jr. The Strategic Air War Against Germany and Japan. United States Air Force Office of Air Force History, Washington, DC, p. 12. Hansell was a member of the ACTS faculty from 1935–1938.
38. Fairchild, M. S. (1939). Lecture—New York Industrial Area, Lecture AF-11-C from the 1939 course Air Force. This lecture was developed by Major Muir S. Fairchild.
39. Finney, R. T. (1992). History of the Air Corps Tactical School 1920-1940. Center for Air Force History, Washington, DC, p. 68.
40. Levine, A. J. (1992). The Strategic Bombing of Germany, 1940-1945. Praeger, Westport, CN, p. 9.
41. Ibid., 38.
42. Hansell, H. S. Jr. (1972). The Air Plan that Defeated Hitler. Higgins-McArthur/Longino & Porter, Inc., Atlanta, GA, p. 53.
43. Hansell, H. S. (1986). Strategic Air War, pp. 24–25.
44. Ibid., 30.
45. Hansell, H. S. (1972). Air Plan, p. 69.
46. Ibid., 79–80.
47. Ibid., 163.
48. Ibid., 144.
49. Ibid., 102.
50. Ibid., 147–153, 158.
51. Ibid., 158.
52. Ibid., 158–168.
53. Hansell, H. S. (1986). Strategic Air War, p. 141.
54. Ibid., 147, 167.
55. Ibid., 219.
56. Ibid., 177, 198.
57. Perera, G. R. (1944). History of the Organization and Operations of the Committee of Operations Analysts, 16 November 1942–10 October 1944, Air Force Historical Research Agency. Document 118.01, Volume II, Tab 22. This particular quotation was taken from the Memorandum to Lt Gen Arnold, 8 March 1943, Subject: Report of the Committee of Operations Analysts with Respect to Economic Targets Within the Western Axis.
58. (a) United States Strategic Bombing Survey. (1945). The United States Strategic Bombing Survey Summary Report (European War). September 30, 1945, pp. 3–4; (b) United States Strategic Bombing Survey. (1946). The United States Strategic Bombing Survey Summary Report (Pacific War). July 1, 1946, pp. 46–67. The versions of these reports cited in this paper are from the October 1987 reprint by Air University Press, Maxwell Air Force Base, AL.
59. Olson, M. Jr. (1962). The economics of target selection for the combined bomber offensive. RUSI J. CVII, 308–314.
60. USSBS, (1945). Summary Report, pp. 37–40.
61. Hansell, H. S. (1986). Strategic Air War, p. 125.
62. Mierzejewski, A. C. (1988). The Collapse of the German War Economy, 1944-1945. The University of North Carolina Press, Chapel Hill, NC, pp. 161–162.
63. Hansell, H. S. (1986). Strategic Air War, p. 130.
64. Ibid., 131–133.
65. Ibid., 122.
66. USSBS, (1946). Summary Report, pp. 77–82.
67. Ibid., 86–90.
68. Ibid., 110.
69. Hallion, R. P. (1992). Storm Over Iraq: Air Power and the Gulf War. Smithsonian Press, Washington, DC, pp. 9–10.
70. Ibid., 282–283. Table 2 is adapted from Hallion’s Appendix Table 2, page 283.
71. Ibid., 174, 177.
72. Deptula, D. A. Brigadier General. (2001). Brigadier General, Effects-Based Operations: Change in the Nature of Warfare. Aerospace Education Foundation, Air Force Association, Arlington, VA, p. 7 (Figure 4).
73. For the military application of computer modeling to target selection, see Rinaldi, S. M. Major (1995). Beyond the Industrial Web: Economic Synergies and Targeting Methodologies, Masters Thesis, School of Advanced Airpower Studies. Air University Press, Maxwell AFB, AL.
74. A detailed examination and comparison of Boyd and Warden’s theories can be found in Major Fadok, D. S. (1995). John Boyd and John Warden: Air Power’s Quest for Strategic Paralysis, Masters Thesis, School of Advanced Airpower Studies. Air University Press, Maxwell AFB, AL.
75. Warden, J. A. III (1988). The Air Campaign: Planning for Combat. National Defense University Press, Washington, DC.
76. (a) Warden, J. A. III (1992). Employing air power in the twenty-first century. In The Future of Air Power in the Aftermath of the Gulf War, R. H. Shultz Jr., and R. L. Pfaltzgraff Jr., Eds. Air University Press, Maxwell AFB, AL, pp. 57–82; (b) Warden, J. A. III (1994). Air theory for the twenty-first century. In Challenge and Response: Anticipating US Military Security Concerns, K. P. Magyar Ed. Air University Press, Maxwell AFB, AL, pp. 311–332; (c) Warden, J. A. III (1995). The enemy as a system. Airpower J. IX(1), Spring, 40–55.
77. Metz, D. R. (1998). The Air Campaign: John Warden and the Classical Airpower Theorists. Air University Press, Maxwell Air Force Base, AL, pp. 142–143.
78. Author interview with Colonel Warden, J. A. III (1994). 28 March 1994, Maxwell AFB, AL.
79. Hallion, R. P. (1992). Storm Over Iraq: Air Power and the Gulf War. Smithsonian Press, Washington, DC, p. 151.
80. Ibid., 188–196.
81. Author recollection as an ACSC and SAAS student during 1992–1994.
82. Hulst, G. R. Major (1993). Taking Down Telecommunications, Masters Thesis, School of Advanced Airpower Studies. Air University Press, Maxwell AFB, AL.
83. Wuesthoff, S. E. Major (1994). The Utility of Targeting the Petroleum-Based Sector of a Nation’s Economic Infrastructure, Masters Thesis, School of Advanced Airpower Studies. Air University Press, Maxwell AFB, AL.
84. Griffith, T. E. Major (1994). Strategic Attack of National Electrical Systems, Masters Thesis, School of Advanced Airpower Studies. Air University Press, Maxwell AFB, AL.
85. Tolbert, J. H. Major (2006). Crony Attack: Strategic Attack’s Silver Bullet? Masters Thesis, School of Advanced Air and Space Studies. Air University Press, Maxwell AFB, AL.
86. Rinaldi, S. M. (1995). Beyond the Industrial Web.
87. Carpenter, M. P. Major et al. (1993). Chaos Primer for the Campaign Planner, unpublished student research paper. Air Command and Staff College, Maxwell AFB, AL.
88. DeBlois, B. M. Major, Reid, M. A. Major, Walsh, S. J. Major, Werner, S. J. Major and Combs, G. (1994). Dropping the Electric Grid: An Option for the Military Planner, student research paper, Air Command and Staff College. Air University Press, Maxwell AFB, AL.
89. Grant, R. (2007). Victory in Cyberspace. Air Force Association, Arlington, VA.
FURTHER READING
Keysen, C. (1949). Note on Some Historical Principles of Target Selection, RAND Memorandum RM-189, July 15.
NETWORK FLOW APPROACHES FOR ANALYZING AND MANAGING DISRUPTIONS TO INTERDEPENDENT INFRASTRUCTURE SYSTEMS
Earl E. Lee
University of Delaware, Newark, Delaware
John E. Mitchell and William A. Wallace
Rensselaer Polytechnic Institute, Troy, New York
1 INTRODUCTION
The American way of life relies on the operations and interactions of a complex set of infrastructure networks. These networks include transportation, electric power, gas and liquid fuels, telecommunications, wastewater facilities, and water supplies. This set of civil infrastructures has also been included in the broader set of critical infrastructures defined by the USA Patriot Act of 2001 [1]. In the Patriot Act, critical infrastructures are those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such would have a debilitating impact on security, national economic security, national public health or safety or any combination of these matters [1].”
Each of these infrastructure systems evolved independently. However, as technology advanced, the systems became interconnected. The reliance of any of these systems on electric power is obvious. Failures, by whatever cause, within the communications networks in one locale may have far-reaching effects across many systems. Infrastructure management systems did not allow a manager of one system to “see” the operations and conditions of another system. Therefore, emergency managers would fail to recognize this “interconnectedness” or interdependence of infrastructures in responding to an incident, a fact recognized by The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets [2].
This research provides a model of this “system of systems.” Each system is explicitly modeled and the manager could be provided with a familiar view of their system. Additionally, the model captures how these systems rely on each other. The model and its associated decision support system become a tool for emergency and system managers to improve post-disruption response and better understand vulnerability due to this interconnectedness.
In the sections to follow, this article provides a brief discussion of the policy documents and past studies in system modeling; a description of the model and its associated decision support system; and an overview of how the model can be used for post-disruption system restoration and vulnerability analysis.
2 BACKGROUND/PAST STUDIES
The literature and past studies relevant to this research fall into one of three categories: the policy documents, the past research on single system modeling, and the work involving modeling multiple systems or a system of systems. In the interest of brevity, a lengthy discussion of this past work is not presented in this article. An extensive review of the literature relating to this study can be found in [3] and [4].
The policy documents [1, , 5–12] have framed the discussion, recognizing the need for models to aid in decision making and discussing how models can provide better understanding of the behavior of these complex, interconnected systems. Single system research [13–25] has focused on mitigating disruptions due to willful acts or natural events. In general, this work has not included detailed discussions on how these systems are vulnerable due to their reliance on other networks.
Past research [26–30] has also studied vulnerability and reliability as they relate to interconnected systems. Some of these studies have been at macroscopic levels of detail that are suitable for analyses relating to system vulnerability, but would not easily translate to restoration activities following a disruptive event. Other work has focused on just two specific systems and is not easily extendable across the system of systems. Again, a more detailed discussion of this work is found in [4].
Models of national scale are being developed by the national laboratories and within Department of Homeland Security-sponsored research. These models are useful in assessing impacts to quality of life, the economy, and national security. They can also aid in developing national response strategies. However, they lack the detail to be useful in guiding system restoration or identifying system vulnerabilities within smaller regions, a gap filled by this research, as discussed in the next section.
3 THE INTERDEPENDENT LAYERED NETWORK MODEL
This research has developed a formal, mathematical representation of the set of civil infrastructure systems that explicitly incorporates the interdependencies among them and is called the Interdependent Layered Network model (ILN). The ILN is a mixed-integer, network-flow-based model, which is implemented in software that enables the resulting model to be exercised. The detailed mathematical formulation of the model can be found in [3] and [4]. The ILN is embedded in a prototype decision support system, that is, Multi-Network Interdependent Critical Infrastructure Program for Analysis of Lifelines (MUNICIPAL). MUNICIPAL consists of a geographic information system (GIS) interface for the user, a database with the attributes of the set of infrastructures, the ILN module, and a vulnerability and system design module.
The model provides the capability to understand how a disruptive event affects the interdependent set of civil infrastructures. This capability improves a society’s ability to withstand the impact of and respond to events that can disrupt the provision of services that are required for the health, safety, and economic well-being of its citizens. Managers of infrastructure systems are able to assess the vulnerability of their own system due to its reliance on other systems. Organizations responsible for coordinating emergency response efforts will also be able to model different event scenarios and assess their impact across the full set of systems and the services they provide. With this broader perspective of impact, mitigation and preparedness strategies can be formulated and evaluated for their ability to reduce their effects on society.
MUNICIPAL is not based upon a unique configuration of infrastructures, but is generic and therefore applicable to more than one location. It is also not specific to a particular type of event, such as an earthquake or hurricane. The only requirements are that the event is of sudden onset and that the event causes damage to the physical components of the infrastructure system.
The intended use of MUNICIPAL was for response and restoration efforts following a disruptive event and as a training tool for personnel who would be guiding response and restoration efforts. As the research progressed, MUNICIPAL was found to be useful in supporting system design, assessing the vulnerability of a system, measuring the benefits of pre-staging resources or installing backup power systems, and even changing the physical design of the existing systems. This research has developed a network flow formulation of interdependent networks, which clearly identifies effects of a disruptive event across the set of infrastructure systems.
3.1 The General Construction of the Model
Interdependent infrastructures are viewed as networks, with movement of commodities (i.e., material) corresponding to flows and with services corresponding to a desired level of these flows. For ease of representation, each network, or infrastructure system, is defined as a collection of nodes and arcs with commodities flowing from node to node along paths in the network. Fundamentals of network flow problems are fairly uniform within the literature and texts on the subject [31]. For each commodity, each node is either a supply node, which is a source for the commodity; a demand node, which is a point that requires some amount of the commodity; or a transshipment node, which is a point that neither produces nor requires the commodity but serves as a point through which the commodity passes. Arcs may, of course, have limited capacities.
Infrastructure systems operate in an environment subject to disruptions. These disruptions could be caused by a natural phenomenon, human error or willful act. Based upon performance criteria, an infrastructure system can be designed to minimize possible service degradation following a disruption. In addition, once a disruption occurs, alternative ways of restoring service can be determined. Included in the model are flow conservation constraints that (i) for supply nodes ensure that total flow out of the node is no greater than the available supply, (ii) for demand nodes ensure that demand is met, and (iii) for transshipment nodes ensure that flow into the node equals flow out of the node. The structural requirements are modeled by constraints on the capacities of arcs and transshipment nodes.
Network flow models can also be characterized as single-commodity or multicommodity systems. Infrastructures such as water, power, gas, and sewer would be single-commodity systems, where material moves from one or more supply points, through a set of arcs and nodes, subject to constraints on capacity, and reaches one or more demand points in an optimal fashion. However, systems like transportation and telecommunications have additional requirements. In these cases, commodities moving across the system have specific origin and destination requirements. For example, passengers arriving at a subway station may each have unique destinations and the needs of each passenger must be met. However, these multiple commodities are not moving independently of each other. Associated with each origin–destination (O–D) pair is a market, the amount of a commodity which must flow between that O–D pair. Between each O–D pair is a set of possible paths. Each path is comprised of a subset of the arcs. The flows across all the paths for a particular O–D pair must equal the market. If the flow is less than the market, then there is an unmet demand for service. The flow on an arc is determined by summing the flows on all paths which contain the arc and is constrained by the arc’s capacity. One common formulation of a network flow model is the minimization of the cost of service delivery (the minimum cost incurred to move the material across the arcs) while minimizing the unmet demands for service.
Following a disruption, the flow into demand nodes may be insufficient. This unmet demand is commonly referred to as slack. At points of interdependency, this unmet demand occurs at the parent node. In the case of a pump and motor combination, the motor would be the parent node and the pump would be the child node (the node in the dependent system which is relying on the parent node in order to be able to deliver service).
All demand nodes in every system would be provided a weighting factor, indicating their relative importance. These weights could be decided on well in advance of a disruptive event and would let system and emergency managers decide the relative importance of various demands for service. These weights would tend to push service toward those with higher importance. The weights would also guide restoration (discussed later in this article) by focusing priority on these high importance nodes. How managers would decide on the importance of one facility or area over another, considering social factors and critical service needs, is a topic for future study and is not included in this article.
3.2 Types of Interdependence
Rinaldi et al. [9] formalized the definitions of interdependence within this ongoing discussion of critical infrastructure and defined four classes of interdependency. Due to the number of different types of dependencies and interdependencies, these authors classified the entire family of interrelationships among systems as interdependencies, an approach retained in this article. This research identified five types of interrelationships between infrastructure systems—input, mutual, shared, exclusive-or, and co-located. A discussion of these is provided below. The mathematical details of each can be found in [3] and [4].
3.3 Input
An infrastructure is input interdependent when it requires as input one or more services from another infrastructure in order to provide some other service. In the case of a telephone switching station, the switching station itself is a transshipment node within the telecommunications network. However, this same switching station, from the perspective of the electrical network, is seen as a demand node since it needs an adequate source of electricity to operate. If insufficient power is available for the switching center, then it will be unable to operate and this change of capacity will affect the telecommunications system. The effect on any set of systems can be analyzed in a similar manner.
The existence of slack at a parent node of interdependent systems acts as a control switch for a connector variable. This binary connector variable works to turn the child node on or off, altering its capacity, depending on the conditions at the parent. When a parent node has unmet demand, the corresponding capacity of its child node in the dependent system is reduced. (Note that some interdependent infrastructure system failures may result in reducing the system’s capacity to some value other than zero. For example, loss of supervisory control systems in a subway system may result in operators exercising greater care and slowing trains. So the post-disruption capacity may be lower than normal.)
3.4 Mutual
A collection of infrastructures is said to be mutually interdependent if at least one of the activities of one infrastructure system is dependent upon any other infrastructure system and at least one of the activities of this other infrastructure system is dependent upon the first infrastructure system. Consider a natural gas system compressor and a gas-fired electric power generator. From the perspective of the natural gas system, the compressor is a transshipment node and the generator is a demand node. From the perspective of the electrical network, the generator is a supply node and the compressor is a demand node. The generator needs gas to produce electricity; the compressor needs electric power to deliver gas through the system to the generator. If the compressor were to fail, supply of gas to the generator would be inadequate. If the capacity of the generator is set to zero, all flows on the arcs (i.e., the power lines) leaving the generator would be zero. Alternatively, a lack of power at the compressor’s demand node in the electrical generating network causes its capacity to be set to zero. To correct this situation, either an alternate source of gas must be found for the generator or an alternate source of power must be found for the compressor.
3.5 Shared
Shared interdependence occurs when some physical components and/or activities of the infrastructure used in providing the services are shared. Phone lines are an example of shared interdependence. Each phone line carries two types of calls, incoming and outgoing. Therefore, if a cable section contains 50 lines, they could carry 50 incoming calls or 50 outgoing calls or some combination totaling 50. This type of interdependence is common in modeling of multicommodity systems. It is modeled mathematically by limiting the sum of the flows of the various commodities across the component to not exceed the total capacity.
3.6 Exclusive-Or
Exclusive-or interdependence occurs when multiple services share infrastructure component(s), but the component can only be used by one service at a time. In the first few days following the World Trade Center (WTC) attacks, streets (i.e., shared components) could not be used by both the emergency response personnel and financial district workers. This conflict had to be resolved prior to reopening the New York Stock Exchange [32]. Exclusive-or interdependencies are modeled by selecting additional constraints to restrict flow to one commodity or the other.
3.7 Co-Located
The co-located interdependency occurs when any of the physical components or activities of the civil infrastructure systems are situated within a prescribed geographical region. It was previously noted that managers of individual infrastructure systems would identify the components of their respective system at or near the site of the incident that may have been affected by the event. Based on further investigation, the status of these components will be adjusted. However, since only those emergency response agencies who are responsible for coordinating activities across multiple agencies maintain the complete view of all civil infrastructure systems, it is ultimately their responsibility to ensure that all co-located interdependencies have been considered and the models of the affected infrastructures revised as appropriate.
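
The slack and connector mechanism of Sections 3.1 and 3.3 can be exercised on a small constructed case: a damaged power arc leaves a switching center with unmet demand, which switches off the same center in the telecommunications layer. This Python code is an added example, not the authors' ILN formulation or MUNICIPAL code. It assumes a per-layer maximum-flow solve repeated until capacities stop changing in place of the mixed-integer program, ignores arc costs and priority weights, and uses hypothetical node names, capacities and function names.

```python
from collections import defaultdict, deque

INF = float("inf")


def max_flow(cap, s, t):
    """Edmonds-Karp; mutates the residual capacities cap[u][v] in place."""
    total = 0
    while True:
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return total
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= push
            cap[v][u] = cap[v].get(u, 0) + push
        total += push


def unmet_demand(layer, node_cap):
    """Solve one layer; return {demand_node: slack} for the given node capacities."""
    cap = defaultdict(dict)
    nodes = set(layer["supply"]) | set(layer["demand"])
    for u, v, _ in layer["arcs"]:
        nodes |= {u, v}
    for n in nodes:  # node splitting enforces the capacity of each node
        cap[(n, "in")][(n, "out")] = node_cap.get(n, INF)
    for u, v, c in layer["arcs"]:
        cap[(u, "out")][(v, "in")] = c
    for n, supply in layer["supply"].items():
        cap["SRC"][(n, "in")] = supply
    for n, demand in layer["demand"].items():
        cap[(n, "out")]["SNK"] = demand
    max_flow(cap, "SRC", "SNK")
    # Residual capacity on a demand arc is demand minus delivered flow: the slack.
    return {n: cap[(n, "out")]["SNK"] for n in layer["demand"]}


def cascade(layers, links, normal_cap):
    """links: (parent_layer, parent_node, child_layer, child_node, degraded_cap).
    Slack at a parent node switches its child node to the degraded capacity."""
    cap = {name: dict(normal_cap.get(name, {})) for name in layers}
    while True:
        slack = {name: unmet_demand(layer, cap[name])
                 for name, layer in layers.items()}
        changed = False
        for p_layer, p_node, c_layer, c_node, degraded in links:
            if slack[p_layer][p_node] > 0 and cap[c_layer].get(c_node, INF) > degraded:
                cap[c_layer][c_node] = degraded
                changed = True
        if not changed:  # capacities only decrease, so this terminates
            return slack, cap


def build_scenario(feeder_ok=True):
    """Constructed two-layer case; all names and numbers are illustrative."""
    power = {
        "supply": {"sub_A": 100, "sub_B": 20},
        "demand": {"switch_1": 30, "switch_2": 20, "res_area": 70},
        "arcs": [("sub_A", "feeder_1", 100 if feeder_ok else 0),
                 ("feeder_1", "switch_1", 30),
                 ("feeder_1", "res_area", 70),
                 ("sub_B", "switch_2", 20)],
    }
    telecom = {
        "supply": {"office_X": 40},
        "demand": {"office_Y": 40},
        "arcs": [("office_X", "switch_1", 40), ("switch_1", "office_Y", 40),
                 ("office_X", "switch_2", 25), ("switch_2", "office_Y", 25)],
    }
    layers = {"power": power, "telecom": telecom}
    # Each switching center is a demand node in power and a
    # transshipment node in telecom (input interdependence).
    links = [("power", "switch_1", "telecom", "switch_1", 0),
             ("power", "switch_2", "telecom", "switch_2", 0)]
    normal_cap = {"telecom": {"switch_1": 40, "switch_2": 25}}
    return layers, links, normal_cap


if __name__ == "__main__":
    for ok in (True, False):
        slack, cap = cascade(*build_scenario(feeder_ok=ok))
        print("feeder intact" if ok else "feeder damaged", slack, cap["telecom"])
```

Setting the last element of a link to a nonzero value models the partial degradation the text mentions, such as a subway that keeps running at reduced capacity.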
4 THE COMPONENTS OF MUNICIPAL
4.1 The User Interface and Database
A GIS was selected as the user interface as this seemed to be the most natural method of displaying systems and determining affected areas. The interface allows the operator to update the conditions of the modeled systems’ components, to add temporary systems during restoration, and to display the areas affected by inabilities to meet demands. The database contains the component attributes such as name, capacity and priority, as well as spatial attributes such as location and length. These spatial characteristics are generated automatically by the GIS software, ESRI’s ArcGIS [33] in this case. The remaining attributes are added by the modeler. Changes to attributes, caused by disruption, can easily be made.
4.2 The Manhattan Dataset
In Manhattan, the goal was to develop highly detailed models in the area south of 60th Street of the power, telecommunications and subway systems, three major infrastructure systems impacted by the September 11 attacks. While unable to obtain details on specific components and their locations, Consolidated Edison, Verizon, and the Metropolitan Transit Authority were very open in discussing the general construction and operation of their respective systems and have provided feedback during the model’s construction.
The subway system includes 115 stations and 338 local and express track sections. The phone system includes 18 switching centers and their associated service areas, 72 controlled environmental vaults where distribution cables are joined into larger feeder cables and all the associated wiring. Below Canal St, approximately 500 blocks of phone service were modeled in detail. The power system as modeled includes 16 substations and 32 service areas. Each substation distributes power along 8–24 feeders to 18 phone switching centers, 178 AC/DC rectifiers for the subways, and service to all residences and businesses in the area.
5 USING MUNICIPAL DURING SYSTEM DISRUPTIONS
When an event occurs which disrupts any of the infrastructure systems included in MUNICIPAL, the operators would first use the GIS interface to identify components in and around the area of the disruption that may have been affected. Crews could then be dispatched to determine the actual condition of these possibly affected components. Outage reports from customers could also be entered in a separate database and linked to the GIS. On-scene reports would ascertain the actual condition of these components and the GIS would be used to update the component database. The operator would update the capacity of links and nodes based upon these reports.
With the direct impact of the disruption entered, MUNICIPAL can be run to determine where demands for service are not being met. In the case of the Manhattan data set, these unmet demands could include the number and location of electric power outages, number of telephone system calls that cannot be completed, and the number of subway system passengers who cannot reach their destinations. These outages would be due to failures of components in a system as well as outages caused by failure between interdependent systems.
With the full extent of the disruption modeled, the operators can use MUNICIPAL to begin restoration planning. Priorities can be set for each customer outage and plans can be developed in a collaborative environment. A complete example of the use of MUNICIPAL for a disruption is found in [3] and [4]. When a restoration plan is decided upon, MUNICIPAL can then develop work schedules based upon available resources, cost, and priorities.
6 USING MUNICIPAL FOR VULNERABILITY ANALYSIS
System managers are limited in their ability to evaluate the resilience of the systems they control because they cannot take into account the interdependencies of their systems with other infrastructures. In Lee et al. [34] and in [3], a procedure was introduced to evaluate the vulnerability of current or proposed designs of infrastructures that considers their interdependence with other systems. This procedure allows a system engineer to evaluate existing paths which are considered to provide redundancy, for example, two existing paths in a telecommunications network between two important government or corporate offices. Since these two paths do not share any telecommunications components, they would appear to be redundant. However, using MUNICIPAL and its interconnected system model, the system engineer can conduct a backward trace into each system that telecommunications relies on. If these backward traces find single components in other systems whose failure causes both telecommunications paths to fail, then no redundancy has been provided. Examples could include single points in a power system that could lead to failure of redundant paths in telecommunications or single components in a gas system that provide fuel to both the normal and backup generators for a facility or region.
MUNICIPAL can also aid in designing redundant paths. By conducting its backward trace along any path considered vital into all systems the path relies on, MUNICIPAL can be used to determine if a new, redundant path can be provided, utilizing the components not used by the current path and new connections or components, when appropriate.
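
The backward trace described above can be made concrete on a constructed dependency table in which two telecommunications paths share no telecommunications component but both trace back to the same gas regulator. This Python code is an added example, not the procedure of [34] or MUNICIPAL's code. The component names, the table and the rule that a component stays in service while at least one alternative in each of its dependency groups is in service are assumptions.

```python
def backward_trace(path, needs):
    """Every component the path relies on, directly or through other systems."""
    seen, stack = set(), list(path)
    while stack:
        for group in needs.get(stack.pop(), []):
            for parent in group:
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
    return seen


def all_components(needs, *paths):
    """Union of every component named in the table or on a path."""
    comps = set(needs)
    for groups in needs.values():
        for group in groups:
            comps.update(group)
    for path in paths:
        comps.update(path)
    return comps


def in_service(failed, needs, components):
    """Components still working once `failed` is removed and losses propagate."""
    up = set(components) - set(failed)
    changed = True
    while changed:
        changed = False
        for comp in sorted(up):
            # A component drops out when any one of its dependency groups
            # has no alternative left in service.
            if any(not (set(group) & up) for group in needs.get(comp, [])):
                up.discard(comp)
                changed = True
    return up


def common_mode_failures(path_a, path_b, needs):
    """Single components outside both paths whose loss takes down both paths."""
    components = all_components(needs, path_a, path_b)
    # Only a component found by both backward traces can affect both paths.
    shared = backward_trace(path_a, needs) & backward_trace(path_b, needs)
    hits = []
    for comp in sorted(shared - set(path_a) - set(path_b)):
        up = in_service({comp}, needs, components)
        if not set(path_a) <= up and not set(path_b) <= up:
            hits.append(comp)
    return hits


# Constructed table: component -> list of dependency groups. Each group lists
# alternatives; at least one alternative per group must be in service.
NEEDS = {
    "switch_1": [["feeder_11"]],
    "switch_2": [["feeder_21", "genset_2"]],   # utility feed OR backup generator
    "feeder_11": [["substation_A"]],
    "feeder_21": [["substation_A"]],
    "substation_A": [["gas_turbine_P"]],       # gas-fired generation
    "gas_turbine_P": [["gas_regulator_G"]],
    "genset_2": [["gas_regulator_G"]],         # backup fueled from the same main
}
PATH_A = ["switch_1", "vault_1"]
PATH_B = ["switch_2", "vault_2"]

# Variant designs used for comparison (also constructed).
NEEDS_NO_BACKUP = dict(NEEDS, switch_2=[["feeder_21"]])
NEEDS_DIESEL = dict(NEEDS, genset_2=[["diesel_tank_2"]])

if __name__ == "__main__":
    for label, table in (("as built", NEEDS),
                         ("no backup generator", NEEDS_NO_BACKUP),
                         ("diesel-fueled backup", NEEDS_DIESEL)):
        print(label, common_mode_failures(PATH_A, PATH_B, table))
```

The substation appears in both backward traces yet is not reported in the as-built case, because the backup generator covers its loss; the trace alone overstates exposure unless alternatives are taken into account.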
7 CONCLUSIONS
This article has provided an overview of the ILN and MUNICIPAL and the capabilities of each. Our research continues and includes alternative formulations and solvers, extension of the study from the civil infrastructure systems to service systems such as supply chains and public safety. There is also an intent to improve the method by which priorities are established during system restoration, based upon methods found in the social sciences and economic impacts. Future research will also include the improvement of the decision support system and user interfaces.
ACKNOWLEDGMENT

The authors wish to acknowledge the valuable assistance of the Manhattan offices of Consolidated Edison and Verizon, as well as the New York City Office of Emergency Management and the New York State Emergency Management Office. This study was supported by the National Science Foundation under Grant CMS 0139306, Impact of the World Trade Center Attack on Critical Infrastructure Interdependencies; Grant DMII 0228402, Disruptions in Interdependent Infrastructures: A Network Flows Approach; and Grant CMS 0301661, Decision Technologies for Managing Critical Infrastructure Interdependencies.
SOCIAL AND BEHAVIORAL RESEARCH
SOCIAL AND PSYCHOLOGICAL ASPECTS OF TERRORISM

Fathali M. Moghaddam and Naomi Lee
Georgetown University, Washington, D.C.

1 INTRODUCTION

Claims that “one person’s terrorist is another person’s freedom fighter” have made it notoriously difficult to define terrorism [1]. From a social psychological perspective, terrorism can be defined as politically motivated violence, perpetrated by individuals, groups, or state-sponsored agents, intended to bring about feelings of terror and helplessness in a population in order to influence decision making and to change behavior [Reference 2, p. 161]. Social and psychological processes are at the heart of terrorism, because it is through bringing about particular feelings and perceptions (terror and helplessness) that terrorists attempt to change actual behavior of victim individuals and societies.
2 SOCIAL ROOTS OF TERRORISM

In order to explain why people commit terrorist acts, a variety of socio-psychological explanations have been put forward [3, 4]. These include irrationalist explanations influenced by Freud, as well as rationalist, materialist explanations. An overlooked factor is functionality: terrorism is adopted as a tactic because it sometimes works effectively. For example, it is generally agreed that the March 11, 2004, terrorist attacks in Madrid, resulting in close to 200 deaths and over 1000 serious injuries, led to the ruling party in Spain being voted out of power because of their close alliance with the Iraq policies of the Bush administration. Of course, this kind of political impact tends to be short term and limited in scope.

In this discussion, our focus is on terrorism carried out by fanatical Muslims, particularly violent Salafists, because at the dawn of the twenty-first century this type of terrorism poses the greatest threat at the global level, as reflected by the focus of research [5–12]. On the other hand, other types of terrorism, such as by members of Euskadi ta Askatasuna, Basque Homeland and Freedom (ETA) in Spain or the Tamil Tigers in Sri Lanka, have not ended, but tend to be confined to particular regions and separatist causes, and are a less serious threat globally.

We outline the social and psychological aspects of terrorism in two main parts. First, we examine the roots of terrorism; second, we explore the consequences of terrorism.

In order to better understand the roots of terrorism, it is useful to adopt a staircase metaphor [3]: imagine a narrowing staircase winding up a multistory building. Everyone begins on the ground floor, and it may be that people are sufficiently satisfied with conditions to remain on the ground floor. However, under certain conditions, people will feel they are being treated unjustly and some individuals will start climbing up the staircase, searching for ways to change the social–economic–political situation. The climb up the staircase to terrorism involves radicalization. The challenge is to transform the conditions, to facilitate deradicalization, so that people are not motivated to climb up, and those who have climbed up become motivated to climb back down.

The weight of evidence suggests that contextual rather than dispositional factors best explain movement up and down the staircase to terrorism (e.g., see [13–15]). Terrorism is not explained by psychopathology, illiteracy, or poverty [3, 16, 17]. Under certain conditions, individuals with “normal” psychological profiles will do harm to others [18]. The staircase metaphor helps to highlight the role of context, as well as the psychological processes that characterize thought and action on each floor of the staircase to terrorism.

2.1 Radicalization: Moving Up the Staircase

Radicalization typically involves a step-by-step process, well documented in almost a century of research on conformity and obedience (see Reference 19, Articles 15 and 16).
As individuals move up the staircase, step-by-step, they gradually adopt those attitudes, beliefs and morality that condone terrorism, and some of them eventually become recruited to carry out terrorist attacks. This process begins with the radicalization of entire communities on the ground floor.

Ground floor. The ground floor is occupied by about 1.2 billion Muslims. Psychological processes central to thought and action on this floor are relative deprivation and identity. In the Near and Middle East, as well as in North Africa—including other important Islamic countries such as Egypt, Saudi Arabia, and Pakistan—Muslims are ruled by governments that cannot be voted out by popular will, yet they are supported by Western powers (e.g. United States). This support comes in the form of political and military interventions (as in the case of Kuwait and Saudi Arabia) and economic aid (as in the case of Egypt and Pakistan). Oil producing countries have suffered from an “oil paradox” [Reference 3, pp. 74–76]: instead of improving the lives of the masses, oil revenue has allowed despotic ruling groups, such as the Saudis, to pay for a stronger security apparatus and to win the support of Western powers through enormous arms purchases and promises of reliable, cheaper oil supplies.

Two factors have helped to raise expectations and to create fraternal (collective) relative deprivation among the populations on the ground floor. First, the global mass media has presented the impoverished Islamic masses with images of an opulent life that is available to people in some countries. Secondly, Western politicians have promised democratization and reform. Consequently, the expectation has been raised among the Islamic masses for greater choice and greater participation.

In practice, most people in the Near and Middle East lack choices both in economic and political spheres. In the economic arena, wealth disparities are enormous and the standards of educational and social services have remained poor. In the political sphere, little actual progress has been made toward giving people a voice in government, although there has been considerable publicity about “democratic changes” in places such as Egypt and Saudi Arabia.

Globalization has also helped to create an identity crisis in Islamic communities [3]. In the midst of social–economic–technological global changes, one set of extremists in Islamic societies are urging the abandonment of traditional life-styles and the copying of the West; other extremists push for a return to “pure Islam” as it was (supposedly) practiced in its original form 1400 years ago. The “become copies of the West” strategy has led to the “good copy problem” [3] because following this option means Muslims will lack an authentic identity, and at best can only become “good copies” of a Western ideal. The “return to pure Islam” option is also associated with enormous problems because it is being used by fundamentalists to implement regressive interpretations of Islam.

An alternative, secular “middle ground” needs to be constructed, but for this to happen the governments of Islamic societies must allow greater political freedom. At present, procedures to allow people to participate in decision making about the cultural, social, economic, and political future of their societies are still not in place. Social psychological research suggests that procedural justice is vitally important, and influences how fair people believe a system is, independent of the actual outcome of decision making.

First floor. Individuals climb to the first floor particularly motivated to achieve individual mobility, and central to their experiences is procedural justice. The importance of openness and circulation has been emphasized by thinkers from Plato to modern theorists: closed systems lead to corruption, a sense of injustice, and eventual collapse [2]. Individuals who feel that paths for progress are not available now move further up the staircase.

Second floor. Those who arrive on the second floor are experiencing tremendous frustration because the paths to change and improvement seem blocked to them. They become vulnerable to the influence of radical preachers as well as government propaganda, displacing aggression onto Westerners, the United States and Israel in particular, as the “cause of all problems”. Research demonstrates that displacement of aggression is a powerful factor in redirecting frustrations onto external targets [20].

Third floor. Individuals who climb to the third floor already perceive their own societies to be unjust, and perceive external targets (particularly the United States) as the root cause of injustice. On the third floor, these individuals gradually “disengage” from moderate policies and morality, and engage with a morality supportive of terrorism, often seeing terrorist tactics as the only weapon at the disposal of Muslims fighting for justice.

Fourth floor. Recruitment takes place on the fourth floor, where individuals become integrated into the culture of small, secretive terrorist cells. The new recruits are trained to view the world in a rigidly categorical, us versus them, good versus evil manner, and to see the terrorist organization as legitimate. Unfortunately, the categorical thinking of extremist Islamic groups tends to mirror, and be reinforced by, the categorical “us versus them” thinking of extremists in the West.
Fifth floor. In the animal kingdom, intraspecies aggression is limited by inhibitory mechanisms brought on by one animal’s display of submission to another. Inhibitory mechanisms prevent serious injury and death. In order to carry out terrorist acts, often resulting in multiple deaths and injuries, individuals must learn to sidestep the inhibitory mechanisms that function to prevent human aggression under normal circumstances. This “learning” takes place on the fifth floor, and in part involves further distancing and dehumanizing of targets. Having to live in isolation, separated from the rest of society by secrecy and fear, results in even tighter bonds within terrorist cells.

2.2 Deradicalization: Moving Down the Staircase

Using the staircase metaphor, as well as insights from earlier research on deradicalization [16, 21, 22], we arrive at important general guidelines for deradicalization programs. First, research suggests that for any given individual, the path to deradicalization is not necessarily the opposite of the path that person took to radicalization; the path down is not always the same as the path up. Secondly, deradicalization programs need to be designed for each set of individuals depending on the floor they have reached on the staircase to terrorism. For example, individuals on the top floor are ready to carry out terrorist attacks, and deradicalization can be most effective after the terrorist has been captured. However, individuals who reach the third floor are in the process of adopting terrorist morality, and they can be influenced by deradicalization programs without necessarily first being captured. Thirdly, resources should be focused particularly on the ground floor, where the vast majority of people reside.

International surveys reveal that the populations of many important Islamic societies have become radicalized on the ground floor [23]. This is associated with a rise in conspiratorial thinking. For example, in 2006 the percentages of people who believed that Arabs did not carry out the 9/11 attacks were: Indonesia 65%, Egypt 59%, Jordan 53%, and Pakistan 41%. In the traditionally “pro-Western” society of Turkey, the percentage of Muslims who expressed disbelief that Arabs carried out the 9/11 attacks went up from 43% in 2002 to 59% in 2006. In Egypt 28% and in Jordan 29% of Muslims believe that violence against civilian targets in order to defend Islam is sometimes justified [23]. These findings reflect a broad radicalization process associated with some support for terrorism and generally higher anti-Western sentiment.
3 SOCIAL PSYCHOLOGICAL CONSEQUENCES OF TERRORISM

Research attention to the effects of terrorism on civil society and psychological well-being was ignited after the attacks of September 11, 2001. This research can be organized into three general topics: political attitudes, prejudice, and mental health.

3.1 Political Attitudes

Terrorism is associated with demonstrable changes in political attitudes, as both experimental studies and surveys have shown. Research linking terrorist attacks to support for more authoritarian political policies and abdication of civil liberties is discussed.
Authoritarianism is a personality trait popularized by Adorno [24] and subsequently refined by Altemeyer [25] as consisting of submissiveness to authority, aggressiveness toward outgroups, and conventionalism. This personality trait appears to both predict people’s responses to aggression and increase in response to aggression. In a quasi-experimental study of the effects of Islamic terrorist attacks in Madrid (March 11, 2004), right-wing authoritarianism and conservatism were measured in Spanish citizens both before and after the attacks [26]. Right-wing authoritarianism increased, and Spanish citizens reported a stronger attachment to traditional conservative values. Since the study was quasi-experimental, a causal link between the attacks and changes in political beliefs could not be established.

In a controlled laboratory experiment [27], the presence of a terrorist threat was manipulated. Results showed that the more authoritarian participants were prior to the threat, the less they supported democratic values and the more they supported military aggression. It was concluded that threats increase the activation of an authoritarian response.

Repeated attacks (whether terrorist or military) appear to elicit support for escalating retaliatory actions among young, voting-age US citizens in controlled experiments [28]. Retaliatory responses were stronger when the attacks were perpetrated by terrorists rather than a militia. The signing of a peace treaty prior to attacks led males to retaliate more than females, supporting the thesis that men act with vengeance after a transgression while women pursue conciliation. In all permutations of their experiment (terrorist vs. military attack, peace treaty vs. no peace treaty, democratic vs. nondemocratic adversary), repeated attacks corresponded with responses that eventually matched or surpassed the conflict level of the initial attack. These studies have important implications for policies designed to contain conflicts.
The issue of civil liberties in the context of the US “War on Terror” has received extensive media coverage. The scholarly literature on this topic, however, is limited to correlational analyses based on public polling. Although these analyses do not permit causal inferences, they are highly informative. In a review of all the major political polls conducted pre- and post-September 11th, 2001, US respondents expressed increased willingness to abdicate civil liberties, increased confidence in the government’s ability to protect the United States from terrorist threats, and increased support for the use of ground troops in combating terrorism [29]. In the months following the attacks, however, perceived threat declined, as did support for surveillance of Americans’ communications and respondents’ confidence in the US government’s ability to prevent future attacks.

3.2 Prejudice and Social Cohesion

Well-established social psychological research on intergroup relations demonstrates that people placed into groups will discriminate against outgroup members and favor ingroup members [30]. When placed into groups, people also exaggerate the homogeneity of their ingroup and its distinctiveness from outgroups. These effects are even present when groups are formed on the basis of such trivial dimensions as one’s estimation of how many dots appear on a piece of paper. These well-established research findings provide a backdrop to reports of rising anti-Arab and anti-Muslim prejudice in the United States since September 11th, 2001.
Nearly all studies of prejudice in the United States concern White prejudice toward Blacks. This focus warrants broadening, particularly in the light of evidence suggesting that prejudice is directed more toward Arabs than Blacks [31]. Both immediately after 9/11 and one year later, American college students reported higher levels of prejudice toward Arabs than Blacks. Those students with higher levels of media exposure displayed higher levels of overall minority prejudice, whether toward Arabs or Blacks. Anti-Arab prejudice was also higher among those who more strongly endorsed social hierarchies, more strongly identified as “American”, and believed future terrorist attacks are likely [32].

Terrorism is also linked to increased social cohesion, as international research demonstrates. Akhahenda [33] documented how the terrorist bombing in Kenya (August 1998) helped Kenyans forge a new national identity that united previously fractured social identities. A negative aspect of increased social cohesion, however, is decreased intergroup contact. Persistent violence between Catholics and Protestants in Northern Ireland over the past 30 years has led to segregation in the areas of education, residence, and personal life. This segregation limits contact between Catholic and Protestant communities and arguably plays a major role in maintaining intergroup conflict [34].

3.3 Mental Health

Mental health has been the most intensively researched aspect of terrorism’s psychological consequences, with posttraumatic stress disorder (PTSD) comprising the majority of studies. The most common psychological effects of a traumatic event such as a terrorist attack are acute stress disorder (in the short term) and PTSD (in the longer term), with depression, anxiety disorders, and substance abuse as the next most frequent effects [35].

Which factors determine who will suffer psychologically after a terrorist attack? This matter has been disputed. Silver et al. [36] conducted a nationally representative longitudinal study of US residents’ psychological response to the attacks of September 11th, 2001. They found that proximity or degree of exposure was not a necessary precondition for high levels of acute and posttraumatic stress symptoms at 2 weeks and 12 months post-9/11. These results indicate the need to study the effects of indirect exposure to terrorism. In contrast, Schlenger’s [37] review of the major studies of psychological distress post-9/11 concluded that PTSD following the attack was concentrated in the New York City metropolitan area. Furthermore, PTSD prevalence was strongly associated with direct connection to the attacks. Though many adults across the United States were distressed by the attacks, Schlenger [37] concludes that much of this distress resolved over time without professional treatment.

It is important to recognize that the vast majority of mental health literature follows a Euro-American academic tradition and adopts a Western medical perspective. It follows that important cross-cultural differences in response to terrorism may exist that are not captured by predominant methods. De Jong [38], for instance, has asserted that the predominant diagnostic criteria (DSM-IV and ICD-10) are not always appropriate for non-Western cultures.

Research on the effects of terrorism is limited but growing. The more expansive literature on traumatic events such as war and natural disasters can complement and further enrich our understanding of terrorism’s social psychological consequences.
REFERENCES

1. Cooper, H. H. A. (2001). The problem of definition revisited. Am. Behav. Sci. 44, 881–893.
2. Moghaddam, F. M. (2005a). The staircase to terrorism: A psychological exploration. Am. Psychol. 60, 161–169.
3. Moghaddam, F. M. (2006). From the Terrorists’ Point of View: What They Experience and Why They Come to Destroy, Praeger International Security, Westport, CT.
4. Pyszczynski, T., Solomon, S., and Greenberg, J. (2003). In the Wake of 9/11: The Psychology of Terror, American Psychological Association, Washington, DC.
5. Booth, K., and Dunne, T., Eds. (2002). Worlds in Collision: Terror and the Future Global Order. Palgrave Macmillan, New York.
6. Davis, J. (2003). Martyrs: Innocence, Vengeance, and Despair in the Middle East, Palgrave Macmillan, New York.
7. Kegley, C. W. Jr., Ed. The New Global Terrorism: Characteristics, Causes, Controls. Prentice Hall, Upper Saddle River, NJ.
8. Khosrokhavar, F. (2005). Suicide Bombers: Allah’s New Martyrs (Translator Macey, D., Ed.). Pluto Press, London.
9. Pape, R. A. (2005). Dying to Win: The Strategic Logic of Suicide Bombing, Random House, New York.
10. Pedahzur, A. (2005). Suicide Terrorism, Polity Press, London.
11. Sageman, M. (2004). Understanding Terror Networks, University of Pennsylvania Press, Pennsylvania, PA.
12. Silke, A., Ed. (2003). Terrorism, Victims, and Society: Psychological Perspectives on Terrorism and its Consequences. Wiley, Hoboken, NJ.
13. Atran, S. (2003). Genesis of suicide terrorism. Science 299, 1534–1539.
14. Bongar, B., Brown, L. M., Beutler, L. E., Breckenridge, J. N., and Zimbardo, P., Eds. (2006). Psychology of Terrorism. Oxford University Press, New York.
15. Stout, C. E., Ed. (2002). The Psychology of Terrorism, Vol. 4, Praeger Publishers, Westport, CT.
16. Horgan, J., and Taylor, M. (2003). The Psychology of Terrorism, Frank Cass & Co., London.
17. Ruby, C. L. (2002). Are terrorists mentally deranged? Anal. Soc. Issues Public Policy 2, 15–26.
18. Zimbardo, P. (2007). The Lucifer Effect: Understanding How Good People Turn Evil, Random House, Inc., New York.
19. Moghaddam, F. M. (2005b). Great Ideas in Psychology: A Cultural and Historical Introduction, Oneworld, Oxford.
20. Miller, N., Pedersen, W. C., Earleywine, M., and Pollock, V. E. (2003). A theoretical model of triggered displaced aggression. Pers. Soc. Psychol. Rev. 7, 75–97.
21. Bernard, C., Ed. (2005). A Future for the Young: Options for Helping Middle Eastern Youth Escape the Trap of Radicalization. Rand Corporation, Santa Monica, CA.
22. Crenshaw, M. (1991). How terrorism declines. Terrorism Polit. Violence 3, 69–87.
23. Pew Research Center. (2006). Conflicting views in a divided world. Retrieved at http://pewglobal.org/.
24. Adorno, T. W., Frenkel-Brunswik, E., Levinson, D. J., and Sanford, R. N. (1952/1982). The Authoritarian Personality, W.W. Norton & Company, Inc., New York.
25. Altemeyer, B. (1996). The Authoritarian Spectre, Harvard University Press, Cambridge, MA.
26. Echebarria-Echabe, A., and Fernández-Guede, E. (2006). Effects of terrorism on attitudes and ideological orientation. Eur. J. Soc. Psychol. 26, 259–265.
27. Hastings, B. M., and Schaffer, B. A. (2005). Authoritarianism and sociopolitical attitudes in response to threats of terror. Psychol. Rep. 92, 623–630.
28. Bourne, L. E., Healy, A. F., and Beer, F. A. (2003). Military conflict and terrorism: General psychology informs international relations. Rev. Gen. Psychol. 7, 189–202.
29. Huddy, K., Khatib, N., and Capelos, T. (2002). Reactions to the terrorist attacks of September 11, 2001. Public Opin. Q. 66, 418–450.
30. Taylor, D. M., and Moghaddam, F. M. (1994). Theories of Intergroup Relations: International Social Psychological Perspectives, 2nd ed., Praeger Publishers, Westport, CT.
31. Persson, A. V., Musher, E., and Dara, R. (2006). College students’ attitudes toward blacks and Arabs following a terrorist attack as a function of varying levels of media exposure. J. Appl. Soc. Psychol. 35, 1879–1893.
32. Oswald, D. L. (2006). Understanding anti-Arab reactions post 9/11: The role of threats, social categories, and personal ideologies. J. Appl. Soc. Psychol. 35, 1775–1799.
33. Akhahenda, E. F. (2002). When Blood and Tears United a Country: The Bombing of the American Embassy in Kenya, University Press of America, Lanham, MD.
34. Campbell, A., Cairns, E., and Mallet, J. (2005). Northern Ireland: the psychological impact of “the Troubles”. In The Trauma of Terrorism: Sharing Knowledge and Shared Care. An International Handbook, Y. Danieli, D. Brom, and J. Sills, Eds. Haworth Press, New York, NY, pp. 175–184.
35. Danieli, Y., Engdahl, B., and Schlenger, W. E. (2004). The psychosocial aftermath of terrorism. In Understanding Terrorism: Psychosocial Roots, Consequences, and Interventions, F. M. Moghaddam, and A. J. Marsella, Eds. American Psychological Association, Washington, DC, pp. 223–246.
36. Silver, R. C., Poulin, M., Holeman, E. A., McIntosh, D. N., Gil-Rivas, V., and Pizarro, J. (2004). Exploring the myths of coping with a national trauma: A longitudinal study of responses to the September 11th Terrorist Attacks. J. Aggress. Maltreat. Trauma 9, 129–141.
37. Schlenger, W. E. (2004). Psychological impact of the September 11, 2001 terrorist attacks: Summary of empirical findings in adults. J. Aggress. Maltreat. Trauma 9, 97–108.
38. De Jong, J. T. V. M. (2002). Public mental health, traumatic stress and human rights violations in low-income countries. In Trauma, War, and Violence: Public Mental Health in Socio-Cultural Context, J. T. V. M. De Jong, Ed. New York, Kluwer Academic/Plenum Publishers, pp. 1–92.
FURTHER READING

Alexander, Y. (2002). Combating Terrorism: Strategies of Ten Countries, University of Michigan Press, Ann Arbor, MI.
Bloom, M. (2005). Dying to Kill: The Allure of Suicide Terror, Columbia University Press, New York.
Crenshaw, M., Ed. (1995). Terrorism in Context. Pennsylvania University Press, University Park.
Horgan, J. (2005). The Psychology of Terrorism, Routledge (UK), London.
Hunter, S. T., and Malik, H., Eds. (2005). Modernization, Democracy, and Islam. Praeger Publishers, Westport, CT.
McDermott, T. (2005). Perfect Soldiers: The Hijackers-Who They Were, Why They Did It, Harper Collins Publishers, New York.
Moghaddam, F. M. and Marsella, A. J., Eds. (2004). Understanding Terrorism: Psychosocial Roots, Consequences, and Interventions. American Psychological Association, Washington, DC.
HUMAN SENSATION AND PERCEPTION

Robert W. Proctor
Department of Psychological Sciences, Purdue University, West Lafayette, Indiana

Kim-Phuong L. Vu
Department of Psychology, California State University, Long Beach, California
1 INTRODUCTION

Sträter begins his book Cognition and Safety with the statement “Human society has become an information processing society” [1, p. 3]. This statement is as true for homeland security tasks as for any other tasks that require people to interact with machines and other people in complex systems. Homeland security involves people interacting with information technology, and use of this technology to communicate effectively is an important aspect of security [2]. For communication to be effective, human–machine interactions must conform to users’ perceptual, cognitive, and motoric capabilities. In particular, because all information that a person processes enters by way of the senses, sensory and perceptual processes are going to be critical factors. These processes are relevant to detecting a weapon in luggage during screening, identifying vulnerable targets for which risk is high, and communicating warnings to individuals. Given the masses of data extracted from intelligence gathering activities of various types, these data need to be integrated and displayed to appropriate security personnel in an easy-to-perceive form at the proper time. These and other aspects of homeland security systems require an understanding of fundamental concepts of sensation and perception.
2 BACKGROUND Much is known about the methods for studying perception, the structure and function of the sensory systems, and specific aspects of perception such as the role of attention [3]. Understanding how people sense, perceive, and act on the information they receive is essential for homeland security because many of the surveillance tasks involve monitoring, detecting, and reporting events. This article provides an overview of sensation and perception, with emphasis on topics that seem relevant to homeland security. Five sensory modalities are typically distinguished: vision, hearing, touch, smell, and taste—all of which are relevant to certain aspects of homeland security. For the sake of brevity, we cover vision and hearing in most detail, describing the other senses only briefly. The reader is referred to longer and more specialized review chapters [4], as well as to textbooks on sensation and perception [3]. All sensory systems have receptors that convert physical stimulus energy into electrochemical energy in the nervous system. The sensory information is coded in the activity of neurons and travels to the brain via structured pathways consisting of interconnected
CROSS-CUTTING THEMES AND TECHNOLOGIES
FIGURE 1 Illustration of the primary sensory receiving areas in the cerebral cortex. [Figure labels: frontal lobe, parietal lobe (skin senses), occipital lobe (visual cortex), temporal lobe (auditory cortex), central fissure, taste, olfaction, spinal cord.]
networks of neurons. For most senses, two or more pathways operate in parallel to analyze and convey different kinds of information from the sensory signal. The pathways project to primary receiving areas in the cerebral cortex (Fig. 1) and then to many other areas within the brain. The study of sensation and perception involves not only the anatomy and physiology of the sensory systems, but also behavioral measures of perception. Psychophysical data obtained from tasks in which observers detect, discriminate, rate, or recognize stimuli provide information about how the properties of the sensory systems relate to what is perceived. They also provide information about the functions of higher-level brain processes that interpret the sensory input through mental representation, decision-making, and inference. Thus, perceptual experiments provide evidence about how the sensory input is organized into a coherent percept on which actions are based.
3 METHODS FOR INVESTIGATING SENSATION AND PERCEPTION
Many methods for studying sensation and perception exist. We emphasize behavioral and psychophysiological methods because of their relevance to homeland security.
3.1 Threshold Methods and Scaling
Classical psychophysical methods for measuring detectability and discriminability of stimuli are based on the concept of a threshold, the minimum amount of stimulation necessary for an observer to detect a stimulus (absolute threshold) or distinguish a stimulus from another one (difference threshold). Examining how thresholds change in different settings can tell us much about perception and whether specific stimuli such as alarms
HUMAN SENSATION AND PERCEPTION
may be effective. Many techniques have been developed for measuring thresholds in basic and applied settings [5]. Classical psychophysics also provides methods for building scales of perceived magnitude [6]. Indirect methods construct scales from an observer’s accuracy at discriminating stimuli, whereas direct methods construct scales from an observer’s magnitude estimates. Scaling methods can be used to quantify perceptual experience on any dimension that varies in magnitude, such as perception of risk. They can be used as design tools in development of new methods for displaying information, for example, data sonifications (representations of data by sound; [7]).
3.2 Signal Detection Methods
An observer’s judgments, when stimuli are difficult to detect or discriminate, are influenced by the willingness to give one response or another. Signal detection methods allow measurement of this response criterion, or bias, separately from detectability or discriminability [8]. Situations for which signal detection is applicable involve a “signal” (e.g. a weapon in luggage) that an observer must discriminate from “noise” (e.g. other items in luggage). If the observer is to respond “yes” when a signal is present and “no” when it is not, the outcome can be classified as a hit (“yes” to signal), false alarm (“yes” to noise), miss (“no” to signal), or correct rejection (“no” to noise). Measures of detectability (how accurately a weapon can be discriminated from other items) can be calculated based on the difference between hit and false alarm rates, and measures of response bias (the tendency to open the luggage regardless of whether a weapon is present) on overall rate of responding “yes” versus “no”. For a given level of detectability, the possible combinations of hit and false-alarm rates vary as a function of the observer’s response criterion.
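The separation of detectability from response bias can be made concrete with a short calculation. The following Python sketch is an added example, not part of the original chapter: it assumes the standard equal-variance Gaussian model of detection theory (d' for detectability, c for the criterion) and a log-linear correction for extreme rates, neither of which the text specifies, and the screener counts are constructed for illustration.

```python
"""Signal detection measures for a yes/no screening task (added example)."""
from dataclasses import dataclass
from statistics import NormalDist

# Assumption: noise and signal are unit-variance Gaussians (equal-variance model).
_STD_NORMAL = NormalDist()


@dataclass(frozen=True)
class SDTMeasures:
    hit_rate: float
    false_alarm_rate: float
    d_prime: float    # detectability: distance between signal and noise means
    criterion: float  # bias c: below 0 is liberal ("yes"-prone), above 0 conservative


def measures_from_rates(hit_rate, false_alarm_rate):
    """Compute d' = z(H) - z(F) and c = -(z(H) + z(F)) / 2 from two rates."""
    for name, rate in (("hit_rate", hit_rate),
                       ("false_alarm_rate", false_alarm_rate)):
        if not 0.0 < rate < 1.0:
            raise ValueError(f"{name} must lie strictly between 0 and 1: {rate}")
    z_hit = _STD_NORMAL.inv_cdf(hit_rate)
    z_fa = _STD_NORMAL.inv_cdf(false_alarm_rate)
    return SDTMeasures(hit_rate, false_alarm_rate,
                       z_hit - z_fa, -(z_hit + z_fa) / 2)


def measures_from_counts(hits, misses, false_alarms, correct_rejections):
    """Compute the measures from the four outcome counts.

    A rate of exactly 0 or 1 has no finite z-score, so the log-linear
    correction (add 0.5 to each cell, 1 to each total) is applied to every
    table. This correction is an assumption of the example.
    """
    if min(hits, misses, false_alarms, correct_rejections) < 0:
        raise ValueError("counts must be non-negative")
    signal_trials = hits + misses
    noise_trials = false_alarms + correct_rejections
    if signal_trials == 0 or noise_trials == 0:
        raise ValueError("need at least one signal trial and one noise trial")
    hit_rate = (hits + 0.5) / (signal_trials + 1)
    fa_rate = (false_alarms + 0.5) / (noise_trials + 1)
    return measures_from_rates(hit_rate, fa_rate)


def predicted_rates(d_prime, criterion):
    """Hit and false-alarm rates the model predicts for a given d' and c."""
    hit = _STD_NORMAL.cdf(d_prime / 2 - criterion)
    false_alarm = _STD_NORMAL.cdf(-d_prime / 2 - criterion)
    return hit, false_alarm


# Constructed sample data: two screeners, each judging 200 bags that contain
# a threat item and 1000 bags that do not.
SCREENERS = {
    "liberal": dict(hits=179, misses=21,
                    false_alarms=401, correct_rejections=599),
    "conservative": dict(hits=120, misses=80,
                         false_alarms=106, correct_rejections=894),
}

if __name__ == "__main__":
    for name, counts in SCREENERS.items():
        m = measures_from_counts(**counts)
        print(f"{name:12s} H={m.hit_rate:.3f} F={m.false_alarm_rate:.3f} "
              f"d'={m.d_prime:.2f} c={m.criterion:+.2f}")
    # Sweep the criterion at fixed detectability: every (H, F) pair below
    # belongs to the same observer sensitivity.
    for c in (-1.0, -0.5, 0.0, 0.5, 1.0):
        h, f = predicted_rates(1.5, c)
        print(f"c={c:+.1f}  H={h:.3f}  F={f:.3f}")
```

Both constructed screeners come out with nearly the same d' but criteria of opposite sign, which is the pattern the text describes: the same detectability yields different hit and false-alarm rates depending on willingness to respond "yes".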
For example, immediately after a terrorist attempt, screeners may adopt a liberal criterion and open any luggage that they think might possibly contain a weapon, yielding a high hit rate coupled with a high false alarm rate. Detectability can be improved by providing better screening equipment and operator training, whereas a desired response bias can be induced by an appropriate reward system. Signal detection methods and theory provide powerful tools for investigating and conceptualizing performance of other security-related tasks such as maintaining vigilance [9].
3.3 Psychophysiological Methods and Brain Imaging
Methods for measuring physiological reactions to stimuli are useful in studying perception [10]. Measures of electrical brain activity, electroencephalograms, can be recorded from the scalp. Event-related potentials, which measure brain activity locked to an event such as stimulus onset, provide detailed information about the time course of brain activation. Functional neuroimaging techniques, which measure brain activity indirectly through blood flow, provide insight into the spatial organization of brain functions. These methods can be used to determine whether a particular behavioral phenomenon has its locus in processes associated with sensation and perception or with subsequent response-selection and execution. Their use for applied purposes is being explored in the areas of neuroergonomics [11] and augmented cognition [12], which have the goals of implementing
and adapting high-technology interfaces to facilitate communication of large amounts of information.
4 VISION
Vision is arguably the most vital sense for interacting with the world. It provides detailed information about objects in the surrounding environment, and their locations and movements. Complex information can be depicted in high fidelity displays that mimic the external environment, more abstract graphical formats that represent data or interactions among system components, and alphanumerically to convey verbal messages and numerical values.
4.1 Visual Sensory System
The stimulus for vision is light energy generated by, or reflected from, objects in the environment. Light travels in waves, with the wavelengths of the visual spectrum varying from 400 to 700 nm. Light enters the eye through the cornea and passes through the pupil and lens (Figure 2). The pupil adjusts between 8 and 2 mm diameter in dim and bright light, respectively, allowing a larger percentage of light to enter when it is scarce. The cornea and lens focus images on the photoreceptors, located on the retina at the back of the eye. The cornea provides a fixed focusing power, and the lens changes its shape through a process of accommodation to provide increased focusing power as the distance of a fixated object changes from far to near. The amount of rotation of the eyes inward, the vergence angle, also increases as the distance of a fixated object is reduced. Because accommodation and vergence require muscular activity, tasks that necessitate rapid and numerous changes in them will cause visual fatigue. The retina contains two types of photoreceptors, rods and cones, which have photopigments that begin a process of converting light into neural signals. Rods are responsible for night vision and do not support color perception. Cones are responsible for daylight vision and for perception of color and detail.
The image of a fixated object will fall on the fovea, a small retinal region containing only cones. The retina also contains another region, the blind spot, where the optic nerve leaves the eye and there are no photoreceptors. The nerve fibers leaving the eye form two pathways. One is devoted to rapid transmission of global information across the retina. It carries high temporal frequency information
FIGURE 2 Illustration of the primary structures of the eye, with an object’s image focused on the retina. (Adapted from E. B. Goldstein (2002). Sensation and Perception (6th ed.). Pacific Grove, CA: Wadsworth.) [Figure labels: cornea, iris, pupil, lens, retina, fovea, rods, cones, optic nerve, optic nerve fibers.]
needed for motion perception and detection of abrupt changes. The other is devoted to slower transmission of detailed features from the fovea and plays a role in color and pattern perception. The optic nerve projects into the lateral geniculate nucleus and then into the primary visual cortex, located at the back of the brain. More than 30 cortical areas subsequent to the primary visual cortex are involved in the processing of visual information [13]. Two different pathways play distinct roles in perception. The ventral pathway, which goes to a region in the temporal lobe, is involved in identifying objects. The dorsal pathway, which goes to a region in the parietal lobe, is involved in determining where objects are located. This dissociation of what and where processing affects performance as well; for example, navigational tasks that rely on “where” information are performed well under low lighting levels at which pattern recognition is impaired [14].
4.2 Visual Perception
Sensitivity to light increases for a period after entering the dark (see Figure 3). Several factors contribute to this dark-adaptation process: larger pupil size, photopigments returning to a light sensitive state, and shift from cones to rods. Because cones have a spectral sensitivity function that peaks at higher wavelengths than that for rods, short wavelength stimuli appear relatively brighter when dark adapted. Displays intended for use in the field need to be designed with the different sensitivities of day and night vision taken into account. Acuity is high in the fovea and decreases as stimulus location becomes more peripheral. The acuity function is due to the density of cones being greatest in the fovea (see Figure 4) and to less convergence of foveal than peripheral photoreceptors in the sensory pathway. Acuity can be measured in several ways, including with a standard Snellen eye chart, that are not perfectly correlated. Resolution acuity can be specified by a spatial
FIGURE 3 Dark adaptation function illustrating sensitivity to visual stimuli as a function of time in the dark for cones and rods. [Axes: logarithm of sensitivity (low to high) versus time in dark (min); curves for rods and cones, with light adapted sensitivity, maximum cone sensitivity, and dark adapted sensitivity (maximum rod sensitivity) marked.]
FIGURE 4 Visual acuity as a function of retinal location. [Axes: relative acuity (0% to 100%) versus degrees from fovea (−60° to 60°), from the side of the retina near the ear to the side of the retina near the nose; the blind spot is marked.]
contrast sensitivity function, which for an adult shows maximum sensitivity at a spatial frequency of 3–5 cycles/degree of visual angle. Because high spatial frequencies convey detail and low frequencies the global properties of stimuli, acuity tests based on contrast sensitivity provide a more detailed analysis than standard acuity tests about aspects of vision necessary for performing various tasks. For example, contrast sensitivity at intermediate and low spatial frequencies predicts detectability of signs at night [15]. An abrupt change in a display to signal a change in system mode may go undetected. The change is more likely to attract attention if it is signaled by a flickering stimulus. Conversely, stimuli such as displays on cathode ray tube (CRT) screens may flicker but with the intent of being seen as continuous. The highest rate at which flicker can be perceived is called the critical flicker frequency. A display intended to be seen as flickering should be well below the critical flicker frequency, whereas a display intended to be seen as continuous should be well above that frequency. People show good lightness constancy, which is that a stimulus appears to be constant on a white-to-black dimension under different amounts of illumination. However, lightness contrast, for which an object looks darker when a surrounding or adjacent object is white rather than black, may occur when the intensity of local regions is changed, as in displays or signs. Because color perception is a function of the output of the three cone types, color vision is trichromatic: Any spectral color can be matched by a combination of three primary colors from the short, middle, and long wavelength regions of the spectrum. This fact is used in the design of color televisions and computer monitors, for which all colors are generated from combinations of pixels of three different colors. 
For many perceptual phenomena, blue and yellow are paired in opposing manners, as are red and green: One color of the pair may produce an afterimage of the other; a background of one color may induce the other in a figure that would otherwise be seen as a neutral color; combinations of the two colors are not perceived. These complementary color relations are based in the visual sensory pathways. That is, output from the cones is rewired
into opponent-process neural coding in the optic nerve. A given neuron can signal, for example, blue or yellow, but not both at the same time. Finally, 8% of males are color blind and cannot distinguish all colors that a person with trichromatic vision can, which may cause objects in those colors to be less conspicuous [16]. The use of color to convey information, thus, must be done with care.
4.3 Higher-Level Properties of Visual Perception
The patches of light stimulating the photoreceptors must be organized into a perceptual world of meaningful objects. This is done effortlessly in everyday life, with little confusion. However, organization can be critical for constructed displays. A symbol on a sign that is incorrectly grouped may not be recognized as intended. Similarly, if a warning signal is grouped perceptually with other displays, then its message may be lost. The investigation of perceptual organization was begun by Gestalt psychologists. According to the Gestalt psychologists, perceptual organization follows the principle of Prägnanz: The organizational processes will produce the simplest possible organization allowed by the conditions [17]. The first step in perceiving a figure requires separating it from the background. The importance of figure-ground organization is seen in figures with ambiguous figure-ground organizations, such as the well-known Rubin’s vase (see Figure 5). When a region is seen as figure, the contour appears to be part of it, the region seems to be in front of the background, and it takes on a distinct form. Several factors influence figure-ground organization: Symmetric rather than asymmetric patterns tend to be seen as figure; a region surrounded completely by another tends to be seen as figure and the surround as background; the smaller of two regions tends to be seen as figure and the larger as ground. Figure-ground principles can be used to camouflage targets in the field.
The way that the figure is grouped is also important to perception. Grouping principles include: proximity—display elements that are located close together will tend to be grouped together; similarity—display elements that are similar in appearance, for example, orientation or color, will tend to be grouped together; continuity—figures will tend to be organized along continuous contours; closure—display elements that make up a closed figure will tend to be grouped together; common fate—elements with a common motion will tend to be grouped together; connectedness—elements can be grouped
FIGURE 5 Rubin’s vase: An illustration of reversible figure-ground relations.
by lines connecting them; and common region—a contour drawn around elements will cause those elements to be grouped together. Another distinction is between integral and separable stimulus dimensions [18]: Stimuli composed from integral dimensions are perceived as wholes, whereas those composed from separable dimensions are perceived in terms of their component dimensions. Speed of classification on one dimension is unaffected by the relation to the other if the dimensions are separable. However, for integral dimensions, classifications are slowed when the value of the irrelevant dimension is uncorrelated with that of the relevant dimension but speeded when the two dimensions are correlated. Combinations of hue, saturation, and lightness, and of pitch and loudness have been classified as integral, and size with lightness or angle as separable. The distinction between integral and separable dimensions is incorporated in the proximity compatibility principle [19]: If a task requires information to be integrated mentally (i.e. processing proximity is high), then that information should be presented in an integral display (i.e. one with high display proximity). High display proximity can be accomplished by increasing the spatial proximity of the display elements so that the elements are integrated and appear as a distinct object. The idea is to replace the cognitive computations that someone must perform to combine the pieces of information with a less mentally demanding pattern-recognition process. To survive, a person must be able to perceive locations of objects accurately. Moreover, representational displays should provide the information necessary for accurate spatial perception. Many cues play roles in the perception of distance and spatial relations [20, see Figure 6], and the perceptual system constructs the three-dimensional percept using these cues. 
Among the possible depth cues are accommodation and vergence angle, which, at relatively close distances, vary systematically as a function of the distance of the fixated object from the observer. Binocular disparity is a cue that is a consequence of the two eyes viewing objects from different positions. A fixated object falls on corresponding points of the two retinas. For objects in front of or behind a curved region passing through the fixated object, the images fall on disparate locations. The direction and amount of disparity indicate how near or far the object is from fixation. Binocular disparity is a strong cue to depth that can enhance the perception of depth relations in displays of naturalistic scenes and may be of value to scientists and
FIGURE 6 Diagram of oculomotor and visual depth cues. (Adapted from R. Sekuler and R. Blake (1994). Perception (3rd ed.). New York: McGraw Hill.) [Diagram labels: depth information, oculomotor, accommodation, convergence, visual, binocular, monocular, static cues, interposition, size, perspective, motion parallax.]
others in evaluating multidimensional data sets (e.g. a three-dimensional data set could be processed faster and more accurately to answer questions that required integration of the information if the display was stereoptic than if it was not [21]). There are many static, or pictorial, monocular cues to depth. These include retinal size—larger images appear to be closer—and familiar size—for example, a small image of a car provides a cue that the car is far away. The cue of interposition is that an object that appears to block part of the image of another object is located in front of it. Other cues come from shading, aerial perspective, and linear perspective. Texture gradient, which is a combination of linear perspective and relative size, is important in depth perception [22]. Depth cues become dynamic when an observer moves. If fixation is maintained on an object as location changes, as when looking out a train window, objects in the background will move in the same direction in the image as you are moving, whereas objects in the foreground will move in the opposite direction. This cue is called motion parallax. When you move straight ahead, the optical flow pattern conveys information about how fast your position is changing with respect to objects in the environment [23]. The size of the retinal image of an object varies as a function of the object’s distance from the observer. When accurate depth cues are present, size constancy results: Perceived object size does not vary as a function of changes in retinal image size that accompany changes in depth. Size constancy breaks down and illusions of size appear when depth cues are misleading. Misperceptions of size and distance also can occur when depth cues are minimal, as when navigating at night. For displayed information to be transmitted accurately, the objects and words must be recognized. Pattern recognition is typically presumed to begin with feature analysis.
Alphanumeric characters are analyzed in terms of features such as vertical or horizontal line segments (see Figure 7). Confusion matrices obtained when letters are misidentified indicate that an incorrect identification is most likely to be a letter whose features overlap with the one that was displayed. Letters are components of syllables and words. Numerous studies have provided evidence for the need to distinguish several different levels of reading units [24]. Pattern recognition is also influenced by “top-down” information of several types [25]: regularities in mapping between spelling and spoken sounds and orthographic, syntactic, semantic, and pragmatic constraints. For accurate pattern recognition, the possible alternatives need to be physically distinct and consistent with expectancies created by the context.
FIGURE 7 Pattern (letter) recognition through analysis of features. [Diagram labels: image, features.]
For a skilled reader, the pattern recognition involved in reading occurs almost instantaneously and relatively automatically. This is true for other pattern recognition skills as well (e.g. identifying enemy tanks or intrusion detection patterns). The important point is that, with experience, people can come to recognize very complex patterns that would seem meaningless to a novice. In fact, it is generally accepted that efficient pattern recognition underlies expertise in most domains [26]. Some stimuli, such as faces, are special in that they are processed by different areas of the brain from other objects and their recognition is more sensitive to global configuration and orientation [27].
5 HEARING
The sense of hearing is also used extensively to convey information [2]. It is an effective modality for warnings, because sound can be heard from any direction and because rapid onsets tend to attract attention.
5.1 Auditory Sensory System
Sound waves are fluctuations in air pressure produced by mechanical disturbances; the frequency of oscillations correlates with the sound’s pitch and the amplitude with its loudness. A sound wave moves outward from its source at 344 m/s, with the amplitude being a decreasing function of distance. When sound reaches the outer ear, it is funneled into the middle ear (see Figure 8). The eardrum, which separates the outer and middle ears, vibrates in response to the fluctuations in air pressure produced by the sound wave. The middle ear contains a system of three bones that move when the eardrum vibrates, and this movement gets transferred to the fluid-filled inner ear. A flexible membrane, the basilar membrane, runs the length of the inner ear. Movement of this membrane bends hair cells, which are the sensory receptors that initiate neural signals. The pathways from the auditory nerve project to the primary auditory cortex in the temporal lobe after first passing through several neuroanatomical structures.
The auditory cortex contains neurons that extract complex features of auditory stimulation.
FIGURE 8 Illustration of the major structures of the ear. [Figure labels: outer ear, pinna, auditory canal, eardrum, middle ear, ossicles, inner ear, cochlea.]
5.2 Auditory Perception
Loudness is affected by many factors in addition to amplitude. Humans are insensitive to tones below 200 Hz and, to a lesser extent, to tones exceeding 6 kHz. This is illustrated by equal loudness contours, which show that low and high frequency sounds must be of higher amplitude to be of equal loudness to tones of intermediate frequency (see Figure 9). Extraneous sounds can mask targeted sounds. This is important for work environments, in which audibility of auditory input must be evaluated with respect to the level of background noise. The amount of masking depends on the spectral composition of the target and noise stimuli. Masking only occurs from frequencies within a critical bandwidth. A masking noise will exert a much greater effect on sounds of higher frequency than on sounds of lower frequency, with this asymmetry due to properties of the basilar membrane.
5.3 Higher-Level Properties of Auditory Perception
The principles of perceptual organization apply to auditory stimuli. Grouping can occur on the basis of similarity (e.g. frequency) and spatial and temporal properties (see Figure 10). Tones can be grouped into distinct streams based on similarities on various dimensions [28]. Being able to identify where a threat is coming from is important to survival. Two different sources of information, interaural intensity and time differences, are relied on to
FIGURE 9 Equal loudness contour curves. Each curve indicates the intensity for tones of different frequencies required for the tones to sound equally loud as a 1 kHz tone at the indicated intensity level. [Axes: intensity level (dB above threshold of hearing) versus frequency (Hz), 20 Hz to 20 kHz; equal loudness curves based on Fletcher and Munson.]
FIGURE 10 Somatotopic map of the cerebral cortex. (Based on one from W. Penfield & T. Rasmussen (1950). “The cerebral cortex of man.” New York: Macmillan.) [Figure labels: body regions running from the genitalia, toes, foot, leg, hip, trunk, neck, head, shoulder, arm, elbow, forearm, wrist, hand, and fingers through the eye, nose, face, lips, teeth, gums, jaw, tongue, and pharynx to intra-abdominal; midsagittal sulcus; Sylvian fissure.]
perceive the location of sound around us. At the front and back of the listener, the intensity of the sound and the time at which it reaches the ears are equal. As the sound moves progressively toward one side or the other of the listener’s head, the sound becomes increasingly more intense at the closer ear than at the farther one, and it also reaches the ipsilateral ear first. The interaural intensity cue is most effective for high frequency tones, and the interaural time cue for low frequency sounds. Localization accuracy is poorest for tones between 2 and 4 kHz, where neither cue is effective. Because both cues are ambiguous at the front and back, front-back confusions of the location of brief sounds often occur.
6 BODY SENSES, SMELL, AND TASTE
Though we cannot go into detail on the remaining sensory modalities, they have important implications for homeland security as well.
6.1 Touch, Proprioception, Pain, and Temperature
The body senses are composed of four distinct modalities [29]—touch, proprioception, pain, and thermal sensations—that are elicited respectively by mechanical stimulation
of the skin, mechanical displacements of the muscles and joints, stimuli of sufficient intensity to damage tissue, and cool and warm stimuli. The receptors for these senses are the endings of neurons located in the back side of the spinal cord. The fibers follow two major pathways, dorsal and anterolateral. The former pathway conveys information about touch and proprioception, and the latter information about pain and temperature. The fibers project to the somatosensory cortex, which is organized as a homunculus representing the opposite side of the body. Areas of the body for which sensitivity is greater have larger areas devoted to them than areas with lesser sensitivity (see Figure 10). Some of the cells respond to complex features of stimulation, such as movement of an object across the skin. Vibrotaction is an effective way for transmitting complex information [30]. When mechanical vibrations are applied to a region of skin, the frequency and location of the stimulation can be varied. For frequencies of less than 40 Hz, the size of the contactor area does not influence the absolute threshold for detecting vibration. For higher frequencies, the threshold decreases with increasing size of the contactor, indicating spatial summation of the energy within the stimulated region. For multicontactor devices, which can present complex spatial patterns of stimulation, masking stimuli presented in close temporal proximity to the target stimulus can degrade identification. However, with practice, pattern recognition capabilities with these types of devices can become quite good. As a result, they can be used as reading aids for the blind and to a lesser extent as hearing aids for the hearing impaired [30]. A distinction is commonly made between active and passive touch [31]. Passive touch refers to situations in which the individual does not move her hand, and the touch stimulus is applied passively, as in vibrotaction. 
Active touch refers to situations in which the individual intentionally moves the hand to manipulate and explore an object. Pattern recognition with active touch is superior to that with passive touch. However, the success of passive vibrotactile displays for the blind indicates that much information can also be conveyed passively.
6.2 Smell and Taste
Smell and taste can communicate information about potential danger. The smell of a toxic substance or taste of rancid potato chips may be noxious and convey that they should not be consumed. Contaminated water also may have a noxious smell and taste, and a chemical attack may produce a burning sensation in the throat and nose. Both sensory modalities can be used for warning signals. For example, ethyl mercaptan is added to natural gas to warn of gas leaks because humans are sensitive to its odor. The sensory receptors for taste are groups of cells called taste buds located on the tongue, throat, roof of the mouth, and inside the cheeks. Sensory transduction occurs when a taste solution comes in contact with the taste buds. The nerve fibers from the taste receptors project to several nuclei in the brain and then to the insular cortex, located between the temporal and parietal lobes, and the limbic system. Four basic tastes can be distinguished: sweet, sour, salty, and bitter, though many sensations fall outside of their range [32]. For smell, molecules in the air that are inhaled affect receptor cells located in a region of the nasal cavity. Different receptor types have different proteins that bind the odorant molecules to the receptor. The fibers from the smell receptors project to the olfactory
bulb, located in the front of the brain. From there, the fibers project to a cluster of neural structures called the olfactory brain. Although odors are useful as warnings, they are not very effective at waking someone from sleep, which is why smoke detectors that emit a loud sound are needed. The sense of smell shows considerable plasticity, with associations of odors to events readily learned and habituation occurring to odors of little consequence [33].
7 MULTIMODAL SENSORY INTERACTIONS AND ROLE OF ACTION
In everyday life, we receive input constantly through the various senses. This input must be integrated into a coherent percept. It is important, therefore, to understand how the information from different senses is weighted and combined in perception, and how processing of input from one modality is affected by processing of input from another [34]. Many systems tend to overload the visual system with displays. As a result, there is an increased interest in using multimodal display technologies, which use other modalities to augment visual perception. For example, auditory and tactile displays have been used to direct an observer’s attention to certain areas of a visual display that require further analysis [35]. Multimodal displays also allow information to be presented to users in virtual worlds that represent real-world interactions of the senses [36]. The use of multiple display and control modalities enables different ways of presenting and responding to information, the incorporation of redundancy into displays, and emulation of real-life environments. Multimodal interfaces can reduce mental workload and make human-computer interactions more naturalistic. However, designing effective multimodal interfaces is a challenge because many interactive effects between different modalities may arise. These effects must be taken into account if the full benefits of multimodal interfaces are to be realized.
There is a tendency to think of perception as independent from action because “input precedes output.” However, a close relation between perception and action exists. For example, it is natural to orient attention to the location of a sound, making auditory displays a good choice for actions that require users to respond to the location of the sound (e.g. fire alarms should be placed close to the exit). As a result, the decisions and actions that need to be made in response to a signal or display must be taken into account when designing to optimize perception [37].

8 CONCLUSION

Many of the technical devices that have been, and are being, developed to aid in homeland security depend on successful human-system interactions. Human perception is an important aspect of such interactions. Operators must be able to sense and perceive the displayed information accurately and efficiently, and in a way that maps compatibly onto the tasks and actions that they must perform, for the system to achieve its goals. Regardless of the exact forms that future security technologies take, as long as humans are in the system the basic principles and concepts of sensation and perception must be taken into account.
REFERENCES

1. Sträter, O. (2005). Cognition and Safety: An Integrated Approach to Systems Design and Assessment. Ashgate, Burlington, VT.
2. Robinson, D. (2006). Emergency planning: the evolving role of regional planning organizations in supporting cities and counties. In The McGraw-Hill Homeland Security Book, D. G. Kamien, Ed. McGraw-Hill, NY, pp. 297–310.
3. Wolfe, J. M., Kluender, K. R., Levi, D. M., Bartoshuk, L. M., Herz, R. S., Klatzky, R. L., and Lederman, S. J. (2006). Sensation and Perception. Sinauer, Sunderland, MA.
4. Proctor, R. W., and Proctor, J. D. (2006). Sensation and perception. In Handbook of Human Factors and Ergonomics, 3rd ed., G. Salvendy, Ed. John Wiley & Sons, Hoboken, NJ, pp. 53–88.
5. Gescheider, G. A. (1997). Psychophysics: The Fundamentals, 3rd ed. Lawrence Erlbaum Associates, Hillsdale, NJ.
6. Marks, L. E., and Gescheider, G. A. (2002). Psychophysical scaling. In Stevens’ Handbook of Experimental Psychology, Methodology in Experimental Psychology, H. Pashler, and J. Wixted, Eds. John Wiley & Sons, New York, pp. 91–138.
7. Walker, B. N. (2002). Magnitude estimation of conceptual data dimensions for use in sonification. J. Exp. Psychol. [Appl.] 8, 211–221.
8. Macmillan, N. A., and Creelman, C. D. (2005). Detection Theory: A User’s Guide, 2nd ed. Cambridge University Press, New York.
9. See, J. E., Howe, S. R., Warm, J. S., and Dember, W. N. (1995). Meta-analysis of the sensitivity decrement in vigilance. Psychol. Bull. 117, 230–249.
10. Kanwisher, N., and Duncan, J., Eds. (2004). Functional Neuroimaging of Visual Cognition: Attention and Performance XX. Oxford University Press, New York.
11. Parasuraman, R., and Rizzo, M. (2007). Neuroergonomics: The Brain at Work. Oxford University Press, New York.
12. Schmorrow, D. D., Ed. (2005). Foundations of Augmented Cognition. Lawrence Erlbaum Associates, Mahwah, NJ.
13. Frishman, L. J. (2001). Basic visual processes. In Blackwell Handbook of Perception, E. B. Goldstein, Ed. Blackwell, Malden, MA, pp. 53–91.
14. Andre, J., Owens, A., and Harvey, L. O., Jr., Eds. (2003). Visual Perception: The Influence of H. W. Leibowitz. American Psychological Association, Washington, DC.
15. Evans, D. W., and Ginsburg, A. P. (1982). Predicting age-related differences in discriminating road signs using contrast sensitivity. J. Opt. Soc. Am. 72, 1785–1786.
16. O’Brien, K. A., Cole, B. L., Maddocks, J. D., and Forbes, A. B. (2002). Color and defective color vision as factors in the conspicuity of signs and signals. Hum. Factors 44, 665–675.
17. Palmer, S. E. (2003). Visual perception of objects. In Experimental Psychology, Handbook of Psychology, A. F. Healy, and R. W. Proctor, Eds., Vol. 4. John Wiley & Sons, Hoboken, NJ, pp. 179–211.
18. Garner, W. (1974). The Processing of Information and Structure. Lawrence Erlbaum Associates, Hillsdale, NJ.
19. Wickens, C. D., and Carswell, C. M. (1995). The proximity compatibility principle: its psychological foundation and relevance to display design. Hum. Factors 37, 473–494.
20. Proffitt, D. R., and Caudek, C. (2003). Depth perception and the perception of events. In Experimental Psychology, Handbook of Psychology, A. F. Healy, and R. W. Proctor, Eds., Vol. 4. John Wiley & Sons, Hoboken, NJ, pp. 213–236.
21. Wickens, C. D., Merwin, D. F., and Lin, E. (1994). Implications of graphics enhancements for the visualization of scientific data: dimensional integrality, stereopsis, motion, and mesh. Hum. Factors 36, 44–61.
22. Gibson, J. J. (1950). The Perception of the Visual World. Houghton Mifflin, Boston, MA.
23. Bruno, N., and Cutting, J. E. (1988). Minimodularity and the perception of layout. J. Exp. Psychol. Gen. 117, 161–170.
24. Healy, A. F. (1994). Letter detection: a window to unitization and other cognitive processes in reading text. Psychon. Bull. Rev. 1, 333–344.
25. Massaro, D. W., and Cohen, M. M. (1994). Visual, orthographic, phonological, and lexical influences in reading. J. Exp. Psychol. Hum. Percept. Perform. 20, 1107–1128.
26. Ericsson, K. A., Charness, N., Feltovich, P. J., and Hoffman, R. R., Eds. (2006). The Cambridge Handbook of Expertise and Expert Performance. Cambridge University Press, New York.
27. Farah, M. J., Wilson, K. D., Drain, M., and Tanaka, J. (1998). What is “special” about face perception? Psychol. Rev. 105, 482–498.
28. Bregman, A. S. (1990). Auditory Scene Analysis: The Perceptual Organization of Sound. MIT Press, Cambridge, MA.
29. Gardner, E. P., Martin, J. H., and Jessell, T. M. (2000). The bodily senses. In Principles of Neural Science, E. R. Kandel, J. H. Schwartz, and T. M. Jessell, Eds., Vol. 4. Elsevier, Amsterdam, pp. 430–450.
30. Summers, I. R., Ed. (1992). Tactile Aids for the Hearing Impaired. Whurr Publishers, London.
31. Gibson, J. J. (1966). The Senses Considered as Perceptual Systems. Houghton Mifflin, Boston, MA.
32. Schiffman, S. S., and Erickson, R. P. (1993). Psychophysics: Insights into transduction mechanisms and neural coding. In Mechanisms of Taste Transduction, S. A. Simon, and S. D. Roper, Eds. CRC Press, Boca Raton, FL.
33. Doty, R. L., Ed. (2003). Handbook of Olfaction and Gustation, 2nd ed. Marcel Dekker, New York.
34. Calvert, G., Spence, C., and Stein, B. E., Eds. (2004). The Handbook of Multisensory Processes. MIT Press, Cambridge, MA.
35. Proctor, R. W., Tan, H. Z., Vu, K. P. L., Gray, R., and Spence, C. (2005). Implications of compatibility and cuing effects for multimodal interfaces. In Foundations of Augmented Cognition, D. D. Schmorrow, Ed. Lawrence Erlbaum Associates, Mahwah, NJ, pp. 3–12.
36. Stanney, K. M., Ed. (2002). Handbook of Virtual Environments: Design, Implementation, and Applications. Lawrence Erlbaum Associates, Mahwah, NJ.
37. Proctor, R. W., and Vu, K. P. L. (2006). Stimulus-Response Compatibility Principles: Data, Theory, and Application. CRC Press, Boca Raton, FL.
FURTHER READING

Bolanowski, S. J., and Gescheider, G. A., Eds. (1991). Ratio Scaling of Psychological Magnitude. Lawrence Erlbaum Associates, Hillsdale, NJ.
Macmillan, N. A. (2002). Signal detection theory. In Stevens’ Handbook of Experimental Psychology, Methodology in Experimental Psychology, H. Pashler, and J. Wixted, Eds., Vol. 4. John Wiley & Sons, New York, pp. 43–90.
Wickens, T. D. (2001). Elementary Signal Detection Theory. Oxford University Press, New York.
HUMAN BEHAVIOR AND DECEPTION DETECTION

Mark G. Frank and Melissa A. Menasco
University at Buffalo, State University of New York, Buffalo, New York

Maureen O’Sullivan
University of San Francisco, San Francisco, California
1 INTRODUCTION

Terrorism at its core is a human endeavor. Human beings cultivate what they hate, plan, and then execute terrorist attacks. Thus, any information that can aid the intelligence or security officer to weigh the veracity of the information he or she obtains from suspected terrorists or those harboring them would help prevent attacks. This would then not only add another layer to force protection but would facilitate future intelligence gathering. Yet the face-to-face gathering of information through suspected terrorists, informants, or witnesses is replete with obstacles that affect its accuracy, such as the well-documented shortcomings of human memory, honest differences of opinion, as well as what is the focus of this article—outright deception [1]. The evidence suggests that in day-to-day life most lies are betrayed by factors or circumstances surrounding the lie, and not by behavior [2]. However, there are times when demeanor is all a Homeland Security agent has at his or her disposal to detect someone who is lying about his or her current actions or future intent. Because a lie involves a deliberate, conscious behavior, we can speculate that this effort may leave some trace, sign, or signal that may betray that lie. What interests the scientist, as well as society at large, is (i) are there clues perceptible to the unaided eye that can reliably discriminate between liars and truth tellers?; (ii) do these clues consistently predict deception across time, types of lies, different situations, and cultures?; and if (i) and (ii) are true, then (iii) how well can our counter-terrorism professionals make these judgments, and can they do this in real time, with or without technological assistance?

2 SCIENTIFIC OVERVIEW—BEHAVIORAL SIGNS OF DECEPTION

To date no researcher has documented a “Pinocchio response”; that is, a behavior or pattern of behaviors that in all people, across all situations, is specific to deception (e.g. [3]). All the behaviors identified and examined by researchers to date can occur for reasons unrelated to deception. Generally speaking, the research on detecting lies from behavior suggests that two broad families of behavioral clues are likely to occur when someone is lying—clues related to the liar’s memory and thinking about what they are saying (cognitive clues), and clues related to the liar’s feelings and feelings about deception (emotional clues) [3–8].
2.1 Cognitive Clues

A lie conceals, fabricates, or distorts information; this involves additional mental effort. The liar must think harder than a truth teller to cover up, create events that have not happened, or to describe events in a way to allow multiple interpretations. Additional mental effort is not solely the domain of the outright liar, however; a person who must tell an uncomfortable truth to another will also engage in additional mental effort to come up with the proper phrasing while simultaneously reducing the potential negative emotional reaction of the other. This extra effort tends to manifest itself with longer speech latencies, increased speech disturbances, less plausible content, less verbal and vocal involvement, less talking time, more repeated words and phrases, and so forth [9]. Research has also shown that some nonverbal behaviors change as a result of this mental effort. For example, illustrators—hand or head movements that accompany speech, and are considered by many to be a part of speech (e.g. [10])—will decrease when lying compared to telling the truth [11, 12]. Another way in which cognition is involved in telling a lie is through identification of naturalistic memory characteristics. This means that experienced events have memory qualities that are apparent upon description that are different from events that have not been experienced (the “Undeutsch hypothesis” [13]). Events that were not actually experienced feature more ambivalence, have fewer details, a poorer logical structure, less plausibility, more negative statements, and are less embedded in context. Liars are also less likely to admit lack of memory and have fewer spontaneous corrections (reviewed by [8, 9]), and may use more negative emotion words and fewer self and other references [14]. Mental effort clues seem to occur more in the delivery of the lie, whereas memory recall clues tend to rest more in the content of the lie.
We note that not all lies will tax mental effort; for example, it is much less mentally taxing to answer a closed-ended question like “Did you pack your own bags?” with a yes or no than to answer an open-ended “What do you intend to do on your trip?” Moreover, a clever liar can appear more persuasive if he or she substitutes an actual experienced event as their alibi rather than creating an entirely new event. This may be why a recent general review paper [9] found consistent nonhomogeneous effect sizes for these mental effort and memory-based cues across the studies they reviewed, as the particular paradigms used by researchers varied greatly in the extent to which the lies that were studied mentally taxed the liars.

2.2 Emotional Clues

Lies can also generate emotions, ranging from the excitement and pleasure of “pulling the wool over someone’s eyes” to fear of getting caught to feelings of guilt [4]. Darwin [15] first suggested that emotions tend to manifest themselves in the facial expressions, as well as in the voice tones, and that these could be reliable enough to accurately identify emotional states. Research has since shown that for some expressions—e.g. anger, contempt, disgust, fear, happiness, sadness/distress, or surprise—cultures throughout the planet recognize and express these emotions in both the face and voice similarly [16]. To the extent that a lie features higher stakes for getting caught, we would expect to see more of these signs of emotion in liars compared to truth tellers. If the lie is a polite lie that people tell often and effortlessly, there would be less emotion involved (e.g. [17]). Meta-analytic studies suggest that liars do appear more nervous than truth tellers, with less facial pleasantness, higher vocal tension, higher vocal pitch, greater pupil dilation, and fidgeting [9]. If the lie itself is about emotions—e.g. telling someone that one feels calm, when in fact one is nervous—the research shows that signs of the truly felt emotion appear in the face and voice despite attempts to conceal, although these signs are often subtle and brief [18, 19].

2.3 Measurement Issues

One issue in measuring lie signs is to make clear what is meant by the terms cognition and emotion. For example, in deception research, the term arousal is used interchangeably with emotion, but often refers to many different phenomena: an orienting response [20], an expression of fear [21], a more indeterminate affect somewhere between arousal and emotion ([22]; see also discussion by Waid and Orne [23]), as well as physiological states as different as stress, anxiety, embarrassment, and even anger [24]. A second issue in measuring lie signs is to clarify the level of detail of measurement as well as to specify why that level of detail may or may not correlate with lying [25]. Many meta-analyses of behavioral deception clues report insignificant effect sizes, but the variance among effects is not homogeneous (e.g. [3, 9, 26–28]). For example, some studies investigated behavior at the most elemental physical units of measurement such as counting the movements in the hands, feet, arms, legs, torso, eye movements, eye blinks, pupil dilation, lip pressing, brow lowering or raising, lip corner puller (smiling), fundamental frequency, amplitude, pauses, filled pauses, response latency, speech rate, length of response, connector words, unique words, self-references, and so forth. Other studies investigated behavior at the most elemental psychological meaning units of measurement.
Some of these included manipulators—which involve touching, rubbing, etc., of various body parts—which could be composed of a number of hand, finger, and arm movements, but which were scored for theoretical rather than merely descriptive reasons. Other psychologically meaningful units of measurement include illustrators, which accompany speech to help keep the rhythm of the speech, emphasize a word, show direction of thought, etc., or emblems, which are gestures that have a speech equivalent, such as a head nod meaning “yes”, or a shrug meaning “I am not sure”, or facial emblems such as winking. The psychological meaning units might also include vocal tension, speech disturbances, negative statements, contextual embedding, unusual details, logical structure, unexpected complications, superfluous details, self-doubt, and so forth. Finally, other studies investigated behavior at the most interpretative/impressionistic unit level, which are further unarticulated composites of the physical and the psychological meaning units described earlier. Some of these impressionistic variables of the behaviors include fidgeting, involvement, body animation, posture, facial pleasantness, expressiveness, vocal immediacy and involvement, spoken uncertainty, plausibility, and cognitive complexity (see review by [9]). The problem of course is that as one moves from physical to impressionistic measures, it would seem to become harder to make those judgments reliably. This is not always the case, though; for example, the term “smile” has rarely been defined in research reports, yet independent coders are typically above 0.90 reliability when coding smiles (see [29] for a review). Although research suggests that people can be more accurate when they employ indirect inferences to deception (e.g. does the person have to think hard? [30]), “gut” impressions tend to be uncorrelated with accuracy [26]. This suggests that we must be cautious about clues at the impressionistic level, and that it may be more productive to study them at their psychological level where they might be more meaningful to understanding deception.

2.4 Prognosis on Generalizability of Deception Findings Across Time, Lies, Situations, and Cultures

It is safe to conclude that although there are some clues that betray a lie at rates greater than chance, none of them are exclusive to deception. This conclusion applies to machine-based physiological approaches as well. However, the origins of these signs—mental effort, memory, and emotion—are universal. This suggests that if the context in which the information is gathered is controlled, and designed to differentially affect liars and truth tellers, it would increase greatly the chances of being able to distinguish people with deceptive intent from those with truthful intent. Polygraph examination has done this by controlling its question style to improve hit rates, but to date this has not been done systematically in behavioral studies. Thus its effects are unknown, but we can speculate based upon what we know about normal, truthful human behavior. If the lie is of no significance to the person, with no costs for getting caught, and involves a simple yes or no answer, odds are there will not be many clues to distinguish the liar from the truth teller. If the situation has significance to the person, there are consequences for getting caught, and the person is required to recount an event in response to an open-ended question, then we would expect more clues to surface that would distinguish the liar from the truth teller. This may be a curvilinear relationship; a situation of extraordinarily high mental effort and emotion—e.g. one in which a person is being beaten, screamed at, and threatened with execution—will generate all the “lie clues” described earlier, but equally in liar and truth teller.
Nonetheless, information about mental effort, experienced memory, and emotion can be very useful clues to Homeland Security personnel to identify behavioral “hot spots” [4] that can provide information about issues of importance to the subject. A counter-terrorism intelligence officer who knows when a subject is feeling an emotion or thinking hard can know what topics to pursue or avoid in an interview, whether the subject is fabricating, concealing information, or merely feeling uncomfortable with the topic, although truthful.

3 SCIENTIFIC OVERVIEW—ABILITIES TO SPOT LIARS

Research over the past 30 years suggests that the average person is slightly statistically better than chance at identifying deception, but not practically better. The most recent review of over 100 studies has shown that when chance accuracy is 50%, the average person is approximately 54% accurate [31]. There are a number of reasons for this poor ability; among them poor feedback in daily life (i.e. a person only knows about the lies they have caught); the general tendency among people to believe others until proven otherwise (i.e. a “truth bias”; [32]), and especially a faulty understanding of what liars actually look like (i.e. the difference between people’s perceived clues to lying, compared to the actual clues; [26]).

3.1 General Abilities of Specialized Groups

Most of the studies reviewed were laboratory based and involved observers judging strangers. But similar results are found even when the liars and truth tellers are known to the observers (also reviewed by [31]). If the lies being told are low stakes, so that little emotion is aroused and the lie can be told without much extra cognitive effort, there may be few clues available on which to base a judgment. But even studies of high stakes lies, in which both liars and truth tellers are highly motivated to be successful, suggest an accuracy level that is not much different from chance. Research that examined unselected professionals involved in security settings—police, federal agents, and so forth—has typically found that they too are not any more accurate in their abilities to spot deception than laypeople (e.g., [27, 33–36]). However, within these studies there have been a handful of groups that have performed at better than 60% accuracy on both lies and truths, and what these groups are doing might be informative for Homeland Security applications. The first group identified was a group of Secret Service agents who not only were superior, as a group, in detecting lies about one’s emotions, but those who were more accurate were more likely to report using nonverbal clues than those who were less accurate. The authors [33] speculated that the Secret Service agents were more accurate than the other groups because they were trained in scanning crowds for nonverbal behaviors that did not fit, and they also dealt with assassination threats, many of which were made by mentally ill individuals. Unlike most police officers whose assumption of guilt in suspects is high [37], reflecting the experience of their daily work, Secret Service agents interviewed suspects where they knew the base rate of true death threats was low. The second set of groups identified included forensic psychologists, federal judges, selected federal law enforcement officers, and a group of sheriffs [34]. A commonality among these groups seemed to be their very high motivation to improve their lie detecting skills.
A third set of groups identified were police officers examining real-life lies, who showed 65% overall accuracy in detecting lies and truths [38].

3.2 Individual Differences

As with any ability, research suggests that some people are better able to detect deception than others in high-stake lies (e.g. [39]); this skill does not seem to translate to lower-stake lies [32]. One element of better skill in higher-stake settings is the ability to judge micromomentary displays of emotion [33, 39]. Other groups who showed better than 60% accuracy included people with left hemisphere brain lesions that prevented them from comprehending speech [40], and those subjects who scored higher on a test of knowledge of clues to deceit were also more accurate than those who did not [41]. A different approach has been to identify individuals who obtain high scores on lie detection tests and study them in detail [42]. After testing more than 12,000 people using a sequential testing protocol involving three different lie detection accuracy measures, O’Sullivan and Ekman identified 29 highly accurate individuals. These individuals had a kind of genius with respect to the observation of verbal and nonverbal clues, but since genius often connotes academic intelligence, the expert lie detectors were labeled “truth wizards” to suggest their special talent. Although this term is unfortunate in mistakenly suggesting that their abilities are due to magic rather than talent and practice, the term does reflect the rarity of their abilities. One of the first findings of the Wizard Project was a profession-specific sensitivity to certain kinds of lies. About one-third of the wizards were highly accurate on all three of the tests used. Another third did very well on two of the tests, but not on the third, in which people lied or told the truth about whether they had stolen money. Nearly all of these wizards were therapists who had little, if any, experience with lies about crime. On the other hand, the remaining third of the wizards were law enforcement personnel—police and lawyers—who did very well on the crime lie detection test, but not on a test in which people lied or told the truth about their feelings. Compared with a matched control group, expert lie detectors are more likely than controls to attend to a wide array of nonverbal behaviors and to be more consciously aware of inconsistencies between verbal and nonverbal behaviors. Although expert lie detectors make almost instantaneous judgments about the kind of person they are observing, they are also more cautious than controls about reaching a final decision about truthfulness.
4 CRITICAL NEEDS ANALYSIS

Research on human behavior and deception detection can make a useful contribution to Homeland Security needs as long as scientists and practitioners understand what it is they are observing—signs of thinking or signs of feeling. This rule applies to automated approaches that measure physiology as well. Even with this limitation, training in behavioral hot spot recognition may make security personnel better at spotting those with malfeasant intent. Other critical needs are discussed below.

4.1 More Relevant Laboratory Paradigms and Subjects

We must recognize that general meta-analyses of the research literature, although useful, are limited in their applicability to security contexts, since such analyses tend to combine studies that feature lies told with few stakes and cognitive demands with those with higher stakes and stronger cognitive demands. Thus, we should be more selective about which studies to examine for clues that may be useful or relevant to security contexts. This also means it is important for scientists to develop research paradigms that more closely mirror the real-life contexts in which security personnel work. Although laboratory settings are not as powerful as real-world settings, high-stake laboratory deception situations can provide insights with the best chance of applicability. Consistent with this approach, two current airport security techniques capitalize on behaviors identified by research studies on stress, with anecdotal success (i.e. Transportation Security Administration (TSA)’s Screening Passengers by Observation Techniques and the MA State Police Behavioral Assessment System). One way to facilitate this type of progress is to have Homeland Security personnel advise laboratory research, as well as allow researchers to spend on-the-job time with them.
We believe that pairing the researchers and practitioners would eventually result in calls for laboratory studies featuring higher stakes to the liars, different subject populations beyond US/Europeans (as research suggests that people can detect deception in other cultures at rates greater than chance; [43, 44]), and differing interview lengths such as examining shorter interviews (i.e. a 30–90 s security screening) and longer interviews (i.e. a 1–4 h intelligence interview).

4.2 Examination and Creation of Real-World Databases

There have been very few studies of real-world deception (e.g. [38]), yet the technological capability exists to create many more. The biggest problem with real-world data is determining the ground truth (was the person really lying, or did he or she truly believe what he or she just stated?). Estimating ground truth—as compared to knowing ground truth—will slow down the identification of any patterns or systems. Clear criteria must be established a priori to determine this ground truth. For example, confessions of malfeasance are a good criterion, but false confessions do happen. Catching someone with contraband (i.e. a “hit”) is also a good criterion, but occasionally the person may be truthful when he or she states that someone must have snuck it into his or her luggage. Moreover, academics should advise on the capture and recording of these databases, to ensure that the materials are able to be examined by the widest number of researchers and research approaches. For example, most of the police interview video we have seen is of such poor quality that we cannot analyze facial expressions in any detail. It is only when these databases are combined with the laboratory work that we can more sharply identify behaviors or behavioral patterns that will increase the chances of catching those with malfeasant intent. To optimally use this information though, we must also examine in detail known cases of false negatives and false positives as well as correct hits to determine why mistakes were made in these judgments.

4.3 Ground Truth Base Rates

Security personnel do not know the base rates for malfeasance in their settings. Although it may be logistically impossible to hand-search every piece of hand luggage in a busy airport, or follow every investigative lead, it would be essential to know this base rate in order to ascertain the effectiveness of any new behavioral observational technique. This would also permit more useful cost–benefit analyses of various levels of security and training.
A less satisfying but still useful way to ascertain effectiveness is to compare hit rates for contraband for those using various behavioral observation techniques with those who are stopped randomly (as long as the day of the week and time of the day/year are scientifically controlled).

4.4 Optimizing Training

The most recent meta-analysis of the research literature on training people to improve deception detection from behavior has shown that across over 2000 subjects, there was a modest effect for training, despite the use of substandard training techniques [45]. This obviously suggests that better training techniques will yield larger improvements in people’s abilities to sort out truth from lie. One training change would be to train on behavioral clues that are derived from similar situations and supported by research. For example, one study trained research subjects to recognize a set of behavioral clues that are believed to be indicative of deception, and are often taught to law enforcement personnel as signs of deception, although many of these signs are not supported by the scientific literature [46]. This study reported a 10% decrease in accuracy for the groups receiving such training. Therefore, the first step in adequate training is to identify what information is useful for training (see above). The second step is to determine the most effective way to deliver that information. For example, what is the training duration that maximizes comprehension—one full day, three full days, or more? Should it be done in a group or self-study? Does it need simple repetition, or more creative approaches, and how many training items are needed? Does it need to be reinforced at particular intervals? How many clues should be taught—i.e. at what point do you overwhelm trainees? How do you train in such a way as to improve accuracy without overinflating confidence? These are just a few of the questions with unknown answers.
CROSS-CUTTING THEMES AND TECHNOLOGIES
4.5 Identifying Excellence
Another critical need is to identify who within relevant organizations shows signs of excellence, through their higher hit rates or whatever other clear criteria can be applied. This strategy is similar to the strategy of the “wizards” study [42]. One caution is that to date, most testing material will be laboratory experiment based, and the generalizability of that information to real-world contexts is not perfect. An examination of the convergent validity of laboratory tests of deception detection and other more naturalistic approach measures (peer ratings, field observations in airports, or other points of entry with accuracy determined by the rate of contraband “hits” by individuals compared to random selection) would be a great start.
5 FUTURE RESEARCH DIRECTIONS
The aforementioned critical needs suggest several research questions, but by no means is that section comprehensive. As we peer into the future, there is much work to do. A partial list of future directions shown below suggests what we should do.
• Examine the role of technology in facilitating behavioral observation. A number of computer vision algorithms are now available that can aid observation, such as recognizing emotional expressions in the face (e.g. [47]). What is unknown is how robust these algorithms are in real-world contexts. What is also unknown is how best to combine technological observation of behavior with human judgment. Would there be a tendency for humans to overrely upon the technology over time?
• Identify the optimal environmental set up for surveillance, whether with technology or the unaided eye. This includes proxemic placement of tables, lines, stanchions, other individuals, and so forth. One goal would be to create an environment that would reduce the typical stress felt by the normal traveler, which would hopefully increase the salience of any sign of stress exhibited by the malfeasant to increase the chances of its being observed.
• Identify optimal interaction style between security agents and the public. One can aggressively question and threaten travelers, but that might render behavioral observation useless due to the overall stress engendered. A rapport-building approach (e.g. [48]) might be better, but this needs more research.
• Identify the optimal interview style. Phrasing of questions is important in obtaining information, but this has not been researched in the open literature. Small changes in phrasing—e.g. open versus close ended—might add to the additional cognitive burden of the liar and thus could be useful. The order of questions will also be important, as well as whether one should make a direct accusation. But only additional research will tell.
• Identify the optimal way to combine behavioral clues. Research tends to examine individual behavioral clues to ascertain their effectiveness, yet more modern neural network and machine learning approaches may be successful in identifying patterns and combinations of behaviors that better predict deception in particular contexts.
• Identify the presence of countermeasures. An inevitable side effect of the release of any information about what behaviors are being examined by security officers, to identify riskier individuals in security settings, is that this information will find its way onto the Internet or other public forums. This means a potential terrorist can learn what to do and what not to do in order to escape further scrutiny. The problem is that we do not know yet whether one can conceal all their behaviors in these real-life contexts. Moreover, some of these behaviors, like emotional behavior, are more involuntary [16] and should be harder to conceal than more voluntary behavior like word choice. Thus it remains an open question as to whether a potential terrorist can countermeasure all of the critical behaviors.

Space limitations preclude an exhaustive list of needs, future directions, and research. In general, the research suggests that there are limited clues that are useful to sorting out liars and truth tellers, but most people cannot spot them. However, a closer examination of this literature suggests that some behavioral clues can be useful to security personnel, and some people can spot these clues well. We feel that it may be ultimately most productive to expand our thinking about behavioral clues to deceit to include thinking about behavioral clues to a person’s reality—clues that someone is recounting a true memory, thinking hard, or having an emotion he or she wishes to hide. This would enable a security officer to make the most accurate inference about the inner state of the person they are observing, which, when combined with better interaction and interviewing techniques, would enable them to better infer the real reasons for this inner state, be it intending us harm, telling a lie, or telling the truth.
REFERENCES
1. Haugaard, J. J., and Repucci, N. D. (1992). Children and the truth. In Cognitive and Social Factors in Early Deception, S. J. Ceci, M. DeSimone-Leichtman, and M. E. Putnick, Eds. Erlbaum, Hillsdale, NJ.
2. Park, H. S., Levine, T. R., McCornack, S. A., Morrison, K., and Ferrar, M. (2002). How people really detect lies. Commun. Monogr. 69, 144–157.
3. Zuckerman, M., DePaulo, B. M., and Rosenthal, R. (1981). Verbal and nonverbal communication of deception. In Advances in Experimental Social Psychology, L. Berkowitz, Ed. Academic Press, San Diego, CA, Vol. 14, pp. 1–59.
4. Ekman, P. (1985/2001). Telling Lies. W. W. Norton, New York.
5. Ekman, P., and Frank, M. G. (1993). Lies that fail. In Lying and Deception in Everyday Life, M. Lewis, and C. Saarni, Eds. Guilford Press, New York, pp. 184–200.
6. Hocking, J. E., and Leathers, D. G. (1980). Nonverbal indicators of deception: A new theoretical perspective. Commun. Monogr. 47, 119–131.
7. Knapp, M. L., and Comadena, M. E. (1979). Telling it like it isn’t: A review of theory and research on deceptive communication. Hum. Commun. Res. 5, 270–285.
8. Yuille, J. C., Ed. (1989). Credibility Assessment. Kluwer Academic Publishers, Dordrecht.
9. DePaulo, B. M., Lindsay, J. J., Malone, B. E., Muhlenbruck, L., Charlton, K., and Cooper, H. (2003). Cues to deception. Psychol. Bull. 129, 74–112.
10. McNeill, D. (1992). Hand and Mind. What Gestures Reveal about Thought. University of Chicago Press, Chicago.
11. Ekman, P., and Friesen, W. V. (1972). Hand movements. J. Commun. 22, 353–374.
12. Vrij, A. (1995). Behavioral correlates of deception in a simulated police interview. J. Psychol. 129, 15–28.
13. Undeutsch, U. (1967). Beurteilung der glaubhaftigkeit von aussagen. In Handbuch der Psychologie. Bd. II: Forensische Psychologie, U. Undeutsch, Ed. Verlag fur Psychologie, Goettingen, pp. 26–181.
14. Newman, M. L., Pennebaker, J. W., Berry, D. S., and Richards, J. M. (2003). Lying words: predicting deception from linguistic styles. Pers. Soc. Psychol. Bull. 29, 665–675.
15. Darwin, C. (1872/1998). The Expression of the Emotions in Man and Animals, 3rd ed. (w/ commentaries by Paul Ekman). Oxford University Press, New York.
16. Ekman, P. (2003). Emotions Revealed. Henry Holt, New York.
17. DePaulo, B. M., Kashy, D. A., Kirkendol, S. E., Wyer, M. M., and Epstein, J. A. (1996). Lying in everyday life. J. Pers. Soc. Psychol. 70, 979–995.
18. Ekman, P., Friesen, W. V., and O’Sullivan, M. (1988). Smiles when lying. J. Pers. Soc. Psychol. 54, 414–420.
19. Ekman, P., O’Sullivan, M., Friesen, W. V., and Scherer, K. (1991). Invited article: face, voice, and body in detecting deceit. J. Nonverbal Behav. 15, 125–135.
20. deTurck, M. A., and Miller, G. R. (1985). Deception and arousal: isolating the behavioral correlates of deception. Hum. Commun. Res. 12, 181–201.
21. Frank, M. G. (1989). Human Lie Detection Ability as a Function of the Liar’s Motivation, Unpublished doctoral dissertation, Cornell University, Ithaca.
22. Burgoon, J. E., and Buller, D. B. (1994). Interpersonal deception: III. Effects of deceit on perceived communication and nonverbal behavior dynamics. J. Nonverbal Behav. 18, 155–184.
23. Waid, W. M., and Orne, M. T. (1982). The physiological detection of deception. Am. Sci. 70, 402–409.
24. Steinbrook, R. (1992). The polygraph test: a flawed diagnostic method. N. Engl. J. Med. 327, 122–123.
25. Frank, M. G. (2005). Research methods in detecting deception research. In Handbook of Nonverbal Behavior Research, J. Harrigan, K. Scherer, and R. Rosenthal, Eds. Oxford University Press, London, pp. 341–368.
26. DePaulo, B. M., Stone, J., and Lassiter, D. (1985). Deceiving and detecting deceit. In The Self and Social Life, B. R. Schlenker, Ed., McGraw-Hill, New York, pp. 323–355.
27. Vrij, A. (2000). Detecting Lies and Deceit: The Psychology of Lying and the Implications for Professional Practice. John Wiley & Sons, Chichester.
28. Zuckerman, M., and Driver, R. E. (1985). Telling lies: verbal and nonverbal correlates of deception. In Multichannel Integration of Nonverbal Behavior, W. A. Siegman, and S. Feldstein, Eds. Erlbaum, Hillsdale, NJ, pp. 129–147.
29. Frank, M. G. (2003). Smiles, lies, and emotion. In The Smile: Forms, Functions, and Consequences, M. Abel, Ed. The Edwin Mellen Press, New York, pp. 15–43.
30. Vrij, A., Edward, K., and Bull, R. (2001). Police officers’ ability to detect deceit: the benefit of indirect deception detection measures. Leg. Criminol. Psychol. 6, 185–196.
31. Bond, C. F. Jr., and DePaulo, B. M. (2006). Accuracy of deception judgments. Pers. Soc. Psychol. Rev. 10, 214–234.
32. DePaulo, B. M., and Rosenthal, R. (1979). Telling lies. J. Pers. Soc. Psychol. 37, 1713–1722.
33. Ekman, P., and O’Sullivan, M. (1991). Who can catch a liar? Am. Psychol. 46, 913–920.
34. Ekman, P., O’Sullivan, M., and Frank, M. G. (1999). A few can catch a liar. Psychol. Sci. 10, 263–266.
35. DePaulo, B. M., and Pfeifer, R. L. (1986). On-the-job experience and skill at detecting deception. J. Appl. Soc. Psychol. 16, 249–267.
36. Kraut, R. E., and Poe, D. (1980). Behavioral roots of person perception: the deception judgments of customs inspectors and laymen. J. Pers. Soc. Psychol. 39, 784–798.
37. Meissner, C. A., and Kassin, S. M. (2002). “He’s guilty!”: investigator bias in judgments of truth and deception. Law Hum. Behav. 26, 469–480.
38. Mann, S., Vrij, A., and Bull, R. (2004). Detecting true lies: police officers’ abilities to detect suspects’ lies. J. Appl. Psychol. 89, 137–149.
39. Frank, M. G., and Ekman, P. (1997). The ability to detect deceit generalizes across different types of high stake lies. J. Pers. Soc. Psychol. 72, 1429–1439.
40. Etcoff, N. L., Ekman, P., Magee, J. J., and Frank, M. G. (2000). Superior lie detection associated with language loss. Nature 405(11), 139–139.
41. Forrest, J. A., Feldman, R. S., and Tyler, J. M. (2004). When accurate beliefs lead to better lie detection. J. Appl. Soc. Psychol. 34, 764–780.
42. O’Sullivan, M., and Ekman, P. (2004). The wizards of deception detection. In The Detection of Deception in Forensic Contexts, P. A. Granhag, and L. Stromwell, Eds. Cambridge University Press, Cambridge, pp. 269–286.
43. Bond, C. F. Jr., and Atoum, A. O. (2000). International deception. Pers. Soc. Psychol. Bull. 26, 385–395.
44. Bond, C. F., Omar, A., Mahmoud, A., and Bonser, R. N. (1990). Lie detection across cultures. J. Nonverbal Behav. 14, 189–204.
45. Frank, M. G., and Feeley, T. H. (2003). To catch a liar: challenges for research in lie detection training. J. Appl. Commun. Res. 31, 58–75.
46. Kassin, S. M., and Fong, C. T. (1999). “I’m innocent!”: effects of training on judgments of truth and deception in the interrogation room. Law Hum. Behav. 23, 499–516.
47. Bartlett, M. S., Littlewort, G., Frank, M. G., Lainscsek, C., Fasel, I., and Movellan, J. (2006). Fully automatic facial action recognition in spontaneous behavior. J. Multimedia 6, 22–35.
48. Collins, R., Lincoln, R., and Frank, M. G. (2002). The effect of rapport in forensic interviewing. Psychiatry Psychol. Law 9, 69–78.
SPEECH AND VIDEO PROCESSING FOR HOMELAND SECURITY
Mark Maybury
Information Technology Center, The MITRE Corporation, Bedford, Massachusetts
1 SPEECH AND VIDEO FOR HOMELAND SECURITY
As articulated in the National Strategy for Homeland Security (www.whitehouse.gov/homeland/book) [1], homeland security requires effective performance of a number of primary missions such as border and transportation security and critical infrastructure protection. These activities are human intensive, both in terms of the objects of focus (e.g. citizens or foreigners crossing a border) as well as the government or contractor personnel performing these functions (e.g. TSA at US airports). Automation is necessary to ensure effective, objective, and affordable operations. Speech and video processing are important technologies that promise to address some of the severe challenges of the homeland security mission. Furthermore, there is some hope that the detection of visual or acoustic anomalies (e.g. unnatural human motion and voice stress) could yield improved deception detection. With thousands of miles of border with Mexico and Canada and 95,000 miles of shoreline, border and transportation security is a daunting challenge. Some important applications include the following:
• Video surveillance for anomalous and/or hostile behavior detection has important applications at border crossings as well as monitoring remote border areas.
• Identification and tracking of individuals using biometrics (e.g. speech, face, gait, and iris). For example, speaker identification can be used for authentication for both physical access control and computer account access. While details of biometrics are beyond the scope of this article, we refer the reader to an overview text [2] or a more detailed algorithmic approach [3].

Other critical homeland security applications are as follows:
• Critical infrastructure protection to include key site monitoring (e.g. transportation, energy, food, and commerce) or video surveillance of public areas. This could include automated video understanding, in particular the detection, classification, and tracking of objects such as cars, people, or animals in time and space in and around key sites. Beyond object detection and tracking, it would include recognition of relationships and events.
• Automated processing of audio and video to understand broadcast news and/or index video surveillance archives.
• Audio hot spotting for surveillance at a border crossing or large-scale public events.
• The use of audio or video analysis to detect deception (e.g. irregular physical behavior and/or speech patterns) but also audio and video cryptography to obscure message content or audio and video steganography to hide its very existence, and countermeasures thereof.

Some of the requirements for these applications are severe. These include
• broad area surveillance;
• long duration: 24 × 7 detection;
• real-time detection;
• high accuracy and consistency;
• completely autonomous operation;
• low or intermittent communications bandwidth (e.g. for storage and exfiltration);
• low acquisition and maintenance cost.

Some deployments may also require low power consumption (and/or long battery life), limited storage, and intermittent connectivity.
2 THE CHALLENGE OF SPEECH
The ability to detect and track criminal or adversary communications is essential to homeland security. Whether for law enforcement or intelligence, searching conversational speech is a grand challenge. Telephone conversations alone illustrate the scale of the challenge with over a billion fixed lines worldwide creating 3785 billion minutes (63B hours) of conversations annually, equivalent to about 15 exabytes of data (ITU 2002). Add to this rapidly growing mobile and wireless communication. In addition, 47,776 radio stations add 70 million hours of original radio programming per year. Further complicating this, approximately 6800 languages and as many as 10,000 dialects are spoken globally. In spite of this untapped audio gold mine, audio search requirements are only beginning to appear. As Figure 1 illustrates, there are over 300 spoken languages with more than one million speakers, but only 66 of these are written and for which we have a translation dictionary. Of these, we have ASR and MT for only 44, and only 20 of these are considered “done” in the sense that systems exist for automated transcription and translation. In addition to the challenge of lack of written materials, which we will return to subsequently, there are many challenges beyond scale. These include challenges with language in general, such as polysemy, ambiguity, imprecision, malformedness, intention, and emotion. And in addition to the traditional set of challenges with automated speech recognition such as noise, microphone variability, and speaker disfluencies, the kind of conversational speech that occurs in telephone calls, meetings, and interviews has the following additional challenges:
• Multiparty. Multiple, interacting speakers.
• Talkover. Multiple simultaneous speakers talk over speaker turns.
• Spontaneity. Unpredictable shifts in speakers, topics, and acoustic environments.
• Diverse settings. Conversation is found in many venues including outdoor border crossings, indoor meetings, radio/TV talk shows, interviews, public debates, lectures or presentations that vary in degree of structure, roles of participants, lengths, degree of formality, as well as variable acoustic properties.
• Acoustic challenges. Spoken conversations often occur over cell phones or handheld radios which come in and out of range and have highly variable signal to noise ratios.
• Nonacoustic conversational elements. Speakers use clapping, laughing, booing, whistling, and other sounds and gestures to express agreement, disagreement, enjoyment, and other emotions, as well as outdoor noise (e.g. weather and animals) and indoor noise (e.g. machinery and music).
• Real time and retrospective. Access during the speech event (e.g. real-time stream processing) or after.
• Tasks. Speaker identification, word hot spotting, audio document routing (doc/passage/fact), retrieval or question/answering, tracking entities and events, and summarization (e.g. speakers and topics).
• Multilingual. Multiple languages, sometimes from the same speaker.
• References. Since conversations are often performed in a physical context, the language often contains references to items therein (exophora).

FIGURE 1 Spoken foreign language systems and needs. [Figure: language count by resource tier: 334 with >1 M speakers; 66 written + translation dictionary; 43 all ASR + MT prereqs.; 20 “done”.] (Source: Linguistic Data Consortium’s DARPA Surprise Language Experiment assessment of FL resources, 2003)

Compounding these challenges, expert translators, particularly for low density languages, are expensive and scarce. In addition to the challenges with speech, for large collections of audio, there exist many retrieval challenges such as triage, storage, query formulation, query expansion, query by example, results display, browsing, and so on.
3 AUTOMATED SPEECH PROCESSING
Figure 2 illustrates the significant progress made over the years in spoken language processing. The figure shows best systems each year in evaluations administered by NIST to objectively benchmark performance of speech recognition systems over time. The graph reports reduction of word error rate (WER) over time. The systems were assessed based on a wide range of increasingly complex and challenging tasks moving from read speech, to broadcast (e.g. TV and radio) speech, to conversational speech, to spontaneous speech, to foreign language speech (e.g. Chinese Mandarin and Arabic). Over time, tasks have ranged from understanding read Wall Street Journal text, to understanding foreign television broadcasts, to the so-called “switchboard” (fixed telephone and cellphone) conversations. Future plans include meeting room speech recognition (NIST; [4]). As Figure 2 illustrates, rates of word error in recognition of English (clean, well-formed, single speaker, speaking clearly to computer) are well below 10%. For example, computers can understand someone reading the Wall Street Journal with a 5% word error rate (WER) (1 word in 20 wrong). Conversations are harder, with broadcast news often achieving only a 15–20% WER and the CALLHOME data collection (phone calls) achieving 30–40% WER.
FIGURE 2 NIST benchmarks over time. (http://www.nist.gov/speech/history.) [Plot: NIST STT Benchmark Test History (May '07); word error rate (1% to 100%) by date (1988 to 2011) for read, broadcast, conversational, meeting, and non-English speech tasks, with the range of human error in transcription marked.]
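The word error rate quoted in Section 3 is the number of substituted, deleted, and inserted words in a minimum-edit alignment divided by the number of reference words. The following added example (not code from the handbook or from NIST) computes it; the transcripts are constructed and the function names are hypothetical.

```python
import re


def tokenize(text):
    """Lowercase and drop punctuation so scoring compares words, not formatting."""
    return re.findall(r"[a-z0-9']+", text.lower())


def edit_counts(ref_words, hyp_words):
    """Minimum-edit alignment: (total, substitutions, deletions, insertions)."""
    n, m = len(ref_words), len(hyp_words)
    # best[i][j] scores ref_words[:i] against hyp_words[:j]
    best = [[None] * (m + 1) for _ in range(n + 1)]
    best[0][0] = (0, 0, 0, 0)
    for i in range(1, n + 1):
        best[i][0] = (i, 0, i, 0)              # empty hypothesis: all deleted
    for j in range(1, m + 1):
        best[0][j] = (j, 0, 0, j)              # empty reference: all inserted
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            t, s, d, a = best[i - 1][j - 1]
            if ref_words[i - 1] == hyp_words[j - 1]:
                diagonal = (t, s, d, a)            # correct word
            else:
                diagonal = (t + 1, s + 1, d, a)    # substitution
            t, s, d, a = best[i - 1][j]
            deletion = (t + 1, s, d + 1, a)        # reference word missing
            t, s, d, a = best[i][j - 1]
            insertion = (t + 1, s, d, a + 1)       # extra hypothesis word
            best[i][j] = min(diagonal, deletion, insertion)
    return best[n][m]


def word_error_rate(reference, hypothesis):
    """WER = (S + D + I) / reference length; it can exceed 1.0."""
    ref_words, hyp_words = tokenize(reference), tokenize(hypothesis)
    if not ref_words:
        raise ValueError("reference transcript is empty")
    total, _, _, _ = edit_counts(ref_words, hyp_words)
    return total / len(ref_words)


# Constructed transcripts. The read sentence has 20 words and one recognition
# error; the conversational turn has a dropped filler, a repeat, and an extra word.
READ_REF = ("The committee will meet on Tuesday to review the border crossing "
            "budget and the port security plan for next year.")
READ_HYP = ("the committee will meet on tuesday to review the border crossing "
            "budget and the court security plan for next year")
CONV_REF = "uh can you hear me now"
CONV_HYP = "can you hear me me now okay"

if __name__ == "__main__":
    for name, ref, hyp in [("read", READ_REF, READ_HYP),
                           ("conversational", CONV_REF, CONV_HYP)]:
        print(name, edit_counts(tokenize(ref), tokenize(hyp)),
              f"WER={word_error_rate(ref, hyp):.0%}")
```

Because insertions are counted against the reference length, a noisy hypothesis for a short reference can score above 100%.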
4 AUDIO HOT SPOTTING
As an illustration of the state of the art, the Audio Hot Spotting project [5–7] aims to support natural querying of audio and video, including meetings, news broadcasts, telephone conversations, and tactical communications/surveillance. As Figure 3 illustrates, the architecture of AHS integrates a variety of technologies including speaker ID, language ID, nonspeech audio detection, keyword spotting, transcription, prosodic feature and speech rate detection (e.g. for speaker emotional detection), and cross language search. An important innovation of AHS is the combination of word-based speech recognition with phoneme-based audio retrieval for mutual compensation for keyword queries. Phoneme-based audio retrieval is fast and more robust to spelling variations and audio quality, but may have more false positives for short-word queries. In addition, phoneme-based engines can retrieve proper names or words not in the dictionary (e.g. “Shengzhen”) but, unfortunately, produce no transcripts for downstream processes. In contrast, word-based retrieval is more precise for single-word queries in good quality audio and provides transcripts for automatic downstream processes. Of course it has its limitations too. For example, it may miss hits for phrasal queries and out-of-vocabulary words and in noisy audio, and it is slower in preprocessing.
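The trade-off described above can be seen on a small case. This added example (not AHS code) searches one constructed utterance through a word index and through a phoneme track, then merges the results; the data, the fixed phoneme timing, the pronunciation table, and the merge policy in `hot_spots` are all assumptions of the example.

```python
"""Keyword search against a word index and a phoneme track of the same audio."""

# Constructed utterance: (spoken word, start in ms, phonemes emitted by the
# phoneme recognizer, word emitted by the word recognizer).
UTTERANCE = [
    ("the",       0,    "DH AH",            "the"),
    ("shipment",  200,  "SH IH P M AH N T", "shipment"),
    ("left",      700,  "L EH F T",         "left"),
    ("shengzhen", 1000, "SH AH N JH EH N",  "engine"),  # out of vocabulary
    ("at",        1600, "AE T",             "at"),
    ("night",     1800, "N AY T",           "night"),
    ("that",      2200, "DH AE T",          "that"),
    ("is",        2500, "IH Z",             "is"),
    ("all",       2700, "AO L",             "all"),
]
PHONE_MS = 60  # assumed fixed phoneme duration, used only to timestamp phonemes

# Query pronunciations: a constructed table standing in for a pronunciation model.
PRONUNCIATIONS = {
    "shengzhen": "SH AH N JH AH N",
    "shipment": "SH IH P M AH N T",
    "at": "AE T",
}

WORD_INDEX = {}
for _, start, _, recognized in UTTERANCE:
    WORD_INDEX.setdefault(recognized, []).append(start)
ASR_VOCAB = set(WORD_INDEX)  # constructed: vocabulary = words in the transcript

PHONE_TRACK = [(p, start + PHONE_MS * i)
               for _, start, phones, _ in UTTERANCE
               for i, p in enumerate(phones.split())]


def word_search(query):
    """Exact lookup in the word recognizer's transcript index."""
    return list(WORD_INDEX.get(query, []))


def edit_distance(a, b):
    """Levenshtein distance between two phoneme lists."""
    row = list(range(len(b) + 1))
    for i, pa in enumerate(a, 1):
        diag, row[0] = row[0], i
        for j, pb in enumerate(b, 1):
            above = row[j]
            row[j] = min(above + 1, row[j - 1] + 1, diag + (pa != pb))
            diag = above
    return row[-1]


def phoneme_search(query):
    """Approximate match of the query's phonemes anywhere in the phoneme track."""
    q = PRONUNCIATIONS[query].split()
    tolerance = len(q) // 4          # one phoneme error per four query phonemes
    phones = [p for p, _ in PHONE_TRACK]
    candidates = []
    for start in range(len(phones)):
        for length in range(max(1, len(q) - tolerance), len(q) + tolerance + 1):
            if start + length > len(phones):
                break
            dist = edit_distance(q, phones[start:start + length])
            if dist <= tolerance:
                candidates.append((dist, start, start + length))
    hits = []                        # keep the best of each overlapping cluster
    for _, begin, end in sorted(candidates):
        if all(end <= b or begin >= e for b, e in hits):
            hits.append((begin, end))
    return sorted(PHONE_TRACK[b][1] for b, _ in hits)


def hot_spots(query, min_phones=4, agree_ms=100):
    """Merge both engines; this policy is an assumption, not the AHS rule."""
    words = word_search(query)
    if query not in ASR_VOCAB:       # only the phoneme engine can find it
        return [(t, "phoneme") for t in phoneme_search(query)]
    if len(PRONUNCIATIONS[query].split()) < min_phones:
        return [(t, "word") for t in words]   # short word: phoneme hits too noisy
    merged = {t: "word" for t in words}
    for t in phoneme_search(query):
        near = [w for w in words if abs(w - t) <= agree_ms]
        merged[near[0] if near else t] = "both" if near else "phoneme"
    return sorted(merged.items())


if __name__ == "__main__":
    for q in ("shengzhen", "at", "shipment"):
        print(q, word_search(q), phoneme_search(q), hot_spots(q))
```

On this sample the word index never returns the out-of-vocabulary name, while the phoneme track finds it despite one misrecognized phoneme but also reports the short query “at” inside “that”.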
FIGURE 3 AHS architecture.
FIGURE 4 AHS search interface.
Figure 4 illustrates the user interface for speech search, and includes a speaker and keyword search facility against both video and audio collections. The user can also search by nonspeech audio (e.g. clapping and laughter). For crosslingual needs, a query in English is translated to a foreign language (e.g. Spanish and Arabic) and is used to retrieve hot spots in a transcription of the target media, which is then retrieved and translated into the query language. This process is illustrated in Figure 5. The word “crisis” typed in by the user is translated into an Arabic query term and is used to search the target media, which is subsequently translated as shown.
FIGURE 5 AHS crosslingual audio hot spotting.
5 DECEPTION DETECTION
Detection of deception is important for assessing the value of informants, identifying deception at border crossings, and for antifraud, and can be revealed by face, voice, and body [8]. Evidence of increased pitch and vocal tension in deceptive subjects has been found in a literature survey [9]. The most widely cited sources of evidence of deception using speech include latency, filled pauses, discourse coherence, and the use of passive voice and contractions. However, most research on deceptive behavior has focused on visual cues such as body and facial gestures or on descriptive as opposed to empirical studies, much less automated means of detection. Hirschberg et al. [10] and Graciarena et al. [11] report on the use of a corpus-based machine learning approach to automated detection of deception in speech. Both leverage the Columbia-SRI-Colorado (CSC) corpus that consists of 22 native American English speakers who were motivated by financial reward to deceive an interviewer on two tasks out of six in sessions lasting between 25 and 50 min. Using a support vector machine based on prosodic/lexical features combined with a Gaussian mixture model based on acoustic features, Graciarena et al. [11] report 64.4% accuracy in automatically distinguishing deceptive from nondeceptive speech. Although these efforts are promising, one national study [12] argues for the need for significant interdisciplinary research in this important area.
6 THE CHALLENGE OF VIDEO
Just as acoustic information provides vital information for homeland security, so too visual information is a critical enabler. Although static images are commonly used to identify suspects, characterize facilities, and/or describe weapons and threats, motion pictures have become increasingly valuable because of their ability to capture not only static objects and their properties but also dynamic events. The following are the challenges faced by video processing:
• Broad area coverage. 24 × 7 video surveillance of a broad area poses challenges with processing, storage, power, and sustainability. For example,
  ◦ thousands of cameras are deployed in the United Kingdom for tasks such as facility surveillance, traffic monitoring, and environmental observations (e.g. river levels).
• Real-time processing. Events (e.g. border crossing and crimes) occur in real time and frequently require immediate intervention. For example,
  ◦ a new nationwide network of cameras at the National Automatic Number Plate Recognition Data Centre north of London will record up to 50 million license plates a day to detect duplicates and track criminals.
• Massive volume. Video requires roughly 10 times as much storage as audio; therefore, methods for compression should be efficient for storage and dissemination. Moreover, real-time or retrospective human review of material is tedious and an ideal opportunity for automation.
• Accuracy and consistency of detection, identification, and tracking. Object and event detection and recognition in a broad range of conditions (lighting, occlusion, and resolution) are severe challenges.
• Privacy preservation. The broad deployment of cameras raises challenges for privacy as well as cross boundary sharing identical systems.
• Processing. Effective understanding of video requires many subchallenges including format conversion, detection, segmentation, object/face recognition, gesture and gait recognition, and event understanding.
• Nature. Occlusion (e.g. fog and rain), lighting, object orientation, and motion require size, rotation, shape, and motion invariant detection that is robust to natural variation.
• Noise. Noise from lenses, cameras, the environment (e.g. lighting and smoke/fog/snow), storage, and transmission.
• Variability. The natural variability in foreground, background, objects, relationships, and behaviors as well as wide variations in illumination, pose, scale, motion, and appearance.

There are many benefits of automated video processing including the following:
• Automated identification and tracking.
• Correlation. Storage and indexing can enable correlation of objects across time and space, pattern detection, forensics as well as trend analysis.
• Cross cuing. Initial detection of objects or events can cue more complete or higher quality tracking.
• Compression. Object ID and tracking can dramatically reduce storage and dissemination needs.
There are many important application areas of video processing, from interview deception detection to monitoring of border crossings or facilities (e.g. airport and military base entrances). For example, the Bordersafe project [13] automatically extracts license plate numbers from video as cars travel in and around Tucson, Arizona. The Tucson Customs and Border Protection (CBP) has captured over 1 million records of license plate numbers, state, date, and time from over 225,000 distinct vehicles from both the United States and Mexico. Comparison revealed that plates from over 13,000 of those border crossing vehicles (involved in nearly 60,000 border crossings) were associated with criminal records from Tucson and Pima County law enforcement.
7 AUTOMATED VIDEO PROCESSING
The key elements necessary for automated understanding of video have been explored since the early days of vision research in robotics in artificial intelligence. In addition to systems to process imagery from security surveillance cameras, algorithms are needed to analyze the 31 million hours of original television programming per year from over 20,000 broadcast stations around the world. For example, as illustrated in Figure 6, using an integration of text, audio, imagery, and video processing, the Broadcast News Navigator [14] enables a user to browse and perform content-based search on videos personalized to their interests. Users can find content two and one half times faster than with sequential video search, with no loss in accuracy, by searching directly for specific content. The related Informedia system (www.informedia.cs.cmu.edu) has explored video privacy protection via methods such as face pixelizing, body scrambling, masking, and body replacement.

FIGURE 6 Broadcast news navigation.

Homeland security users may need to monitor not only broadcast news, but other video sources such as security cameras. As illustrated in Figure 7, research at MIT has integrated question answering technology together with video understanding methods to create a video question answering system. Figure 7 illustrates motion tracks detected in two different settings: an airport tarmac (a) and an entrance gate to an office park (b). This is used by Katz et al. [15] in a prototype information access system, called Spot, that combines a video understanding system together with a question answering natural language front end to answer questions about video surveillance footage taken around the Technology Square area in Cambridge, Massachusetts. Spot can answer questions such as the following:
• “Show me all cars leaving the garage.”
• “Show me cars dropping off people in front of the white building”
• “Did any cars leave the garage toward the north?”
• “How many cars pulled up in front of the office building?”
• “Show me cars entering Technology Square.”
• “Give me all northbound traffic.”

FIGURE 7 Motion tracks detected on airport tarmac (a) and office park (b).

This kind of intuitive, query-based access to information can both dramatically enhance facility situational awareness and enable focused investigation.
8 MULTICAMERA VIDEO ANALYSIS
In addition to moving object detection, identification, and tracking, employment of active multicamera systems enables wide area surveillance, mitigates occlusion, and reveals 3D information [16]. However, multicamera systems require solutions for emplacement and use, selection of best views, cross camera handoff of tracked objects, and multisensor fusion. These have been successfully used for surveillance of people at the SuperBowl or for traffic monitoring. Active cameras—that support active pan, tilt, and zoom—allow automated focus of attention on objects of interest in scenes. In addition to the visible spectrum, infrared sensors can help track humans, animals, and vehicles hidden in dense foliage. Multicamera environments can enable, for example, continuous monitoring of critical infrastructure (e.g. air or seaport, military facility, and power plant), detect perimeter breaches, track moving people or vehicles, pan/tilt/zoom for identification, and issue alerts.
9 STATE OF THE ART
With all of the rapid advances in video processing, how well do these systems work? As illustrated in Figure 8, NIST organizes an annual benchmarking activity to compare the performance of video understanding systems. As can be seen, this annual event has grown from a few participants in 2001 processing about a dozen hours of video to dozens of participants processing hundreds of hours' worth of video to support search for particular video segments. For example, in the 2004 NIST TRECVID benchmarking activities [17], participants included IBM Research, Carnegie Mellon University, and the University of Amsterdam. They applied their systems to four tasks required to find relevant segments in video data sets: shot boundary, story boundary, and feature detection as well as search. The video data set contained over 184 h of digitized news episodes from ABC and CNN with the task of discovering 10 types of segment, in particular:
• Boat/ship. Segment contains video of at least one boat, canoe, kayak, or ship of any type.
• Bill Clinton. Segment contains video of Bill Clinton.
• Madeleine Albright. Segment contains video of Madeleine Albright.
• Train. Segment contains video of one or more trains or railroad cars that are part of a train.
• Beach. Segment contains video of a beach with the water and the shore visible.
• Airplane takeoff. Segment contains video of an airplane taking off, moving away from the viewer.
• People walking/running. Segment contains video of more than one person walking or running.
• Physical violence. Segment contains video of violent interaction between people and/or objects.
• Road. Segment contains video of part of a road, any size, paved or not.
• Basket scored. Segment contains video of a basketball passing down through the hoop and into the net to score a basket, as part of a game or not.
FIGURE 8 TRECVID trends (video hours and participants by year, 2001 to 2008).
To address the diversity of potential video data and to continually challenge researchers, each year the data sets grow and the evaluation tasks are expanded. For example, the TRECVID 2005 data set added multilingual video (Chinese and Arabic in addition to English) and the topics were slightly different and ranged from finding video segments of people (e.g. prisoner), places (e.g. mountain, building exterior, and waterscape/waterfront), things (e.g. car, map, and US flag) to events (e.g. people walking/running, explosion or fire, and sports). In 2007, a video summary task was added to the existing shot boundary, search, and feature detection tasks and in 2008 surveillance event detection was added along with 100 h of airport surveillance video. Effectiveness on video segment retrieval is measured primarily using mean average precision (the mean of the average precision of each query), which ranges widely by topic. Other measures include search processing time and precision at various depths. For interactive searches, participants are encouraged to collect data on usability as seen by each searcher. For example, in 2006, interactive retrieval of Tony Blair segments was achieved at nearly 90% mean average precision, whereas segments of people entering or leaving a building were recognized at only the 10% level.
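The retrieval measures named above, worked through as an added example; this is not code from the handbook or from NIST's evaluation tooling. The topic names, shot IDs, and relevance judgments are constructed, and the handling of duplicate results and short result lists is an assumption of this sketch.

```python
"""Ranked-retrieval metrics for video segment search, on constructed data."""
from typing import Dict, List, Set


def _dedupe(ranked: List[str]) -> List[str]:
    """Keep the first occurrence of each shot ID so a repeat cannot score twice."""
    seen: Set[str] = set()
    unique: List[str] = []
    for shot in ranked:
        if shot not in seen:
            seen.add(shot)
            unique.append(shot)
    return unique


def precision_at_depth(ranked: List[str], relevant: Set[str], depth: int) -> float:
    """Fraction of the top `depth` results that are relevant.

    The denominator is always `depth` (assumption of this sketch), so a
    system that returns fewer results than asked for is penalized.
    """
    if depth <= 0:
        raise ValueError("depth must be a positive integer")
    top = _dedupe(ranked)[:depth]
    return sum(1 for shot in top if shot in relevant) / depth


def average_precision(ranked: List[str], relevant: Set[str]) -> float:
    """Average of the precision values at each rank where a relevant shot appears.

    Dividing by the number of relevant shots, not the number retrieved,
    means relevant shots that were never returned pull the score down.
    """
    if not relevant:
        raise ValueError("topic has no relevant shots; AP is undefined")
    hits = 0
    precision_sum = 0.0
    for rank, shot in enumerate(_dedupe(ranked), start=1):
        if shot in relevant:
            hits += 1
            precision_sum += hits / rank
    return precision_sum / len(relevant)


def mean_average_precision(runs: Dict[str, List[str]],
                           judgments: Dict[str, Set[str]]) -> float:
    """Mean of per-topic AP; a judged topic with no submitted results scores 0."""
    if not judgments:
        raise ValueError("no judged topics")
    scores = [average_precision(runs.get(topic, []), relevant)
              for topic, relevant in judgments.items()]
    return sum(scores) / len(scores)


# Constructed relevance judgments: the shots an assessor marked relevant per topic.
JUDGMENTS: Dict[str, Set[str]] = {
    "boat_ship": {"s1", "s4", "s7"},
    "people_entering_building": {"s3", "s8", "s10", "s12"},
}

# Constructed system output: shot IDs ranked best-first for each topic.
RUN: Dict[str, List[str]] = {
    "boat_ship": ["s1", "s2", "s4", "s9", "s7"],
    "people_entering_building": ["s5", "s3", "s6", "s11", "s13", "s8"],
}

if __name__ == "__main__":
    for topic, relevant in JUDGMENTS.items():
        ap = average_precision(RUN[topic], relevant)
        p3 = precision_at_depth(RUN[topic], relevant, 3)
        print(f"{topic:26s} AP={ap:.3f}  P@3={p3:.3f}")
    print(f"MAP={mean_average_precision(RUN, JUDGMENTS):.3f}")
```

The two constructed topics score very differently, which is the per-topic spread that a single mean average precision figure hides.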
10 FUTURE RESEARCH
The challenges of audio and video analysis are daunting but with the rapid growth of sources, the need is equally great. Spoken dialog retrieval is an exciting research area precisely because it contains all the traditional challenges of spoken language processing together with the challenges imposed by the retrieval task. Some important spoken conversation processing challenges include [18]
• dealing with multiple speakers;
• dealing with foreign language and associated accents;
• incorporating nonspeech audio dialog acts (e.g. clapping and laughter);
• conversational segmentation and summarization;
• discourse analysis, such as analyzing speaking rates, turn taking (frequency and durations), concurrence/disagreement, which often provides insights into speaker emotional state, attitudes toward topics and other speakers, and roles/relationships.
Some important speech retrieval challenges include the following:
• How can we provide a query by example for a speech or audio signal, for example, find speech that sounds (acoustically and perceptually) like this? (See Sound Fisher in Reference 19.)
• How can we provide (acoustic) relevancy feedback to enhance subsequent searches?
• How do we manage whole story/long passage retrieval that exposes users to too much errorful ASR output or too much audio to scan?
• Because text-based keyword search alone is insufficient for audio data, how do we retain and expose valuable information embedded in the audio signal?
• Are nonlinguistic audio cues detectable and useful?
• Can we utilize speech and conversational gists (of sources or segments) to provide more efficient querying and browsing?
Some interesting application challenges are raised, such as dialog visualization, dialog comparison (e.g. call centers), or dialog summarization, simultaneously with the challenge of addressing speech and dialog. Like audio analysis, video analysis has many remaining research challenges. These include
• scalable processing to address large-scale video collections;
• processing of heterogeneous video sources from cell phone cameras to handheld video cameras to high definition mobile cameras;
• robustness to noise, variability, and environmental conditions;
• bridging the “semantic gap” between low level features (e.g. color, shape, and texture) and high level objects and events.
The combination of both audio and video processing is an area of research that promises combined effects. These include
• cross modal analysis to support cross cuing for tasks such as segmentation and summarization;
• cross modal sentiment analysis for detection of bias and/or of deception;
• cross media analysis for biometrics for identity management to overcome the noise and errorful detection in single media (e.g. audio and video) identification;
• utilization of speech and conversational gists (of video sources or segments) to provide more efficient video querying and browsing.
In conclusion, speech and video processing promise significant enhancement to homeland security missions. Addressing challenges such as scalability, robustness, and privacy up front will improve the likelihood of success. Mission-oriented development and application promise to detect dangerous behavior, protect borders, and, overall, improve citizen security.
REFERENCES
1. Office of Homeland Security (2002). National Strategy for Homeland Security. http://www.whitehouse.gov/homeland/book.
2. Woodward, J., Orlans, N., and Higgins, P. (2003). Biometrics: Identity Assurance in the Information Age. McGraw-Hill, Berkeley, CA.
3. Gonzales, R., Woods, R., and Eddins, S. (2004). Digital Image Processing using MATLAB. Prentice-Hall, Upper Saddle River, NJ.
4. Zechner, K., and Waibel, A. (2000). DiaSumm: flexible summarization of spontaneous dialogues in unrestricted domains. Proceedings of the 18th Conference on Computational Linguistics, Saarbrücken, Germany, pp. 968–974.
5. Hu, Q., Goodman, F., Boykin, S., Fish, R., and Greiff, W. (2003). Information discovery by automatic detection, indexing, and retrieval of multiple attributes from multimedia data. The 3rd International Workshop on Multimedia Data and Document Engineering. September 2003, Berlin, Germany, pp. 65–70.
6. Hu, Q., Goodman, F., Boykin, S., Fish, R., and Greiff, W. (2004). Audio hot spotting and retrieval using multiple audio features and multiple ASR engines. Rich Transcription 2004 Spring Meeting Recognition Workshop at ICASSP 2004. Montreal.
7. Hu, Q., Goodman, F., Boykin, S., Fish, R., and Greiff, W. (2004). Audio hot spotting and retrieval using multiple features. Proceedings of the HLT-NAACL 2004 Workshop on Interdisciplinary Approaches to Speech Indexing and Retrieval. Boston, USA, pp. 13–17.
8. Ekman, P., Sullivan, M., Friesen, W., and Scherer, K. (1991). Face, voice and body in detecting deception. J. Nonverbal Behav. 15(2), 125–135.
9. DePaulo, B. M., Lindsay, J. J., Malone, B. E., Muhlenbruck, L., Charlton, K., and Cooper, H. (2003). Cues to deception. Psychol. Bull. 129(1), 74–118.
10. Hirschberg, J., Benus, S., Brenier, J., Enos, F., Friedman, S., Gilman, S., Girand, C., Graciarena, M., Kathol, A., Michaelis, L., Pellom, B., Shriberg, D., Stolcke, A. (2005). Distinguishing deceptive from non-deceptive speech. Interspeech 2005. September 4–8, Lisbon, Portugal, pp. 1833–1836.
11. Graciarena, M., Shriberg, E., Stolcke, A., Enos, F., Hirschberg, J. and Kajarekar, S. (2006). Combining prosodic, lexical and cepstral systems for deceptive speech detection. Proceedings of IEEE ICASSP. Toulouse.
12. Intelligence Science Board (2006). Educing Information. Interrogation: Science and Art. National Defense Intelligence Council Press, Washington, DC, http://www.dia.mil/college/pubs/pdf/3866.pdf.
13. Chen, H., Wang, F.-Y., and Zeng, D. (2004). Intelligence and security informatics for homeland security: information, communication, and transportation. IEEE Trans. Intell. Transp. Syst. 5(4), 329–341.
14. Maybury, M., Merlino, A., and Morey, D. (1997). Broadcast news navigation using story segments, ACM International Multimedia Conference. November 8–14, Seattle, WA, pp. 381–391.
15. Katz, B., Lin, J., Stauffer, C., and Grimson, E. (2004). Answering questions about moving objects in videos. In New Directions in Question Answering, Maybury, M., Ed. MIT Press, Cambridge, MA, pp. 113–124.
16. Trivedi, M. M., Gandhi, T. L., and Huang, K. S. (2005). Distributed interactive video arrays for event capture and enhanced situational awareness. IEEE Intell. Syst. 20(5), 58–66.
17. Smeaton, A. F., Over, P., and Kraaij, W. (2006). Evaluation campaigns and TRECVid. In Proceedings of the 8th ACM international Workshop on Multimedia information Retrieval (Santa Barbara, California, USA, October 26–27, 2006). MIR ’06. ACM, New York, NY, pp. 321–330.
18. Maybury, M. (2007). Searching conversational speech. Keynote at workshop on searching spontaneous conversational speech. International Conference on Information Retrieval (SIGIR-07). 27 July 2007. Seattle, WA.
19. Maybury, M. Ed. (1997). Intelligent Multimedia Information Retrieval. AAAI/MIT Press, Menlo Park, CA, (http://www.aaai.org:80/Press/Books/Maybury-2/).
FURTHER READING
Maybury, M. Ed. (2004). New Directions in Question Answering. AAAI/MIT Press, Cambridge, MA.
NIST Meeting Room Project: Pilot Corpus. http://www.nist.gov/speech/test beds.
Popp, R., Armour, T., Senator, T., and Numrych, K. (2004). Countering terrorism through information technology. Commun. ACM 47(3), 36–43.
Tao, Li., Tompkins, R., and Asari, V. K. (2005). An Illuminance-Reflectance Nonlinear Video Enhancement Model for Homeland Security Applications, aipr, 34th Applied Imagery and Pattern Recognition Workshop (AIPR’05), pp. 28–35.
TRAINING AND LEARNING DEVELOPMENT FOR HOMELAND SECURITY
Eduardo Salas and Elizabeth H. Lazzara
University of Central Florida, Orlando, Florida
1 INTRODUCTION
On December 22, 2001, Richard Colvin Reid hid explosives in his shoes in an effort to destroy American Airlines Flight 63 bound to the United States from Paris (BBC News 2008) [1]. His attempt was ultimately unsuccessful because other passengers were able to resolve the situation; however, the world would come to know this man as the “shoe bomber”. This incident marked a drastic change in the policies and procedures for commercial airlines in order to ensure the safety of all people onboard. Due to the high-risk nature of the situation and the consequences of possible outcomes, all employees responsible for screening passengers boarding aircraft would be mandated to undergo intense training to be able to detect any clues to prevent another such occurrence from happening in the future. This example illustrates the importance of training and learning development in Homeland Security (HS).
Recently, Salas and colleagues [2] defined training as “the systematic acquisition of knowledge (i.e. what we need to know), skills (i.e. what we need to do), and attitudes (i.e. what we need to feel) (KSAs) that together lead to improved performance in a particular environment” (p. 473). Learning occurs when there is a permanent cognitive and behavioral change by acquiring the requisite competencies to perform the job. We submit that learning is facilitated when the training design and delivery is guided by the findings from the science of learning (and training). The purpose of this article is to provide some insights about the science and offer some principles to help in designing, developing, implementing, and evaluating training.
2 THE PHASES OF TRAINING
The design of training is a process that consists of a set of interrelated phases; to be effective, it must be applied systematically. In this article, we discuss four general training phases. These phases, and associated principles and guidelines, represent what we know from the science about what works and what must be done when designing and delivering training in any organization. We hope that these will guide those in the practice of designing and implementing training for HS purposes. As noted, effective training requires attention to four phases [3]. These are discussed below with specific principles to guide the focus and shape the actual elements in each phase.
2.1 Phase 1: Analyze the Organizational Training Needs
This is one of the most critical phases of training because many important decisions are made at this juncture. It is in this phase where skill deficiencies are determined and where the environment is prepared and set for learning and transfer to occur in the organization. Therefore, before training can be successfully designed and implemented, it is necessary to assess the needs of the organization. This is done in order to properly set up the learning environment to uncover the necessary KSAs and prepare the organization for the training.
2.1.1 Uncover the Required KSAs.
To determine what KSAs are needed, all of the required tasks to be performed must be analyzed. Ideally, the analysis focuses on the competencies that must be acquired and not on the actual tasks to be performed because competencies are common throughout a variety of tasks. To uncover the requisite KSAs, organizations should conduct a task analysis and/or cognitive task analysis. Task analyses are needed to determine what competencies are needed to perform a job successfully. Cognitive task analysis goes deeper and uncovers the knowledge or cognitions underneath job performance. These analyses set the foundation for designing a successful training program. They help in establishing the training objectives and the learning outcomes, and provide the learning expectations for both trainers and trainees. Furthermore, the training objectives outline the conditions that will take place during job performance, and they provide the acceptable criterion to measure performance [4]. In addition to uncovering and analyzing the necessary competencies, it is also critical to determine who exactly needs to be trained and what they need to be trained on. Conducting a person analysis ensures that the right people get the appropriate training. Employees possess and need different KSAs; therefore, they do not necessarily require the same kind of training. More experienced employees would not need an extensive, intense training session compared to new, inexperienced employees.
2.1.2 Prepare the Organization.
Before a training system can be designed and implemented, the organization needs to be prepared. Goldstein and Ford [5] proposed that some aspects of the organization to be considered include “an examination of organizational goals, resources of the organization, transfer climate for training, and internal and external constraints present in the environment” (p. 41). In other words, do the goals of the organization and training program align? Does the training support the strategic goals of the organization? What are the available resources (e.g. finances, technology, and so on)? What are the possible limitations that the training might encounter based upon the existing resources? Lastly, is the organizational climate fostering learning and the importance of the training? That is, are the climate and culture conducive to transferring the newly acquired KSAs to the actual operating environment? Is the organization motivating the trainees to attend training? To set up the appropriate climate, organizations need to send out positive messages about training so that trainees will see the value of the training. Trainees will also be more supportive of the training system if it is voluntary rather than being mandatory. If training must be mandatory, make it with as few obstacles as possible. Overall, the organizational climate should support and encourage the training to ensure its success. In total, determining the precise training needs is imperative. Knowing what, why, who, when, and how to train before designing training is a must. Organizations get the most out of training when the required KSAs are uncovered and the organizations prepare the training and set its climate to support learning.
2.2 Phase 2: Design and Develop Instruction
The second phase is about designing and developing the instructional content, storyboards, lesson plans, materials, curriculum, and preparing all the resources needed to deliver and implement the training.
A number of factors are important here; most notably, reliance on the science of training to drive decisions as much as possible. This science has produced many guidelines, tips and examples that can be applied [3, 6, 7].
2.2.1 Rely on Scientifically Rooted Instructional Principles.
Clearly, effective training is about applying pedagogically sound principles to the design of instruction. It is about using the science to create a learning environment that will engage, motivate, propel, and immerse the trainee in acquiring KSAs. Thus, it is critical when designing training to consider individual factors (e.g. cognitive ability, self efficacy, and motivation) as well as organizational factors (e.g. policies, procedures, prepractice conditions, and feedback) because they are extremely influential in the learning outcomes. For example, a trainee’s motivation level can determine their ability to acquire, retain, and apply trained skills; therefore, training should be designed to enhance the trainees’ motivation to learn [8, 9].
2.2.2 Set up Prepractice Conditions.
In addition to establishing a positive organizational climate, organizations must set up prepractice conditions to enhance the effectiveness of the training system [10]. The efforts made prior to training will positively affect learning and ultimately performance; therefore, trainees should be prepared even before training begins. They should receive preparatory information about the training (e.g. brochures and pamphlets) or advanced organizers to manage the information [11]. Furthermore, providing trainees with attentional advice can guide them in deciding what strategies will foster learning [3]. The benefit of setting up the prepractice conditions is that not only will it benefit trainees by optimizing learning but it is also a cost-effective way to facilitate the success of the training system.
2.2.3 Create Opportunities to Practice and Receive Feedback.
Any training seeks to give information about needed concepts, demonstrate required cognitions and behaviors, and create opportunities to practice and receive feedback. The instructional delivery should be guided by training objectives; and the information, demonstration, and/or practice-based strategy demonstrations should target the wanted KSAs. The practice opportunities should be challenging and vary in difficulty because it is not the quantity of practice per se that is important but rather the quality of practice. Mere repetition does not necessarily enhance learning; therefore, as trainees learn and improve their KSAs, the scenarios should be more difficult and varied. To ease comparisons and ensure standardization, scenarios should be designed a priori [12]. Moreover, developing the scenarios prior to training eases the burden on trainers by allowing them more control. In addition, instructors can focus on providing trainees with feedback because it will foster training by providing guidance on what areas are lacking and still need improvement [13].
2.2.4 Seek to Diagnose KSAs’ Deficiencies.
In order to establish whether trainees learned the requisite KSAs, performance measures must be created to assess the trained competencies against the stated objectives. Ideally, performance measures evaluate processes as well as outcomes on both the individual and team level (if applicable; [3]). The effectiveness of the training lies heavily on the ability to assess and diagnose performance [14].
Therefore, organizations should take careful consideration when deciding what tool to use to evaluate performance against the trained objectives. One approach is to utilize a behavioral checklist (e.g. Targeted Acceptable Responses to Generated Events or Tasks (TARGETS)), which evaluates trainees by recording the presence or absence of desired behaviors to scripted events [15]. Other approaches are available as well (see [16]).
2.3 Phase 3: Implement the Training
The third phase is the implementation or actual execution of the training program or system. This is the more “mechanical” part, but pay attention to the location, resources, instructor, and the delivery of the instructional system (e.g. information or practice based).
2.3.1 Put Everything into Action.
After the training has been designed, it is time to implement it. Now, it is time to identify the training site and ensure that it is prepared prior to training. The training site should be a comfortable setting and equipped with the proper resources. Instructors must also be trained and prepared to be able to address any issues/concerns that may arise during training. At this point, any instructional materials are finally carried out and the training is completely functional. Preferably, the fully functioning training should be pilot tested to discover any potential problems and to be able to make the appropriate adjustments [17]. Because of the possibility that things will go wrong, relapse prevention procedures should be created in order to solve any dilemmas.
2.4 Phase 4: Evaluate the Training
The fourth phase is one that most organizations want to implement; however, most avoid it altogether or just simply do not go deep enough to truly determine the effectiveness of the training. Evaluations are designed to determine what worked and to assess the impact of the training system on the organization.
2.4.1 Use a Multilevel Approach.
Incorporating a training program into an organization does not stop once it has been implemented. The training must be evaluated to truly determine its effectiveness. Ideally, researchers suggest taking a multilevel approach to evaluation in order to obtain the complete picture. Kirkpatrick [18] devised a popular evaluation strategy measuring reactions, learning, behavioral change, and organizational impact. A multilevel approach will identify the successful aspects of the training program as well as the elements that are still lacking and need further adjustments in order to improve. When evaluations are based on only one dimension, it is easy to obtain an inaccurate assessment of the impact of the training intervention. For example, it is possible that trainee reactions are positive, yet learning did not take place [19]. Therefore, it is beneficial to examine at higher levels (e.g. learning and behavioral change; [20]). Assessments at the behavioral level will indicate whether the trained KSAs will be transferred to on the job performance [5]. Thus, it is not only crucial that trainees react positively and learn the material, but it is also important that they apply the trained KSAs to the job.
2.4.2 Ensure Transfer of the Acquired KSAs.
Training is only beneficial to the organization when the learned KSAs are not only learned during the training but also applied and maintained on the job [7, 21]. Hence, organizations must prepare the climate to facilitate using the KSAs learned during training [22]. For example, trainees need opportunities to perform [23] because a substantial delay between training and job performance can lead to significant skill decay [24]. Supervisors should also encourage trainees to use their trained skills on the job by providing positive reinforcement (e.g. verbal praise and monetary reward; [25]). Positive reinforcement when applied appropriately (i.e. immediately following behavior) will lead to repetition [26]. Having supervisory support and providing reinforcements sends out a positive message to trainees, which is imperative to the success and effectiveness of training.
3 LEARNING DEVELOPMENT
Now that we have an understanding of the science behind designing, developing, implementing, and evaluating a training program, we can discuss some of the possible training strategies. Because employees must implement a variety of information and skills on a daily basis, it is necessary to possess a variety of training strategies in your arsenal to be able to customize and adapt to all of the different requisite competencies required to perform each task. As technology permeates businesses, more complex skills are required to complete tasks in the work environment; therefore, it is necessary that our training strategies become more complex as well to adjust to the growing changes. Due to the popularity of technology and the growing demand of organizations to use teams to perform complex tasks, we will elaborate on simulation-based training (SBT) and games as a learning development strategy. Moreover, because organizations often lack the time to implement a formal training program, we will discuss an informal technique called on-the-job training (OJT).
3.1 Simulation-based Training
SBT is an interactive, practice-based instructional strategy which provides opportunities for trainees to develop the requisite competencies and enhance their expertise through scenarios and feedback [12]. The scenarios serve as the “curriculum”. In other words, the learning objectives derived from the training needs analysis are embedded within the scenarios. The SBT “life cycle” consists of a number of interrelated and critical stages and each step is fundamental to the next [27]. The first step is to verify trainees’ existing skills and their previous performance record. Next, determine the tasks and competencies that will be emphasized during training. As a result of the second step, the training/learning objectives can be established. Upon the completion of all of these steps, scenarios can be created. The scenarios are scripted and designed to elicit the requisite competencies by incorporating “trigger” events. Afterwards, performance measures must be developed to assess the effectiveness of the training. Then, the performance data is collected and compared to the existing, previous data.
The collected data serves as the foundation and guide for providing feedback to the trainees. Lastly, all of the information can then be used to make any adjustments or modifications to the training program. SBT can be an optimal instructional strategy because it has many benefits. First, SBT mimics the job environment; therefore, it is very realistic, which makes transferring skills to the job easier [28]. In addition, SBT allows an organization to explore training with a variety of scenarios, which facilitates and accelerates expertise [2]. Third, SBT is interactive and engaging. Being engrossed in training is influential to motivation, and researchers have shown that motivation enhances learning [29]. Last, SBT, when utilizing carefully crafted scenarios and measures, can facilitate the diagnosis of performance.
3.2 Games
Recently, the military along with other organizations have started to use games as instructional tools to acquire knowledge, skills, and attitudes applicable in the work place as well as other settings. Games can be defined as “a set of activities involving one or more players. It has goals, constraints, payoffs, and consequences. A game is rule-guided and artificial in some respects. Finally, a game involves some aspect of competition, even if that competition is with oneself” [30], p. 159. Although the definition of what constitutes a game is being debated by researchers because they are available in a wide array of formats (e.g. board games, console-based games, and PC-based games), there is agreement that games provide educational benefits to learning as a training tool. For example, Vogel and colleagues [31] conducted a meta-analysis and found that cognitive and attitudinal abilities were enhanced in participants when they used interactive games and simulations as opposed to traditional instruction methods. Games have become a popular instructional tool because they not only benefit the learner but are also advantageous for the developers and instructors. Users benefit by “playing” because the skills necessary to accomplish the goals within the game are applicable to other situations. Furthermore, games elicit motivation in users because they are interactive, fun, and engaging [32]. Developers and instructors benefit from leveraging games as well because they are modifiable (i.e. instructional features can be added in some cases with ease) and a cost-effective approach to learning.
3.3 On-the-Job Training
Frequently, in HS and in other organizations there is not sufficient time or resources to implement a formal training because new policies and procedures must be integrated immediately; therefore, OJT is one possible solution. OJT is “job instruction occurring in the work setting and during the work” [33], p. 3. Because it occurs on the job and does not require instructors or trainees to leave the job site, it is a very economical alternative. Moreover, occurring in the actual work environment has the added benefit of facilitating training transfer since trainees can see that the training is relevant and applicable to completing the job tasks. Therefore, the KSAs have more significance. However, in order to reap the benefits of such an applicable, customizable, low cost alternative, OJT needs to be executed correctly. All OJT is not created equal.
Practitioners need to abide by several learning principles in order to optimize the effectiveness of OJT. First, as with any other training, the top of the organization and its leaders need to support the OJT. For example, as noted earlier, organizations can show support through rewards and incentive programs [34]. Second, OJT facilitators also need to be included throughout the process [35]. OJT facilitators need to be involved in designing and developing the program as well as being trained on instructional techniques (e.g. coaching and mentoring). Often, facilitators are knowledgeable in their field; however, they lack the expertise to effectively teach others. Once the organization and the training facilitators are supportive, the trainees must be prepared. Preparatory information about the content of the upcoming OJT will not only establish the appropriate expectations, it will also foster motivation [10]. Third, it is absolutely critical that the OJT be structured and guided to be optimally effective. A structured OJT ensures standardization, reducing discrepancies in the way training is delivered and executed. OJT is a useful strategy when guided by the science of learning as well.
4 CONCLUDING REMARKS
Regardless of the strategy (e.g. SBT, games, and OJT) being implemented, training must follow the basic principles to ensure its success [6]. It must be developed systematically because all of the facets are interrelated, serving as the foundation for the next component—assessing the needs of the organization, identifying the necessary resources, developing the practice scenarios, evaluating the effectiveness, and providing feedback to make adjustments. But to ensure that trainees learn the requisite KSAs, the design, delivery, implementation, and evaluation of the training must be informed by the science of learning and training.
REFERENCES
1. BBC News (2008). Who is Richard Reid? (2001, December 28). Retrieved January 14, from http://news.bbc.co.uk/1/hi/uk/1731568.stm.
2. Salas, E., Priest, H. A., Wilson, K. A., and Burke, C. S. (2006). Scenario-based training: Improving military mission performance and adaptability. In Minds in the Military: The Psychology of Serving in Peace and Conflict, Vol. 2, Operational Stress, A. B. Adler, C. A. Castro, and T. W. Britt, Eds. Praeger Security International, Westport, CT, pp. 32–53.
3. Salas, E., and Cannon-Bowers, J. A. (2000a). Design training systematically. In The Blackwell Handbook of Principles of Organizational Behavior, E. A. Locke, Ed. Blackwell Publisher Ltd, Malden, MA, pp. 43–59.
4. Goldstein, I. L. (1993). Training in Organizations, 3rd ed., Brooks, Pacific Grove, CA.
5. Goldstein, I. L., and Ford, J. K. (2002). Training in Organizations: Needs Assessment, Development, and Evaluation, 4th ed., Wadsworth, Belmont, CA.
6. Salas, E., and Cannon-Bowers, J. A. (2000b). The anatomy of team training. In Training and Retraining: A Handbook for Business, Industry, Government, and the Military, S. Tobias, and J. D. Fletcher, Eds. MacMillan Reference, New York, pp. 312–335.
7. Salas, E., and Cannon-Bowers, J. A. (2001). The science of training: A decade of progress. Annu. Rev. Psychol. 52, 471–499.
8. Quinones, M. A. (1995). Pretraining context effects: training assignment as feedback. J. Appl. Psychol. 80, 226–238.
9. Quinones, M. A. (1997). Contextual influencing on training effectiveness. In Training for a Rapidly Changing Workplace: Applications of Psychological Research, M. A. Quinones, and A. Ehrenstein, Eds. American Psychological Association, Washington, DC, pp. 177–200.
10. Cannon-Bowers, J. A., Rhodenizer, L., Salas, E., and Bowers, C. A. (1998). A framework for understanding pre-practice conditions and their impact on learning. Pers. Psychol. 51, 291–320.
11. Cannon-Bowers, J. A., Burns, J. J., Salas, E., and Pruitt, J. S. (1998). Advanced technology in scenario-based training. In Making Decisions Under Stress: Implications for Individual and Team Training, J. A. Cannon-Bowers, and E. Salas, Eds. American Psychological Association, Washington, DC, pp. 365–374.
12. Fowlkes, J., Dwyer, D. J., Oser, R. L., and Salas, E. (1998). Event-based approach to training (EBAT). Int. J. Aviat. Psychol. 8(3), 209–221.
13. Salas, E., and Cannon-Bowers, J. A. (1997). Methods, tools, and strategies for team training. In Training for a Rapidly Changing Workplace: Applications of Psychological Research, M. A. Quinones, and A. Ehrenstein, Eds. APA, Washington, DC, pp. 249–280.
14. Salas, E., Wilson, K. A., Priest, H. A., and Guthrie, J. W. (2006). Training in organizations: the design, delivery and evaluation of training systems. In Handbook of Human Factors and Ergonomics, 3rd ed., G. Salvendy, Ed. John Wiley & Sons, Hoboken, NJ, pp. 472–512.
15. Fowlkes, J. E., and Burke, C. S. (2005). Targeted acceptable responses to generated events or tasks (TARGETs). In Handbook of Human Factors and Ergonomics Methods, N. Stanton, H. Hendrick, S. Konz, K. Parsons, and E. Salas, Eds. Taylor & Francis, London, pp. 53-1–53-6.
16. Brannick, M. T., Salas, E., and Prince, C., Eds. (1997). Team Performance Assessment and Measurement: Theory, Methods, and Applications, Lawrence Erlbaum Associates, Mahwah, NJ.
17. Clark, D. (2000). Introduction to Instructional System Design, Retrieved January 17, 2008 from http://www.nwlink.com/~donclark/hrd/sat1.html#model.
18. Kirkpatrick, D. L. (1976). Evaluation of training. In Training and Development Handbook: A Guide to Human Resource Development, 2nd ed., R. L. Craig, Ed. McGraw-Hill, New York, pp. 1–26.
19. Howard, S. K., Gaba, D. M., Fish, K. J., Yang, G., and Sarnquist, F. H. (1992). Anesthesia crisis resource management training: Teaching anesthesiologists to handle critical incidents. Aviat. Space Environ. Med. 63, 763–770.
20. Salas, E., Wilson, K. A., Burke, C. S., and Wightman, D. (2006). Does CRM training work? An update, extension, and some critical needs. Hum. Factors 48(2), 392–412.
21. Baldwin, T. T., and Ford, J. K. (1988). Transfer of training: a review and directions for future research. Pers. Psychol. 41, 63–105.
22. Tracey, B. J., Tannenbaum, S. I., and Kavanagh, M. J. (1995). Applying trained skills on the job: the importance of the work environment. J. Appl. Psychol. 80, 239–252.
23. Ford, J. K., Quinones, M. A., Sego, D. J., and Sorra, J. S. (1992). Factors affecting the opportunity to perform trained tasks on the job. Pers. Psychol. 45, 511–527.
24. Arthur, W., Bennett, W., Stanush, P. L., and McNelly, T. L. (1998). Factors that influence skill decay and retention: a quantitative review and analysis. Hum. Perform. 11, 79–86.
25. Rouiller, J. Z., and Goldstein, I. L. (1993). The relationship between organizational transfer climate and positive transfer of training. Hum. Resour. Dev. Q. 4, 377–390.
26. McConnell, C. R. (2005). Motivating your employees and yourself. Health Care Manag. (Frederick) 24(3), 284–292.
27. Salas, E., Wilson, K. A., Burke, C. S., and Priest, H. A. (2005). Using simulation-based training to improve patient safety: What does it take? Jt. Comm. J. Qual. Patient Saf. 31(7), 363–371.
28. Oser, R. L., Cannon-Bowers, J. A., Salas, E., and Dwyer, D. J. (1999). Enhancing human performance in technology-rich environments: Guidelines for scenario-based training. In Human/technology Interaction in Complex Systems, E. Salas, Ed. JAI Press, Greenwich, CT, Vol. 9, pp. 175–202.
29. Colquitt, J. A., LePine, J. A., and Noe, R. A. (2000). Toward an integrative theory of training motivation: A meta-analytic path analysis of 20 years of research. J. Appl. Psychol. 85(5), 678–707.
30. Dempsey, J. V., Haynes, L. L., Lucassen, B. A., and Casey, M. S. (2002). Forty simple computer games and what they could mean to educators. Simul. Gaming 33(2), 157–168.
31. Vogel, J. J., Vogel, D. S., Cannon-Bowers, J., Bowers, C. A., Muse, K., and Wright, M. (2006). Computer gaming and interactive simulations for learning: A meta-analysis. J. Educ. Comput. Res. 34(3), 229–243.
32. Garris, R., Ahlers, R., and Driskell, J. E. (2002). Games, motivation and learning: a research and practice model. Simul. Gaming 33(4), 441–467.
33. Rothwell, W. J., and Kazanas, H. C. (1994). Improving On-the-Job Training: How to Establish and Operate a Comprehensive OJT Program, Jossey-Bass, San Francisco.
34. Levine, C. I. (1996). Unraveling five myths of OJT. Techn. Skills Train. 7, 14–17.
35. Derouin, R. E., Parrish, T. J., and Salas, E. (2005). On-the-job training: Tips for ensuring success. Ergon. Des. 13(2), 23–26.
TRAINING FOR INDIVIDUAL DIFFERENCES IN LIE DETECTION ABILITY
Maureen O’Sullivan
University of San Francisco, San Francisco, California
Mark G. Frank
University of Buffalo, State University of New York, Buffalo, New York
Carolyn M. Hurley
University of Buffalo, State University of New York, Buffalo, New York
1 INTRODUCTION
Catching terrorists is a multilayered process. Although technological sensors are both rapid and reliable, as in the use of thermographic or facial and body analysis programs (see Human Behavior and Deception Detection), there are points in the process of assessing deception where only a human lie detector can be used. This may occur after the automated system shows a “hit” on an individual, which subjects him or her to further scrutiny, or in other security domains where access to technology is limited or nonexistent. Given these situations, it is important to determine who should interview such potential terrorists. Should we train all security personnel to improve their basic abilities? Or, should we select those most amenable to training, because of their motivation, skill, or other characteristics? Or, should we select already expert lie catchers; and if we do, how do we find them? The literature on how to increase lie detection accuracy through training has been sparse, although an increasing number of scientists are addressing this issue. This overview will enumerate some of the factors involved in designing a good training study and examine the current state of knowledge concerning training for improved lie detection accuracy.
2 INDIVIDUAL DIFFERENCES IN LIE DETECTION ABILITY
Over the last 50 years, a general presumption has been that lie detection accuracy is a particular ability or cognitive skill [1] that might be an aspect of social-emotional intelligence [2]. This widely held belief implies something approximating a normal distribution of lie detection accuracy scores, with most scores in the average range and a few being very high or very low. However, a recent study questioned this assumption. A 2008 meta-analysis [3] of 247 lie detection accuracy samples concluded that although there was reliable evidence that people vary in the ease with which their lies can be detected,
there is no evidence of reliable variance in the ability to detect deception. This rather controversial conclusion was criticized on a variety of grounds [4, 5]: most of the studies used college students, not professional lie catchers; the statistical model did not satisfy the classical test theory on which it was based; the metric used was standard deviations without reference to means, a highly misleading unit of measurement; and the authors ignored a substantial literature demonstrating convergent validity between lie detection accuracy and various social and psychological variables. Furthermore, in the last several years, as researchers use lie scenarios more appropriate to security personnel in their research, the number of reports in which highly accurate groups have been identified has increased [6]. The study of highly accurate individual lie detectors has been less common [7–9]. These studies suggest, however, that practice and motivation to detect deception are important variables. Moreover, expert lie detectors are more accurate with lies relevant to their profession [5, 9, 10]. Frank and Hurley [10] found that among law enforcement personnel, accuracy was greater for those with more experience in different domains of law enforcement. Homicide investigators, for example, were more accurate than fraud investigators who were more accurate than patrolmen walking a beat. Similarly, O’Sullivan [11] found, as predicted, that college administrators were more accurate in detecting the lies of college students than other non-faculty college personnel. In addition to supporting the view that experience makes a difference in lie detection accuracy, some of these studies support the view that experience with a particular kind of lie is important in lie detection. By extension, training to enhance lie detection accuracy should emphasize the particular lie of interest. Evidence relating to this point is reviewed below.
3 HOW EFFECTIVE IS TRAINING TO INCREASE LIE DETECTION ACCURACY?
In a review of 11 lie detection training studies completed between 1987 and 1999, Frank and Feeley [12] reported a small, but significant, positive effect of training. Their methodological review suggested that the literature was hindered by several weaknesses in the research designs of most of the studies performed. They emphasized the importance of several variables in designing training programs and evaluating them: (i) the relevance of the lie to the lie detectors being trained. Training college students to detect lies about friends told by other college students may not generalize to training law enforcement personnel about lies about past or present crimes; (ii) whether the lie scenario uses high stakes lies—lies that involve strong rewards and punishments for successful and unsuccessful deceiving—may affect both lie detection accuracy, and training conducted with them. A recent meta-analysis [6] suggests that even professional lie catchers, such as police personnel, will not be accurate in detecting low stakes lies, lies that are not important to the liars’ or the truth tellers’ self-identity, or lies without significant rewards or punishments. Their meta-analysis found that the average lie detection accuracy of police tested with high stakes lies was significantly higher than that of police tested with low stakes lies; (iii) in many studies, training consists of a brief, written description of potential cues to deception with no actual examples of the behaviors, no feedback, and no practice with similar or related kinds of behavior. Adequate training needs practice, feedback, and exemplars similar to the materials; (iv) basic experimental protocol should be followed, ideally, through the use of randomly determined experimental (trained) and control (untrained) groups with pre- and post-testing of both the experimental and
the control groups. Different liars and truth tellers should be included in the pre- and post-testing measures. And, of course, the difficulty of the two measures should be calibrated for equivalence; (v) assuming that a bona fide training effect is found (based on a standard experimental protocol), and that training with one kind of lie has been shown to increase accuracy with that lie, another issue is whether the training is lie-specific or generalizes to increased accuracy with other kinds of lies; (vi) in addition to generalization to other kinds of lies (what Frank and Feeley [12] called Situational Generality), a related issue is time generality. How long does such increased accuracy last? Is it a permanent learning effect? Or one that dissipates outside of the training environment? These six factors are sine qua nons for lie detection training research. In a more recent methodological review, Frank [13] expanded the discussion of these topics and included many suggestions about ways in which to improve lie detection accuracy studies. In the present overview, however, we use the Frank and Feeley [12] paradigm to examine the nine lie detection training studies that were completed from 2000 to 2007. Table 1 summarizes the strengths and defects of these studies in the light of the Frank and Feeley paradigm. In conclusion, we will discuss the importance of individual differences in designing training programs, over and above the variation in individual lie detection accuracy. As Table 1 shows, of the nine training studies, three found no significant training effect; in one of these studies the lie scenario may have been irrelevant to the test takers [14]. In the others, the training may have been inadequate [18, 20]. Among 16 different groups tested, nine (Table 1, groups 4–8, 12, 13, 15, 16) showed a significant lie detection accuracy increase, ranging from 2% to 37% (median increase = 20%).
TABLE 1 Lie Detection Accuracy Training Studies, 2000–2007
Group | Study              | n                | Sample Trained  | Accuracy Pre/Post | Relevance of Test | High Stakes of Test | Training Adequacy | Testing Adequacy | Situational Generality | Time Generality
------|--------------------|------------------|-----------------|-------------------|-------------------|---------------------|-------------------|------------------|------------------------|----------------
1     | Akehurst [14]      | 26               | Police          | Ns                | No                | No                  | Yes               | Yes              | No                     | No
2     | Akehurst [14]      | 14               | Social workers  | Ns                | No                | No                  | Yes               | Yes              | No                     | No
3     | Akehurst [14]      | 18               | College         | Ns                | No                | No                  | Yes               | Yes              | No                     | No
4     | Crews [15]         | 29 (groups 4–5)  | College         | 42/69             | Yes               | No                  | Yes               | Yes              | No                     | No
5     | Crews [15]         |                  | College         | 44/64             | Yes               | No                  | Yes               | Yes              | No                     | No
6     | George [16]        | 177 (groups 6–7) | Air Force       | 54/60             | Unknown           | Unknown             | Yes               | Unknown          | No                     | No
7     | George [16]        |                  | Air Force       | 47/61             | Unknown           | Unknown             | Yes               | Unknown          | No                     | No
8     | Hartwig [17]       | 164              | Police trainees | 56/85 (a)         | Yes               | Perhaps             | Yes               | Yes              | No                     | No
9     | Levine [18]        | 256              | College         | Ns                | Yes               | No                  | No                | No               | No                     | No
10    | Levine [18]        | 90               | College         | Ns                | Yes               | No                  | No                | No               | No                     | No
11    | Levine [18]        | 96               | College         | Ns                | Yes               | No                  | No                | No               | No                     | No
12    | Levine [18]        | 158              | College         | 56/58 (a)         | Yes               | No                  | Yes               | No               | No                     | No
13    | O’Sullivan [19]    | 78               | College         | 57/61             | Yes               | Yes                 | Yes               | No               | No                     | No
14    | Porter [20]        | 151              | College         | Ns                | Yes               | Yes                 | No                | Yes              | No                     | No
15    | Porter [21]        | 20               | Parole officers | 40/77             | No                | Yes                 | Yes               | Yes              | No                     | Perhaps
16    | Santarcangelo [22] | 97               | College         | 65/69             | Yes               | No                  | Perhaps           | Yes              | No                     | No
Note: College: college students; Accuracy: pretest accuracy/post-test accuracy scores for same individuals. (a) Accuracy for post-test only design: untrained accuracy/trained accuracy scores.
4 RELEVANCE
Frank and Feeley [12] argued that training should be on lies relevant to the trainees. We agree, but in a recent publication [6] we refined this argument. It may be even more important that the lie scenario used for training contains the kinds of behaviors, both verbal and non-verbal, that provide clues to deception than that the lie superficially looks like a lie of interest. This distinction is what test psychologists call face validity versus construct validity and what experimental psychologists term mundane realism versus experimental realism. A lie scenario may seem relevant to a law enforcement lie detection situation because it shows a felon being interviewed by a police officer (face validity, mundane realism). But if the lie is about a topic of no importance to the felon, the emotional and cognitive aspects of a high stakes lie will not be present. Conversely, a college student discussing a strongly held belief, who will receive substantial rewards if he tells the truth successfully or lies successfully and who will be punished if he is unsuccessful, may better simulate the behaviors seen in a law enforcement interview (construct validity, experimental realism). So while the construct validity or experimental realism of a scenario is the more important variable, the relevance or interest of the lie to the lie catcher (its face validity or mundane realism) must also be considered. In screening expert lie detectors from several different professional groups including law enforcement personnel and therapists, O’Sullivan [5] found that about one-third of the experts were at least 80% accurate on each of three different lie detection tasks. The remaining two-thirds of the experts obtained 80% on two of the three tests. For this second group, their lowest score was either on a test in which young men lied about stealing a significant amount of money or a test in which young women lied or told the truth about whether they were watching a gruesome surgical film or a pleasant nature film. Not surprisingly, the lowest of the three scores for therapists was on the crime test; for law enforcement personnel, their lowest score was on the emotion test. This finding was highly significant. Among recently published lie detection accuracy studies, several meet the criterion of relevance, whether this term is used to refer to importance to the trainees (mundane realism, face validity) or actual validity for the lies that lie catchers need to be accurate on (experimental realism, construct validity). Hartwig [17] tested police officers using a mock theft scenario and allowed the trainees to interview the experimental suspects. Akehurst [14], on the other hand, used test stimuli in which children lied or told the truth about an adult taking a photograph. Since it is unlikely that much arousal happened, whether this scenario had either mundane or experimental realism for the subjects is doubtful. All of the other studies used college students as target liars and truth tellers. Insofar as the trainees were students or therapists, who work with clients in that age group, such materials are probably relevant to them.
5 HIGH STAKES LIES
Among the nine training studies published between 2000 and 2007, four used what we consider to be high stakes lies. Porter [20, 21] used a scenario in which targets lied or told the truth about highly emotional events in their personal lives. We consider lies with a strong self-identity aspect to be high stakes. O’Sullivan [19] used a scenario in which both personal identity and a large cash reward were involved. Although the Hartwig study [17] used a sanctioned mock theft scenario which reduces the stakes for the liars and truth tellers, the targets also received a lawyer’s letter which may have “bumped up” the stress of the situation. (Three of these four studies achieved a significant learning effect.) The other studies included scenarios in which college students told social lies about friends or lied about whether they had headphones hidden in their pockets. (They had been directed to do so by the experimenter, so little emotional arousal could be expected.)
6 TRAINING
Outstanding expertise in lie detection is likely the result of a host of individual difference variables such as interest, extensive and varied life experience, motivation, practice, and feedback with professionally relevant lies that most expert lie detectors seem to share. In addition, there are probably particular kinds of skills such as visual or auditory acuity, pattern recognition and social or emotional memory that vary from expert to expert and that will cause them to be more or less expert on different kinds of lies, depending on their particular subset of skills. So while expert lie detection employs a host of skills, training for lie detection accuracy in a particular course or a particular study might more efficiently proceed by training in a focused skill or set of skills known to be related to lie detection. Many of the recent lie detection studies used this approach, narrowing their focus and evaluating the effectiveness of training with a particular kind of knowledge or subset of cues.
Santarcangelo [22] found that informing trainees about either (i) verbal content cues (plausibility, concreteness, consistency, and clarity which are included in the more extensive Criteria-Based Content Analysis (CBCA) protocol); (ii) nonverbal cues (adaptors, hand gestures, foot and leg movements, and postural shifts) or (iii) vocal cues (response duration, pauses, speech errors, and response latency) resulted in lie detection accuracy greater than a no-cues control group. Levine [18] conducted a series of studies on how to increase lie detection accuracy that also used mere verbal description of cues. In three of the studies, a lecture describing general behavioral cues comprised one condition. A second condition was a bogus training group in which incorrect information about lie detection clues was given to the subjects. The control group received no information about lie detection clues. None of the three studies obtained significant results in the predicted direction. In the fourth study, behavioral cues actually occurring in the stimulus materials were used for the lecture condition. In this condition, a significant result was found between the training lecture (58%) and the control condition (50%). However, the bogus training also resulted in significantly increased training (56%) which was not significantly different from the authentic training condition. Interpretation of this study is complicated by the use of only two different stimulus persons as the target liars and truth tellers. Other researchers are also designing training studies which teach those behavioral cues actually existing in the training and testing materials [15, 23]. For studies using this training method, situational generality (testing on other lie detection tests as well) is particularly important. Hartwig [17] took a novel approach by training police trainees to adjust the timing of their questions. 
Rather than assessing the nonverbal behaviors of the liars and truth tellers, actual evidence (eyewitness testimony, fingerprints, etc.) was available and the liars and truth tellers were informed of this during the interview. The Hartwig study found that if interviewers held back knowledge of the evidence until later in the interview, liars were more likely to make inconsistent statements which increased detection accuracy for the interviewers. This training is much more like the kind of interview situation in which law enforcement officers decide the honesty of suspects. Such training, however, may not generalize to interview situations in which no evidence is available. An unusual feature of deception research, although certainly not new in other kinds of training, is the use of computer programs in lieu of instructor presentation or printed materials. Crews [15] and George [16] demonstrated that there was no difference between a computer-based training program and the same material presented by a human instructor. In both cases, significantly increased accuracy was achieved. Although most of the studies provided examples of honest and deceptive behaviors for trainees, some did not. Subjects in the Levine [18] and Santarcangelo [22] studies, for example, only received a written sheet of cue information that could be read rather quickly. It is interesting that these studies found a significant, albeit small (4%) increase in accuracy, whereas studies using more lengthy training procedures [15, 17] reported gains in excess of 20%.
7 TESTING
(a) Randomization. Trainees were randomly assigned in all of the studies. Most of the studies used a pre–post design except those of Hartwig [17] and Levine [18] which utilized a random assignment, post-group comparison design. Random assignment in a post-group-only design assumes that all assigned interviewers or judges are
alike prior to training and that differences afterwards are due to the training alone. A post-test-only design does not completely rule out the possibility that trained and untrained interviewers or judges, even if randomly assigned, were different before the experiment.
(b) Independence of items in the stimulus materials. Although most of the lie detection materials used different liars or truth tellers for each “item” some did not. Levine [18], for example, used only two targets, who both lied and told the truth about items on a test. When “items” are not independent, the effect of biases, personal likes and dislikes with particular kinds of people, familiarity with particular kinds of people or particular kinds of behavioral styles can all affect the final scores. These biases may reflect factors other than lie detection accuracy.
(c) Independence of targets in pre–post designs. All of the pre- and post-test studies, except O’Sullivan’s [19], used different liars and truth tellers for their pre- and post-tests. Although a control group ameliorates the effect of mere familiarity on increased lie detection accuracy, it is preferable to have different individuals as targets in the pre- and post-test measures and to ensure that the tests are of equivalent difficulty. The Crews study [15] did an especially careful job of determining that their pre- and post-tests were equivalent in difficulty, establishing their norms in a pilot study. None of the other studies did this, or if they did, they did not mention it.
(d) Numbers of targets. Except for Levine [18] who used only two test subjects, most of the studies used 6 to 12 subjects for the pre-test and/or post-test measures.
8 SITUATIONAL GENERALITY
All of the studies used a single kind of lie so the generalizability of training for lie detection accuracy is unknown. Given that some of the studies with the greatest increase in accuracy taught and emphasized the cues that were actually contained in the materials [15, 16], the issue of situational or lie generality is an important one.
9 TIME GENERALITY
None of the studies reviewed examined the temporal stability of any gain in lie detection accuracy, so we have no way of knowing whether gains in lie detection accuracy survive the time span of the training course. Researchers are aware of this issue, however. Porter [21] spread the training over five weeks, and found a highly significant increase in detection accuracy. Whether this gain would last longer than five weeks, however, is unknown. Marett [24] was specifically interested in the effect of lie detection history (training over time) on final accuracy, but the small number of subjects and items did not allow them to reach any conclusions. (This study is not reviewed since no accuracy means were reported.)
10 INDIVIDUAL DIFFERENCES RELATED TO LIE DETECTION ACCURACY
In training to increase lie detection accuracy, a variety of individual difference abilities need to be considered. The already existing ability of the trainees is one that has
often been overlooked. It seems reasonable, however, that training which provides new information to mediocre lie detectors may be superfluous to expert ones. And providing specialized training, in verbal content analysis or facial expression recognition or other nonverbal cues, might be more advantageous for those already at an average or above average lie detection accuracy level. No research exists which examines the role of pre-existing lie detection accuracy on the efficacy of different lie detection training paradigms. In our work with expert lie detectors who have been trained in facial expression recognition, several of them have reported a disruption of their ability to assess truthfulness in the months immediately following the training. With practice, however, according to their self-reports, they were able to incorporate the new information into their skill set. Kohnken [25] and Akehurst [14] also described reports from police trainees that they needed more time to incorporate the new information provided. (In these studies it was verbal content training rather than facial expression recognition.) A difficulty in examining this hypothesis (that more expert lie detectors may have an initial disruption effect, resulting in a decrement in lie detection accuracy) may occur due to the ceiling effect or regression to the mean for the lucky guessers in the first testing. If trainees are already highly accurate prior to training (70% or better), there is little room for improvement as measured by most existing lie detection accuracy measures. Many lie detection accuracy tests are relatively brief; the median number of items is ten. Clearly, new tests containing more items of greater difficulty are necessary. The issue of item difficulty is also an important one. Many items in existing lie detection measures are difficult because the lies are trivial and there are no emotional and/or cognitive clues to discern. Item difficulty should be based on subtle cues that are present, although difficult to distinguish, or should reflect the kinds of personality types (outgoing, friendly) that are particularly difficult for American judges to perceive as liars. Other individual difference variables that have been largely overlooked in studies of lie detection accuracy training are the intelligence and cognitive abilities of the lie detector. O’Sullivan [26] demonstrated that the fundamental attribution error was negatively related with accurate detection of liars. Whether such cognitive biases can be corrected through training has not been examined. Although many people seem to believe that lie detection is a natural ability unrelated to education or training, O’Sullivan noted [27] that more than half of her 50 expert lie detectors have advanced degrees and all have at least a two-year associate’s degree. The interpretation of the many cognitive and emotional cues that occur while lying and telling the truth may take a superior baseline level of intelligence to decipher. This hypothesis has also not been examined. On the other hand, Ask and Granhag [28] found no relationship between cognitive or personality variables such as need for closure, attributional complexity, and absorption. The lie scenarios they used, however, may not have provided sufficient score variance to examine their hypotheses adequately. Many expert lie detectors seem to have an ongoing life commitment to seeking the truth [5]. This kind of commitment and practice cannot be taught in a single training program, which suggests that selecting already accurate lie detectors might be a more sensible approach to use when staffing personnel to perform lie detection interviews. This option, however, may be difficult to implement given the relative rarity of expert lie detectors (from 1 per thousand in some professional groups to 20% in others [5]) and the personnel restrictions in some agencies.
CROSS-CUTTING THEMES AND TECHNOLOGIES
In addition to individual differences in lie detection accuracy as a factor to be considered in designing and implementing lie detection accuracy training courses, the role of other individual difference factors needs to be considered. Deception researchers [9] have noted the extraordinary motivation of expert lie detectors to know the truth. Porter [29] attempted to examine motivation by randomly assigning subjects to one of two levels of motivation to succeed at a lie detection task. This motivation manipulation had no impact on consequent lie detection accuracy. An experimentally manipulated motivation to detect deception, however, may not be a sufficient analog for the life-long commitment to discern the truth in one’s profession and one’s life that some expert lie detectors show. To date there is mounting evidence that certain law enforcement personnel groups [6, 30, 31] and individuals [5, 7] are accurate at least with certain kinds of lies. There is replicated evidence that groups of forensic specialists (psychologists and psychiatrists), federal judges [31], and dispute mediators [5] are also significantly above chance in their ability to discern the truth. In all of these studies, comparison groups, usually of college students, have average accuracies at the chance level on the tests used. This provides some support for the view that the lie detection tests are not easy, which rules out one explanation for their high accuracy. While commitment to lie detection is an aspect of some expert lie catcher’s professional lives, O’Sullivan [19] found that even among college students, concern for honesty was significantly related to lie detection accuracy. Students who reported rarely lying to friends obtained higher accuracy on a lie detection measure than students who lied to friends frequently. 
In this same study, a high rating for honesty as a value when compared with other values (such as a comfortable life) also distinguished more and less accurate lie detectors. Given the importance of emotional clues in detecting deception, it is not surprising that a number of studies have reported significant correlations between emotional recognition ability and lie detection accuracy. Warren, Schertler, and Bull [32], for example, demonstrated that accuracy at recognizing subtle facial expressions using the SETT (Subtle Expression Training Tool [33]) was positively related to accuracy in detecting emotional lies, but not nonemotional ones. (This study underscores the need for situational generality of lie scenarios as discussed earlier.) Ekman and O’Sullivan [30], Frank and Ekman [34], and Frank and Hurley [10] all found a significant relationship between micro-expression detection accuracy and lie detection accuracy using precursors of the Micro-Expression Training Tool (METT) [35]. Frank [36] also found that being trained on micro-expressions significantly improved detecting emotions that occurred while lying. Many IQ tests are highly saturated with verbal content, so it is likely that the ability to apply one type of verbal system (e.g., CBCA) in improving lie detection accuracy may be related to verbal intelligence. Vrij [37] found individual differences in the ability to learn CBCA in order to lie or tell the truth more effectively. While the ability to learn CBCA may have a cognitive component, the study also found that ability to use CBCA in truth and lie performance was related to social anxiety. Porter’s [29] report of a significant correlation between handedness and lie detection accuracy (left-handed lie catchers being superior) also suggests a biologically based individual difference that should be considered in lie detection accuracy programs. Etcoff and her colleagues [38] also reported a similar right brain advantage in lie detection.
TRAINING FOR INDIVIDUAL DIFFERENCES IN LIE DETECTION ABILITY
Other individual difference variables of interest have included gender and personality variables such as social skill and Machiavellianism. For all of these variables, conclusions are difficult to draw because of the widely varying adequacy of the lie detection scenarios used, or the lack of variance in lie detection accuracy of some of the subjects. For example, in one study [39] which reported an interaction effect between gender and increased accuracy with training, the differing mean accuracies of the two genders at the start of the study compromise this conclusion. Before training, average accuracy for males was 47%, which increased to 70% after training. For females, pretraining accuracy was 68%, which decreased to 62% after training. Pretraining performance for females was significantly higher than for males, giving females less headroom for improvement. Even though the males’ accuracy increased significantly while the females’ did not, the difference in their final accuracy levels was not significant. This effect might reflect a room-for-improvement phenomenon rather than a gender one. Some low-scoring females might have shown some improvement. The confounding of base accuracy level and gender would need to be clarified before conclusions can be drawn about gender effects. Overall, no consistent gender superiority in lie detection accuracy or in training effectiveness has been demonstrated. Training studies with relevant tasks, focused training programs, and reliable test materials known to contain behavioral clues or other evidence relevant to lie detection have resulted in a growing body of research demonstrating that lie detection is difficult for most people, but that improvement is possible with well-honed training programs. Selecting the best detectors within an organization may be more cost-effective, but it too is fraught with problems.
The tasks used to determine who goes forward need to mirror the structural features of the scenarios to which these personnel will apply their skills. Ideally, it would also be useful to develop some metric as to how well they do in the real world, compared to those not selected. For example, criteria such as how much contraband is confiscated, how many cases go to trial and result in a conviction, or other goals specific to the agency may be useful. This would require a new way of thinking about security, but it may violate assumptions about equal treatment for all agency personnel.
11 CONCLUSION

We end on an optimistic note. Increasingly, researchers are identifying highly accurate lie catchers. This increased range of lie detection accuracy can provide a proving ground for developing lie-specific training. Research on how expert lie detectors do what they do can suggest materials to be included in lie detection courses. Researchers have also become increasingly sophisticated about the need for experimental validity in their work. They have also become more sophisticated about the value of training on one particular skill or clue domain at a time (e.g., CBCA, METT). We believe the tools of the scientist can be successfully applied to real-world security settings. But more work is needed in order to calibrate the cost/benefit ratio because so much of the science is not directly relevant to security personnel. We see this as a call for increased cooperation between scientists who are sympathetic to the pressures on security personnel and practitioners who desire scientific help in their professions. Once we achieve that combination of forces, we can move this issue forward to identify the optimal way to deploy people in the lie detection process.
REFERENCES

1. Ekman, P. (2001). Telling Lies: Clues to Deceit in the Marketplace, Politics, and Marriage. W. W. Norton & Co, New York.
2. O’Sullivan, M. (2005). Emotional intelligence and detecting deception. Why most people can’t “read” others, but a few can. In Applications of Nonverbal Communication, R. E. Riggio, and R. S. Feldman, Eds. Erlbaum, Mahwah, NJ, pp. 215–253.
3. Bond, C. F. Jr., and DePaulo, B. M. (2008). Individual differences in judging deception: accuracy and bias. Psychol. Bull. 134(4), 501–503. DOI: 10.1037/0033-2909.134.4.477.
4. Pigott, T. D., and Wu, M. (2008). Methodological issues in meta-analyzing standard deviations: comment on Bond and DePaulo (2008). Psychol. Bull. 134(4), 498–500. DOI: 10.1037/0033-2909.134.4.498.
5. O’Sullivan, M. (2008). Home runs and humbugs: comment on Bond and DePaulo (2008). Psychol. Bull. 134(4), 493–497. DOI: 10.1037/0033-2909.134.4.493.
6. O’Sullivan, M., Frank, M. G., Hurley, C. M., and Tiwana, J. Police lie detection accuracy: the effect of lie scenario. Law Hum. Behav., In press.
7. Bond, G. A. (2008). Deception detection expertise. Law Hum. Behav. 32(4), 339–351. DOI: 10.1007/s10979-007-9110-z.
8. O’Sullivan, M. (2007). Unicorns or Tiger Woods: are lie detection experts myths or rarities? A response to On lie detection ‘Wizards’ by Bond and Uysal. Law Hum. Behav. 31(1), 117–123. DOI: 10.1007/s10979-006-9058-4.
9. O’Sullivan, M., and Ekman, P. (2004). The wizards of deception detection. In The Detection of Deception in Forensic Contexts, P. A. Granhag, and L. Stromwell, Eds. Cambridge University Press, Cambridge, pp. 269–286.
10. Frank, M. G., and Hurley, C. M. (2009). Detection Deception and Emotion by Police Officers. Manuscript in preparation.
11. O’Sullivan, M. (2008). Lie detection and aging. Annual Conference Society for Personality and Social Psychology. Albuquerque, NM.
12. Frank, M. G., and Feeley, T. H. (2003). To catch a liar: challenges for research in lie detection training. J. Appl. Commun. Res. 31(1), 58–75.
13. Frank, M. G. (2005). Research methods in detecting deception research. In Handbook of Nonverbal Behavior Research, J. A. Harrigan, K. R. Scherer, and R. Rosenthal, Eds. Oxford University Press, New York, pp. 341–368.
14. Akehurst, L., Bull, R., Vrij, A., and Kohnken, G. (2004). The effects of training professional groups and lay persons to use criteria-based content analysis to detect deception. Appl. Cogn. Psychol. 18(7), 877–891. DOI: 10.1002/acp.1057.
15. Crews, J. M., Cao, J., Lin, M., Nunamaker, J. F. Jr., and Burgoon, J. K. (2007). A comparison of instructor-led vs. web-based training for detecting deception. J. STEM Educ. 8(1/2), 31–40.
16. George, J. F., Biros, D. P., Adkins, M., Burgoon, J. K., and Nunamaker, J. F. Jr. (2004). Testing various modes of computer-based training for deception detection. Proc. Conf. ISI. 3073, 411–417.
17. Hartwig, M., Granhag, P. A., Stromwall, L. A., and Kronkvist, O. (2006). Strategic use of evidence during police interviews: when training to detect deception works. Law Hum. Behav. 30(5), 603–619. DOI: 10.1007/s10979-006-9053-9.
18. Levine, T. R., Feeley, T. H., McCornack, S. A., Hughes, M., and Harms, C. M. (2005). Testing the effects of nonverbal behavior training on accuracy in deception detection with the inclusion of a bogus training control group. West. J. Commun. 69(3), 203–217. DOI: 10.1080/10570310500202355.
19. O’Sullivan, M. (2003). Learning to detect deception. Annual Conference of the Western Psychological Association. Vancouver, BC.
20. Porter, S., McCabe, S., Woodworth, M., and Peace, K. A. (2007). ‘Genius is 1% inspiration and 99% perspiration’ . . . or is it? An investigation of the impact of motivation and feedback on deception detection. Leg. Criminol. Psychol. 12(2), 297–309. DOI: 10.1348/135532506X143958.
21. Porter, S., Woodworth, M., and Birt, A. R. (2000). Truth, lies, and videotape: an investigation of the ability of federal parole officers to detect deception. Law Hum. Behav. 24(6), 643–658. DOI: 10.1023/A:1005500219657.
22. Santarcangelo, M., Cribbie, R. A., and Hubbard, A. S. (2004). Improving accuracy of veracity judgment through cue training. Percept. Motor Skill. 98(3), 1039–1048.
23. Cao, J., Lin, M., Deokar, A., Burgoon, J. K., Crews, J. M., and Adkins, M. (2004). Computer-based training for deception detection: What users want? Proc. Conf. ISI. 3073, 163–175.
24. Marett, K., Biros, D. P., and Knode, M. L. (2004). Self-efficacy, training effectiveness, and deception detection: a longitudinal study of lie detection training. Proc. Conf. ISI. 3073, 187–200.
25. Kohnken, G. (1987). Training police officers to detect deceptive eyewitness statements: Does it work? Soc. Behav. 2(1), 1–17.
26. O’Sullivan, M. (2003). The fundamental attribution error in detecting deception: the boy-who-cried-wolf effect. Pers. Soc. Psychol. Bull. 29(10), 1316–1327. DOI: 10.1177/0146167203254610.
27. O’Sullivan, M. (2009). Are there any “natural” lie detectors? Psychol. Today. Available at http://blogs.psychologytoday.com/blog/deception/200903/are-there-any-natural-lie-detec1tors.
28. Ask, K., and Granhag, P. A. (2003). Individual determinants of deception detection performance: Need for closure, attribution complexity and absorption. Goteborg Psychol. Rep. 1(33), 1–13.
29. Porter, S., Campbell, M. A., Stapleton, J., and Birt, A. R. (2002). The influence of judge, target, and stimulus characteristics on the accuracy of detecting deceit. Can. J. Behav. Sci. 34(3), 172–185. DOI: 10.1037/h0087170.
30. Ekman, P., and O’Sullivan, M. (1991). Who can catch a liar? Am. Psychol. 46(9), 189–204.
31. Ekman, P., O’Sullivan, M., and Frank, M. G. (1999). A few can catch a liar. Psychol. Sci. 10(3), 263–266.
32. Warren, G., Schertler, E., and Bull, P. (2009). Detecting deception from emotional and unemotional cues. J. Nonverbal Behav. 33(1), 59–69. DOI: 10.1007/s10919-008-0057-7.
33. Ekman, P., and Matsumoto, D. (2003). Subtle Expression Training Tool.
34. Frank, M. G., and Ekman, P. (1997). The ability to detect deceit generalizes across different types of high-stake lies. J. Pers. Soc. Psychol. 72(6), 1429–1439.
35. Ekman, P., Matsumoto, D. M., and Frank, M. G. (2003). Micro Expression Training Tool v1.
36. Frank, M. G., Matsumoto, D. M., Ekman, P., Kang, S., and Kurylo, A. (2009). Improving the Ability to Recognize Micro-expressions of Emotion. Manuscript in preparation.
37. Vrij, A., Akehurst, L., Soukara, S., and Bull, R. (2002). Will the truth come out? The effect of deception, age, status, coaching, and social skills on CBCA scores. Law Hum. Behav. 26(3), 261–283. DOI: 10.1023/A:1015313120905.
38. Etcoff, N. L., Ekman, P., Magee, J. J., and Frank, M. G. (2000). Lie detection and language comprehension. Nature 405(6783), 139. DOI: 10.1038/35012129.
39. deTurck, M. A. (1991). Training observers to detect spontaneous deception: the effects of gender. Commun. Rep. 4(2), 79–89.
FURTHER READING

Ekman, P. (2003). Emotions Revealed. Henry Holt, New York.
Harrington, B., Ed. (2009). Deception: From Ancient Empires to Internet Dating. Stanford University Press, Stanford, CA.
Lindsay, R. C. L., Ross, D. F., Read, J. D., and Toglia, M. P., Eds. (2007). The Handbook of Eyewitness Psychology Vol I Memory for People. Lawrence Erlbaum, Mahwah, NJ.
Toglia, M. P., Read, J. D., Ross, D. F., and Lindsay, R. C. L., Eds. (2007). The Handbook of Eyewitness Psychology Vol I Memory for Events. Lawrence Erlbaum, Mahwah, NJ.
DETERRENCE: AN EMPIRICAL PSYCHOLOGICAL MODEL

Robert W. Anthony
Institute for Defense Analyses, Alexandria, Virginia
1 INTRODUCTION

Although deterrence has not led to a strategic victory to date against the entire loosely knit network of cocaine traffickers, it has shut down nearly all direct smuggler flights into the United States [1, 2], eliminated Peru as a major cocaine producing country [2, 3], and recently closed down nearly all Caribbean go-fast boat traffic. Section 3 recounts how data obtained from these various success stories facilitated the derivation and calibration of an unexpectedly simple mathematical function representing the psychology of deterrence [1, 3]. It goes on to explain how these tactical victories teach several practical lessons and reveal operational dilemmas. To apply these results to terrorism, Section 4 summarizes an analysis of terrorist preparations for the 9/11 attacks. This analysis suggests that “deterrence” influences decision making for terrorists perpetrating complex plots. The section also explains the methods for estimating the deterrent effect of a mixture of several possible consequences and methods for estimating the deterrence contribution of multilayer defenses. Section 5 introduces several testable hypotheses concerning the generality of these findings and possible explanations for the willingness function. It also emphasizes the importance of interdisciplinary, integrated research to focus all available knowledge on understanding the risk judgments of criminals, insurgents, and terrorists.
2 DEFINITIONS AND SOURCES

A great deal of deterrence research addresses the prisoner’s dilemma gaming of the cold war standoff, rate of loss models of military attrition, or guidance to law enforcement in various situations, often with the underlying assumption of a linear relationship between effort and effect. By contrast, this work focuses on the psychology of perpetrators represented as a fraction of a pool willing to act. Therefore, this approach does not discriminate between individual behavior and distributions across a perpetrator population. The US military has formally defined both deterrence and strategic deterrence; the first applies to thwarting terrorists in general, while the second applies to complex plots that could damage the vital interests of the United States. Remarkably, these definitions include a psychological interpretation of deterrence. Primary data sources in the public domain are cited at the end of this section. Unfortunately, many organizations applying deterrence in their operations cannot publicly release their classified data, and others with fewer restrictions are reluctant to do so. Moreover, these organizations also do not see their mission as one of justifying support for sustained applied research or any basic science.

2.1 Definition of Deterrence

The US Department of Defense (DoD) defines deterrence as “the prevention from action by fear of consequences—deterrence is a state of mind brought about by the existence of a credible threat of unacceptable counteraction” [4]. Even suicide terrorists must fear some consequences, especially risks that undermine their motives for taking such drastic action. For example, some terrorists might fear failure, arrest, or loss of life without completing their mission; dishonoring or bringing retribution upon their families; embarrassing their cause and supporters of their cause; or revealing a larger scheme or its supporting network.
2.2 Definition of Strategic Deterrence

Recently, the DoD introduced a related concept: “strategic deterrence is defined as the prevention of adversary aggression or coercion threatening vital interests of the United States and/or our national survival; strategic deterrence convinces adversaries not to take grievous courses of action by means of decisive influence over their decision making” [5]. This definition should exclude individuals who are mentally ill, act impulsively, or act alone. Strategic deterrence primarily applies to complex plots and networks with sufficient resources to threaten national vital interests. Although the empirical quantitative model reveals that deterrence will not thwart everyone, its cumulative and systemic impact on complex plots or networks should be capable of debilitating virtually all of them.

2.3 Information from Operational Sources

Operational organizations provided an interview report summarizing the responses of a very diverse population of 109 imprisoned drug smugglers. Analyses of these data led to the development of a simple mathematical expression representing the psychology of deterrence [1, 3]. Two reports provide more details on the interviews and operational data from major countercocaine operations [3, 6] used to verify and calibrate the deterrence model. Unfortunately, other data sets are not available for public release.
3 PRINCIPAL FINDINGS

Deterrence is essential for amplifying limited interdiction capabilities to thwart hostile activity. For example, lethal consequences can amplify interdiction effort by more than a factor of 10. The following quantitative representation of the psychology of deterrence and associated tactical lessons has been used to size forces, guide operations, and assess operational effectiveness in counterdrug and counterterrorism operations. Although the references provide more detail, one case is summarized: the air interdiction operations against smugglers flying cocaine from Peru to Colombia. This case illustrates the effectiveness of deterrence, verifies essential features of the mathematical form of the willingness function, and provides calibration for lethal consequences.

3.1 Willingness Function

The “willingness function” expresses the psychological aspects of deterrence in mathematical terms. It facilitates an estimate of the fraction of all would-be perpetrators willing to challenge the risks of interdiction. It has one independent variable, the probability of interdiction, $P_I$, and one constant parameter, the threshold of deterrence, $P_0$, calibrated to the specific perceived consequences of interdiction. Figure 1 plots the willingness functions for three different values of the deterrence threshold. The vertical axis represents the fraction of perpetrators and the horizontal axis represents the probability of interdiction. To interpret a willingness function, consider the light curve. As the interdiction probability increases from zero, all would-be perpetrators remain willing to continue until their perception of the interdiction probability reaches the deterrence threshold at a probability of interdiction of 0.13. Beyond the deterrence threshold, the fraction of the perpetrators still willing to perpetrate, $W(P_I)$, declines in proportion to the inverse of the perceived probability of interdiction:

$$W = \frac{P_0}{P_I}. \qquad (1)$$

FIGURE 1 The willingness function.
[Figure not reproduced. Vertical axis: willingness; horizontal axis: probability of interdiction. Curves: material loss to capture, capture to prison, prison to loss of life. Data series: self caught, associate caught, self imprisoned, associate imprisoned.]
As the interdiction probability approaches 1.0, however, a small fraction, $P_0$, of the perpetrators persist, even expecting certain interdiction. In interviews with imprisoned drug smugglers, some commented that they would continue smuggling knowing they would be imprisoned since one fee, given in advance, would more than compensate for their prison time [3]. Scofflaw fishermen violating restrictions that protect living marine resources also behave according to the deterrence model and show no indication of quitting out to an 80% probability of interdiction [1]. Heavy, medium, and light curves in Figure 1 illustrate willingness functions bounding the ranges of four different types of consequences. The heavy curve represents the boundary between “lethal” consequences and “imprisonment” and is determined by a threshold of deterrence of 0.02. The medium weight curve separates “imprisonment” from “capture followed by release” and has a threshold of 0.05. The light curve separates “capture and release” from “loss of material assets” and has a threshold of 0.13. Figure 1 also shows four sets of data obtained from voluntary interviews of imprisoned smugglers. Each was asked whether he or she would be willing to continue to smuggle if the chance of interdiction equaled successively higher values as indicated by data symbols along the trend lines. The same willingness questions were asked for different consequences, for example, being caught then released or being imprisoned, and for two different perceptual orientations, answering for themselves and answering as if they were a former associate smuggler. As the researchers anticipated, the interviewees estimated their associates would be more willing to continue smuggling than they would be now that they have experienced incarceration. These cumulative trends illustrate how well the willingness function boundaries parallel and bracket the interview responses.
In such very high-risk activities, perpetrators appear to decide whether the risks are acceptable before even considering the adequacy of the rewards. For example, all inmates stated their willingness to smuggle without any reference to wages. On separate questions exploring the sensitivity of willingness to wage levels, significantly higher wage offers did not increase the previously declared fraction of the smugglers willing to face the risks. However, if risks do increase, the wage necessary to sustain smuggler willingness at their previously declared levels increases quadratically relative to the increased risk.

3.2 Surge Operations

Surge operations typically consist of doubling or more the interdiction pressure and sustaining it long enough to convince perpetrators that they cannot simply outwait the interdictors (typically 2–5 months for counterdrug operations). Surges have effectively communicated risks to perpetrators and caused lasting deterrence, even as interdiction efforts substantially relax from surge levels [1, 3]. A surge operation can provide valuable intelligence since it can induce perpetrators to react, thereby revealing their clandestine activity and the level of their deterrence threshold. Focusing surges on criminal hot spots should amplify the visibility of criminal reaction to deterrence, and has proven capable of doing so in urban areas [7]. However, if perpetrators can change their mode of operation or shift their location, the interview
data suggests they will change whenever interdiction risk reaches only approximately one-half of the deterrence threshold [1, 3]. Thus, operators must take this possibility into account in their subsequent planning.

3.3 Breakouts from Deterrence

A mathematical property of the willingness function shows that deterrence, once established, is at risk of instability. After deterrence has suppressed attempts, the estimated fraction of perpetrators actually interdicted tends to remain constant at a magnitude equal to the deterrence threshold:

$$W \cdot P_I = \frac{P_0}{P_I} \cdot P_I = P_0. \qquad (2)$$

Under normal conditions, defenders need only interdict this constant fraction to deter. However, any diversion of interdiction effort elsewhere or additional recruitment expanding the pool of potential perpetrators, possibly as the result of an external event, could cause the fraction interdicted to drop below the deterrence threshold. This would most likely trigger a burst of perpetrator attempts, threatening a breakout from deterrence. Interdictors, therefore, need to maintain a reserve capacity, or other overwhelming threat of counteraction, to prevent breakout or reestablish deterrence.

3.4 Deterrence Model

The deterrence model estimates the fraction of all perpetrators thwarted by interdictors, $P_t$, that is, those who are either interdicted or deterred:

$$P_t = 1 - (1 - P_I) \cdot W(P_I^*) \qquad (3)$$

where $P_I^*$ is the perceived probability of interdiction. Under steady conditions with well-informed perpetrators, the willingness function represents the subjective aspects of perceived risk, and $P_I^*$ equals $P_I$. During surges or other transition periods, however, there might be a diversity of perceptions with many misunderstandings of the real situation. Since the probability of thwarting an attempt equals the probability of unsuccessful attempts, it is one minus the probability of those willing and able to avoid interdiction.

3.5 Example—Peruvian Drug Flights

A series of operations to interdict and deter air traffickers flying cocaine base from Peru to Colombia provided an estimate of the deterrence threshold for lethal consequences [1, 3]. These operations also demonstrated the impact of an initial surge and proved that perpetrators will ignore even lethal consequences under some conditions. The US detection and monitoring support to the Peruvians provided nearly perfect coverage of trafficker flights, and the combined capacities of those flights closely matched satellite estimates of the coca crop during periods without deterrence. This enabled an estimate of those willing, while complete and verified interdiction records gave probability of interdiction.
FIGURE 2 Deterrence model for lethal interdiction showing operational periods intended to stop smuggler flights from Peru to Colombia.
[Figure not reproduced. Vertical axis: fraction thwarted; horizontal axis: probability of interdiction. Legend: nonlethal periods, lethal periods, fit to lethal periods. Curves: prison to loss of life, interdiction only. Labeled periods: before, early, during, after, final.]
Figure 2 shows the principal operational periods plotted over two deterrence model curves. The vertical axis is the fraction of flights thwarted and the horizontal axis shows the probability of interdiction. Each operational period lasted from 7 to 11 months, identified 100–500 smuggler flights, and involved 6–17 interdictions. Ovals represent conservative estimates of the asymmetric uncertainty ranges from both statistical and systematic sources. Open circles represent periods of nonlethal consequences during which air traffickers carried all cocaine base destined for Colombia. Filled circles represent periods with lethal consequences. Three periods of lethal interdiction illustrate the transition from no deterrence to full deterrence, after passing through an intervening surge. Figure 2 labels these as “before,” “during,” and “after.” In the 10-month “before” period, there is no evidence for deterrence; smugglers simply ignored lethal consequences. Since the Peruvians did not have US detection and monitoring support, they only shot down seven smugglers. This is well within the statistical uncertainty range of the deterrence threshold for lethal interdiction indicated by the heavy curve. To aid the Peruvians in protecting their national security against an ongoing insurgency, the US Presidential Directive resumed intelligence support to their air force. This initiated the surge period “during” the transition. In the first month, Peruvian interceptors interdicted eight trafficker flights. Unusually high levels of lethal interdiction continued, and smuggling flights plummeted as trafficker pilots communicated and adjusted their perception of the risks. Full deterrence had set in by the period labeled “after.” Since the probability of interdiction in the transition period exceeded the trafficker pilots’ perceptions of that probability, the point labeled “during” is out of equilibrium and does not lie on the deterrence model curves. 
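The willingness function and deterrence model of equations (1) to (3), worked through in Python as an added example (not code from the chapter or from the operational studies it cites). The thresholds are the ones quoted in the text; function names, the surge figures and the pool sizes are constructed for illustration, and reading the breakout condition as interdictions per period divided by pool size is an interpretation of equation (2).

```python
"""Willingness function and deterrence model, equations (1)-(3) of the text.

Added illustration: names and sample inputs are assumptions, not source data.
"""
import math

# Deterrence thresholds P0 quoted in the text for each consequence boundary.
P0_LETHAL = 0.02           # conservative planning value (best fit was 0.012)
P0_IMPRISONMENT = 0.05
P0_CAPTURE_RELEASE = 0.13


def _check_probability(name, value):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must lie in [0, 1], got {value}")


def willingness(p_perceived, p0):
    """Eq. (1): fraction of would-be perpetrators still willing to act.

    Everyone stays willing up to the threshold p0; beyond it the fraction
    falls as p0 / p_perceived, so a share p0 persists even at certainty.
    """
    _check_probability("p_perceived", p_perceived)
    _check_probability("p0", p0)
    if p_perceived <= p0:
        return 1.0
    return p0 / p_perceived


def fraction_thwarted(p_interdict, p0, p_perceived=None):
    """Eq. (3): P_t = 1 - (1 - P_I) * W(P_I*).

    p_perceived defaults to p_interdict (steady state, informed perpetrators).
    """
    _check_probability("p_interdict", p_interdict)
    if p_perceived is None:
        p_perceived = p_interdict
    return 1.0 - (1.0 - p_interdict) * willingness(p_perceived, p0)


def amplification(p_interdict, p0):
    """Attempts thwarted per attempt physically interdicted."""
    if p_interdict <= 0.0:
        raise ValueError("amplification is undefined without interdiction")
    return fraction_thwarted(p_interdict, p0) / p_interdict


def interdicted_share_of_pool(p_interdict, p0):
    """Eq. (2): W * P_I, which settles at p0 once deterrence holds."""
    return willingness(p_interdict, p0) * p_interdict


def displacement_likely(p_interdict, p0):
    """Section 3.2: perpetrators who can shift mode or location tend to do so
    at roughly half the deterrence threshold."""
    return p_interdict >= 0.5 * p0


def interdictions_needed(pool_size, p0):
    """Interdictions per period that keep the interdicted share of the pool
    at p0 (interpretation of eq. (2); pool_size is a constructed input)."""
    return math.ceil(pool_size * p0 - 1e-9)


def deterrence_holds(interdictions, pool_size, p0):
    """False signals breakout risk: effort diverted or the pool has grown."""
    return interdictions >= interdictions_needed(pool_size, p0)


if __name__ == "__main__":
    for label, p0 in (("lethal", P0_LETHAL),
                      ("imprisonment", P0_IMPRISONMENT),
                      ("capture/release", P0_CAPTURE_RELEASE)):
        for p in (0.01, 0.05, 0.10, 0.25, 1.00):
            print(f"{label:16s} P_I={p:4.2f} W={willingness(p, p0):5.3f} "
                  f"P_t={fraction_thwarted(p, p0):5.3f}")
    # Constructed surge: real risk has jumped to 0.20 but pilots still
    # perceive 0.01, so the point sits on the interdiction-only line.
    print("surge, stale perception:", fraction_thwarted(0.20, P0_LETHAL, 0.01))
    print("surge, risk understood :", fraction_thwarted(0.20, P0_LETHAL))
    # Constructed breakout check: the pool grows from 500 to 750.
    print("holds at 500:", deterrence_holds(10, 500, P0_LETHAL))
    print("holds at 750:", deterrence_holds(10, 750, P0_LETHAL))
```

With the lethal planning threshold, a 5% interdiction probability already thwarts 62% of attempts, which is the order-of-magnitude amplification the chapter describes.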
In the first month of the “after” period, interdictors relaxed their pressure, and smuggler flights increased fourfold. Interdiction support resumed the next month, and once again,
traffickers were deterred. Thereafter, intelligence reports indicating depressed coca prices sustained the support for interdiction. Illicit Peruvian coca cultivation eventually declined to less than one-third of its previous levels. The best-fit value for the deterrence threshold for lethal consequences, excluding the “during” period, is 1.2 ± 0.2%. Since the distribution of interdictions by month is a Poisson distribution, the operational variation about the threshold is comparable to the threshold itself. Consequently, operational planners adopt a conservative value of 2.0% for the lethal threshold to cover this variation.

3.6 Interdictor’s Dilemma

The Peruvian experience illustrates the interdictor’s dilemma: is deterrence working or are perpetrators avoiding detection? In the general case, the only resolution to this dilemma is convincing corroborating intelligence proving damage to the illicit activity. Often this is supplemented by intelligence indicating perpetrator intent, consequences perpetrators fear, and clandestine attempts.

3.7 Defender’s Dilemma

Defense can be a thankless task. If there are no explicit hostile acts, why do we need to continue operations? If deterrence fails and there are attacks, who do we hold accountable? Defensive operations driven by concerns over accountability promote routine activities that become vulnerable to terrorist probes. Two potential sources of information can transform passive and reactive defenses into dynamic ones taking the initiative. First, deterrence operations can be augmented with intelligence collection on perpetrator attempts to probe or defeat our defenses, and, second, red teams, exercises, and gaming can be employed to continually introduce new and adaptive elements into our defenses. These activities could also provide credible information for evaluating effectiveness and justifying resources.

4 IMPORTANT APPLICATIONS

Do lessons learned from criminals transfer to insurgents and terrorists?
Analysis of the preparations for the 9/11 attacks indicates consistency between the drug smugglers’ deterrence threshold for lethal consequences of 0.012 and the inferred subjective criterion used by Mohamed Atta to initiate the attack. Although factors other than psychological ones might also have applied, there was evidence of deterrence further up the leadership hierarchy. The 9/11 Commission Report stated on page 247, “According to [Ramzi] Binalshibh, had Bin Laden and [Khalid Sheikh Mohammed] KSM learned prior to 9/11 that Moussaoui had been detained, they might have canceled the operation.” A second application of the willingness function extends it to estimate the deterrence effect of combinations of consequences. A third application extends the deterrence model to estimate the contribution of deterrence to multiple layers of defense.

4.1 Deterrence of 9/11 Terrorists

Although dedicated suicide terrorists perpetrated the 9/11 attacks, analysis reveals that they were probably deterred from hasty action until they developed confidence in their
DETERRENCE: AN EMPIRICAL PSYCHOLOGICAL MODEL
plan [8]. Terrorists must exercise extreme caution day-to-day while preparing for a complex attack, and risk aversion provides a basis for deterrence. Their cautious preparations and practice flights were analyzed as a system reliability problem: for a plot consisting of all four hijacked flights reaching their targets, how many unchallenged “practice” flights would be necessary to reduce their perceived risk of failure to a level comparable to the deterrence threshold for lethal interdiction derived from studies of drug smugglers? By this criterion, in addition to the flights necessary to assemble the team in the United States, the 9/11 plot leaders would have had to practice 20–40 more times to be confident of the success of the attack. After this analysis was published, Chapter 7 of the 9/11 Commission Report mentions at least 80 flights, half of which are domestic, and 8 of those use the hijacking routes, box cutters and all. This analysis illustrates how our imperfect deterrence of individuals could have compounded to undermine their complex plot.
4.2 Deterrence through Combining Consequences

Interdictors need a means of estimating the deterrence effect of a combination of risks, especially for anticipating the effect of multiple layers of defense. A logically consistent method for doing this is obtained by drawing an analogy with expressions for expected utility and related models from the psychology of decision making under risk:

$$\sum_{i=1}^{N} \frac{P_{I,i}}{P_{0,i}} = P_I \cdot \sum_{i=1}^{N} \frac{(P_{I,i}/P_I)}{P_{0,i}} = \frac{P_I}{P_0} = \frac{1}{W}, \quad \text{where } P_I = \sum_{i=1}^{N} P_{I,i}. \tag{4}$$

This represents a combination of N risks, each with probability of interdiction, $P_{I,i}$, and deterrence threshold, $P_{0,i}$. The combination also recovers the mathematical form of an inverse willingness function by identifying the following expression as a deterrence threshold:

$$P_0 = \left[ \sum_{i=1}^{N} \frac{(P_{I,i}/P_I)}{P_{0,i}} \right]^{-1}. \tag{5}$$
Since W ≤ 1.0 implies deterrence, the corresponding condition is 1/W ≥ 1.0. Note that the individual risks, $P_{I,i}/P_{0,i}$, all can be below their respective thresholds, yet their combination can deter. Since the consequences represent losses, the inverse willingness, 1/W, can be interpreted as a measure of risk. Those familiar with economics of choice among lotteries or the psychology of judgment under uncertainty will recognize the left-hand expression in Eq. (4) as similar to that for estimating risk, with $1/P_{0,i}$ corresponding to the utility function or more generally the subjective utility. Other than the Peru–Colombia flights, all of the operations, for which there are data, involved a combination of consequences [1, 3], and these followed the willingness function. As an example of mixed consequences, consider the wide range of consequences faced by cocaine smugglers at each of the five transactional steps required to break down multiton loads from Colombia into gram-sized purchases by millions of users in the United States. Remarkably, traffickers at all levels share the risk since traffickers lose
on average 12% of their loads at each step [2]. The following equation illustrates how a plausible mixture of consequences could result in a 12% deterrence threshold:

$$\frac{P_I}{P_0} = \frac{0.12}{0.12} = 1.0 = \frac{P_{I,\text{lethal}}}{P_{0,\text{lethal}}} + \frac{P_{I,\text{Prison}}}{P_{0,\text{Prison}}} + \frac{P_{I,\text{Drugs}}}{P_{0,\text{Drugs}}} = \frac{0.004}{0.02} + \frac{0.022}{0.05} + \frac{0.094}{0.25} \tag{6}$$
Here, a 0.4% chance of death, a 2.2% chance of being imprisoned, and a 9.4% chance of losing the drugs and most likely the smuggling vehicle could combine to yield the 12% threshold. Note that each of the individual contributions is below its respective deterrence threshold. Although the logical consistency and plausibility of this method for combining consequences can be verified, in general, one must exercise caution and plan to verify the estimated combination since the research on descriptive risk judgments describes many deviations from the simple prescriptive form of the expected utility [9–11]. Mathematical simplicity is an overriding practical consideration for counterterrorism operations, and the simplicity of the willingness function is remarkable relative to other models from the literature that require several parameters to represent subject responses. A fundamental difference, however, between the willingness function and expressions found in the literature is that acceptance or attractiveness of a gamble is generally interpreted as the negative of risk rather than its reciprocal [12]. Why the willingness function fits the available data so well remains a mystery. Possibly perpetrator preoccupation with extreme risk reduces the complex general case to a simpler asymptotic form.

4.3 Defense in Depth

Estimating the ability of several layers of defense to thwart terrorists requires an understanding of how terrorists might perceive those defenses. Some circumstances might cause terrorists to perceive all of the layers as one barrier (e.g. if penetrating the first layer required penetrating all layers, as with passengers on a ship, or if terrorist planners required several members of a cell to be able to penetrate all of the layers). By contrast, other situations would allow perpetrators to attempt penetrations one layer at a time. If all layers are perceived as one barrier, each layer becomes a separate risk, and all layers a combination of those risks.
Again, for such a combination, individual layers might not pose sufficient risk to exceed the deterrence threshold, yet together they could. This advantage of layers perceived as one barrier is offset by the high rate of undeterrables, numerically equivalent to the deterrence threshold for only one barrier. If, however, the layers are viewed as independent risks, some or all must pose a risk above the deterrence threshold if deterrence is to contribute. Since the layers each thwart a fraction of the perpetrators, their effects compound multiplicatively to suppress residual leakage. This also assumes that undeterrables at one layer might be deterred by a risk at a subsequent layer. If it were otherwise, terrorist planners employing a team of less cautious undeterrables for a complex plot would risk revealing it before it could be executed. Figure 3 shows the deterrence model for two-layer defenses plotted against the probability of interdiction for one layer that is assumed representative of both layers. A large deterrence threshold of 0.2 expands the graphic scale to ease visualization. With two layers perceived as one barrier, deterrence begins at approximately one-half the deterrence thresholds of the individual layers. (With very large thresholds at each layer, the
FIGURE 3 Comparison of deterrence models for two-layered defenses. [Plot of fraction thwarted against probability of interdiction for each layer; curves: Individual layer, 2-Layers interdiction only, 2-Layers perceived as one barrier, 2-Layers perceived separately.]
probability of confronting deeper layers would be discounted by the chances of being interdicted at earlier ones.) Also, in Figure 3, the two layers acting separately compound to thwart relatively more perpetrators beyond an interdiction rate of approximately 0.33. Correlations among layers could undermine or enhance deterrence relative to these baseline cases. Perpetrators might view both layers as equivalent—after crossing one, the other is an assured passage—hence undermining deterrence. Alternatively, the first layer could alert interdictors at subsequent layers to suspicious individuals for a more in-depth examination or perpetrators falsifying statements at one layer might increase the consequences if interdicted at a subsequent layer; both of these possibilities would enhance deterrence if they were known to would-be perpetrators.
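The following is an added example, not code from the handbook or its authors: it evaluates Eqs. (4) and (5) for the mixture in Eq. (6) and compares the two-layer cases of Section 4.3. The function names, the cap of W at 1 below the threshold, the form "fraction thwarted = 1 − W × (fraction not interdicted)", and the treatment of the second layer as a risk discounted by (1 − P_I) are assumptions made for this illustration.

```python
"""Combining consequences (Eqs. 4-5) and two-layer deterrence (Section 4.3)."""
from typing import Callable, List, Sequence, Tuple

Risk = Tuple[float, float]  # (P_I,i, P_0,i): interdiction probability, deterrence threshold

# Mixture used in Eq. (6): lethal, prison, loss of drugs.
EQ6_MIX: List[Risk] = [(0.004, 0.02), (0.022, 0.05), (0.094, 0.25)]


def inverse_willingness(risks: Sequence[Risk]) -> float:
    """Eq. (4): 1/W = sum_i P_I,i / P_0,i. A value >= 1.0 means deterrence applies."""
    for p_i, p_0 in risks:
        if not 0.0 <= p_i <= 1.0 or not 0.0 < p_0 <= 1.0:
            raise ValueError(f"invalid risk pair ({p_i}, {p_0})")
    return sum(p_i / p_0 for p_i, p_0 in risks)


def combined_threshold(risks: Sequence[Risk]) -> float:
    """Eq. (5): P_0 = [sum_i (P_I,i / P_I) / P_0,i]^-1, with P_I = sum_i P_I,i."""
    p_total = sum(p_i for p_i, _ in risks)
    if p_total <= 0.0:
        raise ValueError("total interdiction probability must be positive")
    return 1.0 / sum((p_i / p_total) / p_0 for p_i, p_0 in risks)


def willingness(risks: Sequence[Risk]) -> float:
    """W from Eq. (4). ASSUMPTION: W is capped at 1.0 while the combined risk is below threshold."""
    inv_w = inverse_willingness(risks)
    return 1.0 if inv_w <= 1.0 else 1.0 / inv_w


def as_one_barrier(p: float, p0: float) -> List[Risk]:
    """Two identical layers seen as one barrier: two risks, the second discounted
    by the chance (1 - p) of getting past the first layer (ASSUMPTION)."""
    return [(p, p0), ((1.0 - p) * p, p0)]


# ASSUMPTION for the curves below: thwarted = 1 - W * (fraction not interdicted).
def thwarted_interdiction_only(p: float) -> float:
    return 1.0 - (1.0 - p) ** 2


def thwarted_as_one(p: float, p0: float) -> float:
    return 1.0 - willingness(as_one_barrier(p, p0)) * (1.0 - p) ** 2


def thwarted_separately(p: float, p0: float) -> float:
    leak_per_layer = willingness([(p, p0)]) * (1.0 - p)
    return 1.0 - leak_per_layer ** 2


def bisect(f: Callable[[float], float], lo: float, hi: float, iters: int = 60) -> float:
    """Root of f on [lo, hi], given f(lo) < 0 <= f(hi)."""
    if not (f(lo) < 0.0 <= f(hi)):
        raise ValueError("root is not bracketed")
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if f(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return hi


def deterrence_onset(p0: float) -> float:
    """Smallest per-layer P_I at which two layers seen as one barrier begin to deter."""
    return bisect(lambda p: inverse_willingness(as_one_barrier(p, p0)) - 1.0, 0.0, p0)


def crossover(p0: float) -> float:
    """Per-layer P_I beyond which separately perceived layers thwart more than one barrier."""
    return bisect(lambda p: thwarted_separately(p, p0) - thwarted_as_one(p, p0), p0, 0.999)


if __name__ == "__main__":
    print("Eq. (6) mixture: 1/W =", round(inverse_willingness(EQ6_MIX), 3))
    print("combined threshold P_0 =", round(combined_threshold(EQ6_MIX), 3))
    p0 = 0.2  # deterrence threshold used for Figure 3
    print("onset (as one barrier):", round(deterrence_onset(p0), 3))
    print("crossover:", round(crossover(p0), 3))
    for p in (0.1, 0.2, 0.4, 0.6, 0.8):
        print(p, round(thwarted_interdiction_only(p), 3),
              round(thwarted_as_one(p, p0), 3), round(thwarted_separately(p, p0), 3))
```

Under these assumptions the onset and crossover for a threshold of 0.2 fall close to the values the text reads off Figure 3 (about one-half the threshold, and about 0.33).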
5 RESEARCH DIRECTIONS

How broadly does the willingness function apply? How might the willingness function be knit into the body of established psychological and behavioral findings? Future research should integrate these findings and other work on deterrence into a unified area of study so that lessons transfer and deeper understanding informs our ongoing counterterrorism efforts.

5.1 General Result

Several testable hypotheses suggest that the understanding of deterrence presented here applies to those taking extreme risks, including drug traffickers, insurgents, and terrorists:

• People can judge risk directly [1, 3, 9–11], and with simple mathematical regularity in extreme situations.
• Underlying motives are more common than different. Even drug traffickers seek respect from their reference group, need to maintain a lifestyle, pursue the thrill of risk taking, and, in some cases, fund insurgencies and terrorism.
• The mathematical simplicity of the willingness function is difficult to explain without appealing to some overriding principle, given the intricacies of the psychological theories and models as well as the diversity of subjects and situations covered by the willingness function.

5.2 Explaining the Willingness Function

Future research might examine two alternative explanations of the willingness function and connect them with the study of decision under uncertainty:

• In the psychology of persuasion, the persuasiveness of a communication is a sum over salient novel arguments; thus, the constant fraction interdicted might represent a constant rate of persuasive argumentation against perpetrating acts [13].
• If the decline of those willing represents the distribution of those with greater needs than the likely consequences of deterrence, then the decline might parallel the Pareto distribution that extends toward lower incomes [14].

Extensive research into the psychology of judgment under risk should be applicable to deterrence, yet the models and methods address acceptance as the negative rather than the reciprocal of risk. Might there be a universal asymptotic distribution converging on an inverse power law?

5.3 Integrating the Research Community

Understanding the psychology of deterrence as it applies to terrorists requires information on, among other things, terrorist perspectives, intentions, perceptions of risk, and behavior. Results presented here indicate that it appears possible to relate deterrence of terrorists and insurgents to criminals and extreme risk takers. A national research effort to understand deterrence would have to integrate intelligence sources, operational experience, and various social science research communities. Today, the barriers between these three communities are formidable. Hopefully, this handbook will raise awareness of the value of, and need for, a synthesis across these institutional barriers, and catalyze efforts toward that end.
REFERENCES

1. Anthony, R.W. United Nations Office on Drugs and Crime. (2004). A calibrated model of the psychology of deterrence. Bull. Narc.: Illicit Drug Markets LVI(1 and 2), 49–64.
2. Anthony, R.W., and Fries, A. United Nations Office on Drugs and Crime. (2004). Empirical modeling of narcotics trafficking from farm gate to street. Bull. Narc.: Illicit Drug Markets LVI(1 and 2), 1–48.
3. Anthony, R.W., Crane, B.D., and Hanson, S.F. (2000). Deterrence Effects and Peru’s Force-Down / Shoot-Down Policy: Lessons Learned for Counter-Cocaine Interdiction Operations. Institute for Defense Analyses, p. 252. IDA Paper P-3472.
4. Department of Defense Dictionary of Military and Associated Terms. (2000). JCS Pub 1–02, Joint Chiefs of Staff Publication.
5. U.S. Strategic Command. (2004). Strategic Deterrence Joint Operating Concept, Director, Policy, Resources and Requirements, Offutt AFB, NE, p. 77.
6. Crane, B.D. (1999). Deterrence Effects of Operation Frontier Shield, Institute for Defense Analyses, IDA Paper P-3460, (25) March 1999.
7. Sherman, L.W., and Weisburd, D. (1995). General deterrent effects of police patrol in crime “Hot Spots”: a randomized, controlled trial. Justice Q. 12(4), 625–648.
8. Anthony, R.W. (2002). Deterrence of the 9-11 Terrorists, Institute for Defense Analyses, Document D-2802, (15) December 2002.
9. Kahneman, D., and Tversky, A. (1979). Prospect theory: an analysis of decision under risk. Econometrica 47(2), 263–291.
10. Weber, E.U. (1997). The utility of measuring and modeling perceived risk. In Choice Decision and Measurement: Essays in Honor of R. Duncan Luce, A.A.J. Marley, Ed. Lawrence Erlbaum Associates, pp. 45–56, 472.
11. Jia, J., Dyer, J.S., and Butler, J.C. (1999). Measures of perceived risk. Manage. Sci. 45(4), 519–532.
12. Weber, E.U., Anderson, C.J., and Birnbaum, M.H. (1992). A theory of perceived risk and attractiveness. Organ. Behav. Hum. Decis. Process. 52, 492–523.
13. Perloff, R.M. (2003). The Dynamics of Persuasion: Communication and Attitudes in the 21st Century. 2nd ed., Lawrence Erlbaum Associates, New Jersey and London, p. 392.
14. Reed, W.J. (2001). The Pareto, Zipf and other power laws. Econ. Lett. 74, 15–19.
FURTHER READING

The references to the psychological literature and “Research Directions” section provide a starting point on further reading.
DECISION SUPPORT SYSTEMS
TECHNOLOGIES FOR REAL-TIME DATA ACQUISITION, INTEGRATION, AND TRANSMISSION Charles K. Huyck and Paul R. Amyx Imagecat, Inc., Long Beach, California
1 INTRODUCTION

Real-time sources typically stream raw data for a given hazard tied to a collection of specific locations. This data is useful not only for engineers and scientists studying natural phenomena, but when the data is processed correctly, it can aid in emergency management decisions. Real-time data can be used in a planning capacity to determine the likelihood of disaster striking a specific area, as with the monitoring of hurricane tracks, or fault slip rates. Real-time data is essential in tracking events which are slow to evolve and provide ample time to respond, such as tracking hurricanes and flood stages. In some cases, real-time sensors provide immediate access to warning data, such as in situ hazardous material sensors or earthquake early warning systems. Immediately after an event, when the extent of damage is unclear, raw data from accelerometers and anemometers provide data to estimate the spatial extent of damage, and can be used to provide responders with a road map for response. During response, real-time data allows managers to monitor the public, assess traffic congestion, assess damage, and monitor progress. The following section provides a description of select real-time data sources in the United States.

2 AVAILABILITY OF REAL-TIME DATA

Real-time data acquisition should include data from the proliferation of mobile phone devices that can be used to record images, video, and send text, and data sent to a general repository from the general public. Increasingly, information and communication sources are becoming far more prevalent in the form of distributed GPS, video, mobile phones, and humans as sensors. This direction is sure to continue as wireless Internet devices and MEMS are integrated into commercial off-the-shelf (COTS) products. The communication and security equipment available on 11 September 2001 did not prevent United Airlines Flight 93 from being hijacked, but mobile phones played a crucial role in
preventing the ultimate goal of the hijacking. Successful real-time data integration should consider both in situ sensors sponsored by the government and informal multimodal real-time and near real-time data streams, including humans as sensors. This is particularly important in developing countries and when coordinating international response, where formal real-time data may not be available. Real-time data can be critical in triggering decisions such as whether to evacuate, deploy personnel, and stage resources. With proper preparation, real-time data can be combined with modeling programs to estimate projected impact of a disaster in near real time. The next section explores how real-time data can be integrated into decision support systems (DSS) where they can effectively be used to make decisions.
3 UTILIZING REAL-TIME DATA FOR DECISION-MAKING

Typically it is not effective to stream raw hazard data directly to emergency managers. Although these data are critical to measuring the magnitude and spatial extent of an event, first responders and government officials generally lack the expertise to interpret raw numbers indicating contamination levels, wind speeds, and ground motions [1]. Raw data need to be interpreted by experts and converted into meaningful metrics, such as projected losses and casualties. In many cases, utilizing this data (Table 1 and Table 2) requires manually gleaning real-time data from web sites, FTP sites, or RSS feeds. The data must then be verified, processed, and massaged before it can be loaded into DSS. Real-time data is most effective when it is automatically processed, run through a DSS, and verified before dissemination. Massaging raw data can be time-consuming when timing is critical, and the expertise required to process the data may rest with a limited number of people, who may not be available when disaster strikes. Table 3 presents several modeling platforms, highlighting the availability of real-time data. The Federal Emergency Management Agency’s (FEMA’s) loss estimation tool, HAZards United States (HAZUS), does not incorporate real-time data feeds, but is capable of importing data derived from real-time sources [2]. Processing this data requires careful consideration, and can be problematic. HAZUS supported HurrEvac data in MR 1 and supports alerts in MR 3, but the functionality was not included in MR 2. Engineers adjusted the program in MR 3 to adjust wind speeds for the overly conservative assumptions from direct interpretation of broad maximum wind speeds, without interpolation. For the flood model, real-time data must be heavily processed before it is suitable for analysis.
The “Quick Look” feature enabling calculations from a polygon with a single depth of flooding is difficult to produce, and can generate highly inaccurate results. With the “Enhanced Quick Look” feature, a user is able to generate a depth of flooding grid from a DEM and an inundation boundary. However, this provides only a “quick look” and should not be mistaken for a full hydrologic analysis. Expert users, if not software developers, should be on call to assure real-time data is used correctly within HAZUS. Prompt Assessment of Global Earthquakes for Response (PAGER) is an example of a system developed to work directly with real-time data and provides notification of population exposure to significant groundshaking directly after an event. PAGER does not provide loss estimates, largely because it is designed to work internationally where building exposure and vulnerability may be unknown, although this is the ultimate goal
TABLE 1 Real-Time Data Feeds from US Government Sources

| Real-Time Data Source | Agency | Description | Use | Web Site |
|---|---|---|---|---|
| Water Watch | United States Geological Survey | Stream gauge data providing water levels on major streams | Early warning for flooding | http://water.usgs.gov/waterwatch/ |
| ShakeCast | United States Geological Survey | Accelerometer network | Real-time ground motion following an earthquake | http://earthquake.usgs.gov/resources/software/shakecast/ |
| Deep-ocean Assessment and Reporting of Tsunamis (DART) | National Oceanic and Atmospheric Administration | Network of buoys | Early warning for tsunamis | http://www.ndbc.noaa.gov/dart/dart.shtml |
| SeaWinds QuikSCAT | National Aeronautics and Space Administration | Scatterometer | Track hurricane wind speeds and direction | http://winds.jpl.nasa.gov/missions/quikscat/index.cfm |
| National Climatic Data Center—extreme wind speed data sets | National Oceanic and Atmospheric Administration | Peak gust wind speeds from a network of anemometers | Hurricane advisories | http://www.ncdc.noaa.gov/oa/land.html |
| National Weather Service—Doppler radar | National Oceanic and Atmospheric Administration | Weather radar | Probable weather for extreme weather hazards | http://radar.weather.gov/ |
of the program. The information provided by PAGER allows emergency managers to deduce whether they are facing a large event with significant exposure or a small event, which would not be possible based on earthquake magnitude alone.

INLET (INternet-based Loss Estimation Tool) is a technology testing tool developed for the National Science Foundation, based on exposure databases for Los Angeles and Orange counties [3, 4]. Damage and casualties are produced after ShakeCast pushes a ShakeMap onto the hard drive of the server. A ShakeMap is an array of ground motion data easily converted into a GIS file. ShakeCast supports automatic determination of ground motion levels for a collection of locations, and can be configured to trigger a Perl script when data arrives at the computer [5]. In INLET, ShakeCast determines ground motion for a collection of census tract centroids. When completed, a Perl script feeds these data into the INLET database and triggers INLET loss estimation routines. Because the ground motion recordings are more accurate than the ground motions that would be calculated from the attenuation functions, INLET is able to produce better results. The estimated distribution of damaged structures and casualties allows emergency responders to immediately understand the potential ramifications of the event [6, 7].

When results from programs like HAZUS and INLET are ported to an on-line environment, they can be merged with disaster portals that integrate spatial data. Ideally, this data will be linked with technologies presented in Table 2, where the general public provides text, messages, photos, and videos that enable emergency managers to rapidly verify loss estimates. Table 2 provides a list of COTS products that can supplement sensor networks to monitor an event and coordinate response.
Some, such as radio frequency identification (RFID), have not been extensively used for emergency response but hold great promise if the preparatory measures are taken to integrate the data into emergency response. Internet and cell phone use have provided tremendous amounts of information through Internet blogs, video posting on YouTube, and the media. The use of this data can be highly problematic due to verifiability and unstructured formats, but avoiding the use of these sources of data because they are problematic is a mistake. These sources will continue to provide damage assessment data for events as they unfold, and devising clever strategies to harness humans as sensors can potentially yield much greater information than sensors alone. The United States Geological Survey (USGS) “Can you feel it” program allows the general public to provide feedback in the form of a short questionnaire. When combined with geo-referencing, observations from the general

TABLE 2 Real-Time Data Feeds from Public and Private Sources

| Source | Description | Potential Use |
|---|---|---|
| Mobile phones and wireless Internet devices | Voice, SMS text messages, photos, video, and location | Monitoring traffic flow, situational awareness, damage assessment |
| Closed-circuit television (CCTV) | Video stream for security and crowd control | Monitoring traffic flow, situational awareness, damage assessment |
| Internet | Webcams, blogs, chats, emails | Situational awareness at the local level |
| Radio frequency identification (RFID) | Product inventories | Emergency resource allocation |
TABLE 3 Software Programs Utilizing Real-Time Data to Support Decision-Making

| Tool | Description | Hazard | Real-Time Data Link |
|---|---|---|---|
| HAZUS-MH™ (HAZards United States, Multi-Hazard) | Multihazard loss estimation software developed for FEMA by National Institute of Building Sciences (NIBS) | Earthquake | No real-time link, USGS ShakeMap import |
| | | Hurricane | No real-time link, National Hurricane Center forecast/advisory data download from HurrEvac FTP site |
| | | Flood | No real-time link, inundation boundary import |
| INLET (INternet-based Loss Estimation Tool) | Earthquake loss estimation tool to test integration of technologies into emergency response. For NSF | Earthquake | ShakeCast |
| CATS (Consequence Assessment Toolkit) | Loss estimation program. Developed for FEMA. Currently supported by Defense Threat Reduction Agency (DTRA) | Multihazard | Global Disaster Alert and Coordination System (http://www.gdacs.org/), uses National Earthquake Information Center (NEIC) RSS for earthquakes |
| ShakeCast | USGS RSS extended to generate custom reports of ground shaking by facility in real time | Earthquake | ShakeCast RSS feed |
| PAGER (USGS Prompt Assessment of Global Earthquakes for Response) | GIS intersection between ground shaking and global population databases | Earthquake | NEIC |
| MIDAS (Meteorological Information and Dose Assessment System) | Plume modeling software for commercial, military, and civil government applications | Plume modeling | Meteorological data, plant effluent monitor data, National Oceanic and Atmospheric Administration (NOAA) data, and other RSS feeds |
| HPAC (Hazard Prediction and Assessment Capability) | DTRA plume modeling software for military and civil government applications | Plume modeling | Wind speed from National Weather Service (NWS) |
| CWMS (Corps Water Management System) | United States Army Corps of Engineers (USACE) real-time data management system for the HEC-RAS hydrologic modeling platform | Reservoir management | Various NWS, USGS, and USACE readings of river stage, reservoir elevation, gauge precipitation, and other hydrological data sets |
public are used to adjust and verify ground motions where accelerograms are sparse. Real-time data feeds benefit substantially when merged spatially with real-time observed data utilizing humans as sensors. Although the estimates still need to be verified and accurate inventory data is critical, the availability of this data, directly after an event when no other information is available, has the potential to optimize the use of resources and reduce the likelihood that lack of information will lead to an inappropriate level of response [8]. Real-time data is routinely used in transportation, and this could possibly be extended to disasters. Before an event makes landfall, real-time data can be used to trigger evacuation and monitor evacuation routes [9]. Real-time data can be used to reverse the evacuation process. Before Hurricane Rita made landfall in 2005, the National Hurricane Center (NHC) posted data confirming that it was highly unlikely that Houston would be affected, but the evacuation continued. When there is advance notice to an impending disaster, such as an earthquake or tsunami, warnings could be disseminated through ITS and text messaging systems. Directly after an event, real-time data can be used to confirm the state of critical transportation infrastructure. Bridge-health monitoring can be used not only to monitor safety, but to prioritize restoration, such as through incentives programs rewarding the early completion of construction [10]. Given a widespread disaster, real-time data can be an essential component in data dissemination for situational awareness. Locations of roads that are obstructed or destroyed can be disseminated through a variety of handheld and Internet resources. Mobile phones and portable devices are routinely equipped with mapping applications. These applications could be modified to adapt instructions based on collapsed bridges and blocked roadways. 
These alternate routes would be available to first responders, many of whom may be from out of town. Under rapidly evolving conditions, situation awareness could be disseminated to the public on the roadways through text messaging and reverse 911. Additionally, text messages from the public can be used to inform emergency responders about the extent of damage.
4 IMPLEMENTATION ROAD-BLOCKS

Even under normal driving conditions, integration of real-time data into transportation is problematic. Although ITS message boards placed on freeways provide estimated drive times so that drivers can plan for delays, drivers must rely on their own experience to determine alternate routes, and since information is not provided for local roadways, their decisions are not well-informed. The key to resolving this problem may be cell phones and wireless Internet devices. As these devices begin to track congestion on the roadways, they will be capable of relaying this information back to a centralized system that can combine information from other commuters to suggest alternative routes. It is not clear, however, that this information will reduce congestion. When drivers receive information, they attempt to assess: (i) the status of an event; (ii) the expected duration of disruption; and (iii) the best action to take. With more accurate information, drivers are expected to behave in a more predictable manner. However, a transportation system with no information may be more efficient than a transportation system which advises an inordinate number of users to take a specific alternate route. Transportation models suitable for routing traffic optimally in real time will be required to optimize the use of real-time traffic data. This basic research is required before the models can be extended to address homeland security, where the models will need to be informed by research
into how drivers will react to routing instructions in the face of conflicting priorities, such as their perceived safety and the safety of their children. With the surge in wireless bandwidth and the advent of low-cost sensors, it is very likely that managers will face a torrent of data for making critical decisions. Transforming raw, multimodal data streams into meaningful information will require new tools for analyzing and finding patterns in information; it will require algorithms that not only fuse disparate data sources, but proactively seek patterns in the data. These patterns must be presented through intuitive visual interfaces with analytical capabilities so that urban planners and other decision-makers can monitor events as they unfold. Data mining and data fusion algorithms need to be brought into the emergency management arena to address the potential flood of real-time data available from the proliferation of wireless and embedded devices. In many instances, there are legal implications complicating the application of real-time data [11]. Emergency responders are in new territory with advanced technologies that allow very rapid response, live tracking, or even prediction of events. Emergency managers need clear legal and legislative support to empower decisions to pursue or reject advanced technologies. Without this support, it is very difficult for emergency managers to integrate advanced technologies with confidence. The risk of false alarms, missing alerts, and sensor error needs to be addressed thoroughly before systems are developed to work in conjunction with real-time data [11]. There should always be a backup method to verify records. This may be from in situ videos, security personnel, or volunteers from the public. Technology is evolving rapidly and best practices have a short window of opportunity to arise, before the next innovation occurs. 
Open Internet mapping applications such as Virtual Earth and Google Earth greatly simplify the process of disseminating real-time information gleaned from a variety of web sites [12]. The Southern California fires of 2007 revealed a very high level of sophistication of the media in geocoding burnt structures and displaying them with on-line maps. But given the limited spatial accuracy and conservative approach of delineating burn areas, maps depicted many more burnt structures than detailed surveys could confirm. Given the amount of data verification and interpretation required to correctly use real-time data for loss estimation, the emergency response community needs to establish the best way to use these data sets so that they are not misinterpreted. This requires not only building the IT infrastructure to process real-time data, but funding development in areas such as transportation, where the optimal use of real-time data is not clear. Real-time data combined with DSS and Internet support systems can give emergency managers the tools they need to make informed decisions if data are effectively collected, verified, processed, and disseminated. Automation of these tasks assures that the data are available when they are needed. If real-time data is processed using well-known standards it can disseminate results and DSS routines, allowing calculations to occur and maps to be produced in the first half hour following an event, when they are most useful. DSS results need to be combined with data supplied from the general public using mobile phones and other devices. These data sources will continue to provide damage assessment data for events as they unfold, and devise clever strategies to harness humans as sensors, since they can potentially yield much greater information than sensors alone. 
Further research into multimodal data collection and information dissemination is needed to guide the use of real-time data in emergency response, particularly in the field of transportation.
5 WEB SITES
http://www.fema.gov/plan/prevent/hazus/index.shtm
http://www.nibs.org/hazusweb/
http://rescue-ibm.calit2.uci.edu/inlet/default.asp
http://cats.saic.com
http://earthquake.usgs.gov/resources/software/shakecast/
http://earthquake.usgs.gov/eqcenter/pager/
http://www.absconsulting.com/midas/index.html
http://www.dtra.mil/rd/programs/acec/hpac.cfm
http://nereids.jpl.nasa.gov/cgi-bin/nereids.cgi
http://radar.weather.gov/GIS.html
http://podaac.jpl.nasa.gov/DATA PRODUCT/OVW/index.html
ACKNOWLEDGMENTS
This study is supported by National Science Foundation (NSF) grants through the University of California, Irvine (NSF Award Number IIS-0331707). Thanks to Paul Earle and Frank Lavelle for information regarding HAZUS and PAGER.
REFERENCES
1. Huyck, C. K., and Adams, B. J. (2002). Emergency Response in the Wake of the World Trade Center Attack: The Remote Sensing Perspective, MCEER Special Report Series on Engineering and Organizational Issues Related to the World Trade Center Terrorist Attack, Vol. 3. Multidisciplinary Center for Earthquake Engineering Research, Buffalo, NY.
2. Seligson, H., Huyck, C. K., Ghosh, S., and Bortugno, E. (2004). Data Standardization Guidelines for Loss Estimation–Populating Inventory Databases for HAZUS®99. California Governor’s Office of Emergency Services, Sacramento, CA.
3. Chung, H., Huyck, C. K., Cho, S., Mio, M. Z., Eguchi, R. T., Shinozuka, M., and Mehrotra, S. (2005). A centralized web-based loss estimation and transportation simulation platform for disaster response. Proceedings of the 9th International Conferences on Structural Safety and Reliability (ICOSSAR’05).
4. Huyck, C. K., Chung, H., Cho, S., Mio, M. Z., Ghosh, S., and Eguchi, R. T. (2006). Centralized web-based loss estimation tool. Proceedings of SPIE.
5. Huyck, C. K., Chung, H., Cho, S., Mio, M. Z., Ghosh, S., Eguchi, R. T., and Mehrotra, S. (2006). Loss estimation on-line using INLET (Internet-based Loss Estimation Tool). Proceedings of the Eighth National Conference on Earthquake Engineering (8NCEE).
6. Eguchi, R. T., Goltz, J. D., Seligson, H. A., Flores, P. J., Blais, N. C., Heaton, T. H., and Bortugno, E. (1997). Real-time loss estimation as an emergency response decision support system: the early post-earthquake damage assessment tool (EPEDAT). Earthquake Spectra, 13(4), 815–833.
7. Eguchi, R. T., Goltz, J. D., Seligson, H. A., and Heaton, T. H. (1994). Real-time earthquake Hazard assessment in California: the early post-earthquake damage assessment tool and the Caltech-USGS broadcast of earthquakes. Proceedings, Fifth US National Conference on Earthquake Engineering, Vol. 1, 55–63.
8. Chung, H., Adams, B. J., Huyck, C. K., Ghosh, S., and Eguchi, R. T. (2004). Remote sensing for building inventory update and improved loss estimation in HAZUS99. Proceedings of the 2nd International Workshop on Remote Sensing for Post-Disaster Response.
9. Cho, S., Huyck, C. K., Ghosh, S., and Eguchi, R. T. (2006). Development of a web-based transportation modeling platform for emergency response. Proceedings of the Eighth National Conference on Earthquake Engineering (8NCEE).
10. Werner, S. D., Lavoie, J. P., Eitzel, C., Cho, S., Huyck, C. K., Ghosh, S., Eguchi, R. T., Taylor, C. E., and Moore, J. E. II. (2003). REDARS 1: Demonstration Software for Seismic Risk Analysis of Highway Systems. Research Progress and Accomplishment 2002-2003. Multidisciplinary Center for Earthquake Engineering Research, Buffalo, NY.
11. Tierney, K. J. (2000). Implementing a Seismic Computerized Alert System (SCAN) for Southern California: Lessons and Guidance from the Literature on Warning Response and Warning Systems. Disaster Research Center, University of Delaware.
12. Huyck, C. K. (2005). Suggestions for the effective use of remote sensing data in emergency management. NRC Planning for Catastrophe Study Workshop on Geospatial Information for Disaster Management. National Academy of Sciences.
FURTHER READING
ABS Consulting/EQE International, Inc. (2001, 2002). TriNet Studies and Planning Activities in Real-time Earthquake Early Warning V1-4, Irvine, California.
Shoaf, K. I., and Bourque, L. B. (2001). Survey of Potential Early Warning System Users. Center for Public Health and Disasters, University of California, Los Angeles, CA.
MULTI-OBJECTIVE DECISION ANALYSIS
Gregory S. Parnell
Department of Systems Engineering, United States Military Academy, West Point, New York
Innovative Decisions Inc., Vienna, Virginia
1 INTRODUCTION
Multiobjective decision analysis (MODA) is an appropriate operations research technique to determine the best alternative when we have complex alternatives, multiple conflicting objectives, and significant uncertainties. Other names for this type of technique are multiple attribute utility theory, multiple attribute value theory, multiple attribute preference theory, and multiple criteria decision analysis. Keeney and Raiffa published the seminal book in 1976 [1]. Kirkwood wrote an excellent contemporary textbook [2]. Value-focused thinking (VFT) is a philosophy to guide decision makers to create higher value alternatives [3]. It has three major ideas: start with values, use values to generate better alternatives, and use values to evaluate those alternatives. VFT is usually implemented using the mathematics of MODA. Since MODA requires an understanding of theory and the art of modeling, experienced decision analysts are required to effectively use the technique.
2 TYPES OF DECISION PROBLEMS
A decision is an irrevocable allocation of resources [4]. It is useful to distinguish two types of decision problems: a single decision and a portfolio of decisions. In a single-decision problem, we select the best alternative from a group of potential alternatives. An example is selecting the best vaccine for a bioagent that could be used by terrorists. In portfolio decision making, we select the best group of decisions. Examples include selecting the best set of vaccines to develop and protect the nation against the most likely bioagents that terrorists might use in the United States, selecting the best portfolio of research and development (R&D) projects to fund from a large set of projects, annually allocating an organization’s budget to the best projects (or programs) from a large set of potential projects, and systems design using multiple subsystems and components. In this article, we illustrate the first type of decision. Kirkwood [2] describes how to use MODA for resource allocation decision making and Parnell et al. [5] describe how to use MODA for systems design.
3 DEFINITIONS
Analysts should use precise technical language to define key MODA terms. Here are the terms used in this article in logical order.
• Fundamental objective. The most basic objective we are trying to achieve. Example: select the best vaccine for a bioagent.
• Functions. A function is a verb–object combination, for example, detect bioagents. When multiple decisions are involved, you may want to identify functions before identifying the objectives. Alternative terms are missions or tasks.
• Objective. A preference statement that expands on the fundamental objective. Example: maximize effectiveness of the vaccine.
• Value measure. Scale to assess how well we attain an objective. For example, we may measure the time to detect the dispersal of a bioagent. Alternative terms are evaluation measures, measures of effectiveness, measures of performance, measures of merit, and metrics.
• Range of a value measure. The possible variation of the scores of a value measure. For example, the probability of detection in 24 h after dispersal may range from 0.0 to 1.0.
• Score (level). A specific numerical rating of the value measure, such as a time to detect a bioagent dispersal. A score may be on a natural or a constructed scale. (We avoid using the term value for scores because the value function uses that term.)
• Qualitative value model. The complete description of our qualitative values, including the fundamental objective, functions (if used), objectives, and value measures.
• Value hierarchy (value tree). Pictorial representation of the qualitative value model.
• Tier (layer). Levels in the value hierarchy.
• Weights. The weight assigned to a value measure depends on the measure’s importance and the range of the value measure. Weights are our relative preference for value measures. They must sum to one.
• Value function. A function that assigns value to a value measure’s score. Quantitatively, value is defined as returns to scale on the value measure [2].
• Quantitative value model. The value functions, weights, and mathematical equation (such as the additive value model) to evaluate the alternatives.
• Value model. The qualitative and quantitative value models.
• Utility. Utility is different from value. It includes returns to scale and risk preference. Kirkwood [2] covers methods for assessing utility functions.
• Utility function. A function that assigns utility to a value-measure score. We assess utility functions using lotteries [2].
We should modify our lexicon to use terms that are familiar to our decision makers and stakeholders. For example, the problem domain may use criteria and performance measures instead of objectives and value measures.
4 QUALITATIVE VALUE MODELING
Qualitative value modeling is critical to the success of an analysis. If we do not get the decision makers’ and stakeholders’ values qualitatively right, they will not (and should not) care about our quantitative analysis. The key to successful value modeling is to determine whose values to model. In analyzing commercial decisions, the decision makers usually want to produce the highest shareholder value or net present value. When customers buy the product or service, future shareholder value will increase. Similarly, for many homeland security decisions, the values may be the future values of national, state, and local decision makers; private companies; and our citizens. Value models usually include several key aspects of value:
• Why we are making this decision (fundamental objective)
• What we value (functions and objectives)
• Where we achieve an objective (location)
• When we achieve an objective (time preference)
• How well we attain an objective (value measures and value functions)
• How important is the objective (weights)
Notice that value models do not include how one does an activity. Instead, we care about how well the alternative works. For example, a vaccine could be a pill, a shot, or an aerosol. We do not score directly how it is used, but we might have a value measure that scores ease of use. Structured techniques based on clear criteria are the key to credible and defensible qualitative value modeling.
4.1 Criteria for Developing a Successful Value Model
Qualitative value models must satisfy four criteria by being collectively exhaustive, mutually exclusive, operable, and as small as possible—though Kirkwood describes the first two criteria differently [2]. Collectively exhaustive means that the value model must consider all essential types of evaluation. The criteria are mutually exclusive if they do not overlap. Further, the value measures must be operable, which means that the data are available and everyone interprets them in the same way. Finally, we should use as few value measures as possible to limit the model’s size. Only include those values that can be affected by the decision and those values that are essential to the decision. Parnell [6] provides four structured techniques for value modeling. The amount of effort to develop a value model corresponds directly to the number of measures. Each value measure must have a defined scale and a value function. Thus, more value measures result in more time for model development and scoring.
4.2 Developing a Qualitative Value Model
It is useful to distinguish between models that use functions and objectives, and models that use only objectives. For portfolio decisions, it is useful to identify the functions first and then the objectives.
Step 1: Identify the fundamental objective. Identifying the fundamental objective is the essential first step that guides how we develop the value model. It must be a clear, concise statement of the most basic reason for the decision. In practice, we take time and apply thought to properly specify the fundamental objective. Once we understand it, we can determine if we have single or multiple functions. If we have a single function, we can skip step 2 and start to identify the objectives.
Step 2: Identify functions that provide value. We can get functions from documents or develop them using functional analysis [5]. Affinity diagramming is an excellent technique for identifying functions [7].
We use research and brainstorming to discover action verb–object combinations (e.g. detect attack and provide warning) that describe potential future functions. Then, we group verb–object combinations by affinity (similarity). Sometimes, it is useful to establish functions and subfunctions before identifying the objectives. Affinity diagramming has two major benefits for value-model development. First, affinity groups are mutually exclusive (each function different) and collectively exhaustive (all necessary functions identified). Secondly, affinity diagramming usually identifies new functions required for our fundamental objective.
Step 3: Identify the objectives that define value. For each function, we need to identify the objectives that define value. Objectives can come from documents, interviews with senior leaders, or workshops with stakeholders (or stakeholders’ representatives). Again, affinity diagrams are excellent for developing mutually exclusive and collectively exhaustive objectives.
Step 4: Identify the value measures. We can identify value measures by research and interviews with decision makers, stakeholders, and subject-matter experts. Access to stakeholders and subject-matter experts is the key to developing good value measures. Kirkwood [2] identifies two useful dimensions for value measures: alignment with the objective and type of measure. Alignment with the objective can be direct or by proxy. A direct measure focuses on attaining the objective, for example, efficacy of the vaccine against the bioagent. A proxy measure focuses on attaining an associated objective, for example, the number of casualties is a proxy for the consequences of a bioagent attack. The type of measure can be natural or constructed. A natural measure is in general use and commonly interpreted, such as cost in dollars. We develop a constructed measure (such as homeland security advisory system classifications [8]) when natural measures do not exist. Table 1 reflects the author’s preferences for types of value measures. Priorities 1 and 4 are obvious. Direct and constructed measures are preferred to proxy and natural measures for two reasons. First, alignment with the objective is more important than the type of scale. Secondly, one direct and constructed measure can replace many natural and proxy measures. Keeney and Raiffa [1], Kirkwood [2], and Keeney [3] provide useful information on how to develop value measures.

TABLE 1 Preference for Types of Value Measure
Type          Direct Alignment   Proxy Alignment
Natural       1                  3
Constructed   2                  4

Step 5: Vet the qualitative value model with key decision makers and stakeholders. We must ensure that our model has captured the values of the decision makers and stakeholders. Vetting the qualitative value model and incorporating their comments is critical to ensuring that they will accept the analysis results.
Figure 1 provides a terrorist value hierarchy. The terrorist organization’s fundamental objective is to remove US presence in the Middle East. The three objectives of a terrorist attack are to maximize economic impact (measured in dollars), maximize people killed (measured in number of deaths), and maximize citizen fear (measured in a constructed citizen fear scale).
FIGURE 1 Terrorist value hierarchy. [Fundamental objective: Employ terrorism to remove the U.S. from the Middle East. Objectives and their value measures: Maximize Economic Impact (Dollars); Maximize People Killed (Number of Deaths); Maximize Citizen Fear (Citizen fear scale).]
5 QUANTITATIVE VALUE MODELING
Once we have vetted the qualitative value model with our decision makers and key stakeholders, we are ready to develop the quantitative value model. It includes the mathematical model, value functions, and weights.
5.1 Mathematical Model
MODA uses many mathematical equations to evaluate alternatives [1]. The simplest and most commonly used model is the additive value model [2]. This model uses the following equation to calculate each alternative’s value:
$$v(x) = \sum_{i=1}^{n} w_i v_i(x_i)$$
where $v(x)$ is the alternative’s value, $i = 1$ to $n$ is the number of the value measure, $x_i$ is the alternative’s score on the $i$th value measure, $v_i(x_i)$ is the single-dimensional value function that converts a score of $x_i$ to a normalized value, $w_i$ is the weight of the $i$th value measure, and $\sum_{i=1}^{n} w_i = 1$ (all weights sum to one). The additive value model has no index for the alternatives because our values do not depend on the alternative since we do not put “how” in the model. We use the same equations to evaluate every alternative.
5.2 Value Functions Measure Returns to Scale
Value functions measure returns to scale on the value measures [2]. They have four basic shapes: linear, concave, convex, and an S curve (Fig. 2). The linear value function has constant returns to scale: each increment of the measure is equally valuable. The concave value function has decreasing returns to scale: each increment is worth less than the preceding increment. The convex value function has increasing returns to scale: each increment of the measure is worth more than the preceding increment. The S curve has increasing, then decreasing, returns to scale on the measure.
FIGURE 2 Four types of value functions. [Plot of V(x) [Value] against x [Value Measure], both from 0 to 1, for the linear, concave, convex, and S-curve value functions.]
We have several techniques to develop value curves from subject-matter experts [2]. Our first step is to have the experts determine the shape of the value curve: linear, concave, convex, or S curve. Next, we use value increments to identify several points on the curve—asking experts the relative value of increments in the value-measure scale. Kirkwood [2] provides Excel macros that can be used to easily implement value functions.
5.3 Weights Depend on Importance and Range of the Value-Measure Scales
Weights play a key role in the additive value model. MODA quantitatively assesses the trade-offs between conflicting objectives by evaluating the alternative’s contribution to the value measures (a score converted to value by single-dimensional value functions) and the importance of each value measure (weight). The weights depend on the measure scales’ importance and range. If we hold constant all other measure ranges and reduce the range of one of the measure scales, the measure’s relative weight decreases, and the weight assigned to the others increases since the weights add to 1.0. The only mathematically correct way to do weights is bottom-up using the variation of the value measures. A very effective weighting technique is the swing weight matrix [9].
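
The additive value model of Section 5, applied to the single-decision vaccine selection used as an illustration in Sections 2 and 3. This is an added worked example, not code or data from the article: the alternatives, value measures, elicited points, swings and every number are constructed, and the proportional-swing rule in `narrowed_range_weights` is a simplifying assumption.

```python
"""Additive value model v(x) = sum_i w_i * v_i(x_i) for a single decision.

All alternatives, measures, scales and numbers are constructed for
illustration; none of them come from the article.
"""
from bisect import bisect_right


def value_function(points):
    """Return v_i built from elicited (score, value) points sorted by score.

    Values are normalized to 0..1. Between elicited points the curve is
    linearly interpolated; scores outside the range are clamped to it.
    """
    xs = [p[0] for p in points]
    vs = [p[1] for p in points]
    if xs != sorted(set(xs)) or min(vs) != 0.0 or max(vs) != 1.0:
        raise ValueError("scores must strictly increase and values span 0..1")

    def v(x):
        x = min(max(x, xs[0]), xs[-1])
        j = min(bisect_right(xs, x), len(xs) - 1)
        x0, x1, v0, v1 = xs[j - 1], xs[j], vs[j - 1], vs[j]
        return v0 + (v1 - v0) * (x - x0) / (x1 - x0)

    return v


def swing_weights(swings):
    """Normalize swing assessments so that the weights sum to one."""
    total = float(sum(swings.values()))
    return {m: s / total for m, s in swings.items()}


# One value function per value measure (hypothetical measures and shapes).
VALUE_FUNCTIONS = {
    # Direct, natural measure; concave: decreasing returns to scale.
    "efficacy_pct": value_function([(50, 0.0), (70, 0.6), (90, 0.9), (100, 1.0)]),
    # Natural measure where less is better; linear: constant returns to scale.
    "months_to_field": value_function([(6, 1.0), (36, 0.0)]),
    # Constructed 1-5 scale; S curve: increasing, then decreasing returns.
    "ease_of_use": value_function([(1, 0.0), (2, 0.1), (3, 0.5), (4, 0.9), (5, 1.0)]),
}

# Assessed swing of each measure from the worst to the best end of its
# range, relative to the largest swing (= 100).
SWINGS = {"efficacy_pct": 100, "months_to_field": 60, "ease_of_use": 40}
WEIGHTS = swing_weights(SWINGS)   # 0.5, 0.3, 0.2

# Include the baseline (current) and ideal alternatives, as Section 7.1 advises.
ALTERNATIVES = {
    "baseline":  {"efficacy_pct": 70,  "months_to_field": 6,  "ease_of_use": 3},
    "vaccine_A": {"efficacy_pct": 90,  "months_to_field": 24, "ease_of_use": 2},
    "vaccine_B": {"efficacy_pct": 80,  "months_to_field": 12, "ease_of_use": 4},
    "ideal":     {"efficacy_pct": 100, "months_to_field": 6,  "ease_of_use": 5},
}


def contributions(scores, weights=WEIGHTS):
    """Weighted value w_i * v_i(x_i) per measure (one stack of a stacked bar)."""
    return {m: weights[m] * VALUE_FUNCTIONS[m](scores[m]) for m in weights}


def additive_value(scores, weights=WEIGHTS):
    """Total value of one alternative under the additive value model."""
    return sum(contributions(scores, weights).values())


def value_gaps(name, weights=WEIGHTS):
    """Per-measure gap between the ideal alternative and the named one."""
    ideal = contributions(ALTERNATIVES["ideal"], weights)
    got = contributions(ALTERNATIVES[name], weights)
    return {m: ideal[m] - got[m] for m in weights}


def narrowed_range_weights(measure, fraction):
    """Weights after one measure's range shrinks to `fraction` of its width.

    Assumption: the swing of a linearly valued measure shrinks in proportion
    to its range while the other swings stay fixed.
    """
    swings = dict(SWINGS)
    swings[measure] = SWINGS[measure] * fraction
    return swing_weights(swings)


if __name__ == "__main__":
    for name, scores in ALTERNATIVES.items():
        print(f"{name:10s} v(x) = {additive_value(scores):.3f}")
    print("value gaps for vaccine_B:", value_gaps("vaccine_B"))
    print("weights with months range halved:",
          narrowed_range_weights("months_to_field", 0.5))
```

The largest per-measure gap for the best alternative shows where improving that alternative would add the most value, and halving the range of one measure lowers its weight while raising the others.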
6 ALTERNATIVE SCORING USING VALUE-FOCUSED THINKING
Once we have vetted the quantitative value model and developed alternatives, we must score the alternatives on the value measures. VFT [3] has three major ideas: start with your values, use your values to evaluate alternatives, and use your values to generate better alternatives. VFT is a tool to foster creativity. Since we use values to develop the value hierarchy, alternative scoring has two purposes: evaluating alternatives and generating better ones. The second purpose is most important. When we begin to score our alternatives, we will identify value gaps—chances to improve the alternatives (create better scores) to achieve higher value. It is prudent to consider who will score the alternatives and how we will resolve scoring disagreements. Three scoring approaches have been successful: alternative champions, a scoring panel, and alternative champions reviewed by a scoring panel.
• Scoring by alternative champions. This approach is useful because it provides information about values from the value model directly to “champions” as they do the scoring. A disadvantage is the perception that a champion of an alternative may bias a score to unduly favor it or that scores from different champions will be inconsistent.
• Scoring by a scoring panel. To avoid the perception of scoring bias and potential scoring inconsistencies, subject-matter experts can convene as a panel to assign scores and improve the alternatives. Champions of alternatives can present scoring recommendations to the panel, but the panel assigns the score.
• Scoring by alternative champions reviewed by a scoring panel. Having the idea champion score the alternative and modify it to create more value is the essence of VFT. A scoring review panel can then ensure that the scores are unbiased and consistent.
Once we have the scores, we can start evaluating the alternatives—typically through deterministic analysis and probabilistic (or uncertainty) analysis.
7 ANALYSIS OF ALTERNATIVES
Analysis of alternatives using MODA involves deterministic and probabilistic analysis. In deterministic analysis, all the parameters are known for certain. In probabilistic analysis, some of the parameters can be uncertain. Probabilistic analysis can provide insights about deterministic and stochastic domination [10].
7.1 Deterministic Analysis of Alternatives
In deterministic analysis, uncertainty is not a factor. We can determine the dominant alternatives and their values without probabilities. See Parnell [6] for deterministic analysis of portfolio decisions. In addition to scoring our alternatives, we should always include the current (or baseline) alternative and the ideal (or perfect) alternative. Several types of analysis are useful to obtain insights about the alternatives, and many software packages have built-in features that “automate” sensitivity analysis.
• Stacked bar. Stacked bar graphs are a useful way to compare alternatives. The “stacks” show the contribution for one level in the hierarchy. We can plot the stacked bar graphs for any level in the hierarchy. Analysis usually begins top down to identify insights.
• Value gaps. Value gaps are one of the key insights that we can extract from stacked bar graphs. Value gaps are the differences between the best alternative and the ideal alternative. We can examine them at all levels in the value hierarchy, so they “shine a light” on areas for VFT.
• Value versus cost. It is always useful to separate cost and benefits (value), typically by plotting the value versus the cost of the alternatives. This chart helps to quickly identify the dominant alternatives and enables decision makers to see the value added for the additional cost.
• Sensitivity analysis. Sensitivity analysis is useful for key parameters, including some weights and scores.
7.2 Probabilistic Analysis of Alternatives
The additive value model allows for three sources of uncertainty—alternative scores, value functions, and weights. Risk is the probability of a low value (utility). We can model our uncertainty about alternative scores using probability distributions. We can sequence the decisions and uncertainties using decision trees. Using distributions, the additive value model gives us the probability distribution of value (utility), from which decision makers can directly assess the alternative’s risk. We also can do sensitivity analysis to weights or value functions that might change depending on the future scenario [6]. The usual approach to uncertainty analysis is to put probability distributions on the scores (or variables affecting the scores) that reflect our uncertainty about the alternative’s future score on the value measures. The additive value model can then assess how uncertainty affects value (or utility). Two approaches are common: MODA with decision trees and Monte Carlo simulation.
• MODA with decision trees. We can add the uncertain variables (exogenous variables or alternative scores) as nodes in a decision tree. Then, we use the additive value model to assess value (utility) at the end of the tree. The best alternative comes from the decision tree’s “average out/fold back” algorithm [10]. This method works equally well for independent and dependent uncertain variables.
• Monte Carlo simulation. Monte Carlo simulation is useful to assess how uncertainty affects alternative value (or utility). It has four main steps: develop probability distributions for uncertain variables, draw a random number for each uncertain variable and for each distribution, calculate the value (or utility) using all simulated scores, and do numerous runs and plot a value (utility) distribution to assess the alternative’s risk. This method works for independent and dependent uncertain variables, but we must express the dependent variables as functions of the independent variables.
Parnell [6] provides additional techniques for probabilistic analysis.
8 USES OF MODA FOR HOMELAND SECURITY
Decision analysis using MODA/VFT has been used in many problem domains [11, 12]. Parnell et al. [5] describe a systems decision-making framework that can be applied to homeland security challenges. Recent applications include the following homeland security capabilities [13]: ports and harbors [14], information assurance [15–17], commercial airlines [18], and general terrorist attacks [19]. In this section, we briefly describe a probabilistic decision analysis application of an adversary threat scenario for bioterrorism to illustrate how MODA, using decision trees, can be applied to homeland security challenges. Usually, we are the decision makers and we use our assessment of our values and our uncertainties. However, since terrorists are intelligent adversaries, it may be useful to consider their values and uncertainties. The terrorist’s influence diagram [20] is shown in Figure 3. Squares are decisions, circles are uncertain nodes, rounded squares are deterministic nodes, and terrorist value is the multiobjective value node used to solve the diagram. In this very simplified model, the terrorist has three decisions: the target, the agent, and the acquisition decisions. The terrorist has three major uncertainties: does he obtain the agent, is he detected before attack, and is the attack successful. The decision alternatives and the sequence of the decisions and events are shown in the decision tree in Figure 4. The probabilities are conditioned on the assumption that the terrorist has decided to attack. In addition, the probability of an event can depend on the terrorist’s decisions and other uncertain events. For example, the probability that he obtains the agent depends on the type of agent and how he acquires the agent. In this simplified model, the mitigation effectiveness depends on the target and the agent. Finally, the terrorist has two objectives: maximize deaths and maximize economic impact. An additive value model with linear value functions and equal weights is assumed. Using the DPL software [20], we can solve for the preferred terrorist decision. The highest value strategy for the terrorist is shown in Figure 5. On the basis of this (notional) data, the terrorist prefers to produce agent C to attack location Y. In addition to the decision, we can use decision analysis tools to learn significant additional information. For example, location Y is twice as good as location X; location Y stochastically dominates [10] location X, and his probability of obtaining the agent is higher (0.42) than his probability of being detected before the attack (0.4).
FIGURE 3 Terrorist influence diagram. [Node labels: Bioterrorism Target, Bioterrorism Agent, Acquire Agent, Obtain Agent, Detect Pre-attack, Attack Success, Mitigation Effectiveness, Deaths, Economic Impact, Max Deaths, Max Economic Impact, Weight Deaths, Weight Economic Impact, Terrorist Value.]
FIGURE 4 Terrorist decision tree. [Node labels: Bioterrorism Target, Bioterrorism Agent, Acquire Agent, Obtain Agent, Detect Pre-attack, Attack Success.]
FIGURE 5 Terrorist’s highest value strategy.
FIGURE 6 Location sensitivity to weight assigned to deaths. [Plot of Terrorist Value against Weight_Deaths, with the weight running from 0 to 1.]
Decision analysis also provides useful tools for sensitivity analysis. Figure 6 shows the sensitivity of the target location decision to the assumption about weights. If the terrorist assigns a weight of less than 0.85 to deaths, he would prefer location Y. If the weight is greater than 0.85, he would prefer X. If we had considered multiple locations, some may never be preferred. In addition, two-way sensitivity plots and tornado diagrams can also be used to assess the sensitivity to assumptions.
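
The four Monte Carlo steps of Section 7.2 and a one-way weight sensitivity sweep of the kind shown in Figure 6, carried through for a defender's choice between procuring a licensed vaccine and developing a new one. This is an added example, not code or data from the article: the two alternatives, the distributions, the weights and the low-value threshold are all constructed, and linear value functions are assumed.

```python
"""Monte Carlo risk profile and one-way weight sensitivity for an additive
value model with linear value functions.

Alternatives, distributions, weights and thresholds are constructed for
illustration; none of them come from the article.
"""
import random
from statistics import mean

WEIGHTS = {"efficacy": 0.6, "months_to_field": 0.4}   # must sum to one


def v_efficacy(pct):
    """Linear value, more is better, over the range 0-100 %."""
    return pct / 100.0


def v_months(months):
    """Linear value, fewer is better, over the range 6-36 months."""
    return (36.0 - months) / 30.0


# Alternative with known scores: procure an already licensed vaccine.
PROCURE = {"efficacy": v_efficacy(70), "months_to_field": v_months(9)}


def draw_develop_new(rng):
    """Steps 1-2: one draw of the uncertain scores for developing a new vaccine.

    The trial outcome is the independent uncertainty; efficacy and schedule
    depend on it and are expressed as functions of it.
    """
    if rng.random() < 0.7:                       # trial succeeds
        efficacy = rng.triangular(80, 98, 90)    # low, high, mode
        months = 12 + rng.uniform(0, 6)
    else:                                        # trial fails, fallback candidate
        efficacy = rng.triangular(40, 70, 55)
        months = 12 + rng.uniform(6, 18)
    return {"efficacy": v_efficacy(efficacy), "months_to_field": v_months(months)}


def total_value(measure_values, weights=WEIGHTS):
    """Step 3: additive value from the single-dimensional values."""
    return sum(weights[m] * measure_values[m] for m in weights)


def simulate(runs=20000, seed=2010):
    """Step 4: many runs; returns the per-measure values of every run."""
    rng = random.Random(seed)
    return [draw_develop_new(rng) for _ in range(runs)]


def risk_profile(samples, weights=WEIGHTS, low_value=0.70):
    """Summarize the value distribution; risk is P(value < low_value)."""
    values = sorted(total_value(s, weights) for s in samples)
    n = len(values)
    procure = total_value(PROCURE, weights)
    return {
        "mean": mean(values),
        "p05": values[int(0.05 * n)],
        "risk": sum(v < low_value for v in values) / n,
        "p_beats_procure": sum(v > procure for v in values) / n,
    }


def weight_sensitivity(samples, steps=10):
    """Preferred alternative by expected value as the efficacy weight varies.

    The additive model is linear in the single-dimensional values, so the
    expected value equals the model applied to the mean values.
    """
    means = {m: mean(s[m] for s in samples) for m in WEIGHTS}
    rows = []
    for i in range(steps + 1):
        w = i / steps
        weights = {"efficacy": w, "months_to_field": 1.0 - w}
        develop = total_value(means, weights)
        procure = total_value(PROCURE, weights)
        rows.append((w, "develop_new" if develop > procure else "procure_licensed"))
    return rows


if __name__ == "__main__":
    runs = simulate()
    print("procure_licensed value:", round(total_value(PROCURE), 3))
    print("develop_new profile:", risk_profile(runs))
    for w, preferred in weight_sensitivity(runs):
        print(f"weight on efficacy {w:.1f}: prefer {preferred}")
```

With these constructed inputs the certain alternative has the higher expected value at the stated weights, the uncertain one carries a chance of a low value equal to the chance of trial failure, and the preference switches only when the weight on efficacy rises above roughly 0.76.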
9 SUMMARY
In this article, we have introduced and illustrated MODA. MODA is an appropriate operations research technique to determine the best alternative when we have complex alternatives, multiple conflicting objectives, and significant uncertainties. MODA asks the right questions: what we can value, what are the major uncertainties, and what can we do to achieve our values? We have seen that MODA can be used to analyze complex homeland security alternatives using value models (our values or our adversaries’ values) of conflicting objectives, probability models of uncertainty, and decision trees to determine the best alternative. MODA provides a logically consistent, credible, and defensible methodology to provide analysis insights for decision makers.
ACKNOWLEDGMENT
The anonymous reviewers provided useful suggestions to improve the clarity of this article.

REFERENCES
1. Keeney, R. L., and Raiffa, H. (1976). Decision Making with Multiple Objectives: Preferences and Value Tradeoffs, John Wiley & Sons, New York.
2. Kirkwood, C. W. (1997). Strategic Decision Making: Multiobjective Decision Analysis with Spreadsheets, Duxbury Press, Pacific Grove, CA.
3. Keeney, R. L. (1992). Value-Focused Thinking: A Path to Creative Decisionmaking, Harvard University Press, Cambridge, MA.
4. Howard, R. (1983). Decision Analysis Class Notes, Stanford University, California, CA.
5. Parnell, G. S., Driscoll, P. J., and Henderson, D. L., eds. (2008). Systems Decision Making for Systems Engineering and Management. John Wiley & Sons, Inc.
6. Parnell, G. S. (2007). Chapter 19. Value-Focused Thinking Using Multiple Objective Decision Analysis in Methods for Conducting Military Operational Analysis: Best Practices in use Throughout the Department of Defense, R., Larry, and A. Loerch, Eds. Military Operations Research Society. Washington, DC.
7. (2006). Affinity Diagrams, Basic Tools for Process Improvement, accessed June 1, 2006. http://www.saferpak.com/affinity articles/howto affinity.pdf.
8. Homeland Security Advisory System. (2006). www.dhs.gov, accessed September 3, 2006.
9. Ewing, P. L., Tarantino, W. J., and Parnell, G. S. (2006). Use of decision analysis in the army base realignment and closure (BRAC) 2005 military value analysis. Decision Anal. 3(1), 33–49.
10. Clemen, R. T., and Reilly, T. (2001). Making Hard Decisions with Decision Tools Suite update 2004 Edition, Duxbury Press, Pacific Grove, CA.
11. Corner, J. L., and Kirkwood, C. W. (1991). Decision analysis applications in the operations research literature, 1970–1989. Oper. Res. 39, 206–219.
12. Keefer, D. L., Corner, J. L., and Kirkwood, C. W. (2004). Perspectives on decision analysis applications, 1990–2001. Decision Anal. 1(1), 4–22.
13. Pruitt, K. A., Deckro, R. F., and Chambal, S. P. (2004). Modeling homeland security. J. Def. Model. Simulat. 1(4), 187–200.
14. Parnell, G. S., Figueira, J. R., and Bennett, S. (2007). Decision analysis tools for safety, security, and sustainability of ports and harbors in NATO workshop: risk management tools for port security, critical infrastructure, and sustainability, Springer, Netherlands.
15. Buckshaw, D. L., Parnell, G. S., Unkenholz, W. L., Parks, D. L., Wallner, J. M., and Saydjari, O. S. (2005). Mission oriented risk and design analysis of critical information systems. Mil. Oper. Res. 10(2), 19–38.
16. Hamill, J. T., Deckro, R. F., and Kloeber, J. M. (2005). Evaluating information assurance strategies. Decis. Support. Syst. 39(3), 463–484.
17. Hamill, J. T., Deckro, R. F., Kloeber, J. M., and Kelso, T. S. (2002). Risk management and the value of information in a defense computer system. Mil. Oper. Res. 7(2), 61–81.
18. Von Winterfeldt, D., and O’Sullivan, T. M. (2006). Should we protect commercial airplanes against surface-to-air missile attacks by terrorists? Decision Anal. 3(2), 63–75.
19. Paté-Cornell, M. E., and Guikema, S. D. (2002). Probabilistic modeling of terrorist threats: a systems analysis approach to setting priorities among countermeasures. Mil. Oper. Res. 7(4), 5–20.
20. Syncopation Software. (2006). DPL Decision Analysis Software, http://www.syncopationsoftware.com/, accessed November 9, 2006.
FURTHER READING
Parnell, G. S., Dillon-Merrill, R. L., and Bresnick, T. A. (2005). Integrating risk management with homeland security and antiterrorism resource allocation decision-making. In The McGraw-Hill Handbook of Homeland Security, D. Kamien, ed. McGraw-Hill, New York, pp. 431–461.
Watson, S. R., and Buede, D. M. (1987). Decision Synthesis: the Principles and Practice of Decision Analysis, Cambridge University Press, Cambridge.
NATURALISTIC DECISION MAKING, EXPERTISE, AND HOMELAND SECURITY
Eduardo Salas and Michael A. Rosen
Department of Psychology, Institute for Simulation and Training, University of Central Florida, Orlando, Florida
1 INTRODUCTION
Homeland Security (HS) is a “people business”. It is fundamentally about the interaction of people with other people and understanding the intent of other people. It is about psychology, communication, deception, recognition, coordination, teamwork, situation assessment, and decision making. This is completely evident on the frontlines of HS where police officers, Transportation Security Administration (TSA) agents, and border patrol agents come face to face with possible threats to security. However, it is equally the case in complex intelligence analysis where agents may be working behind several layers of sophisticated technology. No matter how elaborate a system of information collection, analysis, and representation may be, as long as there remains a human in the loop, the expertise of that human will play a role in HS. The decision-making effectiveness of people from the frontline law enforcers to intelligence analysts will impact these national goals. Therefore, understanding how people perceive, integrate, process, disseminate, communicate, and execute decision making in these types of complex environments is of critical importance. This knowledge can be used to train better decision makers and to design systems that support the way experts make decisions to further boost performance and safety.
So, if HS is about people, about interactions, decision making, and expertise, what are the means available to ensure the highest possible levels of safety and security? What should be the scientific basis of efforts to build and maintain safeguards against threats to the nation? This article is dedicated to reviewing the naturalistic decision making (NDM) approach and, more generally, the present understanding of the role of expertise in organizations. Also, we propose that the NDM approach and the scientific understanding of human expertise make valuable contributions to HS efforts. The substantial and continually growing scientific literature concerning how people develop, maintain, and leverage expertise in complex and stress-filled environments can provide information on the design and analysis of sociotechnical systems supporting HS. To this end, we pursue three main goals in this article: (i) provide a definition and general overview of NDM, (ii) review current methodological approaches and tools in NDM, and (iii) briefly highlight findings from the NDM literature that describe expert individual and team decision making. Before addressing these goals, we provide some illustrative examples of NDM applications to HS.
2 WHAT DO EXPERTISE AND NDM HAVE TO DO WITH HOMELAND SECURITY?
One of the defining features of NDM is a commitment to improving decision-making performance. This begs the question: how can NDM help HS efforts? In general, the NDM approach contributes to organizational effectiveness by providing an understanding of how expert decision makers perform effectively (i.e. What processes and knowledge does the expert use? What coordination strategies are used?). This understanding can be leveraged into better training programs [1] to create more expert decision makers at a faster rate as well as better system design [2] to facilitate the performance of experts. Specific applications of the NDM approach to HS are numerous. Two brief examples are provided below: information analysis and baggage screening.
The task of intelligence analysis is extremely complex. The analyst must “sort through enormous volumes of data and combine seemingly unrelated events to construct an accurate interpretation of a situation, and make predictions about complex dynamic events” [3, pp. 281–282]. During this process, a multitude of decisions must be made concerning the validity, reliability, and significance of various pieces of information, as well as how information may fit complex patterns extended over time [4]. To further complicate matters, this task is conducted in an environment where uncertainty and deception are pervasive, time is frequently scarce, and there are costly consequences for failing to detect (or misinterpreting) patterns in the data and drawing faulty inferences and predictions [5]. All of these factors produce an “unfriendly” environment for decision making; however, human decision makers are robust and manage to do well in such circumstances. In fact, information analysts have developed numerous methods for accomplishing their task, and the process has been characterized as highly idiosyncratic [6]. No doubt, some analysts’ processes are better than others, and the NDM approach can be used to identify methods that are more effective. This can serve as the foundation for the development of a set of formalized methods and processes (as called for by Johnston [6]). This would be a monumental contribution that would expedite the development of experts within the domain. Additionally, Hutchinson et al. [7] applied NDM methods to the information analysts’ task and found that the use of analysis tools that forced analysts to make decisions without a context for information was a major source of poor performance. This finding, along with the specifications of the contextual information that is necessary, can be used to develop tools that facilitate rather than encumber decision-making processes.
Like information analysis, baggage screening is a vital component of defenses against terrorist attacks. Though in many senses, baggage screening does not involve the “cognitive complexity” of intelligence analysis, there is a great deal of perceptual expertise involved in effective baggage screening. Detecting a pattern indicating a threat, in a long sequence of patterns containing primarily innocuous items, requires not only sustained attention, but the capacity to detect subtle visual cues [8]. Understanding what cues are used by expert baggage screeners can facilitate tools (e.g. augmented displays that emphasize critical information) as well as training programs to build perceptual expertise.
The two types of tasks discussed above are different in many critical ways. However, they share a commonality in that success depends on the expertise of human decision makers. Consequently, the nature of expertise and decision making can serve as a valuable scientific knowledge base to build and maintain effective HS sociotechnical systems.
3 WHAT IS NATURALISTIC DECISION MAKING?
In 1988, the USS Vincennes, a US Navy guided-missile cruiser, mistook a commercial Iranian flight for an attacking military jet. The crew of the Vincennes fired two missiles at what they thought was an imminent threat to their safety. The immediate result of this decision by the Vincennes crew was the tragic death of the 290 innocent passengers and crew members aboard the Iranian flight. However, this event was to have an enormous impact on the study of human decision making as well. A major research project called the Tactical Decision Making Under Stress (TADMUS) program was launched with the aim of better understanding how decisions are made in high-stress, high-stake military environments. This project [see Ref. 9], in conjunction with preexisting research efforts [10], helped to advance what has come to be known as the NDM community, a group of researchers working to understand decision making in contexts where traditional decision-making research is not applicable. In the following sections, we provide an overview of this field and related work in the study of expertise. There are many parallels between the situation experienced by the Vincennes crew and those encountered by HS personnel: intense time pressure, high stakes outcomes, and uncertain information. NDM seeks to understand and support decision making in these types of environments and is therefore well suited to contribute to the scientific basis of HS.
3.1 NDM and Traditional Decision-Making Research
Spurred by the practical implications of the topic, decision making has been a subject of scientific inquiry for centuries. The prolonged attention given to decision making has produced an extensive theoretical and empirical literature base, which can generally be understood through one of the three paradigms: the formal-empiricist, the rationalist, and the naturalistic [11]. The formal-empiricist paradigm is typified by the classical decision making (CDM) approach and the rationalist paradigm by the judgment and decision making (JDM) and behavioral decision theory (BDT) threads of research. Although each of these research traditions has made unique contributions, they all share fatal flaws that have rendered them ineffectual at explaining “real-world” decision performance in high-stress, high-stake environments like the Vincennes incident and many others common to HS [12].
First, the rationalist and formal-empiricist traditions both viewed decision making as selection of an alternative from a set of concurrently available options, which were all evaluated by the decision maker. Essentially, this amounted to imposing an idealized structure (i.e. exhaustive search and evaluation of decision alternatives) on the decision-making process. Most people do not actually use this approach when given ample time, and it is impossible to use while making decisions under time pressure and other stressors. Second, the rationalist and formal-empiricist traditions do not account for the expertise of the decision maker nor do they address complex multicomponent decisions [13]. Decisions were viewed as isolated from one another, and the past experience of the decision maker was viewed as irrelevant.
In contrast to these two prescriptive traditions, which are both based upon an unrealistic ideal decision-making process, the naturalistic paradigm seeks to describe how effective decisions are made by professionals working in complex situations, where time is scarce and information incomplete or uncertain. The naturalistic paradigm is typified by NDM and organizational decision making (ODM) traditions, both of which are based on observational and descriptive research,
focus on what real decision makers actually do (cf. artificial laboratory tasks), and reject a view of decision making as choice from an exhaustive set of decision alternatives [14].

3.2 Defining the NDM Approach
The NDM approach can be defined most succinctly as an investigation of “the way people use their experience to make decisions in field settings” (Zsambok [15], p. 4). There are two important implications of this definition that form the basis of the NDM approach. First, the expertise of the decision maker is fundamental to the decision-making process. An understanding of how decisions are made within a particular domain cannot be divorced from an understanding of the expertise of the decision maker [16]. Second, the NDM approach emphasizes the real-world context of decision making. NDM research happens “in the field” because decision making and expertise are tightly bound to the context of work [17]. Providing guidance on how to improve HS effectiveness involves generating an understanding of how effective HS personnel do their jobs and make good decisions.
Because of this focus on the context of work, descriptions of environmental factors that define NDM research have been proposed. These include the presence of ill-structured problems, uncertain and dynamic environments, shifting and ill-defined or competing goals, action/feedback loops, time stress, high stakes for decision outcomes, multiple players, and the influence of organizational goals and norms [12]. Although not all of these factors are present in all NDM research, several usually play an important role.
To further illustrate the nature of the NDM approach, Lipshitz et al. [18] provide five essential characteristics of NDM research: (i) an emphasis on proficient decision makers, (ii) an orientation toward the process of decision making (not just outcomes), (iii) the development of situation–action matching decision rules, (iv) context-bound informal modeling, and (v) empirical-based prescription. As previously noted, the expertise of the decision maker is at the center of inquiry [19]. NDM emphasizes the processes of decision making [20] and developing descriptions of these processes that are practically useful. As reflected in the recognition-primed decision (RPD) model described below, emphasizing expertise and describing the process leads to an understanding of decision making as a process of matching features of a situation to past experience to retrieve rules and possible courses of action. Similarly, the importance of context becomes salient; experts use features of a particular situation that are causally or correlationally related to the problem at hand. Ultimately, NDM is concerned with improving decision-making performance. To this end, all prescriptions resulting from NDM research focus on realistic actions and strategies that are feasible to apply in the real world.

3.3 Defining Expertise
By this point, it should be clear that human expertise is the center of the NDM approach and the primary tool of decision makers in complex environments. But what is expertise? In general, expertise is thought of as high levels of skill or knowledge in a specific area. This conceptualization is apparently simple, but a scientific explanation of expertise has undergone a long evolution. Initially, expertise was considered to be the result of the application of superior general reasoning strategies [21]; however, this was found to be a flawed approach for reasons similar to those which rendered rationalist and formal-empiricist approaches ineffectual to decision making. Specific domain knowledge, and not general reasoning strategies, was found to play a major role in expert performance
[22]. This finding shifted expertise research into the knowledge-based phase; it is the novice’s performance that is best characterized by the use of general reasoning strategies, not the expert’s. However, it is not just the amount of knowledge (or even organization) that determines expert performance. Expertise has come to be viewed as the result of the many adaptations (e.g. skilled memory, automaticity, specialized reasoning strategies) to the constraints of a domain and set of tasks [23]. Consequently, experts use different performance processes from those of novices, and do not just reach higher levels of performance outcomes by being better at using the same processes.

3.4 Exemplar NDM Theoretical Models
Nothing is more practical than a good theory. This section provides a brief description of several theoretical models and approaches discussed in the NDM literature.

3.4.1 Recognition-Primed Decision Making. The RPD model is grounded in the scientific understanding of expertise and developed through extensive field observations of fireground commanders [17]. This model was developed to explain these fireground commanders’ ability to make effective and extremely rapid decisions without performing an exhaustive analysis of the situation. The RPD provides a two-process description of expert decision making: (i) pattern recognition and (ii) mental simulation. In the pattern matching process, decision makers scan the environment to build an understanding of the present situation. This situation representation is used to match cues in the environment to a past experience. When a match is found, the course of action associated with that past experience can be retrieved. This represents a course of action that was successful in the past and hence may be effective in the current situation. In addition to a course of action, the decision maker retrieves expectancies associated with the situation, information about cues that are most critical to attend to, and goals for the situation. If a successful match is not found, the decision maker searches for more information to build a better representation of the situation. Once a course of action has been retrieved through this pattern recognition process, the decision maker evaluates the likely effectiveness of the retrieved course of action considering the unique aspects of the present situation. This is accomplished through mental simulation wherein the decision maker does a “cognitive walkthrough” of the implementation of the course of action and considers how the unique features of the present situation will impact the effectiveness of the course of action. Mental simulation results in either the adoption of the retrieved course of action unchanged or modified to the new situation, or rejection of the course of action. If the option is rejected, the decision maker returns to pattern recognition activities.

3.4.2 Heuristics and Bounded Rationality. A complementary yet distinct line of research has produced an explanation of decision-making performance in terms of fast and frugal heuristics [24]. This approach is known as the study of bounded rationality [25] and is the analysis of heuristics used by people, the structure of the decision-making environment, and the fit between these two things (called ecological rationality; [24]). By using adaptive heuristics with high levels of “ecological rationality”, decision makers can engage in satisficing (i.e. taking the first acceptable solution) in complex environments where optimization is unobtainable [26]. From this perspective, an expert decision maker is one who possesses an “adaptive toolbox” [27], a set of heuristics well suited to the information structure of the environment. NDM and the bounded rationality
approach share much in common [28]. However, whereas the RPD (and other NDM models) relies on informal and descriptive models, the bounded rationality approach focuses on the formal modeling of the rules that decision makers actually use [29].

3.4.3 Shared Mental Models. The preceding two theoretical approaches deal with individual decision making. Shared mental model theory is a dominant explanation of how expert teams make decisions effectively [30]. A shared mental model is an organized knowledge structure that enables the coordination of interdependent teamwork processes [31]. On the individual level, mental models are knowledge structures involved in the integration and comprehension of information. On the team level, a shared mental model is a knowledge structure that is partially shared and partially distributed throughout a team. By sharing and distributing these knowledge structures, team members are able to interpret incoming information in a similar or compatible manner. This, in turn, facilitates effective coordination; team members develop similar causal explanations of information and inferences about possible future states of the environment. Additionally, shared mental models enable the implicit communication patterns characteristic of expert teams [32]. HS operations frequently require the coordination of multiple individuals and possibly even multiple teams (e.g. maritime interdictions). Shared mental model theory is an important theoretical perspective for understanding and subsequently boosting the effectiveness of performance in these types of situations.
4 WHAT METHODS ARE USED IN NDM RESEARCH?
Methods in the NDM approach require tools and techniques for eliciting, analyzing, and representing the knowledge and cognitive processes involved in task performance. Fortunately, many methods rooted in the theory and methods of cognitive psychology and the other cognitive sciences have been developed to this end. Broadly, these methods have been grouped under the label cognitive task analysis (CTA). Table 1 provides a summary of the primary types of methods used in NDM research (for comprehensive reviews of these techniques, see Rosen et al. [33] and [2, 34]). CTA is a loose set of methods and tools and not a codified and unitary “one-size-fits-all” method. Any one specific CTA approach must be developed considering the purpose of the CTA, practical constraints (e.g. time and access to experts), and the relative strengths and weaknesses of each specific method and tool. A comprehensive review of the methods used by NDM researchers is outside the scope of this article. However, these methods fall into one of the four general categories. First, process tracing techniques involve capturing the external processes of task performance in a way that enables inferences to be made about the internal cognitive processes of the person performing the task [36]. Protocol analysis, information monitoring (i.e. capturing keystroke data), and eye tracking are examples of process tracing techniques. These methods provide a very robust and rich data set, but frequently require substantial time and effort to analyze. Second, interview and observation techniques provide direct access to the full range of social, organizational, and physical factors influencing cognitive work; however, field observations can be difficult to arrange due to security, safety, or logistical reasons.
Interview approaches include the critical decision method [37], and techniques from ethnography and cognitive anthropology have been adapted to facilitate field observations [38]. Third, there are several indirect and conceptual methods available that, in general, attempt to assess the structure or organization of expert knowledge. Examples include concept mapping and paired comparison ratings [39]. These methods are very efficient and effective; however, they tend to lack face validity for domain experts. Fourth, simulations and contrived tasks can be used to “bring the real world into the lab.” Simulations offer a compromise between the complexity of the real world and experimental control and afford the ability to observe low-frequency events (e.g. observing how an expert flight crew handles a critical failure during a flight is not feasible in the real world but is possible and practical using simulations; [40]). However, simulations can be costly to develop and no matter how much effort is dedicated to replicating critical aspects of the real world, there will be some differences between the real world and the simulation that may influence decision-making performance. Each of the types of methods has general strengths and weaknesses and any specific method will have its own trade-offs. Any one NDM investigation will likely use a combination of these methods in order to generate a robust understanding of the decision maker’s expertise through triangulation while working within the practical constraints.

TABLE 1 Overview of Methods Used in NDM Research

Category of Methods: Process tracing techniques
  Examples: Protocol analysis; decision analysis; information sampling; verbal reports; nonverbal reports
  General Strengths: Rich quantity and quality of information. Readily applicable to “real-world” settings. Methods are process-oriented; they focus on the sequences of activity.
  General Weaknesses: Data collection and analysis can be time consuming for many of the methods. Some methods used concurrently with task performance may alter performance processes (e.g. verbalizing aspects of performance not generally verbalized).

Category of Methods: Interview and observation
  Examples: Critical decision method; critical incident technique; structured/semistructured/unstructured interviews; field observations
  General Strengths: Rich data. Techniques have face validity to experts; they are familiar with them. Techniques are highly flexible and applicable in most contexts. Focusing on critical incidents is highly efficient. Gives “real-world” perspective on work processes. Effectively identifies individual differences in performance.
  General Weaknesses: Time consuming to analyze. Retrospective techniques produce data with uncertain reliability due to memory degradation. Gaining access to field observations can be difficult. Access to time with experts is generally limited. Observation can be reactive.

Category of Methods: Indirect/Conceptual methods
  Examples: Concept maps; pairwise relatedness ratings; abstraction hierarchies; repertory grid technique; sorting techniques; multidimensional scaling, network scaling, and cluster analysis
  General Strengths: Can be very efficient (especially when combined with interview techniques). Helps experts make “tacit” knowledge explicit. Knowledge elicitation and analysis are combined for concept mapping.
  General Weaknesses: Methods do not have high “face validity” for most domain experts.

Category of Methods: Simulations and contrived tasks
  Examples: Simulated task environment (ranging from high to low fidelity); tasks that deviate from real-world task (hypotheticals)
  General Strengths: Allows for merger of experimental control and real-world task complexity. Allows for observation of performance for tasks that occur at a low frequency on the job. Allows for observation of performance during events that would be unsafe in the real world.
  General Weaknesses: Risk of collecting data that is not valid in real context of performance. Construction and validation of simulation takes time, effort, and money.

Adapted from Ref. 35.
5 WHAT HAVE WE LEARNED FROM NDM AND EXPERTISE RESEARCH?
The NDM approach is solidly rooted in field research, and as such has been criticized for generating results with low levels of generalizability. The nature of expertise is domain specific; therefore, an understanding of one type of expert is not directly applicable to experts in other domains. However, a consistent pattern of findings has emerged from studies in many domains. These patterns represent a “prototype” of expert decision making; they are a set of mechanisms that individuals and teams use to make effective decisions. The importance of any one of the mechanisms will vary depending on the features of the decision-making task and environment. These mechanisms can be used as a framework for understanding expert decision making across domains, but must be contextualized to the specific task features of any one domain. We briefly review these patterns for expert individual and team decision making below. The mechanisms of expert individual and team decision making are listed in Tables 2 and 3, respectively.
TABLE 2 Mechanisms of Expertise and Individual Decision Making

Expert Decision Makers . . .

Are tightly coupled to cues and contextual features of the environment . . .
  They develop psychological and physiological adaptations to the task environment
  They are sensitive to and leverage contextual patterns of cues in decision making
Have a larger knowledge base and organize it differently than nonexperts . . .
  They have a more conceptually organized knowledge base
  They have more robust connections between aspects of their knowledge
  They have a more abstracted and functional knowledge base
Engage in pattern recognition . . .
  They perceive larger and more meaningful patterns in the environment
  They are able to detect subtle cue configurations
  They are able to retrieve courses of action based on situation/action matching rules
Have better situation assessment and problem representations . . .
  They spend more time evaluating the situation
  They create deeper, more conceptual, more functional, and more abstracted situation representations
Have specialized memory skills . . .
  They functionally increase their ability to handle large amounts of information
  They anticipate what information will be needed in the decision making
Automate the small steps . . .
  They quickly and effortlessly do what requires large amounts of attention for nonexperts
  They have more cognitive resources available for dealing with more complex aspects of decision making
Self-regulate and monitor their processes . . .
  They evaluate their own understanding of a situation
  They judge the consistency, reliability and completeness of their information
  They make good decisions about when to stop evaluating the situation

Adapted from Ref. 33.
TABLE 3 Prototypical Mechanisms of Expert Team Performance and Decision Making
Members of Expert Teams
  They develop shared mental models
  They anticipate each other’s needs and actions
  They can communicate implicitly
  They interpret cues in a complementary manner
Learn and adapt
  They self-correct
  They learn from past decision-making episodes
  They adapt coordinating processes to dynamic environments
  They compensate for each other
Maintain clear roles and responsibilities
  They manage expectations
  They understand each other’s roles and how they fit together
  They maintain clarity of roles while maintaining flexibility
Possess clear, valued, and shared vision
  They develop their goals with a shared sense of purpose
  They guide their decisions with a common set of values
Develop a cycle of prebrief → performance → debrief
  They regularly provide individual and team level feedback to one another
  They establish and revise team goals and plans
  They dynamically set priorities
  They anticipate and review issues/problems of members
  They periodically diagnose team decision making “effectiveness”, including its results, and its processes
Are led by strong team leaders
  They are led by someone with good leadership skills and not just technical competence
  They believe the leaders care about them
  Leaders of expert teams provide situation updates
  Leaders of expert teams foster teamwork, coordination and cooperation
  Leaders of expert teams self-correct first
Have a strong sense of “collective,” trust, teamness, and confidence
  They manage conflict well; they confront each other effectively
  They have a strong sense of team orientation
  They trust other team members’ “intentions”
  They strongly believe in the team’s collective ability to succeed
Cooperate and coordinate
  They identify teamwork and task work requirements
  They ensure that, through staffing and/or development, the team possesses the right mix of competencies
  They consciously integrate new team members
  They distribute and assign work thoughtfully
  They examine and adjust the team’s physical workplace to optimize communication and coordination
Adapted from Ref. 41.
5.1 Individuals
With experience, decision makers adapt their psychological processes to fit the decision-making task and environmental constraints [42]. The ability to leverage contextual structure into decision-making processes [43] and a larger and more organized knowledge base [22] enables the expert decision maker’s pattern recognition ability—the primary means of making effective decisions without exhaustive search and evaluation of options. As previously discussed, pattern recognition is critical in a broad range of HS tasks, including baggage screening and information analysis. The expert decision maker realizes the importance of having a good representation of the current situation and uses self-monitoring and metacognitive processes to ensure their representations are complete and accurate [44, 45]. For example, expert information analysts are able to assess their understanding of the situation and know the quality of the situation representation they are dealing with. This will prompt them to search for more information or know when they have an understanding that can be used to make a good decision. Expert decision makers manage overwhelming amounts of information by developing automaticity of low level task components as well as specialized memory skills [46, 47]. For a detailed review of the mechanisms of individual expert decision making, see Rosen et al. [33], Ross et al. [48], Phillips et al. [49], and Klein [17].
5.2 Teams
Having individual expertise is necessary, but frequently insufficient to ensure high levels of performance in modern organizations and HS. Few decisions are made in isolation from other individuals, and consequently decision making has become a team effort for most people. Just as there are general mechanisms that enable expert individual decision making, teams too develop a set of mechanisms to achieve high levels of effectiveness.
Expert teams are defined as “a set of interdependent team members, each of whom possesses a unique and expert level knowledge, skills, and experience related to task performance, and who adapt, coordinate, and cooperate as a team, thereby producing sustainable and repeatable team functioning at superior or at least near-optimal levels of performance” [41, p. 440]. In order to achieve these high levels of performance, members of expert teams develop shared mental models [50]. Shared mental models allow team members to anticipate the needs of their fellow team members and interpret environmental cues in a compatible manner. Expert teams continuously learn from past experiences and adapt their coordination processes to meet changing task demands [51, 52]. To this end, they develop cycles of prebrief → performance → debrief, wherein team members establish and revise team goals and plans as well as provide developmental feedback to one another [53]. Expert teams have clear roles and responsibilities; everyone knows the part they play and how it fits together with their fellow team members’ roles [54]. For example, TSA agents responding to an immediate and high-level threat in an airport terminal should all know what they are responsible for doing and what their fellow team members will be doing. This facilitates coordination of efforts and adaptation to unique situations. Definition of these roles and responsibilities is clear, but they are not rigid. They change, shift, and adapt as necessary; this process is guided by a shared vision and a sense of the team’s purpose [55]. Leadership plays a major role in establishing this vision and other critical aspects of expert team decision making, such as providing situation updates, fostering coordination, and self-correcting and modeling a good decision-making performance [56].
6 CONCLUDING REMARKS
The NDM approach has already contributed to the understanding of the role of human expertise in HS; hopefully, this is just the beginning with more to come. From baggage screening, to maritime interdictions, to border patrol and intelligence analysis, human expertise and decision making drive the effectiveness of HS operations. The emergent science of NDM and expertise is poised to contribute scientifically based and practically relevant guidance for maximizing performance on HS tasks.
ACKNOWLEDGMENTS
The views herein are those of the authors and do not necessarily reflect those of the organizations with which they are affiliated or their sponsoring agencies. Research and writing of this article was partially supported by grant number SBE0350345 from the National Science Foundation awarded to Eduardo Salas and Stephen M. Fiore, and by grant number SES0527675 from the National Science Foundation awarded to Glenn Harrison, Stephen M. Fiore, Charlie Hughes, and Eduardo Salas.
REFERENCES
1. Ross, K. G., Lussier, J. W., and Klein, G. (2005). From the recognition primed decision model to training. In The Routines of Decision Making, T. Betsch and S. Haberstroh, Eds. Erlbaum, Mahwah, NJ, pp. 327–341.
2. Crandall, B., Klein, G., and Hoffman, R. R. (2006). Working Minds: A Practitioner’s Guide to Cognitive Task Analysis. MIT Press, Cambridge, MA.
3. Hutchins, S. G., Pirolli, P. L., and Card, S. K. (2007). What makes intelligence analysis difficult?: A cognitive task analysis. In Expertise Out of Context, R. R. Hoffman, Ed. Erlbaum, New York, pp. 281–316.
4. Hoffman, R. R. and Fiore, S. M. (2007). Perceptual (Re)learning: a leverage point for human-centered computing. IEEE Intell. Syst. 22(3), 79–83.
5. Cook, M., Adams, C., and Angus, C. (2007). Intelligence, uncertainty, interpretations and prediction failure. In Decision Making in Complex Environments, M. Cooke, J. Noyes, and Y. Masakowski, Eds. Ashgate, Burlington, VT, pp. 389–409.
6. Johnston, R. (2005). Analytic Culture in the United States Intelligence Community: An Ethnographic Study. U.S. Government Printing Office, Washington, DC.
7. Hutchins, S. G., Pirolli, P. L., and Card, S. K. (2007). What makes intelligence analysis difficult?: A cognitive task analysis. In Expertise Out of Context, R. R. Hoffman, Ed. Erlbaum, New York, pp. 281–316.
8. Fiore, S. M., Scielzo, S., and Jentsch, F. (2004). Stimulus competition during perceptual learning: training and aptitude considerations in the X-ray security screening process. Int. J. Cogn. Technol. 9(2), 34–39.
9. Cannon-Bowers, J. A. and Salas, E., Eds. (1998). Making Decisions Under Stress. American Psychological Association, Washington, DC.
10. Klein, G., Orasanu, J., Calderwood, R., and Zsambok, C. E., Eds. (1993). Decision Making in Action. Ablex, Norwood, NJ.
11. Cohen, M. S. (1993). Three paradigms for viewing decision biases. In Decision Making in Action: Models and Methods, G. Klein, J. Orasanu, R. Calderwood, and C. E. Zsambok, Eds. Ablex, Norwood, NJ, pp. 36–50.
12. Orasanu, J. and Connolly, T. (1993). The reinvention of decision making. In Decision Making in Action: Models and Methods, G. Klein, J. Orasanu, R. Calderwood, and C. E. Zsambok, Eds. Ablex, Norwood, CT, pp. 3–20.
13. Cannon-Bowers, J. A., Salas, E., and Pruitt, J. S. (1996). Establishing the boundaries of a paradigm for decision-making research. Hum. Factors 38(2), 193–205.
14. Lipshitz, R., Klein, G., and Carroll, J. S. (2006). Naturalistic decision making and organizational decision making: exploring the intersections. Organ. Stud. 27(7), 917–923.
15. Zsambok, C. E. (1997). Naturalistic decision making: where are we now? In Naturalistic Decision Making, C. E. Zsambok and G. Klein, Eds. Erlbaum, Mahwah, NJ, pp. 3–16.
16. Salas, E. and Klein, G., Eds. (2001). Linking Expertise and Naturalistic Decision Making. Erlbaum, Mahwah, NJ.
17. Klein, G. (1998). Sources of Power: How People Make Decisions. MIT Press, Cambridge, MA.
18. Lipshitz, R., Klein, G., Orasanu, J., and Salas, E. (2001). Taking stock of naturalistic decision making. J. Behav. Decis. Making 14(5), 331–352.
19. Pruitt, J. S., Cannon-Bowers, J. A., and Salas, E. (1997). In search of naturalistic decisions. In Decision Making Under Stress: Emerging Themes and Applications, R. Flin, E. Salas, M. Strub, and L. Martin, Eds. Ashgate, Aldershot, pp. 29–42.
20. Pliske, R. and Klein, G. (2003). The naturalistic decision-making perspective. In Emerging Perspectives on Judgment and Decision Research, S. L. Schneider and J. Shanteau, Eds. Cambridge University Press, New York, pp. 559–585.
21. Newell, A. and Simon, H. A. (1972). Human Problem Solving. Prentice-Hall, Englewood Cliffs, NJ.
22. Chase, W. G., and Simon, H. A. (1973). Perception in chess. Cognit. Psychol. 4, 55–81.
23. Ericsson, K. A., and Lehmann, A. C. (1996). Expert and exceptional performance: evidence of maximal adaptation to task constraints. Annu. Rev. Psychol. 47, 273–305.
24. Gigerenzer, G., Todd, P. M., and ABC Research Group. (1999). Simple Heuristics that Make us Smart. Oxford University Press, Oxford.
25. Simon, H. A. (1996). The Sciences of the Artificial, 3rd ed., The MIT Press, Cambridge, MA.
26. Klein, G. (2001). The fiction of optimization. In Bounded rationality: The Adaptive Toolbox, G. Gigerenzer and R. Selten, Eds. The MIT Press, Cambridge, MA, pp. 103–121.
27. Gigerenzer, G. and Selten, R., Eds. (2001). Bounded Rationality: the Adaptive Toolbox. The MIT Press, Cambridge, MA.
28. Todd, P. M., and Gigerenzer, G. (2000). Precis of simple heuristics that make us smart. Behav. Brain Sci. 23, 727–780.
29. Todd, P. M., and Gigerenzer, G. (2001). Putting naturalistic decision making into the adaptive toolbox. J. Behav. Decis. Mak. 14, 353–384.
30. Cannon-Bowers, J. A., Salas, E., and Converse, S. (1993). Shared mental models in expert team decision making. In Individual and Group Decision Making, N. J. Castellan Jr., Ed. Erlbaum, Hillsdale, NJ, pp. 221–246.
31. Klimoski, R., and Mohammed, S. (1994). Team mental model: construct or metaphor? J. Manage. 20(2), 403–437.
32. Mohammed, S., and Dumville, B. C. (2001). Team mental models in a team knowledge framework: expanding theory and measure across disciplinary boundaries. J. Organ. Behav. 22(2), 89–103.
33. Rosen, M. A., Salas, E., Lyons, R., and Fiore, S. M. (2008). Expertise and naturalistic decision making in organizations: mechanisms of effective decision making. In The Oxford Handbook of Organizational Decision Making: Psychological and Management Perspectives, G. P. Hodgkinson and W. H. Starbuck, Eds. Oxford University Press, Oxford.
34. Schraagen, J. M., Chipman, S. F., and Shalin, V. L., Eds. (2000). Cognitive Task Analysis. Erlbaum, Mahwah, NJ.
35. Rosen, M. A., Salas, E., Lazzara, E. H., and Lyons, R. (2007). Cognitive task analysis: methods for capturing and leveraging expertise in the workplace. In Job Analysis: Studying the World of Work in the 21st Century, W. Bennett Jr., G. M. Alliger, W. J. Strickland, and J. L. Mitchell, Eds. (under review).
36. Ford, J. K., Schmitt, N., Schechtman, S. L., Hults, B. M., and Doherty, M. L. (1989). Process tracing methods: contributions, problems, and neglected research questions. Organ. Behav. Hum. Decis. Process. 43(1), 75.
37. Klein, G. A., Calderwood, R., and MacGregor, D. (1989). Critical decision method for eliciting knowledge. IEEE Trans. Syst. Man Cybern. 19(3), 462–472.
38. Hutchins, E. (1995). Cognition in the Wild. The MIT Press, Cambridge, MA.
39. Hoffman, R. R. and Lintern, G. (2006). Eliciting and representing the knowledge of experts. In The Cambridge Handbook of Expertise and Expert Performance, K. A. Ericsson, N. Charness, P. J. Feltovich, and R. R. Hoffman, Eds. Cambridge University Press, Cambridge, pp. 203–222.
40. Ward, P., Williams, A. M., and Hancock, P. A. (2006). Simulation for performance and training. In The Cambridge Handbook of Expertise and Expert Performance, K. A. Ericsson, N. Charness, P. J. Feltovich, R. R. Hoffman, Eds. Cambridge University Press, Cambridge, pp. 243–262.
41. Salas, E., Rosen, M. A., Burke, C. S., Goodwin, G. F., and Fiore, S. (2006). The making of a dream team: when expert teams do best. In The Cambridge Handbook of Expertise and Expert Performance, K. A. Ericsson, N. Charness, P. J. Feltovich, and R. R. Hoffman, Eds. Cambridge University Press, New York, pp. 439–453.
42. Chi, M. T. H. (2006). Two approaches to the study of experts’ characteristics. In The Cambridge Handbook of Expertise and Expert Performance, K. A. Ericsson, N. Charness, R. R. Hoffman, P. J. Feltovich, Eds. Cambridge University Press, New York, pp. 21–30.
43. Shanteau, J. (1992). Competence in experts: the role of task characteristics. Organ. Behav. Hum. Decis. Process. 53, 252–266.
44. Randel, J. M., Pugh, H. L., and Reed, S. K. (1996). Differences in expert and novice situation awareness in naturalistic decision making. Int. J. Hum. Comput. Stud. 45(5), 579–597.
45. Orasanu, J. (1990). Shared Mental Models and Crew Decision Making, Vol. 46. Cognitive Sciences Laboratory, Princeton University, Princeton, NJ.
46. Ericsson, K. A., and Kintsch, W. (1995). Long-term working memory. Psychol. Rev. 102(2), 211–245.
47. Moors, A., and De Houwer, J. (2006). Automaticity: a theoretical and conceptual analysis. Psychol. Bull. 132(2), 297–326.
48. Ross, K. G., Shafer, J. L., and Klein, G. (2006). Professional judgement and naturalistic decision making. In The Cambridge Handbook of Expertise and Expert Performance, K. A. Ericsson, N. Charness, P. J. Feltovich, and R. R. Hoffman, Eds. Cambridge University Press, Cambridge, pp. 403–419.
49. Phillips, J. K., Klein, G., and Sieck, W. R. (2004). Expertise in judgment and decision making: A case for training intuitive decision skills. In Blackwell Handbook of Judgement and Decision Making, D. J. Koehler and N. Harvey, Eds. Blackwell Publishing, Victoria, pp. 297–315.
50. Orasanu, J. and Salas, E. (1993). Team decision making in complex environments. In Decision Making in Action: Models and Methods, G. A. Klein and J. Orasanu, Eds. Ablex Publishing, Westport, CT.
51. Edmondson, A. C., Bohmer, R. M., and Pisano, G. P. (2001). Disrupted routines: team learning and new technology implementation in hospitals. Adm. Sci. Q. 46, 685–716.
52. Burke, C. S., Stagl, K., Salas, E., Pierce, L., and Kendall, D. (2006). Understanding team adaptation: a conceptual analysis and model. J. Appl. Psychol. 91(6), 1189–1207.
53. Smith-Jentsch, K., Zeisig, R. L., Acton, B., and McPherson, J. A. (1998). Team dimensional training: a strategy for guided team self-correction. In Making Decisions Under Stress: Implications for Individual and Team Training, E. Salas and J. A. Cannon-Bowers, Eds. APA, Washington, DC, pp. 271–297.
54. LaPorte, T. R., and Consolini, P. M. (1991). Working in practice but not in theory: theoretical challenges of “High Reliability Organizations”. J. Public Adm. 1(1), 19–48.
55. Castka, P., Bamber, C., Sharp, J., and Belohoubek, P. (2001). Factors affecting successful implementation of high performance teams. Team Perform. Manage 7(7/8), 123–134.
56. Salas, E., Burke, C. S., and Stagl, K. C. (2004). Developing teams and team leaders: strategies and principles. In Leader development for transforming organizations: Growing Leaders for Tomorrow, D. Day, S. J. Zaccaro, and S. M. Halpin, Eds. Lawrence Erlbaum Associates, Mahwah, NJ, pp. 325–355.
CLASSIFICATION AND CLUSTERING FOR HOMELAND SECURITY APPLICATIONS
Jiawei Han and Xiaolei Li
University of Illinois at Urbana-Champaign, Champaign, Illinois
1 REPRESENTATION
Proper representation is the first step in applying methods from classification and clustering [1]. To put it plainly, one has to take information from the real world, the analog world so to speak, and store it inside a computer, the digital world. Only after this can classification and clustering algorithms operate on the real-world problem. This may seem like a simple step, but it can often be the most difficult part of the problem. A proper representation requires an accurate, concise, and static representation of something that can be dynamic and fluid in the real world. And without a good representation, the best algorithms will not be able to operate effectively.
[Figure: grid of type (Sedan, SUV, Truck, Motorcycle) against color (Red, Green, Blue, Black), with points x and y marked.]
FIGURE 1 Feature space with “color” and “type”.
To better explain, consider the example of a computer system observing vehicles at a border crossing. The goal of the system might be to automatically flag suspicious vehicles for the border agents to examine more closely. In order for this system to work, the first step is to represent the features of the vehicles inside the computer. This is not unlike how a border agent might describe a vehicle to his or her colleague. Some features he or she might use include the vehicle’s brand, year, color, size, weight, and so on. The computer system uses a similar process. Each vehicle is described by a set of features, which make up the so-called feature space. This space contains all possible vehicles that can be described by the set of associated features. Figure 1 shows a simple example where there are exactly two features: “color” and “type”. In this two-dimensional feature space shown in Figure 1, vehicles are distinguished only by color and type. Their combinations, which come up to 16, make up the feature space. Each vehicle in the real world can be described by a point in this feature space. A “green sport utility vehicle (SUV)” is point x in Figure 1 and a “blue truck” is point y. Points in the feature space are sometimes called “feature vectors,” because they can be written out as a vector. For example, x can be written as . From this example, one might begin to get a sense of the importance of a proper feature space. The two-dimensional feature space in Figure 1 lacks much information valuable to border agents. The “year” and “make” are obvious misses. Without them, the agent will not be able to make an informed decision. At the same time, a feature space that includes everything under the sun is not a brilliant idea either. Suppose the feature space included information such as the fabric type of the seats or whether the vehicle has a CD player. These features are unlikely to have any impact on the decision-making process, but the inclusion of them in the feature space might cause unnecessary confusion. To a computer algorithm, these extra features could reduce performance both in terms of accuracy and speed.
2 CLASSIFICATION
Classification or supervised learning is a problem from the field of machine learning that aims to learn a function (classifier) that maps a data point to a class label. For example, a data point could be a vehicle and the class label could either be “normal” or “suspicious.” By using previously labeled data points, a classifier is able to tune its internal parameters such that in the future, it can correctly label previously unseen data points. Research in classification mainly focuses on which classifiers to use and how to adjust the parameters inside the classifier.
2.1 Basic Concepts
Supervised learning entails the learning of a classifier from training data. The typical classification problem consists of the following components:
1. feature space
2. classification model
3. learning algorithm
4. training data
5. testing data.
The first item, feature space, has already been described in the previous section. To reiterate, it is the representation of the real-world data. The second item, the classification model, is described in detail later in this section. To put it bluntly, it is the brains in the computer that will automatically assign class labels to new objects. The third item, the learning algorithm, is in charge of “tuning” the classification model for optimal performance. Learning algorithms and classification models are often paired together. That is, each classification model has its own unique learning algorithm. The fourth item, training data, is previously labeled data given to the learning algorithm. Training data consists of labeled data points in the given feature space. Each data point has assigned to it a class label. The set of class labels could either be binary (e.g. “normal” or “suspicious”) or n-ary (e.g. “normal”, “suspicious”, “alarming”, or “emergency”). With such data, the learning algorithm teaches the classification model how to recognize the features correlated with each different class label. Lastly, the testing data is a separate set of labeled data used to test the performance of the classification model after training. That is, after the classification model has been trained using the training data by the learning algorithm, it is tested using the testing data. The classification model will produce its own class labels for the data points in the testing data. These labels are compared with the true labels and the accuracy is reported back as the classification accuracy. Note that the training data and testing data are two different data sets. It is usually unwise to use the same data set for both training and testing. This leads to the undesirable result of the learning algorithm “over-fitting” the classification model just for the training data and not the general problem. The training and testing process is similar to how human training occurs. 
Consider how a new border agent is trained to spot suspicious vehicles at a border crossing. The first few days on the job, he or she is probably trained by a more experienced agent, who teaches him or her the important skills in pinpointing suspicious vehicles. After a while, the new agent can proceed on his or her own after the supervisor is satisfied with his or her performance. The analogy to machine learning is something like the following. The new border agent is the classification model. Initially, it has a “blank” brain and does not really know how to identify suspicious behavior. The more experienced agent can be viewed as the learning algorithm since it teaches the new agent the knowledge required for the job. During the teaching process, the examples the experienced agent might use to teach the new agent are the training data. And finally, the supervisor might evaluate the new agent on some new cases, which are the testing data.
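The training and testing procedure above, as an added example that is not from the handbook: a small greedy rule learner of the kind Section 2.3.1 describes is trained on constructed vehicle records twice, once with a license-plate feature and once without, and scored on both the training and the testing data. The records, the feature names, and every function name are assumptions made for illustration.

```python
import math
from collections import Counter

FIELDS = ("color", "type", "plate", "label")

def records(*rows):
    """Build feature dictionaries from (color, type, plate, label) tuples."""
    return [dict(zip(FIELDS, row)) for row in rows]

# Constructed training data (assumption): only black SUVs are suspicious.
TRAIN = records(
    ("black", "SUV", "P01", "suspicious"), ("black", "SUV", "P02", "suspicious"),
    ("black", "SUV", "P03", "suspicious"), ("black", "sedan", "P04", "normal"),
    ("black", "truck", "P05", "normal"), ("red", "SUV", "P06", "normal"),
    ("green", "SUV", "P07", "normal"), ("blue", "truck", "P08", "normal"),
    ("red", "sedan", "P09", "normal"), ("green", "SUV", "P10", "normal"),
)
# Constructed testing data: same concept, but vehicles the learner never saw.
TEST = records(
    ("black", "SUV", "P11", "suspicious"), ("black", "SUV", "P12", "suspicious"),
    ("black", "SUV", "P13", "suspicious"), ("red", "truck", "P14", "normal"),
    ("blue", "sedan", "P15", "normal"), ("green", "SUV", "P16", "normal"),
)

def entropy(labels):
    """Shannon entropy (in bits) of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def information_gain(rows, feature):
    """How much splitting on `feature` reduces the entropy of the labels."""
    groups = {}
    for r in rows:
        groups.setdefault(r[feature], []).append(r["label"])
    remainder = sum(len(g) / len(rows) * entropy(g) for g in groups.values())
    return entropy([r["label"] for r in rows]) - remainder

def majority(rows):
    """Most common class label among the rows."""
    return Counter(r["label"] for r in rows).most_common(1)[0][0]

def learn_tree(rows, features):
    """Greedy, recursive learning: split on the most informative feature."""
    if len({r["label"] for r in rows}) == 1 or not features:
        return majority(rows)                      # leaf: a class label
    best = max(features, key=lambda f: information_gain(rows, f))
    if information_gain(rows, best) < 1e-12:
        return majority(rows)                      # no feature separates the rows
    rest = [f for f in features if f != best]
    children = {v: learn_tree([r for r in rows if r[best] == v], rest)
                for v in sorted({r[best] for r in rows})}
    return {"feature": best, "default": majority(rows), "children": children}

def classify(tree, row):
    """Walk the tree; an unseen feature value falls back to the node's majority."""
    while isinstance(tree, dict):
        tree = tree["children"].get(row[tree["feature"]], tree["default"])
    return tree

def accuracy(tree, rows):
    """Fraction of rows whose predicted label equals the true label."""
    return sum(classify(tree, r) == r["label"] for r in rows) / len(rows)

def rules(tree, conditions=()):
    """Flatten the tree into 'condition AND condition -> label' rules."""
    if not isinstance(tree, dict):
        return [f"{' AND '.join(conditions) or 'ANY'} -> {tree}"]
    out = []
    for value, child in sorted(tree["children"].items()):
        out += rules(child, conditions + (f"{tree['feature']} = {value}",))
    return out

def evaluate(features):
    """Train on TRAIN with the given features; return (tree, train acc, test acc)."""
    tree = learn_tree(TRAIN, features)
    return tree, accuracy(tree, TRAIN), accuracy(tree, TEST)

if __name__ == "__main__":
    for feats in (["color", "type", "plate"], ["color", "type"]):
        tree, train_acc, test_acc = evaluate(feats)
        print(feats, "-> root:", tree["feature"], "train:", train_acc, "test:", test_acc)
    print("\n".join(rules(evaluate(["color", "type"])[0])))
```

Both models score 1.0 on the training data, so training accuracy alone cannot tell them apart; only the held-out test data exposes that the plate-based tree has memorized individual vehicles (0.5) while the color/type tree has learned the rule `color = black AND type = SUV -> suspicious` (1.0).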
[Figure: grid of type (Sedan, SUV, Truck, Motorcycle) against color (Red, Green, Blue, Black), with points x and y marked.]
FIGURE 2 Feature space with decision boundary for vehicles with four or more wheels versus vehicles with less than four wheels.
2.2 Classification Model
So far, the description of a classification model has largely been a black box. Somehow, it is able to put a class label on an object after some training. The exact method of how a model is able to do this depends on the classification model, but the general ideas are common across all models. A brief overview is given in this section. At a high level, a classification model simply divides the feature space such that data points of different classes fall into separate regions. This division is sometimes called the classification or decision boundary. Figure 2 shows a classification boundary in the feature space of Figure 1 if the problem were to differentiate vehicles with four wheels or more versus vehicles with fewer than four wheels. The red decision boundary divides the feature space in a way such that all vehicles with four wheels or more are on the left-hand side of the boundary, while vehicles with fewer than four wheels are on the right-hand side. Points x and y fall on the left-hand side of the boundary. Given a decision boundary or possibly a set of them, classification on a new object is easy. One just has to find out which side of the boundary the object resides in and make the appropriate decision. The role of the learning algorithm is to find the decision boundary for the given classification model and training data. Recall that points in the training data are labeled. Using these labels, the learning algorithm adjusts the decision boundary of the classification model such that points of different class labels lie on different sides of the boundary. In practice, finding the perfect decision boundary is often impossible. There is usually no clear boundary that can clearly separate the data points of different classes. Because of noise or just the inherent difficulty of the problem, some training data will lie on the incorrect side. It is the duty of the learning algorithm to position the decision boundary such that this error is minimized.
2.3 Types of Classifiers
In the previous section, the classifier was discussed in general terms: it learns a decision boundary in the feature space. In practice, this could take shape in many forms. The “boundary” can be a line, a square, or any other shape. Different classifiers use different types of boundaries, and some boundaries might be more effective than others depending on the problem. There is no universal best. Furthermore, different classifiers use different learning algorithms to adjust their decision boundaries. These algorithms have different characteristics as well. With respect to efficiency, some scale very nicely with the number of features and others scale very nicely with the number of points in the training data. In the next few paragraphs, several popular classifiers are discussed.
2.3.1 Decision Tree. Decision trees, one of the most basic and intuitive classifiers, are both accurate and easy to use. A decision tree’s decision boundary is essentially a list of rules where each rule is a set of conditions. If a data object matches the conditions in the rule, then it is labeled according to the rule. For example, “Color = Black AND Type = SUV → Suspicious” could be a rule. In this case, all black SUVs would be labeled as suspicious. With these rules, the classifier can either make the decision automatically or the rules can be given to human agents for training [2]. Learning these rules is also relatively straightforward. The details are beyond the scope of this article but the intuitions are as follows. The classifier starts with a blank rule, that is, it applies to all data objects. Then, for every feature and its set of feature values, the classifier checks how useful it is with regard to classification. The measure of usefulness comes from information theory, and it essentially measures how discriminative it is alone at separating data points in the training set according to their class labels. The feature value that is most useful according to this measure is then added to the empty rule. At this point, this rule has split the training data, so the process continues recursively within each split. There are many different decision tree algorithms but all of them basically work from the principles given above. Some of the more advanced techniques involve how to better measure the usefulness of a feature value and how to consolidate many rules together such that they are more accurate in the general case.
2.3.2 Naïve Bayes. Bayes’ rule is a basic equation from probability theory. Roughly speaking, it states that the probability of an event A conditional on another event B is related to event B conditional on A. If one lets A represent the event that an object is suspicious and B represent the event that feature X is present, Bayes’ rule would state the following: An object being suspicious conditional on feature X is related to feature X conditional on a suspicious object. From the training data, one can gather “evidence” on how often a suspicious object exhibits feature X. Then, through Bayes’ rule, the same evidence can be used to guess how likely an object is suspicious given that it exhibits feature X [2]. This describes how a single feature can be used to decide the class label. When there are multiple features, the same process is repeated independently and the final classification decision is a simple combination of them all. This independent feature assumption is often not true in the real world but it is used for the sake of simplifying the problem and making learning tractable.
2.3.3 Support Vector Machine. In recent years, support vector machines (SVMs) have become the classifier of choice for many researchers. They have been shown to be more efficient and accurate when there are many features to consider (for example, text classification). An SVM works by positioning its decision boundary in the feature space as close to the “middle” as possible. The intuition is that this boundary will work the best for future data points. In cases where a simple linear decision boundary cannot be found, SVMs can project the data points to a feature space with more dimensions such that one can be found [3].
2.4 Applications of Classification in Homeland Security
The running example of labeling an object as being normal or suspicious is the most natural application of automated classification. The set of class labels does not have to be binary; there could be many classes. For instance, each class could be a different level of
alarm. Further, the object in question could be anything; the only question would be how to represent the object in a feature space. For example, if the object is a vehicle, some features would be the brand of the vehicle, the size of the vehicle, the license number, the year of the vehicle, the speed of travel, and so on. If the object is a person, some features would be age, height, hair color, and maybe other background information. If the object is a cargo container, some features would be the owner of the container, the source of the container, the destination, and so on. The representation of a real-world problem as a classification problem is not difficult. Often, human beings already make these classification decisions; the only difference would be replacing a human by a classifier. However, there are two major issues that often prevent a classifier from being deployed. First and foremost, the exact representation and extraction of features of the object are difficult task. A person might look at a vehicle and say that it is a red truck; however, for an automated camera system to make that same decision is difficult. Any feature that requires the system to visually identify something is difficult. Although the most advanced vision algorithms can achieve a great degree of precision, 100% accuracy is still unreachable. Additionally, the “sixth sense” that humans have is simply impossible to represent in machine form. Second, in order to train a classifier, training data must exist. A set of data points that have the correct class labels must be given to the classifier so that it can learn the right decision boundaries. In humans, this corresponds to experience one person might pass to another. In machines, this set of training data can be hard to obtain. Employee training programs might have case studies for training new hires, but they hardly cover the entire gambit of cases. 
Further, in many real-world “classification” problems, the answer is not always black-and-white. To translate such scenarios to a discrete world of machine learning is not always straightforward. All these problems make obtaining clean training data a tricky problem. And just like a new employee, without proper training, a classifier can never reach its full potential.

2.5 Semisupervised Learning

Supervised learning’s paradigm is that there is a set of labeled data that is presented to the classifier for training. As mentioned, this is often difficult to achieve in practice. Labeled data might be very hard to obtain or simply may not exist. If there are too few training examples, the classifier will not be able to learn the correct decision boundary. However, there are many cases where unlabeled data exist in abundance. In these situations, semisupervised learning is more appropriate. In this new paradigm, the human user is involved in the training process of the classifier. For instance, the classifier might ask the user to classify a few data points that it finds difficult to process. The goal is for the classifier to maximize its learning while minimizing the number of interactions it must have with the human. Semisupervised learning can often achieve better accuracy than supervised learning because it essentially has more training data. Further, these additional training data are selected based on their usefulness to the classifier. However, it does require more human intervention.

2.6 Incremental Learning

So far, the discussion has been focused on a classical learning system where all the training data are presented up front. Once the training is complete, the classifier is
“fixed.” To borrow from the human learning analogy one more time, this learn-once paradigm is definitely untrue for humans. As new experiences and evidence become available, one would continuously readjust his or her thinking. For this paradigm, there are some classifiers that can do what is called incremental learning or lifetime learning. When new evidence becomes available, the classifier can consolidate it with its previous knowledge. This is more efficient than starting from scratch (that is, combining the new evidence with previous evidence and retraining from scratch).
3 CLUSTERING

Clustering or unsupervised learning is another problem from the field of machine learning. Compared to classification, the most obvious difference is that there are no longer training examples given. In other words, there is no supervision to guide the learning of parameters in the function. This is often the case in the real world where no labels are available. Clustering algorithms allow the user to see some natural groupings of data to gain some insight.

3.1 Basic Clustering Concepts

Much like classification, data points are first put into a feature space. Figure 3 shows a sample two-dimensional feature space with some points in it. The goal of clustering is to find natural groupings (clusters) of data points in this space. It is quite obvious in Figure 3 that there are two clusters. In fact, an automated clustering algorithm is likely to find them as well. In situations where the user knows very little about the data set, clustering can often reveal interesting information.

Just like classification, the choice of features is an important step. The same challenges exist here as there; however, there is one additional issue clustering has to consider. That is, how does one define similarity between two objects? This is known as the similarity measure in clustering. Theoretically, similar objects should be in the same cluster and dissimilar ones should be in different clusters. Therefore, the similarity measure is crucial in forming the right clustering. In Figure 3, the similarity function is the Euclidean distance between points. This is very natural in applications where data points represent physical locations. For example, if one wants to cluster all the gas stations in a city, Euclidean distance would be a good fit. However, in other situations, the similarity measure is tricky to choose. For example, suppose one is clustering the following three people: John, Jane, and Mary.
If the similarity measure is the edit distance between the text string, John and Jane would likely be in one cluster and Mary be in another.
FIGURE 3 Feature space with “color” and “type” (axes: color, with values Red, Green, Blue, Black; type, with values Sedan, SUV, Truck, Motorcycle; plotted points x1 to x4 and y1 to y3).
However, if the similarity measure is the gender of the person, Jane and Mary would be in one cluster (female) and John would be in his own cluster. Clearly, the similarity measure is highly application-specific and should be chosen with careful consideration. With a similarity measure defined, one can then choose from a plethora of clustering algorithms. In other words, the choice of the similarity measure and the choice of the clustering algorithm are somewhat independent. Both are important decisions and can affect the final outcome in many different ways.

3.2 Types of Clustering Algorithms

There are many types of clustering algorithms. Giving a single global taxonomy of all clustering algorithms would be impossible. There are, however, some properties that distinguish one from another. Some of the basic clustering algorithms fall into the Partitioning group. The idea is to partition a data set into k distinct groups. K-means and K-medoids are the classical examples in this group.

K-means is probably the most popular clustering algorithm [2]. It works as follows. Given a data set, it first randomly chooses k points to be the centers of clusters, otherwise known as centroids. The value of k is given in advance to the algorithm. Then, each point in the data set is assigned to its closest centroid. This partitions the data into k clusters, though it is rather random since the centroids are chosen randomly. Then, for each cluster, the algorithm recomputes a new centroid by taking the “average” or “mean” of all points that belong to that cluster. With these new centroids, all points in the data set are reassigned to their closest centroid. This process iterates until some stopping criterion is met, for example when the recomputation of centroids no longer alters their positions. Though this process might seem rather random (the initial k centroids are randomly chosen), it is guaranteed theoretically to converge.
The K-means algorithm and the similar K-medoids form the foundation of many clustering algorithms. K-means is relatively efficient and works quite well when the clusters are compact and isolated. It does, however, have several weaknesses. First and foremost, the value of k is an input to the algorithm. The user must have some prior clue about the distribution of data. Although many works have focused on automatic selection of k, the results are still not perfect. Secondly, to compute the “average” of a cluster, numerical values are assumed. Many real-world data sets have categorical features that do not have an easy definition of average. Thirdly, outliers and noise can often confuse the algorithms to form unnatural clusters.

Another class of clustering algorithms is density-based clustering. As the name suggests, the density of data points at a local region dictates how clusters are formed. This has several advantages. First, clusters of arbitrary shapes can be formed. In partitioning algorithms, the distance metric or similarity measure often restricts the cluster shape. For example, using the Euclidean distance in K-means restricts cluster shapes to spheres. Secondly, density-based clustering is more robust with respect to noise. In it, the point in the upper-right corner is designated an outlier because its local region is sparse. A partitioning algorithm would either assign it to its own cluster or to a nearby cluster, thus stretching a cluster unnecessarily.

One of the first density-based clustering algorithms is DBSCAN [4]. It works as follows. Instead of defining the distance between two points in space as the Euclidean distance, it is defined as being “density-connected.” Without going into the details, it roughly means that two points are either close to each other or connected via a sequence
of points that are also close to each other. While observing some other parameters, DBSCAN simply follows chains of density-connected points and marks each chain as being its own cluster. If a point is not density-connected to any other point, it is marked as an outlier.

Partitioning and density-based clustering algorithms produce “flat” clusters. That is, clusters are equal with respect to one another. But in many real-world applications, a hierarchical structure to the clusters is more applicable. For example, shoes, socks, and boots might be clustered together in the “footwear” cluster, but the “footwear” cluster would belong to the apparel cluster, and so forth. This hierarchy makes organization easier and is often more natural. The very basic hierarchical clustering algorithm is called hierarchical agglomerative clustering. It starts by assigning each data point to its own cluster (or after some basic clustering). Then, the most similar pair of clusters is merged together. This process iterates until all original clusters are in the same cluster. The intermediate merge paths then form a binary hierarchy. One major issue in this algorithm is defining similarity between clusters. Two competing choices are single link and complete link. Single link uses the minimum of all similarity measures between all pairs of points between the two clusters and complete link uses the maximum. The choice between the two and possibly others is largely application dependent.

Lastly, we briefly examine one clustering algorithm that is particularly adept at dealing with large data sets. Algorithms like K-means or DBSCAN are only efficient up to a point. If there are millions or billions of data points, running K-means could require hours or days of computation. To this end, BIRCH was invented to handle very large data sets [4].
It works by the principle of “microclustering.” That is, if a set of points is in a very tight cluster, they can essentially be treated as a single point or microcluster. The microclusters would then replace the original big data set and be presented to a clustering algorithm as input. The idea is that the number of microclusters is much smaller than the number of raw data points, and thus clustering can be completed in a reasonable time. Constructing microclusters is fairly straightforward. It relies basically on a user-defined maximum radius threshold. If the circle formed by a set of points has a radius smaller than the threshold, it is marked as a microcluster. Otherwise, points are redistributed to new microclusters such that the threshold value is not violated. After the microclusters are constructed, any other clustering algorithm can be run on top of them.

3.3 Outlier Detection

Related to clustering is outlier detection. One sometimes views it as a by-product of clustering. That is, if a cluster contains very few data points, it is regarded as an outlying cluster. This by-product can sometimes be obtained with no extra effort on the part of the clustering algorithm; however, some assert that a dedicated outlier detection algorithm is better suited. One such algorithm is based on DBSCAN. Essentially, data points that are not density-connected to other points are marked as outliers.

3.4 Applications of Clustering to Homeland Security

Clustering is often applied to data about which little is known. It gives the user some preliminary ideas about some natural groupings in the data. The same case is true in homeland security. When there is so much data that one cannot make sense of it, clustering is helpful in shedding some light. For instance, clustering all vehicles at a busy border crossing can be helpful in dividing workload.
More applicable to homeland security is outlier detection. The majority of objects in question are normal and only a very small subset is abnormal. In the border crossing example, the vast majority of vehicles are normal ones. The goal of the border agent is to seek out the small minority that is abnormal. This fits the model of outlier detection very well and is likely the common problem in homeland security.
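The contrast drawn in Sections 3.2 and 3.3 between partitioning and density-based clustering, as an added example that is not part of the handbook: a minimal K-means and a minimal DBSCAN run on the same constructed points, one of which is isolated. The point set, the fixed initial centroids, and the `eps` and `min_pts` parameters are assumptions chosen for illustration.

```python
import math

NOISE = -1  # label for points that are not density-connected to any cluster

# Constructed sample: two tight groups plus one isolated point (index 10).
POINTS = [(1.0, 1.0), (1.2, 0.9), (0.8, 1.1), (1.1, 1.2), (0.9, 0.8),
          (5.0, 5.0), (5.2, 4.9), (4.8, 5.1), (5.1, 5.2), (4.9, 4.8),
          (9.0, 9.0)]


def dist(p, q):
    """Euclidean distance, the similarity measure used by both algorithms here."""
    return math.hypot(p[0] - q[0], p[1] - q[1])


def kmeans(points, init_centroids, max_iter=100):
    """Assign points to the closest centroid, recompute the means, repeat until stable."""
    centroids = [tuple(c) for c in init_centroids]
    assign = None
    for _ in range(max_iter):
        new_assign = [min(range(len(centroids)), key=lambda j: dist(p, centroids[j]))
                      for p in points]
        if new_assign == assign:  # stable assignments mean the centroids no longer move
            break
        assign = new_assign
        for j in range(len(centroids)):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:  # keep the old centroid if a cluster becomes empty
                centroids[j] = (sum(x for x, _ in members) / len(members),
                                sum(y for _, y in members) / len(members))
    return assign, centroids


def dbscan(points, eps, min_pts):
    """Follow chains of dense neighbourhoods; points on no chain are labelled NOISE."""
    labels = [None] * len(points)

    def neighbours(i):
        return [j for j, q in enumerate(points) if dist(points[i], q) <= eps]

    cluster = -1
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        nb = neighbours(i)
        if len(nb) < min_pts:       # sparse local region: provisional outlier
            labels[i] = NOISE
            continue
        cluster += 1                # i is a core point: start a new cluster
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == NOISE:  # reachable from a core point: border point
                labels[j] = cluster
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb_j = neighbours(j)
            if len(nb_j) >= min_pts:  # j is itself a core point: extend the chain
                queue.extend(nb_j)
    return labels


def run_demo():
    """Run both algorithms on POINTS with fixed, illustrative parameters."""
    assign, centroids = kmeans(POINTS, init_centroids=[POINTS[0], POINTS[5]])
    labels = dbscan(POINTS, eps=0.6, min_pts=3)
    return assign, centroids, labels


if __name__ == "__main__":
    assign, centroids, labels = run_demo()
    print("K-means assignment:", assign)
    print("K-means centroids :", centroids)
    print("DBSCAN labels     :", labels)
```

K-means has to place the isolated point in one of its k clusters, which drags that cluster's centroid away from the group it summarizes, whereas DBSCAN leaves the two groups intact and reports the point as an outlier.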
4 FEATURE SELECTION

As mentioned previously, representation is just as important as, if not more important than, the actual learning of the classifier. Consider the learning of a classifier for labeling the color of a vehicle. This is trivial if color is in the feature space; however, if it were not, the problem would be impossible regardless of the classifier. In this case, the feature space is not rich enough to capture the discriminating features. One might suggest simply giving all possible features to the classifier and letting the classifier decide which ones are useful. This can also be problematic due to time constraints; a classifier could take an unrealistic amount of time to tune its parameters. To this end, there is a field of research called feature selection that deals with this exact problem. Given a set of features, a feature selection algorithm chooses a subset that can be just as good as, if not better than, the full feature space with regard to classification accuracy. For instance, if the classifier is to label the color of a vehicle, the “number of wheels” feature can probably be dropped from the feature space. A properly pruned feature space can make the learning more efficient and also more accurate. A common approach is to rank the features according to some goodness measure and select the best features one-by-one until some stopping criterion is satisfied.

REFERENCES
1. Russell, S. and Norvig, P. (2002). Artificial Intelligence, A Modern Approach, 2nd ed. Prentice Hall, NJ.
2. Mitchell, T. (1997). Machine Learning. McGraw-Hill, Columbus, OH.
3. Cristianini, N. and Shawe-Taylor, J. (2000). An Introduction to Support Vector Machines and Other Kernel-based Learning Methods. Cambridge University Press, Cambridge, UK.
4. Han, J. and Kamber, M. (2005). Data Mining, Concepts and Techniques, 2nd ed. Morgan Kaufmann, San Francisco.
FURTHER READING
Bishop, C. M. (2007). Pattern Recognition and Machine Learning. Springer, New York, NY.
Duda, R. O., Hart, P. E., and Stork, D. G. (2000). Pattern Classification, 2nd ed. Wiley-Interscience, New York, NY.
Hastie, T., Tibshirani, R., and Friedman, J. H. (2003). The Elements of Statistical Learning. Springer, New York, NY.
Kearns, M. J. and Vazirani, U. V. (1994). An Introduction to Computational Learning Theory. MIT Press, Cambridge, MA.
Witten, I. H. and Frank, E. (2005). Data Mining: Practical Machine Learning Tools And Techniques, 2nd ed. Morgan Kaufmann, San Francisco.
EXPERIENCE WITH EXPERT JUDGMENT: THE TU DELFT EXPERT JUDGMENT DATA Roger M. Cooke Department of Mathematics, Delft University of Technology, Delft, The Netherlands
Louis L.H.J. Goossens Department of Safety Science, Delft University of Technology, Delft, The Netherlands
1 INTRODUCTION

The pros and cons of different weighting schemes remain a subject of research [1, 4]. The European Union (EU) contracted the TU Delft to review its applications both within EU projects, and elsewhere, in which experts assessed variables in their field of expertise for which the true values are known, in addition to variables of interest [3–6]. These are called seed, or calibration, variables. Since then, the TU Delft expert judgment database has nearly doubled. We now have studies involving over 67,000 experts’ subjective probability distributions. The main sectors and summary information are given in Table 1.

TABLE 1 Summary of Applications per Sector

| Sector | Number of Experts | Number of Variables | Number of Elicitations |
|---|---|---|---|
| Nuclear applications | 98 | 2,203 | 20,461 |
| Chemical and gas industry | 56 | 403 | 4,491 |
| Groundwater/water pollution/dike ring/barriers | 49 | 212 | 3,714 |
| Aerospace sector/space debris/aviation | 51 | 161 | 1,149 |
| Occupational sector: ladders/buildings (thermal physics) | 13 | 70 | 800 |
| Health: bovine/chicken (Campylobacter)/SARS | 46 | 240 | 2,979 |
| Banking: options/rent/operational risk | 24 | 119 | 4,328 |
| Volcanoes/dams | 231 | 673 | 29,079 |
| Rest group | 19 | 56 | 762 |
| In total | 521 | 3,688 | 67,001 |

The authors believe that this database represents a unique source from which much can be learned regarding the application of structured expert judgment in quantitative decision support. The entire data, appropriately anonymized, may be obtained from the
first author. It is hoped that others will use this data to further develop methods for using structured expert judgment. We assume that uncertainty is represented as subjective probability and concerns results of possible observations. For a discussion of foundational issues, the reader is referred to [7]. Section 2 discusses goals of a structured expert judgment study; Section 2 provides an explanation of the concepts and methods underlying the Delft expert judgment method. Section 3 gives an updated summary of the results, comparing equal weighting with performance-based weighting and with the best expert. Section 4 discusses seed variables and robustness, and Section 5 is devoted to lessons learned and anecdotal information, common pitfalls, and misconceptions. A concluding section identifies possible topics for future research.
2 STRUCTURED EXPERT JUDGMENT

Expert judgment is sought when substantial scientific uncertainty impacts a decision process. Because there is uncertainty, the experts themselves are not certain and hence will typically not agree. Informally soliciting experts’ advice is not new. Structured expert judgment refers to an attempt to subject the decision process to transparent methodological rules, with the goal of treating expert judgments as scientific data in a formal decision process. The process by which experts come to agree is the scientific method itself. Structured expert judgment cannot preempt this role and therefore cannot have expert agreement as its goal. We may broadly distinguish three different goals to which a structured judgment method may aspire:
• Census
• Political consensus
• Rational consensus.
A study aiming at census will simply try to survey the distribution of views across an expert community. An illustration of this goal is found in the Nuclear Regulatory Commission’s Recommendations for Probabilistic Seismic Hazard Analysis: Guidance on Uncertainty and Use of Experts: “To represent the overall community, if we wish to treat the outlier’s opinion as equally credible to the other panelists, we might properly assign a weight (in a panel of 5 experts) of 1/100 to his or her position, not 1/5” (NUREG/CR-6372 [8], p. 36)
The goal of “representing the overall community” may in this view lead to a differential weighting of experts’ views according to how representative they are of other experts. A similar goal is articulated in [9]. The philosophical underpinnings of this approach are elaborated in Budnitz et al. [10]. Expert agreement on the representation of the overall community is the weakest, and most accessible, type of consensus to which a study may aspire. Agreement on a “distribution to represent a group”, agreement on a distribution, and agreement on a number are the other types of consensus, in decreasing accessibility. Political consensus refers to a process in which experts are assigned weights according to the interests or stakeholders they represent. In practice, an equal number of experts
from different stakeholder groups would be placed and given equal weight in an expert panel. In this way the different groups are included equally in the resulting representation of uncertainty. This was the reasoning behind the selection of expert panels in the EU-USNRC accident consequence studies with equal weighting [11].

Rational consensus refers to a group decision process. The group agrees on a method according to which a representation of uncertainty will be generated for the purposes for which the panel was convened, without knowing the result of this method. It is not required that each individual member adopt this result as his/her personal degree of belief. This is a form of agreement on a distribution to represent a group. To be rational, this method must comply with necessary conditions devolving from the general scientific method. Cooke [1] formulated the necessary conditions or principles that any method warranting the predicate “science” should satisfy:
• Scrutability/accountability. All data, including experts’ names and assessments, and all processing tools are open to peer review and results must be reproducible by competent reviewers.
• Empirical control. Quantitative expert assessments are subject to empirical quality controls.
• Neutrality. The method for combining/evaluating expert opinion should encourage experts to state their true opinions, and must not bias results.
• Fairness. Experts are not prejudged, before processing the results of their assessments.

Thus, a method which satisfies these conditions and to which the parties precommit is proposed. The method is applied and after the result of the method is obtained, parties wishing to withdraw from the consensus incur a burden of proof. They must demonstrate that some heretofore unmentioned necessary condition for rational consensus has been violated. If they fail to demonstrate, their dissent is “irrational”. Of course any party may withdraw from the consensus because the result is hostile to his or her interests—this is not rational dissent and does not threaten rational consensus.

The requirement of empirical control will strike some as peculiar in this context. How can there be empirical control with regard to expert subjective probabilities? To answer this question, we must reflect on the question “when is a problem an expert judgment problem?” We would not have recourse to expert judgment to determine the speed of light in a vacuum. This is physically measurable and has been measured to everyone’s satisfaction. Any experts we query would give the same answer. Nor do we consult expert judgment to determine the proclivities of a god. There are no experts in the operative sense of the word for this issue. A problem is susceptible for expert judgment only if there is relevant scientific expertise.
This entails that there are theories and measurements relevant to the issues at hand, but that the quantities of interest themselves cannot be measured in practice. For example, toxicity of a substance for humans is measurable in principle, but is not measured for obvious reasons. However, there are toxicity measurements for other species, which might be relevant to the question of toxicity in humans. Other examples are given in Section 4. If a problem is an expert judgment problem, then necessarily there will be relevant experiments or measurements. Questions regarding such experiments can be used to implement empirical control. Studies indicate that performance on the so-called almanac questions does not predict performance on the variables in an expert’s field of expertise [12]. The key question regarding seed variables is as follows: Is performance on
seed variables judged relevant to performance on the variables of interest? For example, should an expert who gave very overconfident off-mark assessments on the variables for which we know the true values be equally influential on the variables of interest as an expert who gave highly informative and statistically accurate assessments? That is indeed the choice that often confronts a problem owner after the results of an expert judgment study are in. If seed variables in this sense cannot be found, then rational consensus is not a feasible goal and the analyst should fall back on one of the other goals.

The above mentioned definition of “rational consensus” for group decision processes is evidently on a very high level of generality. Much work has gone into translating this into a workable procedure that gives good results in practice. This workable procedure is embodied in the “classical model” of Cooke [1] described in the following section.

Before going into details, it is appropriate to say something about Bayesian approaches. Since expert uncertainty concerns experts’ subjective probabilities, many people believe that expert judgment should be approached from the Bayesian paradigm. This paradigm, recall, is based on the representation of preference of a rational individual in terms of maximal expected utility. If a Bayesian is given experts’ assessments on variables of interest and on relevant seed variables, then (s)he may update themselves on the variables of interest by prior conditionalizing on the given information. This requires that the Bayesian formulates his/her joint distribution over
• the variables of interest;
• the seed variables;
• the experts’ distributions over the seed variables and the variables of interest.
Issues that arise in building such a model are discussed in Cooke [1]. Suffice to say here that a group of rational individuals is not itself a rational individual, and group decision problems are notoriously resistant to the Bayesian paradigm.
3 THE CLASSICAL MODEL

The above principles have been operationalized in the so-called classical model, a performance-based linear pooling or weighted averaging model [1, 13]. The weights are derived from experts’ calibration and information scores, as measured on seed variables. Seed variables serve a threefold purpose:
1. to quantify experts’ performance as subjective probability assessors;
2. to enable performance-optimized combinations of expert distributions; and
3. to evaluate and hopefully validate the combination of expert judgments.

The name “classical model” is derived from an analogy between calibration measurement and classical statistical hypothesis testing. It contrasts with various Bayesian models. The performance-based weights use two quantitative measures of performance, calibration and information. Loosely, calibration measures the statistical likelihood that a set of experimental results correspond, in a statistical sense, with the expert’s assessments. Information measures the degree to which a distribution is concentrated.
These measures can be implemented for both discrete and quantile elicitation formats. In the discrete format, experts are presented with uncertain events and perform their elicitation by assigning each event to one of several predefined probability bins, typically 10, 20, . . . , 90%. In the quantile format, experts are presented with an uncertain quantity taking values in a continuous range, and they give predefined quantiles, or percentiles, of the subjective uncertainty distribution, typically 5, 50, and 95%. The quantile format has distinct advantages over the discrete format, and all the studies reported below use this format. In five studies, the 25 and 75% quantiles were also elicited. To simplify the exposition, we assume that the 5, 50, and 95% values were elicited.

3.1 Calibration

For each quantity, each expert divides the range into four interquantile intervals for which his/her probabilities are known, namely $p_1 = 0.05$: less than or equal to the 5% value, $p_2 = 0.45$: greater than the 5% value and less than or equal to the 50% value, and so on. If $N$ quantities are assessed, each expert may be regarded as a statistical hypothesis, namely, that each realization falls in one of the four interquantile intervals with probability vector

$$p = (0.05, 0.45, 0.45, 0.05)$$

Suppose we have realizations $x_1, \ldots, x_N$ of these quantities. We may then form the sample distribution of the expert’s interquantile intervals as

$$s_1(e) = \#\{i \mid x_i \le 5\%\ \text{quantile}\}/N$$
$$s_2(e) = \#\{i \mid 5\%\ \text{quantile} < x_i \le 50\%\ \text{quantile}\}/N$$
$$s_3(e) = \#\{i \mid 50\%\ \text{quantile} < x_i \le 95\%\ \text{quantile}\}/N$$
$$s_4(e) = \#\{i \mid 95\%\ \text{quantile} < x_i\}/N$$
$$s(e) = (s_1, \ldots, s_4)$$

Note that the sample distribution depends on the expert $e$. If the realizations are indeed drawn independently from a distribution with quantiles as stated by the expert, then the quantity

$$2N\,I(s(e) \mid p) = 2N \sum_{i=1,\ldots,4} s_i \ln(s_i/p_i) \qquad (1)$$
is asymptotically distributed as a chi-square variable with 3 degrees of freedom. This is the so-called likelihood ratio statistic and $I(s \mid p)$ is the relative information of distribution $s$ with respect to $p$. If we extract the leading term of the logarithm, we obtain the familiar chi-square test statistic for goodness of fit. There are advantages in using the form in Eq. (1) (Cooke [1]). If after a few realizations the expert were to see that all realizations fell outside his 90% central confidence intervals, he/she might conclude that these intervals were too narrow and might broaden them on subsequent assessments. This means that for this expert the uncertainty distributions are not independent, and he/she learns from the realizations. Expert learning is not a goal of an expert judgment study and his/her joint distribution
is not elicited. Rather, the decision maker (DM) wants experts who do not need to learn from the elicitation. Hence, the DM scores expert $e$ as the statistical likelihood of the hypothesis

$H_e$: the interquantile interval containing the true value for each variable is drawn independently from probability vector $p$.

A simple test for this hypothesis uses the test statistic (Eq. (1)), and the likelihood, or p value, or calibration score of this hypothesis, is

$$\text{Calibration score}(e) = p\ \text{value} = \mathrm{Prob}\{2N\,I(s(e) \mid p) \ge r \mid H_e\}$$

where $r$ is the value of Eq. (1) based on the observed values $x_1, \ldots, x_N$. It is the probability under hypothesis $H_e$ that a deviation at least as great as $r$ should be observed on $N$ realizations if $H_e$ were true. Calibration scores are absolute and can be compared across studies. However, before doing so, it is appropriate to equalize the power of the different hypothesis tests by equalizing the effective number of realizations. To compare scores on two data sets with $N$ and $N'$ realizations, we simply use the minimum of $N$ and $N'$ in Eq. (1), without changing the sample distribution $s$. In some cases involving multiple realizations of one and the same assessment, the effective number of seed variables is based on the number of assessments and not the number of realizations.

Although the calibration score uses the language of simple hypothesis testing, it must be emphasized that we are not rejecting expert hypotheses; rather we are using this language to measure the degree to which the data supports the hypothesis that the expert’s probabilities are accurate. Low scores, near zero, mean that it is unlikely that the expert’s probabilities are correct.

3.2 Information

The second scoring variable is information. Loosely, the information in a distribution is the degree to which the distribution is concentrated. Information cannot be measured absolutely, but only with respect to a background measure.
Being concentrated or “spread out” is measured relative to some other distribution. Generally, the uniform and log-uniform background measures are used (other background measures are discussed in Yunusov et al. [14]). Measuring information requires associating a density with each quantile assessment of each expert. To do this, we use the unique density that complies with the experts’ quantiles and is minimally informative with respect to the background measure. This density can easily be found with the method of Lagrange multipliers. For a uniform background measure, the density is constant between the assessed quantiles, and is such that the total mass between the quantiles agrees with $p$. The background measure is not elicited from experts as indeed it must be the same for all experts; instead it is chosen by the analyst. The uniform and log-uniform background measures require an intrinsic range on which these measures are concentrated. The classical model implements the so-called $k$% overshoot rule: for each item we consider the smallest interval $I = [L, U]$ containing all the assessed quantiles of all experts and the realizations, if known. This interval is extended to

$$I^* = [L^*, U^*];\quad L^* = L - k(U - L)/100;\quad U^* = U + k(U - L)/100$$
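The calibration score of Section 3.1 and the relative information against a uniform background on the overshoot range, worked through as an added example that is not the authors' software. The two experts, their quantiles, the realizations, and k = 10 are constructed assumptions; per-item relative information is averaged over the items to give one information score per expert.

```python
import math

P = (0.05, 0.45, 0.45, 0.05)  # mass of the four interquantile intervals (5/50/95% format)

# Constructed seed data: 10 realizations and two hypothetical experts,
# each giving (5%, 50%, 95%) quantiles per item.
REALIZATIONS = [12, 48, 30, 95, 61, 20, 77, 5, 54, 33]
EXPERTS = {
    # "A": wide intervals (half-width 20) around medians that are roughly on target
    "A": [(m - 20, m, m + 20) for m in (17, 40, 42, 70, 58, 45, 67, 7, 39, 42)],
    # "B": narrow intervals (half-width 2): concentrated but overconfident
    "B": [(m - 2, m, m + 2) for m in (18, 43, 31, 86, 65, 19, 70, 8, 50, 41)],
}


def sample_distribution(assessments, realizations):
    """s(e): fraction of realizations falling in each interquantile interval."""
    counts = [0, 0, 0, 0]
    for (q5, q50, q95), x in zip(assessments, realizations):
        counts[0 if x <= q5 else 1 if x <= q50 else 2 if x <= q95 else 3] += 1
    return [c / len(realizations) for c in counts]


def relative_information(s, p):
    """I(s|p) = sum_i s_i ln(s_i / p_i), with 0 ln 0 taken as 0."""
    return sum(si * math.log(si / pi) for si, pi in zip(s, p) if si > 0)


def chi2_sf_3dof(r):
    """P(X >= r) for a chi-square variable with 3 degrees of freedom (closed form)."""
    if r <= 0:
        return 1.0
    return math.erfc(math.sqrt(r / 2)) + math.sqrt(2 * r / math.pi) * math.exp(-r / 2)


def calibration_score(name, n_effective=None):
    """p value of the statistic in Eq. (1); n_effective replaces N to equalize power."""
    s = sample_distribution(EXPERTS[name], REALIZATIONS)
    n = n_effective if n_effective is not None else len(REALIZATIONS)
    return chi2_sf_3dof(2 * n * relative_information(s, P))


def intrinsic_range(item, k=10):
    """k% overshoot rule: smallest interval holding all quantiles and the realization."""
    values = [q for quantiles in EXPERTS.values() for q in quantiles[item]]
    values.append(REALIZATIONS[item])
    low, high = min(values), max(values)
    pad = k * (high - low) / 100
    return low - pad, high + pad


def information_score(name, k=10):
    """Average relative information of the expert's density w.r.t. a uniform background."""
    total = 0.0
    for item, quantiles in enumerate(EXPERTS[name]):
        low, high = intrinsic_range(item, k)
        edges = (low, *quantiles, high)
        # The density is constant between quantiles, so each mass p_i is compared
        # with the background mass of its interval (interval length / range length).
        background = [(edges[i + 1] - edges[i]) / (high - low) for i in range(4)]
        total += relative_information(P, background)
    return total / len(EXPERTS[name])


def scores():
    """Calibration, information and their product for every expert."""
    return {name: (calibration_score(name), information_score(name),
                   calibration_score(name) * information_score(name))
            for name in EXPERTS}


if __name__ == "__main__":
    for name, (cal, info, product) in scores().items():
        print(f"{name}: calibration={cal:.3g} information={info:.3g} product={product:.3g}")
```

Expert B scores higher on information because its quantiles are close together, but eight of the ten realizations fall outside its 90% intervals, so its calibration score collapses and the product of the two scores ends up far below expert A's.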
The value of k is chosen by the analyst. A large value of k tends to make all experts look quite informative, and tends to suppress the relative differences in information scores. The information score of expert e on assessments for uncertain quantities 1, . . . , N is

$$\text{Information score}(e) = \text{average relative information with respect to background} = \frac{1}{N}\sum_{i=1}^{N} I(f_{e,i} \mid g_i)$$

where $g_i$ is the background density for variable i and $f_{e,i}$ is expert e’s density for item i. This is proportional to the relative information of the expert’s joint distribution given the background, under the assumption that the variables are independent. As with calibration, the assumption of independence here reflects a desideratum of the DM and not an elicited feature of the expert’s joint distribution. The information score does not depend on the realizations. An expert can give himself a high information score by choosing his quantiles very close together. Evidently, the information score of e depends on the intrinsic range and on the assessments of other experts. Hence, information scores cannot be compared across studies. Of course, other measures of concentratedness could be contemplated. The above information score is chosen because it is

• familiar
• tail insensitive
• scale invariant
• slow.

The latter property means that relative information is a slow function; large changes in the expert assessments produce only modest changes in the information score. This contrasts with the likelihood function in the calibration score, which is a very fast function. This causes the product of calibration and information to be driven by the calibration score.

3.3 Decision Maker

A combination of expert assessments is called a decision maker. All DMs discussed here are examples of linear pooling. For a discussion of pros and cons of the linear pool, see Refs [1, 2, 15, 16]. The classical model is essentially a method for deriving weights in a linear pool. “Good expertise” corresponds to good calibration (high statistical likelihood, high p value) and high information. We want weights that reward good expertise and that pass these virtues on to the DM. The reward aspect of weights is very important. We could simply solve the following optimization problem: find a set of weights such that the linear pool under these weights maximizes the product of calibration and information. Solving this problem on real data, we have found that the weights do not generally reflect the performance of the individual experts. An example of this is given in Section 4. As we do not want an expert’s influence on the DM to appear haphazard, and we do not want to encourage experts to game the system by tilting their assessments to achieve a desired outcome, we must impose a strictly proper scoring rule constraint on the weighting
scheme. Roughly, this means that an expert achieves his/her maximal expected weight only by stating assessments in conformity with his/her true beliefs. Consider the following score for expert e:

$$w_\alpha(e) = 1_\alpha(\text{calibration score}) \times \text{calibration score}(e) \times \text{information score}(e) \qquad (2)$$

where $1_\alpha(x) = 0$ if $x < \alpha$ and $1_\alpha(x) = 1$ otherwise. Cooke [1] showed that Eq. (2) is asymptotically a strictly proper scoring rule for average probabilities. This means the following: suppose an expert has given his quantile assessments for a large number of variables and subsequently learns that his/her judgments will be scored and combined according to the classical model. If (s)he were then given the opportunity to change the quantile values (e.g. the numbers 5, 50, or 95%) in order to maximize the expected weight, the expert would choose values corresponding to his/her true beliefs. Note that this type of scoring rule scores a set of assessments on the basis of a set of realizations. Scoring rules for individual variables were found unsuitable for purposes of weighting; for more details the reader is referred to Cooke [1]. The scoring rule constraint requires the term $1_\alpha(\text{calibration score})$, but does not say what value of α we should choose. Therefore, we choose α so as to maximize the combined score of the resulting DM. Let $DM_\alpha(i)$ be the result of linear pooling for item i with weights proportional to Eq. (2):

$$DM_\alpha(i) = \sum_{e=1,\ldots,E} w_\alpha(e)\, f_{e,i} \Big/ \sum_{e=1,\ldots,E} w_\alpha(e) \qquad (3)$$

The global weight DM is $DM_{\alpha^*}$ where $\alpha^*$ maximizes

$$\text{calibration score}(DM_\alpha) \times \text{information score}(DM_\alpha) \qquad (4)$$

This weight is termed global because the information score is based on all the assessed seed items. A variation on this scheme allows a different set of weights to be used for each item. This is accomplished by using information scores for each item rather than the average information score:

$$w_\alpha(e, i) = 1_\alpha(\text{calibration score}) \times \text{calibration score}(e) \times I(f_{e,i} \mid g_i) \qquad (5)$$

For each α we define the item weight $DM_\alpha$ for item i as

$$IDM_\alpha(i) = \sum_{e=1,\ldots,E} w_\alpha(e, i)\, f_{e,i} \Big/ \sum_{e=1,\ldots,E} w_\alpha(e, i) \qquad (6)$$

The item weight DM is $IDM_{\alpha^*}$ where $\alpha^*$ maximizes

$$\text{calibration score}(IDM_\alpha) \times \text{information score}(IDM_\alpha) \qquad (7)$$

Item weights are potentially more attractive as they allow an expert to up- or down-weight himself/herself for individual items according to how much (s)he feels (s)he knows about that item. “Knowing less” means choosing quantiles further apart and lowering the information score for that item. Of course, good performance of item weights requires that experts can perform this up–down weighting successfully. Anecdotal evidence suggests
that item weights improve over global weights as the experts receive more training in probabilistic assessment. Both item and global weights can be pithily described as optimal weights under a strictly proper scoring rule constraint. In both global and item weights calibration dominates over information; information serves to modulate between more or less equally well-calibrated experts. Since any combination of expert distributions yields assessments for the seed variables, any combination can be evaluated on the seed variables. In particular, we can compute the calibration and the information of any proposed DM. We should hope that the DM would perform better than the result of simple averaging, called the equal weight decision maker (EWDM), and we should also hope that the proposed DM is not worse than the best expert in the panel. In the classical model, calibration and information are combined to yield an overall or combined score with the following properties:

1. Individual expert assessments, realizations, and scores are published. This enables any reviewer to check the application of the method, in compliance with the principle of accountability/scrutability.
2. Performance is measured and hopefully validated, in compliance with the principle of empirical control. An expert’s weight is determined by performance.
3. The score is a long-run proper scoring rule for average probabilities, in compliance with the principle of neutrality.
4. Experts are treated equally, before the performance measurement, in compliance with the principle of fairness.

Expert names and qualifications are part of the published documentation of every expert judgment study in the database; however, they are not associated with assessments in the open literature. The experts’ reasoning is always recorded and sometimes published as expert rationales. There is no mathematical theorem that either item weights or global weights outperform equal weighting or outperform the best expert.
It is not difficult to construct artificial examples where this is not the case. Performance of these weighting schemes is a matter of experience. In practice, global weights are used unless item weights perform markedly better. Of course, there may be other ways of defining weights that perform better, and indeed there might be better performance measures. Good performance on one individual data set is not convincing. What is convincing is good performance on a large diverse data set, such as the TU Delft expert judgment database. In practice, a method should be easy to apply, easy to explain, should do better than equal weighting, and should never do something ridiculous.
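The scoring pipeline of Sections 3.1 to 3.3 (calibration score, information score with the k% overshoot rule, and the global weight DM of Eqs. (2) to (4)), written out as an added Python example; it is not the EXCALIBUR code and not part of the original chapter. It assumes 5%, 50%, and 95% quantile assessments, the asymptotic chi-square distribution (3 degrees of freedom for four bins) of the statistic 2N I(s|p), a uniform background measure with k = 10, a DM that is scored as a virtual expert through the 5/50/95% quantiles of the pooled distribution, and constructed data for three hypothetical experts A, B, and C.

```python
import math

P = (0.05, 0.45, 0.45, 0.05)         # mass each expert puts in the four inter-quantile bins
CUM = (0.0, 0.05, 0.50, 0.95, 1.0)   # cumulative probability at L*, q5, q50, q95, U*

def chi2_sf_3df(x):
    """P(chi-square with 3 d.o.f. >= x); four bins give three degrees of freedom."""
    return math.erfc(math.sqrt(x / 2)) + math.sqrt(2 * x / math.pi) * math.exp(-x / 2)

def calibration(quantiles, realizations):
    """p value of H_e: Prob{2N I(s|p) >= r}, using the asymptotic chi-square law."""
    n = len(realizations)
    counts = [0, 0, 0, 0]
    for q, x in zip(quantiles, realizations):
        counts[sum(x > qj for qj in q)] += 1          # bin that caught the realization
    s = [c / n for c in counts]                       # sample distribution s(e)
    rel = sum(si * math.log(si / pi) for si, pi in zip(s, P) if si > 0)
    return chi2_sf_3df(2 * n * max(rel, 0.0))

def intrinsic_ranges(experts, realizations, k):
    """k% overshoot rule: [L*, U*] per item from all quantiles and the realization."""
    out = []
    for i, x in enumerate(realizations):
        vals = [v for e in experts for v in e[i]] + [x]
        lo, hi = min(vals), max(vals)
        out.append((lo - k * (hi - lo) / 100, hi + k * (hi - lo) / 100))
    return out

def information(quantiles, ranges):
    """Average relative information w.r.t. a uniform background on each [L*, U*]."""
    total = 0.0
    for q, (lo, hi) in zip(quantiles, ranges):
        b = (lo, *q, hi)
        total += sum(p * math.log(p * (hi - lo) / (b[j + 1] - b[j]))
                     for j, p in enumerate(P))
    return total / len(ranges)

def cdf(b, x):
    """CDF of the minimally informative (piecewise uniform) density with breakpoints b."""
    for j in range(4):
        if x <= b[j + 1]:
            return CUM[j] + (CUM[j + 1] - CUM[j]) * (x - b[j]) / (b[j + 1] - b[j])
    return 1.0

def pooled_quantiles(experts, weights, i, rng):
    """5/50/95% quantiles of the linear pool of Eq. (3) for item i."""
    bs = [(rng[0], *e[i], rng[1]) for e in experts]
    grid = sorted({v for b in bs for v in b})         # pooled CDF is linear between these
    F = [sum(w * cdf(b, x) for w, b in zip(weights, bs)) for x in grid]
    out = []
    for q in CUM[1:4]:
        j = next(j for j in range(1, len(grid)) if F[j] >= q)
        out.append(grid[j - 1] + (q - F[j - 1]) * (grid[j] - grid[j - 1]) / (F[j] - F[j - 1]))
    return tuple(out)

def score_dm(experts, raw_weights, realizations, ranges):
    """Combined score (calibration x information) of the pool, plus normalized weights."""
    w = [x / sum(raw_weights) for x in raw_weights]
    dmq = [pooled_quantiles(experts, w, i, r) for i, r in enumerate(ranges)]
    return calibration(dmq, realizations) * information(dmq, ranges), w

def global_weight_dm(experts, realizations, k=10):
    """Eqs. (2)-(4): weights cal x info above a cutoff alpha chosen to maximize the DM score."""
    ranges = intrinsic_ranges(experts, realizations, k)
    cal = [calibration(e, realizations) for e in experts]
    info = [information(e, ranges) for e in experts]
    best = None
    for alpha in sorted(set(cal)):                    # only these cutoffs change the weights
        raw = [c * h if c >= alpha else 0.0 for c, h in zip(cal, info)]
        if sum(raw) > 0:
            score, w = score_dm(experts, raw, realizations, ranges)
            if best is None or score > best["score"]:
                best = {"alpha": alpha, "weights": w, "score": score}
    equal, _ = score_dm(experts, [1.0] * len(experts), realizations, ranges)
    return {"calibration": cal, "information": info, "dm": best, "equal_score": equal}

def constructed_expert(realizations, bins, h):
    """Constructed assessments: quantiles (m-h, m, m+h) placed so x lands in the given bin."""
    shift = {0: 1.5, 1: 0.5, 2: -0.5, 3: -1.5}
    return [(x + (shift[b] - 1) * h, x + shift[b] * h, x + (shift[b] + 1) * h)
            for x, b in zip(realizations, bins)]

def demo():
    xs = [100.0 + 10 * i for i in range(20)]                       # constructed realizations
    a = constructed_expert(xs, [0] + [1] * 9 + [2] * 9 + [3], 20)  # bin hits 1/9/9/1
    b = constructed_expert(xs, [0] * 10 + [3] * 10, 2)             # narrow, always outside 5-95%
    c = constructed_expert(xs, [1] * 14 + [2] * 6, 60)             # wide, biased median
    return global_weight_dm([a, b, c], xs)

if __name__ == "__main__":
    r = demo()
    for name, cal, info in zip("ABC", r["calibration"], r["information"]):
        print(f"expert {name}: calibration={cal:.3g}  information={info:.3f}")
    print("global-weight DM:", r["dm"])
    print("equal-weight DM combined score:", round(r["equal_score"], 4))
```

In the constructed panel, the overconfident expert B has the highest information score but a calibration score near zero, so the product in Eq. (2) leaves B with essentially no weight, which is the sense in which calibration dominates information.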
4 APPLICATIONS OF THE CLASSICAL MODEL

Forty-five expert panels involving seed variables have been performed to date.¹ Because most of these studies were performed by or in collaboration with the TU Delft, it is possible to retrieve relevant details of these studies, and to compare performance of performance-based and equal weight combination schemes. For studies by Ter Haar [17], the data has not been retrieved. These are all studies performed under contract for a problem owner and reviewed and accepted by the contracting party. In most cases these have been published. Table 2 below lists these studies, references publications, and gives summary information. The number of variables and number of seed variables are shown, as is the number of effective seed variables. In general, the effective number of seeds is equal to the least number of seeds assessed by some expert. In this way each expert is scored with a test of the same power. In the Gas panel, the panel and the seed variables were split post hoc into corrosion and environmental panels.

The combined scores of EWDM, performance-based DM, and best expert are compared pairwise in Figure 1. Figure 2 compares the calibration (p values) and information scores of the EWDM, the performance-based DM, and the best expert. In 15 of 45 cases, the performance-based DM was the best expert, that is, one expert received weight one. In 27 cases, the combined score of the performance-based DM was strictly better than both the EWDM and the best expert. In one case [2], the EWDM performed best, and in two cases [16, 40] the best expert outperformed both equal weights and performance-based weights. The EWDM is better calibrated than the best expert in 25 of the 45 cases, but in only two cases more informative. In 18 cases the combined score of the EWDM is better than that of the best expert. In 12 of the 45 cases the calibration of the best expert is less than or equal to 0.05; for the EWDM this happened in seven cases (15%).

The study on radiological transport in soil Genest and Zidek [16] was unusual in that all the experts and all DMs performed badly. Both the seed variables and the experts were identified by the National Radiological Protection Board, and reanalysis of the seed variables and expert data did not yield any satisfactory explanation for the poor performance. We concluded that this was simply due to the small number of experts and bad luck. The motivation for performance-based weighting above equal weighting speaks for itself from this data. Most often the EWDM is slightly less well calibrated and significantly less informative, but sometimes the calibration of the EWDM is quite poor [41, 42]. Finally, we remark that the experts overwhelmingly have supported the idea of performance measurement. This sometimes comes as a surprise for people from the social sciences, but not for natural scientists. The essential point is that the performance measures are objective and fully transparent. It is impossible to tweak these measures for extrascientific expediency.

¹ These results are obtained with the EXCALIBUR software, available from http://delta.am.ewi.tudelft.nl/risk/. The Windows version upgraded chi-square and information computational routines, and this may cause differences with the older DOS version, particularly with regard to very low calibration scores.
5 SEED VARIABLES, VARIABLES OF INTEREST, AND ROBUSTNESS

A recurring question is the degree to which performance on seed variables predicts performance on the variables of interest. Forecasting techniques always do better on data used to initialize the models than on fresh data. Might that not be the case here as well? Obviously, we have recourse to expert judgment because we cannot observe the variables of interest, so this question is likely to be with us for some time. Experts’ information scores can be computed for the variables of interest and compared with the seed variables (see below). More difficult is the question whether calibration differences
Dsm-1 12, 16 Dsm-2 18 Estec-1 12, 16 Estec-2 19 Estec-3 8 AOT (daily) 20 AOT (risk) 20 Grond-5 21
Case
1 Flange leak
2 Crane risk
3 Propulsion
4 Space debris
5 Composite materials
6 Option trading
7 Risk management
8 Groundwater transport
Expert Judgment Studies
Name/ Reference
TABLE 2
7
5
9
6
7
4
8
10
Number of Experts
38/10
11/11
38/38
22/12
58/26
48/13
39/12
14/8
Number of Variables/ Seeds
10
11
6
12
18
13
11
8
Number of Effective Seeds Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination
Performance Measure 0.66 1.371 0.905 0.84 1.367 1.148 0.43 1.72 0.7398 0.78 0.32 0.25 0.27 1.442 0.39 0.95 0.5043 0.4791 0.8287 1.212 1.003 0.7 3.008 2.106
Performance Weights
0.54 1.549 0.836 0.005 2.458 0.012 0.14 2.952 0.413 0.0001 2.29 0.0002 0.005 2.549 0.013 0.95 0.5043 0.4791 0.8287 1.212 1.003 0.4 3.966 1.586
Best Expert
0.53 0.8064 0.4274 0.5 0.69 0.345 0.43 1.421 0.611 0.9 0.15 0.14 0.12 0.929 0.111 0.95 0.2156 0.2048 0.324 0.7449 0.2413 0.05 3.16 0.158
Equal Weights
Name/ Reference Tuddispr 1, 2 Tnodispr 2 Tuddepos 1, 2 Acnexpts 4, 13, 22 Nh3expts 4, 13, 22 So3expts 4, 13, 22 Waterpol 23 Eunrcdis 5, 6, 24
Case
9 Dispersion panel TUD
10 Dispersionpanel TNO
11 Dry deposition
12 Acrylo-nitrile
13 Ammonia panel
14 Sulfur trioxide
15 Water pollution
16 Dispersionpanel
TABLE 2 (Continued )
8
11
4
6
7
4
7
11
Number of Experts
77/23
21/11
28/7
31/10
43/10
56/24
58/36
58/36
Number of Variables/ Seeds
23
10
7
10
10
22
36
36
Number of Effective Seeds Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination
Performance Measure 0.68 0.827 0.562 0.69 0.875 0.604 0.45 1.647 0.741 0.24 3.186 0.764 0.11 1.672 0.184 0.14 3.904 0.547 0.35 1.875 0.6563 0.9 1.087 0.9785
Performance Weights
0.71 0.715 0.508 0.32 0.751 0.24 0.34 1.222 0.415 0.28 1.511 0.423 0.28 1.075 0.301 0.14 2.098 0.294 0.35 1.385 0.4847 0.15 0.862 0.129
Equal Weights
0.36 1.532 0.552 0.53 1.698 0.9002 0.45 1.647 0.741 0.24 3.186 0.764 0.06 2.627 0.158 0.02 4.345 0.087 0.16 2.06 0.3296 0.13 1.242 0.161
Best Expert
7
Eunrca s 5, 24, 25 Euncrwd 5, 6, 24 Eunrcint 5, 24, 26 Eunrcear 5, 24, 27 Euncrsoi 5, 24, 25 Gas95 28 Gas95 28 Mvblbarr 29
18 Rad. Transp. in animals
19 Wet deposition
20 Rad. internal dose
21 Rad. early health effects
22 Rad. trans. soil
23 Environment panel
24 Corrosion panel
25 Moveable barriers flood risk
12
15
4
9
8
7
8
Eunrcdd 5, 6, 24
17 Dry deposition
52/14
58/11
106/28
244/31
489/15
332/55
50/19
80/8
87/14
14
11
17
31
15
28
19
6
14
Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination
0.52 1.339 0.697 0.75 2.697 2.023 0.25 0.451 0.113 0.85 0.796 0.677 0.23 0.2156 0.0496 0.0001 1.024 0.0001 0.93 1.628 1.514 0.16 2.762 0.4419 0.43 1.243 0.535
0.52 1.339 0.697 0.75 2.697 2.023 0.01 0.593 0.0059 0.73 0.822 0.6001 0.0001 1.375 0.00014 0.0001 2.376 0.0002 0.06 2.411 0.145 0.16 2.762 0.4419 0.04 1.711 0.068
0.001 1.184 0.001 0.55 1.778 0.978 0.001 0.726 0.00073 0.11 0.5598 0.062 0.07 0.1647 0.01153 0.0001 0.973 9.7E–05 0.11 1.274 0.14 0.06 1.304 0.078 0.22 0.57 0.125
Realestr 30 Rivrchnl 31 Mont1 32, 33 Thrmbld 7 Dikring 15, 34 Carma 17 CARME-Greece 35 Opriskbank 36
27 River channel
28 Montserrat Volcano
29 Thermal phys. Blds
30 Dike ring failure
31 Campylobacter NL
32 Campy Greece
33 Oper. Risk
Name/ Reference
26 Real estate risk
Case
TABLE 2 (Continued )
10
6
12
17
6
11
6
5
Number of Experts
36/16
98/10
98/10
87/47
48/48
13/8
14/8
45/31
Number of Variables/ Seeds
16
10
10
47
10
8
8
31
Number of Effective Seeds Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination B Information Combination
Performance Measure 0.82 0.7648 0.6296 0.53 0.843 0.447 0.66 1.906 1.258 0.3628 0.5527 0.2005 0.4 0.614 0.2456 0.828 1.48 1.226 0.4925 0.8611 0.4241 0.4301 0.7827 0.3263
Performance Weights
0.005 0.1735 0.0009 0.64 0.289 0.185 0.53 0.8217 0.4355 0.02485 0.1424 0.00354 0.05 0.7537 0.03768 0.4735 0.2038 0.09648 0.5503 0.3428 0.1886 0.338 0.3219 0.1088
Equal Weights
0.82 0.7678 0.6296 0.53 0.843 0.447 0.66 1.906 1.258 0.3628 0.5527 0.2005 0.3 0.6462 0.1938 0.828 1.48 1.226 0.4925 0.8611 0.4241 0.1473 0.903 0.133
Best Expert
Ladders
Dams 38 MVO seeds 33, 39 Pilots 32 Setecidades
36 Falls ladders
37 Dams
38 MVO seeds Montserrat follup
39 Pilots
40 Sete Cidades
42 Vesuvio
VesuvioPisa21Mar05
TeideMay 05
PM25
35 PM25
41 TeideMay 05
Infosec 37
34 Infosec
14
17
19
31
77
11
7
6
13
79/10
23/10
27/10
63/10
5/5
74/11
22/10
24/12
32/10
10
10
10
10
5
11
10
12
10
Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination Calibration Information Combination
0.7071 1.721 1.217 0.578 0.807 0.466 0.2441 0.975 0.238 0.615 1.248 0.7677 0.6084 3.116 1.896 0.4735 0.6903 0.3269 0.7901 2.709 2.141 0.7069 2.178 1.54 0.6827 2.43 1.659
0.3135 2.232 0.6999 0.1195 1.486 0.1776 0.00131 1.801 0.00236 0.01088 2.359 0.02566 0.6084 3.116 1.896 0.1917 1.403 0.2689 0.4281 2.474 1.059 0.04706 3.322 0.1563 0.4706 3.622 0.1705
0.7971 1.012 0.7159 0.6451 0.542 0.3497 0.3005 0.4638 0.1394 0.492 0.6446 0.3171 0.3946 1.147 0.4525 0.5503 0.5946 0.2777 0.1065 0.8409 0.1713 0.1135 1.681 0.1907 0.4735 1.485 0.7029
Volcrisk
Sars
Guadeloupe
43 Volcrisk
44 SARS
45 Guadeloupe
Case
Name/ Reference
TABLE 2 (Continued )
9
9
45
Number of Experts
57/10
20/10
30/10
Number of Variables/ Seeds
10
10
10
Number of Effective Seeds Calibration Information Combination Calibration Information Combination Calibration Information Combination
Performance Measure
0.8283 0.7738 0.641 0.6827 1.34 0.9149 0.4925 2.158 1.063
Performance Weights
0.1135 0.5571 0.06322 0.4735 0.6017 0.2849 0.4735 1.176 0.5567
Equal Weights
0.8283 0.7738 0.641 0.06083 2.31 0.1405 0.0008 3.649 0.00029
Best Expert
FIGURE 1 Combined scores of equal weight DM, performance-based DM, and the best expert. [Three scatter panels, both axes from 0 to 2.5: best expert against performance DM; equal DM against performance DM; equal DM against best expert.]
FIGURE 2 Calibration (p values) and information scores of equal weight DM, performance-based DM, and the best expert. [Four scatter panels: statistical accuracy (p values, axes from 0 to 1) and informativeness (axes from 0 to 5), each plotting the equal weight DM against the performance-based DM and against the best expert.]
in experts and DMs “persist” outside the set of seed variables. Questions related to this are as follows:

1. Are the differences in experts’ calibration scores due to chance fluctuations?
2. Is an expert’s ability to give informative and well-calibrated assessments persistent in time, dependent on training, seniority, or related to other psychosocial variables?

There has been much published and speculated on these questions, and the issue cannot be reviewed, let alone resolved here. If differences in experts’ performance did not persist beyond the seed variables, then that would certainly cast a long shadow over performance-based combination. If, on the other hand, there are real and reasonably persistent differences in expert performance, then it is not implausible that a performance-based combination could systematically do “better than average”. It is hoped that the TU Delft database can contribute to a further analysis of these issues. Closely related is the question of robustness: to what extent would the results change if different experts or different seed variables had been used. This last question can be addressed, if not laid to rest, by removing seed variables and experts one at a time and recomputing the DM. We discuss a few studies to illustrate good and poor choices of seed variables and, where possible, compare with variables of interest.

5.1 Real Estate Risk

In this study, the seed variables were prime office rent indices for large Dutch cities, published quarterly (variables 1 through 16). The variables of interest were rents of the actual properties managed by the investment firm. After 1 year, the realized rents were retrieved and compared with the predictions. The results for the EWDM and performance DM are shown below.

FIGURE 3 Seed variables and variables of interest, Real Estate Risk. [Two panels: equal weight DM and performance-based DM; 5%, 50%, and 95% quantiles and realizations; variables 1–16 = seed, variables 17–31 = variables of interest.]

The robustness analyses in this case are also revealing. First, we examine the five experts’ (three portfolio managers and two risk analysts) and DM’s scores, and the relative information of each of the experts to the equal weight combination of their distributions (Table 3). This gives a benchmark for how well the experts agree among themselves. The experts’ densities are constructed relative to a background measure, so these comparisons also depend on the background measure. The relatively weak calibration performance of the EWDM is due to the fact that only 4 of the 16 seed variables were above the median assessment.² At the same time, the equal DM’s medians are actually a bit closer to the realizations. Distance between median and realization is an example of a scoring variable that is not taken into account by the performance-based DM.³ Note also that the pattern of informativeness on seed variables is comparable to that on all variables; portfolio manager 3 is least informative and risk analyst 1 is most informative. Note also that low informativeness does not translate automatically into better calibration.

² The values cited in Table 3 are based on 31 seed variables, using also the variables of interest, which became available a year later.
³ The reason is that distance is scale dependent. In this case, the scales of all variables are the same, so such a scoring variable could be used. Of course, such a rule may not be proper.
TABLE 3 Real Estate Risk: Relative Information of the Five Experts to the Equal Weight Combination for All Variables and for Variables with Realizations

| ID | Calibration | Mean Relative Information, All Variables | Mean Relative Information, Seed Variables | Number of Realizations | Unnormalized Weight | Relative Information to Equal Weight DM, All Variables | Relative Information to Equal Weight DM, Seed Variables |
|---|---|---|---|---|---|---|---|
| Portfol1 | 0.3303 | 0.7932 | 0.8572 | 16 | 0.2832 | 0.5004 | 0.6241 |
| Portfol2 | 0.1473 | 1.02 | 0.9554 | 16 | 0 | 0.7764 | 0.6545 |
| Portfol3 | 0.02012 | 0.2492 | 0.1556 | 16 | 0 | 0.3633 | 0.2931 |
| Riskan1 | 6.06E–05 | 1.334 | 1.536 | 16 | 0 | 0.9575 | 1.21 |
| Riskan2 | 0.004167 | 0.5848 | 0.6126 | 16 | 0 | 0.4579 | 0.4402 |
| Performance DM | 0.3303 | 0.7932 | 0.8572 | 16 | 0.2832 | | |
| Equal DM | 0.05608 | 0.1853 | 0.179 | 16 | 0.01004 | | |
Next we remove the 16 seed variables one at a time and recompute the performance-based DM (Table 4). The scores do not change much, but the relative information of the “perturbed DM” with respect to the original DM is rather large for eight of the variables, compared to the differences between the experts themselves. The explanation can be found by examining the robustness on experts (Table 5). If we remove portfolio manager 1, the effect on the DM is large, compared to the largest relative information between a single expert and the equal weight combination. This is not surprising as portfolio manager 1 coincides with the performance-based DM. Interestingly, we get a significant change by removing portfolio manager 2. This is because the combination of portfolio managers 1 and 3 would give a higher score than portfolio manager 1 alone, or 1 and 2 alone. We should have to give portfolio manager 2 weight zero and portfolio manager 3 positive weight, even though the latter’s calibration score is worse than that of the former. The proper scoring rule constraint prevents this from happening. This underscores the difference noted in Section 2 between optimization under the proper scoring rule constraint and unconstrained optimization. In the latter case, a better calibrated expert can have less weight than a poorly calibrated expert. The nonrobustness in Table 4 is caused by the fact that the removal of some seed variables causes the calibration of portfolio manager 2 to dip below that of portfolio manager 3.

5.2 AEX

In this case, the seed variables were the variables of interest, namely the opening price of the Amsterdam stock exchange, as estimated at closing the previous day. Note that some of the experts anticipated a large drop on the day corresponding to variable 20. This was reflected neither in the performance-based DM nor in the realization. Other than that, the pattern across seed variables does not look erratic. In spite of the excellent performance of the experts in this case, they were not able to predict the opening price better than the “historical average predictor”. In other words, any information the experts might have had at closing time was already reflected in the closing price.

5.3 Dry Deposition

The seed variables were measured deposition velocities, though not configured according to the requirements of the study (per species, windspeed, particle diameter, and surface). Here again, the poor statistical performance of the EWDM is due to the fact that all but one of the 14 seed variables fall above the median.

5.4 Dyke Ring

The seed variables were ratios of predicted versus measured water levels (at different water levels, around 2 m above the baseline). Variables of interest were the same, but at water levels above 3.5 m above the baseline. In this case, we had several realizations of this ratio from each of several measuring stations. This explains the step pattern of the quantiles; these are actually the same assessment with several realizations. Although all 47 seed variables were used in the analysis, for purposes of comparing expert performance with that of other studies, the effective number of seeds was reduced to 10. This accounts for dependence in the experts’ assessments and corresponds to the number most often used for such comparisons.
TABLE 4 Real Estate Risk: Robustness Analysis on Seed Variables

| Excluded Item | Relative Information/b, All Variables | Relative Information/b, Seed Variables | Calibration | Relative Information/Original DM, All Variables | Relative Information/Original DM, Seed Variables |
|---|---|---|---|---|---|
| Q1Rent Amster. | 0.5875 | 0.6234 | 0.3578 | 0.37 | 0.3539 |
| Q2Rent Amster. | 0.5974 | 0.6341 | 0.3578 | 0.4421 | 0.4402 |
| Q3Rent Amster. | 0.7921 | 0.8583 | 0.5435 | 0 | 0 |
| Q4Rent Amster. | 0.7859 | 0.8401 | 0.5435 | 0 | 0 |
| Q1Rent Rotter. | 0.5871 | 0.6047 | 0.3578 | 0.4565 | 0.4438 |
| Q2Rent Rotter. | 0.5857 | 0.6004 | 0.3578 | 0.4708 | 0.4491 |
| Q3Rent Rotter. | 0.8009 | 0.8841 | 0.387 | 0 | 0 |
| Q4Rent Rotter. | 0.5872 | 0.6222 | 0.3578 | 0.3575 | 0.3505 |
| Q1Rent Denhaag | 0.7886 | 0.8478 | 0.387 | 0 | 0 |
| Q2Rent Denhaag | 0.7861 | 0.8406 | 0.387 | 0 | 0 |
| Q3Rent Denhaag | 0.784 | 0.8345 | 0.387 | 0 | 0 |
| Q4Rent DenHaag | 0.7845 | 0.8358 | 0.387 | 0 | 0 |
| Q1Rent Utrecht | 0.6034 | 0.6396 | 0.288 | 0.4353 | 0.4589 |
| Q2Rent Utrecht | 0.6069 | 0.6517 | 0.288 | 0.4644 | 0.4663 |
| Q3Rent Utrecht | 0.6013 | 0.6356 | 0.288 | 0.464 | 0.4656 |
| Q4Rent Utrecht | 0.794 | 0.8638 | 0.387 | 0 | 0 |
| Original Perf DM | 0.7932 | 0.8572 | 0.3303 | | |

TABLE 5 Real Estate Risk: Robustness Analysis on Experts

| Excluded Expert | Relative Information/b, All Variables | Relative Information/b, Seed Variables | Calibration | Relative Information/Original DM, Total Variables | Relative Information/Original DM, Seed Variables |
|---|---|---|---|---|---|
| Portfol1 | 1.006 | 0.9484 | 0.1473 | 1.144 | 1.058 |
| Portfol2 | 0.637 | 0.6899 | 0.7377 | 0.2916 | 0.3328 |
| Portfol3 | 0.5297 | 0.4825 | 0.3303 | 0 | 0 |
| Riskan1 | 0.7921 | 0.8572 | 0.3303 | 0 | 0 |
| Riskan2 | 0.7079 | 0.8195 | 0.3303 | 0 | 0 |
| Original performance DM | 0.7932 | 0.8572 | 0.3303 | 0 | 0 |

FIGURE 4 Seed variables (which are the variables of interest), AEX. [Two panels: AEX equal DM and AEX performance DM; 5%, 25%, 50%, 75%, and 95% quantiles and realizations plotted against seed variable number.]
FIGURE 5 Seed variables, USNRC-EU Dry Deposition. [Two panels: USNRC-EU dry deposition equal DM and performance DM; 5%, 50%, and 95% quantiles and realizations on a log scale plotted against seed variable number.]
FIGURE 6 Seed variables Dike Ring. [Two panels: dike ring equal DM and dike ring performance DM; 5%, 25%, 50%, 75%, and 95% quantiles and realizations on a log scale plotted against seed variable number.]
5.5 Space Debris

The seed variables were numbers of tracked space debris particles injected into orbit between the years 1961 and 1986. Variables of interest characterized the debris flux for 10 years into the future. It turned out that the experts did not possess year-by-year knowledge of the debris particles, and gave generic assessments assuming that the number was growing, where in fact the number appears to be quite random. This is a case in which the choice of seed variables was unsuccessful; the experts did not really have relevant knowledge to apply to the task.⁴

FIGURE 7 Seed variables Space Debris. [Two panels: space debris equal DM and space debris performance DM; 5%, 50%, and 95% quantiles and realizations plotted against seed variable number.]

⁴ In this early study, the effective number of seed variables was chosen to optimize the DM’s performance, a procedure which is no longer followed. The DOS version of the software used a table of the chi-square distribution and had problems with very low calibration scores. These problems will come to the fore when the number of seed variables is high, as in this case.

5.6 Out-of-Sample Validation?

In a review of the online version of this article, Clemen raised the important question: does the performance of the performance-weighted decision maker (PWDM) persist beyond the set of seed variables? Clemen believes that there is no significant difference between the PWDM and the EWDM outside the variables on which PWDM has been constructed. As noted above, PWDM does use optimization to remove a degree of freedom in the definition of the classical model. In every study, we routinely perform robustness analysis by removing seed variables (and experts) one at a time and recomputing PWDM. It is not uncommon to see the calibration scores of PWDM fluctuating by a factor of 2 or 3 on 10 seed variables.

Out-of-sample validation involves basing PWDM on an initial set of seed variables, then using this PWDM on other variables and comparing performance of EWDM on these other variables. This corresponds to the way PWDM is actually used. We can do this by splitting the set of seed variables into halves, initializing the model on one half and comparing performance on the other half. Of course, this requires a relatively large number of seed variables. There are 14 studies with at least 16 seed variables. One of these, “TNO dispersion”, eluded conversion to the format of the Windows software and currently cannot be read. This leaves 13 studies. Dividing the seed variables into half gives two validation runs, using the first half to predict the second and conversely. Note that the variables on which the PWDM is initialized in these two runs are disjoint. The item weight PWDM could not be computed without writing new code, so the choice of item versus global weights was denied to PWDM in this exercise. The data from the 13 studies are shown in Table 6. In 20 of the 26 studies, the out-of-sample PWDM outperforms EWDM. The probability of seeing 20 or more “successes” on 26 trials if PWDM were no better than EWDM is 0.0012.

Clemen reports results on 14 validation studies that are somewhat more pessimistic (9 “successes” on 14 trials). His method involves removing seed variables singly, computing PWDM on the remaining seeds, and using this PWDM to predict the eliminated seed. On a study with 10 seed variables, there are thus 10 different PWDMs. Each pair of the 10 DMs share eight common seeds. The criteria for selecting the 14 studies are not specified. It is difficult to see how all these factors would affect the results. Perhaps the following reasoning partially explains Clemen’s less optimistic result: With a small number of seeds, removing one seed favors experts who assessed that seed badly and hurts experts who assessed that seed well, thus tilting the PWDM toward a bad assessment of that seed. This happens on every seed, thus cumulating the adverse effect on PWDM. This does not happen when one PWDM predicts the entire out-of-sample set of seeds.
TABLE 6 26 Out-of-Sample Validation Runs^a

Study                     DM       Calibration   Information   Combination
TUD disper                e1       0.42          0.646         0.2713
                          PW(2)1   0.21          0.8744        0.1836
                          e2       0.39          0.7844        0.3059
                          PW(1)2   0.005         1.525         0.007624
TUD depos                 e1       0.52          1.119         0.5819
                          PW(2)1   0.52          1.42          0.7382
                          e2       0.73          1.324         0.9669
                          PW(1)2   0.59          1.374         0.8108
Operrisk                  e1       0.429         0.2793        0.1198
                          PW(2)1   0.5337        0.5749        0.3068
                          e2       0.5337        0.3646        0.1946
                          PW(1)2   0.185         1.109         0.2053
Dikering                  e1       0.025         0.7386        0.01846
                          PW(2)1   0.4           0.3859        0.1544
                          e2       0.025         0.7814        0.01954
                          PW(1)2   0.05          0.6451        0.03225
Thermbld                  e1       0.07          0.1424        0.009967
                          PW(2)1   0.48          0.5527        0.2653
                          e2       0.005         0.1424        0.0007119
                          PW(1)2   0.07          0.7305        0.05113
Realest                   e1       0.05          0.179         0.008948
                          PW(2)1   0.33          0.8572        0.2829
                          e2       0.18          0.1676        0.030168
                          PW(1)2   0.35          0.6724        0.2353
EuDis                     e1       0.52          0.9662        0.5024
                          PW(2)1   0.52          1.232         0.6408
                          e2       0.02          0.749         0.01498
                          PW(1)2   0.08          1.204         0.09635
PintDos                   e1       0.001         1.108         0.0011089
(6 exp., 39 items)        PW(2)1   0.11          1.038         0.1141
                          e2       0.23          0.3262        0.07502
                          PW(1)2   0.44          0.6748        0.2969
Soil                      e1       0.001         0.3638        0.0003638
                          PW(2)1   0.001         0.4135        0.0004135
                          e2       0.0001        1.539         0.0001539
                          PW(1)2   0.0001        1.551         0.0001559
Gas Environ               e1       0.0001        1.235         0.0001235
                          PW(2)1   0.06          2.01          0.1206
                          e2       0.72          1.274         0.9171
                          PW(1)2   0.73          2.342         1.71
AOT                       e1       0.1           0.2046        0.02046
(6 exp., 20 items)        PW(2)1   0.1           0.6685        0.06685
                          e2       0.5           0.1793        0.08964
                          PW(1)2   0.7           0.5799        0.4059
EU WD                     e1       0.11          0.6611        0.07272
                          PW(2)1   0.0001        2.048         0.0002048
                          e2       0.04          0.7983        0.03193
                          PW(1)2   0.04          0.7743        0.03097
estec-2                   e1       0.75          0.2427        0.182
                          PW(2)1   0.43          0.3623        0.1558
                          e2       0.68          0.07269       0.04943
                          PW(1)2   0.35          0.1893        0.06627

Best performer is italicized. E1, the EWDM on the first half of the seed variables; E2, EWDM on the second half; PW(2)1, the PWDM constructed on the second half, predicting the first half; and PW(1)2, the PWDM constructed on the first half predicting the second half.
^a PintDos involved 55 seed items and 8 experts, but two experts assessed only a small number of seed variables. The other experts’ seed assessments did not wholly overlap; 6 experts assessed 39 common seed variables used for this exercise. Similarly, AOT was restricted to 6 experts who assessed 20 common items. The Gas study was split into a corrosion and an environment panel. Many environment experts were also corrosion experts and their corrosion seed assessments were used in the original study. In this exercise, only the environment seeds were used for the environment panel. In the Dikering study, the multiple measurements from each measuring station were split.
In any case, Clemen’s method is not the same as picking one PWDM and comparing it on new observations with the EWDM.
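The tilt that the reasoning above attributes to leave-one-out validation can be reproduced numerically. The following Python code is an added example, not code from the handbook or from the TU Delft software: the seed data and the two experts "A" and "B" are constructed, and, as a simplifying assumption, experts are weighted by the classical model's calibration score alone (no information score and no optimized cutoff).

```python
"""Added illustration: leave-one-out weight tilt with calibration-only weights.

All seed data below are constructed; experts "A" and "B" are hypothetical.
"""
import math

# Probability mass that the 5%, 50%, 95% quantiles assign to the four bins.
P = (0.05, 0.45, 0.45, 0.05)

# Constructed seeds: (realization, expert A quantiles, expert B quantiles).
SEEDS = [
    (40,  (10, 50, 90),  (5, 20, 35)),
    (60,  (10, 50, 90),  (30, 70, 110)),
    (30,  (10, 50, 90),  (5, 25, 45)),
    (70,  (20, 60, 100), (75, 85, 95)),
    (45,  (15, 55, 95),  (20, 40, 60)),
    (80,  (30, 70, 110), (60, 90, 120)),
    (50,  (20, 60, 100), (10, 25, 40)),
    (65,  (10, 50, 90),  (40, 60, 80)),
    (120, (30, 70, 110), (90, 130, 170)),
    (35,  (10, 50, 90),  (15, 30, 45)),
]
EXPERTS = {"A": 1, "B": 2}  # column holding each expert's quantiles


def bin_of(quantiles, x):
    """Inter-quantile bin of realization x: 0 below 5%, ..., 3 above 95%."""
    return sum(x > q for q in quantiles)


def bins(name, seed_ids):
    """Bins hit by the realizations for one expert on the given seeds."""
    col = EXPERTS[name]
    return [bin_of(SEEDS[i][col], SEEDS[i][0]) for i in seed_ids]


def chi2_sf_3(x):
    """P(X > x) for a chi-square variable with 3 degrees of freedom."""
    return (math.erfc(math.sqrt(x / 2))
            + math.sqrt(2 * x / math.pi) * math.exp(-x / 2))


def calibration(hit_bins):
    """Calibration score: p-value of 2*N*I(s, P), s = empirical bin shares."""
    n = len(hit_bins)
    rel_info = 0.0
    for b, p in enumerate(P):
        s = hit_bins.count(b) / n
        if s > 0:
            rel_info += s * math.log(s / p)
    return chi2_sf_3(2 * n * max(rel_info, 0.0))


def weights(seed_ids):
    """Normalized calibration-only weights computed on the given seeds."""
    ids = list(seed_ids)
    cal = {name: calibration(bins(name, ids)) for name in EXPERTS}
    total = sum(cal.values())
    return {name: c / total for name, c in cal.items()}


def loo_shift(i):
    """Change in each expert's weight when seed i is left out."""
    all_ids = list(range(len(SEEDS)))
    full = weights(all_ids)
    loo = weights([j for j in all_ids if j != i])
    return {name: loo[name] - full[name] for name in EXPERTS}


def mean_gain_of_misser():
    """Average weight gain of the expert whose 90% band missed the left-out
    seed, over seeds that exactly one expert missed."""
    gains = []
    for i in range(len(SEEDS)):
        missers = [n for n in EXPERTS if bins(n, [i])[0] in (0, 3)]
        if len(missers) == 1:
            gains.append(loo_shift(i)[missers[0]])
    return sum(gains) / len(gains)


if __name__ == "__main__":
    print("weights on all seeds:", weights(range(len(SEEDS))))
    for i in range(len(SEEDS)):
        print("leave out seed", i, "->", loo_shift(i))
    print("mean gain of the expert who missed:", mean_gain_of_misser())
```

On these data the weights used to predict a left-out seed usually move toward the expert who missed it, although not for every seed (seed 3 is a small counter-case), which is consistent with the "partially explains" wording above.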
6 LESSONS LEARNED FROM ELICITATIONS

A detailed description of the design of an expert judgment study is given in Cooke and Goossens [34]. Suffice to say here that a typical study involves a dry run with one expert to finalize the elicitation questions. This is followed by a plenary meeting of all experts in which the issues are discussed, the study design is explained, and a short elicitation exercise is done. This involves a small number of seed variables, typically five. Experts are shown how the scoring and combining works. Afterwards, the experts are elicited individually. An elicitation session should not exceed a half day. Fatigue sets in after 2 h. When experts are dispersed it may be difficult and expensive to bring them together. In such cases the training is given to each expert in abbreviated form. The EU-USNRC studies made the most intensive investment in training. In general, it is not advisable to configure the exercise such that the presence of all experts at one time and place is essential to the study, as this makes the study vulnerable to last minute disruptions.

The following are some practical guidelines for responding to typical comments:

From an expert: I don’t know that.
Response: No one knows, if someone knew we would not need to do an expert judgment exercise. We are trying to capture your uncertainty about this variable. If you are very uncertain, then you should choose very wide confidence bounds.

From an expert: I can’t assess that unless you give me more information.
Response: The information given corresponds with the assumptions of the study. We are trying to get your uncertainty conditional on the assumptions of the study. If you prefer to think of uncertainty conditional on other factors, then you must try to unconditionalize and fold the uncertainty over these other factors into your assessment.

From an expert: I am not the best expert for that.
Response: We don’t know who are the best experts. Sometimes the people with the most detailed knowledge are not the best at quantifying their uncertainty.

From an expert: Does that answer look OK?
Response: You are the expert, not me.

From the problem owner: So you are going to score these experts like school children?
Response: If this is not a serious matter for you, then forget it. If it is serious, then we must take the quantification of uncertainty seriously. Without scoring we can never validate our experts or the combination of their assessments.

From the problem owner: The experts will never stand for it.
Response: We’ve done it many times, the experts actually like it.

From the problem owner: Expert number 4 gave crazy assessments, who was that guy?
Response: You are paying for the study, you own the data, and if you really want to know I will tell you. But you don’t need to know, and knowing will not make things easier for you. Reflect first whether you really want to know this.

From the problem owner: How can I give an expert weight zero?
Response: Zero weight does not mean zero value. It simply means that this expert’s knowledge was already contributed by other experts and adding this expert would only add a bit of noise. The value of unweighted experts is seen in the robustness of our answers against loss of experts. Everyone understands this when it is properly explained.

From the problem owner: How can I give weight one to a single expert?
Response: By giving all the others weight zero, see previous response.

From the problem owner: I prefer to use the equal weight combination.
Response: So long as the calibration of the equal weight combination is acceptable, there is no scientific objection to doing this. Our job as analysts is to indicate the best combination, according to the performance criteria, and to say what other combinations are scientifically acceptable.
7 CONCLUSION

Given the body of experience with structured expert judgment, the scientific approach to uncertainty quantification is well established. This does not mean that the discussion on expert judgment method is closed. First of all, we may note that a full expert judgment study is not cheap. Most of the studies mentioned above involved 1–3 man months. This cost could be reduced somewhat if we need not develop seed variables. However, simply using equal weights does not seem to be a convincing alternative. Other methods of measuring and verifying performance would be welcome, especially if they are less resource intensive.

The classical model is based on the two performance measures, calibration and information, in conjunction with the theory of proper scoring rules. It satisfies necessary conditions for rational consensus, but is not derived from those conditions. Other weighting schemes could surely be devised which do as well or better in this regard, and other performance measures could be proposed and explored.

Once we acknowledge that our models must be quantified with uncertainty distributions, rather than “nominal values” of undetermined pedigree, many new challenges confront modelers, analysts, and DMs. Experts can quantify their uncertainty about potentially observable phenomena with which they have some familiarity. The requirements of the study at hand may go beyond that. For example, in quantifying the uncertainty of models for transport of radiation through soils, plants, and animals, it emerged that the institutes that built and maintained these models could not supply any experts who were able to quantify uncertainty on the transfer coefficients in these models. Experts could quantify uncertainty with regard to quantities that can be expressed as functions of the transport models themselves. Processing data of this sort required development of sophisticated techniques of probabilistic inversion [43, 21].

Perhaps the greatest outstanding problems concern the elicitation of, representation of, and computation with dependence. Everyone knows that the ubiquitous assumption of independence in uncertainty analysis is usually wrong, and sometimes seriously wrong. This is a subject that must receive more attention in the future [37].
ACKNOWLEDGMENT

The authors gratefully acknowledge the contributions of many people who cooperated in developing this database. Willy Aspinall and Tim Bedford are independently responsible for a quarter of the studies. This article is based on an article for a special issue, Reliability Engineering and System Safety, on expert judgment (doi:10.1016/j.ress.2007.03.001, available online 15 March 2007), which published reviewer comments. The present article incorporates part of the discussion with Clemen on out-of-sample validation.

REFERENCES

1. Cooke, R. M. (1991). Experts in Uncertainty, Oxford University Press, Oxford.
2. Cooke, R. M. (1991). Expert Judgment Study on Atmospheric Dispersion and Deposition, Report Faculty of Technical Mathematics and Informatics No. 01–81, Delft University of Technology, Delft.
3. Goossens, L. H. J., Cooke, R. M., and Kraan, B. C. P. (1996). Evaluation of Weighting Schemes for Expert Judgment Studies, Final report prepared under contract Grant No. Sub 94-FIS-040 for the Commission of the European Communities, Directorate General for Science, Research and Development XII-F-6, Delft University of Technology, Delft.
4. Goossens, L. H. J., Cooke, R. M., and Kraan, B. C. P. (1998). Evaluation of weighting schemes for expert judgment studies. In Proceedings PSAM4, A. Mosleh, and R. A. Bari, Eds. Springer, New York, pp. 1937–1942.
5. Goossens, L. H. J., Cooke, R. M., Woudenberg, F., and van der Torn, P. (1998). Expert judgement and lethal toxicity of inhaled chemicals. J. Risk Res. 1(2), 117–133.
6. Goossens, L. H. J., Harrison, J. D., Harper, F. T., Kraan, B. C. P., Cooke, R. M., and Hora, S. C. (1998). Probabilistic Accident Consequence Uncertainty Analysis: Internal Dosimetry Uncertainty Assessment, Vols 1 and 2, Prepared for U.S. Nuclear Regulatory Commission and Commission of European Communities, NUREG/CR-6571, EUR 16773, Washington, DC, Brussels.
7. Cooke, R. M. (2004). The anatomy of the Squizzle – the role of operational definitions in science. Reliab. Eng. Syst. Saf. 85, 313–319.
8. NUREG/CR-6372 (1997). Recommendations for Probabilistic Seismic Hazard Analysis: Guidance on Uncertainty and Use of Experts, US Nuclear Regulatory Commission.
9. Winkler, R. L., Wallsten, T. S., Whitfield, R. G., Richmond, H. M., Hayes, S. R., and Rosenbaum, A. S. (1995). An assessment of the risk of chronic lung injury attributable to long-term ozone exposure. Oper. Res. 43(1), 19–27.
10. Budnitz, R. J., Apostolakis, G., Boore, D. M., Cluff, L. S., Coppersmith, K. J., Cornel, C. A., and Morris, P. A. (1998). Use of technical expert panels: applications to probabilistic seismic hazard analysis. Risk Anal. 18(4), 463–469.
11. Goossens, L. H. J., and Harper, F. T. (1998). Joint EC/USNRC expert judgement driven radiological protection uncertainty analysis. J. Radiol. Prot. 18(4), 249–264.
12. Cooke, R. M., Mendel, M., and Thijs, W. (1988). Calibration and information in expert resolution. Automatica 24(1), 87–94.
13. Goossens, L. H. J., Cooke, R. M., and van Steen, J. (1989). Final Report to the Dutch Ministry of Housing, Physical Planning and Environment: On The Use of Expert Judgment in Risk and Safety Studies, Vols 1–5, TU Delft.
14. Yunusov, A. R., Cooke, R. M., and Krymsky, V. G. (1999). Rexcalibr-integrated system for processing expert judgement. In Proceedings 9th Annual Conference Risk Analysis: Blz. 587–589: Facing the New Millennium, L. H. J. Goossens, Eds. Delft University Press, ISBN: 90-407-1954-3, October 10–13, Rotterdam.
15. French, S. (1985). Group consensus probability distributions: a critical survey. In Bayesian Statistics, J. M. Bernardo, M. H. De Groot, D. V. Lindley, and A. F. M. Smith, Eds. Elsevier, North Holland, pp. 182–201.
16. Genest, C., and Zidek, J. (1986). Combining probability distributions: a critique and an annotated bibliography. Stat. Sci. 1(1), 114–1490.
17. Ter Haar, T. R., Retief, J. V., and Dunaiski, P. E. (1998). Towards a more rational approach of the serviceability limit states design of industrial steel structures, paper no. 283. 2nd World Conference on Steel in Construction, San Sebastian.
18. Akkermans, D. E. (1989). Crane failure estimates at DSM’ Expert judgment in risk and reliability analysis; experience and perspective. ESRRDA Conference, October 11, 1989, Brussels.
19. Lopez de la Cruz, J. (2004). Applications of Probability Models and Expert Judgement Analysis in Information Security, Master’s Thesis, TU Delft.
20. Van Elst, N. P. (1997). Betrouwbaarheid beweegbare waterkeringen [Reliability of movable water barriers], WBBM Report Series 35, Delft University Press, Delft.
21. Chou, D., Kurowicka, D., and Cooke, R. M. (2006). Techniques for generic probabilistic inversion. Comp. Stat. Data Anal. 50, 1164–1187.
22. Goossens, L. H. J. (1994). Water Pollution, TU Delft for Dutch Ministry of Environment, VROM.
23. Goossens, L. H. J., Cooke, R. M., Woudenberg, F., and van der Torn, P. (1992). Probit Functions and Expert Judgment, Report prepared for the Ministry of Housing, Physical Planning and Environment, The Netherlands; Delft University of Technology, Safety Science Group and Department of Mathematics, and Municipal Health Service, Rotterdam, Section Environmental Health.
24. Cooke, R. M., and Jager, E. (1998). Failure frequency of underground gas pipelines: methods for assessment with structured expert judgment. Risk Anal. 18(4), 511–527.
25. Brown, J., Goossens, L. H. J., Harper, F. T., Haskin, E. H., Kraan, B. C. P., Abbott, M. L., Cooke, R. M., Young, M. L., Jones, J. A., Hora, S. C., and Rood, A. (1997). Probabilistic Accident Consequence Uncertainty Analysis: Food Chain Uncertainty Assessment, Vols 1 and 2, Prepared for U.S. Nuclear Regulatory Commission and Commission of European Communities, NUREG/CR-6523, EUR 16771, Washington, DC, Brussels.
26. Goossens, L. H. J., Boardman, J., Harper, F. T., Kraan, B. C. P., Young, M. L., Cooke, R. M., Hora, S. C., and Jones, J. A. (1997). Probabilistic Accident Consequence Uncertainty Analysis: Uncertainty Assessment for Deposited Material and External Doses, Vols 1 and 2, Prepared for U.S. Nuclear Regulatory Commission and Commission of European Communities, NUREG/CR-6526, EUR 16772, Washington, DC, Brussels.
27. Harper, F. T., Goossens, L. H. J., Cooke, R. M., Hora, S. C., Young, M. L., Päsler-Sauer, J., Miller, L. A., Kraan, B. C. P., Lui, C., McKay, M. D., Helton, J. C., Jones, J. A. (1995). Joint USNRC/CEC Consequence Uncertainty Study: Summary of Objectives, Approach, Application, and Results for the Dispersion and Deposition Uncertainty Assessment, Vols 1–3, NUREG/CR-6244, EUR 15855, SAND94-1453, Washington, U.S. Nuclear Regulatory Commission and Commission of European Communities, DC, Brussels.
28. Cooke, R. M. (1994). Uncertainty in dispersion and deposition in accident consequence modeling assessed with performance-based expert judgment. Reliab. Eng. Syst. Saf. 45, 35–46.
29. Van der Fels-Klerx, H. J., Cooke, R. M., Nauta, M. J., Goossens, L. H. J., and Havelaar, A. H. (2005). A structured expert judgement study for a model of campylobacter transmission during broiler chicken processing. Risk Anal. 25(1), 109–124.
30. Offerman, J. (1990). Safety Analysis of the Carbon Fibre Reinforced Composite Material of the Hermes Cold Structure, TU-Delft/ESTEC, Noordwijk.
31. Willems, A. (1998). Het gebruik van kwantitatieve technieken in risicoanalyses van grootschalige infrastructuurprojecten (The use of quantitative techniques in risk analysis of large infrastructural projects, in Dutch), Ministerie van Verkeer en Waterstaat, DG Rijkswaterstaat, Bouwdienst, TU Delft Masters Thesis, Delft.
32. Aspinall, W. (1996). Expert Judgment Case Studies, Cambridge Program for Industry, Risk Management and Dependence Modeling, Cambridge University, Cambridge.
33. Aspinall, W., and Cooke, R. M. (1998). Expert judgement and the Montserrat Volcano eruption. In Proceedings of the 4th International Conference on Probabilistic Safety Assessment and Management PSAM4, September 13th–18th 1998, Vol. 3, A. Mosleh, and R. A. Bari, Eds. Springer, New York, pp. 2113–2118.
34. Cooke, R. M., and Goossens, L. J. H. (2000). Procedures Guide for Structured Expert Judgment. Project report EUR 18820EN. Nuclear Science and Technology, specific programme Nuclear fission safety 1994–98, Report to: European Commission. Luxembourg, Euratom. Also in Radiation Protection Dosimetry, Vol. 90 No. 3.2000, 64 7, pp. 303–311.
35. Qing, X. (2002). Risk Analysis for Real Estate Investment, PhD Thesis, Department of Architecture, Delft University of Technology.
36. Bakker, M. (2004). Quantifying Operational Risks within Banks According to Basel II, Masters Thesis, Delft University of Technology, Department of Mathematics.
37. Kurowicka, D., and Cooke, R. M. (2006). Uncertainty Analysis with High Dimensional Dependence, John Wiley & Sons, New York.
38. Brown, A. J., and Aspinall, W. P. (2004). Use of expert opinion elicitation to quantify the internal erosion process in dams. Proceedings of the 13th Biennial British Dams Society Conference. University of Kent, Canterbury, 22–26th June 2004, p. 16.
39. Aspinall, W. P., Loughlin, S. C., Michael, F. V., Miller, A. D., Norton, G. E., Rowley, K. C., Sparks, R. S. J., and Young, S. R. (2002). The Montserrat volcano observatory: its evolution, organisation, role and activities. In The Eruption of Soufrière Hills Volcano, Montserrat, from 1995–1999, T. H. Druitt, and B. P. Kokelaar, Eds. Geological Society, London.
40. Claessens, M. (1990). An Application of Expert Opinion in Ground Water Transport (in Dutch), DSM Report R 90 8840, TU Delft.
41. Cooke, R. M., and Slijkhuis, K. A. (2003). Expert judgment in the uncertainty analysis of dike ring failure frequency. In Case Studies in Reliability and Maintenance, W. R. Blischke, and D. N. Prabhakar Murthy, Eds. ISBN: 0-471-41373-9, John Wiley & Sons, New York, pp. 331–352.
42. Goossens, L. H. J., Cooke, R. M., Woudenberg, F., and van der Torn, P. (1995). Probit relations of hazardous substances through formal expert judgement. Loss Prevention and Safety Promotion in the Process Industries, Vol. 2, Elsevier Science B.V., pp. 173–182.
43. Kraan, B., and Bedford, T. (2005). Probabilistic inversion of expert judgments in the quantification of model uncertainty. Manage. Sci. 51(6), 995–1006.
SECURITY AND SAFETY SYNERGY
Nicklas Dahlström and Sidney Dekker
Lund University School of Aviation, Ljungbyhed, Sweden
1 INTRODUCTION

Security and safety are concepts that share important features; they both involve the risk of occurrence of events with consequences that may range from trivial to disastrous. Yet as concepts they are also different, with security relating to intentional acts by individuals and safety relating to events caused by unintended consequences of a combination of a host of factors. In safety-critical industries, such as aviation and maritime transport, chemical and nuclear industry, and health care, safety is seen as the positive outcome of management of problems and trade-offs that are rooted in systems’ complexity, goal interaction, and resource limitations. This perspective has led safety research to shift focus and go beyond individual acts (such as “human error”) and move to systematic aspects of human, technological, and organizational performance [1]. It involves dealing with problems connected to regulations and standardized procedures, technology and automation, and efforts to understand the impact of communication, group dynamics, leadership, and culture on safety. The advancement of security issues in a complex modern society should be able to benefit from the knowledge gained through safety industry operations in the field of Human Factors. This knowledge has the potential to make security more safe (for those who design and implement security measures as well as for those who are subjected to them) and effective (in terms of time and resources spent on security measures).

Organizations do not exist just to be secure or safe. They exist to produce or provide goods or services. Customers care about the goods or service; that is why they engage with the organization in the first place. (Even where security actually is the goal of an organization, it is provided as a complement to another product or activity: protection of property, transportation, etc.) This means that an understanding of the fundamental conditions for security and safety begins with an understanding of the balance between production and protection. Humans normally strive for an acceptable (rather than ideal) level of performance in relation to their goals and resources [2], and to not process all available data is a part of this resource-saving strategy [3]. Consequently, action is guided by an intuitive and implicit trade-off between cost and efficiency [4] or between thoroughness and efficiency [5]. However, this introduces the risk of overlooking possible consequences of these trade-offs, particularly long-term consequences [6].

From investigations of aviation accidents, the systematic trade-offs in favor of efficiency/production versus safety/protection have been labeled as “drift” toward accidents [7]. The model of drift has been an important tool for increased understanding of accidents in the otherwise impressively safe global transportation system of aviation. Drift should also be a useful concept for understanding the failure of security systems. In the 24 months leading up to 9/11, there were 30 cases of passengers breaking through cockpit doors [8]. This type of event may at the time have been recognized as an acceptable risk.
2 THE PRESENT SITUATION FOR SECURITY

Today, the situation is quite different. The pressure to respond quickly and decisively to perceived security threats can produce immense consequences, from severe disruption to significant financial loss. A recent example of this is the consequences of the events in the United Kingdom in September, 2006: “In the wake of the plot to smuggle liquids on board aircraft, mix them and use them as explosives the increased security measures during the following nine days meant that British Airways had to cancel about a thousand flights resulting in estimated losses of 50 million pounds [9].”
In aviation, security is generally seen as an operational activity parallel and independent to safety. However, it is not unusual for security to be seen, even by crews, as an intrusion (when performed by security staff) or as unwanted and unnecessary (when performed by crews themselves). There are even examples of how security and safety may conflict. The most prominent example, of course, is the locked cockpit door. The extra barrier can delay or interfere with cross-crew coordination, which has been identified previously as contributory to accidents [10]. A locked door can be especially problematic in case of escalating situations (disruptive passengers, or technical problems) where the threshold for coordinating may now have become higher. In a report by Nilsson and Roberg [11], crew members were unanimously negative in their view of the locked door. A manifestation of this problem occurred on an Air Canada Jazz flight in 2006. As a captain returned from using the washroom in the cabin he could not get back into the cockpit. It was not possible to open the door: “For roughly 10 minutes, passengers described seeing the pilot bang on the door and communicating with the cockpit through an internal telephone, but being unable to open the cabin door. Eventually, the crew forced the door open by taking the door off its hinges completely, and the pilot safely landed the plane [12].”
The article also stated that “being locked out of the cockpit is a ‘nonreportable’ incident, there is no way of confirming their frequency as the airlines are under no obligation to report them”. Beyond the entertaining qualities of this story, it raises questions regarding the parallel pursuit of security and safety and their interaction.
3 EVOLUTION OF SAFETY, REVOLUTION OF SECURITY

Aviation safety has evolved, slowly but surely, over many decades. Technological, organizational, and regulatory developments, as well as greater insights into human and team performance, have all contributed to the steady “fly-fix-fly” improvement of aviation safety. Aircraft accidents have become a part of contemporary mythology—crowning heroes, identifying culprits and providing horror stories. All of this is experienced and recounted by passengers to the rest of us, potential passengers who could have been or may come to be caught up in similar events. There is not any abundance of similar stories and certainly not any similar mythology when it comes to aviation security. Although there certainly are hero stories (as that of the passengers of flight United 93), clear identification of culprits (as in cases of hijackings and bombings), and horrors to be shared in this area as well, the occurrence of such events has simply not been as frequent as that of safety-related accidents. Of course frequency alone explains little, but the abundance of safety-related accidents has produced numerous articles, books, documentaries, and movies that have helped to increase public awareness on safety issues. Such stories have also been successfully used in the training of airline crews in human limitations, communication, cooperation, and leadership for increased safety (Crew Resource Management (CRM) training).

Security demands, in contrast to the gradual development of safety measures, have exploded dramatically over the past few years. This sudden tightening and acceleration could compromise the claim that security provides an essential service to society. See, as an example, this comment on the response after 9/11: “Confiscating nail files and tweezers from passengers seems like a good idea all around: The airlines don’t mind because it doesn’t cost them anything, and the government doesn’t mind because it looks like it’s doing something. The passengers haven’t been invited to comment, although most seasoned travelers simply roll their eyes [13].”
Security measures can appear quite haphazard, arbitrary—capricious even—to passengers or crews or other people subjected to them. Computers have to be taken out of bags at some airports but not at others. Elderly ladies must give up their knitting ware before entering an aircraft while other passengers do not need to give up elegant and equally sharp pens. “Incendiary material” may not be brought onto an aircraft but alcohol (to drink or to smell better) is accepted and even sold onboard. Every piece of such failing logic will gradually or quickly erode the willingness of those who are supposed to feel protected to see themselves as participants in guaranteeing their own security. Although the pictures from 9/11 will be remembered and should seem to provide more than enough of modern mythology, the patience of passengers and their willingness to accept current security measures is probably not endless. This is one perspective on the current status of security: “It’s been four years since the terrorist attacks of Sept 11, 2001, and backups at airport security checkpoint lines are growing, the army of federal airport screeners is still getting low performance marks and uncertainty dogs the contents of airline cargo holds. While the federal government has been spending about $4 billion a year on aviation security since hijackers transformed four jetliners into devastating weapons, critics say there aren’t enough results to show for all that taxpayer money [14].”
3.1 Production Pressures in Providing Security As potential goodwill in regard to security might abate, there is a risk that mounting production pressures dictate the operational conditions for security operations. The effects of such production pressures have been seen in a vast number of aviation safety incidents and accidents and they are likely to have an influence also on security. A study of airport screening rather unsurprisingly found that “the longer passengers had to wait, the longer they were to be unsatisfied” and concluded that “There is little question that the effectiveness and efficiency of security screening is a key feature affecting passenger satisfaction” [15]. To reduce this problem computer-assisted passenger prescreening systems have been introduced and these “confirms passengers’ identities, performs criminal and credit checks, and retrieves additional information, such as residence, home-ownership, income, and patterns of travel and purchases, used to construct a predicted threat rating” [16]. With the currently fierce competition in the aviation industry— between airlines (increased by the arrival of low-cost carriers), between airlines and business jets, and from high-speed trains (in many parts of Europe)—many security measures will be under pressure to adapt to the demands of “effectiveness and efficiency” from a short-term business perspective rather than to what passengers perceive as illogic and irrelevant threats stemming from vague and remote risks of criminal acts and terrorism. A new segment of the aviation industry is partly based on the consequences of current security measures. An important reason for the emergence and anticipated success of a new type of small business jet aircraft (Very Light Jets, VLJs) is that the time demanded by security measures for scheduled flight at major airports is unacceptable for upper and middle management [17]. 
By operating or renting their own aircraft, flying direct, and using small airports, companies can avoid or reduce some of the time spent on security. The same reason has fueled a “remarkable upturn in business aviation” in Europe in recent years [17]. The experience from aviation safety is that this and other types of pressures on operations affect all organizational levels and induce risks of organizational drift toward future system failures.

To further understand the current relationship that passengers (or the public in general) have to security (as well as to safety) in aviation, we can use two concepts from economic theory. The first is that of “externalities”, that is, a cost or benefit imposed on people other than those who purchase a good or service [18, 19]. Passengers buy a ticket to fly from A to B and expect this to be a secure and safe means of transportation. (For the airline industry to imply anything else would be to discourage a substantial number of passengers.) Since security and safety are expected from this product and criminal
acts with severe consequences or accidents are rare (and this is stressed by the industry), consumers will see increased prices or procedural complications for flying as a negative externality. Of course, they do understand the need for baggage screening and de-icing, but in day-to-day travel the meaning of these procedures often seems lost, as has been noted of consumer behavior: “the tendency to trade-off costs and benefits in ways that damage their future utility in favor of immediate gratification” [20]. The paradox is that for the airline industry it is of great importance to be secure and safe to a level where passengers do not even consider potential threats when they make their decision to travel. As this level is achieved, however, passenger tolerance for increased costs and inconveniences to further reduce threats declines. This explains the fundamental difficulties that everyone involved in working with security (security managers, pilots, cabin crew, screeners, etc.) encounters in day-to-day operations when trying to maintain the balance between production demands and the protection provided by the security system.

The tendencies described by the theory of externalities can be further reinforced by the theory of “lemons” [21]. This describes how interaction between quality differences and asymmetrical information can cause a market where guarantees are unclear to disappear. When quality is indistinguishable beforehand to the buyer (due to the asymmetry of information), incentives exist for the seller to pass off a low-quality good as a higher-quality one. Since the nonoccurrence of adverse security and safety events cannot be guaranteed, and the quality of security and safety operations is known to very few (and in the case of security we do want to keep this a secret), there is no incentive for any consumer of airline transport services to select an airport or airline based on whether it is more secure or safe than others.
This explains the pressure put on the security and safety operations, as it is unlikely that they ever will be able to provide evidence of the value they bring to the consumer [22].

4 EXPERIENCES FROM AVIATION HUMAN FACTORS OF RELEVANCE FOR SECURITY

4.1 Relation to Regulation, Standardization, and Procedures

Economic theories of human behavior provide us with some understanding of its potential problems with regard to security and safety. A seemingly reasonable response would then be to try to control human behavior. This means using laws, regulations, standardized procedures, manuals, guidelines, and other similar means to increase the reliability of human behavior and limit the risk it may induce in systems. Aviation has a long tradition of negotiating global regulatory frameworks that can ensure a high minimum level of safety [23]. Manufacturing and maintenance of aircraft, medical and other requirements for staff (pilots, cabin crew, air traffic controllers, etc.), selection and training, as well as practically all operational aspects are guided by extensive regulation and enforced by aviation authorities. The regulations stipulate that all operators should also have standard operational procedures (SOPs) for all aspects of operation. In aviation these procedures are regarded by crews as the main source of safety, and regulations demand that they are regularly practiced to a satisfactory standard in simulators, mock-ups, or classroom teaching.

Many think that regulation, standardization, and proceduralization are the main guarantors of aviation safety. Even though this might be historically true, the situation has always been more complex. While these efforts promote predictable organizational and
individual behavior and increase reliability, they do not promote the flexibility to solve problems encountered in present complex sociotechnical systems [24]. Also, a blind adherence to regulations and procedures neglects the fact that much work has to be done in addition to, beyond, or contrary to prescribed procedures [24]. A procedure is never the work itself; it cannot be. Human intervention is always necessary to bridge the gap from written guidance to actual application in context. Note how the “work-to-rule” strike is not uncommon as a form of industrial action in aviation. Yet the commitment to rules and procedures is generally strong in aviation (although there are weaknesses in this commitment in some parts of the world).

However, there are signs that further increase of aviation safety may need other methods than those used to achieve current levels of safety [25]. Most potential system failures in aviation have been anticipated and addressed by technical protection and procedural responses. But ill-defined, unexpected, and escalating situations have proved to be far more difficult to manage successfully and have resulted in tragic outcomes. An example of this is the in-flight fire on Swissair 111 [26], where the flight crew tried to follow procedures until the situation was entirely out of control. This accident showed that an overfocus on procedures and lack of training of general competencies needed in an emergency may conspire to turn a difficult situation into an unmanageable one.

When putting security systems together, training staff to achieve increased standardization and procedural adherence may be an intuitive and relevant first step. But further consideration is necessary. A profound understanding of human performance issues (including topics such as perception, decision making, communication, cooperation, and leadership) should be helpful to security staff for increasing the overall effectiveness of security operations.
Such training should go beyond operational and procedural aspects, instead providing security staff with an increased awareness of the individual, group, and system limitations that may induce weaknesses in the security system. This training should be recurrent and closely integrated with other training as well as with an effective operational reporting system (see below).

4.2 Relation to Technology and Automation

As has been, and still is, the case for aviation safety, security seems to be driven by a reliance on technology to solve problems and increase efficiency (increased use of advanced identity cards, biometrics, surveillance cameras, sensors, background checks, data mining and, for aviation specifically, refined screening techniques, computer-aided vetting of passengers, etc.). Focusing on technology is a prominent feature in the modern history of aviation safety [27]. The experiences of this development can provide some helpful guidance for security. Two important phases will be used as examples of the problems involved in the relation between aviation safety and technology.

The first great technological step of improving the safety of modern air transportation depended upon increased understanding of the physical stresses on aircraft frames as well as of fundamental physiological and psychological processes affecting pilots. As aviation entered the jet age, safety increased due to the superior performance and reliability of jet engines compared to piston engines. To be able to fly faster and higher than before did, however, have unforeseen consequences, and in-flight break-up of aircraft (such as the Comet accidents in the 1950s) put the focus on the risks of structural failure. This focus on fundamental engineering and manufacturing issues corrected previous design flaws for coming generations of aircraft. Another accident type was that connected to
approaching an airport in darkness. This induces the risk of the so-called black-hole illusion, where the airport is perceived as being lower than it actually is. Accidents of this type were frequent until there was a push for instrument landing systems at more airports, improved instrument design, and more warning systems, which reduced the risk of this type of accident. Also, the opportunities for effective flight simulation provided by the technological development meant that this type of approach and landing could be practiced effectively.

In both cases, the measures taken were relevant and had positive effects on aviation safety. However, aircraft accidents were steadily occurring even after these measures had been implemented. These accidents involved failures of communication, cooperation, and leadership problems, such as the United 173 accident at Portland airport or the Air Florida 90 accident at Potomac Bridge, where the captain’s decisions were accepted by other crew members in spite of their awareness of the risks involved. The existence of these types of problems was well known to the industry but previously obscured by the search for technological solutions. They were, however, addressed through increased focus on Human Factors and the implementation of CRM-training in the industry.

In the 1980s, the arrival of modern computer technology in large transport aircraft was supposed to solve safety problems and reduce costs. New aircraft were equipped with computerized Flight Management Systems (FMS), which were supposed to not only reduce the workload of the pilots, but also monitor their actions and prevent actions that would risk the safety of the aircraft. The most important learning point to come out of the technological revolution in the cockpit was that changing the conditions for work may solve some known safety problems but will always create new ones [28].
Although the introduction of the new technology was a part of an overall trend toward greater safety, it was also involved in a number of incidents and accidents where a mismatch between the human operator and the automation was the primary cause [29]. This included accidents with mode confusion (such as China Airlines at Nagoya and Air Inter at Strasbourg), programming errors of the FMS (Boeing 757 accident at Cali, Colombia), and aircraft upset (conflicting aircraft and operator control of the aircraft, such as the JAS Gripen accident in Stockholm). Again, the focus on technological solutions obscured the essential focus on its effects on the role of the human operator.

There is a lesson here. As pressure mounts to make security more cost effective, time effective, and less inconvenient, the history of aviation automation may serve as a reminder that new technology alone is seldom the solution.

4.3 Human Performance, Communication, Cooperation and Leadership-Training and Reporting

An area where aviation safety has made significant progress is in training its operators in understanding potential safety risks associated with human performance, communication, coordination breakdowns, and leadership. Such training has been facilitated by the availability of well-investigated cases of aviation accidents. Gradually this type of training has gained increased recognition, both within aviation and in other safety-critical industries. The mandatory and recurrent training of Human Factors–related knowledge and skills is today a hallmark of the aviation industry and has become a model for similar training in maritime transportation, the nuclear and chemical industries, as well as health care.

The emergence of the concept of Cockpit Resource Management in the late 1970s was precipitated by a number of disastrous accidents (e.g. the most disastrous of them
all, where 583 persons became victims as two aircraft collided on the runway on the island of Tenerife). This became the start of a systematic approach to train crews to understand aspects of human performance, communication, cooperation, and leadership of importance to aviation safety. Later, the concept was renamed Crew Resource Management (CRM), to also involve the cabin crew. (This too was precipitated by accidents, such as the Kegworth accident, where information from cabin crew on visible effects of engine problems did not make it into the cockpit to augment the pilot’s knowledge of the situation.) Analogously, engineering and technical staff have developed the concept of Maintenance Resource Management (MRM). In many countries, annual recurrent CRM courses are mandatory for maintaining active status for an airline pilot’s license. Currently, there are ongoing discussions as to whether CRM should be made available or even mandatory for other categories of staff involved in operations as well, such as schedulers, coordinators, and management. The initials CRM would then stand for Company Resource Management.

Gradually, the focus of CRM-training has been turned to prevention and management of human error, based on the same content as previously but more explicitly framed around understanding error. This has included teaching of various accident models. Although the success of CRM is difficult to quantify in terms of fewer accidents or incidents or in any other measurable terms of increased safety or economic gain, the great interest from other industries (maritime transport, nuclear, chemical, and health care) in the concept seems to confirm its appeal. One of the lesser discussed benefits of CRM-training is that it widens the understanding of human performance and, as a consequence, the willingness to report events and incidents.
To create an overall effective system for safety (or security), it is important to first create an organization that is curious regarding error rather than one where punishment is expected and thus reporting is avoided. Curiosity is a sign of willingness to learn why a certain event occurred and a starting point for learning for the whole organization. In aviation, it is not uncommon that crews report their own errors even though there would have been no way to detect that an error had been committed, since there is no good reason that other crews should have to experience the same error.

The benefits of this type of reporting and of CRM-training are not easy to quantify and might be more convincingly argued in connection to examples from operations. In the period of 1997 to 2001 one of the four terminals at Sky Harbor airport in Phoenix, Arizona, had 125 security lapses [30]. The Transportation Security Administration (TSA) screener workforce alone consists of 45,000 employees at 448 airports [31]. From aviation safety we would conclude that these types of events will not disappear. But by complementing increasingly effective technological solutions with equally effective training and reporting, there will be fewer of them.

Recurrent training in both security and safety (first aid, evacuation, fire-fighting, CRM) is mandatory for airline crews. These training events not only reinforce practical skills but also serve as important reminders of the threats and risks surrounding airline operations. They also give crews the opportunity to discuss recent security- or safety-related events and come up with solutions to operational problems. If carried out according to its intentions, recurrent security and safety training strengthens organizational values and attitudes regarding these areas. Security staff could also benefit from systematic recurrent training of CRM-type, focused less on strict operation of technological equipment and more on Human Factors aspects of work.

4.4 Models and Culture

Beyond the training of individual operators, research efforts to understand (and increase) safety have focused on formulation of models that can explain how accidents occur and how they can be prevented. Traditional models have relied heavily on statistical analysis and vast representations of actions in search of a “root cause” for an accident. Also, they commonly rely on “folk models”, that is, general explanatory labels that only rename a phenomenon and do not actually provide any deeper analysis [32]. In recent times, highly influential models have focused more on “soft” organizational factors such as the norms and cultures in organizations and the effect of the balance between production and protection and how it is played out interactively between levels of an organization.

In the last decade, the concept of “culture” has received increased attention in safety research. People now refer to the lack of a sound “safety culture” as a reason for incidents and accidents. The focus on safety culture was preceded by attention in managerial literature on “organizational culture” or “company culture” [33]. From this the concept of safety culture emerged and has been embraced in many industries. A safety culture is characterized as an “informed culture”, that is, the organization collects and analyses safety-related data to keep it informed on the safety status of the organization [34]. In particular, the following aspects of a safety culture are highlighted:

• Reporting: is considered of fundamental importance in the organization.
• Just: unintentional acts are not punished, which creates trust to report.
• Flexible: ability to adapt to new information and changing circumstances.
• Learning: ability to extract learning from safety-related information.

There does not seem to be an equivalently researched and accepted “security culture”, although this probably should be a term as relevant as it has proved to be for safety. Certainly, the concept seems to be implicitly present, as indicated by this statement: “because enhancing security depends on changing the beliefs, attitudes, and behavior of individuals and groups, it follows that social psychology can help organizations understand the best way to work with people to achieve this goal” [35].

Learning is, however, a dialectical aspect of culture. In the balance between production and protection, the learning from day-to-day operations may easily be the contrary of that implied by Murphy’s Law, that is, that things that can go wrong usually do. Actually, in normal operations things that can go wrong do not, and there is a risk of learning the wrong lesson from this. Operators might interpret incidents as proof of safety and that it is ok to “borrow from safety” to increase production output. Production pressure on performance of “normal work” gradually affects standards and norms of this work in favor of production. This is the risk described by the model of “organizational drift” toward failure for complex sociotechnical systems. In security, drift of normal practice may create opportunities for those who deliberately want to cause harm to people and property.

Aspects of safety culture are also present in research on high reliability organizations (HROs) such as aircraft carriers and air traffic control [36].
One of the conclusions of this research is that stories that organizations tell about their own operations reveal something about their attitude and ability to learn from incidents. In HROs, incidents are seen as signs of weaknesses in the system and they are used by the organization to extract information about how to become safer. In other organizations incidents may be taken as evidence of the strength of the safety system and lead to the conclusion
that nothing needs to be changed. From this it could be claimed that something that is needed for security operations, particularly for training, is “good stories”, both about the failure and success of its operations. While aviation safety has been able to use cases from well-investigated and publicly presented accidents, this is not the case for security.

There are a number of models and research results regarding safety culture and HROs that should be fruitful for security operations. The similarities of the conditions and performance of security and safety operations mean that learning from each other should be mutually beneficial. Both represent operations where seemingly everything is done to prevent adverse events, and where adverse events are extremely rare (and potentially disastrous). Also, in both, the operators have to maintain a high level of skills, knowledge, and awareness to keep day-to-day operation secure and safe as well as readiness to manage unusual and unpredicted events. The potential for systematic and recurrent Human Factors training for security as well as for joint security and safety training for staff from both types of operations should be explored.

5 CONCLUSION

Security and safety share fundamentally important features as operational activities with the goal to protect people, property, and the smooth economic functioning of organizations and society. Safety has been a focus of operations where risks have been overwhelmingly obvious since their inception (e.g. aviation, chemical, and nuclear industry) and demands on the safety of these operations have gradually increased. The demand for increased security has escalated recently and comprehensive development of it as a field of operations, beyond potential technological progress, is needed.
In spite of distinct differences in the nature of threats (intentional/unintentional), there are many areas (use of standardized procedures, human factors training, modeling for increased understanding of adverse events) where knowledge and experiences from safety operations can fruitfully spill over to security. To establish cooperation between these two fields, for example on regulatory and procedural development, training and simulation, as well as operational evaluation, would be to produce synergies not yet known today.

REFERENCES

1. Dekker, S. W. A. (2006). The Field Guide to Understanding Human Error, Ashgate Publishing, Aldershot.
2. Simon, H. A. (1957). Models of Man: Social and Rational, John Wiley and Sons, New York.
3. Besnard, D., and Arief, B. (2004). Computer security impaired by legitimate users. Comput. Secur. 23, 253–264.
4. Bainbridge, L. (1993). Difficulties in Complex Dynamic Tasks, Discussion paper available at (2nd of February 2007): http://www.bainbrdg.demon.co.uk/Papers/CogDiffErr.html.
5. Hollnagel, E. (2002). Understanding accidents—From root causes to performance variability. Proceedings of the 7th IEEE Human Factors Meeting. Scottsdale, AZ.
6. Dörner, D. (1997). The Logics of Failure, Perseus Books, Cambridge, MA.
7. Dekker, S. W. A. (2002). The Field Guide to Human Error Investigations, Ashgate Publishing, Ashgate.
8. Thomas, A. R. (2003). Aviation Insecurity: The New Challenges of Air Travel, Prometheus Books, New York, p. 13.
9. Schofield, A. (2006). Security standoff. Aviat. Week Space Technol. 165(8), 53.
10. Chute, R., Wiener, E. L., Dunbar, M. G., and Hoang, V. R. (1995). Cockpit/Cabin crew performance: recent research. Proceedings of the 48th International Air Safety Seminar. Seattle, WA, November 7–9.
11. Nilsson, M., and Roberg, J. (2003). Cockpit Door Safety—How does the locked cockpit door affect the communication between cockpit crew and cabin crew? In Examination paper presented at Lund University School of Aviation, Lund University School of Aviation, Ljungbyhed, Sweden.
12. Global National (2006). Pilot Locked Out of Jazz Cabin Mid-flight, Available at (4th of February 2007): http://www.canada.com/topics/news/national/story.html?id=ac82a8ec-391548f4-ad8d-e65274b8204a&k=44392
13. Schneier, B. (2006). Beyond Fear—Thinking Sensibly About Security in an Uncertain World, Copernicus Books, New York, p. 33.
14. Doyle, A. (2005). Security dilemma. Aviat. Week Space Technol. 163(8), 52.
15. Gkritza, K., Niemeier, D., and Mannering, F. (2006). Airport security screening and changing passenger satisfaction: An exploratory assessment, p. 217, 219. J. Air Transp. Manag. 12, 213–219.
16. Persico, N., and Todd, D. E. (2005). Passenger profiling, imperfect screening and airport security, p. 127. Am. Econ. Rev. 95(2), 127–131.
17. Lehman, C. (2006). Complementary, my dear Watson. Civ. Aviat. Train. Mag. 6, 6.
18. Simpson, B. P. (2003). Why Externalities are Not a Case of Market Failure, Available at (4th of February 2007): http://www.mises.org/asc/2003/asc9simpson.pdf.
19. Schneier, B. (2006). Beyond Fear—Thinking Sensibly About Security in an Uncertain World, Copernicus Books, New York.
20. Acquisti, A., and Grossklags, J. (2005). Privacy and rationality in individual decision making. IEEE Secur. Priv. Mag. 3(1), 26–33.
21. Akerlof, G. A. (1970). The market for lemons: quality uncertainty and market mechanism. Q. J. Econ. 84(3), 488–500.
22. Anderson, R. (2001). Why information security is hard—An economic perspective. Paper presented at the 17th Annual Computer Security Applications Conference. Available at (1st of February 2007): http://www.acsa-admin.org/2001/papers/110.pdf.
23. Abeyratne, R. I. R. (1998). Aviation Security: Legal and Regulatory Aspects, Ashgate Publishing, Brookfield, VT.
24. Dekker, S. W. A. (2005). Ten Questions About Human Error: A New View on Human Errors and Systems Safety, Lawrence Erlbaum Associates, Mahwah, NJ.
25. Amalberti, R. (2001). The paradoxes of almost totally safe transportation systems. Saf. Sci. 37(2-3), 109–126.
26. Transportation Safety Board of Canada (2003). Aviation Investigation Report Number A98H0003, Available at (1st of February 2007): http://www.tsb.gc.ca/en/reports/air/1998/a98h0003/a98h0003.asp.
27. Billings, C. E. (1996). Aviation Automation: The Search for a Human-centered Approach, Lawrence Erlbaum Associates, Mahwah, NJ.
28. Dekker, S. W. A. (2002). The Field Guide to Human Error Investigations, Ashgate Publishing, Aldershot.
29. Dekker, S. W. A., and Hollnagel, E. (1999). Computers in the cockpit: Practical problems cloaked as progress. In Coping with Computers in the Cockpit, S. W. A. Dekker, and E. Hollnagel, Eds. Ashgate Publishing, Aldershot, pp. 1–6.
30. Clois, W., and Waltrip, S. (2004). Aircrew Security: A Practical Guide, Ashgate Publishing, Aldershot, p. 3.
31. Bullock, J., and Haddow, G. (2006). Introduction to Homeland Security, 2nd ed., Butterworth-Heinemann, Burlington, MA, p. 213.
32. Dekker, S. W. A., and Hollnagel, E. (2003). Human factors and folk models. Cogn. Technol. Work 6(2), 79–86.
33. Deal, T. E., and Kennedy, A. A. (1982). Corporate Cultures: The Rites and Rituals of Corporate Life, Penguin Books, Harmondsworth.
34. Reason, J. (1997). Managing the Risks of Organizational Accidents, Ashgate Publishing, Aldershot.
35. Kabay, M. (1993). Social psychology holds lessons for security experts. Comput. Can. 19(24), 33.
36. Rochlin, G. I. (1993). Defining high-reliability organization in practice: a taxonomic prolegomenon. In New Challenges to Understanding Organizations, K. H. Roberts, Ed. MacMillan, New York, pp. 11–32.

CRITICAL INFRASTRUCTURE PROTECTION DECISION MAKING

Dennis R. Powell Los Alamos National Laboratory, Los Alamos, New Mexico
Sharon M. DeLand Sandia National Laboratories, Albuquerque, New Mexico
Michael E. Samsa Argonne National Laboratory, Argonne, Illinois

1 INTRODUCTION

The critical infrastructure protection decision support system (CIPDSS) is a Department of Homeland Security (DHS) risk assessment tool and analysis process that (i) simultaneously represents all 17 critical infrastructures and key resources [1] in a single integrated framework and (ii) includes a decision-aiding procedure that combines multiple, nationally important objectives into a single measure of merit so that alternatives can be easily compared over a range of threat or incident likelihoods. At the core of this capability is a set of computer models, supporting software, analysis processes, and decision support tools that inform decision makers who make difficult choices between alternative mitigation measures and operational tactics or who allocate limited resources to protect
the United States’ critical infrastructures against currently existing threats and against potential future threats. CIPDSS incorporates a fully integrated risk assessment process, explicitly accounting for uncertainties in threats, vulnerabilities, and the consequences of terrorist acts and natural disasters. Unlike most other risk assessment tools, CIPDSS goes beyond the calculation of first-order consequences in one or just a few infrastructures and instead models the primary interdependencies that link the 17 critical infrastructures and key resources together, calculating the impacts that cascade into these interdependent infrastructures and the national economy.

2 BACKGROUND

Choices made and actions taken to protect critical infrastructures must be based on a thorough assessment of risks and appropriately account for the likelihood of threat, vulnerabilities, and uncertain consequences associated with terrorist activities, natural disasters, and accidents. Initiated as a proof-of-concept in August 2003, the CIPDSS project has conducted analysis on disruption of telecommunications services, a smallpox outbreak and an influenza pandemic, and the accidental release of a toxic industrial chemical. Partial capability does exist to support analysis of physical disruption; cyber, insider, radiological or nuclear threats; and natural disaster scenarios.

2.1 Decision Support System and Infrastructure Risk

The project was developed in a system dynamics language (Vensim) to facilitate rapid development of capability. This decision support system is designed to address various infrastructure- and risk-related questions, such as the following:

• What are the consequences of attacks on infrastructure in terms of national security, economic impact, public health, and conduct of government—including the consequences that propagate to other infrastructures?
• Are there critical points in the infrastructures (i.e. areas where one or two attacks could have extensive cascading consequences)? What and where are these points?
• What are the highest risk areas from a perspective incorporating consequence, vulnerability, and threat?
• What investment strategies can the United States make that will have the most impact in reducing overall risk?

2.2 Two Modeling Scales: National and Metropolitan

The system has been designed to operate at two distinct scales of modeling: the national scale and the metropolitan scale. The national model represents the critical infrastructures at the national level, with resolution at a state level. The metropolitan (metro) model is intended to represent the functions of critical infrastructures at the local level, in urban landscapes with a population of 500,000 or more. Within these two modeling scales, many questions of critical infrastructure disruption can be addressed within a risk-informed framework. In general, both models calculate the consequences of a disruption both within the affected sector and in related sectors linked by primary interdependencies. For example, a disruption in telecommunications could have an effect on banking and finance and even on traffic. Consequences are
CRITICAL INFRASTRUCTURE PROTECTION DECISION MAKING
1601
computed in the broad metric categories of human health and safety, environmental effects, economic costs, public confidence, and national security.

2.3 Decision Model

Unique to CIPDSS is the coupling of the vulnerability and consequence simulation models with a decision model. This tool translates simulated fatalities, illnesses and injuries, economic costs, lost public confidence, and national security impacts into a single measure of merit for each mitigation measure, operational tactic, or policy option considered by a decision maker in a decision problem. Preferred options are plotted against threat or incident likelihood. As new intelligence information becomes available and as the view of the intelligence community evolves with respect to the near- and long-term capabilities and intentions of US adversaries, a preferred course of action that minimizes overall risk can be easily selected from a growing set of threat case studies.

3 INFRASTRUCTURE MODELS

Each infrastructure sector is represented by a model of the system that is captured in a system dynamics representation. Table 1 lists the critical infrastructures modeled in CIPDSS.

TABLE 1 Critical infrastructures represented in CIPDSS
Critical infrastructures
1. Agriculture and food
2. Banking and finance
3. Chemical industry and hazardous materials
4. Defense industrial base
5. Emergency services
6. Energy
7. Government
8. Information and telecommunications
9. Postal and shipping
10. Public health
11. Transportation
12. Water
Key asset categories
13. National monuments and icons
14. Nuclear power plants
15. Dams
16. Government facilities
17. Commercial key assets

FIGURE 1 Structure of a generic resource limited module. [Diagram of linked variables: failure rate, repair rate, inoperable capacity, total production capacity, available capacity, production rate, inventory, local availability of repair materials, material availability, local availability of production factors, amount delivered, network performance, demand, and performance of infrastructure.]

The most common model form is a limited-capacity, resource-constrained model as shown in Figure 1. In this generic representation, the model is shown as a network of nodes, for example, variables that are linked by directed edges, or influences. The connection of variable A via a directed edge to variable B indicates that the value of A is used to calculate the value of B. This abstract relationship indicator hides the actual mathematical relationships, but serves as a graphical description of the workings of the model without delving into specifics. Nonetheless, it is the mathematical description,
for example, a system of coupled ordinary differential equations, embedded in the syntax of the Vensim model that defines the actual model. A key aspect of the CIPDSS infrastructure models is the capturing of the primary interdependencies between infrastructures. In Figure 1, the dependencies are generically represented in the local availability of resources and materials and implicitly in the production operations. These functional dependencies are clearly called out in the infrastructure models. For example, the operation of telecommunication facilities depends on the supply of electrical power. Short durations of electrical power outages can be tolerated by the use of backup power generators. However, extended electrical power outages cause failure of selected equipment, which affects total communication capacity. The reduction in capacity may be compensated by other equipment with excess capacity (system resilience) or it may affect total throughput of calls. Because CIPDSS has a high level of representation of operations, not all dependencies are modeled, just the primary dependencies. Also, to maintain a consistent model resolution level, the effect of the dependency is modeled rather than the detailed interactions. Each critical infrastructure sector is divided into a number of subsectors, which have a more uniform character and for which one or more separate Vensim subsector models are developed. For example, the emergency services sector is divided into (i) fire services, (ii) emergency medical services, (iii) law enforcement, and (iv) emergency support services. A Java-based program, the Conductor [2], is used to merge multiple system dynamics models, link variables that cross source code boundaries, and assemble a unified multisector model from individual sector model files. The Conductor identifies variables present in models with references to other source code files and resolves the references when the models are combined. 
As such, the program allows the models to be developed and tested at a modular level, but it enables simulation runs at the multisector level. The ability to develop modularly has allowed multiple developers from three geographically separated sites to codevelop the models.
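A minimal stock-and-flow sketch of the generic resource-limited module and the telecommunications-on-power dependency described above, added here as an illustration and not taken from the CIPDSS Vensim models. Variable names follow Figure 1; the equations, the Euler time step, and every parameter value are assumptions.

```python
"""Generic resource-limited module with one interdependency.

Added illustration, not CIPDSS or Vensim code. Names follow Figure 1;
all equations and parameter values are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TelecomModule:
    total_capacity: float = 100.0        # total production (switching) capacity
    demand: float = 80.0                 # demand, in the same capacity units
    backup_hours: float = 8.0            # how long backup generators carry the load
    failure_rate: float = 0.05           # fraction of operable capacity failing per unpowered hour
    repair_rate: float = 2.0             # capacity units repaired per hour
    material_availability: float = 1.0   # 0..1, local availability of repair materials


def simulate(module, outage_hours, horizon_hours=240.0, dt=0.25):
    """Euler-integrate the inoperable-capacity stock through a grid outage.

    The outage starts at t = 0 and lasts outage_hours. Returns the unmet
    demand (capacity-hours), the lowest available capacity, and the hour at
    which full capacity is back (None if that is beyond the horizon).
    """
    inoperable = 0.0
    unmet = 0.0
    min_available = module.total_capacity
    restored_at = None
    for step in range(int(round(horizon_hours / dt))):
        t = step * dt
        grid_up = t >= outage_hours
        powered = grid_up or t < module.backup_hours
        available = module.total_capacity - inoperable
        min_available = min(min_available, available)
        if grid_up and restored_at is None and inoperable <= 1e-9:
            restored_at = t

        # Amount delivered is capped by available capacity; spare capacity
        # above demand is what absorbs a partial loss.
        delivered = min(available, module.demand)
        unmet += (module.demand - delivered) * dt

        # Flows into and out of the inoperable-capacity stock.
        failing = 0.0 if powered else module.failure_rate * available
        repairing = 0.0
        if grid_up:  # assumed: repairs start only once grid power is back
            repairing = min(module.repair_rate * module.material_availability,
                            inoperable / dt)
        inoperable = max(0.0, inoperable + (failing - repairing) * dt)
    return {"unmet_demand": unmet, "min_available": min_available,
            "restored_at": restored_at}


def compare_outages(module=TelecomModule()):
    """Three constructed outage lengths: inside backup, mild, extended."""
    return {hours: simulate(module, hours) for hours in (4.0, 10.0, 48.0)}


if __name__ == "__main__":
    for hours, result in compare_outages().items():
        print(f"{hours:5.1f} h outage -> {result}")
```

The 10-hour case loses capacity but still meets demand from the assumed spare capacity, while the 48-hour case does not; lowering `material_availability` stretches the recovery, which is the kind of effect-level dependency the text describes.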
3.1 Other Supporting Models to Represent Disruption Effects

Models of the infrastructure sectors and subsectors are in themselves insufficient to represent the full suite of effects and artifacts of a disruption. Since the output metrics of interest are human health and safety, a population model is used to account for those people injured by the disruption event compared with the natural processes of illness, injury, and death. Straightforward accounting of population groups in terms of birth/death processes and recovery from health impairment provides a basis for consequence modeling. To model the effect of scenario consequences on subcategories of the population, particularly workers in the critical infrastructures, the model uses occupation data from the US Bureau of Labor Statistics to estimate the initial size of the group. Because the scenario time frame that is modeled is usually on the order of a year or less, these models do not cover all of the dynamics that could arise in a disruption, for example, product substitution, restructuring of industry or practices, or evolutionary transformations that take years to manifest. Economic modeling [3] assesses initial sector impacts from the incident in the individual sectors with interdependencies modeled to produce possible secondary effects. Most sectors compute revenue losses and other losses from clean-up, repairs, rebuilding, and so on. Other sectors, such as the energy subsectors, contain further information to give baseline revenue values with or without an incident. All of the metrics are passed into the economic sector model for further computation. Estimation of impacts to the rest of the economy is based on the North American Industry Classification System (NAICS) supersectors. Value-added, a measure of productivity in an industry, is more conservative than lost sales or revenues since lost sales are often only temporary and can be recovered within a short period of time after an incident.
Lost value-added tends to be permanent over short periods of time and is, therefore, a more accurate measure of the economic losses from temporary disruptions.

3.2 Scenario Models

While the infrastructure models exist as a body of interacting systems, the modeling of a disruption to one or more infrastructures often requires that specific code is developed to initiate a disruption event and stimulate the infrastructure models to render specific effects required by the disruption scenario. The models that accomplish these effects are called scenario models. Scenario models for biological threats, chemical threats, and telecommunications disruptions have been developed and form a robust basis for other threat scenarios listed in Table 2. For a given study, if an appropriate scenario model does not exist, it must be developed or adapted from a previously developed scenario model.

TABLE 2 Threat scenario categories to be addressed by CIPDSS
Biological
Chemical
Physical disruption
Radiological/nuclear
Insider
Cyber
Natural disaster

3.3 Consequence Models

Consequence models simulate the dynamics of individual infrastructures and couple separate infrastructures with each other according to their interdependencies. For example, repairing damage to the electric power grid in a city requires transportation to repair sites and delivery of parts, fuel for repair vehicles, telecommunications for problem diagnosis and coordination of repairs, and availability of labor. The repair itself involves diagnosis, ordering parts, dispatching crews, and performing repairs. The electric power grid responds to the initial damage and to the completion of repairs with changes in its operating capacity (the number of megawatts that can be distributed to customers). Dynamic processes like these are represented in the CIPDSS infrastructure
sector simulations by differential equations, discrete events, and codified rules of operation, as appropriate for the sector being modeled.

3.4 Decision Support

The CIPDSS team has conducted an ongoing series of formal and informal interviews of critical infrastructure protection decision makers and stakeholders to identify requirements for the decision support system, scope out the decision environment, and quantify the prioritization of consequences. The taxonomy of decision metrics derived from this research involves six categories: (i) sector specific, (ii) human health and safety—public and occupational fatalities, nonfatal injuries, and illnesses, (iii) economic—immediate and interdependent costs of event, including the implementation and operating cost for optional measures, (iv) environmental—air and water emissions, nonproductive land, and intrinsic value loss, (v) sociopolitical—perceived risk, public confidence, trust in government sector-specific effects, and market confidence, and (vi) national security—continuity of military and critical civilian government services. The preferences of three representative decision makers were encoded using structured interview techniques to arrive at multiattribute utility functions consonant with the output of the consequence models and applicable to the case studies described below. The primary building block for decision analysis in CIPDSS is a case. A case consists of two or more scenario pairs (base scenario pairs and alternative scenario pairs); each scenario pair is composed of a readiness scenario and an incident scenario:

• Base scenario pair
  ◦ Base readiness scenario. Business-as-usual conditions; consequences in the absence of terrorist events or other disruptions.
  ◦ Base incident scenario. Postulated event occurs with no additional optional measures implemented, beyond what exists at the time.
• One or more alternative scenario pair(s)
  ◦ Alternative readiness scenario. A specific set of additional optional measures are in place; postulated event is not initiated.
  ◦ Alternative incident scenario. Optional measures are in place; postulated event occurs.

Each scenario requires a separate simulation over a period of time (defined by the case) with the detailed national and metropolitan models. By comparing the alternative scenario pairs with the base scenario pairs, decision makers can evaluate the effects that various investments and strategies could have, if implemented. (The various investments and
strategies, labeled here as optional measures, include hardware, processes, and strategies related to prevention, protection, mitigation, response, and recovery.)

3.5 Uncertainty and Sensitivity Analysis

Aggregate models such as those in the CIPDSS model set embody a degree of uncertainty in their formulation. Both uncertainty and sensitivity analyses [4] are essential tools in assessing the uncertainties arising when applying computer models to meaningful analyses. Rather than considering single predictions from the input space, prudent analysis considers the range of possible inputs and maps those to a range of outcomes. Uncertainty analysis defines methods to estimate the distribution of the model outputs, given uncertainties in the model inputs. Sensitivity analysis specifies a process by which sources of variance in the model outputs can be identified with uncertainties in the model inputs. Such information is useful when it is desirable to reduce the uncertainty of the outputs, as the information indicates which input variables are the greatest contributors to output variance. Both uncertainty analysis and sensitivity analysis are supported by the CIPDSS architecture and routinely applied when performing analyses. Although arbitrary experiment designs are supported, orthogonal array (OA), Latin hypercube sampling (LHS), and hybrid OA-based LHS designs are commonly used to support uncertainty and sensitivity analysis.

4 CASE STUDIES

Throughout its development cycle, CIPDSS has been exercised by producing a case study for each disruption capability. Each case study is used to expose each capability’s potential cascading consequences and place a disruption scenario in a risk-informed context. In general, CIPDSS can address case studies to support decision making relative to a standardized set of scenarios defined by DHS (Table 2), although not all capabilities are currently well developed.
Current work is focused on the physical disruption capability, where the disruption may be caused by explosive devices, assault teams, natural events, or accidents. The program’s goal is to cover all types of disruptions of interest to DHS policy makers. In this section, three case studies are briefly described: a telecommunications disruption, an outbreak of a contagious disease, and an accidental release of a toxic industrial chemical.

4.1 Telecommunications Disruption Case Study

The earliest version of CIPDSS was exercised in a proof-of-concept case study that demonstrated the project’s feasibility. The case study—chosen to broadly perturb many infrastructure sectors—involved a telecommunications disruption that degraded the operation of other infrastructure sectors. In each of three northeastern cities, major telecommunication switching stations were bombed with explosives in a simultaneous attack. Significant switching capacity was lost at each site and a large number of casualties were inflicted. CIPDSS consulted with the National Communications System and Lucent Technologies to assure appropriate modeling of the disruption in telecommunication services. Decision metrics and utility values were computed for several investment alternatives that would mitigate the impact of the incidents.
For the telecommunications case study, two optional measures were examined: (i) improving the restoration capability of the system and (ii) consolidating the targeted facilities away from dense urban areas. The former alternative was expected to reduce the secondary economic impact of the incident, while the latter was expected to reduce the impact on human health and safety. While undergoing repairs, the telecommunications system loses revenue as well as requiring capital to replace lost capability. The impact on human health and safety was caused by casualties imposed by the bomb blast. Casualties were relatively high because one switching facility was near a metro mass transportation station and the blast occurred at a time of day when commuter traffic was heavy. The alternative to consolidate the switching facilities and move them to a less busy part of the metro region was expected to cost $7 billion. This posed an interesting trade-off between the mitigation alternatives. In improving the restoration capability, presumed to cost $1.5 billion, the economic losses from the incident would be lower. On the other hand, consolidation of facilities would reduce fatalities and injuries. In accounting for such trade-offs, the decision modeling method combines the primary metrics of the consequences of a scenario with the implementation costs associated with the scenario. Another way to represent the decision, depicted in Figure 2, is as a decision tree, which consists of decision nodes and chance nodes. The utility of the base readiness scenario is 99.2 for a given decision profile. This is the expected utility for the chance node for each decision alternative. The expected utility of the base incident scenario is 16.3. For an attack having the probability of 0.1, the expected utility of the base alternative is, therefore, 90.9. The utilities of all alternatives are calculated and shown in Figure 2. 
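The expected-utility arithmetic above, extended to the crossover likelihoods at which the preferred alternative changes, as an added example that is not CIPDSS code. Utilities and costs are the values printed in Figure 2, each assigned to the branch that satisfies the expected-utility formula given with the figure; the class and function names are assumptions.

```python
"""Expected-utility decision model for the telecommunications case study.

Added illustration, not CIPDSS code. Utilities and costs are the values
shown in Figure 2; class and function names are assumptions of this example.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Alternative:
    name: str
    cost_billion: float   # implementation cost in $B, kept for reference only
    u_readiness: float    # utility if the incident does not occur
    u_incident: float     # utility if the incident occurs

    def expected_utility(self, p):
        """Expected utility = P * U_incident + (1 - P) * U_readiness."""
        if not 0.0 <= p <= 1.0:
            raise ValueError("likelihood must lie in [0, 1]")
        return p * self.u_incident + (1.0 - p) * self.u_readiness


ALTERNATIVES = (
    Alternative("Do nothing", 0.0, 99.2, 16.3),
    Alternative("Improve restoration", 1.5, 98.0, 31.0),
    Alternative("Consolidate facilities", 7.0, 93.6, 47.7),
)


def preferred(p, alternatives=ALTERNATIVES):
    """Alternative with the highest expected utility at likelihood p."""
    return max(alternatives, key=lambda a: a.expected_utility(p))


def crossover(a, b):
    """Likelihood at which a and b have equal expected utility, else None."""
    slope_a = a.u_incident - a.u_readiness
    slope_b = b.u_incident - b.u_readiness
    if slope_a == slope_b:
        return None  # parallel lines never cross
    p = (b.u_readiness - a.u_readiness) / (slope_a - slope_b)
    return p if 0.0 < p < 1.0 else None


def decision_map(alternatives=ALTERNATIVES):
    """Return [(p_low, p_high, name)]: who is preferred on each interval."""
    cuts = {0.0, 1.0}
    for a, b in combinations(alternatives, 2):
        p = crossover(a, b)
        if p is not None:
            cuts.add(p)
    cuts = sorted(cuts)
    regions = []
    for low, high in zip(cuts, cuts[1:]):
        best = preferred((low + high) / 2.0, alternatives).name
        if regions and regions[-1][2] == best:
            # A crossing between two non-preferred lines: extend the region.
            regions[-1] = (regions[-1][0], high, best)
        else:
            regions.append((low, high, best))
    return regions


if __name__ == "__main__":
    for alt in ALTERNATIVES:
        print(f"{alt.name:24s} EU(P=0.10) = {alt.expected_utility(0.10):.1f}")
    for low, high, name in decision_map():
        print(f"P in [{low:.4f}, {high:.4f}]: {name}")
```

The two region boundaries come out near P = 0.075 and P = 0.209, that is, about one incident in 13 years and one in 5 years, the thresholds the text quotes for the decision map.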
FIGURE 2 Tree representation of decision alternatives. [Decision tree with one decision node and a chance node for each alternative; expected utility = P × U_Incident + (1 − P) × U_Readiness, with P = P′ = P″. Do nothing ($0.0B): readiness utility 99.2, base incident utility 16.3, expected utility at P = 0.10 of 90.9. Alt A, improve restoration capacity ($1.5B, reduces outage costs): readiness utility 98.0, incident A utility 31.0, expected utility 91.3. Alt B, consolidate facilities ($7.0B, reduces facilities): readiness utility 93.6, incident B utility 47.7, expected utility 89.0.]

FIGURE 3 Decision map of a scenario parameterized by the likelihood of the incident. [Plot of utility against annual likelihood of incident (20 year protective life), with equivalent scales in $B damage cost and fatalities, for no action, improve restoration, and consolidate facilities. Regions marked: no action preferred up to about 1 incident in 13 years; improved restoration capability preferred up to about 1 incident in 5 years; consolidation preferred beyond that. Annotation: no effect on the likelihood of attack.]

Figure 3 depicts a decision map that provides a convenient mechanism for the decision maker to assess investment alternatives as a function of the expected annual likelihood of the threat event. Figure 3 illustrates how a risk-neutral decision maker would prefer no action so long as the annual likelihood of the event is less than one incident in 13 years. When the likelihood is between one in 13 years and one in 5 years, that decision maker would prefer to improve the restoration capability; when the likelihood is greater than one in 5 years, that decision maker would prefer to consolidate facilities. The relative
preferences are determined by the form of the decision maker’s multiattribute utility function and risk tolerance profile.

4.2 Biological Pandemic Case Study

An analysis of a biological threat scenario was performed to assess infrastructure interdependency and economic effects resulting from the consequences of a highly infectious biological attack. To identify the conditions under which various alternatives are preferred, the consequences of the attack were combined with cost estimates for various protective measures within the decision model. At the core of this case study is an infectious disease scenario model. The infectious disease model is a modified susceptible-exposed-infected-recovered (SEIR) model [5], based on an extended set of disease stages, demographic groupings, an integrated vaccination submodel, and representation of quarantine, isolation, demographic, and disease-stage-dependent human behavior. As a variant on the SEIR model paradigm, the CIPDSS model represents populations as homogeneous and well mixed with exponentially distributed residence times in each stage [6]. The use of additional stages and demographic groupings is designed to add additional heterogeneity, where it can be useful in capturing key differences in disease spread and response in different subpopulations. The disease stages are generically represented so that the model can be used for a large number of infectious agents simply by adjusting the input parameters appropriately. For example, with the studied hypothetical biological agent like smallpox, the first stage is the exposed or incubating stage during which a vaccine can still be effective (about 3 days) and the next stage represents the remainder of the incubating period when the vaccine is no longer effective. This is followed by a prodromal phase when the disease is sometimes infectious and is symptomatic, but with nonspecific flu-like symptoms.
The disease progresses into a rash stage, where the risk of contagion is highest, and then into the scab phase. The patient then either recovers from the disease, or dies. The analysis specifically considered the following incident and alternatives:

• Base incident. 1000 people initially infected with smallpox and implementation of existing vaccination policies.
• Alternative A. Installation of biodetectors to provide early detection of the disease.
• Alternative B. Use of antiviral drugs to treat the disease.
• Alternative C. Mass quarantine to reduce the spread of the disease.
• Alternative D. Improved training of health care personnel to administer existing vaccines more rapidly.
Large-scale simulations were used to characterize the uncertainty in the consequence results and understand which model parameters had the strongest effects on the decision metrics. Considering uncertainties, the number of fatalities in the base incident scenario ranged from 277 to 7041. Incorporation of individual alternatives A–D reduced the lower end of the fatality range slightly and in all cases significantly reduced the maximum number of simulated fatalities. Primary economic costs in the metropolitan area, where 1000 persons are initially infected, were calculated to range from $7.5 to $9.5 billion, except for the mass quarantine alternative (Alternative C) where the primary economic costs would be up to three times greater because of loss of worker productivity during a quarantine. On a national scale, economic costs might easily be driven by a widespread self-isolation response resulting from the general population seeking to protect itself by reducing exposure to potentially infected individuals. A severe self-isolation response could significantly impact business and industrial productivity as workers stay home from their jobs and reduce normal spending by avoiding shopping and other commercial areas where they might come in contact with infected persons. The interdependent private sector economic costs and personal income losses associated with a severe, widespread self-isolation response were calculated to be as great as $450 billion, or 15–45 times the primary economic costs of the infectious disease event. Government costs could be similar. Within the initially affected metropolitan area, the primary indirect or “cascading” effects of the incident involve the transportation and telecommunications sectors, with other sectors being affected by these in turn.
Quarantine measures impact nearly half of the workers in the metropolitan area during the peak period of the crisis, resulting in much lower usage of the transportation system and losses in personal income because workers would not report to work and businesses would close temporarily. In accordance with the numerous infectious disease model results that are currently available [7, 8], the CIPDSS results show that given the initiating event, a significant epidemic will ensue, with an average of 6100 nonfatal illnesses and 1500 fatalities in the base case. CIPDSS results particularly agree with Gani and Leach [9] who point out the importance of delays in detecting the first cases and the importance of setting up effective public health interventions. In the CIPDSS analysis, the addition of biodetectors provides a high degree of early warning, enabling a rapid effective response that almost completely stops the spread of the disease outside the initially infected metropolitan area, thereby significantly reducing the number of cases and subsequent mortalities. The study indicates that time to intervention and effective response is a critical component in controlling the health impacts resulting from a deadly infectious biological outbreak. The national economic consequences are primarily caused by a behavioral response that could lead to widespread self-isolation and severe economic impacts. Because the magnitude of such a response is largely unstudied in the literature, the uncertainty surrounding this parameter is very great. Rather than assuming that more is known than is actually the case about the possible public self-isolation response to an intentional release of infectious smallpox virus, the analysis presents the decision model results parameterized with respect to the relative level of widespread self-isolation behavior.
FIGURE 4 A preference map for preferred alternatives in a biological disease case. [Map of expected frequency of incident (1 in N years) against level of self-isolation response (0% to 100%), with regions for existing policies, pretrained responders, antiviral drugs, and biodetectors; boundaries are labeled 1 in 1200 years, 1 in 135 years, 1 in 90 years, and 1 in 35 years.]
For a risk-neutral profile, a preference map was derived by combining the calculated consequences in a decision model based on multiattribute decision theory and by assigning the attribute trade-off values that are consistent with values suggested by several DHS decision makers (Figure 4). The preference map indicates that up to an expected likelihood of one incident in 1200 years, the preferred alternative would be to continue existing vaccination and quarantine policies, regardless of the level of national self-isolation response. Likewise, between an incident likelihood of one in 1200 years and one in 135 years the preferred alternative would be to pretrain and implement a larger number of medical and emergency responders to vaccinate the public more rapidly, in the event of an intentional smallpox release. Without a widespread self-isolation response (0%), the antiviral drug alternative would be preferred when the incident likelihood increases to one in 90 years. At greater incident likelihoods, the detector alternative is preferred because it produces the lowest level of combined consequences across all simulations of the scenarios. When the level of self-isolation response increases, the antiviral strategy is the preferred alternative at increasing incident likelihoods, being preferred over detectors at the maximum level of self-isolation and incident likelihood of one in 35 years. This trend in increasing self-isolation takes place because the biodetectors would result in earlier disease detection and thus public notification, which in turn would result in an earlier commencement of the economic impacts caused by the widespread self-isolation response.

4.3 Toxic Industrial Chemical Case Study

The chemical threat scenario analysis was performed to demonstrate the CIPDSS capability to provide risk-informed assessments of potential mitigation measures for this class of threats [10].
Coupled threat scenario, infrastructure interdependency, and economic effects models were used to estimate the consequences of an accidental release of a toxic industrial chemical, namely chlorine, in an urban setting. The consequences were combined with cost estimates for various protective measures within the decision model to identify the conditions under which various alternatives would be preferred. The analysis specifically considered the following incident and alternatives:
• Base incident. A large (70 percentile event) in a “normally prepared” community and a “normally trained” set of emergency responders.
• Alternative A. Installation of chemical detectors to detect the extent of spread of the chemical.
• Alternative B. Use of temporary or mobile triage/treatment sites to handle expected volumes of exposed persons.
• Alternative C. Application of comprehensive community preparedness training for chemical releases.
• Alternative D. Increased training and response preparedness for emergency responders and health providers.
• Alternative E. Application of comprehensive community preparedness training for chemical releases with an emphasis on significantly reducing the population response time.
The initiating event for the base incident and alternative mitigation measure scenarios is a statistical representation (model) of the unmitigated consequences of a large-scale chlorine release. The potential number of injuries and fatalities and the number of hospital beds and geographical areas rendered unusable during and some time after the passage of a toxic plume are estimated on a probabilistic basis. To accomplish this, historical accidental release data, maximum stored volumes, and meteorological data were used as inputs into a heavy gas dispersion model. Multiple runs were performed using plausible distributions on the dispersion model inputs to generate a generic statistical distribution of injuries and fatalities associated with specific toxic chemicals for four different regions of the United States, using actual geographic locations and population distributions as a basis for the calculations. The stochastic distributions of unmitigated injuries and fatalities were developed as a function of time, parameterized as a function of cumulative probability of the event, and normalized to a population base of 1 million persons in a 5-km radius from the release site to mask the identification of the actual site. The analysis of health effects employed Acute Exposure Guideline Levels (AEGLs) developed by the Environmental Protection Agency (EPA) and National Research Council (NRC) [11], for which six different averaging times ranging from 5 min to 8 h are given. Three AEGLs were used in the analysis as follows:

• Persons within AEGL-1 footprint could experience adverse effects such as notable discomfort, irritation, or certain asymptomatic nonsensory effects. The effects are transient and reversible upon cessation of exposure.
• Persons within AEGL-2 footprint could experience irreversible or other injuries, long-lasting adverse health effects, or an impaired ability to escape.
• Persons within AEGL-3 footprint could experience life-threatening health effects or death.

Furthermore, three additional health criteria that further disaggregate AEGL-3 were exercised to provide better definition of victim status or condition to the CIPDSS public health sector model. These additional criteria enabled a more complete modeling of healthcare response to the event. In this analysis, an unmitigated base case is compared to each of five modeled mitigation measures with respect to key operational parameters in the CIPDSS models relative to the value of the same variable in the base incident scenario.
On the basis of the uncertainty analysis performed with the CIPDSS models, the minimum, mean, and maximum values for the mitigation measure costs, fatalities, injuries, economic losses, and losses in public confidence (decision metrics) for each of the above incident scenarios display virtually no variation in the results among the five alternative mitigation measure scenarios. Furthermore, there is almost no variation in the results between the alternative mitigation measure scenarios and the base incident scenario, which includes no additional mitigation measures. The reason for this is the rapidity with which the plume disperses; there is simply insufficient time to react. Even with accelerated response times, the majority of the population that would be exposed without additional mitigation measures would still receive exposure even with the additional mitigation measures. Because all of the measures that were modeled had an insignificant effect on mitigating the consequences of a large-scale chlorine release, the various options differentiated on the basis of implementation cost alone. Thus, as calculated in the CIPDSS decision model, the order in which the measures would be preferred is in direct relationship to their implementation cost. The analysis indicated that investing in any of the mitigation options considered is less desirable than taking no action, regardless of how likely it may be that the incident would occur. Of course, this conclusion is obvious from the fact that none of the modeled measures had any significant mitigation effect on the consequences of an accidental release. The rank ordering of preference for the alternatives, shown in Figure 5, was (i) base case, no mitigation; (ii) alternative A, chemical detectors; (iii) alternative D, response preparedness and training; (iv) alternative E, community preparedness II; (v) alternative C, community preparedness I; and (vi) alternative B, mobile treatment facilities. 
These results are consistent with other studies of chlorine releases [12]. One conclusion to draw is that investment should focus on prevention of a chemical release rather than on improving mitigation efforts after a release.
FIGURE 5 The preference map for a chemical release scenario. [Plot of relative preference (vertical axis) against annual likelihood of incident (horizontal axis, 0.0% to 5.0%) for six alternatives: existing (nominal) capabilities, chemical detectors, response preparedness, community preparedness, mobile treatment facilities, and community preparedness II.]
CROSS-CUTTING THEMES AND TECHNOLOGIES
These results do suggest, however, that in the effort to protect the public from large accidental releases of chlorine, consideration should be given to measures designed to prevent the release rather than measures designed to mitigate the consequences of a release once it has occurred.
5 CONCLUSION
CIPDSS has demonstrated its capability to provide meaningful risk-informed decision support for several categories of threats of interest to the DHS. As a system dynamics suite of simulations, it has confirmed the ability of system dynamics to support a wide range of analyses of interest to policy makers through aggregate level simulation of multiple infrastructure systems. Combined with the flexibility and extensibility conferred by the conductor, the uncertainty and sensitivity analysis capability, the decision model, and the breadth of coverage, including all 12 critical infrastructures and 5 key resource categories, CIPDSS is a unique capability for investigating consequences of infrastructure disruption. CIPDSS incorporates a fully integrated risk assessment process, explicitly and rigorously accounting for uncertainties in threats, vulnerabilities, and the consequences of terrorist acts and natural disasters. CIPDSS goes beyond the sole calculation of first-order consequences in one or just a few infrastructures. CIPDSS models the primary interdependencies that link the 17 critical infrastructures and key resources together and calculates the impacts that cascade into these interdependent infrastructures and into the national economy.
REFERENCES
1. Moteff, J., and Parfomak, P. (2004). Critical Infrastructure and Key Assets: Definition and Identification. Congressional Research Service, Report RL32631, Library of Congress, Washington, DC.
2. Thompson, D., Bush, B., and Powell, D. (2005). Software Practices Applied to System Dynamics: Support for Large-Scale Group Development. Los Alamos National Laboratory Report, LA-UR-05-1922, Los Alamos, NM.
3. Dauelsberg, L., and Outkin, A. (2005). Modeling Economic Impacts to Critical Infrastructures in a System Dynamics Framework. Los Alamos National Laboratory Report, LA-UR-05-4088, Los Alamos, NM.
4. Helton, J. C., and Davis, F. J. (2000). Sampling-Based Methods for Uncertainty and Sensitivity Analysis. Sandia National Laboratories, SAND99-2240, Albuquerque, NM.
5. Murray, J. D. (1989). Mathematical Biology, vol. 19. Springer-Verlag, Berlin.
6. Hethcote, H. W. (2000). The mathematics of infectious diseases. SIAM Rev. 42(4), 599–653.
7. Fraser, C., Riley, S., Anderson, R., and Ferguson, N. (2004). Factors that make an infectious disease outbreak controllable. Proc. Natl. Acad. Sci. U.S.A. 101(16), 6146–6151.
8. Halloran, M. E., Longini, I. M., Jr., Nizam, A., and Yang, Y. (2002). Containing bioterrorist smallpox. Science 298, 1428–1432.
9. Gani, R., and Leach, S. (2001). Transmission potential of smallpox in contemporary populations. Science 414, 748–751.
10. Shea, D., and Gottron, F. (2004). Small-Scale Terrorist Attacks using Chemical and Biological Agents: An Assessment Framework and Preliminary Comparisons. Congressional Research Service, RL32391, Library of Congress, Washington, DC.
11. National Research Council (NRC). (1993). Guidelines for Developing Community Emergency Exposure Levels for Hazardous Substances. National Academy Press, Washington, DC.
12. Streit, G., Thayer, G., O’Brien, D., Witkowski, M., McCown, A., and Pasqualini, D. (2005). Toxic Industrial Chemical Release as a Terrorist Weapon: Attack on a Chemical Facility in an Urban Area. Los Alamos National Laboratory, LA-CP-0575, Los Alamos, NM.
FURTHER READING LIST
United States of America. (1998). Executive Office of the President, Critical Infrastructure Protection, Presidential Decision Directive (PDD) 63.
United States of America. (2003). Executive Office of the President, The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.
United States of America. (2003). Executive Office of the President. Homeland Security Presidential Directive–7. Critical Infrastructure Identification, Prioritization, and Protection.
THE USE OF THREAT, VULNERABILITY, AND CONSEQUENCE (TVC) ANALYSIS FOR DECISION MAKING ON THE DEPLOYMENT OF LIMITED SECURITY RESOURCES
Nicholas A. Linacre Faculty of Land and Food Resources, the University of Melbourne, Parkville, Victoria, Australia
Marc J. Cohen International Food Policy Research Institute, Washington, D.C.
Bonwoo Koo Department of Management Sciences, Faculty of Engineering, University of Waterloo, Ontario, Canada
Regina Birner International Food Policy Research Institute, Washington, D.C.
1 OVERVIEW
The United Nations defines terrorism as “any action that is intended to cause death or serious bodily harm to civilians or noncombatants, when the purpose of such act, by its nature or context, is to intimidate a population, or compel a Government or an international organization to do or abstain from doing any act” [1]. On the basis of rational-choice considerations (compare [2]), an organization will choose terrorist actions in addition to other actions if terrorism contributes to reaching its goals at a relatively low cost and has high impact. Hence, it would be rational for terrorists to attack a target if this allows them to realize their goals to a larger extent, at costs lower than those that would be incurred by other means. However, it may be argued that our rational-choice model has limitations in explaining suicide attacks, although these may follow logically from the ideological or religious beliefs of those who carry them out. The rational-choice considerations are important because terrorists will consider perceived vulnerability and consequences in deciding on whether to launch an attack. Therefore, the allocation of security resources to counterterrorism is a complex task that requires decisions on the risk allocation mechanism, estimation of risk, and tolerable levels of risk.
Until recently, few papers have been published on ways to allocate security resources. Innovations have applied game theory [3], portfolio theory and risk analysis approaches [4–6] to the allocation of security resources (for an extensive literature review, see the special edition of Risk Analysis 27(3)). In this article, the risk analysis approach taken by Willis et al. [4–6] is discussed. This approach, known as threat–vulnerability–consequence (TVC) analysis, is related to catastrophe modeling (see [7]). Both TVC analysis and catastrophe modeling are examples of a more general statistical theory known as the theory of loss distributions, which is widely applied by actuaries in the insurance and reinsurance industries. The theoretical development of loss distributions can be found in Cox et al. [8–10].
Before outlining the essential elements of TVC analysis, it is useful to reflect on traditional definitions of risk, as the approach taken by Willis et al. [4, 6] modifies the traditional definition of risk to reflect the underlying structure of the risks encountered in terrorism analysis. Traditionally, risk is defined as the triplet $\langle s_i, p_i, x_i \rangle$, where $s_i$ is the risk scenario, which has a probability $p_i$ of occurring and a consequence $x_i$ if it occurs [11, 12]. A useful risk metric is defined as the probability of an event occurring multiplied by its associated consequence, $p_i \times x_i$. It is common for the expected value of the distributions to be used as point estimates in the calculation of $p_i \times x_i$ [13]. However, the measure for risk is uncertain and should be represented by a probability distribution, not a point estimate [14]. Willis et al. [4, 6] modify the traditional definition of risk and define it as a function of TVC. This definition is similar to others proposed in the risk literature; for example, see [15–17].
The remainder of this article provides an overview of the TVC analysis framework, discusses TVC analysis and the deployment of resources, elaborates some of the challenges and limitations of TVC analysis, discusses methods of dealing with uncertainty, provides a summary of the current state of practice, and suggests linkages between areas of research currently addressing similar issues.
2 THREAT–VULNERABILITY–CONSEQUENCES (TVC) ANALYSIS FRAMEWORK
Risk is measured as the probability of a terrorist “event” and the associated consequence. The probability of a terrorist event is measured as the threat and vulnerability of the target.
Threat is measured as the probability of a specific target being attacked in a specific way during a specified period. Vulnerability is measured as the probability that damage occurs, given a threat. Consequences are the magnitude and type of damage resulting, given a successful terrorist attack.
2.1 Assessing Threats
The purpose of the threat assessment is to gain an understanding of where terrorists are targeting their activities; typically this is based on intelligence information gathered from a variety of sources, both human and technological. Threats may be general or specific, and security responses are conditioned on the nature of the information received [6]. Typically, an analysis will first assess whether a country or region is under a general threat from terrorist attacks. Subsequently, a view is formed of the probability or likelihood that a specific target will be attacked in a specific way during a specified time period; mathematically,
$$\text{Threat} = p(\text{attack occurs})$$
However, it is essential to consider both the economic and the political dimension of costs and benefits in assessing the level of threat. For example, if a terrorist group has an antipoverty ideology, using a technique that hits mostly poor people implies a political cost, because it reduces the credibility of their cause. Thus, in the mid-1980s, the Liberation Tigers of Tamil Eelam in Sri Lanka threatened to use disease pathogens to destroy the economically important tea crop and to deliberately infect rubber trees with the leaf curl fungus [18]. One reason that the Tigers never made good on this threat may be that most of the low-income estate workers, who depend on tea and rubber cultivation for their livelihoods, are ethnic Tamils.
2.2 Assessing Vulnerabilities
Different definitions of vulnerability appear in the literature. Haimes [16] defines vulnerability as the probability that damages (where damages may involve fatalities, injuries, property damage, or other consequences) occur, given a specific attack type, at a specific time, on a given target; alternatively, vulnerability is the manifestation of the inherent states of the system (e.g. physical, technical, organizational, and cultural) that can result in damage if attacked by an adversary. Pate-Cornell [19] defines vulnerability as the capacity of a system to respond to terrorist threats. Adopting the approach taken by Willis et al. [4, 6], vulnerability is mathematically represented as the probability that an attack results in damage:
$$\text{Vulnerability} = p(\text{attack results in damage} \mid \text{attack occurs})$$
Vulnerability is an estimate of the likelihood of a successful attack resulting in damage. Vulnerability depends on the organization of the infrastructure, on the controls that are in place at the borders, and on the monitoring systems.
2.3 Assessing Consequences
A consequence is an assessment of the impact or loss from a terrorist event. Willis [6] defines “consequence” as the expected magnitude of damage (e.g. deaths, injuries, or property damage), given a specific attack type, at a specific time, that results in damage to a specific target. Mathematically,
$$\text{Consequence} = E(\text{damage} \mid \text{attack results in damage})$$
One can also distinguish between the short- and long-term consequences, which may have both an economic dimension (loss of productive capacity and food availability) and a political dimension resulting in persistent periodic cycles of conflict. International efforts to promote increased security are inherently difficult, because conflicts typically occur in countries where national governments have limited legitimacy and where far-reaching governance problems persist [5].
2.4 Risk Estimation
Terrorism risk may be thought of as a function of the threat level, vulnerability to the threat, and consequence from the terrorist action. For example, the risk estimate could refer to an attack by terrorists against food trade using a particular disease or toxin. The threat would then be an estimate of the terrorists’ priority for such an attack against the available alternatives. Vulnerability could be estimated as the likelihood of port interception, and the consequences would be an assessment of the impact of the disease. TVC analysis is an interactive approach designed to elicit areas where high threat levels, extreme vulnerabilities, and high consequences overlap (Fig. 1). It is the intersection of these events that causes security concerns. Mathematically, risk is estimated as
$$\text{Risk} = p(\text{attack occurs}) \times p(\text{attack results in damage} \mid \text{attack occurs}) \times E(\text{damage} \mid \text{attack results in damage})$$
3 TVC ANALYSIS AND THE DEPLOYMENT OF RESOURCES
TVC analysis should be viewed as part of an integrated terrorism risk management and response system that continually reviews prioritization decisions based on new knowledge. Components of the system include risk analysis, including target selection and resource prioritization; risk mitigation, including prevention of attacks and protection of assets; responses to attack; and mechanisms for recovery. Risk analysis provides identification and understanding of threats, assessment of vulnerabilities, and determination of potential impacts. Prevention provides detection and intervention measures, which are used to mitigate threats. Protection provides physical safeguards for critical infrastructure, property, and other economic assets. Response and recovery provide for the short- and medium-term private and public sector measures used to recover from a terrorist attack. TVC is an important component of this cycle, but it is not an end in itself.
TVC analysis attempts to provide a loss distribution for use in decision making. In this application, the distribution is a function of the threat to a target, the target’s vulnerability to the threat, and the consequences should the target be successfully attacked. Risk metrics can be applied to the different loss distributions derived for different risks to facilitate risk-based prioritization of resources. Metrics may include expected value, variance, skew or skewness (a measure of the asymmetry of the probability distribution of a real-valued random variable), and kurtosis (observations are spread in a wider fashion than the normal distribution, fewer observations cluster near the average, and more observations populate the extremes), all of which can be used to compare different targets, thus facilitating the risk-based prioritization of resources. Alternative metrics used in applied finance include value at risk (VaR); for example, see [20].
FIGURE 1 Overlapping regions of high threat, vulnerability, and consequence of great security risk. [Diagram labels: Threat, Vulnerability, Consequences, Risk.]
4 LIMITATIONS OF TVC ANALYSIS
Willis [6] outlines two limitations for consideration when applying TVC analysis. Firstly, Willis [6] draws a distinction between risk assessment and resource allocation, and argues that an efficient allocation of homeland security resources should distribute resources where they can most reduce risks, not where risks are greatest. Secondly, Willis [6] raises the difficult and contentious issue of establishing tolerable levels of risk, which is an important risk management decision. Both these issues are intertwined, as choices will depend on society’s willingness to accept some types of risk and mitigate others. The extent to which society self-insures risk and chooses to invest in risk mitigation is a complex issue. Willis [6] argues that risks may be tolerated simply because they are small compared to benefits obtained through the risky activity, and that risks may be tolerated because the available countermeasures could lead to equal or greater risks themselves.
The extent to which rational choices will be made will depend on society’s risk perceptions and on our ability to consider options. Simon [21] argues that individuals have a limited range of alternatives; that is, we do not know all the decision options available to us, and, even if we do, our conceptual limitations and time prevent us from comparing all of the options available. Other evidence supports this view. For example, Slovic et al. [22] argue that decision makers rarely have all options available to them. Given these constraints, it may be difficult to rationally allocate resources according to the principle of greatest risk reduction.
5 APPLYING THE TVC ANALYSIS FRAMEWORK
In this section, we review various studies that attempt to address some aspect of the quantification of risk. Linacre et al. [5] provide evidence of the ex-ante consequences of agroterrorism in developing countries. Gordon et al. [23] provide an ex-ante economic consequence analysis of the impacts of a 7-day shutdown of the commercial aviation system in the United States. Rose et al. [24] use a computable general equilibrium analysis to quantify the economic effects of a terrorist attack on the electrical transmission system of Los Angeles. Simonoff et al. [25] provide a statistical analysis of electrical power failures, which can be used for risk scenario construction. Willis et al. [4, 6] provide guidance on developing risk-based allocation mechanisms for resource allocation and discuss some aspects of catastrophe modeling. Keeney [26] discusses how structuring of objectives can help in understanding the incentives of terrorists and defenders. Finally, Bier [3] provides a game-theoretic perspective on the issue where a defender must allocate defensive resources to a collection of locations and an attacker must choose which locations to attack.
6 DEALING WITH UNCERTAINTY
The methods above allow us to estimate risk, but we also need to put bounds on that risk. There are a number of ways of incorporating uncertainty about parameter values and assumptions in models. The following methods allow us to set bounds on our risk assessment results that represent the confidence we have in our answers.
Scenario (what-if) and sensitivity analyses are among the most straightforward ways to assess the effect of uncertainty, simply by altering the parameter values and repeating the calculation [14]. Such an approach may become unwieldy when a large number of parameters are involved [14].
Worst-case analysis is the traditional approach to ecological risk assessment, which recognizes that uncertainty exists but does not try to model it explicitly. Instead, the parameter values are set so that the overall risk estimate is conservative [14]. Many people argue that such approaches result in hyperconservative estimates of the risk and impose a high cost on society for little benefit.
Monte Carlo analysis uses probability theory and numerical analysis to combine uncertainty in a way that reveals how probable each of the possible outcomes is [14, 27–29]. Its usefulness depends on the availability of data to estimate parameters for statistical distributions. In many problems, the data will not be available to estimate the parameters or identify the distribution [30].
Interval arithmetic provides another method to incorporate uncertainty. Most scientific disciplines quote best estimate values plus or minus an error term, expressing uncertainty in the best estimate. These measures can be expressed as intervals, which are closed bounded subsets of the real line, $[a, b] = \{x : a \le x \le b\}$ [31]. Intervals have mathematical properties that allow us to propagate uncertainty about best-estimate numbers through a series of calculations [14].
Fuzzy numbers are a generalization of intervals and have mathematical properties that allow the propagation of uncertainty about best-estimate numbers through a series of calculations [14].

TABLE 1 Comparing TVC and Catastrophe Model Structure

| TVC Analysis | Catastrophe Model |
| --- | --- |
| Assessing threats, for example, dirty bomb attack | Stochastic module randomly generates a catastrophic event |
| | Hazard module is used to determine the geographical effect of a catastrophic event brought about by variations in topography |
| Vulnerability analysis | Vulnerability module, which is used to calculate damage to buildings, contents, and business turnover, based on a number of factors including building type, design, and location |
| Consequence analysis | Financial module, which quantifies the financial loss to the insured |
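An added Python example (not part of the article or of the cited studies) that carries the risk product of Section 2.4 through the interval arithmetic and Monte Carlo methods of Section 6 and reports the loss-distribution metrics named in Section 3. The three sites, their parameter bounds, and the uniform sampling within each bound are constructed assumptions.

```python
import math
import random
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Interval:
    """Closed bounded interval [lo, hi] = {x : lo <= x <= hi}."""
    lo: float
    hi: float

    def __post_init__(self):
        if self.lo > self.hi:
            raise ValueError(f"empty interval [{self.lo}, {self.hi}]")

    def __mul__(self, other: "Interval") -> "Interval":
        # Interval product: the bounds are the extreme products of the endpoints.
        products = [a * b for a in (self.lo, self.hi) for b in (other.lo, other.hi)]
        return Interval(min(products), max(products))

    def sample(self, rng: random.Random) -> float:
        # Assumption: uniform within the bounds, for lack of better data.
        return rng.uniform(self.lo, self.hi)


@dataclass(frozen=True)
class Target:
    name: str
    threat: Interval         # p(attack occurs) in the planning period
    vulnerability: Interval  # p(attack results in damage | attack occurs)
    consequence: Interval    # E(damage | attack results in damage), $ million

    def __post_init__(self):
        for p in (self.threat, self.vulnerability):
            if p.lo < 0 or p.hi > 1:
                raise ValueError(f"{self.name}: probabilities must lie in [0, 1]")
        if self.consequence.lo < 0:
            raise ValueError(f"{self.name}: damage cannot be negative")


def risk_bounds(t: Target) -> Interval:
    """Risk = Threat x Vulnerability x Consequence, propagated as intervals."""
    return t.threat * t.vulnerability * t.consequence


def dominates(a: Target, b: Target) -> bool:
    """True only if a outranks b for every parameter value inside the bounds."""
    return risk_bounds(a).lo > risk_bounds(b).hi


def simulate_losses(t: Target, n: int = 100_000, seed: int = 1) -> List[float]:
    """Monte Carlo loss distribution: each draw is one simulated period."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n):
        attacked = rng.random() < t.threat.sample(rng)
        damaged = attacked and rng.random() < t.vulnerability.sample(rng)
        losses.append(t.consequence.sample(rng) if damaged else 0.0)
    return losses


def value_at_risk(losses: List[float], level: float) -> float:
    """Empirical VaR: the loss that is not exceeded with probability `level`."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(level * len(ordered)))]


def summarize(t: Target) -> dict:
    """Interval bounds on risk next to metrics of the simulated loss distribution."""
    losses = simulate_losses(t)
    mean = math.fsum(losses) / len(losses)
    variance = math.fsum((x - mean) ** 2 for x in losses) / len(losses)
    bounds = risk_bounds(t)
    return {"target": t.name, "risk_lo": bounds.lo, "risk_hi": bounds.hi,
            "mc_mean": mean, "mc_stdev": math.sqrt(variance),
            "var_99": value_at_risk(losses, 0.99)}


# Constructed inputs: three hypothetical sites with elicited parameter bounds.
TARGETS = [
    Target("Site A", Interval(0.01, 0.03), Interval(0.40, 0.60), Interval(500, 900)),
    Target("Site B", Interval(0.02, 0.05), Interval(0.10, 0.20), Interval(50, 150)),
    Target("Site C", Interval(0.001, 0.05), Interval(0.20, 0.80), Interval(200, 2000)),
]

if __name__ == "__main__":
    for row in sorted(map(summarize, TARGETS), key=lambda r: r["risk_hi"], reverse=True):
        print("{target}: risk in [{risk_lo:.2f}, {risk_hi:.2f}] $M, "
              "MC mean {mc_mean:.2f}, sd {mc_stdev:.1f}, VaR99 {var_99:.0f}".format(**row))
```

With these inputs Site A outranks Site B for every parameter value inside the bounds, while the interval for Site C overlaps both, so the data do not support a confident ordering of A and C.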
7 FURTHER READING
As previously mentioned, there are a number of related developments in different subject areas that may have utility for researchers and decision makers involved in security resources prioritization. In the finance literature, the development of risk metrics such as VaR provides approaches for the comparison of different portfolios of risks (see [20]). Within the insurance and actuarial literature, loss distributions (e.g. [8–10]), extreme value theory [31], and catastrophe modeling are relevant. The structures of catastrophe models are similar to the structure of TVC analyses. Catastrophe models are composed of a number of modules, and their relationship to TVC analysis is shown in Table 1 [7, 32, 33]. Catastrophe models may be used as a diagnostic tool to assess post-event loss. The model may be designed to investigate ideas about the relationships between causal factors and, finally, the model may be designed to forecast the frequency and magnitude of events [32]. It is in this last use that TVC analysis and catastrophe models have a similar application.
The political risk literature also provides a theoretical and applied underpinning for quantitative valuations of risk associated with war and political instability. A useful starting point into this literature is [34]. Further background reading on risk provides important information on acceptable levels of risk (e.g. [35, 36]). Fischhoff et al. [37] provide a useful paper on expert and lay perceptions of risk. Kahneman and Tversky [38] provide a seminal paper on how people make risk decisions, and finally [14, 27] provide important technical information on dealing with uncertainty.
8 CONCLUSIONS
TVC analysis offers a structured mechanism for addressing security resource allocation problems. However, it does not address the difficult and contentious issue of establishing tolerable levels of risk, which is an important risk management decision. The extent to which rational decisions will be made over the choice of tolerable levels of risk will depend on societal perceptions of risk. Rational-choice considerations also suggest that homeland security resources should be allocated to where they can most reduce risks, not necessarily where risks are greatest. The extent to which society is prepared to accept self-insurance of risks that cannot be readily mitigated is a complex issue and will also depend on societal perceptions. Further limitations arise in TVC analysis because of uncertainty around the basic parameters used in the models. It may be that it is impossible, given the available data, to make confident decisions about the prioritization of security resources because of the level of uncertainty. However, given all these limitations, TVC analysis remains an important methodological approach to assist decision makers to structure, explain, justify, and communicate decisions on security resource prioritizations.
REFERENCES
1. UNEP (2004). United Nations Environment Program, Global Environment Facility. http://www.unep.ch/biosafety/index.htm.
2. Krueger, A. B., and Malečková, J. (2003). Education, poverty and terrorism—is there a causal connection? J. Econ. Perspect. 17(4), 119–144.
3. Bier, V. M. (2007). Choosing what to protect. Risk Anal. 27(3), 607–620.
4. Willis, H. H., Morral, A. R., Kelly, T. K., and Medby, J. (2005). Estimating Terrorism Risk. MG-388-RC. RAND Corporation, Santa Monica, CA.
5. Linacre, N. A., Koo, B., Rosegrant, M. W., Msangi, S., Falck-Zepeda, J., Gaskell, J., Komen, J., Cohen, M. J., and Birner, R. (2005). Security Analysis for Agroterrorism: Applying the Threat, Vulnerability, Consequence Framework to Developing Countries. Discussion Paper 138. International Food Policy Research Institute, Washington, DC.
6. Willis, H. (2007). Guiding resource allocations based on terrorism risk. Risk Anal. 27(3), 597–606.
7. Grossi, P., and Kunreuther, H. (2005). Catastrophe Modeling: A New Approach to Managing Risk. Springer, New York.
8. Cox, D. R., and Hinkley, D. V. (1974). Theoretical Statistics. Chapman and Hall, London.
9. Hogg, R. V. (1984). Loss Distributions. Wiley, New York.
10. Klugman, S. A., Panjer, H. H., and Willmot, G. E. (1998). Loss Models from Data to Decisions. Wiley, New York.
11. Kaplan, S., and Garrick, B. J. (1981). On the quantitative definition of risk. Risk Anal. 1, 11–27.
12. Kaplan, S. (1997). The words of risk analysis. Risk Anal. 17, 407–417.
13. Stewart, M. G., and Melchers, R. E. (1997). Probabilistic Risk Assessment of Engineering Systems. Chapman and Hall, Melbourne.
14. Ferson, S., Root, W., and Kuhn, R. (1998). Risk Calc: Risk Assessment with Uncertain Numbers. Applied Biomathematics, New York.
15. Ayyub, B. A. (2005). Risk analysis for critical infrastructure and key asset protection. Presentation at Symposium on Terrorism Risk Analysis. University of Southern California, January 13–14, 2005.
16. Haimes, Y. Y. (2004). Risk Modeling, Assessment, and Management, 2nd ed. John Wiley & Sons, Hoboken, NJ.
17. von Winterfeldt, D., and Rosoff, H. (2005). Using project risk analysis to counter terrorism. Symposium of Terrorism Risk Analysis. University of Southern California.
18. CNS (Center for Non-proliferation Studies). (2006). Agroterrorism: Chronology of CBW Incidents Targeting Agriculture and Food Systems, 1915–2006. Posted at http://cns.miis.edu/research/cbw/agchron.htm.
19. Pate-Cornell, M. E. (2005). Risks of terrorist attack. Symposium of Terrorism Risk Analysis. University of Southern California.
20. McNeil, A., Frey, R., and Embrechts, P. (2005). Quantitative Risk Management: Concepts Techniques and Tools. Princeton University Press, Princeton, NJ.
21. Simon, H. A. (1956). Rational choice and the structure of the environment. Psychol Rev. 63(2), 129–138.
22. Slovic, P., Kunreuther, H., and White, G. F. (1974). The perception of risk. In Natural Hazards: Local, National, Global, G. F. White, Ed. Oxford University Press, New York.
23. Gordon, P., Moore, J. E., Park, J. Y., and Richardson, H. W. (2007). The economic impacts of a terrorist attack on the U.S. commercial aviation system. Risk Anal. 27(3), 505–512.
24. Rose, A., Oladosu, G., and Liao, S. (2007). Business interruption impacts of a terrorist attack on the electrical power system of Los Angeles: customer resilience to a total blackout. Risk Anal. 27(3), 513–516.
25. Simonoff, J. S., Restrepo, C. E., and Zimmerman, R. (2007). Risk-management and risk-analysis-based decision tools for attacks on electric power. Risk Anal. 27(3), 547–570.
26. Keeney, R. L. (2007). Modeling values for anti-terrorism analysis. Risk Anal. 27(3), 585–596.
27. Morgan, A., and Granger, M. (1990). Uncertainty: A Guide to Dealing with Uncertainty in Quantitative Risk and Policy Analysis. Cambridge University Press, Cambridge.
28. Nelson, B. L. (1995). Stochastic Modeling. McGraw-Hill, New York.
29. Vose, D. (1996). Quantitative Risk Analysis: A Guide to Monte Carlo Simulation Modelling. John Wiley & Sons, Brisbane.
30. Ferson, S., Ginzburg, L., and Akcakaya, R. (2003). Whereof one cannot speak: when input distributions are unknown. Risk Anal. http://www.ramas.com/whereof.pdf.
31. Moore, R. E. (1979). Methods and Applications of Interval Analysis. SIAM, Philadelphia, PA.
32. Sanders, D. E. A. (2005). The modelling of extreme events. Br. Actuar. J. 11(III), 519–572.
33. Kunreuther, H., and Michel-Kerjan, E. (2004). Challenges for terrorism risk insurance in the United States. J. Econ. Perspect. 18(4), 201–214.
34. Howell, L. D., Ed. (2002). Political Risk Assessment: Concepts, Methods, and Management. The PRS Group Inc., East Syracuse, NY.
35. Slovic, P., Fischhoff, B., and Lichtenstein, S. (1975). Cognitive process and societal risk taking. In 11th Symposium on Cognition and Social Behavior, J. S. Carroll, and J. W. Payne, Eds. Lawrence Erlbaum Associates, Carnegie-Mellon University, New York, pp. 165–184.
36. Fischhoff, B., Lichtenstein, S., Slovic, P., Derby, S. L., and Keeney, R. L. (1981). Acceptable Risk. Cambridge University Press, New York.
37. Fischhoff, B., Slovic, P., and Lichtenstein, S. (1982). Lay foibles and expert fables in judgements about risk. Am. Stat. 30, 240–255.
38. Kahneman, D., and Tversky, A. (1984). Choices, values, and frames. Am. Psychol. 39, 341–350.
KEY APPLICATION AREAS AGRICULTURE AND FOOD SUPPLY
VULNERABILITY OF THE DOMESTIC FOOD SUPPLY CHAIN
Peter Chalk RAND, Santa Monica, California
1 INTRODUCTION

Over the past decade, the United States has moved to increase its ability to detect, prevent, and respond to terrorist threats and incidents. Much of this focus, which has involved considerable financial outlays, has aimed at upgrading public infrastructure through the development of vulnerability threat analyses designed to maximize both antiterrorist contingencies and consequence management modalities. Although many gaps remain, investments in preparedness, training, and response have helped with the development of at least nascent homeland incident command structures that have incrementally begun to span the ambit of potential terrorist attacks, from conventional bombings to more “exotic” biological, chemical, radiological, and nuclear incidents.

Agriculture and food production have received comparatively little attention in this regard, however. In terms of accurate threat assessments and consequence management procedures, these related sectors exist somewhat as latecomers to the growing emphasis that has been given to critical infrastructure protection (CIP) in this country. Indeed at the time of writing, total funding for protecting the nation’s food supply stood at only $2.6 billion, a mere 2% of the US$130.7 billion in Congressional allocations earmarked for the United States Department of Agriculture (USDA) in Financial Year (FY) 2006.¹

This article expands the debate on domestic homeland security by assessing the vulnerabilities of American agriculture and related products to a deliberate act of biological terrorism.² It begins by examining key attributes of contemporary US farming and food processing practices that make them susceptible to deliberate disruption. The article then examines the main impacts that would be likely to result from a concerted biological attack against agriculture, focusing on both economic and political fallout. Finally an assessment of the operational utility of agro-terrorism is offered and contextualized in terms of the overall strategic and tactical calculations of the post-9/11 global jihadist militant movement.

¹ Agriculture, itself, was only included as a specific component of U.S. national counterterrorist strategy following al-Qaeda’s attacks on the Pentagon and World Trade Center in September 2001 [1].
² For the purposes of this analysis, agro-terrorism will be defined as the deliberate introduction of a disease agent, either against livestock or into the general food chain, for the purposes of undermining national stability and/or engendering public fear. Depending on the disease agent and vector chosen, it is a tactic that can be used either to generate economic, social, and political disruption or as a form of direct human aggression.

2 VULNERABILITY OF US AGRICULTURE AND FOOD PRODUCTION TO BIOLOGICAL ATTACK

Agriculture and the general food industry are highly important to the economic and, arguably, political stability of the United States. Although farming directly employs less than 3% of the American population, one in eight people works in an occupation that is directly supported by food production [2]. In FY 2006, net cash farm gate receipts stood at over US$64 billion, while a record US$68.7 billion was generated from agricultural exports—which, alone, equates to just under 1% of US Real Gross Domestic Product (GDP) [3].

Unfortunately, the mechanics for deliberately disrupting American agricultural and food production are neither expensive nor technically problematic. Many foreign animal diseases (FADs) can exist for extended periods of time on organic and inorganic matter and are characterized by high rates of mortality and/or morbidity (see Table 1 below), meaning that their latent potential to severely impact the health and trade in livestock is considerable. Significantly, the most lethal and contagious agents are nonzoonotic in nature, which necessarily precludes any need on the part of the perpetrator to have an advanced understanding of animal disease science or access to elaborate containment procedures (as there is no risk of accidental infection).³

TABLE 1 Selected FADs with Potential to Severely Impact Agricultural Populations and/or Trade

| FAD | Mortality/Morbidity | Zoonotic |
|---|---|---|
| Foot and Mouth Disease (FMD) | Less than 1%; however, morbidity near 100% | No |
| Classical swine fever (CSF) | High | No |
| African swine fever | 60–100%, depending on isolate virulence | No |
| Rinderpest (RP) virus | High | No |
| Rift valley fever (RVF) | 10–20% among adult populations; higher among young lambs, kids, and calves | Yes |
| Highly pathogenic avian influenza (AI) virus | Near 100% | Yes |
| Exotic Newcastle Disease (END) | 90–100% | Yes |
| Sheep and goat pox (SGP) viruses | Near 50%, although can be as high as 95% in animals less than one year old | No |
| Vesicular stomatitis (VS) virus | Low (however, morbidity near 90%) | Yes |

Source: Adapted from Committee on Foreign Animal Diseases, Foreign Animal Diseases.

³ Analysis based on author interviews and field research conducted between 1999 and 2006.
Moreover, because contemporary farming practices in the United States are so concentrated and intensive,⁴ a single point pathogenic introduction—if not immediately identified and contained—would be likely to spread very quickly. This is true both of crowded herds at the targeted facility and, due to the rapid and distant dissemination of animals from farm to market, to populations further afield. There is, in other words, no obstacle of weaponization to overcome as the primary vector for disease transmission is constituted by agricultural livestock itself.⁵ This particular “facet” of agro-terrorism is noteworthy as the costs and difficulties associated with appropriately manufacturing viral and bacterial microbial agents for widespread dissemination are frequently cited as the most significant barriers preventing nonstate offensive use of biological agents.⁶

As noted above, early identification and containment of a disease is vital to physically check its geographic spread. However, there are at least three factors that work against such a (favorable) scenario. First, many veterinarians lack the necessary expertise and training to diagnose and treat Foot and Mouth Diseases (FMDs) of the sort that would be most likely to be used in a deliberate act of sabotage.⁷ Second, producers are often reluctant to quickly report contagious outbreaks at their farms, fearing that if they do so they will be forced to carry out uncompensated (or at least undercompensated) depopulation measures.⁸ Third, the possibility of emerging diseases being overlooked has steadily risen, largely because the scale of contemporary agricultural practices effectively negates the option of tending for animals on an individual basis.⁹

These various considerations have particular salience to FMD, which constitutes arguably the most threatening of all FADs. Although the disease is usually not fatal, it does cause the onset of rapid weight loss, oral/hoof lesions, lameness, and mastitis, effectively rendering any infected livestock population economically useless (in terms of milk and meat production).¹⁰ More pointedly, FMD is extremely infectious,¹¹ environmentally hardy, frequently misdiagnosed,¹² and nonzoonotic—all of which directly contribute to its ease of management and potential rate of dissemination. The means for disseminating the virus could be as simple as scraping some vesicular droplets directly on to a cow (or other cloven hoof animal) or introducing the agent into a silage bin at a state agricultural fair or barn auction [6]. Given the intensive nature of contemporary American farming practices, a multifocal outbreak would be virtually assured: models developed by the USDA, for instance, have projected that FMD could be expected to spread to as many as 25 states in a minimum of 5 days.¹³

⁴ Most dairies in the United States, for instance, can be expected to contain at least 1500 lactating cows at any one time, with some of the largest facilities host to upwards of 1000 animals.
⁵ Analysis based on author interviews and field research conducted between 1999 and 2006.
⁶ A good summary of the technical constraints inherent in weaponizing biological agents can be found in [4].
⁷ Comments made by USDA officials attending the National Research Council National Security Implications of Advances in Biotechnology: Threats to Plants and Animals planning meeting, Washington, D.C., August 1999.
⁸ At the time of writing, no standardized or consistent system to compensate farmers affected by pathogenic outbreaks existed in the United States, with all indemnity payments determined on a case-by-case basis.
⁹ Analysis based on author interviews and field research conducted between 1999 and 2006.
¹⁰ For more on the etiology and effects of FMD see [5].
¹¹ FMD is one of the most contagious diseases known to medical science and has been equated as the animal equivalent to smallpox in terms of subject-to-subject spread.
¹² This reflects the general lack of expertise on the part of veterinarians in FAD identification as well as the fact that the clinical signs of FMD are not always immediately apparent (a pig, for instance, typically starts shedding vesicular droplets 7–10 days prior to symptoms becoming visibly evident).
¹³ Author interviews with USDA officials, Washington D.C. and Maryland, 1999–2000.
Weaknesses and gaps are equally pertinent to food processing and packing plants, particularly those that have proliferated at the lower to medium end of the production spectrum. Thousands of these facilities exist across the United States, many of which exhibit uneven internal quality control,¹⁴ questionable biosurveillance, and highly transient, unscreened workforces.¹⁵ Entry–exit controls are not always adequate (and occasionally do not exist at all) and even basic measures, such as padlocking warehouses and storage rooms, may not be practiced.

Exacerbating problems are developments in the farm-to-table food continuum, which have greatly increased the number of potential entry points for easy to cultivate toxins and bacteria, such as botulism, Escherichia coli, and Salmonella (all of which are tasteless, odorless, and colorless).¹⁶ Perishable, ready-to-eat products present a special hazard, largely because they are quickly distributed and consumed without cooking (a good “back-end” defense against microbial introduction) [8]. Moreover, because many small-scale operations do not maintain up-to-date (much less accurate) records of their distribution network, tracing exactly where a food item tainted in this manner has gone may not be possible [9].

Underscoring these various difficulties is a dearth of definitive real-time technologies for detecting biological and chemical contaminants. As a result, possibilities for preemptive action are extremely limited as in virtually all cases health authorities would probably only become aware of an attack after it has occurred [10].

These gaps and weaknesses are particularly alarming given the lack of effective government regulation over food production and packing plants. While full implementation of the Hazard Analysis and Critical Control Points (HACCP)¹⁷ is now theoretically in place at all factories that slaughter and process meat and poultry, the number of facilities that exist in the United States relative to available federal and state inspectors largely precludes options for enforced compliance and auditing.¹⁸ Problems are even greater with regard to plants that deal with fresh-cut fruits and vegetables, most of which are devoid of any form of oversight or control [12]. Although a major food scare in 2006 involving spinach tainted with E. coli O157:H7¹⁹ has served to generate pressure for enhanced biosecurity and surveillance at these facilities, progress has been halting at best. Revised regulations issued by the Food and Drug Administration (FDA) in 2007²⁰ remain voluntary; with the notable exception of California, most state governments have failed to put in place definitive guidelines of their own.²¹

¹⁴ For instance, a facility manufacturing pre-packaged open-faced meat or poultry sandwiches falls under the authority of the USDA; those specializing in closed-faced varieties with identical ingredients come under the auspices of the Food and Drug Administration (FDA). The former will be inspected every day while the latter may only be checked once every five years [7].
¹⁵ The Bush administration has pledged to upgrade the screening of workers employed at food processing and packing plants. At the time of writing, however, definitive checks had still to be put in place and it was still not apparent to what extent they would apply to small and medium scale plants throughout the United States.
¹⁶ Analysis based on author interviews and field research conducted between 1999 and 2006.
¹⁷ Under the HACCP rule, all meat and poultry producing facilities are required to identify critical control points where microbial contamination is likely to occur and enact Food Safety and Inspection Service (FSIS) designated systems to prevent or reduce the likelihood of it taking place. HACCP controls were introduced at the country’s largest plants in January and have since been extended to all smaller facilities, including those with 10 employees or fewer.
¹⁸ As of 2006, the number of inspectors at the USDA had declined from 9000 to 7500 and at the FDA from 2200 to 1962. See [11].
¹⁹ The 2006 outbreak killed 3 and sickened 205. See [13].
²⁰ The 2007 guidelines are the first to have been issued since 1998. The new (voluntary) procedures call for constant monitoring and control of vulnerable places in the production cycle where bacteria are likely to form; urge regular record keeping for recalls; and outline recommendations relating to the health and hygiene of workers as well as sanitation operations. See [14].
3 IMPACT OF A MAJOR BIOLOGICAL ACT OF AGRO-TERRORISM

The ramifications of a concerted bioassault on the US meat and food base would be far-reaching and could extend beyond the immediate agricultural community to affect other segments of society. Perhaps one of the most immediate effects of a major act of biological agro-terrorism would be economic disruption, generating costs that could be expected to cross at least three levels. First, there would be direct losses resulting from containment measures and the eradication of disease-ridden livestock. Second, indirect multiplier effects would accrue both from compensation paid to farmers for the destruction of agricultural commodities²² and revenue deficits suffered by both directly and indirectly related industries. Third, international costs in the form of protective embargoes imposed by major external trading partners would manifest.

As the 2001 FMD outbreak in the United Kingdom bears testimony, the overall extent of these costs could be enormous. The epidemic, which led to the destruction of some 6,456,000 sheep, cattle, and pigs, is estimated to have cost the British government GBP2.7 billion (see Table 2), equivalent to over 0.2% of the country’s GDP at the time. In addition, there were substantial knock-on effects to other sectors of the economy, impacting on even distantly related industries. Tourism, for instance, is projected to have lost between GBP2.7 and GBP3.2 billion of value added in 2001 as a result of the closure/quarantine of farms located in or near popular holiday destinations, such as the Lake District and Peak District [15].

TABLE 2 Expenditure by the United Kingdom Government in Response to the 2001 FMD Outbreak

| Activity | Actual Expenditure to May 24, 2002 (GBP million) |
|---|---|
| Payments to farmers | |
| Compensation paid to farmers for animals culled and items seized or destroyed | 1130 |
| Payments to farmers for animals slaughtered for welfare reasonsᵃ | 211 |
| Total payments to farmers | 1341 |
| Direct costs of measures to deal with the epidemic | |
| Haulage, disposal and additional building work | 252 |
| Cleaning and disinfecting | 295 |
| Extra human resource costs | 217 |
| Administration of the Livestock Welfare (Disposal) Scheme | 164 |
| Payments to other government departments, local authorities, agencies and others | 73 |
| Miscellaneous, including serology, slaughterers, valuers, equipment, and vaccine | 66 |
| Claims against the Ministry of Agriculture | 5 |
| Total direct costs | 1074 |
| Other costs | |
| Cost of government departments’ staff time | 100 |
| Support measures for businesses affected by the outbreakᵇ | 282 |
| Total other costs | 382 |
| Total costs | 2797 |

ᵃ Includes payments of GBP205.4 million under the Livestock Welfare (Disposal) Scheme and GBP3.5 million under the Light Lambs Scheme.
ᵇ Includes money available under European Union (EU) market support measures for agri-monetary compensation in respect of currency movements.

The effects of a multifocal outbreak in the United States would far exceed these figures simply because the scale of agriculture in the country is far greater than that in the United Kingdom. A 1999 study that projected eight different scenarios associated with a theoretical FMD outbreak in California, for instance, concluded that losses from depopulation measures, quarantine, and trade/output disruption to this state alone would exceed US$13 billion [16].

The potential for punitive costs arising out of agro-terrorism is equally pertinent to product contamination. At the time of writing, the projected costs to the American spinach industry of the 2006 E. coli outbreak, noted above, were expected to be between $75 and $100 million, with each acre loss amounting to roughly $3700 for the farmer [17]. Although the incident was accidental, it provides a good data point to illustrate how quickly negative fiscal reverberations can ensue from cases of food poisoning.

Beyond its economic impact, a successful biological strike against agriculture could undermine confidence and support in government. Successfully releasing contagious agents against livestock might cause people to lose confidence in the safety of the food supply and could possibly lead them to question the effectiveness of existing contingency planning against weapons of mass destruction in general. Critics, perhaps unfairly and with the benefit of hindsight, would doubtless demand to know why the intelligence services failed to detect that an attack was forthcoming and why the agriculture sector was left exposed. In an age where counterterrorism has emerged as arguably the country’s single most important national security priority, such reactions could conceivably serve to undermine popular perceptions of state effectiveness, if not credibility.

The actual mechanics of dealing with an act of agricultural bioterrorism could also generate public criticism. Containing a major disease outbreak would necessitate the slaughter of hundreds of thousands of animals, particularly in cases where no concerted vaccination was in place. Euthanizing such volumes has the potential to generate vigorous opposition from the general population—not to mention farmers and animal rights advocates—particularly if slaughtering involved susceptible but nondisease showing herds (in so-called “stamping out” operations) and/or wildlife. To be sure, mass eradication has occurred in the past in the United States without triggering widespread civil disquiet. However, such operations have not involved large-scale husbandry (for the most part focusing on poultry flocks) nor have they been the subject of intensive media interest and scrutiny. It is these latter aspects that have relevance in terms of assessing the possible fallout from culling measures, largely because they necessarily mean there has never been a visual point of reference to prepare the American general public for the consequences of eradicating highly visible animal herds [18].

The 2001 FMD outbreak in the United Kingdom, again, provides a salient example of the political ramifications that can result from mass animal eradication. The measures instituted by the Blair administration to stem the epidemic elicited significant criticism from farmers, scientists, opposition politicians (many of whom claimed that the government’s actions were entirely unethical), and the public (especially after it discovered that FMD did not actually kill infected animals).²³ The following commentary in the Times newspaper is representative of the type of outrage that was expressed during the height of the crisis:

Policy on foot and mouth disease is now running on autopilot . . . . Nothing in the entire history of the common agriculture policy has been so crazy. The slaughter is not declining but running at 80,000 a day . . . . At the last estimate, 95 percent of the three to four million animals dead or awaiting death are healthy . . . . The obscenity of the policy is said to be irrelevant “because of its success”. Yet what other industry would be allowed to protect its profits by paying soldiers with spades to kill piglets and drown lambs in streams? What other industry could get civil servants to bury cattle alive or take pot shots at cows from a 60 ft range? What other industry can summon teams from Whitehall to roam the lanes of Forest Dean, as one frantic farmer telephoned me, “like Nazi stormtroopers seeking healthy sheep to kill on the authority of a map reference?” [19]

²¹ Following the E. coli outbreak, which originated from farms and production plants in Salinas and Oxnard, California moved to put in place stringent, mandatory rules covering water quality, worker sanitation, and wildlife control. At the time of writing, some 90% of the state’s lettuce and leafy green processors were by these standards.
²² Although the United States has no standardized system of compensation in place, Federal funds would be forthcoming in the event of a large-scale agricultural disaster such as a multifocal outbreak of FMD.
4 BIOLOGICAL ASSAULTS AGAINST AGRICULTURE AND TERRORISM MODUS OPERANDI

Despite the ease with which an act of agro-terrorism could be carried out and the severe political and economic ramifications that a successful assault could elicit, it is unlikely to constitute a primary form of terrorist aggression. This is because such acts would probably be viewed as “too dry” in comparison with traditional tactics in the sense that they do not produce immediate, visible effects. The impact, while significant, is delayed—lacking a single point of reference for the media to focus on (and highlight) [20].

In this light, it is perhaps understandable that biological attacks against agriculture have not emerged as more of a problem. Indeed, since 1912, there have only been 14 documented cases involving the substate use of pathogenic agents to infect livestock or contaminate related products (see Table 3). Of these, only three incidents could realistically be linked to a wider campaign of political violence and/or intimidation: the 1952 Mau Mau plant toxin incident in Kenya, the 1984 Rajneeshee Cult salmonella food poisoning in Oregon, and the release of sewer water onto Palestinian agricultural fields by Israeli settlers in 2000 (see Table 3).²⁴

²³ Author observations, United Kingdom, June–July 2001.
²⁴ In addition to these cases, there have also been four confirmed uses of chemical agents to contaminate agricultural products: (i) The use of cyanide to poison the water supply of a 1000-acre farm owned and operated by Black Muslims in Ashville, Alabama (1970); alleged perpetrator: the local chapter of the Ku Klux Klan (KKK). (ii) The use of cyanide to poison Chilean grape exports (1989); perpetrator: anti-Pinochet militants. (iii) The use of chlordane (a pesticide) to contaminate animal feed manufactured by National By-Products, Inc. in Berlin, Wisconsin (1996); perpetrator: Brian “Skip” Lea, the owner of a rival animal food processing facility. (iv) The use of “black leaf 40” (an insecticide) to contaminate 200 pounds of ground beef in Michigan (2003); perpetrator: Randy Betram, a disgruntled employee at the Byron Center Family Fare Supermarket. For further details see [21].
TABLE 3 Nonstate Use of Biological/Toxic Agents Against Agriculture and Food, 1912–2006

| Year | Nature of Incident | Alleged Perpetrators |
|---|---|---|
| Confirmed use of agent | | |
| 2000 | Contamination of Palestinian agricultural land with sewer water | Israeli settlers in the West Bank |
| 1997 | The spread of hemorrhagic virus among the wild rabbit population in New Zealand | New Zealand farmers |
| 1996 | Food poisoning using Shigella in a Texas hospital | Hospital lab worker |
| 1995 | Food poisoning of estranged husband using ricin | Kansas physician |
| 1984 | Food poisoning using Salmonella in salad bars in Oregon | Rajneeshee Cult |
| 1970 | Food poisoning of Canadian college students | Estranged roommate |
| 1964 | Food poisoning in Japan using Salmonella and dysentery agents | Japanese physician |
| 1952 | Use of African bush milk (plant toxin) to infect livestock | Mau Mau |
| 1939 | Food poisoning in Japan using Salmonella | Japanese physician |
| 1936 | Food poisoning in Japan using Salmonella | Japanese physician |
| 1916 | Food poisoning in New York using various biological agents | Dentist |
| 1913 | Food poisoning in Germany using cholera and typhus | Former chemist employee |
| 1912 | Food poisoning in France using Salmonella and toxic mushrooms | French druggist |
| Threatened use of agent | | |
| 1984 | Attempt to kill a racehorse with various pathogens (insurance scam); confirmed possession | Two Canadians |
| 1984 | Threat to introduce FMD into wild pigs, which would then infect livestock; no confirmed possession | Australian prison inmate |

Source: Carus, Bioterrorism and Biocrimes; Parker, Agricultural Bioterrorism, 2–21; CNS, “Chronology of CBW Incidents Targeting Agriculture and Food Systems, 1915–2006.”
That being said, agro-terrorism could emerge as a favored form of secondary aggression that is designed to exacerbate and entrench the general societal disorientation caused by a more conventional campaign of bombings. The mere ability to employ cheap and unsophisticated means to undermine a state’s economic base and possibly overwhelm its public management resources gives livestock and food-related attacks a beneficial cost/benefit payoff that would be of interest to any group faced with significant power asymmetries.
For at least two reasons, these considerations have particular relevance to the international jihadist movement that is ideologically personified by Al-Qaeda. First, Bin Laden has long asserted that using biological agents in any manner possible to harm western interests is a religious duty incumbent on all Muslims and one that is perfectly in line with religious precepts as set forth by Allah [22]. While the thrust of this message has undoubtedly been toward mass strikes intended to inflict large-scale loss of human life, the ability to pull off audacious operations on this scale is highly questionable given the tactical and strategic set-backs that have befallen Islamist extremists as a result of the Global War on Terror (GWOT) post-9/11.²⁵ Bioattacks against agriculture, however, would appear to be ideally suited to the operational constraints of the post-9/11 era in that they are cheap, low risk, easy to perpetrate, and well-attuned to the operational capabilities of locally based affiliates acting in a largely self-sufficient, if not fully independent manner.

Second, as discussed, agro-terrorism has a genuine capacity to economically disrupt and destabilize. This would fit well with Al-Qaeda’s self-declared intention to destroy Washington (and its western allies) through a concerted “bleed to bankruptcy” strategy. Initially enunciated by Bin Laden in 2004, this approach stems from a conviction that the United States is a “paper tiger” that can be crippled simply by removing the key anchors and pillars, which are critical to upholding the integrity of the country’s fiscal base [24].²⁶ More specifically, it is a stratagem that seeks to impose a debilitating asymmetric cost-burden²⁷ on the American economy through the use of modalities that, while cheap, retain a realistic capacity to trigger cascading, ultimately nonsustainable monetary effects [26]. Disseminating biological agents against agricultural livestock and products would certainly fulfill such a requirement.

²⁵ These set-backs include the loss of safehaven in Afghanistan, the elimination/detention of senior midlevel commanders and the seizure of terrorist finances. The combined effect has been to transform Al-Qaeda into a movement of movements that has become more nebulous, segmented, and polycentric in nature and one which has, accordingly, been forced to focus on attacks that offer “the course of least resistance”. For more on the operational dynamics of Al-Qaeda post-9/11 see [23].
²⁶ For Bin Laden, the American economy constitutes the principal anchor of a morally bankrupt and dysfunctional western system that he regards as having prevented Islam from assuming its “rightful” place as the world’s pre-eminent religion and culture.
²⁷ Al-Qaeda has made much of the economic burden imposed by the GWOT, stressing that for every US$1 spent by the international jihadist movement, US$1 million was being expended by the United States. In many ways this assessment has been borne out. A study by the UK-based International Institute for Strategic Studies (IISS), for instance, calculated the costs of the global war on terror to Al-Qaeda at roughly US$500,000 compared to US$500 billion for Washington (not taking into account budgetary allocations for the war in Iraq). See [25].

REFERENCES

1. United States Department of Agriculture (2006). 2006 Performance and Accountability Report, USDA, Washington, DC, 5, p. 48.
2. (a) Agriculture Research Service (2000). Econoterrorism, a.k.a. Agricultural Bioterrorism or Asymmetric Use of Bioweapons, unclassified briefing given before the USDA, February 28; (b) Henry, P. (2002). Agricultural Bioterrorism: A Federal Strategy to Meet the Threat, Institute for National Strategic Studies, National Defense University, Washington, DC, p. 11.
3. (a) USDA 2006 Performance and Accountability Report, 48; (b) Statement by Keith Collins, Chief Economist, USDA, Before the Senate Appropriations Subcommittee on Agriculture, Rural Development and Related Agencies, 30 March 2006, available on-line at http://www.usda.gov/oce/newsroom/congressional testimony/Collins SenateApprop 033006. doc, last accessed March 11, 2006.
4. Carus, S. (1999). Bioterrorism and Biocrimes: The Illicit Use of Biological Agents in the 20th Century, Center for Counterproliferation Research, National Defense University, Washington, DC, pp. 26–29.
5. Committee on Foreign Animal Diseases (1998). Foreign Animal Diseases, United States Animal Health Association, Richmond, VA, pp. 213–224.
6. Observations Made During the Blue Ribbon Panel on the Threat of Terrorism to Livestock and Livestock Products, White House Conference Center, Washington DC, December 8–9, (2003).
7. (a) Testimony of Robert Robinson, “Food Safety and Security,” given before the Subcommittee on Oversight of Government Management, Restructuring, and the District of Columbia of the Committee on Governmental Affairs, U.S. Senate, Washington, DC, October 10, (2001); (b) Has politics contaminated the food supply. NY Times December 11, (2006).
8. Habenstreit, L. (2007). Workshop aims to protect Asia-Pacific region’s food supply from deliberate contamination. Foreign Agricultural Service (FAS) Worldwide, available on-line at http://www.fas.usda.gov/info/fasworldwide/2007/01-2007/FoodDefense.htm, last accessed March 12, 2007.
9. California Department of Health and Human Services (2000). Author Interviews, Sacramento, August.
10. Canadian Food Inspection Agency (CFIA) (2006). Workshop on the Assessment of Risk and Vulnerability in Relation to Terrorism, Ottawa, March 21–23.
11. Martin, A. (2006). Stronger rules and more oversight for produce likely after outbreaks of E-coli. NY Times, December 11.
12. Pollan, M. (2006). The vegetable-industrial complex. NY Times Mag.
13. Food and Drug Administration (2007). FDA Finalizes Report on 2006 Spinach Outbreak, FDA News, March 23, available on-line at http://www.fda.gov/bbs/topics/NEWS/2007/NEW 01593.html, last accessed March 27, 2007.
14. Burros, M. (2007). F.D.A. offers guidelines to fresh-food industry. NY Times.
15. Foot and Mouth Disease 2001: Lessons to Be Learned Inquiry Report, Her Majesty’s Stationery Office (HMSO), London, 22 July 2002, pp. 130–135.
16. Ekboir, J. (1999). Potential Impact of Foot-and-Mouth Disease in California, Agricultural Issues Center, University of California, Davis, Davis, CA, p. 65.
17. (a) McKinley, J. Farmers vow new procedures; Bacteria eyed in boy’s death. NY Times September 22, 2006; (b) Wood, D. (2007). Spinach growers tally losses. Christ. Sci. Monitor September 27, 2006, available on-line at http://www.csmonitor.com/2006/0922/p02s01-usec.html, last accessed March 27; (c) Spinach Farmers Try to Grow Public’s Confidence, MSNBC News, October 2, 2006, http://www.msnbc.msn.com/id/15095551 last accessed March 27, 2007.
18. Agriculture Research Service (ARS) (2003). Author Interview, Washington, DC, October.
19. Jenkins, S. (2001). This wretched cult of blood and money. The Times.
20. Jenkins, B. (1988). Future Trends in International Terrorism. In Current Perspectives on International Terrorism, R. Slater and M. Stohl, Eds. Macmillan Press, London.
21. (a) Bioterrorism–the threat in the western hemisphere. Pan American Health Organization, 13th Inter-American Meeting, at the Ministerial Level, On Health and Agriculture. Washington, DC, 24–25 April, 2003; (b) Chronology of CBW Incidents Targeting Agriculture and Food Systems 1915–2006, Monterey Institute for International Studies (MIIS) Center for Nonproliferation Studies (CNS), June 2006, available on-line at http://cns.miis.edu/research/cbw/agchron.htm, last accessed March 27, 2007; (c) Wooton, J. (1970). Black muslims would sell farm to klan. NY Times; (d) Poison is suspected in death of 30 cows on a muslim farm. NY Times (March 16, 1970); (e) Jones, R. (1997). Product recalled in four states; animal feed tainted in Act of Sabotage. Milw. J. Sentinel; (f) Neher, N. Food Terrorism: The Need for a Coordinated Response–The Wisconsin Experience, Wisconsin Department of Agriculture, Trade and Consumer Protection, n.d.a.
22. (a) The world’s newest fear: germ warfare. Vanc. Sun (Canada), September 24, 2001; (b) Fear and breathing. Economist September 29, 2001.
23. Chalk, P., Hoffman, B., Reville, R., and Kasupski, A.-B. (2005). Trends in Terrorism: Threats to the United States and the Future of the Terrorism Risk Insurance Act, RAND, Santa Monica, CA, pp. 11–16.
24. (a) Chalk et al., Trends in Terrorism, pp. 13–14; (b) Flynn, S. (2004). The neglected homefront. Foreign Aff. (September/October), 25.
25. Hunt, M. (2007). Bleed to bankruptcy. Jane’s Intell. Rev. 14–15.
26. Hunt, M. (2007). Bleed to bankruptcy. Jane’s Intell. Rev. 14–17.
FURTHER READING

Administration plans to use plum island to combat terrorism. NY Times September 21, (1999).
Agriculture Research Service (1961). Agriculture’s Defense Against Biological Warfare and Other Outbreaks, USDA, Washington, DC.
Agro-terrorism still a credible threat. Wall St. J. December 6, (2001).
Brown, C. The impact and risk of foreign animal diseases. Vet. Med. Today 208(7).
Chalk, P. (2004). Hitting America’s Soft Underbelly. The Potential Threat of Deliberate Biological Attacks Against the U.S. Agricultural and Food Industry, RAND, Santa Monica, CA.
Gordon, J., and Bech-Nielsen, S. (1986). Biological terrorism: a direct threat to our livestock industry. Mil. Med. 151(7).
Gorman, S. (1999). Bioterror down on the farm. Natl. J. 27.
Hugh-Jones, M., and Brown, C. (2006). Accidental and intentional animal disease outbreaks: assessing the risk and preparing an effective response. In Biological Disasters of Animal Origin: The Role and Preparedness of Veterinary and Public Health Services, M. Hugh-Jones, Ed. Scientific and Technical Review, Dinh Nam, Vol. 25, No. 1, Special Issue.
Kelly, T., Chalk, P., Bonomo, J., Parachini, J., Jackson, B., and Cecchine, G. (2004). The office of science and technology policy Blue Ribbon Panel on the threat of biological terrorism directed against livestock. Proceedings of a Conference, RAND, Santa Monica, CA.
Parker, H. (2002). Agricultural Bioterrorism: A Federal Strategy to Meet the Threat, McNair Paper 65. Institute for National Strategic Studies, Washington, DC.
Steele, N. (2000). U.S. Agricultural Productivity, Concentration and Vulnerability to Biological Weapons, Unclassified Briefing, Department of Defense Futures Intelligence Program, Washington, DC.
KEY APPLICATION AREAS
THE GLOBAL FOOD SUPPLY CHAIN Justin J. Kastner Kansas State University, Manhattan, Kansas
Cobus L. Block University of Wyoming, Laramie, Wyoming
1 INTRODUCTION

Any attempt to understand the global food supply chain and its security must draw on multiple academic perspectives. Indeed, today’s multidimensional global food supply chain—which features a range of state and private actors (e.g. producers, consumers, intermediary companies, and a cornucopia of regulatory institutions) and issues (e.g. social, economic, and political concerns)—is best understood using a multidisciplinary approach [1]. Perhaps fittingly, this article is authored by scholars affiliated with the expressly interdisciplinary Frontier program for the historical studies of border security, food security, and trade policy (http://frontier.k-state.edu). Drawing on food science, public health, history, political science, economics, and the discipline of international political economy, this article seeks to describe the inherent complexity of the global food supply chain, including food security-seeking policies and programs that have been adopted by governments and food companies; external threats including, but not limited to, agroterrorism and bioterrorism; and novel approaches whereby public and private institutions and agents can better manage the safety and security of food supply chains that span borders. The article concludes with outstanding research questions and themes relevant to ensuring the safety and security of the global food supply chain.
2 THE GLOBAL FOOD SUPPLY CHAIN: A COMPLEX NETWORK OF INDUSTRY STANDARDS, GOVERNMENT REGULATIONS, AND BUSINESS PRACTICES

In today’s globalized economy, food moves along a multisegmented production-to-consumption sequence: from primary producers to processors and manufacturers, to distributors and wholesalers, to retailers, and ultimately to consumers. This supply chain is further complicated when food crosses nation-state borders—perhaps multiple times. At different points, businesses and governments intervene in this flow to ensure food safety and food security.

The term food security is oftentimes contested and its meaning debated across history. Although previously food security connoted ensuring enough food for a population, today food security covers many different aspects of the global food supply chain—ensuring a safe, secure, adequate, as well as cost-effective food supply [2]. This comprehensive understanding of food security requires an appreciation that cross-border trade flows
both ensure food security through the provision of food imports and, potentially, can threaten food security through the introduction of accidentally or deliberately introduced hazards.

The global food supply chain begins with the production-oriented foundation—agriculture. Agriculture, viewed by some as the “first step” in the supply chain, involves the growing of plants and raising of animals for food and other materials. Multiple countries are involved in agricultural production, and in many agricultural sectors production is concentrated in a relatively small set of geographically large countries. For example, in arable agriculture, China produces the most rice, wheat, and potatoes; the United States grows the most corn (maize) and soybeans (soya); and the Russian Federation produces the most barley [3]. This first step of production is succeeded by a complex network of transportation, processing, manufacturing, packaging, distribution, retailing, and food service institutions.

In the United States and elsewhere, history has witnessed the development of multiple laws, agencies, and regulations to help ensure the safety and security of the food supply. Although some countries (e.g. the United Kingdom) have since instituted efforts to consolidate governance (e.g. in the UK Food Standards Agency), others (e.g. the United States) continue to regulate the food supply chain with a litany of institutions and laws—arguably, as many as 15 agencies and 35 laws, depending on how one organizes and counts them [4, 5].

Although agriculture is viewed by some as the “first step” in the global food supply chain, attention is also due to those economic and technological realities at work that make agriculture—and, indeed, the subsequent steps of the global food supply chain—possible in the first place.
Both economic forces (often in the form of foreign direct investment) and technology represent kinds of “prerequisites” that help ensure not only the production of food but also its distribution, safety, and security. In this regard, an historical perspective is illustrative. During the late nineteenth century, the agricultural production capacity of the United States expanded due in part to the provision of capital to US agricultural enterprises. From ranches and meat-packing to farms and milling, Great Britain helped plant the seeds for food supply chains that would bring, to Britain and elsewhere, foodstuffs from the United States [6]. British investment in railroads and steamship transportation also helped enable a supply chain that, in effect, helped ensure the provision of enough food for a growing British population [7]. The reality of foreign direct investment shows that there are, upstream from agricultural production, economic elements in the food supply chain.

Downstream from investment and agricultural production, one sees food traverse state borders. The volumes of food produced, exported, and imported are such that 100% inspection by food safety and food security officials is, quite simply, not possible [8]. Therefore, risk management-oriented approaches are needed. In recent history, many food companies and governments have adopted, for example, Hazard Analysis and Critical Control Point (HACCP) systems that can be used to manage risks in both domestic and global food supply chains. Broadly, the principles of HACCP were adopted in the United States and European Union (EU) in 1992 and 1993. The Codex Alimentarius Commission, which is one of the three food-trade standard-setting bodies recognized by the World Trade Organization (WTO), adopted HACCP principles in 1993 [9]. Since 1993, countries and companies across the globe have embraced HACCP through regulations as well as business practices.
Although HACCP deals with biological, chemical, and physical hazards in the food system, it does not necessarily ensure another key element of supply chain security: traceability and in-plant security. In a 2007 food industry magazine, Alan Naditz cites Washington State University food-bioterrorism expert Dr. Barbara Rosco in this regard: food-supply chain security requires knowledge of both the origin and status of food products, and the only way to ensure that is to have robust programs that can trace food and ensure food-plant security [10]. Not surprisingly, recent years have witnessed ramped-up efforts to institute animal identification and crop traceability programs, as well as food defense planning designed to ensure food-plant security.

3 THREATS AND CHALLENGES TO THE NORMAL FUNCTIONING OF THE GLOBAL FOOD SUPPLY CHAINS

The global agricultural and food trade, long recognized as one of the most contentious areas of world economic affairs [11], has become more problematic as concerns about agroterrorism and bioterrorism have elicited new governmental regulations and business practices. In addition, health-protection regulations have spawned trade disputes, and previously excluded social considerations have entered into regulation and marketing activities along the global food supply chain. Today, economic and liability pressures are increasingly felt “upstream” in the supply chain. The example of China illustrates many formidable food-security challenges.

3.1 Agroterrorism and Bioterrorism

Since the terrorist attacks on the United States on September 11, 2001, renewed attention has come to the twin issues of “agroterrorism” and “bioterrorism.” In this regard, the following definitions, courtesy of the Center for Food Security and Public Health at Iowa State University, offer an introductory explanation:

Agroterrorism. The use, or threatened use, of biological (to include toxins), chemical, or radiological agents against some component of agriculture in such a way as to adversely impact the agriculture industry or any component thereof, the economy, or the consuming public [12].

Bioterrorism. The use of microorganisms or toxins derived from living organisms to cause death or disease in humans, animals, or plants in civilian settings [13].

Agroterrorism threatens a nation-state’s food security because it targets the ability of that nation to produce food—namely, the early production step in the food supply chain. An agroterrorist attack could, conceivably, lead to economic chaos in the form of higher food prices, unemployment, and disruption of international trade flows. Agriculture in geographically large countries is what security theorists term a soft target; it is virtually impossible to guarantee the protection of such geographically vast elements in the food supply chain. Bioterrorist attacks on the global supply chain involve intentional introduction of hazards into the food supply.

Concerns with agroterrorism and bioterrorism have spawned policy and regulatory responses by nation-state governments worldwide. In 2002, the US Congress passed the Public Health Security and Bioterrorism Preparedness and Response Act (Bioterrorism Act). The Bioterrorism Act’s third section, entitled “Protecting Safety and Security of Food and Drug Supply,” granted new powers to the US Food and Drug Administration (FDA). These included the ability to detain suspect food import shipments and the
authority to mandate companies manufacturing food for US consumption to register their facilities. The US Department of Agriculture (USDA) Food Safety and Inspection Service, which regulates the meat and poultry industries, already had many of these new powers. Because of the Bioterrorism Act, the FDA can now detain food shipments if evidence indicates that they present a threat to humans or animals. Also, largely due to the 2002 Bioterrorism Act, hundreds of thousands of facilities—in the United States and abroad—must register with the FDA.

In addition to registration and detention authorities, the 2002 Bioterrorism Act has incorporated new regulatory steps into parts of the global food supply chain that cross the United States. The “prior notice” provision of the Bioterrorism Act requires that food companies notify the FDA of all food import shipments; the prior notice regulation is intended to help the FDA better manage risk. The detailed information submitted via “prior notice” is used by the FDA to better deploy resources to conduct inspections (e.g. targeting inspection resources toward new or unfamiliar food-shipping firms) and intercept contaminated products.

The Bioterrorism Act’s food security provisions also included the development of new regulatory categories for threats and agents. The new categories address specific regulatory authorities. Department of Health and Human Services (HHS) agents include select agents, such as Ebola virus and Yersinia pestis, as well as toxins such as ricin; HHS has the sole authority over these agents. USDA-only agents include agents, such as foot and mouth disease virus and rinderpest virus, that may affect animal or plant products; the USDA has the regulatory purview over these agents. Thirdly, overlap agents, including, for example, Bacillus anthracis (anthrax), may be subject to regulation by either or both HHS and USDA.
3.2 Trade Disputes Regarding the Use of Sanitary and Phytosanitary Measures

Global food supply chains have, in recent years, been complicated by disputes over import regulations related to sanitary (food safety and animal health) and phytosanitary (plant health) import-restricting measures. At the close of the twentieth century, transatlantic tensions over EU restrictions on the importation of North American beef produced with growth-promoting hormones culminated in the first WTO ruling under the terms of the Agreement on the Application of Sanitary and Phytosanitary Measures (SPS Agreement) [14]. While typically adopted by governments to protect health, sanitary and phytosanitary regulations present a new kind of challenge for the global food supply chain; they offer a means by which nation-states can restrict trade under the guise of health protection [15].

International policy differences related to safety of genetically engineered organisms in food have also caused great consternation within supply chains [16]. In addition to fueling trade rows between, for example, the United States (US) and the EU, the GE issue has encouraged the adoption, in some countries, of technical standards designed to help companies ensure they are supplying and receiving food ingredients and products with especially particular (e.g. non-GE) specifications [3, pp. 95–96].

3.3 Social Regulations and New Upstream Pressures in the Global Food Supply Chain

The transatlantic divide over biotechnology policy, concurrent with a transatlantic rift of consumer views regarding GE foods, points to a broader trend within the global food supply chain: the adoption of business practices and government regulations that, for some, might be deemed as social regulations [16].
Today’s food-trade agenda is increasingly dominated by such issues related more to production process preferences (e.g. organic agricultural practices) than end-product safety and security. (Organic agricultural practices, which are defined differently by different companies and nation-state governments, generally involve a system of farming that promotes “natural” rather than “artificial” forms of pest and disease controls and fertilizers [3].) Global activist and consumer-advocacy groups have exerted tremendous influence on companies—especially retailers in Europe—and a web of private and government standards has developed to cater to the organic and GE-free sentiments of consumers. Lamentably, this has resulted in some alarming consequences within the global food supply chain; for example, in 2002 shipments of North American food aid produced using GE technology were subject to import restrictions in Zambia, even during a time of famine and starvation [17]. Scholars writing for the African Journal of Biotechnology maintain that a balanced approach to the regulation of GE foods is required [18].

Other upstream pressures—most notably, liability forces mediated by class-action and other lawsuits—are increasingly influential in the global food supply chain. As foodborne disease surveillance data has become more plentiful, and as public health authorities have become more adept at identifying sources of outbreaks, large-scale lawsuits have exerted new kinds of pressure upstream toward the agricultural production end of the food supply chain. The 2006 outbreak of Escherichia coli O157:H7, which cost the spinach industry millions of dollars through costs including, but not limited to, lawsuits, prompted produce-oriented firms to look further upstream and enhance microbial testing of irrigation water, soil amendments, and plant tissues [10].
3.4 Traceability and Transparency: the Example of China

China plays an important role in the global food supply chain as both a producer and a consumer. With 1.5 billion consumers, providing enough food in China represents a major policy challenge [19]. China is also a major exporter of agricultural and food products, including seafood, that in recent years have fueled worries about food safety and security [20]. While countries in the developed world (e.g. the United States and Japan) that import products from China have cried for improved regulations, the growing “middle class” in China is also demanding better food and higher safety levels. As told in a recent commentary by a Frontier research assistant studying food security and trade issues there, China is experiencing pressure from both foreign markets and its own people to offer a safer supply of food. To that end, a more secure food supply chain will be needed. Multiple challenges—amongst others, traceability, transparency, and time—require the attention of the Chinese government and agriculture and food sector. With 300 million low-income farmers, cash-based recordless transactions and slow distribution channels make it presently difficult to ensure supply chain traceability, as well as accurate records required for transparency, food quality, and business efficiency [21].
4 NOVEL APPROACHES TO MANAGING SUPPLY CHAINS ACROSS BORDERS

The multilateral trading system’s framework for governing the global food supply chain features institutions and agreements that offer opportunities for uniquely managing food
security threats in international trade. Under the WTO Agreement on the Application of Sanitary and Phytosanitary Measures (SPS Agreement), WTO member countries have the right to establish regulatory measures to protect animal, plant, and human health on the basis of scientific principles; to facilitate trade, WTO members are encouraged to follow standards and guidelines developed by three international scientific standard-setting bodies (i.e. the World Organization for Animal Health (OIE), the Codex Alimentarius Commission, and the International Plant Protection Convention (IPPC)), often termed the three sisters [22].

The concepts of “regionalization” (also known as zoning) and “compartmentalization” are affirmed by the WTO, the SPS Agreement, and the three sisters. Both concepts present internationally endorsed means by which nation-states can preserve trade relations when sanitary (human or animal health) or phytosanitary (plant health) hazards threaten a country’s trading status; however, the concepts are often difficult to implement. Because global agricultural biosecurity and food-safety concerns (such as highly pathogenic avian influenza, foot and mouth disease, and bovine spongiform encephalopathy (BSE)) persist, regulatory and business stakeholders have become increasingly interested in certifying subnational geographic disease-free zones (i.e. regionalization) as well as biosecure establishments, supply chains, and/or animal subpopulations (i.e. compartmentalization) for international trade. Helpful definitions of the key terms for the trade policy concepts of regionalization and compartmentalization include the following:

• Zone/region. A clearly defined part of a country containing an animal subpopulation with a distinct health status with respect to a specific disease for which required surveillance, control, and biosecurity measures have been applied for the purpose of international trade.
• Compartment. One or more establishments under a common biosecurity management system containing an animal subpopulation with a distinct health status with respect to a specific disease or specific diseases for which required surveillance, control, and biosecurity measures have been applied for the purpose of international trade [23].

Member countries of the OIE and WTO have, for years, used regionalization by defining disease-free areas with respect to, for example, particular animal diseases (foot and mouth disease, brucellosis, etc.). For example, both the USDA Animal and Plant Health Inspection Service and the EU Food and Veterinary Office have evaluated applications from trading partners seeking to certify, for trade purposes, disease-free regions or zones from which they can export animal products to the United States and EU.

The concept of compartmentalization is a recent addition to the OIE codes and “extends the application of a ‘risk boundary’ beyond that of a geographical interface and considers all epidemiological factors that can contribute to the creation of an effective boundary” [23, p. 873]. Compartmentalization may be applied to specific herds, feed supply chains, establishments, premises, etc. A disease-specific compartment might include a cattle establishment defined as a bovine spongiform encephalopathy free compartment through demonstrable feed source management, animal movement documentation, and livestock identification [23].

Interest in compartmentalization is growing. 2006 witnessed the development of general considerations for implementing compartmentalization. These guidelines include the
following factors: (i) the nature or definition of the compartment, (ii) epidemiological separation of the compartment from potential sources of infection, (iii) documentation of factors critical to the definition of the compartment, (iv) supervision and control of the compartment, (v) surveillance for the agent or disease, (vi) diagnostic capabilities, and (vii) emergency response, control, and notification capability [23]. Compartmentalization provides a unique opportunity for vertically integrated elements of the global food supply chain to, through business practices and regulatory oversight, insulate themselves from biosecurity problems experienced elsewhere.

5 FUTURE RESEARCH NEEDS

The global food supply chain will continue to develop through research and development (indeed, innovation and investment) into technologies that can help provide security. Among other research areas, how best to provide supply chain traceability and in-plant security are salient research questions. The trade policy concepts of regionalization and compartmentalization represent ways whereby governments and businesses (the key state and private actors involved in international trade) can better cooperate along the food supply continuum. However, important research policy questions remain. These include the following.

1. What challenges and opportunities do food companies perceive in the implementation of the concepts of regionalization and compartmentalization?
2. How are government policies, regulations, and workflows responding to regionalization and compartmentalization?
3. How can all actors involved with the global food supply chain work better together to ensure security?
4. How might tools such as traceability systems help develop compartmentalized segments of the global food supply chain?
REFERENCES

1. Smith, D. F. and Phillips, J., Eds. (2000). Chapter 1: Food policy and regulation: a multiplicity of actors and experts. In Food, Science, Policy and Regulation in the Twentieth Century. Routledge, New York, pp. 1–16.
2. Kastner, J. and Ackleson, J. (2006). Chapter 6: Global trade and food security: perspectives for the twenty-first century. In Homeland Security: Protecting America’s Targets, J. J. F. Forest, Ed. Praeger Security International, Westport, CT, London, pp. 98–116.
3. Knight, C., Stanley, R., and Jones, L. (2002). Agriculture in the Food Supply Chain: An Overview. Campden & Chorleywood Food Research Association Group and the Royal Agricultural Society of England, United Kingdom.
4. U.S. Government Accountability Office (2005). Food Safety: Experiences of Seven Countries in Consolidating Their Food Safety Systems (GAO-05-212). US Government Accountability Office, Washington, DC.
5. Robinson, R. A. U.S. Government Accountability Office (2005). Overseeing the U.S. Food Supply: Steps Should be Taken to Reduce Overlapping Inspections and Related Activities (GAO-05-549T). US Government Accountability Office.
6. Cottrell, P. L. (1975). British Overseas Investment in the Nineteenth Century. The MacMillan Press Ltd, London.
7. Rostow, W. (1948). British Economy of the Nineteenth Century. Oxford University Press, Oxford.
8. Jacob, M. (2008). Management of food hazards and incidents. World Food Regul. Rev. 18(3), 22–23.
9. Caswell, J. A. and Hooker, N. H. (1996). HACCP as an international trade standard. Am. J. Agric. Econ. 78(3), 775–779.
10. Naditz, A. (2007). Lock out food supply threats. Food Quality 14(6), 20–27.
11. Avery, W. P., Ed. (1993). Agriculture and free trade. In World Agriculture and the GATT, Boulder, Colorado.
12. Davis, R. G. and Bickett-Weddle, D. (2004). Agroterrorism Awareness Agroterrorism Awareness Education (version 12). Iowa State University Center for Food Security and Public Health, Ames, Iowa.
13. Dvorak, G. (2003). Definitions. Bioterrorism Awareness Education (version 12). Iowa State University Center for Food Security and Public Health, Ames, Iowa.
14. Kastner, J. J. and Pawsey, R. K. (2002). Harmonising sanitary measures and resolving trade disputes through the WTO-SPS framework. Part I: A case study of the US-EU hormone-treated beef dispute. Food Control 13(1), 49–55.
15. Moy, G. G. (1999). Food safety and globalization of trade: a challenge to the public health sector. World Food Regul. Rev. 8(9), 21.
16. Isaac, G. (2002). Agricultural Biotechnology and Transatlantic Trade: Regulatory Barriers to GM Crops. CABI Publishing, Oxon, UK.
17. Agence France Presse (English) (2002). Zambia Fears Genetically Modified Food Aid [AgNet Listserve from the International Food Safety Network], 12 August.
18. Segenet, K., Mahuku, G., Fregene, M., Pachico, D., Johnson, N., Calvert, L., Rao, I., Buruchara, R., Amede, T., Kimani, P., Kirkby, R., Kaaria, S., Ampofo, K. (2003). Harmonizing the agricultural biotechnology debate for the benefit of African farmers. Afr. J. Biotechnol. 2(11), 394–416.
19. McGregor, R. and Anderlini, J. (2007). Pig disease adds 30% to China’s pork price and fuels inflation fear. Financ. Times, 29 May, Sects. 1, 2.
20. Dyer, G. (2007). China arrests 774 in product crackdown. Financ. Times, 30 October, Sect. 2.
21. Block, C. (2008). The Food Supply Chain and China, Frontier podcast [podcast] 2008 30 June, [cited October 16, 2008]. Available from http://frontier.k-state.edu.
22. WTO (1998). Agreement on the application of sanitary and phytosanitary measures. In The WTO Agreement Series: Sanitary and Phytosanitary Measures. World Trade Organization, Geneva, pp. 29–49.
23. Scott, A., Zepeda, C., Garber, L., Smith, J., Swayne, D., Rhorer, A., et al. (2006). The concept of compartmentalisation. Rev. Sci. Tech. Off. Int. Epiz. 25(3), 873–879.
FURTHER READING

Frazier, T. W. and Richardson, D. C., Eds. (1999). Food and Agricultural Security: Guarding Against Natural Threats and Terrorist Attacks Affecting Health, National Food Supplies, and Agricultural Economies. New York Academy of Sciences, New York.
ECONOMIC IMPACT OF A LIVESTOCK ATTACK Amy D. Hagerman, Bruce A. McCarl and Jianhong Mu Texas A&M University, College Station, Texas
1 INTRODUCTION

Livestock are a potentially vulnerable target for the introduction of animal disease-causing agents. Large events have occurred from apparently inadvertent introductions. For example:

• A 2001 UK Foot-and-Mouth Disease (FMD) outbreak led to the slaughter of 6.1 million animals [1].
• A Bovine Spongiform Encephalopathy (BSE) outbreak in the United Kingdom between 1994 and 2004 was associated with over 151 deaths [2].
• Avian Influenza (AI) outbreaks in China since 2003 have been associated with up to a 25% reduction in poultry trade and over 25 deaths [3].

Such vulnerability raises the issue of exactly how vulnerable we are and what types of pre-event action and/or planning can be done to limit risk and bolster resiliency. This article reviews a number of economic aspects related to these issues.
2 THE IMPORTANCE OF CONSIDERING ECONOMICS

Often, recommendations on the management of animal disease are based primarily on epidemic simulation models that minimize the time to control disease outbreaks by limiting the disease spread while treating or removing infected animals. After the 2001 UK FMD outbreak, such modeling was termed “armchair epidemiology” and was strongly criticized [4]. The reason for the criticism was the policy of contiguous herd slaughter used in addition to the slaughter of infected and dangerous contact herds, which was considered by many to be excessive since this caused unnecessary long-term damage to the livestock industry. Following the outbreak, the United Kingdom exhibited a declining trend in animal agriculture [5] that indicated that some producers instead chose to scale down or shut down operations.

Animal disease impacts extend beyond the number of dead animals. A strategy chosen solely because it quickly “stamps out” the disease may not be the strategy that minimizes the total economic impact in either the short or long run. It should be noted at this point that economics alone cannot be used to determine optimal response strategies to animal disease either. Rather, it is a combined approach using an integrated epidemic-economic model that should be used for this type of analysis.
Ideally, this integrated approach would be dynamic and spatial in nature [6], taking into account both the time it takes to control the disease and the economic implications of the control strategies chosen. Control strategy efficacy can be measured in terms of lost animals and direct costs of disease management as well as national welfare losses, short- and long-term trade losses, environmental consequences, consumer demand shifts, and local impacts in terms of average effects and the distribution of effects. The economic portion of the analysis can capture some or all of these loss categories and integrate them into a single measure used to quantify the distribution of outcomes from an animal disease outbreak in a particular region. The reason economic models have not been more extensively used in the past is the difficulty in developing a model that can quantify those impacts that extend beyond the primary livestock markets.
3 ECONOMIC IMPACT CATEGORIZATIONS

Economic impacts can be divided into two categories: direct and secondary. Most studies examining livestock disease have focused on direct impacts of the disease. Due to the highly integrated nature of the modern economy, consequences of agricultural contamination at any given point along the supply chain could be manifested in other sectors of the economy as well. For example, in the recent FMD outbreak in the United Kingdom, the largest category of losses came from tourism. Such losses are termed secondary losses. The losses that should be examined in any given epidemic-economic study will vary depending on the type of disease, species of animals impacted and the importance of those species to the economy, as well as regional and international animal disease policies.

3.1 Direct Losses

Direct losses accumulate to the livestock sector as a direct consequence of an animal disease attack. This category of losses has received the most attention due to the ease with which they can be quantified, particularly for the supply side. Direct losses are also of interest in establishing the cost of a particular response policy from the viewpoint of a governing agency.

3.1.1 Lost Animals and Changes in Animal Value. The most obvious direct loss is the number of animals or herds that are removed from the supply chain due to the disease. This may arise from massive preventative slaughter, as in the case of FMD, or death due to the disease itself, such as with BSE. It also captures increased culling and abortion in animals for production operations, as would be the case with Rift Valley Fever.

The value of animals lost can be calculated using a schedule of market values based on pre-disease market conditions. This is often the method used in studies for calculating indemnity payments to producers from preventative slaughter. There are two issues with using this method. First, it does not recognize the role of livestock as a capital asset [1].
In particular for purebred animal producers, the value of an animal represents an investment in genetic improvements that may not be accounted for in a per pound cash market value as it would for a commercial animal. Second, producers who have animals not infected but expecting to absorb the full revenue loss from a negative price change may be tempted to claim their herd has been in direct contact with infected herds in order to collect a
1646
KEY APPLICATION AREAS
higher price per unit. It is suspected that the payout schedule was set too high in the 2001 FMD outbreak, leading to slaughter levels greater than necessary for disease control [7]. Welfare slaughter is an issue that has not received much attention in the literature, but has proven to be a real issue in historical animal disease outbreaks that include quarantine zones and strict movement restrictions. These policies may prevent feed grains and premade feeds from being shipped into the restricted regions plus movement of animals to feeding or other operations. For enterprises employing confined feeding or those raising young animals previous to feeding, the amount of feed on hand and facilities to keep animals beyond normal movement times may be insufficient to allow the animals to be kept. This leads to additional slaughter, and consequently higher indemnity payment levels to producers. As discussed in previous sections, producers expecting lower prices for animals post-outbreak may volunteer animals for welfare slaughter to prevent additional price change losses. 3.1.2 Costs of Disease Management. The direct costs of disease management account for the resources required for response to the disease outbreak including the cost of vaccination, slaughter, disposal, cleaning, disinfecting, and administrative costs. This would include cost for labor, equipment, and materials [8]. The market price changes will also impact the losses producers face. Prices could change as a result of the supply shift caused by slaughter of live animals, the destruction of milk, meat, and meat products ordinarily destined for the market and the time lag for operations to return to full production. Some studies have assumed prices do not change at the national level, but this would only be the case in a very small disease outbreak that does not change the aggregate national supply or affect demand. 
Another cost producers absorb is the loss in quality from withholding market-ready animals from slaughter. The additional time to slaughter causes carcasses to be too large or not be at the optimal level of conditioning to achieve one of the premium grades, which leads to carcass discounts. For some diseases, in order to ship meat products out of the region where the infection occurs, carcasses must either be processed into cooked meat products to kill the disease-causing agent or be put in nonhuman consumption products such as pet food. Carcass disposal becomes a serious issue in a disease outbreak, resulting in large-scale animal mortality or large-scale slaughter. Factors such as environmental regulations and public health impacts will also determine the disposal method hierarchy established [9] in addition to the cost per unit for disposal and the time required to dispose of all carcasses. The type of control strategy employed can also affect the carcass disposal method chosen since it will, hopefully, reduce the number of dead animals [10]. 3.1.3 Trade Losses. Animal disease often has significant impacts on international trade. Outbreaks in the last decade have increased the volatility in international meat markets through their effects on consumer preferences, trade patterns, and reduced aggregate supply [11]. Upon confirmation of an animal disease outbreak, restrictions are often placed on where livestock and meat products can be exported as well as what products are shipped. The extent of these damages will vary by disease and country, but in general countries experiencing an animal disease outbreak will experience immediate restricted international trade due to domestic supply changes and world demand shifts until the infected country is shown to be disease free for a predetermined amount of time. Domestic market impacts may be partially offset by imports [1].
If the disease is not carried in the meat, localized cuts in production will reduce the livestock and meat products available for export. In addition, movement restrictions in the country will prevent normal supplies from reaching the market, and export restrictions shift meat normally shipped overseas to domestic supply [1]. If the disease is carried in the meat, it either must be cooked to destroy the organism or it must be removed from the meat supply chain.

Avian influenza has affected the international poultry market, reducing trade by at least $10 billion per annum [12]. As a result of Highly Pathogenic Avian Influenza (HPAI), Thailand lost its position as the world’s fifth largest exporter of poultry meat, and Brazil replaced China and Thailand as the world’s largest supplier of frozen raw chicken products [12, 13]. Upon confirmation of BSE in the United States in 2003, more than 50 countries either completely stopped beef exports from the United States or severely restricted them, resulting in beef exports at only 20% of the previous year’s levels [14]. Even in the case of diseases that can be transferred to humans through the meat, markets have historically been found to recover within two years; however, the nation that experienced the outbreak may take longer to recover its share of the world market [11]. At particular risk are developing countries.

3.1.4 Additional Direct Costs Associated with Zoonotic Diseases. In the case of zoonotic diseases (diseases that can be transferred to humans through direct exposure to the animals, disease transfer vectors like mosquitoes, or through meat consumption), several additional direct costs are accumulated. When humans can become infected from a disease, there are additional healthcare costs and losses in productivity resulting from sickness and death to be considered. In addition, reduced meat consumption will occur while meat recalls are in place in order to prevent infection.
Examples of zoonotic diseases that have been under world scrutiny recently are BSE and Avian Influenza. In the 2003 US BSE case, negative price impacts may have been enlarged because of decreased consumer confidence in beef products, although that effect was short-lived [14].

3.2 Secondary Losses

Secondary losses are less easily quantified, but ignoring them in a study can lead to severe underestimation of the total cost of the outbreak. These studies are often done separately from the integrated epidemic-economic model analysis; however, they should ideally be included in the integrated model as much as possible. In some cases, such as environmental costs and psychological costs, the estimation may have to be done separately.

3.2.1 Related Industries. Disease outbreaks can have effects that extend well beyond the meat production chain [2]. While industries directly in the meat production chain will typically experience the greater loss and have consequently been the focus of disease outbreak economics literature, little work has been done to ascertain the impact on service industries linked to the meat industry. A good example is the feed industry. In countries with large concentrated animal feeding operations, such as the United States, livestock represent a significant source of demand for feed grains. Disease outbreaks leading to large-scale animal mortality will reduce the domestic demand for feed grains. In addition, movement restrictions in the quarantine zone will restrict not only the transport of livestock but also the transport of feed grain supply trucks or unit trains coming into or out of the region. These disruptions and demand shifts will be reflected in the price of feed grains. Other industries that would be impacted by a disease outbreak are transportation, veterinary service, supply industries, and rendering services [2].

3.2.2 Local Economies. Disease outbreaks will have the greatest per capita impact on the area where the outbreak occurs. Local producers whose premises are depopulated must wait to rebuild their operation, removing the money that would have been spent on feed, supplies, and livestock-related services at local businesses. Movement restrictions divert commercial and tourist traffic coming through the region, removing income from local businesses like gas stations, hotels, and restaurants. Businesses may choose to shut down or livestock operations may opt not to repopulate, decreasing the number of jobs available to local residents. Alternatively, the process of controlling the disease may provide some increased local employment, but this would be short-term only.

In the 2001 FMD outbreak, 44% of the confirmed cases occurred in the county of Cumbria [15]. Farmers and businesses in the county were surveyed after the outbreak to ascertain their losses. Although 63% of farmers in the county said they would continue farming, only 46% planned to build back up to their previous level of operation. There was an estimated direct employment loss of 600 full-time jobs and an indirect employment loss of 900 jobs [15].

Depending on the area of the country impacted by the animal disease and the size of the outbreak, tourism can represent a serious source of secondary losses. Returning to the Cumbria county survey, after the 2001 UK FMD outbreak, the loss in gross tourism revenues in that county was expected to be around £400 million. Reports predicted the recovery of the county economy would largely depend on the long-term recovery of the tourism industry [15].
On a national level, tourism was the largest source of losses related to the FMD outbreak at £2.7 to £3.2 billion [1]. Page et al. [16] observed that Avian Influenza could deliver significant shocks to tourism, and McLeod et al. [13] estimated that the 2004 AI outbreak in Vietnam led to a 1.8% decline in GDP, where a 5% decline in tourist arrivals could lead to an additional 0.4% decline in GDP [17]. Furthermore, Kuo et al. [18] found that Asian tourism demand is reduced by about 74 arrivals after an AI incident and that this reduction was greater than the impact of AI on global tourism.

3.2.3 Environmental. There are two primary environmental impacts related to animal disease outbreaks: water and air quality. Ground water can be negatively impacted by diseased carcasses being buried in areas where materials can leach from decomposing carcasses. Preventing this could restrict the amount of on-farm burial in the event of an animal disease outbreak, leading to additional spread risks from moving animals to suitable sites or to delays in disposal by alternative methods. Water quality is also impacted by runoff from cleaning depopulated premises and from dumping infected milk as a result of movement restrictions. In a study of the 2001 FMD outbreak in the Netherlands, the illegal discharge of milk into sewage systems, rivers, and smaller waterways led to a high to very high probability of spreading the disease to other cattle operations within 6–50 km of the dump site [19].

Air quality can be impacted when animal pyre burning or curtain burning of carcasses is employed. Curtain burning is preferred since it reduces the emissions into the air, but it is not always feasible since it requires more time and resources than pyre burning [9]. Studies in the United Kingdom, where pyre burning was used extensively at one point in the outbreak, have examined the levels of dangerous compounds in livestock, dairy products, and eggs produced nearby. Slight increases in concentrations of dangerous compounds were found in lamb, chicken, and eggs, but these were not samples destined for the food chain. In milk, dangerous compound concentrations were within acceptable ranges. Overall, the study concluded that there is no evidence that the pyres were responsible for contaminating food produced in that region [20].

Human health has been another concern related to air quality. Pyre burning releases considerable amounts of ash and pollutants into the atmosphere that can be breathed in by carcass disposal workers and local residents. A study in Cumbria county in the United Kingdom found that levels of respiratory irritants, although elevated above normal levels from the pyres, did not exceed air quality standards or exceeded them by very little. Furthermore, the pollutants were unlikely to cause damage to all but the most sensitive individuals (e.g., asthmatics and those with weak lungs) [21].

3.2.4 Demand. Consumer demand response comes from two sources in an animal disease outbreak. The first is the easier of the two to quantify: the adjustment in consumption patterns from price changes. Historically, consumers have experienced a small net loss in overall welfare, although this is partially offset by lower domestic prices [1]. The second impact is substitution in consumption patterns as a result of changes in consumer confidence. How much of an impact reaches consumers depends on several factors such as industry organization, consumer demographics, and information release policies.

3.2.4.1 Industrial Organization. In countries with complex meat supply chains, such as the United States, Australia, and Europe, the extent to which consumers are impacted will depend on the number of bottlenecks in the supply chain and the level of vertical integration.
In the United States there are a few meat-packers controlling a large portion of the livestock being processed [22]. This market power means greater pressure could be placed on producers and possibly consumers under an animal disease event. There is a greater vulnerability to that industry if one or more of those packers is forced to shut down during the outbreak or to remain shut permanently. This would most likely have a greater impact on farmers than consumers. In addition, the growing popularity of value-added or ready-to-eat meals means most of the value of the product on the grocery store shelf is from inputs other than the raw agricultural product. This means the prices consumers face in the grocery store are less sensitive to shocks at the farm level [2]. While this could have an influence on the price change consumers face, industry organization is not likely to be a factor in consumer confidence.

3.2.4.2 Consumer Demographics. Considerable work has been done on the factors influencing demand for meat in the United States, Europe, and more recently Asia. In general there are differences in attitudes toward meat quality and safety, which means actual consumer response will vary on a case-by-case basis for animal disease outbreaks. Consumer response to BSE has had long-term negative effects in Europe and Japan [2]. In France, Adda [23] examined the effect of past risk exposure for beef consumers. Consumer sensitivity to food safety concerns has been heightened by past risk exposure, leading to decreased demand for meat from consumers who previously consumed medium to small amounts of beef and an increased demand in those groups for high quality meat products. In the United States, the response to food safety concerns is small, particularly in comparison to price effect sensitivity [24]. As a result of AI, there are losses of consumer confidence and of the competitive strength of poultry meat in the meat market [25].

A limited amount of work has been done on willingness to pay by consumers for animal disease prevention activities like traceability and country of origin labeling. Willingness to pay for disease control could potentially be impacted by consumer demographics and risk perception as well. In order to guarantee the safety of poultry meat, providing a traceability label on poultry products is suggested as one of the incentives for farms and marketing firms to supply safer food [26, 27]. Research done in China estimated that consumers in Beijing, on average, stated a significant willingness to pay (WTP) for traceability of poultry products, approximately 9–10% of the base price [28].

3.2.4.3 Information Release Policies. Considerable work has been done on the impact of information release policies in the event of a food safety risk. Pope [29] found that transparency on the part of the government and industry, in the event of an animal disease outbreak, reduced negative consumer response in Canada after the 2003 BSE outbreak [2]. In the UK, a “food publicity index” was used to show that the inward shift in consumer meat demand after the 1996 BSE outbreak was influenced by the publicity surrounding the outbreak [30]. Although AI information has relatively small impacts on meat demand, its effects would last three months and would decrease the demand for turkey and increase the demand for beef in the US meat market [25].
4 EPIDEMIC-ECONOMIC MODEL DEVELOPMENT

As stated earlier, to estimate potential economic losses of agricultural contamination from infectious animal disease spread, an integrated epidemic-economic model is needed. Epidemic simulation information is necessary to evaluate the extent of the physical damages [31, 32] and to evaluate the economic costs of a potential outbreak in an integrated framework. The type of economic model used will vary depending on several factors such as the geographic scope of interest (farm, region, nation, or world), the economic factor of interest (employment changes, price changes, or trade changes), and the extent of damages expected from a particular disease.

Such integrated models are primarily used to predict what would happen in the event of an outbreak of a specific disease in a specific region, or to assess the sensitivity of an outbreak to various control strategies. Models should capture both the recovery from the outbreak over multiple time periods, through the period of restocking, and the recovery of trade relationships up to the time of full recovery. Furthermore, they should capture the geographic implications of the disease in terms of spread to other regions or countries [6]. Moreover, to assess risk through both the epidemic portion of the model and the economic portion, the iterations from the epidemic portion may be run through the economic portion as statistically independent trials. This is opposed to the standard practice of running only the averages from the epidemic model through the economic model.

The stochastic parameters in the epidemic model deal with the rate of disease spread and the effectiveness of control strategies. The spread rate of an infectious disease will determine the severity of economic damages and the appropriate combination of necessary prevention and response actions. Prevention is perhaps the most desirable policy option for livestock disease attacks. Some examples of these policies include employing antimicrobial livestock drugs and vaccination, storage and transportation facility security, and trade inspection. The purpose of prevention activities is to decrease the probabilities of intentional or unintentional agricultural contamination incidents. Response, control, and recovery actions are indispensable policies in the face of agricultural sabotage. Essentially these policies are focused on minimizing damages by stopping the spread of a possibly infectious contamination and minimizing the scope of the sabotage, as well as fixing the source of the sabotage, restoring and replacing the lost livestock branches in the food supply chain, and rebuilding consumer confidence.

5 CONCLUSION

Thorough, in-depth studies that include the costs of animal disease and evaluate both vulnerability and the consequences of control strategies, giving implications for livestock death loss and wider economic costs, allow for a greater degree of preparation, effectiveness of response, and faster recovery. This article has given an overview of the economic impacts of an animal disease attack and the approach to appraisal thereof. We also discuss multiple areas that have received little attention. Thorough analysis requires collaboration, drawing on expertise from epidemiology, sociology, biology, and economics. This level of collaboration is difficult, but indispensable in dealing with the necessary issues. Also key to a quality economic assessment is the integration of models and the identification of the right economic impact categories for the disease and region of interest.
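Section 4 recommends running every epidemic iteration through the economic model as a statistically independent trial instead of passing only the averages through. The sketch below is an added example, not the authors' model: the spread process, the loss function, and every parameter value are constructed assumptions, chosen to show how the two approaches diverge once losses are nonlinear in outbreak size.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, median

# Every value below is constructed for illustration (losses in $ million).
REGION_HERDS = 5000              # susceptible herds in the modelled region
INDEMNITY_PER_HERD = 0.3         # direct loss: value of animals lost
MANAGEMENT_PER_HERD = 0.1        # direct loss: slaughter, disposal, disinfection
TRADE_LOSS_PER_PERIOD = 20.0     # exports lost per period while trade is restricted
DISEASE_FREE_WAIT_PERIODS = 6    # periods after the last case before trade resumes
SECONDARY_THRESHOLD_HERDS = 200  # outbreak size beyond which secondary losses start
SECONDARY_PER_HERD = 1.5         # secondary loss (e.g. tourism) per herd above it


@dataclass
class Outbreak:
    herds: float     # cumulative infected herds
    periods: float   # outbreak length in spread periods


def simulate_outbreak(rng, max_periods=12, control_starts=3):
    """One epidemic iteration: stochastic spread rate and control effectiveness."""
    spread = rng.lognormvariate(math.log(1.8), 0.35)  # new herds per infected herd
    effectiveness = rng.uniform(0.4, 0.9)             # share of spread removed by control
    infected, total, periods = 1.0, 1.0, 0
    for period in range(max_periods):
        rate = spread if period < control_starts else spread * (1.0 - effectiveness)
        susceptible_share = max(0.0, 1.0 - total / REGION_HERDS)
        infected *= rate * susceptible_share
        total += infected
        periods = period + 1
        if infected < 0.5:  # outbreak has died out
            break
    return Outbreak(min(total, REGION_HERDS), periods)


def economic_loss(outbreak):
    """Economic portion: direct + trade + secondary losses for one outbreak."""
    direct = outbreak.herds * (INDEMNITY_PER_HERD + MANAGEMENT_PER_HERD)
    trade = TRADE_LOSS_PER_PERIOD * (outbreak.periods + DISEASE_FREE_WAIT_PERIODS)
    secondary = SECONDARY_PER_HERD * max(0.0, outbreak.herds - SECONDARY_THRESHOLD_HERDS)
    return direct + trade + secondary


def run_integrated_model(n_trials=2000, seed=7):
    """Compare per-trial propagation with the averages-only shortcut."""
    rng = random.Random(seed)
    outbreaks = [simulate_outbreak(rng) for _ in range(n_trials)]
    # Integrated approach: each epidemic iteration is its own economic trial.
    losses = sorted(economic_loss(o) for o in outbreaks)
    # Shortcut: collapse the epidemic output to its averages first.
    average = Outbreak(mean(o.herds for o in outbreaks),
                       mean(o.periods for o in outbreaks))
    return {
        "mean_of_trials": mean(losses),
        "median_of_trials": median(losses),
        "p95_of_trials": losses[int(0.95 * (n_trials - 1))],
        "loss_of_average_outbreak": economic_loss(average),
    }


if __name__ == "__main__":
    for name, value in run_integrated_model().items():
        print(f"{name:>26}: {value:10.1f}")
```

Because the secondary-loss term only applies above a threshold, the averages-only figure understates the expected loss, and it carries no information about the tail that the per-trial distribution exposes.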
REFERENCES

1. Thompson, D., Muriel, P., Russell, D., Osborne, P., Bromley, A., Rowland, M., Creigh-Tyte, S., and Brown, C. (2002). Economic costs of the foot-and-mouth disease outbreak in the United Kingdom in 2001. Rev. Sci. Tech. Off. Int. Epiz. 21(3), 675–687.
2. Pritchett, J., Thilmany, D., and Johnson, K. (2005). Animal disease economic impacts: a survey of literature and typology of research approaches. Int. Food Agribusiness Manage. Rev. 8(1), 23–46.
3. World Health Organization (WHO). (2009). Cumulative Number of Confirmed Human Cases of Avian Influenza A/(H5N1) Reported to WHO. Available at http://www.who.int/csr/disease /avian influenza/country/cases table 2009 06 02/en/index.html. Accessed 2009 June.
4. Kitching, R. P., Thrusfield, M. V., and Taylor, N. M. (2006). Use and abuse of mathematical models: an illustration from the 2001 foot-and-mouth disease epidemic in the United Kingdom. Rev. Sci. Tech. Off. Int. Epiz. 25(1), 293–313.
5. Bai, P., Banks, H. T., Dediu, S., Govan, A. Y., Last, M., Lloyd, A. L., Nguyen, H. K., Olufsen, M. S., Rempala, G., and Slenning, B. D. (2007). Stochastic and deterministic models for agricultural production networks. Math. Biosci. Eng. 4(3), 373–402.
6. Rich, K. M., and Winter-Nelson, A. (2007). An integrated epidemiological-economic analysis of foot-and-mouth disease: applications to the southern cone of South America. Amer. J. Agr. Econ. 89(3), 682–397.
7. Anderson, I. (2002). Foot and Mouth Disease 2001: Lessons to be Learned Inquiry Report. Cabinet Office, UK. Available at http://archive.cabinetoffice.gov.uk/fmd/fmd report/index.htm. Accessed 2008 October.
8. Schoenbaum, M. A., and Disney, W. T. (2003). Modeling alternative mitigation strategies for a hypothetical outbreak of foot and mouth disease in the United States. Prev. Vet. Med. 58, 25–52.
9. Scudamore, J. M., Trevelyan, G. M., Tas, M. V., Varley, E. M., and Hickman, G. A. W. (2002). Carcass disposal: lessons from Great Britain following the foot-and-mouth disease outbreaks of 2001. Rev. Sci. Tech. Off. Int. Epiz. 21(3), 775–787.
10. Jin, Y., Huang, W., and McCarl, B. A. (2005). Economics of homeland security: carcass disposal and the design of animal disease defense. Presented at the American Agricultural Economics Association Meetings. Rhode Island.
11. Morgan, N., and Prakash, A. (2006). International livestock markets and the impact of animal disease. Rev. Sci. Tech. Off. Int. Epiz. 25(2), 517–528.
12. Nicita, A. (2008). Avian Influenza and the Poultry Trade. World Bank, Policy Research Working Paper 4551.
13. McLeod, A., Morgan, N., Prakash, A., and Hinrichs, J. (2005). Economic and social impacts of avian influenza. FAO Emergency Centre for Transboundary Animal Diseases Operations (ECTAD).
14. Hu, R., and Jin, Y. (2009). The impact of North American BSE events on the US beef market: consequences of trade disruptions. Working Paper.
15. Bennett, K., Carroll, T., Lowe, P., and Phillipson, J. (2002). Coping with Crisis in Cumbria: Consequences of Foot-and-mouth Disease. Center for Rural Economy, Newcastle University, Newcastle upon Tyne, United Kingdom.
16. Page, S., Yeoman, I., Munro, C., Connell, J., and Walker, L. (2006). A case study of best practice - Visit Scotland’s prepared response to an influenza pandemic. Tourism Manage. 27(3), 361–393.
17. Brahmbhatt, M. (2005). Avian Influenza: Economic and Social Impact. Available at http://go.worldbank.org/YELWWUIAY0. Accessed 2005 Oct.
18. Kuo, H. I., Chang, C. L., Huang, B. W., Chen, C. C., and McAleer, M. (2009). Avian Flu and International Tourism Demand: A Panel Data Analysis. Available at http://mssanz.org.au. Accessed June.
19. Schijven, J., Rijs, G. B. J., and de Roda Husman, A. M. (2005). Quantitative risk assessment of FMD virus transmission via water. Risk Anal. 25(1), 13–21.
20. Rose, M., Harrison, N., Greaves, A., Dowding, A., Runacres, S., Gem, M., Fernandes, A., White, S., Duff, M., Costley, C., Leon, I., Petch, R. S., Holland, J., and Chapman, A. (2005). Dioxins and polychlorinated biphenyls (PCDD/Fs and PCBs) in food from farms close to foot-and-mouth-disease animal pyres. J. Environ. Monit. 7, 378–383.
21. Lowles, I., Hill, R., Auld, V., Stewart, H., and Calhoun, C. (2002). Monitoring the pollution from a pyre used to destroy animal carcasses during the outbreak of foot-and-mouth disease in Cumbria, United Kingdom. Atmos. Environ. 36(17), 2901–2905.
22. Love, H. A., and Burton, D. M. (1999). A strategic rationale for captive supplies. J. Agric. Resour. Econ. 24(1), 1–18.
23. Adda, J. (2007). Behavior towards health risks: an empirical study using the “mad cow” crisis as an experiment. J. Risk Uncertain. 35, 285–305.
24. Piggott, N. E., and Marsh, T. L. (2004). Does food safety information impact US meat demand? Am. J. Agric. Econ. 86(1), 154–174.
25. Mu, J., Bessler, D., and McCarl, B. A. (2009). Avian influenza information: economic effects on U.S. meat markets. Selected poster presentation at the March 2009 Department of Homeland Security Annual University Summit. Washington, DC.
26. Pouliot, S., and Sumner, D. (2008). Traceability, liability, and incentives for food safety and quality. Am. J. Agric. Econ. 90, 15–27.
27. Brouwer, R., van Beukering, P., and Sultanian, E. (2008). The impact of the bird flu on public willingness to pay for the protection of migratory birds. Ecol. Econ. 64, 575–585.
28. Jin, Y., and Mu, J. (2009). Elicitation Effects of Using Payment Cards on Consumer Willingness to Pay. Working paper.
29. Pope, C. (2003). Managing consumer confidence. Presentation in the symposia the Economic Impact of Animal Disease on the Food Marketing Sector. Denver, CO, July 11.
30. Loyd, T., McCorriston, S., Morgan, C. W., and Rayner, A. J. (2001). The impact of food scares on price adjustments in the UK beef market. Agric. Econ. 25, 347–357.
31. Jalvingh, A. W., Nielen, M., Maurice, H., Stegeman, A. J., Elbers, A. R. W., and Dijkhuizen, A. A. (1999). Spatial and stochastic simulation to evaluate the impact of events and control measures on the 1997–1998 classical swine fever epidemic in The Netherlands. Prev. Vet. Med. 42, 271–295.
32. Ferguson, N. M., Donnelly, C. A., and Anderson, R. M. (2001). The foot-and-mouth epidemic in Great Britain: pattern of spread and impact of interventions. Science 292, 1155–1160.
FURTHER READING

Agra CEAS Consulting Ltd. Prevention and control of animal diseases worldwide: economic analysis--prevention versus outbreak costs. The World Organisation for Animal Health (OIE) Final Report, Part I.
Burns, A., van der Mensbrugghe, D., and Timmer, H. (2009). Evaluating the Economic Consequences of Avian Influenza. Available at http://siteresources.worldbank.org/EXTAVIANFLU /Resources/EvaluatingAHIeconomics 2008.pdf. Accessed 2006 Jun.
Rich, K. M., Miller, G. Y., and Winter-Nelson, A. (2005). A review of economic tools for the assessment of animal disease outbreaks. Rev. Sci. Tech. Off. Int. Epiz. 24(3), 833–845.
SOCIAL, PSYCHOLOGICAL, AND COMMUNICATION IMPACTS OF AN AGROTERRORISM ATTACK

Steven M. Becker
University of Alabama at Birmingham School of Public Health, Birmingham, Alabama
1 INTRODUCTION

As policy makers, the agriculture sector, researchers, emergency planners, and communities prepare to meet the enormous challenge posed by agroterrorism, increasing attention has been devoted to such critical issues as field and laboratory detection, surveillance, mapping, improved outbreak modeling, vaccine development and improvement, and disposal and decontamination options. Far less consideration, however, has been given to social, psychological, and communication issues. Yet, the manner in which these issues are approached will be one of the principal determinants of an agroterrorism event’s outcome. The ultimate aim of an agroterrorism attack, after all, is not to harm crops or ruin agricultural products; rather, it is to destroy confidence in the food supply and in societal institutions, create fear and a sense of vulnerability in the population, reduce people’s hope and resolve, and weaken the society and the nation.

Effectively addressing key social, psychological, and communication issues will be crucial to the success of quarantines or other mitigation measures, and to efforts to minimize exposure to threat agents, reduce the impacts of an incident, maintain public confidence and trust, and better assist affected individuals, families, and communities [1]. It is no exaggeration, therefore, to say that social, psychological, and communication issues constitute “make or break” factors in any effort to manage an agroterrorism event. Without sufficient attention devoted to these issues, “response efforts after a terrorist attack might be successful in narrowly technical terms but a failure in the broader sense. In effect, the battle might be ‘won,’ but the war would be lost” [2, p. 16].
2 LEARNING FROM THE 2001 FOOT-AND-MOUTH DISEASE OUTBREAK Among the best ways to understand the nature and extent of the social, psychological, and communication challenges that an agroterrorism attack could pose is to learn from recent experience with large-scale disease outbreaks. In this regard, the 2001 foot-and-mouth disease outbreak in the United Kingdom is probably the most instructive. Although the 2001 outbreak was not the result of terrorism, it “presented unprecedented challenges which no one in any country had anticipated” [3, p. 6]. This included a host of serious social, psychological, and communication impacts. In addition, because of the open, forthright and thorough way that British society has examined the successes and failures in the handling of the epidemic, others have a rich opportunity to learn from this experience. Foot-and-mouth disease is a viral disease that mainly affects cattle, pigs, goats, and sheep. Its symptoms include fever, vesicles (blisters) in the mouth or on the feet, pain, lameness, loss of appetite, and loss of condition [4]. The virus can survive for long periods of time and is powerfully contagious. Indeed, foot-and-mouth disease has variously been described as “the most contagious of all diseases of farm animals” [5, p. 2], “the most feared infection of domestic livestock” [6, p. 1], and “the most contagious disease of mammals” [7, p. 425]. Not only can animals be infective without displaying signs of the disease, the virus can also be transmitted in a host of ways. “The virus is present in fluid from blisters, and can also occur in saliva, exhaled air, milk, urine and dung. Animals pick up the virus by direct or indirect contact with an infected animal. Indirect contact includes eating infected products and contact with other animals, items or people contaminated with the virus, such as vehicles, equipment, fodder and anyone involved with livestock.” [8, p. 
13] The rapidity with which the 2001 epidemic spread was astonishing. British officials estimate that by the time the virus was confirmed on February 20, some 57 farms in 16 counties had already been infected. By February 23, when a movement ban was imposed, 62 more premises were thought to have been infected, involving seven more counties
IMPACTS OF AN AGROTERRORISM ATTACK
[8, p. 14]. In addition, the scale of the outbreak was remarkable. At the height of the crisis, “more than 10,000 vets, soldiers, field and support staff, assisted by thousands more working for contractors, were engaged in fighting the disease. Up to 100,000 animals were slaughtered and disposed of each day” [8, p. 1]. By the time the outbreak ended—221 days after it began—the toll was enormous: animals were slaughtered at more than 10,000 farms and related agricultural premises in England, Scotland, and Wales. Approximately 2000 locations were “slaughtered out” because foot-and-mouth disease had been confirmed there, while another 8000 were targeted either because they neighbored an infected farm (“contiguous culling”) or because it was suspected that animals could have been exposed to the virus (“dangerous contacts”). While efforts were made to reduce pain and suffering, there were all too many situations where this aim was not achieved due to the scale of the operation and a shortage of trained personnel. Reports of frightened animals taking flight, animals being wounded, or animals being shot multiple times were not uncommon. Piles of dead animals awaiting disposal were a regular sight in affected areas, particularly in the early days of the culling operation; so, too, were trenches where carcasses were buried and “funeral pyres” where carcasses were burned. In the end, the total number of animals slaughtered for disease control purposes was staggering—over 4.2 million. Beyond that, 2.3 million other animals were slaughtered under “welfare provisions” because strict movement restrictions in affected regions made it impossible to get feed to them. People living in the midst of the epidemic and associated carnage were hit hard emotionally, as when farms that had been in the family for generations were wiped out or when children’s pets were required to be slaughtered. In addition, people were battered economically. 
Agricultural communities, including farmers and their families, people employed in agriculture, and area businesses, saw livelihoods and financial security disappear virtually overnight. Tourism—a vital industry in many of the affected areas—dropped precipitously, causing even greater economic damage and dislocation. Before the outbreak finished, it had even gone international, spreading to a limited extent to France, the Netherlands, Northern Ireland, and the Republic of Ireland [3, 8]. It is common in most disaster situations for people’s responses and reactions to be marked by resilience and helping behaviors. The foot-and-mouth epidemic was no exception. Many communities remained united in the face of the invisible threat and there were countless acts of assistance and support. Amongst farmers and farming families, there was a continuing commitment to agriculture as a way of life despite the tremendous difficulties caused by foot-and-mouth disease [9]. In addition, many veterinarians and other professionals endured difficult conditions and went above and beyond the call of duty to help bring the outbreak under control. Finally, there were many examples of public sympathy and support for affected farmers and farming communities. People in the Southwest and other parts of the United Kingdom, for example, participated in a huge fund-raising effort aimed at helping those whose livelihoods had been ravaged by the epidemic. The Green Wellie Appeal, launched in March by the Western Morning News, saw participation from celebrities, businesses, schools, and thousands of people sympathetic to the plight of affected farmers. More than £1 million was raised [10]. At the same time, the outbreak also caused new strains, sharp conflict and division, profound distress, widespread loss of trust, and a host of other serious social, psychological, and communication impacts. 
These were partly a result of the damage wrought by the outbreak itself, but they were also compounded by serious shortcomings in preparedness and response efforts. Initially, “no-one in command understood in sufficient detail what
KEY APPLICATION AREAS
was happening on the ground.” By the time the extent of the problem was fully grasped, a cascade of social, psychological, and communication effects had already begun. “A sense of panic appeared, communications became erratic and orderly processes started to break down. Decision making became haphazard and messy . . . . The loss of public confidence and the media’s need for a story started to drive the agenda” [3, p. 6]. While no two events are ever alike, the range of individual, family, community, and societal effects experienced during foot and mouth provides a clear indication of the kinds of social, psychological, and communication impacts that could result from a large-scale agroterrorism attack. Some of the most significant effects evidenced during the 2001 outbreak are reviewed below.
3 SOCIAL, PSYCHOLOGICAL, AND COMMUNICATION IMPACTS
3.1 Isolation
Efforts to control the spread of the virus had the unintended consequence of causing widespread social isolation. A ban on animal movements, the creation of large exclusion zones around affected farms, the posting of “keep out” signs, the placing of disinfectant baths and mats, the closure of footpaths, parks, tourist attractions and heritage sites, prohibitions against all nonessential travel, and the closure of widespread areas of the countryside often combined to bring community life to a standstill. Farmers’ markets, fairs, art shows, and other events were cancelled, and many other facets of social life—visiting neighbors, going to the pub, attending religious services, shopping, participating in clubs and community groups—ceased. Even the utilization and delivery of health and social services were affected. In the words of one official report, “children and families could not conduct normal lives . . . .” [11, p. 9]. Thus, at a time of maximum difficulty and stress, people were often cut off from normal social outlets, from each other, and from their community support networks.
3.2 A Sense of Being under Siege
Even where some degree of movement or interaction was possible, fear that other people could potentially spread the virus caused many farmers, farming families, and others to barricade themselves off from the outside world. The farthest that one could safely venture was to the end of his or her property. Children were even kept home from school for an extended period of time. The sense of being on edge and under siege was reinforced every time there was an instance of someone ignoring warning signs or violating a closure order. Such occurrences appeared to happen at a variety of times and in a multiplicity of locations [12]. Reported problems included walkers pulling down disease-warning signs, people entering closed areas/footpaths, and people crossing farm property. 
A spokesperson for one police department was quoted as saying that numerous complaints had been received alleging that “people are either ignoring the signs or ripping them down. On one occasion a man walking his dog ripped a sign down and went straight down the path. Another time, a man led a child on horseback down a path” [13, p. 33]. In some instances, there were direct conflicts when farming families trying to protect their property from the virus encountered outsiders. Among the incidents described in media reports were one where
a farmer’s wife confronted cyclists with a shotgun, and another where a farmer was attacked by two men walking a dog after he asked them to leave his farmland [13].
3.3 Hoaxes and Threats
Compounding the fear, uncertainty, and distress experienced by farming communities were hoaxes and threats perpetrated in the wake of the outbreak. In one case, for example, a farmer reported having found a pig’s head that had apparently been thrown into the middle of his field of dairy cows. In another case, a vial and bloodstained gloves were left near a sensitive area of a farm. The overall number of such incidents was relatively small; but in the context of the enormous worries and uncertainties already being experienced by much of the countryside, even this small number was sufficient to add greatly to people’s fears and sense of being under siege [12].
3.4 Noncompliance with Infection Control Measures
Adherence to measures aimed at controlling the spread of infection is a key to crisis management during a large-scale outbreak. During the foot-and-mouth disease outbreak, cooperation and compliance were often good. However, many exceptions were seen over the course of the outbreak. At times, and in some areas, the lack of compliance occurred often enough and was sufficiently serious to constitute a major concern. Compliance problems, which were identified in relation to both farms and transport, included unlicensed movement of animals, dirty vehicles, and vehicles spilling organic material onto roads. Some of these problems might have stemmed from lack of awareness, lack of training, unclear instructions, or ineffective communication. There is evidence, for example, that words such as biosecurity, blue box, and red box were not always well understood. But other problems—including the deliberate alteration of movement licenses and illegal entry to infected premises—were clearly intentional violations of infection control measures. 
In a number of cases, violators were fined or prosecuted if they were caught [12].
3.5 Conflict within Communities
Differences between those involved in agriculture and those dependent on tourism, changes and perceived inconsistencies in valuation and compensation levels, and divergent views on approaches to dealing with the crisis sometimes created new tensions and sharp conflicts. These conflicts divided neighbors and friends and had broader impacts as well. As a member of one farming family explained, the situation was damaging “not just the farming lifestyle, but the farming communities, the farming relationship” (Quoted in [14], p. 274). One of the most powerful descriptions of the combined effect of isolation, the state of siege, and splits between people was given by a resident of Holne at the Devon Foot and Mouth Inquiry (2002, p. 58):
Divisions occurred within people and between different groups—“us and them.” The “us” became narrower and smaller—only the immediate family. Thus psychological isolation exacerbated physical isolation. People withdrew from the nurturing of the community. The dangerous “not us” became wider and bigger: farmers, walkers; MAFF/DEFRA; those with no bio-security and those with excellent bio-security; those who left, those who remained; organic farmers, postmen, people with dogs; horse drivers and horse riders; children at
school and not; open pubs and closed pubs; those compensated and those not; those who cheated and those who played straight. Suspicion, guilt, panic, fear and abandonment were all apparent. What is left is lack of confidence, depression, lack of ability to respond, and despair.
3.6 Psychological Impacts
As the Royal Society of Edinburgh [11, p. 9] summed up, “for those involved, or even those not involved but living in the locality, there was trauma . . . . For many of these people, and perhaps especially their children, the events of 2001 were a nightmare . . . ” Only a relatively small number of systematic studies of the outbreak’s psychological impact were conducted, perhaps in part because of the difficulties inherent in a situation involving severe travel restrictions. But the research that was conducted has reinforced the conclusion that this was a highly distressing experience. In a study carried out shortly after the official end of the outbreak, Peck et al. [15] compared psychological morbidity in a badly affected area (Cumbria) and an unaffected area (the Highlands) using a 12-item version of the General Health Questionnaire that was mailed to farmers. Though small sample size limits how far the results can be generalized, the study found that farmers in the affected area had significantly higher levels of psychological morbidity than those in the unaffected area. Other research (e.g. [16]) carried out in various locations and using a variety of methodologies has also examined emotional well-being and mental health in relation to the outbreak. Olff et al. [17] studied farmers whose animals were slaughtered during the outbreak and found that approximately half had high levels of traumatic stress symptoms. Deaville et al. [18] carried out a health impact assessment of the foot-and-mouth outbreak in Wales. Using a multimethod approach that combined validated quantitative instruments with qualitative interviews, the assessment found significant mental health effects in the study sample and identified such symptoms as sleeplessness, tearfulness, frustration, anger, and lack of motivation. Hannay and Jones [19] used a mail survey to examine how farmers and tourism workers in Dumfries and Galloway, Scotland were affected by the outbreak. 
The results indicated that both groups had experienced negative impacts in the areas of daily activities, feelings, overall health, social activities, social support, and quality of life [20]. Finally, Mort et al. [21] conducted a longitudinal qualitative analysis of weekly diaries and concluded that the foot-and-mouth experience was accompanied by distress, feelings of bereavement, fear of a new disaster, and loss of trust. Looking across the psychological impacts of the outbreak, Peck [20] concluded that, despite the high levels of distress, there had been no increase in demand for mental health services in affected areas. Rather, farmers turned to “family, friends and veterinary surgeons for support” (p. 272). In addition, noted Peck, there was “an expressed willingness to use anonymized sources of support, such as telephone or internet helplines” (p. 275). This is fully consistent with reports from the many organizations that provided support to farmers, farming families, and others in affected communities. Crisis hotlines and stress helplines were flooded with calls, so that hours had to be extended and staffing had to be increased. The Rural Stress Information Network, for example, reported that with the onset of the outbreak, it had received more calls in a single month than in the entire preceding year [12]. No direct, systematic studies of the outbreak’s effect on children—generally considered a vulnerable population—were carried out [22]. Nevertheless, it was apparent that the situation took a significant emotional toll on them. Children were often nearby when
parents’ and grandparents’ farms were slaughtered out. They witnessed piles of dead animals, saw and smelled the funeral pyres that burned for days, and sometimes even lost their own pets as a consequence of the crisis. In addition, children shared in the isolation that affected farm communities. They missed school for extended periods of time, were unable to socialize with friends, and saw their families’ own distress on a daily basis. As one parent told the Devon Foot and Mouth Inquiry, “my children had never seen me cry before” [23, p. 50]. Children’s stress manifested itself in many ways, from angry e-mail postings [24] to problems with bed-wetting. As one rural nurse wrote, “as time passed we had an increase in referrals for children who were bed-wetting, often after long periods of being dry” [25, p. 60]. In a health assessment carried out in Wales by Deaville et al. [18], over half of the study’s respondents indicated that the outbreak had affected their children. Although most attention has focused on farmers and their families, it should also be borne in mind that foot-and-mouth was often a distressing experience for those charged with fighting the outbreak. Professionals on the front lines worked very long hours, were often away from home, and regularly witnessed horrific sights. Furthermore, although some frontline personnel felt that their work was supported by farmers, community residents, and the broader public, this was often not the case. Indeed, because of the high level of controversy, anger, frustration, and mistrust surrounding almost every aspect of foot-and-mouth, it was not uncommon for frontline staff to find themselves the target of relentless hostility and derision. Some professionals even reported that they were ashamed to be identified as government agency staff members. This state of affairs undoubtedly made an already emotionally taxing situation even more difficult for some frontline workers. 
3.7 An Overwhelming Demand for Information
Just as the crisis developed with breathtaking rapidity, so too did the demand for information. Requests for information quickly exceeded all expectations, and communication resources and personnel were severely stretched. For example, during the early part of the outbreak, staff at the Carlisle Disease Emergency Control Centre found themselves having to field some 6500 calls per week even as they worked feverishly to deal with the outbreak. On the national level, the resources of a helpline at the headquarters of the Ministry of Agriculture, Fisheries and Food were quickly exceeded, as were those of a much larger governmental foot-and-mouth disease helpline that had been set up utilizing a call center at the British Cattle Movement Service. As a result, officials established an overflow service through a private contractor. By March–April, the national foot-and-mouth disease helpline was hitting 7000 calls per day. Over the course of the 31-week outbreak, government-sponsored helplines responded to literally hundreds of thousands of calls from farmers and the general public [8, 12]. Aside from the overwhelming numbers of calls, one of the biggest challenges affecting the helpline effort was the difficulty those operating it had in obtaining information that was sufficiently detailed, accurate, and up-to-date. Helpline staff often had to rely on the website operated by the Ministry of Agriculture, Fisheries and Food. Although the Ministry had succeeded in quickly establishing the website after the outbreak began, and although it was widely used (by March–April it was seeing an average of 50,000 user sessions per day), the site did not always contain the most recent information [26, p. 321; 8; 12]. Particularly in situations where other sites were more up-to-date, this added to confusion and suspicion.
Poortinga et al. [27] carried out a multimethod study of how people (n = 473) in two communities—one potentially at risk from foot-and-mouth and another not close to any cases—viewed the trustworthiness of various sources of information about the outbreak. Among those scoring lowest on trust were government ministers and food manufacturers. The media fell exactly in the middle of the list (number 7 out of 13 information sources), perhaps because of concerns about sensationalism and exaggeration. Who, then, were seen as the most trustworthy sources of information? Topping the list were veterinary surgeons, followed by farmers, and then friends and family. In other words, people often trusted animal health professionals and local sources (e.g. word of mouth, the grapevine) far more than the national media and the national government. The crisis also saw the emergence of new “virtual” communities and networks that were able to link people despite the isolation created by the outbreak [28].
3.8 Conflict over Control Measures
Efforts to dispose of the huge number of slaughtered animal carcasses encountered significant community opposition. In part, this was due to a lack of consultation with stakeholders. “The speed with which decisions were taken, from site selection to construction and use, meant that there was little time for consultation . . . . The lack of consultation angered local communities . . . the lack of information and perceived insensitivity to local concerns aggravated the situation” [3, p. 114]. One major focus of opposition was the so-called funeral pyres (fires) that were extensively used in affected areas. Concerns included smoke contamination, dioxins, the powerful stench, and the problem of ash removal. In one locale, protests by business people and other residents forced officials to substantially reduce the size of a major burning operation. In another location, families blockaded trucks carrying carcasses to a funeral pyre. 
In yet another area, residents blocked trucks from entering a pyre site [12]. Plans for burial of carcasses also provoked anger and protest. People’s concerns included possible transport leakage, seepage of leachate, and contamination of watercourses and drinking water supplies. Near one proposed site, for example, several hundred people from three villages came together to oppose burial plans. Although the vast majority of protests against burial sites were peaceful, there were isolated exceptions. In one situation, for example, earth-moving equipment was used to crush a police van after protesters attempted to stop plans for mass burial of animal carcasses [12]. At times, opposition and protest were local in nature. But at other times, the issue of what to do with the carcasses of dead animals pitted region against region. In one area, for example, hundreds of people marched to protest plans to bring dead sheep from other areas of Britain to their county for burial [12]. In such situations, there was a powerful sense that people were being asked to shoulder more than their fair share of the burden. As Bush et al. [29] commented, “in the final analysis, local hostility to the burial sites was not only about the shortcomings of consultation and the failure to take seriously local knowledge, or the doubts about possible risks to either human health or the local environment. It was equally about the injustice of being singled out as a local repository for the by-product” of a national disaster.
3.9 A Breakdown of Trust and Confidence
Despite dedication and hard work from many civil servants, disease control professionals, and frontline staff, strategic problems such as a slow recognition of the severity of the
outbreak, a slow early response, controversy over the mass slaughter policy, perceived inconsistencies in compensation procedures, conflict over carcass disposal, and a lack of adequate consultation with stakeholders, all contributed to a loss of faith in the overall handling of the situation. Communication problems further damaged public confidence [26]. In the end, the foot-and-mouth disease crisis resulted in a “breakdown of trust between many of those affected directly or indirectly and their Government” [3, p. 7].
4 IMPLICATIONS FOR AGROTERRORISM PREPAREDNESS AND RESPONSE
The 2001 foot-and-mouth disease outbreak in the United Kingdom—while not a terrorist event—provides a clear indication of the types of social, psychological, and communication impacts that could occur as a consequence of a large-scale agroterrorism attack. The spectrum of effects ranges from the distress suffered by individual farming families who see their life’s work disappear overnight to broad social impacts such as community division, regional conflict, and loss of trust. Furthermore, as the 2001 experience makes clear, these impacts may be profound and widespread. Indeed, there is a real potential for the severity of social, psychological, and communication impacts of an agroterrorism attack to be even greater than what was seen during the foot-and-mouth epidemic. For example, an event involving a zoonotic agent would present an additional layer of challenges. Likewise, the possibility of multiple or repeated attacks could make it vastly more difficult to reestablish people’s sense of security. It will be crucial to learn from the foot-and-mouth outbreak and other experiences and incorporate these insights into agroterrorism contingency planning, training, preparedness, and response. Some of the key lessons that relate to social, psychological, and communication issues are discussed in the following sections.
4.1 Enlist the Public as a Partner
Although some level of disagreement and conflict is probably inevitable in a situation like the foot-and-mouth outbreak, it is now generally accepted that the situation was made far worse because of a lack of consultation with communities during the crisis. However, the problem ran deeper; even before the outbreak, there was failure to adequately engage stakeholders—including communities—in the emergency planning process. For example, stakeholders were “not formally consulted in preparing contingency plans” [8, p. 40]. 
Today, foot-and-mouth preparedness planners in the United Kingdom employ a much more inclusive, participatory approach. Nearly every aspect of managing an agroterrorism event will depend upon gaining the cooperation and confidence of agricultural communities and the broader public. Thus, it is essential for agroterrorism planning and preparedness efforts to view them as full-fledged partners. Stakeholders need to be involved in plan development long before an event occurs [30], and their participation in training exercises is vital. Similarly, the development of emergency information and outreach strategies cannot possibly be fully effective without community input and feedback. More broadly, there is a need to engage agricultural communities and the public in discussions about the agroterrorism threat long before an event occurs. This will permit full consideration of different management strategies, disposal options, compensation issues, and other potentially controversial matters, and
facilitate the development of participatory decision-making processes that are seen as fair, transparent, credible, and effective.
4.2 Adequate Resources and Preparation for Information Hotlines
It is clear from the foot-and-mouth experience that, in the event of an agroterrorism attack, the demand for information from official hotlines will be massive. If public confidence is to be maintained, agencies will need to have well-rehearsed plans, phone facilities, and trained personnel to rapidly set up and operate such hotlines. Hotline arrangements—including mechanisms to ensure that accurate and up-to-date information is available—should be regularly and realistically tested through exercises. Depending on the nature of an agroterrorism event, there may also be substantial information demands from veterinarians, county extension agents, health departments, doctors, and others involved in responding to the situation. Thus, agencies will also need to be able to rapidly provide special hotlines and appropriate informational materials tailored to meet the needs of professionals.
4.3 Adoption of a Pre-Event Message Development Approach
An agroterrorism event and its resulting impacts could unfold with great speed, leaving agencies little or no time to develop effective communication strategies, informational materials, and emergency messages. In such a situation, events could easily outstrip communication efforts, leaving information vacuums that could quickly be filled with misinformation and rumors. This, in turn, could greatly complicate efforts to control an outbreak and contribute to the erosion of trust and confidence. One promising solution that has broken new ground is to adopt what has come to be known as the “pre-event message development” approach. 
In a nutshell, the idea is to carry out research on the concerns, information needs, and preferred information sources of key audiences; utilize the findings to prepare emergency messages and other materials; and carefully test them long before an event occurs [31–33]. Interest in this approach developed out of the experience of the Centers for Disease Control and Prevention (CDC) during the 2001 anthrax letter incidents. With concern about the incidents growing rapidly, CDC found itself having to field large numbers of calls from the public, requests by health officials for real-time information, and inquiries from the media. With events moving quickly and with staff already stretched assessing and managing the incidents, it became difficult to keep up with the demand for information. Reflecting on the experience, CDC later concluded that efforts to manage future emergencies would benefit from the use of a more proactive approach wherever possible. The agency enlisted the assistance of four US schools of public health, which carried out a multiyear, multisite research program to (i) understand the perceptions, information needs, self-protection concerns, preferred information outlets, and trusted sources for a range of population groups; (ii) identify core content for emergency messages; and (iii) pre-test draft message components (including the identification of confusing terms). CDC is now using these findings to craft more effective emergency messages, materials, and web content related to the human health aspects of unconventional terrorism agents. The communication challenges associated with an agroterrorism event would be immense. So too would the stakes. Should public trust and confidence be lost, they will
be difficult to regain. The “pre-event” approach is not easy. It requires investment in research and a commitment to translate that research into practice. However, adoption of a “pre-event” approach increases the chances that agencies can stay “ahead of the curve” rather than falling hopelessly behind. Rather than starting from scratch and guessing what information key stakeholders and the general public want, the use of a “pre-event” approach enables agencies to build on an empirically grounded foundation. “During an actual emergency, the focus of attention can be on developing incident specific information” that can quickly be incorporated into already tested materials [31].
4.4 A Broader Approach to Communication
Clearly, a vital part of any effective communication strategy during an agroterrorism event will involve working closely with the news media to get needed information out to the public. As practical experience and the literature on risk communication have shown, this means having the infrastructure and trained personnel to rapidly respond to media requests for information; being able to provide experienced, credible, well-informed spokespersons for interviews; being able to provide opportunities for visuals; and having press kits with relevant statistics and succinct and clear resource materials available. In addition, an effective communication strategy also requires reaching out to different types of media, including television, radio, and newspapers [34]. However, as important as the media component of a communication strategy may be, it is essential to remember that some population segments may not be reached through the media or may prefer or trust other sources of information. As noted earlier, during the 2001 foot-and-mouth disease outbreak in the United Kingdom, it was not uncommon for people to give more credence to trusted local sources, word of mouth, and the “grapevine” than to the national media or national government. 
This is consistent with some recent research on bioterrorism issues suggesting that, in some situations, there could be urban–rural differences in terms of preferred information sources. For example, one recent study noted that, whereas urban respondents reported looking to the media first for information, rural respondents reported looking first to local authorities [35]. In light of these findings, it is critical for an agroterrorism communication strategy to complement the mass media component with a carefully thought-out community outreach component. This should include steps to ensure that accurate, up-to-date information is rapidly and continuously provided directly to trusted local figures (e.g. county extension agents and veterinarians) and trusted community organizations and networks (e.g. farming organizations, houses of worship). The extensive involvement of stakeholders well before an event should greatly facilitate the identification of community networks that may be important for such outreach efforts. During the foot-and-mouth outbreak, parts of the farming community (particularly younger farmers and their families) also made extensive use of information technology. In an agroterrorism situation, it will be important to ensure that informational websites are easily found, user friendly, written in clear language, informed by an understanding of people’s concerns, and regularly updated with the latest information.
4.5 Ability to Rapidly Expand Crisis Hotlines and Peer/Social Support
As noted earlier, many people having to cope with the impacts of the foot-and-mouth outbreak turned to crisis hotlines and stress helplines. With an agroterrorism attack likely
to produce widespread emotional distress, it will be vital for emergency response plans to include mechanisms for rapidly expanding crisis/stress hotline services. Facilities, needed equipment and resources, and trained personnel should be identified in advance, as should ways of communicating the availability of the services. In addition, strategies for facilitating peer/social support should be included in planning. For example, mental health professionals can play “an educational and consultative role for veterinary surgeons, farming organizations, self-help groups . . . and local radio” [20, p. 275].
4.6 Special Services and Materials for Children
In any disaster situation, children have unique vulnerabilities. They may be exposed to the same frightening sights, sounds, and smells as adults, but not have the maturity or experience to interpret and understand what is going on around them. Although children are often resilient, there is no doubt that an agroterrorism event would be a highly distressing situation for them. It is important, therefore, for agroterrorism preparedness planning to include appropriate mental health support and interventions for children. This should include a particular focus on schools and day-care settings. “Children spend the majority of their waking hours at school or in a child-care setting. These settings are familiar and comfortable to children, and generally are experienced as safe, secure environments. As such, school and child-care settings are excellent locations for working with children before, during, and after a disaster” [22, p. 24]. In addition, it will be important to develop age-appropriate informational materials, explanations, coloring books, and messages to help children and families understand and cope with the situation [22].
4.7 Support for Frontline Personnel
As the foot-and-mouth epidemic demonstrated, the job of managing a large-scale outbreak can put frontline personnel under enormous strain. Likewise, during an agroterrorism event, long work hours, fatigue, extended periods of time away from home and family, the risk of injury, regular exposure to upsetting images, the uncertainty of the situation, and perhaps even public hostility could put frontline personnel at significantly increased risk for emotional distress. Agroterrorism planning, therefore, should include a robust mental health component aimed at supporting frontline personnel. This should include such measures as predeployment briefings, provision of self-care and stress management information, regular rest breaks, buddy/peer support arrangements, and support groups.
4.8 Human Health Issues
To the extent that human health concerns arise in relation to a suspected or actual agroterrorism attack (e.g. when zoonotic agents are involved or simply when rumors of possible human health effects gain prominence), it will be essential for agencies and spokespersons with a high level of credibility on health issues to be at the center of public communication efforts. Research on terrorism situations involving unconventional agents (including biological threats) has shown that many of people’s concerns, and many of the questions they want answered, relate directly or indirectly to health [32, 35–37]. In addition, other research on terrorism in general has demonstrated that when people are asked who they would trust to “give accurate and reliable information about what is happening and what to do in the event of a terrorist attack,” it was the professionals and organizations knowledgeable about health and health care that were ranked the highest [38]. The CDC was ranked the highest, with 84% of the population indicating it would
either “completely trust” or “somewhat trust” the agency to provide accurate and reliable information. Others on the list included “Doctor who is expert” (83%), the Surgeon General (76%), and the National Institutes of Health (75%). Figures such as the Secretary of Homeland Security and the Attorney General ranked much lower (68% and 65% respectively). The lesson is clear. If human health issues are involved in an agroterrorism event, communication with the general public needs to put health issues at the center, messages need to be “front-loaded” with information that answers people’s health questions, and the information should be provided by spokespersons recognized for having high credibility on health issues (e.g. the CDC).
4.9 More Realistic Plans and Exercises
There is a pressing need to better integrate social, psychological, and communication issues into agroterrorism contingency plans and training exercises. Many plans and exercises continue to give only minimal attention to these crucial considerations. Key areas (e.g. provision of appropriate services, development of an effective risk communication strategy, maintenance of trust and confidence) need to be explicitly addressed, and relevant roles and coordination issues need to be delineated and practiced on a regular basis. Without adequate consideration of relevant social, psychological, and communication issues, plans and exercises will be unrealistic and of limited value in preparing agencies and responders to deal with the complex challenges posed by an agroterrorism attack.
5 RESEARCH DIRECTIONS
In addition to implementing the lessons learned from the foot-and-mouth outbreak and other relevant experiences, it will be important in the coming years to carry out further research related to the social, psychological, and behavioral aspects of agroterrorism. In this regard, the topics identified in the 2002 National Research Council report on agricultural terrorism continue to be relevant [1].
For example, it would be useful to conduct additional work on how best to assist individuals and communities affected by an agroterrorism attack and how best to speed recovery. Another key area of research involves improving our understanding of the factors that affect compliance with infection control measures during large-scale agricultural disease outbreaks. What factors serve to facilitate compliance and what factors make compliance less likely? How, for example, do different work practices, economic situations, or local customs come into play? A better understanding of such factors will aid in the development of more realistic and more effective infection control strategies. Finally, it would be valuable to expand research on emergency communication during large-scale agricultural disease outbreaks. It is clear from the foot-and-mouth experience that communication problems exacerbated the outbreak’s impacts and damaged public trust and confidence. The stakes and the costs of failure could be even higher in an agroterrorism event. There is, therefore, a pressing need for additional research to better understand people’s concerns, information needs, and preferred information sources in relation to agroterrorism threats. Improved emergency communication—including the development of empirically grounded, pre-event messages—could play an important role in reducing an outbreak’s spread, mitigating its impacts, and maintaining trust, social cohesion, and public confidence.
ACKNOWLEDGMENTS
This article is based, in part, on fieldwork conducted by the author in the United Kingdom during and after the 2001 foot-and-mouth disease outbreak. The author is grateful to the many individuals and organizations that helped facilitate this work. Special thanks are due to the US Embassy in London, the Department for Environment, Food and Rural Affairs, the Rural Stress Information Network, the Ministry of Defence, and the National Farmers Union. Thanks are due as well to A. Becker, D. Franz, and R. Gurwitch, who provided helpful comments on earlier versions of the manuscript. Finally, the author wishes to thank the Lister Hill Center for Health Policy, and the Smith Richardson Foundation (International Security and Foreign Policy Program), which provided support for the research.
REFERENCES
1. National Research Council (2002). Countering Agricultural Bioterrorism, Committee on Biological Threats to Agricultural Plants and Animals. The National Academies Press, Washington, DC.
2. Becker, S. M. (2001). Meeting the threat of weapons of mass destruction terrorism: toward a broader conception of consequence management. Mil. Med. 166(S2), 13–16.
3. Anderson, I. (2002). Foot and Mouth Disease 2001: Lessons to be Learned Inquiry, Stationery Office, London.
4. Donaldson, A. (2004). Clinical signs of foot-and-mouth disease. In F. Sobrino, E. Domingo, Eds. Foot and Mouth Disease: Current Perspectives, Horizon Bioscience, Norfolk, pp. 93–102.
5. Brown, F. (2004). Stepping stones in foot-and-mouth research: a personal view. In F. Sobrino, E. Domingo, Eds. Foot and Mouth Disease: Current Perspectives, Horizon Bioscience, Norfolk, pp. 1–17.
6. Rowlands, D. J., Ed. (2003). Foot-and-mouth Disease, Elsevier Science B.V., Amsterdam.
7. Blancou, J., Leforban, Y., and Pearson, J. E. (2004). Control of foot-and-mouth disease: role of international organizations. In F. Sobrino, E. Domingo, Eds. Foot and Mouth Disease: Current Perspectives, Horizon Bioscience, Norfolk, pp. 425–426.
8. National Audit Office (2002). The 2001 Outbreak of Foot and Mouth Disease, Stationery Office, London.
9. Bennett, K., Carroll, T., Lowe, P., and Phillipson, J., Eds. (2002). Coping with Crisis in Cumbria: Consequences of Foot and Mouth Disease, Centre for the Rural Economy, University of Newcastle upon Tyne, Newcastle upon Tyne.
10. Western Morning News (2001). Foot and Mouth: How the Westcountry Lived Through the Nightmare, Western Morning Press, Plymouth.
11. Royal Society of Edinburgh (2002). Inquiry Into Foot and Mouth Disease in Scotland, Royal Society of Edinburgh, Edinburgh, Scotland.
12. Becker, S. M. (2004b). Learning from the 2001 foot and mouth disease outbreak: social, behavioral and communication issues. Scientific Panel on Agricultural Bioterrorism: Countering the Potential for Impact of Biothreats to Crops and Livestock, American Association for the Advancement of Science, Seattle, Washington, April 14, 2004.
13. Ingham, J. (2001). Look at the human suffering caused by efforts to keep this invisible enemy at bay. Daily Express, p. 33.
14. Bennett, K., and Phillipson, J. (2004). A plague upon their houses: revelations of the foot and mouth disease epidemic for business households. Sociol. Ruralis 44(3), 261–284.
15. Peck, D. F., Grant, S., McArthur, W., and Godden, D. (2002). Psychological impact of foot-and-mouth disease on farmers. J. Ment. Health 11(5), 523–531.
16. Garnefski, N., Baan, N., and Kraaij, V. (2005). Psychological distress and cognitive emotion regulation strategies among farmers who fell victim to the foot-and-mouth crisis. Pers. Individ. Dif. 38(6), 1317–1327.
17. Olff, M., Koeter, M. W. J., Van Haaften, E. H., Kersten, P. H., and Gersons, B. P. R. (2005). Impact of a foot and mouth disease crisis on post-traumatic stress symptoms in farmers. Br. J. Psychiatry 186(2), 165–166.
18. Deaville, J., Kenkre, J., Ameen, J., Davies, P., Hughes, H., Bennett, G., Mansell, I., and Jones, L. (2003). The Impact of the Foot and Mouth Outbreak on Mental Health and Well-being in Wales, November. Institute of Rural Health and University of Glamorgan, Glamorgan.
19. Hannay, D., and Jones, R. (2002). The effects of foot-and-mouth on the health of those involved in farming and tourism in Dumfries and Galloway. Eur. J. Gen. Pract. 8, 83–89.
20. Peck, D. F. (2005). Foot and mouth outbreak: lessons for mental health services. Adv. Psychiatr. Treat. 11(4), 270–276.
21. Mort, M., Convery, I., Baxter, J., and Bailey, C. (2005). Psychosocial effects of the 2001 UK foot and mouth disease epidemic in a rural population: qualitative diary based study. British Medical Journal 331, 1234.
22. Gurwitch, R. H., Kees, M., Becker, S. M., Schreiber, M., Pfefferbaum, B., and Diamond, D. (2004). When disaster strikes: responding to the needs of children. Prehospital Disaster Med. 19(1), 21–28.
23. Mercer, I. (2002). Crisis and opportunity: Devon foot and mouth inquiry 2001, Devon Books, Tiverton, Devon.
24. Nerlich, B., Hillyard, S., and Wright, N. (2005). Stress and stereotypes: children’s reactions to the outbreak of foot and mouth disease in the UK in 2001. Child. Soc. 19(5), 348–359.
25. Beeton, S. (2001). How foot and mouth disease affected a rural continence service. Nurs. Times 97(40), 59–60.
26. Gregory, A. (2005). Communication dimensions of the UK foot and mouth disease crisis, 2001. J. Public Aff. 5(3–4), 312–328.
27. Poortinga, W., Bickerstaff, K., Langford, I., Niewohner, J., and Pidgeon, N. (2004). The British 2001 Foot and Mouth crisis: a comparative study of public risk perceptions, trust and beliefs about government policy in two communities. J. Risk Res. 7(1), 73–90.
28. Hagar, C., and Haythornthwaite, C. (2005). Crisis, farming & community. J. Community Inform. 1(3), 41–52.
29. Bush, J., Phillimore, P., Pless-Mulloli, T., and Thomson, C. (2005). Carcass disposal and siting controversy: risk, dialogue and confrontation in the 2001 foot-and-mouth outbreak. Local Environ. 10(6), 649–664.
30. Levin, J., Gilmore, K., Nalbone, T., and Shepherd, S. (2005). Agroterrorism workshop: engaging community preparedness. J. Agromedicine 10(2), 7–15.
31. Vanderford, M. L. (2004). Breaking new ground in WMD risk communication: the pre-event message development project. Biosecur. Bioterror. 2(3), 193–194.
32. Becker, S. M. (2004a). Emergency communication and information issues in terrorism events involving radioactive materials. Biosecur. Bioterror. 2(3), 195–207.
33. Becker, S. M. (2005). Addressing the psychosocial and communication challenges posed by radiological/nuclear terrorism: key developments since NCRP 138. Health Phys. 89(5), 521–530.
34. U.S. Department of Health and Human Services (2002). Communicating in a Crisis: Risk Communication Guidelines for Public Officials, Center for Mental Health Services, Substance Abuse and Mental Health Services Administration, U.S. Department of Health and Human Services, Washington, DC.
35. Wray, R., and Jupka, K. (2004). What does the public want to know in the event of a terrorist attack using plague? Biosecur. Bioterror. 2(3), 208–215.
36. Glik, D., Harrison, K., Davoudi, M., and Riopelle, D. (2004). Public perceptions and risk communication for botulism. Biosecur. Bioterror. 2(3), 216–223.
37. Henderson, J. N., Henderson, L. C., Raskob, G. E., and Boatright, D. T. (2004). Chemical (VX) terrorist threat: public knowledge, attitudes, and responses. Biosecur. Bioterror. 2(3), 224–228.
38. Marist College Institute for Public Opinion (2003). How Americans Feel About Terrorism and Security: Two Years After 9/11, Survey conducted on behalf of the National Center for Disaster Preparedness and the Children’s Health Fund. August.
FURTHER READING
Brown, C. (2003). Vulnerabilities in agriculture. J. Vet. Med. Educ. 30(2), 112–114.
Chalk, P. (2004). Hitting America’s Soft Underbelly: The Potential Threat of Deliberate Biological Attacks Against the U.S. Agricultural and Food Industry, The Rand Corporation, Santa Monica, CA.
Hugh-Jones, M. E. (2002). Agricultural bioterrorism. In High-Impact Terrorism: Proceedings of a Russian—American Workshop. National Research Council in Cooperation with the Russian Academy of Sciences, The National Academies Press, Washington, DC, pp. 219–232.
FOREIGN ANIMAL DISEASES AND FOOD SYSTEM SECURITY
Barrett D. Slenning
Department of Population Health and Pathobiology, College of Veterinary Medicine, North Carolina State University, Raleigh, North Carolina
Jimmy L. Tickel
Emergency Programs Division, North Carolina Department of Agriculture and Consumer Services, Raleigh, North Carolina
1 INTRODUCTION
Food safety and security takes many forms and requires differing methods, depending on the nature of the threat, the kind of agricultural commodity vulnerabilities involved, and
the consequences of the event. Major threats to western agricultural economies are foreign animal diseases (FADs), such as foot and mouth disease (FMD) or highly pathogenic avian influenza. In fact, such are the threats, through direct effects on food production and security, as well as through direct and indirect impacts on public health and economic stability, that all nations have developed major programs for detecting and eradicating these diseases as soon as is practicable. Most such programs are aimed toward quickly regaining international trade, and so, utilize severe control methods such as stop movement orders (SMOs) and “stamping out/eradication” (SOE) programs. However, SOE was designed and proven under market systems very different from those in modern agriculture. Further, the focus on international trade, at least for the United States (USA), is misguided. In the end, SOE programs have shown themselves to have the potential, if not the probability, to trigger cascades of unintended consequences; consequences that can destroy the farms and food security they were intended to protect. Modern agriculture requires that we rethink our focus and methods, such that the goal is to maximize farm survival through intelligent use of business continuity methods by accessing new technologies and tools, and through exploiting characteristics of modern agricultural markets.
2 BACKGROUND
To understand how SOE programs came to be, and why they no longer are fully appropriate in the modern age, we need to look back at agriculture as it was when the plans and perspectives were designed and initially used, and then see how the landscape has changed.
2.1 Agriculture in the Twentieth Century
For most of the twentieth century, agriculture was seen as ubiquitous, small-scale, and oriented or marketed locally: farms were relatively small, and much of the population was involved in agriculture; farms did not move; animals and products remained within a fairly local economy. FAD outbreaks that could result in a loss of foreign trade were considered to be one of the few threats that could create a national disaster. However, since FAD outbreaks were projected as local events, the solution to restoring trade was to quickly contain the small outbreak and eradicate the disease. Thus, FAD responses were aimed at identifying affected herds or flocks and destroying them to minimize impacts on trade agreements and markets [1]. Additionally, these programs carried unstated presumptions that the only risks agriculture faced were from accidental or natural threats, and these assumptions colored the scenarios against which programs were designed. The concepts of intentional attacks or of accidental market-spread outbreaks were not serious considerations for researchers or decision makers.
2.2 Agriculture in the Twenty-First Century
Currently, agriculture is large-scale, highly mobile, and interdependent. Agriculture is dependent on transportation and just-in-time management. While agriculture is still a major economic sector across the country, a very small proportion of the population makes their living through farming. Exports are not primary aspects of US livestock; in 2007, the percentages of domestic production going to exports for beef, pork, and poultry
were 5.4%, 14.3%, and 15.7%, respectively, yielding an overall export market for livestock products equaling approximately 12% of overall domestic production [2, p. 32]. This suggests programs whose aims are to protect exports at the expense of domestic production have their priorities misplaced. Agriculture is now developing concentrated “production centers” (parts of the country where a type of production is concentrated and predominates, such as poultry in the Delmarva peninsula, corn in Iowa, or catfish farming in Mississippi), which operate and have resources and skills far beyond what twentieth century farms could imagine. Furthermore, ownership has concentrated, such that now majorities of primary production and processing are owned by a few small groups and companies, allowing for consistent management and rapid communications. Finally, agriculture is now highly integrated. For instance, in the large poultry production centers of the southeastern US, the companies involved in production also operate their own feed processing, transportation, and wholesale or retail divisions. These structural innovations change the risk profiles against which we should be defending.
2.3 Threat Profiles of Today
Reviews of recent FMD outbreaks in Taiwan (1997, [3, 4]), United Kingdom (2001, 2007, [5, 6]), plus bovine spongiform encephalopathy (BSE) in Canada (2003), United States (2004, 2005), [7, 8], with added insight from Newcastle Disease and highly pathogenic avian influenza outbreaks in North America (2003–2004, [9, 10]), have uncovered new considerations in regional or state disease control programs. For instance, the United Kingdom experienced near wholesale destruction of its cattle markets with the 1985 discovery of BSE, and added damage to both cattle and swine with the destruction of over 6 million animals in the 2001 FMD outbreak, a third of which were done for “welfare” reasons (Fig. 1, [11, p. 21]).
Welfare slaughter occurs when, with markets shut down and animal movement stopped, farms soon run out of space, feed, and/or money, and have no option other than to destroy their animals or let them starve. The United Kingdom has experienced, as a result, a drop in domestic consumption, signaling that severe outbreaks can lead to such changes in demand that attempts to maintain supply are futile. In another example, the Taiwan FMD experiences in the late 1990s (Table 1, [3, 4]), demonstrate that agriculture is actually quite fragile in the face of major supply and demand perturbations. In 1996, Taiwan was one of the largest pork exporters in the Pacific Rim. After FMD, Taiwan became a net pork importer; as of 2009 they had not regained their production or market share. Lastly, from documents found in Taliban sites in Afghanistan [12], to environmental or animal rights websites, it is apparent that agriculture, though a major critical infrastructure, is seen by its enemies as a large, soft target, susceptible to being a focus of politically motivated economic warfare. While none of the above disease events described were intentional in their origin, the results of the outbreaks are similar to what will be seen in a planned attack to either target an industry (state-level or locally) or a whole production system (nationally). The modern trend involving rapid and distant transportation of animals, feedstuffs, employees, and equipment, factored with collateral movements (wildlife, tourists, etc.), work synergistically to allow a disease agent to enter the production system by accident and create multifocal widespread outbreaks in a very short period of time (hours to days). Thus, accidental introductions of an FAD agent are likely to present the same disease management challenges that are found in intentional introductions.
[Figure 1: pie chart. Welfare (33%); DC nContig (24%); Infected (21%); DC contig (20%); Suspect (2%).]
FIGURE 1 Reasons for animal destruction (UK 2001). In the 2001 FMD outbreak in the United Kingdom, fully one-third of all animals destroyed were killed for “welfare” reasons—the animals had no markets to go to and the farms ran out of money and/or resources. Welfare, destroyed for welfare reasons; Infected, destroyed after confirmation of disease; DC Contig, destroyed as a contiguous dangerous-contact herd; DC nContig, destroyed as a noncontiguous dangerous-contact herd; Suspect, destroyed after classification as suspected of having disease. [Data from: Ref. [11]].
TABLE 1 Breakdown of Costs As of 3 Years After the Taiwan Foot and Mouth Disease (FMD) Outbreak
Item or Activity | Cost | Percentage of Direct Costs (%)
Indemnity for pigs destroyed | $188 million | 49.5
Vaccine costs | $14 million | 3.6
Carcass disposal | $25 million | 6.5
Miscellaneous | $28 million | 7.4
Market value losses | $125 million | 33.0
Total direct costs | $380 million | 100.0
Total indirect costs (jobs, tourism) | $3,650 million | 961.0
Note: Taiwan used stamping out plus reactive vaccination protocols. Total direct costs of the disease response ($380 million) are only one tenth of the total indirect costs of this event. This means that major foreign animal disease outbreaks are societal catastrophes that come to society through agriculture. [Data from: Refs. 3, 4].
3 DETAILS AND CHALLENGES IN OPERATING STAMPING OUT/ERADICATION PROGRAMS
SOE programs are initiated to achieve very specific goals, and the prioritization of tools and methods is based on assumptions that are often unstated. However, those assumptions are then left untested, meaning that the outcomes of the program will be very different from what was originally envisioned. To better understand how this can happen, we need to look at the history of SOE: how it works and how it fails.
3.1 How Stamping Out Programs Work
Historically, programs for controlling FADs use the standard SOE approaches of quarantine (stop movements) and euthanasia as their primary tools [1]. In such a program,
animal and product movement are stopped, decreasing disease expansion, and allowing time for affected herds or flocks and likely-to-be-affected herds or flocks to be identified. The animals are then destroyed and disposed of, to halt their ability to spread disease. After a period of strict surveillance, official movement permits allow markets to build back. In this way, such programs eradicate FADs by stopping agent replication and shedding, as depicted in the UK FMD 2001-based model shown in Figure 2 [13].
Some new measures have been added to the SOE approach in recent years. Emergency vaccination is one such advancement: “ring” or “fence” vaccination involves identifying an infected premise (IP) and vaccinating herds around the IP to limit opportunities for the agent to spread, analogous to setting backfires to stop forest fires. Interestingly enough, until recently, the SOE perspective limited the best use of vaccine (i.e. vaccine to protect and preserve life) and instead required that vaccinated animals be euthanized even though they were not infected [13, 14]. New technologies can now allow differentiation between vaccinated uninfected animals versus animals that are infected, making such “Vaccinate to Kill” strategies obsolete.
As a result of its long and proven track record in eradicating disease, its conceptual and logistical straightforwardness, and its clearly identifiable outcome, SOE has been the preferred tactic embraced by FMD-free countries since the mid-twentieth century [15]. Additionally, emergency vaccination is seeing increased interest from international FAD programs and the World Organization for Animal Health (WOAH or OIE, Office International des Épizooties), which is changing rules that have previously severely penalized vaccine-using countries [13].
[Figure 2: line chart of daily reported cases (y-axis, 0 to 60) against month and week number (Mo#.Wk#, x-axis, 2.3 to 8.1). Series: per day case counts from outbreak; rolling average case counts from outbreak; simulation with IP culling at 24 hr, other as occurred; simulation with IP culling at 24 hr and CP culling at 48 hr.]
FIGURE 2 SOE program goals and outcomes. Analysis of actual versus simulated epidemic curve for the 2001 UK FMD outbreak, assuming different levels of goal achievement for detection and slaughter. Actual did not achieve culling goals of infected premises (IPs) within 24 h of diagnosis, and contiguous premises (CPs) within 48 h. [Adapted from: Ref. [13] Chapter 10, Chart A, p. 94, with permission].
3.2 How Stamping Out Programs Fail
An SOE approach operated as the sole or primary tool for outbreak control has its problems [16]. For instance, the assumption that outbreaks will start small is likely to be false in today’s mobile agriculture. Modeling of FADs suggests that either bioterror events or accidental market-driven outbreaks will not present as small, local events. As an example, simulations suggest that an FMD outbreak starting in swine in eastern North Carolina (NC) could be in 5–7 states, affecting almost 500 herds in the first 10 days following exposure. Worst-case scenarios suggest an FMD outbreak could require destroying between 30 and 50 million animals, and would take more than 9 months (almost 280 days) to get under control [17, 18]. Thus, if SOE were to be used as the sole response tool, large numbers of animals, both of positive and negative nonexposed herds, will be euthanized. Additionally, to limit scavengers and potential public health concerns from the carcasses of euthanized animals, very rapid carcass destruction and disposal is required, usually by burial, composting or burning [19]. All carry public perception and environmental problems if done on a large scale, further limiting the attractiveness of an SOE approach. In the end, few workers believe that US society would tolerate that level of animal waste and destruction. Fewer still believe the United States could mobilize the necessary personnel to successfully execute and complete such a massive campaign.
Adding emergency vaccine to an already late SOE approach does little to help, because its only response to being “behind the disease curve” is to increase the size of the potential “rings.” As shown in Table 2, however, increasing vaccination-ring size increases personnel and supply requirements by the square of the increase in the ring’s diameter, at a time when both are likely to be very limiting.
Another problem is that SMOs required for SOE create massive damage in today’s highly mobile “just-in-time” agriculture. Estimates from the NC dairy industry to the authors are that if interstate milk movement is stopped, the entire NC system milk storage capacity would be reached within 48 h, far short of a typical multiday SMO; there would be nowhere for milk to go, even if the state remained FMD-free, thereby jeopardizing a healthy dairy industry. Even properly managed SMOs can create tremendous damage at the individual farm level. For example, Figure 3 illustrates a simple analysis done by us determining how many non-shipping days a dairy could absorb before its annual profit (measured as returns to management) reached zero. It suggests the average NC dairy in spring 2009 producing between 17,000 and 18,000 lbs of milk per cow, could survive an SMO up to 9–13 days, assuming all else is equal. Should the control and recovery program increase costs (or decrease milk prices) by a mere 3%, however, these farms will have zero returns to management within hours of instituting the SMO. Higher-producing farms, assuming similar debt and externals, survive longer, but the trend is relentless: The longer SMOs last, the more of the industry will fail, even though they are doing everything right and remain uninfected.
The SOE/SMO mind-set can permeate other disease control programs. For instance, in spring 2009, a commercial Canadian swine herd was infected with the novel H1N1 influenza virus by a worker. Although the disease ran its course in the herd (no animals died), and recovered animals are not infective, the government stopped all movement of animals from the farm. This introduced welfare degradation, which meant they had to slaughter animals for welfare purposes. Furthermore, animals were kept out of the human food chain, and even rendered product (a process that destroys all viruses) had to be disposed of by one of the most expensive means, landfilling.
To explain the reasoning, a Canadian official was quoted as saying “. . . The decision to cull the herd was to ease overcrowding . . . This doesn’t have anything to do with the flu, . . . It has to do . . . with animal welfare . . . Due to the quarantine, these animals cannot be moved off the farm as they normally would. The living conditions would soon become unacceptable due to overcrowding and they (the pigs) would have been in distress . . .” [20]. As with the discussion of the dairies shut out of their market by SOE/SMO procedures above, we must be honest in recognizing that these animals, and these farms, are destroyed by our programs, not by the disease.
Lastly, a strong motivation to transition FAD response away from SOE/SMO policies stems from the observations that historical plans generated numerous unintended consequences beyond the direct market effects mentioned above. Two especially vexing issues include (i) that our programs induce paradoxical motivation for producers to seek ways for their herds or flocks to become infected or to bypass control measures in last-ditch efforts to avoid individual financial ruin by either gaining indemnities or selling product [21] and (ii) that we ignore the socioeconomic and political impacts on nonagricultural facets of communities and economies; impacts that are often severalfold greater than the direct impacts on agriculture (see Table 1 as an example).

TABLE 2 Demonstration of Logistical Problems with Increasing the Size of a Ring Vaccination Program’s Area

| Item/Resource Measure/Count | Default Program | Proposed Program | Factor Increase |
|---|---|---|---|
| Kill zone (KZ) radius (mi) | 2 | 6 | 3.0 |
| Control zone (CZ) radius (mi) | 6 | 18 | 3.0 |
| KZ area (sq. mi) | 13 | 114 | 8.8 |
| CZ area (sq. mi) | 101 | 905 | 9.0 |
| KZ swine farm count | 26 | 227 | 8.7 |
| CZ swine farm count | 202 | 1810 | 9.0 |
| KZ count pigs | 50,266 | 452,390 | 9.0 |
| CZ count pigs | 402,124 | 3,619,115 | 9.0 |
| Kill team personnel count | 88 | 760 | 8.6 |
| Vaccination team personnel count | 448 | 4024 | 9.0 |
| KZ roadblock count | 9 | 26 | 2.9 |
| CZ roadblock count | 26 | 76 | 2.9 |
| KZ roadblock personnel count | 34 | 101 | 3.0 |
| CZ roadblock personnel count | 101 | 302 | 3.0 |
| Total personnel count | 706 | 5289 | 7.5 |
| Total animal euthanasia sets required | 50,266 | 452,390 | 9.0 |
| Total vaccine doses required | 402,124 | 3,619,115 | 9.0 |

Note: Typical eastern North Carolina swine-farm size and density, and roadway density, plus standard response task force/strike team sizes and shift length used for both options. Counts rounded to next whole number. DEFAULT: Assumes a program with a 2-mile radius for culling KZ, where herd destruction would occur, and a 6-mile radius for vaccination CZ, where vaccination would occur; PROPOSED: Expands KZ to a 6-mile radius, and CZ to an 18-mile radius (i.e. a threefold increase in radii compared to DEFAULT). The PROPOSED increase results in a 7.5- to 9-fold increase in immediate needs for personnel, equipment, and supplies. This increase provides a near tripling of the distance the virus must spread to break the ring vaccination program before animals respond to the vaccine, which does not translate to a threefold decrease in risk, let alone a ninefold improvement.
[Figure 3 plot: “Effect of FAD program costs and milk production on farm resilience.” Y-axis: days to $0 returns to management (0 to 30). X-axis: 305 d FCM (000's lbs; per cow per yr), 16 to 22. Curves: 0%, 2%, 4%, and 6% FAD program cost increase. Plot note: using typical spring 2009 North Carolina costs and relationships.]
FIGURE 3 Destroying uninfected farms through SOE programs. Economic prediction for dairies’ resilience to stop movement orders (using typical NC dairy cost structures and trends), as a function of per cow milk production and across program-induced cost increases from 0% to 6%. The typical NC dairy produces almost 18,000 lbs FCM, meaning it would have mere days before a stop movement program would erase a total year’s profit, assuming the program did not change the dairy’s relative costs and income. However, if the SOE program decreased income relative to cost by 2%, its resiliency is halved. Should the SOE program imbalance costs and revenues by 4%, however, the farm will almost immediately become unprofitable. This damage occurs even though the farm is uninfected by the disease. FCM, fat-corrected milk production per cow per lactation.
4 KNOWLEDGE ADVANCES ENCOURAGING DEVELOPMENT OF BALANCED EVENT MANAGEMENT STRATEGIES
Many nations and trade blocs have reconsidered their FAD programs, and are considering a more managed strategy. For instance, WOAH/OIE has increased its interest in, and work with, (i) regionalization within a country (declaring parts of a country free of disease and open to trade) and compartmentalization within industries (allowing unaffected segments to continue economic activity), (ii) decreasing the time-to-trade-resumption penalties that countries practicing FMD vaccination face, and (iii) updating their rules and policies regarding testing and vaccination technologies [22]. But these changes, though helpful, do not address fundamental issues causing SOE/SMO methods to fail. A major shortcoming is the failure to recognize how technologies offer improved methods and tools [23, p. 122]. Following are but a few of the disciplines and technologies that have recently advanced greatly. While many examples could be brought forth, here we only address vaccinology or immune enhancements, disease detection, and information technology. Together, they bring new tools and opportunities for prevention, response, and recovery.
4.1 Advances and Tools Ignored by Most Stamping Out Plans
Current vaccine development techniques include functional genomics and gene alteration techniques that produce live vector-based vaccines exploiting important gene expression and genetic recombination techniques to increase their safety and create readily identifiable genetic markers for differentiation from wild virus [24]. Subunit vaccines—products that do not involve the use of live agents—can take vaccine safety margins to levels unattainable by standard killed or attenuated techniques [25]. Novel methods of vaccine delivery—through feed, aerosols, or the previously mentioned vectors—promise to improve the ability to cover disparate populations. Further, improvements in lyophilization and sterilization have enhanced shelf life and stability, making long-term stockpiling of these tools in ready-to-deploy forms more feasible.
Nonvaccine immune system enhancement opportunities have been augmented through expanding knowledge of general animal health, nutrition, and stressors. Direct oral or mucosal delivery of interferons has been demonstrated to be an effective and fast therapy against viruses, including FMD, without vaccine use. The ability to include such products in feed during an outbreak has experimentally shown efficacy in protecting swine from FMD infection, even without concomitant vaccines [26]. Developments in understanding and manipulating different parts of immune systems (e.g. cell-mediated vs. humoral) to optimize responses to different agents also show highly specific potentials for control applications. Finally, long-term genetic techniques and expanded genome maps promise new opportunities to create more disease-resistant livestock.
Modern materials science, biochemistry, nanotechnology, mathematical pattern recognition, spectroscopy, and molecular imaging systems have recently been combined to optimize approaches to rapid, high resolution, accurate, and efficient diagnostic and biosensor tools. Environmentally stable automated systems that can combine sampling and detection technologies have been commercialized and adapted to business, environmental, and military applications as well. Combined with previously mentioned genetically altered vaccines, these technologies potentially allow rapid and repeatable differentiation of vaccinated, recovering, and recently exposed animals [27].
The last innovation example, information technology, is perhaps the most obvious and socially permeating change that is not recognized in typical SOE plans. Field personnel now access and create information at speeds and distances unheard of only a decade ago. Global positioning systems incorporated into mobile wireless devices are currently in-field for military and government planners and responders. With the advent of national animal identification systems and shared multihazard data structures [28], these systems create new avenues for planning and executing trace-in/trace-out work, for monitoring animal flow, and for serving as the basis for syndromic surveillance systems, distributed databases, and “network aware” activities and coordination, where central decision makers and in-field workers have access to real-time updated data.
5 TRANSITIONING TO A STRATEGIC EVENT MANAGEMENT POLICY
Recent catastrophic FAD outbreaks from all parts of the globe have highlighted policy areas we need to improve (e.g. the lack of state or national consideration of business continuity issues for primary production, secondary handling or processing, and support industries) while designing and executing FAD control and eradication programs. A key driver to quickening the transition needed will be the realization that SOE policies as
stand-alone solutions are not the answer to the challenges presented to modern food and agriculture by FADs.
5.1 Regionalization, Compartmentalization, Proof-of-Status Testing
Consideration of both sides of a disease event (infected case management and uninfected premises administration) is critical to transitioning between SOE and an event management strategy. Approaches and tactics such as regionalization, compartmentalization, standardized biosecurity, and proof of negative-status testing are all part of a comprehensive managed response, and as mentioned above are experiencing interest internationally [22]. Modern agriculture continues to regionalize and compartmentalize itself into production centers, and will do so in the future due to a number of different factors adding to the validity of the approach [29]. While regionalization refers to geographic separation and specialization of production and processing, compartmentalization capitalizes on breaks that occur naturally in production processes. For example, in swine production many producers have breaks (physical, workforce, and management separations) among sows/pigs, nursery age pigs, and finishing pigs, producing essentially a three-compartment production system. Compartmentalization has been utilized by industry in day-to-day operations to protect the overall health of their animals and the system by safeguarding different segments, and improving organization and efficiency. This same strategy can be used during disease outbreaks to maximize response organization, effectiveness, efficiency and, more importantly, to protect uninfected segments of agriculture. Unfortunately, current SOE/SMO plans treat these densely populated and specialized production centers as if they were small and relatively isolated, that is, as if they were farms and companies from the 1950s. This results in current FAD response plans working against regionalization, and ignoring compartmentalization.
However, understanding production centers, regionalization, and compartmentalization can afford response officials the ability to designate zones for infected herds or flocks, as well as for negative herds or flocks. As regionalization and compartmentalization approaches are developed specific to a region and an industry, response actions such as proof-of-status testing and standardized biosecurity can support control activities, so that as response officials in infected states grapple with eradication, response officials in negative states can preserve their food production, processing, and related industries through business continuity efforts.
5.2 New Horizon: Programs and Tools That Can Aid the Transition
There are a number of programs and tools in existence or in development that can greatly aid the transition. Existing programs include Criticality, Accessibility, Recuperability, Vulnerability, Effect, Recognizability (CARVER) and Shock (a threat assessment tool that evaluates the vulnerability to, and the shock factor of, a successful attack on an entity) [30] and Food Agriculture Sector–Criticality Assessment Tool (FAS–CAT), a method to assess the subsystems comprising the overall food and agricultural organization [31]. Others in development offer new methods to help responders gauge readiness and develop standardized cross-jurisdictional plans. To ensure that efforts are fully integrated, standardized exercises can be conducted in states, regions, and nationally through a program known as Homeland Security Exercise and Evaluation Program (HSEEP) [32]. Finally, recognizing that agriculture and food systems have outgrown local approaches to FADs has led to regional planning efforts utilizing tools such as compartmentalization and regionalization. The keys will be to develop standardized approaches across states (i.e. regions) for biosecurity measures, proof-of-status testing (surveillance), zoning guidelines, and movement protocols, as illustrated in Figure 4.

[Figure 4 diagram: four planning levels linked by HSEEP exercises. PRODUCTION SYSTEM LEVEL: identification and criticality of systems (tool: FASCAT). FARM and PROCESSING PLANT LEVEL: vulnerability of a facility and mitigation of threat (tool: CARVER-Shock). MULTI-PRODUCTION SYSTEM LEVEL & STATES: response strategies/plans (tool: target capabilities lists, regionalization, compartmentalization). REGIONAL AND COUNTRY LEVEL: federal support of state and regional planning/response (tool: standardization, regionalization, compartmentalization).]
FIGURE 4 Diagram of “farm to fork” resilience planning. Scalable processes and tools allow vulnerability analyses and prioritization at all levels of food security. However, some tools and methods will be appropriate at some levels, but not others. For descriptions of the tools listed, please see the text.
6 CONCLUSIONS
The combination of new knowledge, tools, and economic environments has given rise to new considerations for disease control programs. It is now evident that the current plans to prioritize FAD eradication by only using strict SOE (Figure 5, [33]) in order to maintain agricultural trade, if applied in the many advanced agricultural regions of the United States, are likely to not only fail to contain the epidemic, but could so damage the industries that they will not recover. Furthermore, given the concentration of production centers seen in NC swine, California dairies, or High Plains’ feedlots, emergency ring vaccination strategies are likely to consume vast amounts of very limited early resources to achieve minimal results. From a systems’ perspective, then, the unavoidable conclusion is that historical ideas on control of FADs are counterproductive and could well result in greater net harm to agriculture, to rural communities, and to regional economies, than they will alleviate.
[Figure 5 flowchart: yes/no decision nodes (1) Can FMD be eradicated using stamping out only? (2) Is pre-emptive slaughter possible? (3) Are resources sufficient for pre-emptive slaughter? (4) Is vaccination possible? Outcomes: Stamp out only; Pre-emptive slaughter + stamp out; PES + vaccination stamp out; Vaccination + stamp out; Endemic FMD.]
FIGURE 5 Typical FAD response decision tree for a nonendemic country. Decision tree addressing foot and mouth disease assumes stamping out/eradication, which is the preferred course of action. Not until SOE is deemed infeasible can alternative methods be considered. This disallows risk-based decision processes, and limits decision makers to a single tool, until that tool fails. Such blind rigidity does not belong in decision making within a changing and dynamic event such as an outbreak. [Excerpted from: Ref. [29]].
Finally, in these days of heightened concern for terrorism, we must face the fact that if we can show that even a simultaneous multisite outbreak could be controlled with minimal disruption to production and markets, we will have gone a long way to making these pathogens low-yield tools for those wishing us harm. Many workers have recognized that new technologies must be incorporated into a comprehensive event management strategy that would prevent and/or limit large-scale outbreaks. Five characteristics of such a new strategy include the following:
1. The goal should not be eradication at any cost, but instead, to best assure farm and market survival. We exist to protect agriculture, not stamp out diseases. Eradication is but one tool we have available in order to accomplish our goals. Managed eradication with attention to business continuity issues regarding production, processing, and transportation will best assure that we protect agriculture and our food supply.
2. Today’s regionalized, compartmentalized, and concentrated production centers should utilize coordinated, facilitated biosecurity and population health programs, potentially including preventive vaccination. Production centers represent the largest single points of failure for US agriculture, while at the same time offering us the single best points for establishing targeted prevention and mitigation tools. If we protect production centers (the major population centers) ahead of time, we cut the chances of an uncontrolled epidemic.
3. We should exploit new means to augment animals’ immunities, with or without vaccines. Using nonvaccine delivery systems will also decrease demands on specially trained personnel and equipment, both of which are always in very limited availability early in any outbreak. Nonvaccine methods also do not trigger trade issues, further helping to assure markets are maintained.
4. We must minimize SMOs. They can be minimized through genetically altered or vector vaccines and risk-based differential testing methods, aimed at controlled and permitted market maintenance; that is, we must allow likely negative herds and products to move through markets. A major issue here is in testing capacity, for most state and federal diagnostic laboratories do not have the authority to perform proof-of-status testing, while private laboratories are denied the access and authority to do the same.
Hence, we must change our formal decision processes to incorporate the new technologies, methods, and opportunities, to better protect agriculture and food security. The decisions cannot presuppose any method as optimal, such as we currently do with SOE. They must be risk-based, with a view toward business continuity, if we are to truly succeed in our goals to protect US food security.
7 ABBREVIATIONS
BSE     Bovine Spongiform Encephalitis
FAD     Foreign Animal Disease
FMD     Foot and Mouth Disease
IP      Infected Premises
OIE     Office International des Epizooties (aka: WOAH/OIE)
SMO     Stop Movement Order (aka: Market Standstill)
SOE     Stamping-Out / Eradication
UK      United Kingdom
WOAH    World Organization for Animal Health (aka: WOAH/OIE)
REFERENCES
1. Geering, W. A., Penrith, M. L., and Nyakahuma, D. (2009). Manual of Procedures for Disease Eradication by Stamping Out, FAO Animal Health Manual No. 12. FAO, Rome, p. 140. Available at http://www.fao.org/docrep/004/y0660e/Y0660E00.htm Accessed 2001 Apr 21.
2. Bange, G. A. (2009). World Agricultural Supply and Demand Estimates (WASDE-469). Table 32: U.S. Meats Supply and Use. Interagency Commodity Estimates Committee, USDA/ERS, Washington, DC, p. 41. Available at http://www.usda.gov/oce/commodity/wasde Accessed 2009 May 09.
3. Anonymous. (1997). Foot-and-Mouth disease spreads chaos in pork markets. Livestock and Poultry–World Markets and Trade. FASonline. USDA/Foreign Agricultural Service, Washington, DC, Updated Dec 2003, p. 4. Available at http://www.fas.usda.gov/dlp2/circular/1997/97-10LP/taiwanfmd.htm Accessed 2009 Apr 20.
4. Huang, S. (2000). Taiwan’s hog industry—3 years after disease outbreak. Agricultural Outlook/October 2000. Economic Research Service/USDA, Washington, DC, pp. 20–23. Available at http://www.ers.usda.gov/publications/agoutlook/oct2000/ao275h.pdf Accessed 2009 April 20.
5. Anderson, I. (2008). Foot and Mouth Disease 2007: A Review and Lessons Learned. Address of the Honourable House of Commons dated 11 March 2008. HC 312. The Stationery Office, London, p. 6. Available at http://archive.cabinetoffice.gov.uk/fmdreview/documents/section 1.pdf Accessed 2009 May 09.
6. Anonymous. (2007). FMD 2007 Epidemiology Report–Situation at 12:00 Sunday 30 September 2007, Day 58. Department for Environment, Food and Rural Affairs. London. p. 17. Available at http://www.defra.gov.uk/FootandMouth/pdf/epidreport300907.pdf Accessed 2009 May 09.
7. Becker, G. S. (2006). Bovine Spongiform Encephalopathy (BSE, or “Mad Cow Disease”) in North America: A Chronology of Selected Events. Congressional Research Service, Library of Congress, Order Code RL32932, Washington, DC, p. 35.
8. LeRoy, D., Klein, K. K., and Kivacek, T. (2006). The losses in the beef sector in Canada from BSE. Canadian Agricultural Trade Policy Research Network, Guelph, ON. CATPRN Trade Policy Brief 2006–2004, p. 4. Available at http://www.uoguelph.ca/~catprn/PDF/TPB-06-04-LeRoy.pdf Accessed 2009 Apr 20.
9. Anonymous. Exotic Newcastle Disease Factsheet (online). National Agricultural Biosecurity Center. Kansas State University, Kansas. Available at http://nabc.ksu.edu/content/factsheets/category/Exotic%20Newcastle%20Disease#outbreaks Accessed 2009 Apr 20.
10. Lee, C. W., Swayne, D. E., Linares, J. A., Senne, D. A., and Suarez, D. L. (2005). H5N2 avian influenza outbreak in Texas in 2004: the first highly pathogenic strain in the United States in 20 years? J. Virol. 79(17), 11412–11421. DOI:10.1128/JVI.79.17.11412-11421.2005.
11. Rushton, J., Willmore, T., Shaw, A., and James, A. (2002). Economic Analysis of Vaccination Strategies for Foot and Mouth Disease in the UK. Royal Society Inquiry into Infectious Diseases in Livestock, London, p. 95.
12. Friend, M. (2006). Chapter 6 - biowarfare, bioterrorism, and animal diseases as bioweapons. In Disease Emergence and Resurgence: The Wildlife–Human Connection, 1st ed., M. Friend, Ed. USGS Circular 1285, Reston, VA, pp. 231–272.
13. Anderson, I. (2002). Chapter 10 - pre-emptive slaughter. In Foot and Mouth Disease 2001: Lessons to be Learned Inquiry Report, I. Anderson, Ed. The Stationery Office, London, pp. 89–98.
14. Members of the OIE Terrestrial Code Commission (2006–2009). (2008). Glossary. Terrestrial Animal Health Code 2008. OIE–World Organization for Animal Health, Paris, p. 12. Available at http://www.oie.int/eng/normes/MCODE/en glossaire.htm#sous-chapitre-2 Accessed 2009 May 09.
15. Anonymous. (2009). History of disease control in the UK (On-Line). Animal Health & Welfare. Dept of Environment, Food, and Rural Affairs, London. Available at http://www.defra.gov.uk/animalh/diseases/control/history.htm Accessed 2009 Apr 21.
16. Ferguson, N. M., Donnelly, C. A., and Anderson, R. M. (2001). The foot-and-mouth epidemic in Great Britain: pattern of spread and impact of interventions. Science 292, 1155–1160.
17. Anonymous. (2002). U.S. conducts mock foot-and-mouth outbreak. Animalnet October 1, 2002. Available at http://archives.foodsafety.ksu.edu/animalnet/2002/10-2002/animalnet october 1-2. htm#U.S. %20CONDUCTS Accessed 2009 May 9.
18. Reardon, J. W. (2005). Testimony Before the House Committee on Homeland Security. Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment, Washington, DC, p. 16. Available at http://www.globalsecurity.org/security/library/congress/2005 h/050525-reardon.pdf Accessed 2009 May 09.
19. Dörfer-Kreissl, W. (2002). Report of Measures to Control Foot and Mouth Disease in the European Union in 2001 and Future Measures to Prevent and Control Animal Diseases in the European Union. [European Parliament Session Document A5-0405/2002]. 28 Nov. pp. 45–52.
20. Strojek, S. (2009). Alberta farm infected with H1N1 culls 500 pigs. The Canadian Press/CityNews TV. Rogers Digital Media Co. Toronto. Available at http://www.citynews.ca/news/news 34444.aspx Accessed 2009 May 23.
21. Campbell, D., and Lee, B. (2003). The foot and mouth outbreak 2001: lessons not yet learned. The UK Foot and Mouth Epidemic of 2001: A Research Resource. ESRC Centre for Business Relationships, Accountability, Sustainability and Society, Cardiff, p. 27. Available at http://www.fmd.brass.cf.ac.uk/lessonsnotlearnedDCBL.pdf Accessed 2009 May 09.
22. Members of the OIE Terrestrial Code Commission (2006–2009). (2008). Article 8.5. foot and mouth disease. Terrestrial Animal Health Code 2008. OIE–World Organization for Animal Health, Paris, p. 23. Available at http://www.oie.int/eng/normes/Mcode/en chapitre 1.8.5.htm Accessed 2009 May 09.
23. Committee on Assessing the Nation’s Framework for Addressing Animal Diseases, National Research Council. (2005). Chapter 4 - gaps in the animal health framework. Animal Health at the Crossroads: Preventing, Detecting, and Diagnosing Animal Diseases, pp. 118–132.
24. Kitching, P., Hammond, J., Jeggo, M., Charleston, B., Paton, D., Rodriguez, L., and Heckert, R. (2007). Global FMD control–Is it an option? Vaccine 25, 5660–5664.
25. Moraes, M. P., Chinsangaram, J., Brum, M. C. S., and Grubman, M. (2003). Immediate protection of swine from foot-and-mouth disease: a combination of adenoviruses expressing interferon alpha and a foot-and-mouth disease virus subunit vaccine. Vaccine 22, 268–279.
26. McVicar, J. W., Richmond, J. Y. et al. (1973). Observation of cattle, goats and pigs after administration of synthetic interferon inducers and subsequent exposure to foot and mouth disease virus. Can. J. Comput. Med. 37, 362–368.
27. Pasick, J. (2004). Application of DIVA vaccines and their companion diagnostic tests to foreign animal disease eradication. Anim. Health Res. Rev. 5, 257–262. DOI:10.1079/AHR200479.
28. North Carolina Department of Agriculture (2009). Emergency Programs - Multi-Hazard Threat Database. North Carolina Department of Agriculture and Consumer Services, Raleigh, NC. Available at http://www.agr.state.nc.us/oep/MHTD/index.htm Accessed 2009 May 08.
29. MacDonald, J. M., and McBride, W. D. (2009). The Transformation of U.S. Livestock Agriculture–Scale, Efficiency, and Risks, Economic Information Bulletin No. 43. Economic Research Service, U.S. Dept. of Agriculture, Washington, DC, 46. Available at http://www.ers.usda.gov/Publications/EIB43/ Accessed 2009 May 16.
30. Mann, C. J., Acheson, D., and Caverty, J. (2007). Appendix 4: CARVER + Shock Primer. Agriculture and Food: Critical Infrastructure and Key Resources Sector-Specific Plan. Food and Agriculture Government Coordinating Council. Washington, DC, p. 250. Available at http://www.cfsan.fda.gov/~acrobat/agfood.pdf Accessed 2009 May 25.
31. The National Center for Food Protection and Defense (2009). FAS-CAT 1.1. National Center for Food Protection and Defense, Saint Paul, MN. Available at http://www.ncfpd.umn.edu/ Accessed 2009 May 25.
32. Anonymous. (2007). Homeland Security Exercise and Evaluation Program - Terminology, Methodology, and Compliance Guidelines. U.S. Department of Homeland Security, Washington, DC, p. 6. Available at https://hseep.dhs.gov/support/HSEEP 101.pdf Accessed 2009 May 25.
33. EM/VS/APHIS/USDA. (2005). Appendix 1. vaccine decision tree for a highly contagious disease. National Animal Health Emergency Management System Guidelines - Response Strategies: Highly Contagious Diseases, Washington, DC. p. 27, 31.
INSECTS AS VECTORS OF FOODBORNE PATHOGENS
Ludek Zurek
Kansas State University, Departments of Entomology and Diagnostic Medicine and Pathobiology, Manhattan, Kansas
J. Richard Gorham
United States Public Health Service, Food and Drug Administration, Xenia, Ohio
1 INTRODUCTION
Two areas of concern are discussed in this article. One, the major one, has to do with the contamination of food and food-contact surfaces by various insect pests often associated with human or animal foods [1]. The scenarios by which such contaminations occur are well known and are mitigated by strict adherence to sanitation standard operating procedures (SSOPs) and good manufacturing practices (GMPs), by the implementation of the hazard analysis critical control points (HACCP) program, and by the practice of Integrated Pest Management (IPM). We will not describe these four programs. The reader will find abundant resources about these programs on the Internet, from the Land Grant universities, scientific literature, and commercial providers of these programs [2, 3].
The lesser concern, a much less familiar one, deals with intentional food contamination mediated by insect agents. To deal with this threat, an equally proactive approach, similar to SSOPs/GMPs/HACCP/IPM, is essential. It involves a strategy we have termed AIM=F: anticipate, inform, mitigate equals frustrate, that is, the prevention, neutralization or control of intentional acts of food contamination by means of insect agents.
2 MUSCOID FLIES AND FRUIT FLIES
Muscoid flies and fruit flies represent a close association of insects with microbes, especially with bacteria originating from human and animal feces and other decaying organic materials. Moreover, muscoid flies have a great potential to contaminate human food and drink with bacteria, including foodborne pathogens, because of their developmental habitats, mode of feeding (regurgitation), unrestricted movement, and attraction to places occupied by humans and domestic animals.
2.1 Nutrition and Development
Virtually any environment rich in decaying organic matter harbors a diverse bacterial community and becomes a suitable substrate for development of muscoid flies, such as house flies (Musca domestica), stable flies (Stomoxys calcitrans), horn flies (Haematobia irritans), and face flies (Musca autumnalis) [4]. The primary larval developmental sites
for these flies include animal feces/manure and other decaying organic material (human garbage and compost). The importance of bacteria in the development of muscoid flies has been reported in several studies that show that a live bacterial community is essential for the larval development of these flies. The nature of this symbiosis is unclear. The significance of bacteria for the development of larvae has been examined for house flies [5–7], stable flies [8, 9], horn flies [10], and face flies [11]. Digestibility of bacteria in the intestinal tract was demonstrated in house flies [12], stable flies [13], and blow flies [14, 15]. Other studies of morphological and physiological adaptations of muscoid flies for uptake, storage, and digestion of bacteria also emphasized the importance of bacteria in larval development [12, 16]. In addition, it has been demonstrated that the same bacteria that support the development of stable fly larvae also stimulate oviposition (egg laying) on the specific substrate and therefore indicate the suitability of the substrate for offspring development [9]. Studies on house flies and stable flies have demonstrated that bacteria in the larval gut can survive pupation and can colonize the digestive tract of newly emerged adult flies [17, 18]. This important finding supports the idea that adult muscoid flies serve as vectors of human and animal pathogenic bacterial strains. Fruit flies do not require bacteria to successfully complete development. It has been shown that exogenous bacteria enhance the lifespan of Drosophila melanogaster, especially during the first week of adult life [19]; however, a more recent study did not confirm these results [20].
2.2 Dissemination of Pathogens and Antibiotic Resistant Strains
House flies and other muscoid (filth) flies are pests of great medical and veterinary significance [21].
House flies are important nuisance pests of domestic animals and people, as well as the main fly vectors of foodborne and animal pathogens [21–23]. Due to their indiscriminate movements, ability to fly long distances, and attraction to both decaying organic materials and places where food is prepared and stored, house flies greatly amplify the risk of human exposure to foodborne pathogens. House flies can transport microbial pathogens from reservoirs (animal manure) where they present a minimal hazard to people to places where they pose a great risk (food) [21, 22]. Stable flies are bloodsucking insects and important pests of domestic animals and people. Stable flies cause great economic losses in the animal industry, primarily in dairy and beef production [24, 25], and they can also play a role in the ecology of various bacteria originating from animal manure and other larval developmental habitats [18]. The potential of adult house flies to transmit pathogens such as Yersinia pseudotuberculosis [26, 27], Helicobacter pylori [28], Campylobacter jejuni [29], Escherichia coli O157:H7 [30–32], Salmonella spp. [33], and Aeromonas caviae [34] has also been reported. Recently, it has been demonstrated that house flies are capable of transmitting E. coli O157:H7 to cattle, the major reservoir of this human foodborne pathogen [35]. Fruit flies, primarily the Mediterranean fruit fly (Ceratitis capitata) and the vinegar fruit fly (D. melanogaster), were also reported as potentially competent vectors for E. coli O157:H7 and were capable of contaminating fruits with this pathogen under laboratory conditions [36, 37]. Several studies reported a direct positive correlation between the incidence of foodborne diarrheal diseases and the density of fly populations. For example, suppression of flies in a military camp in the Persian Gulf region resulted in an 85% decrease in shigellosis and a 42% reduction in the incidence of other diarrheal diseases [38]. Esrey [39]
reported a 40% reduction in the incidence of diarrheal infections in children after suppression of the fly population. Additionally, the development of antibiotic resistance among clinical bacterial isolates and commensal bacteria of people and animals, as well as bacteria in other habitats, raises a concern that flies may be vector competent not only for specific pathogens but also for nonpathogenic bacteria carrying antibiotic resistance genes. A recent study reported that the majority of house flies collected from fast-food restaurants in the United States carried a large population of antibiotic resistant and potentially virulent Enterococci, primarily Enterococcus faecalis. The resistance genes were present on mobile genetic elements (plasmids, transposons) with a broad host range [40] that could be potentially transferred by horizontal gene transfer to more pathogenic strains. Additionally, it has been shown that ready-to-eat food in fast-food restaurants is more frequently contaminated by E. faecalis and Enterococcus faecium in summer months when house flies are more common in restaurants than in winter months [41], indirectly implicating house flies as a potential source of the contamination.

2.3 Homeland Security Aspects

It is becoming more apparent that muscoid flies, primarily house flies, and some species of fruit flies have the potential to play an important role in the dissemination of foodborne pathogens in both agricultural and urban environments. Consequently, both preharvest and postharvest food safety strategies will have to include the insect pest management approach. Unfortunately, the current mindset of many farmers and animal production managers is to tolerate insects such as house flies (and other pests that do not have direct and obvious economic impact on animal production) unless residents from surrounding urban sites complain about fly or other insect infestation problems.
House flies and fruit flies can be easily reared in large numbers in laboratory colonies and could be intentionally contaminated on the surface and in the digestive tract by various bacteria, including foodborne pathogens such as E. coli O157:H7, Salmonella spp., and Campylobacter spp. Although muscoid flies and fruit flies have been shown to carry these bacteria in nature and have potential to contaminate the surfaces and food they feed on, because of the relatively short life span of these flies (up to 2–3 weeks), they probably do not represent a viable prospect for a domestic or international bioterrorist attack that would have serious consequences on a large scale. However, the AIM = F (anticipate, inform, mitigate equals frustrate) strategy has to be ready for this scenario because the typical integrated pest management (IPM) approach would be too slow to protect the public. Immediate quarantine and insecticide measures will have to be in place and ready to be implemented for such situations.
3 COCKROACHES

3.1 Nutrition and Development

Cockroaches (Blattaria, Dictyoptera) of many species are widely distributed in the natural world, but only a relatively few species have adapted to life within manmade structures or to the habit of frequently invading such structures from the outdoors [42, 43]. Foraging for food generally occurs at night. Cockroaches typically retire to dark, sheltered niches during the hours of daylight. Gradual metamorphosis being the rule in the Blattaria, nymphs
emerging from eggs lack wings and functional reproductive organs, but otherwise they are similar to the adult stage except for being smaller in size. All postegg stages have chewing mouthparts and all utilize similar kinds of food. They are omnivores; virtually any organic material, of either plant or animal origin and either solid or liquid, can be ingested. Domestic cockroaches tend to require a daily ration of water. This may be supplied as liquid water, as in a floor drain or a puddle under leaky plumbing, or in the form of moist food (anything from food on a hospital food cart to rotting kitchen waste in a garbage can). Moisture, as well as food, may be acquired by ingesting human or animal feces, vomitus, blood, and pus on discarded wound dressings, and moist pet food, to name a few sources. When it comes to food and drink, cockroaches take whatever they can get wherever they can get it. This is where the problem arises for human and animal health: Like flies, cockroaches visit feces (and many other contaminated substrates) and food (that is, edible human or animal food) indiscriminately and their movements from one to the other may contaminate food-contact surfaces.

3.2 Dissemination of Pathogens

The cockroach gut is home to a bewildering array of naturally occurring bacteria, most of which are harmless to people and domestic animals [44–46]. But in their visits to substrates laden with pathogens, their exterior surfaces, especially the legs, become laden with pathogenic bacteria. Moreover, they can ingest pathogens, some of which may survive in the gut long enough to be egested with the fecal pellets or, occasionally, regurgitated during feeding. Thus, both clean surfaces and clean food may become contaminated.
Although some doubt about the importance of cockroaches as vectors of foodborne pathogens has been expressed [47], the larger body of published research, some of which is noted here, suggests that cockroaches should be given serious consideration by the public and by the guardians of the public’s health. Concern over the role of flies, cockroaches, and ants as potential vectors of microbes pathogenic to humans and animals dates at least from very early in the 1900s and this concern is reflected in the many dozens of scientific papers published during the past century. There is much to be learned from these older papers; many of them are cited in more recent papers and several of them are appended in “Further Reading”. For this section on cockroaches, we will bring to the reader’s attention a few investigative reports published since the turn of the present century. The essential thrust of these papers is that pathogens and cockroaches are intimately and consistently associated, a conclusion derived from multiple isolations of pathogens from cockroaches collected in places, such as hospitals and kitchens, generally perceived to be sanitary and sanitized. That cockroaches and their associated pathogens might be implicated in some way, either by direct contact with people (or domestic animals), or by contact with food or food-contact surfaces, is a premise supported by the observations that specific disease outbreaks waned when standard infection control procedures were complemented by elimination of cockroaches [48, 49]. None of these reports conclusively proves that the cockroach committed the “crime,” but the correlation of the specific strain of the pathogen taken from the cockroach with the same specific strain taken from the sick patient seems to us to be very compelling circumstantial evidence implicating the cockroach. The authors of virtually every scientific paper on this subject published since 1900 have come to this understanding.
Two other factors add weight to the premise that cockroaches and food (or food-contact surfaces) should not coincide: (i) some strains of pathogens exhibit enhanced virulence, that is, even an immunologically competent host may be susceptible to a much lower than usual infective dose; and (ii) immunocompromised hosts are, of course, susceptible to the supervirulent strains and to lower than usual infective doses of the standard pathogenic strains. All agree that the cornerstone of personal and community hygiene is hand-washing. Countless incidents of foodborne disease and nosocomial infections have been traced back to a simple behavioral flaw: hand-washing was omitted or done ineffectively. People can be trained to more consistently and effectively wash their hands. Although flies, ants and cockroaches engage in a lot of self-grooming, a behavior vaguely comparable to hand-washing, this does not render them clean in the microbiological sense, as has been graphically demonstrated in at least one instance for cockroaches [50]. We offer here a partial list of pathogens isolated from various species of common domestic cockroaches (locality information, given only after first mention of a given reference, is stated after the reference number); many other pathogen isolation reports may be found in the extensive literature on this subject [51]. Although the status of each of the several pathogens with regard to antibiotic resistance, a very common phenomenon, may be of special interest to clinicians, this information is omitted here because the matter does not seem essential to the purposes of this article.

Aeromonas [52 (Libya); 53 (Nigeria)]; Bacillus sp. [54 (Botswana)]; Citrobacter freundii [53, 55 (Thailand)]; Enterobacter aerogenes [56 (Brazil)]; Enterobacter cloacae [53, 55, 56]; Enterobacter gergoviae [56]; Enterobacter sp. [52, 54]; Erwinia sp. [54]; E. coli [53–55, 57 (Taiwan)]; Hafnia alvei [56]; Klebsiella pneumoniae [48 (South Africa); 53, 55, 56]; Klebsiella sp. [52, 54]; Mycobacteria [58 (Taiwan)]; Proteus mirabilis [53]; Proteus sp. [57]; Proteus vulgaris [53]; Pseudomonas aeruginosa [53, 57]; Pseudomonas sp. [54]; Salmonella sp. [53, 54]; Serratia marcescens [53, 56, 57]; Serratia sp. [52, 54, 56]; Shigella sp. [54]; Staphylococci (Gram neg.) [56]; Staphylococcus aureus [53, 57]; Staphylococcus epidermidis [53]; Staphylococcus sp. [54]; Streptococcus faecalis [53]; Streptococcus sp. [52]; Alternaria sp. [59 (Brazil)]; Aspergillus flavus [54]; Aspergillus fumigatus [54]; Aspergillus parasiticus [54]; Aspergillus sp. [59]; Candida sp. [53, 54, 59]; filamentous fungi [56]; Penicillium sp. [59]; yeast [56]; Balantidium coli [53]; Cryptosporidium parvum [53]; Entamoeba histolytica [60 (Taiwan)]; Ancylostoma duodenale [53]; Ascaris lumbricoides [53]; Enterobius vermicularis [53]; Strongyloides stercoralis [53]; Trichuris trichiura [53].

3.3 Homeland Security Aspects

Our primary concern here is to keep our citizens healthy and productive by ensuring that their food is safe to eat. One of the many ways to do that is to prevent the convergence of food and cockroaches, a convergence that is still much too common. Several species of domestic cockroaches, especially Blattella germanica (Blattellidae), Blatta orientalis (Blattidae), and Periplaneta americana (Blattidae), can be easily reared in huge numbers in the laboratory and are easily contaminated, either superficially or internally, with certain pathogens (such as avian influenza virus, SARS virus, foot-and-mouth disease virus, E. coli O157:H7, to name a few) that may cause disease in humans or in domestic animals (and then, in the latter case, may secondarily cause disease in humans). Cockroaches, upon their release from the rearing environment, typically
first seek shelter. As the light of day wanes, the cockroaches will venture forth in search of moisture. Some fall into and drown in the water supplies that serve the chickens, cows, or pigs, inadvertently releasing their burden of pathogens. Others are eaten by pigs or chickens or accidentally ingested by cows as they feed nose-to-nose with the cockroaches. Others seek out the darkness and moisture of the beverage and ice machines in the school, restaurant or company cafeteria. Again, pathogens are deposited on surfaces presumed to be clean. Whether this shotgun type of dissemination will result in human or animal disease, no one can predict. But the level of probability for that eventuality seems to be at least somewhat higher than what might occur during the normal course of farm and food service operations. Now is the time for the AIM = F strategy to pay off. Thanks to the “A,” our farmers, ranchers, factory managers, food service personnel, and school administrators are aware of the inventory of unfriendly interventions that might occur; they have been “I” (Informed) on how to recognize the signs of enemy interventions; they know that IPM is an effective form of “M” (Mitigation); and the combination of AIM results in the “F” (Frustration) of this assault on the public’s health. In the bioterrorism scenario, it may not be feasible to wait for the slower pest control measures that are typical of the usual IPM approach. Immediate and thorough application of insecticides and immediate quarantine measures may be essential to quell an obvious threat; protocols for these interventions should be in place, practiced and ready for implementation.
4 ANTS

4.1 Nutrition and Development

Ants (Formicidae, Hymenoptera) are social insects, that is, they live in colonies, each colony responding to the control of (usually) only one queen. The worker ants are females. They are the ones that leave the nest and venture out on food-finding expeditions. Colony size varies greatly according to species and within species. Some are enormous, with thousands of workers; others, only a few dozen. Unlike the cockroaches, ants go through a complete metamorphosis—egg, larva, pupa, adult; but like cockroaches, most kinds of ants live in the natural world; only a relatively few species either nest in manmade structures or routinely forage within such structures [61, 62]. Structure-invading ants are omnivores. The animal proteins and fats in their diet are derived mostly from insects and other arthropods that fall prey to the foraging worker ants. Sugars and starches or foods containing those carbohydrates are often very attractive to ants. Kitchens, bakeries, restaurants, and food factories are typical venues where ants collect a variety of foods that are then held in their chewing mouthparts and transported to the home nest to become essential nutrients for the queen and her brood of larvae. Hospitals, too, are often visited. Besides the usual floor feasts of bread crumbs, sugar granules, and fat droplets, ants, especially the pharaoh ant, Monomorium pharaonis, may annoy patients by nibbling on food around a patient’s mouth; they also feed on exposed pus and dried blood, or they may be found on patient food trays. These ants (M. pharaonis) have been found in IV drips and inside packages of sterile dressings [63, 64]. Water is essential and this may be obtained from any exposed source such as floor drains, urinals, patient water flasks, unemptied bedpans, wound dressings, ice machines, plumbing drips, and so forth.
4.2 Dissemination of Pathogens

Like cockroaches, ants harbor many kinds of internal bacteria [65, 66], but, with a few exceptions, only the external surfaces, mainly the legs and mandibles, are of concern here [1, 67–69]. These appendages come into contact with substrates, such as the soil and pit latrines outdoors and, most commonly, floors indoors, from which the ants may pick up pathogens. As the ants forage over clean surfaces, such as dishes or cutting boards, or food conveyors in a factory, pathogens may be deposited and eventually become mixed in with a food destined, without a subsequent heat treatment, for human or animal consumption. Ants as pests in hospitals have been reported many times [70–74]. We offer here a partial list of pathogens isolated from various species of common pest ants (locality information, given only after first mention of a given reference, is stated after the reference number); other pathogen isolation reports may be found in the literature on this subject.

Bacillus cereus [70 (England)]; bacteria (Gram +) [72 (Brazil)]; Clostridium perfringens [70]; E. coli [70]; filamentous fungi [72]; K. pneumoniae [71 (Trinidad)]; Micrococcus sp. [72]; P. mirabilis [71]; Pseudomonas sp. [71]; Salmonella sp. [70]; S. aureus [70]; Staphylococcus sp. [72]; Streptococcus pyogenes [70].

4.3 Homeland Security Aspects

Although ants are good candidates for the role of accidental mechanical vectors of pathogens, they are poor candidates as pawns in an act of intentional food contamination. The principal homeland security concern here coincides with the universal objective of operating hospitals and food service facilities, including the home kitchen, in such a sanitized manner that food offered for human consumption is safe to eat, that is, at least it and the surfaces it has touched have been protected from exposure to the pathogens that ants and cockroaches are known to carry.
5 PANTRY PESTS

5.1 Nutrition and Development

The moths (Lepidoptera) and beetles (Coleoptera) that infest grains, flour, nuts, chocolate, dry dog food, and cereals in the kitchen storage cabinet are referred to as pantry pests. They are found in home kitchens, of course, but also in grain storage elevators, huge ships that transport grains, bakeries, restaurants, chicken ranches, dairy barns, food factories, food warehouses, transport trucks, and many other venues both large and small. The pantry pests noted here are holometabolous, that is, their life stages are egg, larva, pupa, and adult. The larva has chewing mouthparts; it is the stage that does the bulk of the feeding and the bulk of the damage to commodities.

5.2 Dissemination of Pathogens

Compared to ants and cockroaches, pantry pests are relatively free of pathogens that cause human or animal diseases. They do not usually get out into those venues where bacterial pathogens are common. Unfortunately, they often do not long remain free of pathogens [75] or spoilage organisms [76]. This is because their food sources, in which they live throughout their entire lives, are visited by those pests that commonly visit
pathogen-laden substrates. Cockroaches, ants, flies, rats, and mice bring pathogens to the home territory of the pantry pests. The latter, then, quite inadvertently spread these pathogens here and there as they move about within their food material [77]. The situation is quite different with regard to spoilage molds. The spores of these fungi are ubiquitous; they are produced most abundantly from grain substrates that are damp and deteriorating, that is, “out of condition.” Grain spoilage represents economic loss; that explains why managers of grain storages, whether for bulk commodities or retail packages, go to great lengths to maintain a dry environment for these products. But beyond the economic consideration, moldy grain can become a health hazard for both people and domestic animals when certain fungi of deterioration produce aflatoxins.

5.3 Homeland Security Aspects

Our concerns here are similar to those faced with ants. The primary goal is to keep susceptible products—nuts, grains, beans, coffee beans, peanuts, and so forth—free of pantry pests, the objective being to produce end-product foods that are safe for human and animal consumption. Generally speaking, the better the storage conditions, the less likely that pantry pests will become established and the less likely that spoilage molds and aflatoxin-producing fungi will proliferate in the commodity. Pantry pests spread the spores of the aflatoxin-producing fungi [78, 79] through the commodity just as they do the spores of common spoilage molds. Several kinds of pest beetles are easy to cultivate in very large numbers. It would be a simple matter to superficially contaminate adult beetles with some pathogen and release them at a vulnerable location. The sudden increase in the population of a pest around or within a food facility would be the signal to implement AIM = F, with emphasis on immediate, focused insecticidal treatment of the affected facility.
REFERENCES

1. Gorham, J. R. (1991). Food pests as disease vectors. In Ecology and Management of Food-industry Pests, FDA Tech Bull 4, J. R. Gorham, Ed. AOAC International, Arlington, VA, pp. 477–482.
2. Hui, Y. H., Nip, W.-K., and Gorham, J. R. (2003). Sanitation and warehousing. In Food Plant Sanitation, Y. H. Hui, B. L. Bruinsma, J. R. Gorham, W.-K. Nip, P. S. Tong, and P. Ventresca, Eds. Marcel Dekker, New York, pp. 373–389.
3. Stanfield, P. (2006). FDA’s GMPs, HACCP, and the food code. In Handbook of Food Science, Technology, and Engineering, Y. H. Hui, Ed. Vol. 2, CRC Taylor & Francis, Boca Raton, FL, pp. 73.1–73.14.
4. Spiller, D. (1964). Nutrition and diet of muscoid flies. Bull. World Health Organ. 341, 551–554.
5. Schmidtmann, E. T., and Martin, P. A. W. (1992). Relationship between selected bacteria and the growth of immature house flies, Musca domestica, in an axenic test system. J. Med. Entomol. 29, 232–235.
6. Watson, D. W., Martin, P. A. W., and Schmidtmann, E. T. (1993). Egg yolk and bacteria growth medium for Musca domestica (Diptera: Muscidae). J. Med. Entomol. 30, 820–823.
7. Zurek, L., Schal, C., and Watson, D. W. (2000). Diversity and contribution of the intestinal bacterial community to the development of Musca domestica (Diptera: Muscidae) larvae. J. Med. Entomol. 37(6), 924–928.
8. Lysyk, T. J., Kalischuk-Tymensen, L., Selinger, L. B., Lancaster, R. C., Wever, L., and Cheng, K.-J. (1999). Rearing stable flies larvae (Diptera: Muscidae) on an egg yolk medium. J. Med. Entomol. 36, 382–388.
9. Romero, A., Broce, A., and Zurek, L. (2006). Role of bacteria in the oviposition behavior and larval development of stable flies. Med. Vet. Entomol. 20(1), 115–121.
10. Perotti, M. A., Lysyk, T. J., Kalischuk-Tymensen, L. D., Yanke, L. J., and Selinger, L. B. (2001). Growth and survival of immature Haematobia irritans (Diptera: Muscidae) is influenced by bacteria isolated from cattle manure and conspecific larvae. J. Med. Entomol. 38(2), 180–187.
11. Hollis, J. H., Knapp, F. W., and Dawson, K. A. (1985). Influence of bacteria within bovine feces on the development of the face fly (Diptera: Muscidae). Environ. Entomol. 14, 568–571.
12. Espinosa-Fuentes, F. P., and Terra, W. R. (1987). Physiological adaptations for digestion bacteria. Water fluxes and distribution of digestive enzymes in Musca domestica larval midgut. Insect. Biochem. 17, 809–817.
13. Rochon, K., Lysyk, T. J., and Selinger, L. B. (2004). Persistence of Escherichia coli in immature house fly and stable fly (Diptera: Muscidae) in relation to larval growth and survival. J. Med. Entomol. 41(6), 1082–1089.
14. Greenberg, B. (1968). Model for destruction of bacteria in the midgut of blow fly maggots. J. Med. Entomol. 5, 31–38.
15. Mumcuoglu, K. Y., Miller, J., Mumcuoglu, M., Friger, M., and Tarshis, M. (2001). Destruction of bacteria in the digestive tract of the maggot of Lucilia sericata (Diptera: Calliphoridae). J. Med. Entomol. 38(2), 161–166.
16. Dowding, V. M. (1967). The function and ecological significance of the pharyngeal ridges occurring in the larvae of some cyclorrhaphous Diptera. Parasitology 57, 371–388.
17. Greenberg, B. (1959). Persistence of bacteria in the developmental stages of the housefly. 4. Infectivity of the newly emerged adult. Am. J. Trop. Med. Hyg. 8(6), 618–622.
18.
Rochon, K., Lysyk, T. J., and Selinger, L. B. (2005). Retention of Escherichia coli by house fly and stable fly (Diptera: Muscidae) during pupal metamorphosis and eclosion. J. Med. Entomol. 42(3), 397–403.
19. Brummel, T., Ching, A., Seroude, L., Simon, A. F., and Benzer, S. (2004). Drosophila lifespan enhancement by exogenous bacteria. Proc. Natl. Acad. Sci. U.S.A. 101(35), 12974–12979.
20. Ren, C., Webster, P., Finkel, S. E., and Tower, J. (2007). Increased internal and external bacterial load during Drosophila aging without life-span trade-off. Cell Metab. 6(2), 144–152.
21. Olsen, A. R. (1998). Regulatory action criteria for filth and other extraneous materials III. Review of flies and foodborne enteric disease. Regul. Toxicol. Pharm. 28(3), 199–211.
22. Greenberg, B. (1971). Flies and Diseases, Princeton University Press, Princeton, NJ.
23. Graczyk, T. K., Knight, R., Gilman, R. H., and Cranfield, M. R. (2001). The role of non-biting flies in the epidemiology of human infectious diseases. Microbes Infect. 3(3), 231–235.
24. Campbell, J. B., Berry, I. L., Boxler, D. J., Davis, R. L., Clanton, D. C., and Deutscher, G. H. (1987). Effects of stable flies (Diptera: Muscidae) on weight gain and feed efficiency of feedlot cattle. J. Econ. Entomol. 80, 117–119.
25. Campbell, J. B., Skoda, S. R., Berkebile, D. R., Boxler, D. J., Thomas, G. D., Adams, D. C., and Davis, R. (2001). Effects of stable flies (Diptera: Muscidae) on weight gains of grazing yearling cattle. J. Econ. Entomol. 94(3), 780–783.
26. Fukushima, H., Tsubokura, M., Otsuki, K., and Kawaoka, Y. (1984). Biochemical heterogeneity of serotype 03 strains of 700 Yersinia strains isolated from humans, other mammals, flies, animal feed, and river water. Curr. Microbiol. 11, 149–154.
27. Zurek, L., Denning, S. S., Schal, C., and Watson, D. W. (2001). Vector competence of Musca domestica (Diptera: Muscidae) for Yersinia pseudotuberculosis. J. Med. Entomol. 38(2), 333–335.
28. Grubel, P., Hoffman, J. S., Chong, F. K., Burstein, N. E., Mepani, C., and Cave, D. R. (1997). Vector potential of houseflies (Musca domestica) for Helicobacter pylori. J. Clin. Microbiol. 35, 1300–1303.
29. Shane, S. M., Montrose, M. S., and Harrington, K. S. (1985). Transmission of Campylobacter jejuni by the housefly (Musca domestica). Avian Dis. 29(2), 384–391.
30. Kobayashi, M., Sasaki, T., Saito, N., Tamura, K., Suzuki, K., Watanabe, H., and Agui, N. (1999). Houseflies: not simple mechanical vectors of enterohemorrhagic Escherichia coli O157:H7. Am. J. Trop. Med. Hyg. 61(4), 625–629.
31. Moriya, K., Fujibayashi, T., Yoshihara, T., Matsuda, A., Sumi, N., Umezaki, N., Kurahashi, H., Agui, N., Wada, A., and Watanabe, H. (1999). Verotoxin-producing Escherichia coli O157:H7 carried by the housefly in Japan. Med. Vet. Entomol. 13(2), 214–216.
32. Sasaki, T., Kobayashi, M., and Agui, N. (2000). Epidemiological potential of excretion and regurgitation by Musca domestica (Diptera: Muscidae) in the dissemination of Escherichia coli O157:H7 to food. J. Med. Entomol. 37(6), 945–949.
33. Mian, L. S., Maag, H., and Tacal, J. V. (2002). Isolation of Salmonella from muscoid flies at commercial animal establishments in San Bernardino County, California. J. Vector Ecol. 27(1), 82–85.
34. Nayduch, D., Noblet, G. P., and Stutzenberger, F. J. (2002). Vector potential of houseflies for the bacterium Aeromonas caviae. Med. Vet. Entomol. 16(2), 193–198.
35. Ahmad, A., Nagaraja, T. G., and Zurek, L. (2007). Transmission of Escherichia coli O157:H7 to cattle by house flies. Prev. Vet. Med. 80(1), 74–81.
36. Janisiewicz, W. J., Conway, W. S., Brown, M. W., Sapers, G. M., Fratamico, P., and Buchanan, R. L. (1999). Fate of Escherichia coli O157:H7 on fresh-cut apple tissue and its potential for transmission by fruit flies. Appl. Environ. Microbiol. 65(1), 1–5.
37. Sela, S., Nestel, D., Pinto, R., Nemny-Lavy, E., and Bar-Joseph, M. (2005).
Mediterranean fruit fly as a potential vector of bacterial pathogens. Appl. Environ. Microbiol. 71(7), 4052–4056.
38. Cohen, D., Green, M., Block, C., Slepon, R., Ambar, R., Wasserman, S. S., and Levine, M. M. (1991). Reduction of transmission of shigellosis by control of houseflies (Musca domestica). Lancet 337(8748), 993–997.
39. Esrey, S. A. (1991). Interventions for the Control of Diarrhoeal Diseases Among Young Children: Fly Control, World Health Organization, Geneva, Published document WHO/CDD/91.37.
40. Macovei, L., and Zurek, L. (2006). Ecology of antibiotic resistance genes: characterization of enterococci from houseflies collected in food settings. Appl. Environ. Microbiol. 72(6), 4028–4035.
41. Macovei, L., and Zurek, L. (2007). Influx of enterococci and associated antibiotic resistance and virulence genes from ready-to-eat food to the human digestive tract. Appl. Environ. Microbiol. 73(21), 6740–6747.
42. Gurney, A. B., and Fisk, F. W. (1991). Cockroaches. In Agriculture Handbook 655, Insect and Mite Pests in Food: An Illustrated Key, J. R. Gorham, Ed. Superintendent of Documents, U. S. Government Printing Office, Washington, DC, pp. 45–74, 527–544.
43. Robinson, W. H. (2005). Urban Insects and Arachnids, Cambridge University Press, Cambridge.
44. Bracke, J. W., Cruden, D. L., and Markovetz, A. J. (1979). Intestinal microbial flora of the American cockroach, Periplaneta americana L. Appl. Environ. Microbiol. 38(5), 945–955.
45. Cruden, D. L., and Markovetz, A. J. (1987). Microbial ecology of the cockroach gut. Annu. Rev. Microbiol. 41, 617–643.
46. Roth, L. M., and Willis, E. R. (1960). The biotic associations of cockroaches. Smithson Misc. Coll. 141, 1–470.
47. Bennett, G. (1993). Cockroaches as carriers of bacteria. Lancet 341(8847), 732.
48. Cotton, M. F., Wasserman, E., Pieper, C. H., Theron, D. C., van Tubbergh, D., Campbell, G., Fang, F. C., and Barnes, J. (2000). Invasive disease due to extended spectrum beta-lactamase-producing Klebsiella pneumoniae in a neonatal unit: the possible role of cockroaches. J. Hosp. Infect. 44(1), 13–17.
49. Graffar, M., and Mertens, S. (1950). Le rôle des blattes dans la transmission des salmonelloses. Ann. Inst. Pasteur 79, 654–660.
50. Gazivoda, P., and Fish, D. (1985). Scanning electron microscope demonstration of bacteria on the tarsi of Blattella germanica. J. N. Y. Entomol. Soc. 93, 1064–1067.
51. Roth, L. M., and Willis, E. R. (1957). The medical importance of cockroaches. Smithson Misc. Coll. 134(10), 1–147.
52. Elgderi, R. M., Ghenghesh, K. S., and Berbash, N. (2006). Carriage by the German cockroach (Blattella germanica) of multiple-antibiotic-resistant bacteria that are potentially pathogenic to humans, in hospitals and households in Tripoli, Libya. Ann. Trop. Med. Parasitol. 100(1), 55–62.
53. Tatfeng, Y. M., Usuanlele, M. U., Orukpe, A., Digban, A. K., Okodua, M., Oviasogie, F., and Turay, A. A. (2005). Mechanical transmission of pathogenic organisms: the role of cockroaches. J. Vector Borne Dis. 42(4), 129–134.
54. Mpuchane, S., Allotey, J., Matsheka, I., Simpanya, M., Coetzee, S., Jordaan, A., Mrema, N., and Gashe, B. A. (2006). Carriage of micro-organisms by domestic cockroaches and implications for food safety. Int. J. Trop. Insect. Sci. 26, 166–175.
55. Chaichanawongsaroj, N., Vanichayatanarak, K., Pipatkullachat, T., Poirojpanya, M., and Somkiatcharoen, S. (2004). Isolation of gram-negative bacteria from cockroaches trapped from urban environment. Southeast Asian J. Trop. Med. Public Health 35(3), 681–684.
56. Prado, M. A., Gir, E., Pereira, M.
S., Reis, C., and Pimenta, F. C. (2006). Profile of antimicrobial resistance of bacteria isolated from cockroaches (Periplaneta Americana) in a Brazilian health care institution. Braz. J. Infect. Dis. 10(1), 26–32. 57. Pai, H.-H., Chen, W. C., and Peng, C. F. (2004). Cockroaches as potential vectors of nosocomial infections. Infect. Control Hosp. Epidemiol. 25(11), 979–984. 58. Pai, H.-H., Chen, W. C., and Peng, C. F. (2003). Isolation of non-tuberculous mycobacteria from hospital cockroaches (Periplaneta Americana). J. Hosp. Infect. 53, 224–228. 59. Lemos, A. A., Lemos, M. A., Prado, M. A., Pimenta, F. C., Gir, E., Silva, H. M., and Silva, M. R. R. (2006). Cockroaches as carriers of fungi of medical importance. Mycoses 49(1), 23–25. 60. Pai, H.-H., Ko, Y. C., and Chen, E. R. (2003). Cockroaches (Periplaneta Americana and Blattella germanica) as potential mechanical disseminators of Entamoeba histolytica. Acta Trop. 87(3), 355–359. 61. Smith, D. R. (1991). Ants (Formicidae, Hymenoptera). In Agriculture Handbook 655 , Insect and Mite Pests in Food: An Illustrated Key, J. R. Gorham, Ed. Superintendent of Documents, U. S. Government Printing Office, Washington, DC, pp. 297–309, 633–649. 62. Smith, M. R. (1965). House-infesting Ants of Eastern United States, Technical Bulletin 1326, U. S. Department of Agriculture, Washington, DC. 63. Beatson, S. (1973). Pharaoh’s ants enter giving sets. Lancet 1(7803), 606. 64. Cartwright, R. Y., and Clifford, C. M. (1973). Pharaoh’s ants. Lancet 2(7843), 1455–1456. 65. Boursaux-Eude, C., and Gross, R. (2000). New insights into symbiotic associations between ants and bacteria. Res. Microbiol. 151(7), 513–519.
1694
KEY APPLICATION AREAS
66. Zientz, E., Feldhaar, H., Stoll, S., and Gross, R. (2005). Insights into the microbial world associated with ants. Arch. Microbiol. 184, 199–206. 67. Hughes, D. E., Kassim, O. O., Gregory, J., Stupart, M., Austin, I., and Duffield, R. (1989). Spectrum of bacterial pathogens transmitted by Pharaoh’s ants. Lab. Anim. Sci. 39(2), 167–168. 68. Ipinza-Regla, J., Figueroa, G., and Moreno, I. (1984). Iridomyrmex humilis (Formicidae) y su papel como possible vector de contaminaci´on microbiana en industrias de alimentos. Folia Entomol. Mex. 62, 111–124. 69. de Zarzuela, M. F. M., Campos-Farinha, A. E. C., and Pec¸anha, M. P. (2005). Evaluation of urban ants (Hymenoptera: Formicidae) as carriers of pathogens in residential and industrial environments. Sociobiology 45(1), 9–14. 70. Beatson, S. H. (1972). Pharaoh’s ants as pathogen vectors in hospitals. Lancet 1(7747), 425–427. 71. Chadee, D. D., and Le Maitre, A. (1990). Ants: potential mechanical vectors of hospital infections in Trinidad. Trans. R. Soc. Trop. Med. Hyg. 84, 297. 72. da Costa, S. B., Pelli, A., de Carvalho, G. P., Oliveira, A. G., da Silva, P. R., Teixeira, M. M., Martins, E., Terra, A. P. S., Resende, E. M., Hueb, C. C., de Oliveira, B., and de Morais, C. A. (2006). Ants as mechanical vectors of microorganisms in the school hospital of the universidade federal do Triˆangulo Mineiro. Rev. Soc. Bras. Med. Trop. 39(6), 527–529. 73. Edwards, J. P., and Baker, L. F. (1981). Distribution and importance of the Pharaoh’s ant Monomorium pharaonis (L.) in National Health Service Hospitals in England. J. Hosp. Infect. 2(3), 249–254. 74. Fowler, H. G., Bueno, O. C., Sadatsune, T., and Montelli, A. C. (1993). Ants as potential vectors of pathogens in hospitals in the State of S˜ao Paulo, Brazil. Insect Sci. Appl. 14, 367–370. 75. Harein, P. K., and De Las Casas, E. (1968). Bacteria from granary weevils collected from laboratory colonies and field infestations. J. Econ. Entomol. 61(6), 1719–1720. 76. Dunkel, F. V. 
(1988). The relationship of insects to the deterioration of stored grain by fungi. Int. J. Food Microbiol. 7, 227–244. 77. Husted, S. R., Mills, R. B., Foltz, V. D., and Crumrine, M. H. (1969). Transmission of Salmonella montevideo from contaminated to clean wheat by the rice weevil. J. Econ. Entomol. 62(6), 1489–1491. 78. Eugenio, C., De Las Casas, E., Harein, P. K., and Mirocha, C. J. (1970). Detection of the mycotoxin F-2 in the confused flour beetle and the lesser mealworm. J. Econ. Entomol. 63(2), 412–415. 79. Pande, N., and Mehrotra, B. S. (1988). Rice weevil (Sitophilus oryzae Linn.): vector of toxigenic fungi. Nat. Acad. Sci. Lett. (India) 11, 3–4.
FURTHER READING Agbodaze, D., and Owusu, S. B. (1989). Cockroaches (Periplaneta Americana) as carriers of agents of bacterial diarrhoea in Accra, Ghana. Cent. Afr. J. Med. 35(9), 484–486. Devi, S. J., and Murray, C. J. (1991). Cockroaches (Blatta and Periplaneta species) as reservoirs of drug-resistant salmonellas. Epidemiol. Infect. 107(2), 357–361. Foil, L. D., and Gorham, J. R. (2000). Mechanical transmission of disease agents by arthropods. In Medical Entomology: A Textbook on Public Health and Veterinary Problems Caused by Arthropods, B. F. Eldridge, and J. D. Edman, Eds. Kluwer Academic Publishers, Dordrecht, pp. 461–514.
INSECTS AS VECTORS OF FOODBORNE PATHOGENS
1695
Fotedar, R., and Banerjee, U. (1992). Nosocomial fungal infections—study of the possible role of cockroaches (Blattella germanica) as vectors. Acta Trop. 50(4), 339–343. Fotedar, R., Banerjee, U., Samantray, J. C., and Shriniwas, K. (1992). Vector potential of hospital houseflies with special reference to Klebsiella species. Epidemiol. Infect. 109(1), 143–147. Fotedar, R., Nayar, E., Samantray, J. C., Shriniwas, K., Banerjee, U., Dogra, V., and Kumar, A. (1989). Cockroaches as vectors of pathogenic bacteria. J. Commun. Dis. 21, 318–322. Fotedar, R., Shriniwas, K., Banerjee, U., Sumantray, J. C., Nayar, E., and Verma, A. (1991). Nosocomial infections: cockroaches as possible vectors of drug-resistant Klebsiella. J. Infect. 18, 155–159. Fotedar, R., Shriniwas, K., Banerjee, U., and Verma, A. (1991). Cockroaches (Blattella germanica) as carriers of microorganisms of medical importance in hospitals. Epidemiol. Infect. 107, 181–187. Gorham, J. R. (1981). Filth in foods: implications for health. In Principles of Food Analysis for Filth, Decomposition and Foreign Matter, J. R. Gorham, Ed. FDA Technical Bulletin 1, Food and Drug Administration, Washington, DC, pp. 27–32. Gorham, J. R. (1991). Filth and extraneous matter in food. In Encyclopedia of Food Science and Technology, Y. H. Hui, Ed. Wiley-Interscience, New York, pp. 847–868. Gorham, J. R. (1994). Food, filth, and disease: a review. In Food-borne Disease Handbook , Y. H. Hui, J. R. Gorham, K. D. Murrell, and D. O. Cliver, Eds. Marcel Dekker, New York, pp. 627–638. Gorham, J. R. (1995). Reflections on food-borne filth in relation to human disease. In Fundamentals of Microanalytical Entomology: A Practical Guide to Detecting and Identifying Filth in Foods, A. R. Olsen, T. H. Sidebottom, and S. A. Knight, Eds. CRC Press, Boca Raton, FL, pp. 269–275. Gorham, J. R. (2001). Food, filth, and disease: a review. In Food-borne Disease Handbook , Seafood and Environmental Toxins, Vol. 4, Y. H. Hui, D. Kitts, and P. S. 
Stanfield, Eds. 2nd ed, Marcel Dekker, New York, pp. 627–637. Gorham, J. R., Zurek, L. (2006). Filth and other foreign objects in food. In Handbook of Food Science, Technology, and Engineering, Y. H. Hui, Ed. Vol. 2, CRC Press, Boca Raton, FL, pp. 74.1–74.28. Gratz, N. (2006). Vector- and Rodent-borne Diseases in Europe and North America, Cambridge University Press, Cambridge. Hui, Y. H., Gorham, J. R., Murrell, K. D., and Cliver, D. O., Eds. (1994). Food-borne Disease Handbook , Volume 1, Diseases Caused by Bacteria; Volume 2, Diseases Caused by Viruses, Parasites, and Fungi; Volume 3, Diseases Causes by Hazardous Substances, Marcel Dekker, New York. Hui, Y. H., Pierson, M. D., Gorham, J. R., Eds. (2001). Food-borne Disease Handbook , Bacterial Pathogens, Vol. 1, 2nd ed. Marcel Dekker, New York. Klowden, M. J., and Greenberg, B. (1976). Salmonella in the American cockroach: evaluation of vector potential through dosed feeding experiments. J. Hyg. (Lond) 77(1), 105–111. Klowden, M. J., Greenberg, B. (1977). Effects of antibiotics on the survival of Salmonella in the American cockroach. J. Hyg. (Lond) 79, 339–345. Kopanic, R. J., Sheldon, B. W., and Wright, C. G. (1994). Cockroaches as vectors of Salmonella: laboratory and field trials. J. Food Prot. 57(2), 125–132. Olsen, A. R., Gecan, J. S., Ziobro, G. C., and Bryce, J. R. (2001). Regulatory action criteria for filth and other extraneous materials. V. Strategy for evaluating hazardous and nonhazardous filth. Regul. Toxicol. Pharm. 33, 363–392. Oothumen, P., Jeffery, J., Aziz, A. H. A., Bakar, E. A., and Jegathesan, M. (1989). Bacterial pathogens isolated from cockroaches trapped from paedriatric ward in peninsular Malaysia. Trans. R. Soc. Trop. Med. Hyg. 83(1), 133–135.
1696
KEY APPLICATION AREAS
Panhotra, B. R., Agnihortri, V., Agarwal, K. C., and Batta, R. P. (1981). Isolation of salmonellae from hospital food and vermin. Indian J. Med. Res. 74, 648–651. Rahuma, N., Ghenghesh, K. S., Ben Aissa, R., and Elamaari, A. (2005). Carriage by the housefly (Musca domestica) of multiple-antibiotic-resistant bacteria that are potentially pathogenic to humans, in hospital and other urban environments in Misurata, Libya. Ann. Trop. Med. Parasitol. 99(8), 795–802. Sulaiman, S., Cheon, Y. K., Aziz, A. H., and Jeffery, J. (2003). Isolations of bacteria pathogens from cockroaches trapped in downtown Kuala Lumpur. Trop. Biomed. 20(1), 53–57. Umunnabuike, A. C., and Irokanulo, E. A. (1986). Isolation of Campylobacter subsp. Jejuni from Oriental and American cockroaches caught in kitchens and poultry houses in Vom, Nigeria. Int. J. Zoonoses 13(3), 180–186. Vythilingam, I., Jeffery, J., Oothuman, P., Abdul Razak, A. R., and Sulaiman, A. (1997). Cockroaches from urban human dwellings: isolation of bacterial pathogens and control. Southeast Asian J. Trop. Med. Public Health 28(1), 218–222. Zerpa, R., and Huicho, L. (1994). Childhood cryptosporidial diarrhea associated with identification of Cryptosporidium sp. in the cockroach Periplaneta Americana. Pediatr. Infect. Dis. J. 13(6), 546–548.
FARM LEVEL CONTROL OF FOREIGN ANIMAL DISEASE AND FOOD-BORNE PATHOGENS
Gay Y. Miller University of Illinois, Urbana-Champaign, Illinois
Charles Hofacre University of Georgia, Athens, Georgia
Lindsey Holmstrom Texas A&M University, College Station, Texas
1 INTRODUCTION
Preventing the introduction of diseases, especially foreign animal diseases (FADs) and diseases that could cause food-borne illness, is critically important. Diseases of this type can be devastating to the individual farm, to the industries affected, and also to the overall economy. The value of US animal production is substantial (Table 1) [1]. In the 2002 census of agriculture, the United States had approximately 1.1 million animal-producing farms with average assets (land, buildings, and equipment) exceeding $500,000 [2]. The market value of agricultural production sold from animal production farms in 2002 was approximately $107 billion, and including crops sold from these farms, the total sales was $109 billion. The animal-producing sector exceeds the crop sector in agricultural value of products sold by several billion dollars.
TABLE 1 2002 Census of Agriculture Market Value of Agricultural Products Sold
| Item | Number of Farms^a | Sales ($000)^a | Rank by Sales | Percent of Total |
|---|---|---|---|---|
| Cattle and calves | 851,971 | 45,115,184 | 1 | 22.5 |
| Poultry and eggs | 83,381 | 23,972,333 | 3 | 11.9 |
| Milk and other dairy products from cows | 78,963 | 20,281,166 | 4 | 10.1 |
| Hogs and pigs | 82,028 | 12,400,977 | 8 | 6.2 |
| Horses, ponies, mules, burros, and donkeys | 128,045 | 1,328,733 | 12 | 0.7 |
| Total animal and animal product sales | 1,142,357 | 109,494,401 | — | — |
| Total grain and crop production | 986,625 | 93,789,281 | | |
| Total agriculture sales | 2,128,982 | 200,646,355 | — | 100.0 |
^a Numbers may not add due to overlap of some categories.
Source: USDA (200). National Agricultural Statistics Service, 2002 Census of Agriculture, Ranking of 2002 Market Value of Agricultural Products Sold, http://www.nass.usda.gov/census/census02/topcommodities/topcom_US.htm, and USDA 2002. National Agricultural Statistics Service, 2002 Census of Agriculture, Table 50, http://www.nass.usda.gov/census/census02/volume1/us/st99_1_050_050.pdf.
Current US policy is to have a variety of programs and methods to control the introduction of FADs to the United States by controlling importation of live animals and animal products that can present a risk of introduction of FAD. Science-based rules and regulations established by the United States Department of Agriculture (USDA) govern activities that could present homeland security risks. There are outbreaks of FADs around the world, and in many countries diseases foreign to the United States are endemic and present a constant risk of introduction. Trade, movement of people, mechanical means of transmission, and biological vectors between the countries need to be monitored and controlled to decrease transmission risks.
This article presents an overview of animal agriculture production in the United States, how animal production practices influence farm-level control of pathogens, how the structure of food animal-producing industries affects prevention and control of the introduction and farm-level vulnerabilities of FADs, and finally, farm-level control of contemporary critical FAD pathogens.
2 OVERVIEW OF ANIMAL AGRICULTURE PRODUCTION IN THE UNITED STATES
Agricultural production has increased in efficiency over the last several decades in the United States. Increased efficiency of production has been realized by use of inputs such as growth promotants and growth promoting antibiotics, as well as changes in the organizational structure of the industries and ongoing improvements in animal genetics and animal husbandry. Many of these changes in animal husbandry practices and organizational structure have grown out of a desire to enhance productivity by limiting the amount of disease and the potential for disease transmission. Additionally, as the profitability per animal declines over time, it becomes uneconomical for smaller producers to be involved in production; hence, through time, the scale of production in the United States has become larger. Simultaneously, we have seen an increasing movement toward so-called intensive agricultural production, where large numbers of animals are located at one geographic site in environmentally controlled and confined housing where capital investment in facilities has replaced labor to the extent economical and possible. These large-scale production systems have been made possible because of improvements in disease control, improved water and feed quality, enhanced labor efficiency, and improved technology in housing structures and equipment.
2.1 US Beef Industry
Beef production has the highest monetary value and is the most vulnerable of the US animal production sectors. It is also one segment of animal production where a major portion of the industry remains extensive in nature. Cow–calf operations, which are responsible for the breeding and early growing segment of beef cattle, typically occur on small farms on land that is marginal for crop production but which provides good grazing land with associated shelter due to the topography and trees on these premises. In 2002, there were 796,436 beef cow farms with an inventory of 61,413,259 beef cattle and calves [3].
The two herd size categories with the largest number of beef cattle and calves were the 215,320 farms having 20–49 head each and a total of 11,496,796 cattle and calves; and the 23,126 farms having 200–499 head each and a total of 11,852,703 cattle and calves. The largest size category (over 2500 head) had fewer animals in total than the smallest herd size category of 1–9 head. With such a large number of cow–calf premises, they are more widely geographically dispersed than other less extensive production systems. Annual US beef production is estimated at about 26 billion lb (2006), with an increase of about 2 billion lb from 2005 to 2007 projections [4]. Current projections of production are expected to be stable over the period from 2006 to 2008 [4].
Animals sold from cow–calf premises are typically sold through auction markets, with the larger-scale farms being less likely than smaller-scale farms to sell through auctions [5]. Congregation of animals from previously dispersed geographic areas, as happens at auction markets, increases disease transmission and disease dispersion risks. Beef calves weaned from cows are typically placed in a stocker or backgrounding operation, which uses production practices and resources to grow calves slowly and inexpensively; or calves may be placed directly into a feedlot. For example, a stocker operation might turn calves onto corn stubble for the winter, or into other grazing environments, which will typically cause slower, less expensive growth than in the feedlot. Most (over 80% of inventory) beef calves eventually are placed into large-scale (1000+ head) beef feedlots for finishing [5]. The feedlot diet consists of a higher grain content than the previous diets, and animals are usually confined to pens with a high density of cattle.
Veterinary services and biosecurity practices vary considerably from premises to premises in beef cow–calf production. Most beef cow–calf operations do not have individual animal identification [6]. Most beef cow–calf operations have limited or no biosecurity practices or regular disease prevention programs, have potentially regular contact with wildlife in the area (70% of producers report sightings of wild deer four or more times per month [7]), and have uncontrolled human access to the animals. Additionally, most (85%) cow–calf operations have animals other than beef cattle present [8], and there is regular contact between these different animals/species; a not insignificant percentage (30% in 1997) of cow–calf operations purchase cattle to add to the existing herd [8]. Replacement heifers and cows that calve most typically are raised on the premises where they calve [6]. Since introducing new stock is an important way that new diseases could enter a herd, separating newly purchased stock (quarantine) is important for disease control; within-herd quarantines for any newly purchased cattle and calves are provided by less than 40% of operations [8]. Most cow–calf operators are unaware of the distance to other premises that contain species such as captive cervidae, bison, or Mexican-origin cattle [7]. It is not uncommon for cow–calf herds to graze on public or privately leased ground, and to be commingled with herds owned by other individuals [7]. Some vector control is commonly practiced, with over 80% of cow–calf premises reporting fly control and 75% reporting rodent control. Carcass disposal is important for disease agent containment; the most common methods used are burial, rendering, and incineration [7].
In beef feedlots, most operations use veterinary services [5]. The majority of larger feedlots (8000+ head) have formal quality assurance programs, collect and test a variety of environmental samples, and have at least some dust control practices in place. Such practices can decrease the transmission of diseases that can be spread by virus or bacterial particles (which can ride on dust plumes carried from a premises).
Almost all cattle entering a feedlot are “processed” at or near arrival to the feedlot, using a variety of procedures which can include injections, topical or oral treatments, and implants of various kinds unless they receive such processing (or preconditioning) prior to arrival at the feedlot. The average distance cattle are shipped from the feedlot to a packing plant is shorter (100 miles) for larger feedlots, compared with smaller (144 miles) feedlots, and closer (110 miles) for the central region of the United States versus other regions (179 miles) [9]. The distance that animals travel to packing plants can influence disease transmission, especially in the early stages (prior to diagnosis) of an FAD event. Biosecurity in beef feedlots is commonly practiced, with some farms restricting the movement of people, and most farms making some effort to control entry of other animals (including horses, dogs, cats, foxes, squirrels, coyotes, raccoons, skunks, rabbits, and birds) to varying degrees [10]. Nearly all (over 95%) feedlots have fly control measures, with most implementing more than one control measure. In terms of general security, large-scale production systems are more likely to have enhanced security with limited (e.g. gated) access to the premises, security cameras, night lights, etc.
2.2 US Poultry Industry
The commercial poultry industry in the United States is a fully integrated system of animal agriculture. Each poultry company has control over all fiscal and bird husbandry aspects of production, from the day-old parent breeders to the marketing and distribution of the final products to the retailer. The “poultry industry” is actually three different industries: commercial layers, broilers, and turkeys. Commercial layers are chickens of the leghorn breed that lay table or breaker eggs for human consumption. There are approximately
334 million table egg layers in production in the United States [11]. These birds begin laying eggs for human consumption at 18–19 weeks of age. The US turkey (272 million) and broiler chicken (9.1 billion) [12] industries are similar to each other, with the company purchasing the parent breeders at one day of age, or hatching eggs from a primary breeder or genetic selection company. These birds are raised on farms contracted by the company under specific company guidelines. The offspring (broiler chickens or commercial turkeys) of these breeders are hatched in company-owned hatcheries, and placed on a contract or company-owned farm, where the farmer must follow strict company guidelines for husbandry. All feed that is fed to the breeders, broiler chickens, or commercial turkeys is manufactured in a company-owned (or contracted) feed mill under specific guidelines of the company. The company nutritionist(s) will specify the nutritional aspects of the feed, and the company veterinarian(s) will determine any vaccine, antibiotic, or anticoccidial usage requirements. The birds will then be slaughtered in the company-owned processing plant.
The typical US broiler chicken farm will have approximately 100,000 chickens, divided equally into four houses. As in a city of 100,000 people, disease prevention becomes imperative for the poultry industry. Poultry veterinarians practice preventive medicine, utilizing two primary tools, biosecurity and vaccination. The US average level of death loss (mortality) in the typical 100,000-bird broiler farm is 4–5% [13]. There is also a loss of approximately 0.5–1.0% of the birds for human consumption in the processing plant, when birds are condemned by the United States Department of Agriculture-Food Safety Inspection Service (USDA-FSIS) inspectors [14].
2.2.1 Typical Poultry Company. A typical broiler (or turkey) company comprises one or more divisions, or in industry jargon “complexes”.
A complex is a self-contained integrated unit that has broiler birds (or turkeys), breeder birds, a hatchery, a feed mill, and a processing plant. The typical broiler complex will slaughter approximately 1 million broiler chickens per week. Typically, the manager of a complex of broiler birds will have three to four persons as direct reports who are managing this finely tuned operation on a daily basis (Fig. 1). The feed mill manager provides all of the feed to all of the immature breeders (pullets), the adult breeders (breeder layers), and the broiler chickens in the complex. The feed is very closely controlled and monitored by the Food and Drug Administration (FDA). All documentation is available for FDA when they inspect each feed mill. It is illegal for any unapproved drugs to be added to the feed or for the level of the drug to be different from the use limitations on the FDA-approved label. This means there is no legal means of using any drug in an extra-label manner in poultry feed.
FIGURE 1 Typical broiler chicken complex management structure. [Organization chart; boxes shown: complex manager; live production manager; broiler manager, breeder manager, and hatchery manager; pullet, breeder (layer), and broiler servicepersons; pullet, breeder, and broiler farms; feedmill manager; processing plant manager; grain buyer (may be at corporate level).]
The live production manager has the three segments of the business dealing with the live birds. The first direct report is the breeder manager who is responsible for acquiring the day-of-age breeder chicks from the primary breeding company. These chicks are raised by contract pullet growers in specially designed houses from day 1 to sexual maturity (approximately 22–24 weeks of age). At sexual maturity, these pullets are moved in trailers with cages to breeder farms to begin laying fertile eggs. These breeder farms are typically owned by a farmer contracting with the poultry company. These contractors are paid by the dozen for the eggs produced. There are approximately 10,000 hens (plus 1000 roosters) in each house and most typically two houses per farm. The feed for both pullets and breeders is weighed and distributed automatically at a specific time of day. The water is also automatically available to the birds. All of the eggs from a breeder farm are held in an environmentally controlled room on the farm for 2–3 days. An environmentally controlled truck goes to the farm, the eggs are loaded on to the truck, and then delivered to the hatchery.
The hatchery manager receives the eggs from multiple broiler breeder farms and, four times each week, sets eggs into incubators where they have a controlled environment. The broiler chicks hatch in 21 days (28 days for turkeys). These day-of-age chicks are typically vaccinated in the hatchery to help prevent two respiratory diseases, Newcastle disease and infectious bronchitis. The day-old chicks are then delivered to a contract broiler grower farm where they go into an environmentally controlled house that is on average 40-ft wide and 500-ft long with approximately 25,000 broilers per house. Many of these houses have computers controlling the temperature and ventilation. An automatic feeder system maintains feed available to the birds 100% of their life. Automatic nipple or closed water systems are found in almost 100% of the houses. Fresh water from a municipal system or a potable well flows into the house and can only exit the system when a bird pecks or touches the nipple, thus allowing water to go into its mouth.
The contract farmer or “grower” is responsible for the daily care of the birds, providing the building, equipment, heat, electricity, water, and litter handling. The company owns the birds and provides the feed, any medication or vaccines if necessary, and transportation of birds. The growers follow the poultry companies’ husbandry guidelines. The broiler manager has many broiler servicepersons, who each have a number of farms where they provide any technical assistance to the contract grower. They visit every farm a minimum of once a week and usually twice a week. If a grower has birds that become sick, or an abnormal number dies (>1 bird/day per 1000, i.e.
>25/day in a 25,000 bird house) then they immediately contact their broiler serviceperson (available 24 h/day). These broiler servicepersons are trained by veterinarians to perform necropsies or they
may deliver diseased or dead birds to a diagnostic laboratory veterinarian in order to identify the cause of excess mortality. The broiler chicken growers’ pay is based on the pounds of broilers delivered to the processing plant utilizing the least amount of feed for growth. They will have any birds that are condemned by the USDA as unwholesome for human consumption deducted from this weight. Therefore, it is important for growers to follow company husbandry guidelines. Also, for many poultry company contracts, the use of any medication, insecticides, disinfectants, etc. will be strictly controlled by the company. The birds on a broiler farm are of the same age (all in at the same time). When the birds reach slaughter age (on average ∼49 days old), all birds are caught and loaded on to trucks and delivered to the processing plant (all-out at the same time). At the processing plant, the USDA-FSIS veterinarian is responsible for antemortem and postmortem inspection. The processing plant manager oversees all operations from slaughter to the final product leaving the plant.
2.3 US Pork Industry
The US pork-producing industry has also changed dramatically over the past few decades. What was once an industry dominated by small, independently owned operations now comprises fewer, larger operations that are concentrated in certain regions of the United States. In 1995, only 2.6% of swine operations had 2000 or more hogs and held 43% of the inventory. In 2006, 11.8% of swine operations had 2000 or more hogs, holding 80% of the hog inventory. Over 21.1 billion lb of pork was produced in 2006 [15]. As in the poultry industry, decreased production costs and increased efficiency obtained from using new specialized technologies and genetics, among other things, have contributed to the increased pork industry concentration [16]. Many parallels can be seen with the poultry industry as the pork industry becomes more specialized and vertically integrated.
A previously open market industry has moved to one dominated by marketing and production contracts. In marketing contracts, producers agree to deliver a certain number and size of hogs to processors at a certain time. Prices received by producers may be determined in advance or be a formula-based price, such as a spot market price. Production contracts are becoming more common and are not dissimilar to production contracts in the broiler industry. In these contracts, an integrator (large producer or processor) provides the inputs such as the hogs, feed, veterinary, and management services. The contractor provides the land, facilities, and labor, and receives a fixed payment. In both types of contracts, premiums may be given for production efficiency or the quality and size of the hogs [16]. Total confinement and multiple-site production are commonly used in US swine production operations. Operations that specialize in a specific phase of production are becoming more common. Such operations take advantage of newer cost efficient technology and improved genetics in many aspects of production. The attractiveness of specialization has caused the number of farrow-to-finish operations to decrease [17]. Farrow-to-finish operations are generally less efficient and have an increased risk of disease introduction and spread due to the wide age range of pigs on a premises, and increased movement of pigs and personnel on and off these sites, as compared to operations that specialize in one phase of production. Farrow-to-wean, nurseries, and grower or finishing operations are three typical phases of specialized production and will be discussed next.
2.3.1 Farrow-to-Wean. Artificial insemination is the primary technique for mating gilts and sows, especially in large and medium size operations. Semen is primarily purchased or collected off-site [18], eliminating the need to keep boars on-site except for checking if the gilt or sow is ready for insemination (in heat). Artificial insemination does reduce the risk of disease transmission. Semen should still be tested for certain diseases (e.g. porcine reproductive and respiratory syndrome; PRRS). In 2006, [18], the average number of piglets per litter was 11.5, with 10.5 being born alive and 9.4 weaned. Preweaning mortalities ranged from 8.5 to 11.3% per litter The most common reason for preweaning deaths is from being crushed by the sow. Piglets are injected with iron when they are 7–10 days old and are sometimes given antibiotics in the feed. Most breeding-age females are culled when there is a reproductive failure or when the age of the female becomes a risk factor. Carcasses are primarily disposed of by rendering or composting on-site [18]. There can be a high flow of new arrivals on farrow-to-wean production sites and proper biosecurity is important to decrease the risk of disease introduction. Isolating or quarantining, and disease testing of new breeding animals before they are introduced into the herd can help prevent the introduction of new pathogens. Newly introduced pigs are isolated for an average of 4–6 weeks. Administering vaccines to new arrivals is the most common acclimation method used. Other acclimation practices include exposing new arrivals to pigs on-site, and less commonly feedback of feces from other swine or feedback of mummies, placentas, or stillborn pigs [18]. Pigs are generally weaned between 16 and 27 days, although larger operations may wean at an earlier age (16–20 days). Pig flow is continuous during gestation phases and primarily continuous or all-in/all-out by room or building during farrowing phases. 
All-in/all-out management includes cleaning and disinfecting before the room or building is refilled, which reduces the risk of disease spread [18].

2.3.2 Nursery. Weaned pigs often move to a nursery, where they will stay for 6–8 weeks. Pigs leaving the nursery will weigh 30–80 lb. Annual mortalities in nurseries are typically 4–5%, with respiratory problems being the most frequent reason for deaths. Most operations use antibiotics in feed and vaccination as disease prevention methods during this phase of production. Nursery pigs are commonly vaccinated for Mycoplasma and erysipelas. Pig flow is mainly all-in/all-out. Pigs are primarily obtained off-site from another producer and come from a single producer (i.e. single source), although 25.4% of larger sites obtained pigs from three or more sources [18].

2.3.3 Grower or Finisher. Pigs stay at a grower or finisher site for an average of 16–18 weeks. Annual mortalities and pig flow management are similar to nurseries. Also like nurseries, pigs are primarily obtained off-site from a single source. The most common disease prevention method used during this phase of production is antibiotics in feed [1]. Once they reach market weight (225–300 lb), most hogs will be sold to one or two packers, but may be sold to more depending on the geographic proximity of packers and production sites [19].

Hog production was previously mainly concentrated in the North Central regions of the United States (Iowa, Illinois, Indiana, and Minnesota), but has expanded to include the South Atlantic (North Carolina) and South Central (Oklahoma, Texas) regions [16]. Differences in operation types are seen between regions. For example, weaned pigs are commonly transported from the South Atlantic to the North Central region to be finished [18]. It has been estimated that 3.8 million hogs were shipped out of North Carolina in
2001 [20]. Based on the 2006 National Animal Health Monitoring System (NAHMS) study of the swine industry, 31.6% of sites shipped pigs across state lines [18]. Also, approximately 8% of hogs slaughtered in the United States are of Canadian origin. Most Canadian hogs are imported to the North Central region as feeder pigs, and the rest go directly to slaughter houses [17]. Livestock trucks transporting pigs between the different phases of production, both locally and regionally, can also spread pathogens in the process. Both local and regional animal movements can affect the extent of an outbreak, especially if there is delayed detection of disease. It is believed that a livestock truck that was not properly cleaned and disinfected was responsible for the spread of classical swine fever (CSF) from Germany to The Netherlands during the 1997–1998 outbreak [21]. Feral swine populations continue to grow in the United States, and their distribution is becoming more widespread. Estimates of their numbers are over 4 million, with the majority of feral swine located in Florida, Texas, and California. They pose a serious risk for transmitting endemic diseases of feral swine such as brucellosis and pseudorabies. FADs could also be introduced into the feral swine population and go undetected for some time. An FAD introduced into feral swine could fade out or become endemic. This represents a risk of disease transmission to commercial swine if biosecurity does not prevent direct or indirect contact between feral and commercial swine. In the 2006 NAHMS swine study, 25% of large sites and 12% of medium sites reported the presence of feral swine in their county, especially those facilities located in the southern regions [18]. Rodents can also spread disease, either as hosts or mechanical vectors. Most operations use some method to control rodents; bait or poison is most frequently used. 
The majority of swine operations only allow employees to come into contact with areas that house the swine. Some companies have their employees sign documents prohibiting them from owning swine of their own. Outside visitors that are allowed in areas where the swine are housed are usually required to put on clean boots and coveralls. Operations may require visitors to be without swine contact from other premises 24 or more hours before entering [18].
3 PREVENTING/CONTROLLING INTRODUCTION OF DISEASES AT THE FARM LEVEL

Production practices and the structure of the food animal industries imply many areas of vulnerability. Large numbers of animals are often housed at one geographic site, and often in a shared airspace, or in close confinement. Although such practices enhance the profitability of production and also decrease transaction costs for production companies (costs decreased or avoided with integrated production companies), they can increase disease transmission risk by making a larger number of animals at risk for becoming infected by a contagious disease. However, large integrated companies can also afford to have more stringent biosecurity practices through economies of scale in production. Large companies are more likely to have in-house veterinary staff, written and enforced biosecurity guidelines, in-house diagnostic laboratories, and other production inputs that are not possible for smaller scale production systems. The net impact then for disease risks implied by the current food animal industries’ structure and production practices in the United States is unclear; there are forces that could increase disease transmission risks and forces that would decrease such risks. Similarly, the development of appropriate and
protective countermeasures can simultaneously have aspects that are of varying difficulty to implement. The remainder of this section focuses on production inputs and ways to help harden these as sources of vulnerabilities. Obvious risks include genetic stock (both live animals and semen or eggs/embryos), vectors for disease transmission, feeds, supplements, water, vaccines and pharmaceuticals, and air.

3.1 Direct Animal Contact and Genetic Stock Vulnerabilities, Vehicles/Fomites, and Vectors as Sources of Pathogens

Goals for biosecurity of live animals include minimizing opportunities for disease transmission, decreasing sources of infectious agents, using methods such as vaccination and good husbandry to enhance the immune status of animals to prevent disease, and monitoring for the presence of disease while using appropriate diagnostic testing to become aware of the profile of pathogens and immune status. Infected live animals and direct contact are arguably the most likely source for introduction of many FADs to a herd or flock. By appropriately siting production facilities away from neighboring herds and flocks and then maintaining a closed herd/flock (i.e. no animals are admitted from outside sources), sources of infectious agents can be minimized. This practice may or may not be possible or appropriate. The next alternative is to identify animals that will come to the farm that are from sources that have high biosecurity and that can certify the disease status of their animals and products (e.g. semen). It is important for farms to use transportation methods and routes that are safe and will limit potential exposure to infectious agents by limiting sources of infectious agents, for example, manure, animal hair, dander, and dust. This means transporting animals using thoroughly cleaned and disinfected trucks, and when possible, company-owned transportation.
Quarantine of all newly arrived animals is needed so that there is adequate time for monitoring and testing for diseases that might have been carried to the farm by the new animals. Appropriate vaccination or processing prior to mixing new arrivals with any animals that are on the premises will further ensure the safety of adding new genetic stock to the farm. Biosecurity surrounding the introduction of live animals may be the most important area for protecting the farm from FAD risk. Additionally, there are many other activities that are important to decrease the likelihood of FAD introduction to a farm. Control of traffic of all types to the premises is critical. Exclusion of unnecessary visitors, pets, and pests will decrease the likelihood that a disease is introduced accidentally. Disease can be introduced by animal or environmental exposure/contamination to vehicles/fomites such as boots or coveralls, pets or pests, or a variety of other mechanisms. Pests include vertebrate animals such as wild birds, rats, mice, and raccoons, as well as invertebrate vectors, which may transmit disease, such as flies and mosquitoes. As examples, poultry production systems and many swine production systems require the use of disposable coveralls, boots, gloves, face masks, and hair bonnets for all people entering the premises. Additionally, many swine production systems require shower in and shower out for all visitors to production facilities. Many systems stipulate and enforce a period of no animal contact prior to visiting the facilities for all noncompany personnel. Maintaining a record of all visitors is also a common practice on poultry and swine production systems.
Cleaning and disinfecting between batches of animals decreases the disease transmission risks between batches. Reporting of abnormal signs of disease and maintaining a veterinary–client relationship are all valuable practices so that if disease is present or introduced, it is treated promptly and when appropriate, the facility is depopulated, infected materials are appropriately disposed of, and the facility and all associated equipment and materials are cleaned and disinfected. These and many similar practices all contribute to enhanced biosecurity for the animals present in production systems. The description of the goals of biosecurity should make it obvious why much of the US commercial agriculture, as explained in the previous section describing the US animal production sectors, has evolved to its current structures and practices. For example, the current structures and practices in commercial broiler and turkey production and larger-scale swine production have the same age animals that arrive from a single source, into facilities that are managed as all-in–all-out (or batch) production. Companies and production methods have been structured to avoid introduction of disease to the farm. Genetic stock is an important source for meeting improved product standards driven by industry demands. Today in commercial agriculture, breeding companies develop and maintain pure breeding lines, which are used to create grandparent stock. Grandparent stock are the parents of so-called parent stock. Parent stock are then the parents of the commercial animals. Biosecurity for genetic stock involves similar functions to those applied directly to the commercial animals, except that the standards are even higher. The use of purchased semen is a common practice to introduce new genetic stock or simply as the standard for parent stock breeding systems. 
Practices that will enhance biosecurity for semen include obtaining semen from known negative sources, from companies that practice high biosecurity and use extensive surveillance and testing, and ensuring the safety and security of transportation and delivery of semen to the farm premises where it will be used. Frequency of disease testing and the openness of semen company records are some of the indicators that can be used to assess the biosecurity of semen providers. Companies responsible for providing semen to producers must consider a variety of issues beyond the basic biosecurity and surveillance of their animals. For example, sources of equipment and products (e.g. semen extenders) must be thoroughly checked with ongoing methods to detect accidental or potential sabotage to materials that could contribute disease risks to the semen products they produce.

Studies help elucidate the risks for farms and on-farm production practices. For example, a risk analysis for the importation of CSF (also known as hog cholera and an FAD that was eradicated from the US swine population in 1976) demonstrated that CSF is spread by movement of live animals, especially wild boars, people, vehicles, equipment, or semen contaminated with virus [22]. These risk factors identified for the importation risk model apply also to potential spread within the US domestic herd.

There is a variety of other practices that can be implemented to help harden on-farm production systems. Examples include the following:

• Background checks for all hired personnel
• Enforcing company biosecurity policies/monitoring employee compliance of company biosecurity requirements
• Anticipating and watching for abnormal signs of disease and abnormal activity of people in and around the production facilities
• Establishing farm-specific emergency response plans
• Identifying animal disposal sites that meet Environmental Protection Agency (EPA) requirements
• Identifying depopulation, disposal, and disinfectant/decontamination methods and partner companies that could be worked with if needed
• Siting facility locations to minimize exposure to other herds/flocks including siting away from major roads/freeways
• Participating in and practicing with industry and local county animal response team (CART) and state animal response team (SART)
• Structuring the farm and animal production sector to provide for agility of response to outbreaks from a variety of considerations
3.2 Feeds/Supplements and Water Vulnerabilities

Feeds/supplements and water will be discussed from the perspective of the poultry industry, but the concepts and vulnerabilities identified apply generally to animal agriculture production. The two primary sources of water for poultry are also the same sources for the human population: municipal water and well water. Both sources should be potable drinking water. If a farm is near a municipal/local government water system, it may source from that system. However, because of the large amount of water usage, especially in the summer to aid in cooling birds, and because the location of production systems does not normally allow accessing municipal water systems, the source of water for the majority of farms is wells. Commonly, more than one well is required to supply water to a farm. In most cases, the well water would have been tested for potability when the well was first opened but may not be tested again unless a problem is suspected. Many turkey farms and some broiler breeder farms have water treatment systems, primarily chlorinators. Few broiler or layer farms have any consistent water treatment occurring. Many newer farms have water meters in each house/barn and the farmer/grower/company will monitor water consumption.

From a biosecurity perspective, the water system is an area of vulnerability. Some diseases and chemicals could be transmitted by contaminating the water system. This can occur both naturally and by intentional introduction. The testing for potability is typically limited to looking at organisms that are indicators of fecal contamination, nitrates, and ion levels including sodium, chloride, sulfate, iron and manganese. For livestock, testing may also include pH, conductivity, potassium, total dissolved solids, and hardness. Potability testing does not generally indicate the presence of other disease agents, toxins, or chemicals that could cause a disease.
The water source should be secured and regularly checked. This will mean locking the well heads, and controlling the source, storage, and use of any chemicals and water processing systems that may be used. Water that is obtained from a municipal system, while perhaps more secure, can also be potentially contaminated. Given the ease of distribution and wide exposure contaminated water could cause, ensuring quality water in animal agriculture production is important. The majority of feed provided to all segments of the poultry industry in the United States is obtained from large centralized feed mills specific to that location/company. Nearly all of the broiler chicken and turkey feed mills provide feed for only broilers or turkeys of that company. However, many of the commercial table egg-producing feed
mills are multiple species mills, producing feed for dairy cattle, beef cattle, etc. The ingredients are primarily corn (energy) and soybean meal (protein) with added vitamins, minerals, and any medications. The feed accounts for as much as 60% of the cost of producing the poultry or eggs, so feed ingredient prices significantly affect which ingredients are used. For example, as the price of soybean meal increases, more rendered by-products derived from animal processing plants are used as a protein source. Routinely now, ruminant rendered product (meat and bone meal) is used as a cheaper source of protein to add to poultry diets in addition to soybean meal. The major raw ingredients arrive at the feed mill either by train or by truck in bulk. These will be offloaded and stored in large silos. The minor raw ingredients such as minerals, vitamins, or medications come in bags and these are stored usually in the warehouse section of the mill. Feed mills will normally produce feed for 16+ h/day and feed is delivered in bulk tanker trucks that auger the feed into storage bins on the farm. The system on the farm is a closed auger system from the bin which supplies one to two houses (i.e. barns).

The feed mills are an area of vulnerability for animal agriculture. Feed mills are operating 16+ h and have feed being delivered from the finished feed storage bins almost 24 h/day. Feed mills are usually open with few locks or security systems. Employees, feed trucks, raw ingredient vehicles, etc. are coming and going on an almost continuous basis. Thus, intentional introduction of pathogens, toxins, or chemical contaminants is possible. Feeds have been shown to be a risk recently with the melamine contamination of poultry and pig feeds [23]. This contamination occurred through the use of feed ingredients imported from China used in producing pet foods. Leftover pet food ingredients were then purchased by animal feeds manufacturers and used in the production of animal feeds.
The contamination was traced to the use of a rice protein concentrate, wheat gluten, and corn gluten that evidently had melamine used to increase the apparent protein content of the feed. Hogs that were fed the melamine were initially quarantined. They were eventually allowed to go to slaughter after a holding period and testing revealed they were safe for human consumption. There was significant market disruption and concern generated for the producers directly involved in this event and for the industries generally. Undoubtedly, there will be increased guidance and potentially increased regulations from the FDA, the agency responsible for oversight of animal feeds. Animal feeds have a history of being a target for a terrorist attack [23]. Many poisonings have been accidental [23, 24]. Still these incidents are informative about the potential risk and the needs for improving feed security.

The use of garbage feeding of pigs is forbidden by federal law unless the garbage is treated (usually by cooking) to kill disease organisms. Garbage can be a source of transmission of animal diseases including FADs, such as foot-and-mouth disease (FMD). Additionally, human pathogens found in garbage can be transmitted to pigs if not killed by cooking the garbage, and might form the basis for a zoonotic cycle of disease transmission.

Salmonella is a zoonotic pathogen that can be transmitted in feeds. In poultry, it has been well documented that feed can be a source of salmonella [25, 26]. The primary source of salmonella introduced into feed is from a contaminated raw ingredient with animal protein sources often having high levels of salmonella [27]. Additional sources of salmonella introduction into finished feed can be from residual feed in the mill from passage of previously contaminated feed, from rodents living in or near the feed mill, and from wild birds [26].
3.3 Vaccine and Pharmaceutical Vulnerabilities

Vaccines and pharmaceuticals are a source of vulnerability for food animal production. These materials need to be kept in a secure location which holds the materials at appropriate conditions needed for the materials. Materials must be procured from reputable sources that conduct assessments for quality and safety of product. Clean injection equipment needs to be used with new needles used for each animal, or at least changed frequently if new needles are not used on every animal. Records need to be kept of all use of vaccines and pharmaceuticals.

3.4 Air Contaminants and Airborne Spread of Pathogens

Aerosol transmission of certain pathogens and contaminants can occur within and between farms. Successful transmission depends on many farm-level factors. Host factors include the animals’ health status, species, age, density, and their behavior and interaction. Management factors include the building type (layout, floor type, dimensions, ventilation system), feeding system (equipment, time and duration, feed type), waste removal system, and bedding type. Environmental factors include temperature, relative humidity, concentration of gas, and the direction and speed of air [28, 29].

For airborne spread of pathogens, a sufficient amount of infectious particles must be generated by infectious animals and transported and inhaled by susceptible animals [30]. Infectivity must be maintained in order for susceptible animals to become infected. Airborne particles originating from droplets stay in the air for longer periods of time than particles originating from dry matter, such as dust. A high amount of aerosolized particles are generated from animals that sneeze or cough, and a lower amount from normally exhaled breath [28]. Aerosols can also be generated from urine or feces, especially from spraying slurry [31, 32], and from bedding and feed [33].
Airborne FMD viral particles may originate from incinerating infected carcasses [34]. Once in the air, pathogens undergo decay that is related to the amount of time they remain in the air, particle size, temperature, and relative humidity [35]. Influenza viruses are most stable in dry air, whereas FMD virus is most stable in moist air [28]. Airborne particle concentration has been shown to increase at lower temperatures [33], but this can be influenced by the type of farm management. Building design and ventilation systems are equally important as animal activity and density in determining airborne particle concentrations [36]. Cool and damp environments that are flat, with little to no wind and sunlight, favor the travel and survival of airborne particles over long distances [28]. Airborne disease transmission depends on the minimal infective dose of the agent needed to cause infection, as well as farm-level factors such as herd size and type/susceptibility of animals. Transmission is more likely to occur as herd size increases. Larger animals and older animals have a higher risk of becoming infected because they breathe in more air than smaller and younger animals. For example, there is lower risk of transmitting airborne FMD virus to hog farms than to cattle farms [37]. Airborne disease transmission risk can be reduced. Reducing dust, where feed is a major source, greatly reduces aerosol particles [28]. Dust can be reduced from feed by adding tallow, soybean oil, or water [38]. The amount of animal activity and movement should be decreased, when possible. Slurry and manure spreading should be done appropriately to limit the production of aerosol particles as much as possible. Facilities should be designed to allow for proper ventilation and space between animals; the relative humidity to decrease airborne transmission risk is 60% or above [39]. Strategically
placed air inlets can also be beneficial [40]. Although expensive, combining air filtration and positive pressure ventilation has also been suggested [28]. Facility dispersion (i.e. more space between facilities) will help decrease airborne disease transmission risk. However, appropriate spacing of housing is not always feasible, and this alone is not enough to prevent aerosol transmission [36]. Personnel on farms should always be vigilant and follow appropriate biosecurity protocols when entering and exiting animal houses. Movement between infected and noninfected houses by the same person should be minimized or avoided. Depending on the disease, vaccination as part of an overall animal health plan can also help prevent diseases caused by airborne pathogens.
4 PATHOGENS OF CURRENT CRITICAL IMPORTANCE FOR FOOD-PRODUCING INDUSTRIES

Infectious diseases and emerging pathogens are of critical importance in today’s food animal-producing industries. Even endemic diseases have become of increased importance. For example, low pathogenic avian influenza (LPAI) is a disease which is endemic with periodic regional epidemics being experienced (for example in the turkey industry). However, LPAI has become of critical importance because of the potential for mutation to highly pathogenic avian influenza (HPAI). There are many endemic diseases of importance for food animal-producing industries. Indeed, there are so many that whole books are written on such topics. In this section, three FADs of contemporary importance are discussed: HPAI, FMD, and CSF.

4.1 Highly Pathogenic Avian Influenza

The two most important poultry FADs are exotic Newcastle disease (END) and HPAI. Since there is minimal zoonotic potential with END, the focus here is HPAI. However, END is a potentially devastating disease to the poultry industry as evidenced by the outbreak in Southern California, Nevada, Texas, and Arizona in 2002–2003 that cost an estimated $198 million [41]. This END outbreak was limited to a small segment of the commercial poultry industry and was primarily in game fowl and backyard flocks.

The last major outbreak of HPAI in the United States occurred in 1983–1984 in Pennsylvania [42]. This outbreak, caused by an H5N2 virus, affected 448 flocks with more than 17 million birds destroyed in Pennsylvania and Virginia. The virus began as an LPAI subtype H5N2 and then quickly mutated to the highly pathogenic form. The USDA spent over $63 million in 1983 to eradicate this virus from these two states and prevent further spread. This amount does not include the cost to the individual farmer (except indemnity for the affected flock), the losses for the poultry industry in lost revenue, and the many other costs that are not easily calculated.
In general, influenza viruses are very host specific; however, there have been some occasions when the virus has crossed between species as has been seen in the recent H5N1 in Asia crossing from poultry to humans [43]. The recent viruses that have been associated with bird to human transmission are of the H7 and H5 hemagglutination type. It is because of the recent Asian outbreak and concerns for a further change in the virus that many states have now begun programs for containment of low pathogenic H5 or H7 avian influenza viruses.
HPAI is a reportable disease [44]. The USDA is designated with the authority for containment, destruction, and indemnity. However, successful control of an outbreak will require close cooperation among the USDA, the state(s) where the outbreak is occurring, and the poultry industry. HPAI outbreaks also include notification of the US Department of Health and Human Services and the US Centers for Disease Control and Prevention. There is a federal program for monitoring for LPAI called US Avian Influenza Clean for layer and broiler breeding birds. This is administered by the USDA’s National Poultry Improvement Plan (NPIP) [45]. This program requires that a minimum of 30 birds be tested and antibody negative for avian influenza when more than 4 months of age. To retain negative classification, a breeder flock must have a minimum of 30 birds tested negative at intervals of 180 days. Also, before these birds are slaughtered, 30 days prior to the end of the laying cycle, 30 birds must be tested and antibody negative. The USDA-NPIP also has recently begun a special program for the meat-type (broiler) chicken industry to monitor for H5/H7 subtypes prior to slaughter. This program requires a negative antibody test for H5/H7 subtypes of avian influenza from a minimum of 11 birds per flock no more than 21 days prior to slaughter. In most states with large numbers of commercial poultry, there are also active surveillance of live bird auctions and markets, as well as passive surveillance programs. Passive surveillance programs include serological testing of all live birds submitted to state diagnostic laboratories for avian influenza. In the event of a positive serological result, the confirmation of subtype will be done by a USDA authorized laboratory, frequently the USDA National Veterinary Services Laboratories (NVSL) in Ames, Iowa. NVSL will immediately report the results to the proper state authority. 
If it is an H5/H7 subtype of LPAI, then the state veterinarian will quarantine the farm and implement that state’s avian influenza (AI) response plan. It should be noted that a serological surveillance program is not necessary in the event of an introduction of HPAI since there are normally morbidity and mortality rates approaching 100% [46]. In this event, the poultry producer will immediately notify either a company veterinarian or a local diagnostic laboratory. HPAI can be readily diagnosed and would result in an immediate quarantine and depopulation of the affected premises by a cooperative effort of federal, state, and local authorities working closely with the poultry producers. The size of the affected premises or number of premises affected will determine the size of a testing and/or depopulation zone around the index premises. All of this will be decided by the response (also called the incident command) team of the federal, state, and poultry industry cooperators.

LPAI cannot be clinically distinguished from other respiratory diseases. Therefore, the USDA and state programs for active serological surveillance are necessary and have been shown to be effective in identifying H5/H7 subtype affected flocks as seen in 2007 in West Virginia and Virginia. These birds were identified and depopulated. The virus did not spread.

The method of mass depopulation of floor reared poultry that is being developed is using foam [47]. Foam has been shown to be a faster depopulation method as group size increases and is no more stressful for the birds than CO2 depopulation. Speed of response in an FAD event is critical to a successful response. Foam has the added advantage of needing fewer humans to depopulate larger houses, and thus may be preferred for HPAI. Proper handling of depopulated birds and infected materials such as litter is also important for a successful response.
Natural decomposition by on-site composting was the method used for the 2007 LPAI events in West Virginia and Virginia. The biosecurity
of on-site composting needs more research, but appears to have good potential for meeting the biosecurity goals of appropriate and safe carcass disposal [48].

4.2 Foot-and-Mouth Disease

A major epidemic of FMD in Taiwan in 1997 caused the death of approximately 184,000 pigs; additionally, almost 4 million hogs were slaughtered in the eradication program [49]. The previously robust Taiwanese pork industry has been restructured and downsized [50]. The FMD outbreak in the United Kingdom in 2001 had an estimated economic impact of £8.6 billion (equivalent to $17.4 billion US) [51]. There has been a second outbreak in 2007 in the United Kingdom that is substantially smaller, although still costly. Both of these economies suffered in major ways because of FMD. Additionally, there was serious animal suffering and human psychological problems, as well as serious restriction of a variety of activities. For example in the UK outbreak in 2001, the most important economic impact was associated with loss of tourism and recreational use of agricultural lands and the countryside.

FMD is considered an important contemporary FAD because of ease of access to the virus (there are many countries where FMD is endemic), extremely contagious nature of the agent and its ability to spread rapidly, the effect on multiple species (all cloven-hooved animals are affected, including dairy cattle, beef cattle, pigs, goats, and sheep to name a few), the high potential impact on international trade, and the potentially severe economic, social, and political consequences of the disease [52]. Epidemiological models have suggested that as many as 17% of all herds could become infected during a hypothetical outbreak of FMD in California [53]. Total eradication costs from the simulated FMD outbreaks ranged from $61 million to $551 million with mean herd indemnity payments estimated to be $2.6 million and $110,359 for dairy and nondairy herds, respectively [54].
Wind-borne spread of the virus contributes to a higher potential for more rapid spread since it can spread to 20 km [55]. The National Center for Animal Health Emergency Management (NCAHEM) has plans for handling an outbreak of FMD should it occur in the United States. Similarly, there are many states and state animal or agricultural response teams that have plans and have conducted exercises around FMD scenario outbreaks. The United States also maintains the North American FMD Vaccine Bank, which provides ready access to FMD vaccine should this be needed as part of mounting appropriate countermeasures in the face of an outbreak of FMD. This vaccine bank contains contemporary FMD strains with sufficient cross-strain immune protection to cover virtually any strain that might occur, either from a natural introduction or bioterrorist introduction of FMD. Additionally, it has been shown that use of an emergency vaccine will prevent or reduce virus replication, dramatically reducing the amount of virus released into the environment [56]. This is critically important in the early stages of an outbreak, and suggests that vaccination can be used as an appropriate countermeasure even if animals receiving vaccine will be diverted to depopulation later in managing the outbreak. Animals might be diverted to depopulation rather than being sent through market channels because the rules established by the OIE (World Organization for Animal Health) currently require a longer period of time to elapse, from the identification of the last known infected animal, in order to be listed as disease free, if vaccination has been used as a part of the control measures employed during an outbreak. Since the OIE disease-free status provides access to markets which exchange at a premium rate over markets which involve other
designations, there might be times at which the most epidemiologically and economically sound decision would be to use vaccination to slow disease spread because depopulation could not proceed as rapidly as desired. This would make time for later depopulation, while simultaneously preventing the negative impact of having used vaccination as a part of the control strategy (since the vaccinated animals do not enter market channels).

4.3 Classical Swine Fever

CSF, also known as hog cholera, is a highly contagious disease of swine. CSF was first recognized in the United States in 1833. The United States was declared free of CSF in 1978 following an intensive 16-year eradication campaign, which cost $140 million. A similar eradication effort would have cost approximately $525 million in 1997 [57, 58]. The virus remains widespread throughout the world and is well established in the Caribbean basin and regions of Mexico despite extensive control and eradication efforts. Outbreaks continue to be reported in countries with control programs, while other countries simply consider the disease endemic. In many countries in Europe, CSF has become endemic in large wild boar populations [59]. The ease of access to the CSF pathogen in the Caribbean basin represents a significant threat to the United States for both intentional and nonintentional introduction. Any introduction of CSF could result in significant economic loss due to the subsequent need for massive control and eradication efforts, and the resulting loss of access to foreign markets. An outbreak in The Netherlands in 1997, for example, resulted in the destruction of almost 11 million pigs, of which almost 9.2 million were slaughtered for welfare reasons [60]. The cost of this epidemic has been estimated at US $2.3 billion, which included both direct costs and the consequential losses to farms and related industries [61].
Infected pigs shed virus in all excretions and secretions including blood, semen, urine, feces, and saliva. Oronasal is the most important route of transmission between pigs [62]. Transmission of CSF may occur through direct contact between domestic and wild/feral pigs, by feeding pig carcasses or infective pig products (especially swill feeding) to susceptible animals, or indirectly via contaminated clothing or equipment [63]. During the 1997–1998 CSF outbreak in The Netherlands, 17% of transmission was due to direct animal contact. The rest of transmission was due to indirect contact, primarily from transport lorries [64]. Illegal swill feeding is responsible for many outbreaks as the virus survives very well in meat. The virus has been shown to survive up to 4 years in frozen pork [65]. Clinical signs of CSF can be variable and depend on many factors, the most important factor being viral virulence. Although outbreaks of highly virulent strains characterized by high mortalities were common in the past, currently circulating strains are predominately mild to low virulence [66]. Introduction into the United States of low virulence CSF may delay detection. Such was the case in Europe. The approximate time from viral introduction until detection of CSF outbreaks was 3 weeks in Belgium (1993), 4 weeks in the UK (1986), 6 weeks in The Netherlands (1992 and 1997–1998 outbreaks), 8 weeks in Germany (1997), and 9 weeks in Spain (1997) [64]. Many other diseases in swine have clinical signs indistinguishable from these low to moderate CSF strains. These diseases include PRRS, erysipelas, Salmonella, Pasteurella, postweaning multisystemic wasting syndrome (PMWS) (all endemic in US commercial swine), and any enteric or respiratory disease with fever that is unresponsive to antibiotics [62]. Floegel-Niesmann et al. [66] evaluated the virulence of recent CSF strains and concluded that clinical diagnosis would
be difficult up to 14 days post infection. Still, 75% or more of outbreaks in Germany and The Netherlands were detected by clinical signs [67]. Fever and apathy or fever and ataxia were the most prominent clinical signs reported by veterinarians and farmers during the Netherlands outbreak [64]. The United States does have a CSF surveillance plan. The objectives are to allow for rapid detection, monitor the risk of introduction and CSF status in other countries, and to demonstrate freedom of disease, which is especially important for trading purposes. A passive surveillance plan relies on reporting by veterinarians, producers, diagnostic labs, and slaughter plants of pigs with clinical signs similar to CSF. Once the area veterinarian in charge (AVIC) is notified, a foreign animal disease diagnostician (FADD) will be sent to investigate and collect appropriate samples which will then be shipped to the Foreign Animal Disease Diagnostic Laboratory (FADDL) at Plum Island, New York. The United States also actively performs surveillance of high-risk swine populations, such as waste feeding operations, condemned pigs at slaughter facilities and, periodically, feral swine. Twenty-six high-risk states and Puerto Rico have been identified for sample collection. Eligible samples from sick pigs received by a CSF-approved National Animal Health Laboratory Network (NAHLN) laboratory can be tested [68].
ACKNOWLEDGMENTS

The authors thank Peter Bahnson, University of Wisconsin, for early discussions and ideas about the overall chapter structure and content.

REFERENCES

1. USDA, National Agricultural Statistics Service (2002). 2002 Census of Agriculture, Ranking of 2002 Market Value of Agricultural Products Sold. http://www.nass.usda.gov/census/census02/topcommodities/topcom US.htm.
2. USDA, National Agricultural Statistics Service (2002). 2002 Census of Agriculture, Table 50. Selected Characteristics of Farms by North American Industry Classification System, http://www.nass.usda.gov/census/census02/volume1/us/st99 1 050 050.pdf.
3. USDA, National Agricultural Statistics Service (2002). 2002 Census of Agriculture, Table 16. Beef Cow Herd Size by Inventory and Sales, http://www.nass.usda.gov/census/census02/volume1/us/st99 1 014 016.pdf.
4. USDA, ERS, WASDE (2002). www.usda.gov/oce/commodity/wasde/, accessed 10-12-06 and 06-26-07.
5. NAHMS (1999). Part 1. Baseline Reference of Feedlot Management Practices, http://www.aphis.usda.gov/vs/ceah/ncahs/nahms/feedlot/.
6. NAHMS (1997). Part 1: Reference of 1997 Beef Cow-Calf Management Practices, http://www.aphis.usda.gov/vs/ceah/ncahs/nahms/beefcowcalf/beef cowcalf other.
7. NAHMS (1997). Part 3: Reference of 1997 Beef Cow-Calf Production Management and Disease Control, http://www.aphis.usda.gov/vs/ceah/ncahs/nahms/beefcowcalf/beef cowcalf other.
8. NAHMS (1997). Part 2: Reference of 1997 Beef Cow-Calf Health and Management Practices, http://www.aphis.usda.gov/vs/ceah/ncahs/nahms/beefcowcalf/beef cowcalf other.
9. NAHMS (1999). Part II: Baseline Reference of Feedlot Health and Health Management, http://www.aphis.usda.gov/vs/ceah/ncahs/nahms/feedlot/.
10. NAHMS (1999). Part III. Health Management and Biosecurity in U.S. Feedlots, http://www.aphis.usda.gov/vs/ceah/ncahs/nahms/feedlot/.
11. www.nass.usda.govpublication/statistical highlights.
12. Pedersen, J. (1999). By the Numbers. Poultry USA, February, 2007:12–64.
13. Agri Stats, Inc. (2007). Fort Wayne, Agri Stats Inc., Indiana, Jan.–June 2007, 317–319.
14. Agri Stats, Inc. (2007). Agri Stats Inc., Indiana, Jan.–June 2007, 336–339.
15. USDA, National Agricultural Statistics Service (2007). Statistical Highlights 2006/2007, http://www.nass.usda.gov/Publications/Statistical Highlights. Accessed November 11, 2007.
16. Martinez, S. W. USDA, Economic Research Service (2002). Current Issues in Economics of Food Markets: A Comparison of Vertical Coordination in the U.S. Poultry, Egg, and Pork Industries. Agriculture Information Bulletin 2002 No. 747-05.
17. Haley Mildred, M. (2007). USDA, Economic Research Service. Market Integration in the North American Hog Industries, http://www.ers.usda.gov/publications/ldp/NOV04/ldpm12501/ldpm12501.pdf. Accessed July 22, 2007.
18. NAHMS (2007). Part 1: Reference of Swine Health and Management Practices in the United States, 2006, http://nahms.aphis.usda.gov/swine/swine2006/Swine2006 Pt1.pdf. Accessed November 1, 2007.
19. Lawrence, John D., and Glenn, G. (2007). Production and Marketing Characteristics of U.S. Pork Producers, 2006. Working Paper 07014, Iowa State University. http://www.econ.iastate.edu/research/publications/viewabstract.asp?pid=12828. Accessed November 1, 2007.
20. Shields Dennis A., and Mathews, Kenneth H. USDA, Economic Research Service (2003). Interstate Livestock Movements, http://www.ers.usda.gov/publications/ldp/jun03/ldpm10801/ldpm10801.pdf. Accessed July 23, 2007.
21. Meuwissen, Miranda P. M., Horst, Suzan H., Huirne, Ruud B. M., and Dijkhuizen, A. A. (1999). A model to estimate the financial consequences of classical swine fever outbreaks: principles and outcomes. Prev. Vet. Med. 42, 249–270.
22. USDA, National Center for Import and Export (2007). http://www.aphis.usda.gov/vs/ncie/swine manual/exe-summary.html, accessed 9-4-07.
23. National Institute for Animal Agriculture (2007). Swine Health Report, Summer.
24. Kosal, M. E., and Anderson, D. E. (2004). An unaddressed issue of agricultural terrorism: a case study on feed security. J. Anim. Sci. 82, 3394–3400.
25. Schleifer, J. H., Juven, B. J., Beard, C. W., and Cox, N. A. (1984). The susceptibility of chicks to Salmonella Montevideo in artificially contaminated poultry feed. Avian Dis. 28(2), 497–503.
26. McIlroy, G. S. (1998). Control of salmonella contamination of poultry feeds. In Proceedings of International Symposium on Food-Borne Salmonella in Poultry, R. K. Gast, and C. L. Hofacre, Eds. July 25–26, 1998, Baltimore, MD, pp. 83–87.
27. Hofacre, C. L., White, D. G., Maurer, J. J., Morales, C., Lobsinger, C., and Hudson, C. (2001). Characterization of antibiotic-resistant bacteria in rendered animal products. Avian Dis. 45, 953–961.
28. Stärk, K. D. C. (1999). The role of infectious aerosols in disease transmission in pigs. Vet. J. 158, 164–181.
29. Radostits, O. M. (2001). Health and production management in swine herds. Herd Health: Food Animal Production Medicine, 3rd ed. WB Saunders, Philadelphia, PA, pp. 635–764.
30. Winkler, K. C. (1973). The scope of aerobiology. In Airborne Transmission and Airborne Infection. IVth International Symposium on Aerobiology, J. F. Ph. Hers, and K. C. Winkler, Eds. Oosthoek Publishing Company, Utrecht, pp. 1–11.
31. Rankin, J. D., and Taylor, R. J. (1969). A study of some disease hazards which could be associated with the system of applying cattle slurry. Vet. Rec. 85, 578–581.
32. Boutin, P., Torre, M., Serceau, R., and Rideau, P. J. (1988). Atmospheric bacterial contamination from land-spreading of animal wastes: evaluation of the respiratory risk for people nearby. Agric. Eng. Res. 39, 149–160.
33. Fišer, A., and Král, F. (1969). Air temperature and air humidity effect on number of air bacteria in piggeries with a different feed technology. Acta Vet. 38, 579–587.
34. Smith, L. P., and Hugh-Jones, M. E. (1969). The weather factor in foot and mouth disease epidemics. Nature 223, 712–715.
35. Cox, C. S. (1989). Airborne bacteria and viruses. Sci. Prog. 73, 469–500.
36. Smith, J. H., Boon, C. R., and Wathes, C. M. (1993). Dust distribution and airflow in a swine house. In Livestock Environment IV. 4th International Symposium, E. Collins, and C. Boon, Eds. American Society of Agricultural Engineers, pp. 657–662.
37. Sellers, R. F. (1971). Quantitative aspects of the spread of foot-and-mouth disease. Vet. Bull. Weybridge 41, 431–439.
38. Heber, A. J., Stroik, M., Nelssen, J. L., and Nichols, D. A. (1988). Influence of environmental factors on concentrations and inorganic content of aerial dust in swine finishing buildings. Trans. Am. Assoc. Agric. Eng. 31, 875–881.
39. Hartung, J. (1994). The effect of airborne particulates on livestock health and production. In Pollution in livestock production systems, I. Ap Dewi, R. F. E. Axford, I. F. M. Marai, and H. M. E. Omed, Eds. CAB International, Oxon, pp. 55–69.
40. Amass, S. F. (2005). Biosecurity: reducing the spread. Pig. J. 56, 78–87.
41. Whiteford, A. M., and Shere, J. A. (2004). California experience with exotic Newcastle disease: a state and federal regulatory perspective. Proceedings of 53rd Western Poultry Disease Conference. Sacramento, CA, March 7–9, 2004, 81–84.
42. Fichtner, G. J. (1986). The Pennsylvania/Virginia experience in eradication of avian influenza (H5N2). Proceedings of the 2nd International Symposium on Avian Influenza. Athens, GA, Sept. 3–5, 1986, 33–40.
43. Perdue, M. L., and Swayne, D. E. (2005). Public health risk from avian influenza viruses. Avian Dis. 49, 317–327.
44. Cooperative Control and Eradication of livestock or poultry diseases. Code of Federal Regulations:9. subsection 53.1.
45. Poultry Improvement – Sub Chapter G. National Poultry Improvement Plan. Code of Federal Regulations:9. subsections 145, 146, 147.
46. Swayne, D. E., and Halvorson, D. A. (2003). Influenza. In Diseases of Poultry, 11th ed., Y. M. Saif, Ed. Iowa State Press, pp. 135–160.
47. Benson, E., Malone, G. W., Alphin, R. L., Dawson, M. D., Pope, C. R., and Van Wicklen, G. L. (2007). Foam-based mass emergency depopulation of floor-reared meat-type poultry operations. Poult. Sci. 86, 219–224.
48. Wilkinson, K. G. (2007). The biosecurity of on-farm mortality composting. J. Appl. Microbiol. 102, 609–618.
49. Knowles, N. J., Samuel, A. R., Davies, P. R., Midgley, R. J., Valarcher, J. F. (2005). Pandemic strain of foot-and-mouth disease virus serotype O. Emerging Infect. Dis. 11(12), 1887–1892.
50. USDA, Economic Research Service (2000). Taiwan’s Hog Industry – 3 Years After Disease Outbreak; Agricultural Outlook, October 2000, pp. 20–23.
51. DEFRA (2007). http://www.defra.gov.uk/animalh/diseases/fmd/pdf/economic-costs report.pdf, accessed 9-4-07.
52. National Science and Technology Council, Subcommittee on Foreign Animal Disease Threats, Committee on Homeland and National Security February 16, (2007). Protecting Against High Consequence Animal Diseases: Research and Development Plan for 2008-2012.
53. Bates, T. W., Thurmond, M. C., and Carpenter, T. E. (2003). Results of epidemic simulation modeling to evaluate strategies to control an outbreak of foot-and-mouth disease. Am. J. Vet. Res. 64(2), 205–210.
54. Bates, T. W., Carpenter, T. E., and Thurmond, M. C. (2003). Benefit-cost analysis of vaccination and preemptive slaughter as a means of eradicating foot-and-mouth disease. Am. J. Vet. Res. 64(7), 805–812.
55. Sellers, R. F., and Gloster, J. (1980). The Northumberland epidemic of foot-and-mouth disease, 1966. J. Hyg. 85(1), 129–140.
56. Cox, S. J., Voyce, C., Parida, S., Reid, S. M., Hamblin, P. A., Paton, D. J., and Barnett, P. V. (2005). Protection against direct-contact challenge following emergency FMD vaccination of cattle and the effect on virus excretion from the oropharynx. Vaccine 23, 1106–1113.
57. Dahle, J., and Liess, B. (1992). A review on classical swine fever infections in pigs: epizootiology, clinical disease and pathology. Comp. Immunol. Microbiol. Infect. Dis. 15(3), 203–211.
58. United States Animal Health Association (USAHA) (1998). Hog Cholera. In Foreign Animal Diseases. Pat Campbell & Associates and Carter Printing Co., Richmond, VA, pp. 273–282.
59. Artois, M., Depner, K. R., Guberti, V., Hars, J., Rossi, S., and Rutili, D. (2002). Classical swine fever (hog cholera) in wild boar in Europe. Rev. Sci. Tech. 21(2), 287–303.
60. Dijkhuizen, A. A. (1999). The 1997-1998 outbreak of classical swine fever in The Netherlands. Prev. Vet. Med. 42(3-4), 135–137.
61. de Vos, C. J., Saatkamp, H. W., and Huirne, R. B. M. (2005). Cost-effectiveness of measures to prevent classical swine fever introduction into The Netherlands. Prev. Vet. Med. 70(3-4), 235–256.
62. Moennig, V., Floegel-Niesmann, G., and Greiser-Wilke, I. (2003). Clinical signs and epidemiology of classical swine fever: a review of new knowledge. Vet. J. 165, 11–20.
63. Straw, B. E. (2006). Diseases of swine, 9th ed. Blackwell Publishers (US), Ames, IA.
64. Elbers, A. R. W., Stegeman, A., Moser, H., Ekker, M. H., Smak, J. A., and Pluimers, F. H. (1999). The classical swine fever epidemic 1997–1998 in The Netherlands: descriptive epidemiology. Prev. Vet. Med. 42, 157–184.
65. Edwards, S. (2000). Survival and inactivation of classical swine fever virus. Vet. Microbiol. 73, 175–181.
66. Floegel-Niesmann, G., Bunzenthal, C., Fischer, S., and Moennig, V. (2003). Virulence of recent and former classical swine fever virus isolates evaluated by their clinical and pathological signs. J. Vet. Med. B 50, 214–220.
67. Elbers, A. R. W., Bouma, A., and Stegeman, J. A. (2002). Quantitative assessment of clinical signs for the detection of classical swine fever outbreaks during an epidemic. Vet. Microbiol. 85, 323–332.
68. USDA (2007). Procedure Manual for Classical Swine Fever (CSF) Surveillance, http://www.aphis.usda.gov/vs/nahss/swine/csf/CSF procedure manual 2007.pdf. Accessed November 2, 2007.
FURTHER READING

Iowa State University. The Center for Food Security and Public Health website, http://www.cfsph.iastate.edu/
National Research Council of the National Academies (2005). Animal Health at the Crossroads: Preventing, detecting and diagnosing animal diseases. The National Academies Press, Washington, DC.
RISK ASSESSMENT, RISK MANAGEMENT, AND PREVENTIVE BEST PRACTICES FOR RETAILERS AND FOODSERVICE ESTABLISHMENTS

Julie A. Albrecht
University of Nebraska-Lincoln, Lincoln, Nebraska

Catherine H. Strohbehn
Iowa State University, Ames, Iowa
1 INTRODUCTION

Projected sales for the foodservice industry for 2007 were $537 billion with $1.5 billion of food sold on a typical day. There is a great deal of concentration of ownership within the food industry at all levels: production, processing, distribution, and retail sales. With the population of Americans shifting from rural to urban locations, the majority of consumers’ food is purchased from retail and foodservice establishments, which rely on food wholesalers to procure food from food manufacturing plants. These food facilities are inspected at least once per year, but potential for intentional contamination through physical or chemical agents can occur at any time. The restaurant industry employs an estimated 12.9 million people, 9% of the US workforce, making it the largest employer outside of government [2]. The foodservice industry is expected to add two million jobs over the next decade, with total employment projected to reach 14.8 million in 2017. The majority of foodservice workers (83%) are employed in privately owned eating and drinking establishments. The largest category of commercial eating places is restaurants, with projected market sales of $491 billion in 2007. Although more than 7 out of 10 eating and drinking places are single unit, independently owned operations [3], those establishments that are part of multiunit or chain organizations are serving food to greater numbers of people. Census data from 2000 showed increasing diversity in the US population with an increase of 30% for Hispanics and growth in the other races of 29%. Data from the National Restaurant Association (NRA) in 2006 found about one of every four restaurant employees (26%) was reported as speaking a foreign language at home (predominately Spanish) compared to 18% of the overall population [4].
Foreign-born workers represented 21% of foodservice employees in 2004 [2]. Because the foodservice industry hires a large diverse population, reaches a large number of customers and generates a large market share, this industry may be a potential target of intentional contamination of the United States food supply. The World Health Organization [4] identified food terrorism as an act of deliberate contamination of food for human consumption with chemical, biological, or radionuclear
agents for the purpose of causing injury or death to civilian populations, and/or disruption to social, economic and political stability. In a keynote address at the Institute of Food Technologists’ (IFT’s) Fourth Research Summit in April of 2005, Hedberg from the University of Minnesota’s School of Public Health detailed challenges of defending global food systems from terrorist attacks: global sourcing, increased fresh produce consumption from nondomestic sources, increased number of meals consumed away from home, increased centralization of production (with larger batch sizes and distribution networks) [5]. Hedberg also commented on the paradigm shift from a food safety focus (which relies on forensic review of events) to a food defense approach (which predicts risks and implements prevention steps). Another speaker at the conference, Shaun Kennedy from the National Center for Food Protection and Defense, noted that terrorists do not fear retribution as many are committed to sacrificing their own lives to achieve their aims. Multiple detection techniques are being developed, which may provide methods to prevent catastrophic consequences of a terrorist attack on the food supply, yet there are limitations with these techniques [5]. These threats can be presented through physical infrastructures or through humans. The reality of potential threats to our food and water was intensified after the terrorist attacks of September 11, 2001. Federal legislation has been enacted to provide some degree of protection through the ability to trace back food products, as this has been identified as a critical step to mitigate public health impacts. The Bioterrorism Act of 2002 required those involved in the food chain (producer, processor, wholesaler, or retailer) to be able to identify their food sources, minimally to the immediate past link.
The final rule issued in December, 2004, required establishment and maintenance of records by those who manufacture, process, pack, transport, distribute, receive, hold or import food in the United States. Country of origin labeling (COOL) legislation was passed to ensure that provenance of meat items was communicated to consumers. Motivations to harm food include purposes of terrorism or criminal activity, such as corporate sabotage, yet results of causing harm or creating an atmosphere of fear and panic are the same. There are 15 reports of serious attacks on the food chain from 1961 to 2005. These have been limited in the United States with only two occurrences [6]. The most serious attack on the food chain in the United States was due to Rajneeshees (an Oregon-based cult) contaminating food at 10 restaurants with Salmonella typhimurium, causing 751 illnesses in 1984 [7]. Another attack was the intentional poisoning by a supermarket employee of 250 lb of ground beef in 2002, which caused 111 cases of illness [6]. The scope of the threat to agriculture from bio- or chemical attacks, particularly for livestock producers, was illustrated in the United Kingdom with cases involving foot-and-mouth disease (FMD) and bovine spongiform encephalopathy (BSE). Although unintentional, the impact on the food producer and the food industry was widespread. Operators in the retail food industry need to assess risks, implement strategies to manage these risks, and identify the best practices that will prevent threats to food while in their custody. Organizational policies and written standard operating procedures (SOPs) can provide internal guidance. The Food and Drug Administration (FDA) has developed an educational program to raise awareness among government agency and industry representatives about food defense issues and emergency preparedness. The ALERT program title is based on the acronym of key elements: assure, look, employees, reports, and threats [8].
2 RISK ASSESSMENT

Emergency management literature emphasizes the importance of assessment as a means of developing response scenarios. These vulnerability assessments are a critical part of a food defense plan and several tools are available within sectors of the industry. One tool used is the CARVER+Shock process that can help organizations focus on intentional system vulnerabilities, which was discussed in an earlier article. A traditional supply chain is the integrated network of entities involved in the manufacture of goods (which includes procurement of raw materials and assembly into final product), transportation to distributors, and ultimately preparation and/or sale to final customers. Multiunit corporate foodservice chains are coordinating their own supply chains as a control measure to ensure security and safety of the food product. The intention is to protect the safety, quality, and quantity of products. This includes maintaining product integrity so that it is tamper resistant and that substitution of ingredients or final products is prevented. Larger food-related organizations may be better positioned to implement assessment and prevention steps, yet their investment is likely to be driven by potential widespread impact and economic consequences should an attack occur. Parallels can be drawn with outbreaks of foodborne illnesses within one specific restaurant chain, and its resultant destruction [9]. Terrorists may not attack smaller food industry organizations as resultant impact would be low, both in terms of public health and economics. However, an orchestrated simultaneous attack on multiple, smaller food industries could achieve the same outcomes as one large attack on a multinational company. Thus, all food industries are advised to consider potential threats. For wholesale and retail (foodservice and grocery stores) links of the food chain, the focus should consider physical and human elements [10, 11, 12].
Foodservices vary considerably with regard to market niche, menu items and needed raw ingredients, amount of preparation required, hours of operation and service, access to storage and production areas, frequency of deliveries and regularity of these, and number of employees on any one shift. Generally, all employees receive some basic food safety training and are aware of some security issues. Enhancing the training to consider food defense is needed [13].

2.1 Perceptions of Risk

In an assessment conducted by one of the authors [14] at three Midwest supplier food shows, 393 respondents representing a variety of institutional and commercial foodservices or retail grocery stores indicated their levels of concern about an attack on their food supply, their perceptions of the likelihood of this occurring, and whether any changes had occurred in the past year. Approximately 82% indicated they were very or somewhat concerned about intentional food contamination, although only 35% thought something could happen in their businesses. Approximately 25% reported that their organization conducts background checks on prospective employees, limits employee access within physical structures, and inspects their facilities. About 12% (50 of 393 respondents) reported that an identification system for employees is in place and 55 said that changes had been made in reporting systems, such as installation of security cameras and locks. Of the 393 respondents, 43 indicated that changes had been made with regard to customer access. Food security practices in Kansas schools and health care facilities were investigated for foodservice directors’ perceptions of their operations’ risk of bioterrorism [15]. The
authors found that limited access to chemicals and storage was perceived as the most important practice to protect operations from food defense threats. The least important practices perceived by these foodservice directors to protect their facilities from possible food threats were updating contact information and building a network outside of their operation. In addition, Yoon and Shanklin reported that foodservice operators implemented preventative measures where they perceived a risk, that is, chemical use and storage. In their study, the largest gap between perception and practice was communication.

2.2 Assessment Steps

As part of the risk assessment phase, organizations are encouraged to (i) develop a response team, (ii) review and develop written policies and SOPs (focus on human element), (iii) assess vulnerabilities of physical elements (facility, equipment, utilities, and infrastructure), and (iv) review and develop a training program for all organizational staff.

2.2.1 Response Team. It is recommended that a team should be formed representing all functional areas of the organization and all levels of employees. Team members should be knowledgeable about the operation and trustworthy, as risk assessments and management plans are considered confidential and available on a need-to-know basis. The team for smaller organizations might consist of three or four members. Infusion with an organization’s food safety plan has been suggested [10]. Larger organizations have established Hazard Analysis Critical Control Points (HACCP) plans, albeit frequently only seen at the management level.

2.2.2 Review Policies and Procedures. The foundation for any food safety plan is written policies and SOPs.
Foodservice SOPs are available from a number of sources in the public domain, such as the National FoodService Management Institute and Iowa State University’s Food Safety Project (see www.nfsmi.org and www.iowahaccp.iastate.edu for SOPs available in Microsoft Word format so that organizations can easily modify as needed). Written documentation is needed for food defense as well. Current hiring procedures should be reviewed and job descriptions be updated to include responsibilities for food defense and safety. Documentation of current practices should also be reviewed, such as sign-in sheets and building entry logs. Restriction of employee access to designated work areas is suggested. Written policies and SOPs should also consider customers. The review should consider access by those internal (i.e. employees) and external (delivery personnel, repair workers and contract personnel, and customers) to the organization, and screening practices.

2.2.3 Access. A photo identification badge easily seen on uniforms of employees is one way to verify access is valid. Job descriptions should include the statement that photo identifications are worn all the time while at work. Some organizations may issue color-coded uniforms to designate the areas of operation in which the employee should be. Wholesalers who supply foodservice operations should have their own controls to ensure that employees are screened before hiring. A wholesale food distributor would want to limit access to inventory only to screened and bonded employees. Identification as an employee of the wholesaler company is frequently achieved with use of uniforms and wholesale company vehicles. However, because these could be hijacked, the use of photo identification is also recommended. Deliveries should occur ONLY while employees are present. In some
smaller school districts, the dairy vendor may request a key to make milk deliveries early in the morning before the opening of the building. This practice is not recommended. Repair personnel and contractors should stop at the organizational office for check-in and be escorted to the work area by a supervisory employee. Their presence should be monitored while at the work site. Subcontractors, suppliers, repair persons, and others should not be given unrestricted access while on a wholesale or retail foodservice organization’s premises.
2.2.4 Screening. As part of the selection process, employees should be screened for any physical or mental characteristics that may present a threat to the organization. The selection process should be documented so that the desired employee characteristics are tied to the job description and are a bona fide occupational qualification. Thus, the job description should include a statement regarding the employee’s responsibility in risk assessment. Often a financial background check is conducted on a person who will work with money, just as organizations may periodically screen e-mail messages and internet traffic on workplace computers to ensure that inappropriate websites are not visited.
2.2.5 Facility Assessment. An assessment of the operation considering the facility and property itself, layout and design of the building that allow for unchecked access, and infrastructure, such as utilities or transportation vehicles, should be conducted. Potential risks should be identified and procedures be developed to mitigate these risks [16]. All properties of the organization, including parking lots, should be reviewed on a regular basis. Although there are governmental regulations that provide some safeguards, industry organizations should recognize the inherent benefits of regularly reviewing operations. Wholesalers and foodservices should incorporate risk assessments into the daily operational regime.
Emergency contact information should be readily available in each work area for management, fire, FEMA, police, building security, and so on, so that employees are knowledgeable about response authorities and response procedures.
2.2.6 Facilities. Access onto the grounds of the retail foodservice and wholesaler should be screened so that only necessary individuals or vehicles are allowed to enter. Perimeter fencing should be in place and be regularly checked. Exterior lighting of the grounds and parking areas should be in place, particularly by entry areas. Access to facility grounds and to facilities should be restricted to individuals with a legitimate reason for their presence. Physical barriers, such as locked doors and keys restricted to a few screened individuals, can protect against tampering with equipment, theft or substitution of product, or adulteration of the food products. Unlocked doors during operation provide open access in many food and chemical storage areas and in the food production and service areas.
2.2.7 Layout and Design. Identify areas for restricted access, such as food or chemical storage areas. In many organizations, access to these is open during working hours. Often, surplus inventory (food and chemicals) is kept in areas hard to monitor. It is recommended that employees, customers, and contractors/repair persons have access ONLY to areas necessary to complete their work. Addition of doors, security gates, or other physical barriers can help prevent transition. Reconfiguration of product flow may also improve work efficiencies and product safety.
2.2.8 Infrastructure. Vehicles are used in transporting food ingredients and menu items to and from foodservices. All retail food operations need a potable water supply and an energy source (gas or electric). Mail and computer systems are other potential attack points.
2.2.9 Training. In the food security plan, management needs to identify training needs (annual or semiannual of key points of the plan). The training program could include introduction and implementation of new policies and procedures that are made because of the food security plan, simulation of what to do in a tampering event, emergency procedures/evacuation simulations, and so on.
2.2.10 Monitoring. Continual assessment of potential risks from employees, contractors, customers, or the public is needed. Some organizations utilize third party monitoring programs, such as undercover patrons, and receive reports on potential risks. The use of security cameras has also increased. These can be a valuable tool to document compliance and assess future training needs. A checklist format can be used on a daily or weekly basis by rotating key personnel to ensure that vulnerabilities have not been attacked and ownership is spread among all staff members (Table 1). Employees should be aware of any existing vulnerabilities and trained to report any observations. Responsibility to continually observe for vulnerabilities should be included in job descriptions and as part of the review process. These reports should be formalized with a written plan. Physical vulnerabilities can be minimized with prompt attention.
3 RISK MANAGEMENT
Many food defense action steps mirror those in place to ensure the safety of food products, such as a HACCP plan and SOPs. Although the food security and HACCP plans are similar in nature and development process, two separate documents should be prepared. The food security plan needs to be individualized for each organization. Foodservice and grocery store managers need to prepare for the possibility that tampering or other criminal and terrorist attacks could occur. A food security plan needs to be in place as a proactive measure—including elements for evacuation, segregation of affected products, local response network, and availability of emergency contact information as well as training for staff about communications internally and externally during a crisis. Retail food managers need to have a broader perspective—they should think of all possibilities and methods that can compromise the integrity of products and facilities.
3.1 Plan Development
Managers should select a team of knowledgeable individuals to develop the food security plan and conduct assessments of food security procedures and operations. It is recommended that the plan be kept confidential, but the strategies for employee training and communication, both internal and external, should be included in the plan.
3.1.1 Communication. The food security plan should lay out a strategy for internal and external communication.
TABLE 1 Food Defense Checklist for Retail Foodservice Operations
Response columns for each practice: Yes / No / N/A
Facility security
  Facility has a written food defense plan
  A designated person or team plans and implements food defense policies
  Food defense practices are evaluated and documented at least annually
  Emergency contact list is available to all employees
  Managers conduct a daily walk-through inspection of the operation
  The outside of facility is adequately lighted
  Facility is locked and secured when closed
  Exterior doors are locked at all times (except customers’ entrance)
  Keys to access kitchen and food and chemical storage areas are restricted to foodservice management staff
  Access to food preparation areas is controlled for all visitors and nonfoodservice employees, including cleaning crews, delivery vendors, and contractors
  Visitors are required to sign in at the main office, show picture ID, and explain the purpose of their visit. A visitor badge is worn
Personnel
  References for new employees are verified and backgrounds are checked
  Managers are alert for unusual employee and customer behavior (i.e. workers staying after shift and arriving early)
  Personnel have been trained in food defense policies and procedures
  Customers are restricted from entering storage and preparation areas
  Visitors are supervised while in food production areas
  Terminated employees lose all means of access to facility (keys and passwords); this may mean locks are rekeyed and passwords are changed
  Storage is provided for employees’ personal items so that these are not allowed in food preparation areas
Receiving
  Food is purchased only from approved vendors
  A delivery schedule is maintained
  Deliveries are verified against purchase orders
  Delivery personnel are monitored while at the facility
  Packaging integrity of received products is verified
  Food and supplies are placed immediately in appropriate storage upon receipt
Food preparation areas
  Self-service stations (such as food bars and buffets) are monitored at all times by foodservice employees
  Employees are trained to check ingredients before use to note unusual smells, defective products, and expiration dates, and to know appropriate actions to take if there is a problem
  Records are maintained to ensure traceability of raw ingredients back to suppliers
  Procedures are in place for safely handling and disposing of contaminated products
Storage areas
  Access to all food product and chemical storage areas is secured and controlled
  Chemicals are stored in a locked area, outside of food preparation areas
  Chemical use is monitored to prevent deliberate food contamination
  Employees are trained to properly use chemicals to prevent food contamination and protect human safety
Food Defense in foodservice operations refers to the process of guarding the operation against intentional acts of contamination or tampering. This checklist will help you assess the security of your operation. Check YES, NO, or N/A (not applicable) for each practice in your operation. Develop a plan for addressing practices that were marked NO.
The internal communication plan should include training of supervisory staff to be observant of signs of tampering or unusual behavior. A clear reporting system of such events needs to be established so that information is transferred to the proper channels and appropriate actions can be taken in a timely manner. An updated list of key contacts (fire, police, etc.) should be maintained and readily available to key personnel. Employee training should include awareness about suspicious activity, the appropriate reporting channel, and response required of employees for the operation. Who and what will be communicated internally to employees should be included if an event occurs that jeopardizes the integrity of the facility or food products. In addition, signage at designated points to restrict access to employees, delivery and repair personnel, and the public should be an integral component of the communication plan. The external communications section should identify a designated spokesperson knowledgeable about the organization and the plan. This person should be capable of effective communication with press and authorities. This part of the food security plan should include a crisis management strategy to prepare for and respond to any suspicious activity. This crisis management strategy may be similar to an existing natural disaster plan already in place in the food establishment.
3.1.2 Procedures to Ensure Security. The food security plan should include procedures to ensure security of the physical facility and human elements.
Facility security should include access limited to only authorized personnel. At some locations, this may mean perimeter fencing and/or security guards and check-in stations or designated employee entrances. Lighting of outside areas should be evaluated and changes be made to provide adequate lighting for high visibility in parking lots, delivery areas, and other access areas. Designated parking areas for staff should be available. Swipe cards or pass codes should be used at employee entrances. Security badges with codes (uniform colors, electronic bar codes, etc.) can be used to restrict access to only necessary areas. Use of security cameras external to the building and internally in staff and public areas is encouraged. These can be useful as a deterrent and as a reconstruction aid in the event of an incident and may lower insurance premiums. Door locks with limited distribution of keys are also recommended. What we often see at retail foodservices, particularly those not part of multinational chains, is open access to food storage and production areas during hours of operation. Those intent on direct harm or theft can often easily enter the facility and access food and/or chemical storage areas. Posing as a customer, delivery or repair person, or new employee is a way by which access to vulnerable areas can be gained. A defined product recall plan should be identified for any product that is considered unusual or suspicious. This recall plan may be similar to an existing policy for a product that is a food safety concern. The food security plan should include routine security checks of facilities and of procedures established by the team, and a third party may be employed to conduct such an audit.
3.1.3 Training Programs. Training plans should raise awareness in staff about potential risks, and that natural hazards, such as a fire which would cause an evacuation, might be part of an intentional attack on the organization.
Management should provide training to all staff about the need for building and product security. Part of the training should include the importance of restriction to work areas, reasons for background checks and employee screening, and the need to follow policy with regard to security measures (no loaning of keys or passwords). The job description should include a statement with regard to compliance with all operational policies, including consequences identified for noncompliance. Staff should also be provided with storage areas for personal items to limit what is brought into the production areas. Management should encourage all staff to be alert to actions of others and to report any unusual or suspicious behavior—such as reporting early or staying late without any reason, accessing files or information about areas outside of their work zones, asking questions about security measures or other sensitive issues, or bringing cameras to work. Management is advised to consider restricted use of cell phones during the work day due to the ability to take photos.
3.1.4 Implementation and Evaluation. After training, new policies and procedural changes can be implemented with subsequent changes introduced as steps are added to the food security plan. It is not necessary to have a complete plan in place with one rollout. The team should consider an annual review of the food security plan. Reports of concern (inventory records, supplier receipts, etc.) should be evaluated by the appropriate management staff on a regular basis to verify that the plan is working. If the plan is not
working, the plan needs to be modified and changes be implemented to ensure the security of the facility and food products. The team should meet on a quarterly basis or as needed to consider events or changes noted/needed. An event that occurs nationally, such as a tampering activity in a similar industry, should trigger a review of the existing plan. Management should consider instituting a reward system for employee compliance.
4 PREVENTATIVE BEST PRACTICES
The Food Security Plan development should include the areas listed in Table 2. To aid in the development of your food security plan, current organizational policies and procedures should be reviewed. HACCP Plans and SOPs are important to review as part of the Food Security Plan development phase, and for continuous improvement of the plan.
TABLE 2 Components of the Food Security Plan
Columns: Area of Concern / Check for Inclusion in Plan
Human Element
Management
  Assemble a team
  Determine a designated spokesperson
  Assign responsibilities for security to authorized personnel and incorporate into job descriptions
  Develop a crisis management strategy
  Review existing facility layout/design, policies and procedures, including food safety plans (i.e. HACCP) and SOPs
  Examine existing records related to security issues, such as receiving and purchasing. Establish appropriate records and/or revise existing records to be able to track previous link of the food chain
  Develop a system for reporting suspicious behavior
  Develop a plan for evacuation in light of various scenarios—fire, water outages, and so on
  Maintain a current list of emergency response organizations in the community
  Develop and post signage in facility restricting access as appropriate
  Provide training for employees at least annually
Staff and employees
  Review existing policies and procedures about hiring practices including background checks, job descriptions, performance appraisals, reward systems, training logs, sign-in sheets, and so on
  Provide recognizable forms of identification for employees. These forms should include name badges with photo identification and may include specific uniforms
  Provide storage for employees’ personal items. Restrict types of items that employees can bring to work
  Change locks, keys, combinations, codes, passwords, and so on, when employees discontinue employment
  Restrict access of employees, delivery, and repair personnel to areas of work
  Require annual training for employees, document training, and develop a reward system for application of training content
Public
  Restrict access to nonpublic areas
  Monitor public areas
Physical Element
Physical facility
  Provide protection of nonpublic perimeter of facility
  Monitor access to nonpublic areas of facility
  Use lighting for perimeter of premises, such as parking, delivery areas, and so on
  Inspect and evaluate HVAC system, water, and utilities on a regular basis by screened personnel
Operations
  Evaluate inspection procedures of incoming products, deliveries, supplies, mail, and so on
  Evaluate records for receiving
  Monitor food storage areas so access is restricted to authorized personnel only
  Monitor chemical storage areas so access is restricted to authorized personnel only. Implement security measures. MSD Sheets should be accessible to all employees
  Evaluate vulnerabilities of foodservice and/or retail display areas regularly
  Review potential vendors, suppliers, and contractors. Maintain an approved list and monitor access to operation to those on list
  Develop security for your computer system. Limit access by nonscreened personnel
  Develop a method to validate your program
ACKNOWLEDGMENTS
Table 1 was developed as part of a project funded by the USDA Cooperative States Research, Education and Extension Service, Project No. 2005-51110-03282. The mention of trade or company names does not mean endorsement. The contents are solely the responsibility of the authors and do not necessarily represent the views of USDA.
Prepared by Catherine Strohbehn, PhD, Iowa State University (ISU) Extension specialist; Jeannie Sneed, PhD, former ISU HRIM professor; Paola Paez, M.S., ISU HRIM graduate student; Sam Beattie, PhD, ISU Extension specialist; and Janell Meyer, ISU HRIM Food Safety Project Coordinator. Reviewed by Julie A. Albrecht, Extension specialist, University of Nebraska-Lincoln.
REFERENCES
1. Food Marketing Institute. Trends 2008. Food Marketing Institute, Arlington, VA.
2. National Restaurant Association (2006b). State of the Restaurant Industry Workforce: An Overview, June 2006. Restaurant and Information Services Division. Retrieved December 1, 2006 www.restaurant.org/pdfs/research/workforce overview.pdf.
3. National Restaurant Association (2006a). Restaurant Industry Facts, Accessed December 14, 2006 www.restaurant.org/research/ind glance.cfm.
4. World Health Organization (2002). Terrorist Threats to Food: Guidelines for Establishing and Strengthening Prevention and Response Systems. Retrieved May 10, 2007 www.who.int/foodsafety/publications/fs management/terrorism/en.
5. Bryant, C., McEntire, J., and Newsome, R. (2005). Defending the Food Supply. Food Technology, August. In Proceedings of the Terrorism, Pandemics, and Natural Disasters: Food Supply Chain Preparedness, Response, and Recovery Conference, University of Minnesota, Minnesota, pp. 64–73, November 1, 2006.
6. Mohtadi, H., and Murshid, A. P. (2005). Analyzing Catastrophic Terrorist Events with Application to the Food Industry. Proceedings of the Terrorism, Pandemics, and Natural Disasters: Food Supply Chain Preparedness, Response, and Recovery Conference, University of Minnesota, Minnesota, November 1, 2006.
7. Carus, S. W. (2002). Bioterrorism and Biocrimes: The Illicit use of Biological Agents Since 1990, Fredonia Books, Amsterdam, the Netherlands.
8. FDA (2006). ALERT. Retrieved January 16, 2007. www.cfsan.fda.gov/alert.
9. Lockyer, S. E. (2004). Chi-Chi’s shuts all units: Outback buys site rights: Mexican chain, in Chapter 11, retains brand, operations, recipes, trade secrets, National Restaurant News. Retrieved June 20, 2007 http://findarticles.com/p/articles/mi m3190/is-40-38/ain6232955.
10. Powitz, R. W. (2007). Food Defense for the Small Retail Operation. Food Saf. Mag. 12(6), 28–33. Retrieved April 15, 2007 www.iowafoodsafety.org.
11. Barringer, A. A. (2007). Staying ALERT about Food Defense. Food Saf. Mag. 13(1), 26–30.
12. FDA (2004). Guidance for Industry Retail food stores and Foodservice Establishments: Food Security Preventive Measures Guidance, Retrieved June 20, 2007 http://www.cfsan.fda.gov/ guidance.html.
13. NFSMI (2005). How to Develop a Plan, Retrieved May 31, 2007. http://foodbiosecurity.nfsmi.org/DevelopingPlan.php.
14. Albrecht, J. A. (2007). Food Biosecurity Education, Extension Accomplishments Reporting System, Retrieved September 8, 2008 http://citnews.unl.edu/etension/eass/lib/show Report.cgi?RECORD=4323 up. Unpublished data.
15. Yoon, E., and Shanklin, C. W. (2007). Food Security Practice in Kansas Schools and Health Care Facilities. J. Am. Diet. Assoc. 107, 325–329.
16. Sayer, S. (2006). Think Like a Terrorist. Food Qual. 13(5), 26–28.
FURTHER READING
NFSMI (2005). How to Develop a Plan. Retrieved May 31, 2007 http://foodbiosecurity.nfsmi.org/DevelopingPlan.php.
National Restaurant Association Educational Foundation (2003). Food Security: An Introduction. Retrieved October 30, 2008. http://www.nreaf.org/foodsecurity/foodsecurity.asp.
Bruemmer, B. (2003). Food biosecurity. J. Am. Diet. Assoc. 103(6), 687–691.
Sayer, S. (2006). Food Defense at the Federal Level. Food Qual. 13(5), 29–35.
Simmons, K., Harrison, M. A., Hurst, W. C., Harrison, J., Brecht, J., Schneider, K., Simonne, A. and Rushing, J. (2007). Survey of food defense practices in produce operations in the southeast. Food Prot. Trends 27(3), 174–184.
USDA (2004). Food Defense Strategies–A Self-Assessment Guide for Foodservice Operators, Retrieved May 31, 2007. http://www.health.state.ny.us/enrionmental/indoors/food safety// food defense strategies.
ADDITIONAL RESOURCES South Dakota State University (2006). Food Defense: Security in a Foodservice Operation. An educational video for foodservice managers.
RISK ASSESSMENT AND SAFETY OF THE FOOD SUPPLY
Lorna Zach and Vicki Bier
Center for Human Performance and Risk Analysis, University of Wisconsin-Madison, Madison, Wisconsin
1 BACKGROUND
In their seminal paper, Kaplan and Garrick [1] define risk as involving both uncertainty and some kind of loss or damage. Moreover, Zimmerman and Bier [2] state that “Risk assessment is a means to characterize and reduce uncertainty to support our ability to deal with catastrophe through risk management.” Thus, we view risk assessment as “a decision-directed activity, directed toward informing choices and solving problems,” as suggested by the National Research Council [3]. Sometimes, the available choices include waiting for additional information before making a final decision; likewise, effective problem-solving can involve doing additional
research to identify the best solution. Therefore, assessing the uncertainties about the results of a risk assessment can be useful in determining whether additional information is needed, and if so, which information would be most helpful in making a good decision. In fact, the American Industrial Health Council and others [4] have stated that a good risk assessment “explicitly and fairly conveys scientific uncertainty, including a discussion of research that might clarify [and reduce] the degree of uncertainty.” Likewise, the National Research Council [5] has recently gone further, recommending that risk assessments should “characterize and communicate uncertainty and variability in all key computational steps of risk assessment—for example, exposure assessment and dose-response assessment” (emphasis in original). As Phillips [6] notes, “Quantifying uncertainty does not create uncertainty. It merely measures and reports the uncertainty that is always there . . . quantified uncertainty better describes what we know, and thus can facilitate better decisions, suggest improvements in our methods, and help direct new research to where it will provide the most benefit.” In other words, if a particular risk is highly uncertain, then a good and accurate risk assessment should have large uncertainty bounds. While a lesser degree of uncertainty might be preferable, decision-makers faced with highly uncertain risks are not well-served by focusing on a single best estimate, since this can lead to undesirable “after-the-fact surprises” [4]. Rather, once the nature and magnitude of the uncertainties are known, this knowledge can help decision-makers prioritize not only which protective measures (if any) should be taken in the short term, but also how best to spend their research dollars to reduce risk in the long term, by considering whether the value of additional information [7] in supporting better decisions would outweigh the cost of collecting such information. 
This article discusses one particular approach to characterizing uncertainty and variability, as recommended by the National Research Council [5], namely, the use of so-called “two-dimensional” or “second-order” Monte Carlo simulation. We also discuss applications of this method to food safety and related issues, such as agricultural animal disease. Two-dimensional Monte Carlo simulation is typically used in applications of risk assessment to health, safety, and environmental problems, to assess the desirability of possible preventive and/or mitigating measures to help reduce risk. However, it can also be used to assess the desirability of preventive and mitigating measures for intentional threats to homeland security (e.g. intentionally introduced foot-and-mouth disease or food contamination), as will be discussed below.
1.1 Uncertainty Versus Variability
When the National Research Council [5] talks about the need to “characterize and communicate uncertainty and variability,” they have specific definitions of these terms in mind. For example, Kaplan [8] describes uncertainty assessment as characterizing the scientific “state of knowledge” about an uncertain quantity of interest (e.g. uncertainty about the average effectiveness of a vaccine that has not yet been fully characterized), and distinguishes this from “population variability” (e.g. differences in vaccine effectiveness from one person or animal to another). Similarly, Paté-Cornell [9] draws a distinction between “epistemic uncertainty” (i.e. “Uncertainties about fundamental phenomena reflecting incomplete knowledge”) and the randomness or “aleatory uncertainty” used to represent “variations in samples (e.g. of temperature readings at a precise moment of the year over several years).”
It is, in principle, possible to have uncertainty with little or no variability; for example, if all people are believed to be equally susceptible to a particular disease agent, but little is known about their level of susceptibility. Similarly, it is possible to have variability without uncertainty; for example, if the dose of some microbial toxin required to cause disease is known quite accurately, but is known to vary based on the age or weight of the exposed individual. However, most real-world situations exhibit both state-of-knowledge uncertainty and population variability. The distinction between variability and uncertainty is not necessarily fundamental. For example, some sources of uncertainty might be treated as (effectively irreducible) randomness if a decision has to be made in the short term (e.g. in less than a year), but could be researchable through programs that would yield answers in five to ten years. However, if uncertainty and variability are not clearly separated, analysis results can be misunderstood, and options for risk reduction overlooked. For example, for motor vehicles, as Thompson [10] points out, “simply saying that airbags save approximately 3000 lives each year fails to capture the significant threat that airbags pose to children and small-stature adults. Once this variability is acknowledged, however, opportunities for reducing the risks to those groups may be recognized and implemented.” Many current models analyze variability and randomness (e.g. using Monte Carlo simulation), but unfortunately omit any formal consideration of epistemic uncertainty about the parameter values of the simulation. 
Thus, Paté-Cornell [9] notes that randomness “is generally more easily acknowledged and integrated in mathematical models,” while epistemic uncertainties “are sometimes ignored and tend to be under-reported, especially in public policy studies of controversial or politically sensitive issues.” For example, epidemiological models of foot-and-mouth disease may devote a great deal of computation time to simulating the progression of an outbreak as a function of random fluctuations in the number of infectious contacts an animal may have per day and so on, but treat key uncertain quantities (such as the infectivity and latent period of the disease, or even the level of public and stakeholder cooperation with mitigation measures such as movement restrictions [11]) as if they were known constants. Of course, sensitivity analysis [12] is often used to investigate the effect of key parameter uncertainties on the results of epidemiological models. However, sensitivity analysis on the effects of individual parameters or model assumptions does not yield an integrated statement on the level of uncertainty about the model results.
1.2 Two-Dimensional Monte Carlo Simulation
Monte Carlo simulation [13] is a mathematical tool commonly used to help predict what might happen in disease outbreaks or situations where the population is exposed to a disease or toxic agent. Two-dimensional Monte Carlo analysis [14–18] is a variation of this method, designed to create a single, overall statement of uncertainty, including not only the types of randomness and variability that are commonly taken into account in simulations, but also systematic scientific uncertainties (such as lack of knowledge about disease infectiousness). The basic idea of two-dimensional Monte Carlo is similar to that of sensitivity analysis (namely, varying key parameters over their credible ranges).
However, instead of doing a separate set of sensitivity runs for each parameter individually, two-dimensional Monte Carlo does this in an integrated manner, sampling randomly from the probability distributions for all uncertain input parameters before initiating any given simulation
run. In this manner, the methodology makes it possible to quantify and characterize the combined effects of numerous different uncertainties at the same time. The fact that two-dimensional Monte Carlo analysis explicitly recognizes the uncertainty about key input parameters to the simulation is important in part because randomness and variability have different implications for policy than broader scientific uncertainties. So, while it is useful to have a single overall statement of uncertainty, it is also important to distinguish variability from scientific uncertainty in order to understand their policy implications. In the next section, we discuss several real-world applications of two-dimensional Monte Carlo analysis and their policy recommendations.

2 APPLICATIONS OF TWO-DIMENSIONAL MONTE CARLO SIMULATIONS TO FOOD SAFETY AND ANIMAL DISEASE

2.1 Fumonisin Toxin in Corn

One example of the use of two-dimensional Monte Carlo analysis from the food-safety literature [17] analyzes a naturally occurring toxin (fumonisin, a type of mycotoxin) in corn and corn products, and explores the associated potential for health concerns. This analysis addressed the uncertainty about the exposure to this toxin (both the quantity of the toxin in corn-based food products, and how much corn people in the United States consume), and also the variability in human susceptibility to the toxin (accounting for variability of response between individuals, and the inadequacy of the data on dose-response relationships). Humphreys et al. [17] treated the uncertainty about the exposure of the US population to fumonisin as the “outer loop” in the two-dimensional Monte Carlo analysis. In the problem being described here, the lack of knowledge about both corn consumption levels and the presence of fumonisin in corn could result in up to 3 orders of magnitude of uncertainty about individual dietary exposure to fumonisin.
Figure 1 shows the concentrations of fumonisin that have been measured in different types of corn products in the United States [17]. Corn meal, for example, has relatively high levels of fumonisin contamination, while popcorn, corn chips, and corn flakes have much lower levels. Figure 2 shows fumonisin exposure per person per day as a function of both the level of corn consumption (measured in a country-wide dietary survey) and several possible levels of a maximum allowable concentration of fumonisin in corn. The solid black line at the top of the figure shows the toxin consumption under circumstances with no regulatory limit on fumonisin concentration in corn products. As the limit of allowable fumonisin concentration in corn is reduced (from no limit to 2.0 ppm, down to 0.5 ppm), the exposure to the toxin decreases, as expected. However, reducing the allowable concentration level of the contaminant may not substantially reduce the exposure levels of individuals with extremely high levels of corn consumption. This suggests that those individuals with high levels of corn consumption may still be heavily exposed to fumonisin, even if the corn itself is less heavily contaminated. Given these uncertainties, Humphreys et al. [17] compared two alternative policy measures for dealing with fumonisin toxins, namely, limiting the allowable concentrations of fumonisin, and issuing consumption advisories (i.e., advising people to restrict their intake of certain corn products). Figure 3 illustrates the effects of differing consumption advisories on total fumonisin intake, as a function of people’s (original) levels of corn
consumption. The solid black line at the top again shows the extent of fumonisin intake with no consumption advisory. As the recommended consumption limit in the advisory decreases, from no limit to 100 g of corn per day down to 25 g of corn per day, the daily toxin intake is markedly reduced. Thus, consumption advisories would seem to have a greater effect on reducing peak levels of fumonisin intake than contamination limits, because consumption advisories specifically address risks to those individuals who consume large amounts of corn.

[Figure 1 not reproduced. Legend: Maximum, Average; x-axis: type of corn product.]
FIGURE 1 Average Presence of Fumonisin B in U.S. Corn (based on surveillance data from the U.S. Food and Drug Administration, 1994–1995) and based on data published in Reference 17.

[Figure 2 not reproduced. Y-axis: μgF consumed/person-day; x-axis: percentile corn consumption; curves: 0.5 ppm, 1 ppm, 2 ppm, no limit.]
FIGURE 2 Effects of Different Concentration Limits on Fumonisin Exposure per Person per day (in micrograms) as a Function of the Percentile of Corn Consumption, based on Data in Reference 17.
[Figure 3 not reproduced. Y-axis: μgF consumed/person-day; x-axis: percentile corn eaters; curves: 25 g corn/day, 50 g corn/day, 100 g corn/day, no limit.]
FIGURE 3 Effects of Differing Consumption Advisories on Total Fumonisin Intake per Person per Day (in micrograms) as a Function of the Original Percentile of Corn Consumption, based on Data in Reference 17.
Humphreys et al. [17] also studied the effects of variability, or the “inner loop” of the Monte Carlo simulation. As noted above, the model input parameters designated as representing variability included different responses between individuals (for example, due to different body weights) and the inadequacy of the data available for characterizing the dose-response relationship to fumonisin. Figure 4 illustrates the contributions of both uncertainty and variability, as defined by Humphreys et al., to human kidney toxicity in response to a variety of simulated regulatory scenarios. (The graph is dimensionless, because the units can be difficult to interpret.) In Figure 4, the black bars represent the effects of uncertainty with no variability; the gray bars represent variability with no uncertainty; and the white bars represent the effects of both uncertainty and variability. Thus, the black bars show the estimated health risk if both corn consumption and the levels of fumonisin concentration (treated as aspects of “uncertainty” in this study) were at relatively high levels. Conversely, neglecting the uncertainty (or “outer loop” of the Monte Carlo simulation) and setting only those factors treated as variability to high levels would give us the gray estimates of risk (rather than the white-colored estimates). This could result in estimates of risk that are low by about a factor of 10. Thus, the results in Figure 4 demonstrate the value of two-dimensional Monte Carlo analysis: for example, by highlighting cases in which uncertainty is high, so that it may be worthwhile to conduct additional research before making a final decision. In this particular case, those factors categorized as “variability” appear to contribute more to the overall risk than those categorized as “uncertainty” (although, as noted earlier, there is reason to dispute the categorization of these terms). 
[Figure 4 not reproduced. Y-axis: Log (risk); x-axis: regulatory options (No action, 3 ppm, 1 ppm, 100 g/d); bars: High variability, High uncertainty, High uncertainty and variability.]
FIGURE 4 Effects of Uncertainty and Variability on Risk as a Function of Regulatory Option (no action, 3 ppm limit on fumonisin concentrations, 1 ppm limit on fumonisin concentrations, and 100 grams/day consumption advisory), based on Data in Reference 17.

In any case, all of the risk estimates were low enough that no further regulatory action was judged to be necessary. However, in cases where the overall risk estimates were higher, it could be important to take uncertainty into account in order to avoid underestimating peak risks. Moreover, in this case study, consumption advisories appeared to be more effective at controlling peak exposures than regulatory limits (presumably because of the wide variability in consumption levels within the population), although it is worth noting that
they put the burden of risk reduction on consumers rather than producers. If consumption advisories were to be adopted, it might be desirable to identify which population subgroups are most vulnerable to fumonisin, as well as collecting data on consumption levels by ethnicity and region. By contrast, if regulatory concentration limits were adopted, then additional information on toxin concentrations by production region might be more useful, along with information on how contaminated corn might flow through the supply chain. To summarize, Humphreys et al. [17] found only low levels of risk in the United States, and therefore little reason for concern about fumonisin levels in the US corn supply. However, risks may not be as low as indicated above if the data on corn consumption were not representative of the entire country (for example, if high-consumption regions were omitted), and if the measured levels of fumonisin in corn crops did not include data obtained under drought conditions (under which fumonisin contamination is more likely). Finally, while Humphreys et al. [17] assumed that kidney lesions were the most sensitive toxicity endpoint in humans, the risks could turn out to be higher than indicated in their analysis if some other endpoint turned out to be more important clinically.

2.2 Patulin Toxin in Apple Juice

A similar analysis was performed by Baert et al. [15] to characterize variability and uncertainty regarding children’s exposure to patulin toxin from consuming three types of apple juice in Belgium: organic; handcrafted; and conventional. Based on a survey of juice consumption in preschool children, and measured values of patulin in the three types of apple juice, they considered variability in both consumption and contamination levels, as well as uncertainty about these parameters due to lack of data. The resulting analysis showed that variability in the type of juice consumed did have a significant
effect on risk in this case, even considering the confidence intervals reflecting lack of knowledge. In particular, patulin exposure was found to be higher in children consuming only organic apple juice, with 0.9% of children (90% confidence interval of 0.3% to 1.8%) estimated to exceed the tolerable daily intake of patulin. By contrast, 0.1% of children consuming conventional apple juice (90% confidence interval of 0–0.3%) and no children consuming handcrafted apple juice (90% confidence interval of 0–0.2%) were estimated to exceed the tolerable daily intake. The results reflect both the high variability of juice consumption between individuals, and the high variability of contamination levels in apple juice. The use of two-dimensional Monte Carlo provided a significant methodological advance in the study of this risk. In particular, the authors noted that “a tendency exists to overestimate mean exposures when a deterministic approach is used.” Thus, the probabilistic uncertainty analysis performed by Baert et al. [15] arguably provided a more realistic assessment of the range of exposures, and avoided unnecessarily conservative modeling assumptions and approaches. The two risk mitigation strategies considered by Baert et al. [15] to reduce patulin intake were similar to the strategies evaluated in the fumonisin example above: either to reduce the allowable levels of contamination in juice, or to reduce juice consumption. Unlike in the fumonisin example, however, here the analysis concluded that regulatory limits would be more effective than consumption advisories. Presumably, this was because the variability of patulin concentrations in organic apple juice was sufficiently high that even with reduced consumption, some children could still be exposed to hazardous levels. In particular, the authors concluded that “a reduction of the consumption has more effect when the patulin contamination is lower.”

2.3 Escherichia coli O157:H7 on Beef Trimmings

Cummins et al.
[16] illustrate a slightly different approach to characterizing the role of variability and uncertainty in food contamination, focusing on the process of food preparation in the supply chain, rather than food consumption. In their work, a model was developed to estimate the prevalence of E. coli O157:H7 on beef trimmings in Irish slaughterhouses by considering: initial contamination levels on hides; cross-contamination events; process steps at which microbial growth could occur; the results of decontamination efforts; and steps undertaken to reduce bacterial numbers. The output of the model was a distribution of the prevalence of E. coli O157:H7 on beef trimmings, and also a distribution of the number of organisms on contaminated beef trimmings. The purpose of the model was to identify critical points in the process, and assess the impact of various process mitigations for this bacterial disease agent. Variability and uncertainty were separated in this analysis in order to identify future data requirements and research needs for model improvements, and also to identify those input parameters that had a significant effect on risk, and should therefore be monitored. A total of 19 input parameters were categorized as representing uncertainty (e.g. test sensitivity, which was assumed to be constant but unknown), variability (e.g. number of contaminated carcasses, which was assumed to fluctuate from day to day), or both (e.g. E. coli counts on contaminated hides). The results showed that uncertainty dominated the results, with variability having relatively little impact on model outputs. In fact, Cummins et al. [16] compared the results of
their two-dimensional Monte Carlo simulation (reflecting both uncertainty and variability) with empirical survey results (reflecting variability alone), and concluded that “the confidence bounds for the simulation are much wider due to parameter uncertainty.” Thus, the use of two-dimensional Monte Carlo again arguably resulted in a more accurate statement of the true level of uncertainty about meat contamination in this instance, and avoided providing misleading results, indicating that the true prevalence of E. coli O157:H7 on beef trimmings could be almost twice as large at some slaughterhouses as would have been indicated by the results of the surveillance survey at a single slaughterhouse. The results of the analysis indicated that uncertainty about microbial test sensitivity contributed significantly to the overall uncertainty about model results, and therefore required further experimental work to characterize it. However, the results also supported recommendations about specific risk-reduction measures that could be undertaken in the interim, such as minimizing hide contamination before slaughter and reducing cross-contamination during hide removal.

2.4 Application of Two-Dimensional Monte Carlo Simulation to Homeland Security

The above examples were primarily concerned with food safety. However, two-dimensional Monte Carlo can also be used to analyze problems of homeland security, such as intentionally introduced contamination. For example, consider an intentionally introduced outbreak of foot-and-mouth disease. An analysis of such outbreaks should ideally address not only the effects of variability and randomness (for example, due to differences in weather conditions and disease transmission contacts from day to day under various cattle-management strategies), but also key scientific uncertainties (such as lack of knowledge about the infectivity of the disease agent, or the effectiveness of proposed vaccines).
We have undertaken such an analysis [19], using expert opinion to quantify the uncertainty about simulation inputs such as disease infectivity, and differences in infectivity between species. This reflects the fact that such parameters are not known constants, and therefore are better represented by probability distributions rather than point estimates. As in Cummins et al. [16], we found that the results of the two-dimensional Monte Carlo simulation (taking into account the uncertainty about simulation inputs) were much broader than the results of a one-dimensional simulation (reflecting variability alone). For example, in one scenario, the 90% confidence interval for the duration of possible disease outbreaks increased from 1–2 months due to variability alone, to 0.5–4 months taking uncertainty into account, and up to 4 times wider. In fact, for some input parameters, the ranges of values considered credible by the experts we surveyed were so broad that the inner loop of the simulation would not run for some combinations of parameter values, necessitating significant revisions to the computer code (AusSpread) that was used to model the spread of foot-and-mouth disease. Thus, the discipline imposed by the rigorous quantification of uncertainty and the use of expert opinion arguably helped to overcome any biases or overconfidence that could have resulted from relying on the opinion of a single expert or model developer, leading to a more accurate assessment of the possible extent of disease spread. Of course, care must be taken in representing intentional malicious acts using probability distributions. Clearly, we do not have perfect information about what a potential attacker might do, so some representation of uncertainty is important. However, the
uncertainties about intentional acts will not necessarily follow the same probability distributions as uncertainties about the same parameters in an unintentional outbreak. For example, while various strains of foot-and-mouth disease may differ in their infectivity, potential attackers will not necessarily choose randomly among them, but may prefer to use strains that are believed to be more infectious. Similarly, the progression of an unintentional outbreak may vary significantly depending on whether the disease happens to emerge shortly before cattle are transferred to an auction barn (and commingled with large numbers of other animals); by contrast, intentional introduction of foot-and-mouth disease may be deliberately performed shortly before transfer to an auction barn, in order to maximize the likelihood of rapid disease transmission. With such caveats in mind, though, uncertainty can be just as important in homeland security as in health and safety, if not more so. Critical uncertainties related to security might include factors such as how the food system (and consumers) would respond if an incident of intentional food contamination drastically reduced confidence in the security of imported food products, whether the public and stakeholders would cooperate with recommended mitigation measures [11] (such as movement controls, in the case of foot-and-mouth disease), and the secondary economic impacts of terrorism events (e.g. whether consumers resume buying products affected by contamination after the crisis is over, whether import or export markets suffer lasting losses after a contamination incident). Moreover, variability and uncertainty still have different implications for decisionmaking in the homeland security context, as in the other examples discussed in this article. 
For instance, further research on issues such as whether foot-and-mouth disease is amenable to airborne spread could help to determine how severe an outbreak is likely to be, and hence how much effort is justifiable to reduce the risk of disease introduction. Likewise, if the severity of an outbreak of foot-and-mouth disease is found to be significantly affected by vaccine effectiveness, then further research to verify effectiveness might be desirable before committing to vaccination as a mitigation strategy. By contrast, if the severity of an outbreak is found to be influenced primarily by random fluctuations (such as differences in weather conditions at the time of disease introduction), that would argue for committing to a specific mitigation policy sooner, rather than waiting for further research results.
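The outer-loop/inner-loop structure used in the applications above can be shown on a small dietary-exposure model. This is an added Python example, not code from any of the cited studies; the exposure model, the distributions and every number in it (including the tolerable intake) are constructed for illustration.

```python
import math
import random

# Every number here is constructed for illustration; none comes from the cited studies.
TOLERABLE_INTAKE = 0.4  # hypothetical tolerable daily intake, ug toxin per kg body weight
POINT_ESTIMATES = {     # "best guess" inputs used when parameter uncertainty is ignored
    "mean_log_conc": math.log(0.02),  # log of median toxin concentration, ug per g of food
    "sd_log_conc": 0.9,               # spread of concentration between servings
    "median_intake_g": 150.0,         # median daily consumption, g
}


def draw_uncertain_parameters(rng):
    """Outer-loop draw: one credible state of knowledge about the model inputs."""
    return {
        "mean_log_conc": rng.gauss(math.log(0.02), 0.5),
        "sd_log_conc": rng.uniform(0.6, 1.2),
        "median_intake_g": rng.uniform(100.0, 200.0),
    }


def fraction_over_limit(rng, params, n_people):
    """Inner loop: person-to-person variability for ONE fixed parameter set.

    Returns the fraction of simulated individuals whose daily dose exceeds
    the tolerable intake.
    """
    over = 0
    for _ in range(n_people):
        conc = rng.lognormvariate(params["mean_log_conc"], params["sd_log_conc"])
        intake = rng.lognormvariate(math.log(params["median_intake_g"]), 0.8)
        body_weight = max(rng.gauss(18.0, 3.0), 8.0)  # kg, truncated from below
        if conc * intake / body_weight > TOLERABLE_INTAKE:
            over += 1
    return over / n_people


def two_dimensional_mc(seed, n_outer, n_inner):
    """Sample all uncertain parameters first, then run a full variability simulation."""
    rng = random.Random(seed)
    return [fraction_over_limit(rng, draw_uncertain_parameters(rng), n_inner)
            for _ in range(n_outer)]


def variability_only_mc(seed, n_runs, n_inner):
    """One-dimensional comparison: the same inner loop, always with point estimates."""
    rng = random.Random(seed)
    return [fraction_over_limit(rng, POINT_ESTIMATES, n_inner) for _ in range(n_runs)]


def summarize(values, lower=0.05, upper=0.95):
    """Return (lower bound, median, upper bound) of a 90% interval by nearest rank."""
    ordered = sorted(values)

    def pick(q):
        return ordered[round(q * (len(ordered) - 1))]

    return pick(lower), pick(0.5), pick(upper)


if __name__ == "__main__":
    runs = (("variability only", variability_only_mc(1, 200, 1000)),
            ("uncertainty + variability", two_dimensional_mc(1, 200, 1000)))
    for label, values in runs:
        lo, mid, hi = summarize(values)
        print(f"{label:26s} median {mid:.3f}  90% interval {lo:.3f} to {hi:.3f}")
```

With point estimates, repeated runs differ only by sampling noise, so the reported fraction looks far more certain than the inputs justify; the outer loop widens the interval to reflect what is not known about the inputs.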
3 THE EFFECTS OF MODEL UNCERTAINTY

The applications described above consider primarily the effects of variability and uncertainty in the parameters of a single model. However, in some cases, there is also significant uncertainty about which model is most appropriate, especially if different models give quite different results. In fact, Box [20], an eminent statistician, pointed out that “All models are wrong, but some are useful.” A study by Linkov and Burmistrov [21] investigated model uncertainty in the context of radioactive contamination on fruit (such as strawberries) in the aftermath of a nuclear power plant accident. The authors found radically different predictions for the cesium concentrations in strawberries from the different models they considered. In fact, the results from the six different models initially varied by as much as 7 orders of magnitude. Figure 5 shows the ratio of the individual model results to the median output of all six models for four different iterations of modeling effort. The iterations represent
meetings in which the modelers discussed and agreed on their assumptions, and attempted to standardize modeling methods in order to achieve greater consistency. As shown in Figure 5, it was not until the third meeting that major disagreements among the results of the various models were substantially reduced. By iterations three and four, there was much closer agreement among most of the models, but one model still gave much lower predictions than the other five. Thus, even extensive interactions among the modelers did not completely eliminate model-to-model differences. The above results suggest that model uncertainty can be a significant consideration in practice. In some cases, it may still be possible to address model uncertainty within the context of a two-dimensional Monte Carlo simulation. For example, if there is scientific uncertainty about whether foot-and-mouth disease is amenable to airborne spread, this could perhaps be treated as one of the uncertain parameters in the outside loop of a two-dimensional Monte Carlo, with some simulation runs being done under the assumption of airborne spread and others not (depending on how plausible airborne spread is considered to be). In other cases, however, model uncertainty may need to be treated merely as a caveat, or through more traditional sensitivity analysis, for example, if some models are too computation-intensive to be run numerous times, or if the researchers do not have access to all relevant models.

[Figure 5 not reproduced. Y-axis: ratio to median calculation (logarithmic scale, 0.000001 to 100); x-axis: model run (0 to 4).]
FIGURE 5 Effects of Model Uncertainty for Strawberry Contamination (based on Data in Reference 21).
4 SUMMARY AND CONCLUSIONS

In summary, methods such as two-dimensional Monte Carlo uncertainty analysis [14, 18] can be a useful adjunct to more traditional Monte Carlo simulation in supporting decision-making. In particular, uncertainty analysis can help identify which areas are the most important focus for future research and data collection, and moreover avoids the problem of inadvertently claiming more than is actually known (which can occur if Monte Carlo simulation is used with point estimates rather than probability distributions for key input parameters). The implementation of two-dimensional Monte Carlo can be mathematically complex, but ideally, the results should be communicated to decision-makers and stakeholders in
a form that is both informative and easy to understand [10]. This can be done by using probability distributions to show the overall uncertainty about the outcome of the analysis; for example, probability distributions for the number of infected animals in an outbreak of foot-and-mouth disease might be useful in understanding the range of possible scenarios that could occur, and hence how seriously to take the threat [19]. Graphics could also assist in risk communication by showing which sources of uncertainty contribute the most to the overall uncertainty about the outcome. This kind of information can shed light on the value of additional information, thereby helping to improve decisions about which uncertainties are the most important to study and resolve. Eventually, the results of a risk assessment could be used as input to a formal decision analysis [for example, Refs. 3, 5, 13], in which stakeholder values are quantified as a basis for identifying the most desirable risk management options. However, in practice (as in several of the examples discussed in this article), it is often straightforward to identify the best (i.e., most effective and cost-effective) risk-reduction options once the risks have been thoroughly characterized. In that case, a formal decision analysis may never be necessary.

REFERENCES

1. Kaplan, S., and Garrick, B. J. (1982). On the quantitative definition of risk. Risk Anal. 1(1), 11–27.
2. Zimmerman, R., and Bier, V. M. (2002). Risk assessment of extreme events. Columbia-Wharton/Penn Roundtable on Risk Management Strategies in an Uncertain World. Palisades, New York, April 12–13. Available at http://www.ldeo.columbia.edu/chrr/documents/meetings/roundtable/white papers/zimmerman wp.pdf.
3. National Research Council. (1996). Understanding Risk: Informing Decisions in a Democratic Society. National Academy Press, Washington, DC.
4. American Industrial Health Council, U.S. Environmental Protection Agency, U.S. Department of Health and Human Services, and Society for Risk Analysis. (1989). Presentation of Risk Assessments of Carcinogens: Report of an Ad Hoc Study Group on Risk Assessment Presentation. American Industrial Health Council, Washington, DC.
5. National Research Council. (2008). Science and Decisions: Advancing Risk Assessment. National Academy Press, Washington, DC.
6. Phillips, C. V. (2003). Quantifying and reporting uncertainty from systematic errors. Epidemiology 14(4), 459–466.
7. Yokota, F., and Thompson, K. M. (2004). Value of information analysis in environmental health risk management decisions: past, present, and future. Risk Anal. 24(3), 635–647.
8. Kaplan, S. (1983). On a ‘two-stage’ Bayesian procedure for determining failure rates from experiential data. IEEE Trans. Power Apparatus Syst. PAS-102(1), 195–202.
9. Paté-Cornell, M. E. (1996). Uncertainties in risk analysis: six levels of treatment. Reliab. Eng. Syst. Saf. 54(2), 95–111.
10. Thompson, K. M. (2002). Variability and uncertainty meet risk management and risk communication. Risk Anal. 22(3), 647–654.
11. Anthony, R. (2004). Risk communication, value judgments, and the public-policy maker relationship in a climate of public sensitivity toward animals: revisiting Britain’s foot and mouth crisis. J. Agric. Environ. Ethics 17(4–5), 363–383.
12. Frey, H. C., and Patil, S. R. (2002). Identification and review of sensitivity analysis methods. Risk Anal. 22(3), 553–578.
13. Morgan, M. G., and Henrion, M. (1990). Uncertainty: A Guide to Dealing with Uncertainty in Quantitative Risk and Policy Analysis. Cambridge University Press, Cambridge.
14. Vicari, A. S., Mokhtari, A., Morales, R. A., Jaykus, L. A., Frey, H. C., Slenning, B. D., and Cowen, P. (2007). Second-order modeling of variability and uncertainty in microbial hazard characterization. J. Food Prot. 70(2), 363–372.
15. Baert, K., De Meulenaer, B., Verdonck, F., Huybrechts, I., De Henauw, S., Vanrolleghem, P. A., Debevere, J., and Devlieghere, F. (2007). Variability and uncertainty assessment of patulin exposure for preschool children in Flanders. Food Chem. Toxicol. 45(9), 1745–1751.
16. Cummins, A., Nally, E. P., Butler, F., Duffy, G., and O’Brien, S. (2008). Development and validation of a probabilistic second-order exposure assessment model for Escherichia coli O157:H7 contamination of beef trimmings from Irish meat plants. Meat Sci. 79(1), 139–154.
17. Humphreys, S. H., Carrington, C., and Bolger, M. (2001). A quantitative risk assessment for fumonisins B1 and B2 in US corn. Food Addit. Contam. 18(3), 211–220.
18. Vose, D. (2008). Risk Analysis: A Quantitative Guide, 3rd ed. John Wiley & Sons, Chichester.
19. Zach, L., and Bier, V. M. Manuscript in preparation. An alternative to sensitivity analysis for understanding uncertainty: analyzing uncertainty and variability in the risk of foot-and-mouth disease.
20. Box, G. E. (1979). Robustness in the strategy of scientific model building. In Robustness in Statistics, R. L. Launer, and G. N. Wilkinson, Eds. Academic Press, New York, pp. 201–236.
21. Linkov, I., and Burmistrov, D. (2003). Model uncertainty and choices made by modelers: lessons learned from the international atomic energy agency model intercomparisons. Risk Anal. 23(6), 1297–1308.
MICROBIOLOGICAL DETECTORS FOR FOOD SAFETY APPLICATIONS Evangelyn C. Alocilja and Sudeshna Pal Biosystems and Agricultural Engineering, Michigan State University, East Lansing, Michigan
1 BIOSECURITY AND FOOD SAFETY THREATS

The complexity of the US food supply chain from cradle to grave provides numerous entry points and routes in which (inadvertent and intentional) contaminants and pathogens can be introduced into the nation’s food system. For example, a simple hamburger, consisting of a bun, a beef patty, tomato, lettuce, cheese, and onion, is made of at
least 50 ingredients which could include hundreds of sources when we consider the raw materials, processing, transportation, and finished product. Furthermore, these ingredients may come from across the globe, crossing the US border in less than 24 h. The recent scandal on melamine-tainted pet foods (and maybe human food through melamine-tainted animal feed) is one example of how the food supply can potentially be sabotaged. The use of microorganisms as biological weapons has long been reported in history. One of the first major attacks that have been reported occurred in the 14th century with Yersinia pestis during the siege of Kaffa [1]. The most recent was the deliberate release of Bacillus anthracis spores through the postal system in the United States in October 2001, shortly after the terrorist attack, resulting in 22 cases of anthrax and five deaths [2]. Inhalational anthrax has a high mortality rate of about 100% and the spore forms of the bacteria are very stable under harsh environmental conditions. The Centers for Disease Control and Prevention (CDC, http://www.bt.cdc.gov/agent/agentlist.asp) and the National Institute of Allergy and Infectious Diseases (NIAID, http://www3.niaid.nih.gov/topics/BiodefenseRelated/Biodefense/research/CatA.htm) have classified B. anthracis as a Biodefense Category A agent because it can be easily transmitted from person to person, can cause high mortality with potential for major public health impact, may cause public panic and social disruption, and requires special action for public health preparedness. It is estimated that the release of 50 kg of dried anthrax spores for 2 h can lead to a complete breakdown in medical resources and civilian infrastructure in a city of 500,000 inhabitants [3]. B. anthracis is a gram-positive, nonmotile, facultatively anaerobic, spore-forming, rod-shaped bacterium and is the etiological agent of anthrax.
Anthrax is primarily a zoonotic disease but all mammals, particularly humans, are prone to this disease. The spore forms of B. anthracis are highly resistant to adverse environmental conditions, such as heat, ultraviolet and ionizing radiation, pressure, and chemical agents. They are able to survive for long periods of time in contaminated soils and this accounts for the ecological cycle of the microorganism. The vegetative cells of the bacterium are square-ended and capsulated having a size range of 3 to 5 μm while the spores are elliptical with a size range of 1 to 2 μm [4]. The primary virulence factors of B. anthracis are toxin production and capsule formation. Virulent strains of the microorganism carry two large plasmids, pXO1 and pXO2, which encode these virulence factors. The plasmid pXO1 carries the structural genes for the anthrax toxin proteins pagA (protective antigen), lef (lethal factor), and ef (edema factor); two trans-acting regulatory genes atxA and pagR; a gene encoding type I topoisomerase, topA; and a three-gene operon, gerX, which affects germination. Plasmid pXO2 carries three genes which encode capsule synthesis: capA, capB, and capC; a gene associated with capsule degradation, dep; and a trans-acting regulatory gene acpA [5]. None of the three toxin proteins are toxic separately. Toxicity is associated with the formation of binary exotoxins. The association of pagA and lef results in the formation of lethal toxin (LTx), which provokes lethal shock in animals, while the association of pagA and ef forms the edema toxin (ETx), which produces edema in the skin [6]. B. anthracis spores can enter the human host through the skin (cutaneous route), ingestion (gastrointestinal route), and inhalation (pulmonary route). Ingesting food products contaminated with the spores can lead to gastrointestinal anthrax. In this manner, anthrax spores may cause lesions from the oral cavity to the cecum [7].
Cases of gastrointestinal anthrax have been reported through ingesting undercooked meat from animals [8]. The disease is characterized by fever, nausea, vomiting, abdominal pain, and bloody
KEY APPLICATION AREAS
diarrhea [8]. Gastrointestinal anthrax has been reported to cause fatalities in 25-60% of cases (CDC, 2001). In some community-based studies, cases of gastrointestinal anthrax outnumbered those of cutaneous anthrax [7]. Awareness of gastrointestinal anthrax in a differential diagnosis remains important in anthrax-endemic areas but now also in settings of possible bioterrorism. The inhalational form of anthrax is considered the most dangerous among the three routes, having a mortality rate close to 100% (CDC, 2001). The inhaled spores reach the alveolus where they are phagocytosed by macrophages and transported to the mediastinal lymph nodes, where spore germination can occur in up to 60 days. Following germination, the disease progresses rapidly resulting in the production of exotoxins that cause edema, necrosis, and hemorrhage [4]. Diagnosis is difficult in both gastrointestinal and inhalational forms, resulting in the disease rapidly becoming treatment-resistant and fatal.
In addition to intentional contaminations, we have recently faced unintentional food poisoning through pathogen-tainted products which caused recalls on these products. In September 2007, a major meat processing company recalled up to 9,843 mt (21.7 million lb) of ground beef due to E. coli O157:H7 contamination; it was one of the largest meat recalls in US history. This contamination sickened 30 people in eight states. On October 5, 2007, that company announced that it was closing its business.¹ Contamination of meat products by foodborne pathogens is increasingly a major food safety and economic concern. Billions of dollars are lost every year in medical costs, productivity, product recalls, and jobs as a result of pathogen-contamination outbreaks.
In the United States, there are up to 33 million cases of human illness each year from microbial pathogens in the food supply with an associated cost of $2–4 billion in 2006.² NIAID has identified the following microbes as foodborne and waterborne pathogens: diarrheagenic Escherichia coli, Salmonella species, pathogenic Vibrios, Shigella species, Listeria monocytogenes, Campylobacter jejuni, Yersinia enterocolitica, caliciviruses, Hepatitis A, Cryptosporidium parvum, Cyclospora cayetanensis, Giardia lamblia, Entamoeba histolytica, Toxoplasma, and Microsporidia. These organisms are classified as Category B because they are moderately easy to disseminate, result in moderate morbidity rates, and require specific enhancements of CDC’s diagnostic capacity and enhanced disease surveillance (http://www.bt.cdc.gov/agent/agentlist.asp). In general, the causes of foodborne illness include viruses, bacteria, parasites, fungi, toxins, and metals with the symptoms ranging from mild gastroenteritis to life-threatening neurological, hepatic, and renal problems. It is estimated that foodborne diseases cause approximately 76 million illnesses, including 325,000 hospitalizations and 5000 deaths in the United States each year [9]. Of these, known pathogens account for an estimated 14 million illnesses, 60,000 hospitalizations, and 1800 deaths indicating that these pathogens are a substantial source of infectious diseases [9]. Researchers at the Economic Research Service (ERS) of the US Department of Agriculture (USDA) estimate that the total annual medical cost associated with foodborne illness caused by pathogens is $6.5–9.4 billion. Recent foodborne disease outbreaks involved E. coli O157:H7 in spinach in 2007, and cookie dough in June 2009, and Salmonella in peanut butter in January 2009. E. coli are bacteria that naturally occur in the intestinal tracts of humans and warm-blooded animals
¹ http://www.msnbc.msn.com/id/21149977/
² http://www.ers.usda.gov/Data/FoodborneIllness/
MICROBIOLOGICAL DETECTORS FOR FOOD SAFETY APPLICATIONS
to help the body synthesize vitamins. A particularly dangerous type is the enterohemorrhagic E. coli O157:H7 or EHEC. In 2000, EHEC was the etiological agent in 69 confirmed outbreaks (twice the number in 1999) involving 1564 people in 26 states [10]. Of the known transmission routes, 69% were attributed to food sources, 11% to animal contact, 11% to water exposures, and 8% to person-to-person transmission [10]. E. coli O157:H7 produces toxins that damage the lining of the intestine and cause anemia, stomach cramps, and bloody diarrhea, as well as serious complications called hemolytic uremic syndrome (HUS) and thrombotic thrombocytopenic purpura (TTP) [11]. In North America, HUS is the most common cause of acute kidney failure in children, who are particularly susceptible to this complication. TTP has a mortality rate of as high as 50% among the elderly [12]. Recent food safety data indicate that cases of E. coli O157:H7 are rising in both the United States and other industrialized nations [13]. Human infections with E. coli O157:H7 have been traced back to individuals having direct contact with food in situations involving food handling or food preparation. The most recent E. coli O157:H7 outbreak covering 29 states involved eating raw refrigerated prepackaged cookie dough [14]. In addition to human contamination, E. coli O157:H7 may be introduced into food through meat grinders, knives, cutting blocks, and storage containers. E. coli O157:H7 has also been found in drinking water that has been contaminated by runoff from livestock farms as a result of heavy rains. Regardless of source, E. coli O157:H7 has been traced to a number of food products including meat and meat products, apple juice or cider, milk, alfalfa sprouts, unpasteurized fruit juices, dry-cured salami, lettuce, game meat, and cheese curds [11, 15].
Possible points of entry into the food supply chain include naturally occurring sources from wild animals and ecosystems, infected livestock, contaminated processing operations, and unsanitary food preparation practices. Salmonella enterica serovar Typhimurium and Salmonella enterica serovar Enteritidis are the most common Salmonella serotypes found in the United States. According to CDC, salmonellosis is the most common foodborne illness [16]. Over 40,000 actual cases are reported yearly in the U.S. [17]. Approximately 500 [9] to 1,000 [18] persons die annually from Salmonella infections in the United States. The estimated annual cost of human illness caused by Salmonella is $3 billion [9]. Salmonella Enteritidis has frequently been observed as a contaminant in foods such as fresh produce, eggs, and poultry products. While various Salmonella species have been isolated from the outside of egg shells, presence of Salmonella Enteritidis inside the egg is of great concern as it suggests vertical transmission, that is, deposition of the organism in the yolk by an infected hen (prior to shell deposition) [19]. The recent outbreak of Salmonella involving peanut butter in January 2009 hit almost every state in the United States. Human Salmonella infection can lead to enteric (typhoid) fever, enterocolitis, and systemic infections by non-typhoid microorganisms. Typhoid and paratyphoid strains are well-adapted for invasion and survival within host tissues, causing enteric fever which is a serious human disease. Non-typhoid Salmonella causes salmonellosis, which is manifested as gastroenteritis with diarrhea, fever, and abdominal cramps. Severe infection could lead to septicemia, urinary tract infection, and even death in at-risk populations (young, elderly, and immunocompromised individuals). 
Raw meats, poultry, eggs, milk and dairy products, fish, shrimp, frog legs, yeast, coconut, sauces and salad dressing, cake mixes, cream-filled desserts and toppings, dried gelatin, peanut butter, cocoa, and chocolate are some of the foods associated with Salmonella infection.
2 DETECTION
The detection and identification of these foodborne pathogens in raw food materials, ready-to-eat food products, restaurants, processing and assembly lines, hospitals, ports of entry, and drinking water supplies continue to rely on conventional culturing techniques. Conventional methods involve pre-enrichment, selective isolation, and biochemical screening, as well as serological confirmation for certain pathogens. Hence, a complex series of tests is often required before any identification can be confirmed. These methods are laborious and may require a certain level of expertise to perform. Though these methods are highly sensitive and specific, they are elaborate, laborious, and typically require 2–7 days to obtain conclusive results [15]. Their results are not available on the time-scale desired in the food quality assurance or clinical laboratory, which has safety, cost, and quality implications for the food, medical, and biodefense sectors. Rapid detection methods for pathogens have hence become a necessity. Currently, the three most popular methods for detecting pathogens are: microbial culturing followed by biochemical identification, enzyme-linked immunosorbent assay (ELISA), and polymerase chain reaction (PCR) assay. Conventional microbial culturing techniques are very sensitive; however, they include multiple steps in the assay and require pre-enrichment steps and time consuming processes. For example, conventional detection and specific identification of B. anthracis require complex techniques and laborious methods because of the genetic similarities among various Bacillus species as well as their existence in both spore forms and vegetative state. B. anthracis is identified using standard biochemical techniques, such as its sensitivity to penicillin, nonmotility, non β-hemolytic behavior on sheep or horse blood agar plates, and its susceptibility to lysis by gamma phage. It has been reported that identification of B.
anthracis by initial blood culturing requires 6–24 h for growth, which is followed by morphological and biochemical identification that requires an additional 12–24 h, and finally, definitive identification that requires an additional 1–2 days [20]. B. anthracis is also shown to selectively grow on polymyxin-lysozyme EDTA-thallous acetate (PLET) agar which requires 1–2 days for growth followed by further confirmation [21]. ELISA is a diagnostic tool to detect the presence of antibody-antigen reaction in a sample. An unknown amount of antigen is affixed to a surface, and then a specific antibody is washed over the surface so that it can bind to the antigen. This antibody is linked to an enzyme, and in the final step a substance is added that the enzyme can convert to some detectable signal. ELISA is becoming very popular for food safety monitoring. PCR is gaining popularity in non-culture-based detection schemes. It is highly sensitive and able to detect the presence of just one cell. However, PCR technology has some disadvantages such as the requirement of expensive equipment, skilled personnel to perform assays, DNA extraction stages which increase the detection time, and prior information of target DNA sequences. Biosensors can play a role in the rapid test market. Biosensor technology is emerging as a promising field for rapid detection of microbial pathogens. A biosensor is an analytical device that integrates a biological sensing element with an electrical transducer to quantify a biological event (e.g. an antigen-antibody reaction) into an electrical output. The basic concept of operation of a biosensor is illustrated in Figure 1. The biological sensing element may include enzymes, antibodies, DNA probes, aptamers, molecularly imprinted polymers, and whole cells. Depending on the transducing mechanism, biosensors can be electrochemical, electrical, optical, mechanical, and magnetic. They can be operated in a
FIGURE 1 Schematic representation of a biosensor.
reagent-less process enabling the creation of user-friendly and field-ready devices. Some of the major attributes of biosensor technology are its specificity, sensitivity, reliability, portability, real-time analysis, and simplicity of operation. Biosensors are needed to quickly detect disease-causing agents in food, in order to ensure continued safety of the nation’s food supply. Biosensors show high sensitivity and specificity to targets and can be used as simple one-step measurement tools or as multimeasurement devices. Moreover, biosensors can be designed to be operated on-site or at point of care, eliminating the need for expensive lab-based testing. The miniaturization ability of biosensors and their compatibility with data processing technologies allow them to be integrated into small portable devices. This versatility in biosensors has prompted worldwide research and commercial exploitation of the technology. Recent trends (Fig. 2) indicate that biosensors are the fastest-growing technology for rapid detection of pathogens [22].
3 BIOSENSORS FOR MICROBIAL PATHOGEN DETECTION
In this section, we describe different types of biosensors for pathogen detection based on their transduction mechanism, such as mechanical, optical, electrochemical, and magnetic approaches.
[Figure 2 plot: publications in SCI journals per year, 1985–2010, for PCR, culture methods, biosensors, ELISA, and gel electrophoresis, with a forecast.]
FIGURE 2 Recent trends in pathogen detection [adapted from Lazcka et al. [22]].
3.1 Mechanical Biosensors
3.1.1 Quartz Crystal Microbalance (QCM) Biosensors. Quartz crystal resonators form the basis of Quartz Crystal Microbalance (QCM) sensors. The term “QCM” is used collectively for bulk acoustic wave (BAW), quartz crystal resonance sensors (QCRS), and thickness shear mode (TSM) acoustic sensors [23]. QCM sensors are comprised of a thin quartz disc with electrodes plated on it. When an oscillating electric field is applied across the disc, an acoustic wave with a certain resonant frequency is induced. The disc can be coated with a sensing layer of biomolecules based on the analyte to be detected. The interaction of the analyte with the biomolecules on the disc surface causes a change in mass and a concurrent change in resonant frequency that can be directly correlated to the biomolecular interactions [24]. The relation between mass and the resonant frequency is given by the Sauerbrey equation:

$$\Delta F = \frac{-2.3 \times 10^{6}\, F_0^{2}\, \Delta m}{A} \qquad (1)$$

where $\Delta F$ is the change in frequency (Hz), $F_0$ is the resonant frequency of the crystal (MHz), $\Delta m$ is the deposited mass (grams), and $A$ is the coated area (cm²). The quartz crystals are inexpensive, easily available, and robust, thus making them suitable for chemical sensors and biosensors. In addition, QCM-based sensors provide great flexibility, wide dynamic range of frequency measurements, and label-free detection [24]. A wide range of nonlabeled QCM biosensors have been reported in the literature for the detection of pathogenic bacteria and viruses. QCM sensors based on lectin recognition systems for bacterial identification have been studied by Shen et al. [25] and Safina et al. [26]. Shen et al. have used a combination of mannose self-assembled monolayer (SAM) and lectin concanavalin A for the detection of E. coli W1485 in a linear range of 7.5 × 10² to 7.5 × 10⁷ cells/ml. Safina et al. utilized lectin reporters to develop a flow injection QCM biosensor for detection of Campylobacter jejuni and Helicobacter pylori. The authors were able to detect 10³ to 10⁵ cells/ml in 30 min. A SAM based QCM immunosensor was developed for the detection of E. coli O157:H7 by Su and Li [27]. The immunosensor was able to detect the target bacteria in the range of 10³ to 10⁵ CFU/ml in 30–50 min. Detection of B. subtilis spores as a surrogate to B. anthracis was achieved by Lee et al. utilizing a QCM immunosensor to a detection limit of 450 spores/ml [28]. Furthermore, virus (dengue virus and hepatitis B virus) detection with QCM immuno- and nucleic acid-based sensors has been reported by Wu et al. [29] and Yao et al. [30]. QCM biosensors for the detection of DNA sequences have also been developed using nanoparticle labels as amplifiers. Mao et al. [31] reported the use of streptavidin conjugated Fe₃O₄ nanoparticles (NPs) for the detection of E. coli O157:H7 eaeA gene. The NPs acted as ‘mass enhancers’ and amplified the change in frequency.
The biosensor could attain a sensitivity of 10⁻¹² M synthetic oligonucleotides and 2.67 × 10² CFU/ml E. coli O157:H7 cells [31]. Similarly, Au NPs were employed by Wang et al. for real-time bacterial DNA detection in a circulating flow QCM biosensor. The authors reported a sensitivity of 2.0 × 10³ CFU/ml for E. coli O157:H7 eaeA gene [32]. A QCM-based biosensor was used to detect Salmonella sp. in milk samples with detection limits around 10⁶ CFU/ml [33]. Tombelli et al. [34] developed a DNA piezoelectric biosensor for the detection of bacterial toxicity based on the detection of PCR amplified aer gene of Aeromonas hydrophila. The biosensor was applied to vegetables,
environmental water, and human specimens. The biosensor was able to successfully distinguish between samples containing the pathogen and those not contaminated. Zhao et al. [35] developed a QCM biosensor using 50 nm gold NPs as the amplification probe for DNA detection in the order of 10 fM of target, which was higher than what has been reported using the same method. The high sensitivity was explained by the weight of the larger particles, and the larger area occupied by the larger particles that needed less target DNA for their binding. Another QCM biosensor applied to the detection of E. coli in water in combination with PCR amplification (of the lac gene) was able to detect 10 fg of genomic E. coli DNA (few viable E. coli cells in 100 ml of water) [36]. When used for detection of Hepatitis B virus, Zhou et al. [37] observed that the QCM could detect frequency shifts of DNA hybridization as a linear relationship, in the range 0.02–0.14 μg/ml with a detection limit of 0.1 μg/ml, similar to the QCM biosensor developed by He and Liu [38] for Pseudomonas aeruginosa.
3.1.2 Surface Acoustic Wave Biosensors. Surface Acoustic Wave (SAW) sensors are the second class of acoustic wave sensors that have found applications in biosensor devices. SAW sensors consist of two metal interdigital transducers (IDT) etched from a thin metal film deposited on a piezoelectric substrate. The sensing mechanism is based on the changes in SAW velocity or attenuation when mass is sorbed on the sensor surface. Since the acoustic energy is strongly confined to the surface, SAW devices are very sensitive to surface changes such as mass loading, viscosity, and conductivity changes [39]. It has been suggested that SAW based biosensors have good sensitivities because of their higher mass sensitivities [39]. SAW biosensors have been successfully applied for the detection of bacteria and viruses. E. coli detection using SAW biosensors has been reported in the literature by multiple authors [40–43].
The biosensors have used antibodies as the biological sensing element with sensitivities ranging from 10⁶ cells/ml to 0.4 cells/μl. Branch and Brozik have developed a 36° YX-cut LiTaO₃ based Love-wave device for the detection of B. anthracis, as simulated by B. thuringiensis spores in aqueous conditions [44]. The authors have investigated two waveguide materials, polyimide and polystyrene, for creating the Love-wave sensors. Detection of B. thuringiensis spores at concentrations below the lethal dose of anthrax spores was possible using both waveguide materials. The sensor had a detection limit of a few hundred cells per ml and a response time of 0.05).
the control and the different spore concentrations. The lowest spore concentration that produced a resistance signal significantly different (P < 0.05) from the control was considered to be the sensitivity or detection limit of the biosensor. For the lettuce and ground beef samples, the biosensor sensitivity was 4.2 × 10² spores/ml with statistically significant differences from the control (P-value for lettuce at 10² spores/ml was 1.79E-05; P-value for ground beef at 10² spores/ml was 2.63E-06). For whole milk samples, the biosensor could reach a sensitivity of 4.2 × 10³ spores/ml where statistically significant differences could be observed from the control (P-value at 10³ spores/ml was 8.47E-08). The reduced biosensor sensitivity in the whole milk samples could be attributed to the high fat content in these samples. As observed in Figure 6, although the biosensor resistance readings recorded for the different spore concentrations were different from the control, statistical analysis did not reveal any significant differences between the concentrations. Artifacts in biosensor fabrication, probabilistic antigen-antibody interactions, antibody orientations, and stability of the sandwich complex on the capture pad might be some of the factors behind such biosensor performance. At this stage the biosensor is only considered to be a qualitative device for a yes/no diagnosis of B. anthracis spores. However, the biosensor shows excellent sensitivity and fast detection time in comparison to the very few rapid detection systems for B. anthracis in the food matrices that have been reported in the literature [130, 131].
Specificity evaluation of the biosensor is also presented here. A comparison of the biosensor resistance responses was made in pure cultures of E. coli with cell concentrations ranging from 1.7 × 10¹ to 1.7 × 10⁵ CFU/ml, in pure cultures of Salmonella Enteritidis with cell concentrations ranging from 1.6 × 10¹ to 1.6 × 10⁵ CFU/ml, and pure spore suspensions of B. anthracis with spore concentrations ranging from 4.2 × 10¹ to 4.2 × 10⁵ spores/ml. The biosensor average resistance values for different concentrations of the nontarget bacteria (i.e. E. coli and Salmonella Enteritidis) are similar to the values observed for the control. Single factor ANOVA tests to a significance of 95% (P < 0.05) showed no statistically significant differences between the control and different cell concentrations of E. coli and Salmonella Enteritidis with P-values ranging from 0.278 to 0.887 for E. coli, and from 0.348 to 0.981 for Salmonella Enteritidis. The results indicate that the effects of nonspecific interactions are not significant for the range of cell concentrations tested on the biosensor. In comparison, for pure B. anthracis spore suspensions, the biosensor average resistance responses show significant differences between the control and spore concentrations ranging from 10² to 10⁵ spores/ml (P-value range: 0.009−0.0009) which is expected since the antibodies used in the biosensor are specific for B. anthracis.
5 CONCLUDING COMMENTS
In this chapter, we attempted to present biosensors using various transduction mechanisms that have been developed for rapid detection of microbial pathogens of concern to food defense and food safety. These biosensors are designed for rapid, highly sensitive, specific, and user-friendly operation. While they are not exhaustive, the chapter provides a wide range and scope of the detection mechanisms that are novel and potentially market-ready. The illustrated biosensor on the EAPM-based system is an excellent demonstration of the potential speed, sensitivity, and specificity that can be achieved by biosensors in general.
REFERENCES
1. Inglesby, T. V., Dennis, D. T., Henderson, D. A., Bartlett, J. G., Ascher, M. S., Eitzen, E., et al. (2000). Plague as a biological weapon-medical and public health management. JAMA 283(17), 2281–2290.
2. Jernigan, J. A., Stephens, D. S., Ashford, D. A., Omenaca, C., Topiel, M. S., Galbraith, M., et al. (2001). Bioterrorism-related inhalational anthrax: the first 10 cases reported in the United States. Emerging Infect. Dis. 7(6), 933–944.
3. Spencer, R. C. (2003). Bacillus anthracis. J. Clin. Pathol. 56(3), 182–187.
4. Mock, M., and Fouet, A. (2001). Anthrax. Annu. Rev. Microbiol. 55, 647–671.
5. Okinaka, R. T., Cloud, K., Hampton, O., Hoffmaster, A. R., Hill, K. K., Keim, P., et al. (1999). Sequence and organization of pXO1, the large Bacillus anthracis plasmid harboring the anthrax toxin genes. J. Bacteriol. 181(20), 6509–6515.
6. Collier, R. J., and Young, J. A. T. (2003). Anthrax toxin. Annu. Rev. Cell Dev. Biol. 19, 45–70.
7. Sirisanthana, T., and Brown, A. E. (2002). Anthrax of the gastrointestinal tract. Emerging Infect. Dis. 8(7), 649–651.
8. Mock, M., and Mignot, T. (2003). Anthrax toxins and the host: a story of intimacy. Cell. Microbiol. 5(1), 15–23.
9. Mead, P. S., Slutsker, L., Dietz, V., McGaig, L., Bresee, J., Shapiro, C., Griffin, P., and Tauxe, R. (1999). Food-related illnesses and death in the United States. Emerging Infect. Dis. 5, 607–625.
10. CDC. (2001a). Outbreaks Caused by Shiga Toxin-producing Escherichia Coli-Summary of 2000 Surveillance Data. Centers for Disease Control and Prevention. Available at http://www.cdc.gov/foodborneoutbreaks/ecoli/2000 summaryLetter.pdf.
11. Doyle, M. P., Zhao, T., Meng, J., and Zhao, S. (1997). Escherichia coli O157:H7. Food Microbiology Fundamentals and Frontiers. American Society for Microbiology, Washington, DC.
12. FDA. (2006). Foodborne Pathogenic Microorganisms and Natural Toxins Handbook: The “Bad Bug Book”. FDA-CFSAN. Available at http://www.cfsan.fda.gov/~mow/intro.html
13. WHO. (2002). Terrorist Threats to Food: Guidance for Establishing and Strengthening Prevention and Response Systems. World Health Organization Food Safety Dept, Geneva, Switzerland.
14. CDC. (2009). Multistate Outbreak of E. coli O157:H7 Infections Linked to Eating Raw Refrigerated, Prepackaged Cookie Dough. Updated June 25, 2009. Available at http://www.cdc.gov/ecoli/2009/0619.html
15. FDA. (2005). Bacteriological Analytical Manual. Food and Drug Administration, Rockville, MD. Available at http://www.cfsan.fda.gov/~ebam/bam-toc.html
16. CDC. (2002b). Preliminary FoodNet Data on the Incidence of Foodborne Illnesses-Selected Sites, United States, 2001. MMWR 51: 325-9.
17. CDC. (2002a). Notice to Readers: Final 2001 Reports of Notifiable Diseases. MMWR 51: 710.
18. CDC. (2001b). Salmonellosis. Available at http://www.cdc.gov/ncidod/dbmd/diseaseinfo/salmonellosis g.htm
19. FDA. (1992). Foodborne Pathogenic Microorganisms and Natural Toxins Handbook: Salmonella spp. Available at http://www.cfsan.fda.gov/~mow/chap1.html
20. Inglesby, T. V. (2000). Anthrax as a biological weapon: medical and public health management (vol 281, pg 1735, 1999). JAMA 283(15), 1963.
21. Erickson, M. C., and Kornacki, J. L. (2003). Bacillus anthracis: current knowledge in relation to contamination of food. J. Food Prot. 66(4), 691–699.
22. Lazcka, O., Del Campo, F. J., and Munoz, F. X. (2007). Pathogen detection: a perspective of traditional methods and biosensors. Biosens. Bioelectron. 22(7), 1205–1217.
23. Cooper, M. A., and Singleton, V. T. (2007). A survey of the 2001 to 2005 quartz crystal microbalance biosensor literature: applications of acoustic physics to the analysis of biomolecular interactions. J. Mol. Recognit. 20(3), 154–184.
24. O’Sullivan, C. K., and Guilbault, G. G. (1999). Commercial quartz crystal microbalances-theory and applications. Biosens. Bioelectron. 14(8–9), 663–670.
25. Shen, Z. H., Huang, M. C., Xiao, C. D., Zhang, Y., Zeng, X. Q., and Wang, P. G. (2007). Nonlabeled quartz crystal microbalance biosensor for bacterial detection using carbohydrate and lectin recognitions. Anal. Chem. 79(6), 2312–2319.
26. Safina, G., van Lier, M., and Danielsson, B. (2008). Flow-injection assay of the pathogenic bacteria using lectin-based quartz crystal microbalance biosensor. Talanta 77(2), 468–472.
27. Su, X. L., and Li, Y. B. (2004). A self-assembled monolayer-based piezoelectric immunosensor for rapid detection of Escherichia coli O157: H7. Biosens. Bioelectron. 19(6), 563–574.
28. Lee, S. H., Stubbs, D. D., Cairney, J., and Hunt, W. D. (2005). Rapid detection of bacterial spores using a quartz crystal microbalance (QCM) immunoassay. IEEE Sens. J. 5(4), 737–743.
29. Wu, T. Z., Su, C. C., Chen, L. K., Yang, H. H., Tai, D. F., and Peng, K. C. (2005). Piezoelectric immunochip for the detection of dengue fever in viremia phase. Biosens. Bioelectron. 21(5), 689–695.
30. Yao, C. Y., Zhu, T. Y., Tang, J., Wu, R., Chen, Q. H., Chen, M., et al. (2008). Hybridization assay of hepatitis B virus by QCM peptide nucleic acid biosensor. Biosens. Bioelectron. 23(6), 879–885.
31. Mao, X. L., Yang, L. J., Su, X. L., and Li, Y. B. (2006). A nanoparticle amplification based quartz crystal microbalance DNA sensor for detection of Escherichia coli O157: H7. Biosens. Bioelectron. 21(7), 1178–1185.
32. Wang, L. J., Wei, Q. S., Wu, C. S., Hu, Z. Y., Ji, J., and Wang, P. (2008). The Escherichia coli O157:H7 DNA detection on a gold nanoparticle-enhanced piezoelectric biosensor. Chin. Sci. Bull. 53(8), 1175–1184.
33. Park, I. S., Kim, W. Y., and Kim, N. (2000). Operational characteristics of an antibody-immobilized QCM system detecting Salmonella spp. Biosens. Bioelectron. 15, 167–172.
34. Tombelli, S., Mascini, M., Sacco, C., and Turner, A. P. F. (2000). A DNA piezoelectric biosensor assay coupled with a polymerase chain reaction for bacterial toxicity determination in environmental samples. Anal. Chim. Acta 418, 1–9.
35. Zhao, H. Q., Lin, L., Li, J. R., Tang, J. A., Duan, M. X., and Jiang, L. (2001). DNA biosensor with high sensitivity amplified by gold nanoparticles. J. Nanopart. Res. 3, 321–323.
36. Mo, X. T., Zhou, Y. P., Lei, H., and Deng, L. (2002). Microbalance-DNA probe method for the detection of specific bacteria in water. Enzyme Microb. Technol. 30, 583–589.
37. Zhou, X. D., Liu, L. J., Hu, M., Wang, L. L., and Hu, J. M. (2002). Detection of Hepatitis B virus by piezoelectric biosensor. J. Pharm. Biomed. Anal. 27, 341–345.
38. He, F. J., and Liu, S. Q. (2004). Detection of P. aeruginosa using nano-structured electrode-separated piezoelectric DNA biosensor. Talanta 62, 271–277.
39. Galipeau, D. W., Story, P. R., Vetelino, K. A., and Mileham, R. D. (1997). Surface acoustic wave microsensors and applications. Smart Mater. Struct. 6(6), 658–667.
40. Berkenpas, E., Millard, P., and da Cunha, M. P. (2006). Detection of Escherichia coli O157:H7 with langasite pure shear horizontal surface acoustic wave sensors. Biosens. Bioelectron. 21(12), 2255–2262.
41. Deobagkar, D. D., Limaye, V., Sinha, S., and Yadava, R. D. S. (2005). Acoustic wave immunosensing of Escherichia coli in water. Sens. Actuators, B Chem. 104(1), 85–89.
42. Moll, N., Pascal, E., Dinh, D. H., Pillot, J. P., Bennetau, B., Rebiere, D., et al. (2007). A Love wave immunosensor for whole E-coli bacteria detection using an innovative two-step immobilisation approach. Biosens. Bioelectron. 22(9–10), 2145–2150.
43. Moll, N., Pascal, E., Dinh, D. H., Lachaud, J. L., Vellutini, L., Pillot, J. P., et al. (2008). Multipurpose Love acoustic wave immunosensor for bacteria, virus or proteins detection. Irbm 29(2–3), 155–161.
44. Branch, D. W., and Brozik, S. M. (2004). Low-level detection of a Bacillus anthracis simulant using Love-wave biosensors on 36 degrees YX LiTaO3. Biosens. Bioelectron. 19(8), 849–859.
45. Jin, X., Gao, Z., Pan, H., Zhu, H., Zhou, M., and Chen, H. (2003). The surface acoustic wave biosensor for detecting the gene of Staphylococal Enterotoxin B. Proceedings of the International Symposium on Test and Measurement 1, 261–264.
46. Bisoffi, M., Hjelle, B., Brown, D. C., Branch, D. W., Edwards, T. L., Brozik, S. M., et al. (2008). Detection of viral bioagents using a shear horizontal surface acoustic wave biosensor. Biosens. Bioelectron. 23(9), 1397–1403.
47. Lange, K., Rapp, B. E., and Rapp, M. (2008). Surface acoustic wave biosensors: a review. Anal. Bioanal. Chem. 391(5), 1509–1519.
48. Carrascosa, L. G., Moreno, M., Alvarez, M., and Lechuga, L. M. (2006). Nanomechanical biosensors: a new sensing tool. Trends Analyt. Chem. 25(3), 196–206.
49. Waggoner, P. S., and Craighead, H. G. (2007). Micro- and nanomechanical sensors for environmental, chemical, and biological detection. Lab Chip 7(10), 1238–1255.
50. Davila, A. P., Jang, J., Gupta, A. K., Walter, T., Aronson, A., and Bashir, R. (2007). Microresonator mass sensors for detection of Bacillus anthracis Sterne spores in air and water. Biosens. Bioelectron. 22(12), 3028–3035.
51. Campbell, G. A., and Mutharasan, R. (2006). Piezoelectric-excited millimeter-sized cantilever (PEMC) sensors detect Bacillus anthracis at 300 spores/mL. Biosens. Bioelectron. 21(9), 1684–1692.
52. Ilic, B., Czaplewski, D., Zalalutdinov, M., Craighead, H. G., Neuzil, P., Campagnolo, C., and Batt, C. (2001). Single cell detection with micromechanical oscillators. J. Vac. Sci. Technol. B 19(6), 2825–2828.
53. Johnson, L., Gupta, A. T. K., Ghafoor, A., Akin, D., and Bashir, R. (2006). Characterization of vaccinia virus particles using microscale silicon cantilever resonators and atomic force microscopy. Sens. Actuators, B Chem. 115(1), 189–197.
54. Weeks, B. L., Camarero, J., Noy, A., Miller, A. E., Stanker, L., and De Yoreo, J. J. (2003). A microcantilever-based pathogen detector. Scanning 25, 297–299.
55. Erickson, D., Mandal, S., Yang, A. H. J., and Cordovez, B. (2008). Nanobiosensors: optofluidic, electrical and mechanical approaches to biomolecular detection at the nanoscale. Microfluid. Nanofluidics 4(1–2), 33–52.
56. Shankaran, D. R., Gobi, K. V. A., and Miura, N. (2007). Recent advancements in surface plasmon resonance immunosensors for detection of small molecules of biomedical, food and environmental interest. Sens. Actuators, B Chem. 121(1), 158–177.
57. Waswa, J., Irudayaraj, J., and DebRoy, C. (2007). Direct detection of E-coli O157:H7 in selected food systems by a surface plasmon resonance biosensor. LWT-Food Sci. Technol. 40(2), 187–192.
1764
KEY APPLICATION AREAS
58. Subramanian, A., Irudayaraj, J., and Ryan, T. (2006). A mixed self-assembled monolayerbased surface plasmon immunosensor for detection of E-coli O157: H7. Biosens. Bioelectron. 21(7), 998–1006. 59. Lan, Y. B., Wang, S. Z., Yin, Y. G., Hoffmann, W. C., and Zheng, X. Z. (2008). Using a surface plasmon resonance biosensor for rapid detection of Salmonella typhimurium in chicken carcass. J. Bionic Eng. 5(3), 239–246. 60. Waswa, J. W., DebRoy, C., and Irudayaraj, J. (2006). Rapid detection of Salmonella enteritidis and Escherichia coli using surface plasmon resonance biosensor. J. Food Process Eng. 29(4), 373–385. 61. Chen, L. L., Deng, L., Liu, L. L., and Peng, Z. H. (2007). Immunomagnetic separation and MS/SPR end-detection combined procedure for rapid detection of Staphylococcus aureus and protein A. Biosens. Bioelectron. 22(7), 1487–1492. 62. Jyoung, J. Y., Hong, S. H., Lee, W., and Choi, J. W. (2006). Immunosensor for the detection of Vibrio cholerae O1 using surface plasmon resonance. Biosens. Bioelectron. 21(12), 2315–2319. 63. Chung, J. W., Kim, S. D., Bernhardt, R., and Pyun, J. C. (2005). Application of SPR biosensor for medical diagnostics of human hepatitis B virus (hHBV). Sens. Actuators, B Chem. 111, 416–422. 64. Vaisocherova, H., Mrkvova, K., Piliarik, M., Jinoch, P., Steinbachova, M., and Homola, J. (2007). Surface plasmon resonance biosensor for direct detection of antibody against Epstein-Barr virus. Biosens. Bioelectron. 22(6), 1020–1026. 65. Taylor, A. D., Ladd, J., Yu, Q., Chen, S., Homola, J., and Jiang, S. (2006). Quantitative and simultaneous detection of four foodborne bacterial pathogens with a multi-channel SPR sensor. Biosens. Bioelectron. 22(5), 752–758. 66. Homola, J. (2008). Surface plasmon resonance sensors for detection of chemical and biological species. Chem. Rev. 108(2), 462–493. 67. Hoa, X. D., Kirk, A. G., and Tabrizian, M. (2007). 
Towards integrated and sensitive surface plasmon resonance biosensors: a review of recent progress. Biosens. Bioelectron. 23, 151–160. 68. Koubova, V., Brynda, E., Karasova, L., Skvor, J., Homola, J., Dostalek, J., Tobiska, P., and Rosicky, J. (2001). Detection of foodborne pathogens using surface plasmon resonance biosensors. Sens. Actuators, B Chem. 74, 100–105. 69. Vaughan, R. D., Carter, R. M., O’Sullivan, C. K., and Guilbault, G. G. (2003). A quartz crystal microbalance (QCM) sensor for the detection of Bacillus cereus. Anal. Lett. 36, 731–747. 70. Kim, N., Park, I. S., and Kim, D. K. (2004). Characteristics of a label-free piezoelectric immunosensor detecting Pseudomonas aeruginosa. Sens. Actuators, B Chem. 100, 432–438. 71. Su, X. L., and Li, Y. (2005). Surface plasmon resonance and quartz crystal microbalance immunosensors for detection of Escherichia coli O157: H7. Trans. ASAE 48, 405–413. 72. Zhang, D., Carr, D. J., and Alocilja, E. C. (2009). Fluorescent bio-barcode DNA assay for the detection of Salmonella enterica serovar Enteritidis. Biosens. Bioelectron. 24(5), 1377–1381. 73. Taitt, C. R., Anderson, G. P., Lingerfelt, B. M., Feldstein, M. J., and Ligler, F. S. (2002). Nine-analyte detection using an array-based biosensor. Anal. Chem. 74(23), 6114–6120. 74. Li, Y. G., Cu, Y. T. H., and Luo, D. (2005). Multiplexed detection of pathogen DNA with DNA-based fluorescence nanobarcodes. Nat. Biotechnol. 23(7), 885–889. 75. Epstein, J. R., Biran, I., and Walt, D. R. (2002). Fluorescence-based nucleic acid detection and microarrays. Anal. Chim. Acta 469(1), 3–36.
MICROBIOLOGICAL DETECTORS FOR FOOD SAFETY APPLICATIONS
1765
76. Ko, S. H., and Grant, S. A. (2006). A novel FRET-based optical fiber biosensor for rapid detection of Salmonella Typhimurium. Biosens. Bioelectron. 21(7), 1283–1290. 77. Kim, H., Kane, M. D., Kim, S., Dominguez, W., Applegate, B. M., and Savikhin, S. (2007). A molecular beacon DNA microarray system for rapid detection of E-coli O157:H7 that eliminates the risk of a false negative signal. Biosens. Bioelectron. 22(6), 1041–1047. 78. Geng, T., Uknalis, J., Tu, S. I., and Bhunia, A. K. (2006). Fiber-optic biosensor employing Alexa-Fluor conjugated antibody for detection of Escherichia coli O157: H7 from ground beef in four hours. Sensors 6(8), 796–807. 79. Geng, T., Morgan, M. T., and Bhunia, A. K. (2004). Detection of low levels of Listeria monocytogenes cells by using a fiber-optic immunosensor. Appl. Environ. Microbiol. 70, 6138–6146. 80. Nanduri, V., Kim, G., Morgam, M. T., Ess, D., Hahm, B., Kothapalli, A., et al. (2006). Antibody immobilization on waveguides using a flow-through system shows improved Listeria monocytogenes detection in an automated fiber optic biosensor: RAPTOR™. Sensors 6, 808–822. 81. Ho, J.-A. A., Hsu, H.-W., and Huang, M.-R. (2004). Liposome-based microcapillary immunosensor for detection of Escherichia coli O157:H7. Anal. Biochem. 330, 342–349. 82. Abel, A. P., Weller, M. G., Duveneck, G. L., Ehrat, M., and Widmer, H. M. (1996). Fiber-optic evanescent wave biosensor for the detection of oligonucleotides. Anal. Chem. 68, 2905–2912. 83. Liu, X., and Tan, W. (1999). A fiber-optic evanescent wave DNA biosensor based on novel molecular beacons. Anal. Chem. 71, 5054–5059. 84. Liu, C. H., Liao, K. T., and Huang, H. J. (2000). Amperometric immunosensors based on protein A coupled polyaniline-perfluorosulfonated ionomer composite electrodes. Anal. Chem. 72, 2925–2929. 85. Baeumner, A. J., Cohen, R. N., Miksic, V., and Min, J. (2003). RNA biosensor for the rapid detection of viable Escherichia coli in drinking water. Biosens. Bioelectron. 
18, 405–413. 86. Esch, M. B., Locascio, L. E., Tarlov, M. J., and Durst, R. A. (2001). Detection of viable Cryptosporidium parvum using DNA-modified liposomes in a microfluidic chip. Anal. Chem. 73, 2952–2958. 87. Hartley, H. A., and Baeumner, A. J. (2003). Biosensor for the specific detection of a single viable B. anthracis spore. Anal. Bioanal. Chem. 376, 319–327. 88. Theegala, C. S., Small, D. D., and Monroe, W. T. (2008). Oxygen electrode-based single antibody amperometric biosensor for qualitative detection of E-coli and bacteria in water. J. Environ. Sci. Health A Tox. Hazard Subst. Environ. Eng. 43(5), 478–487. 89. Singh, C., Agarwal, G. S., Rai, G. P., Singh, L., and Rao, V. K. (2005). Specific detection of Salmonella typhi using renewable amperometric immunosensor. Electroanalysis 17(22), 2062–2067. 90. Aguilar, Z. P., and Sirisena, M. (2007). Development of automated amperometric detection of antibodies against Bacillus anthracis protective antigen. Anal. Bioanal. Chem. 389(2), 507–515. 91. Zhao, G., Xing, F., and Deng, S. (2007). A disposable amperometric enzyme immunosensor for rapid detection of Vibrio parahaemolyticus in food based on agarose/Nano-Au membrane and screen-printed electrode. Electrochem. Commun. 9(6), 1263–1268. 92. Lermo, A., Campoy, S., Barbe, J., Hernandez, S., Alegret, S., and Pividori, M. (2007). In situ DNA amplification with magnetic primers for the electrochemical detection of food pathogens. Biosens. Bioelectron. 22(9–10), 2010–2017. 93. Elsholz, B., Worl, R., Blohm, L., Albers, J., Feucht, H., Grunwald, T., et al. (2006). Automated detection and quantitation of bacterial RNA by using electrical microarrays. Anal. Chem. 78(14), 4794–4802.
1766
KEY APPLICATION AREAS
94. Farabullini, F., Lucarelli, F., Palchetti, I., Marrazza, G., and Mascini, M. (2007). Disposable electrochemical genosensor for the simultaneous analysis of different bacterial food contaminants. Biosens. Bioelectron. 22(7), 1544–1549. 95. Gau, J.-J., Lan, E. H., Dunn, B., Ho, C.-M., and Woo, J. C. S. (2001). A MEMS based amperometric detector for E. coli bacteria using self-assembled monolayers. Biosens. Bioelectron. 16, 745–755. 96. Nagai, H., Murakami, Y., Yokoyama, K., and Tamiya, E. (2001). High-throughput PCR in silicon based microchamber array. Biosens. Bioelectron. 16, 1015–1019. 97. Zhang, Z. X., and Li, M. Q. (2005). Electrostatic microcantilever array biosensor and its application in DNA detection. Prog. Biochem. Biophys. 32, 314–317. 98. Ramanaviciene, A., and Ramanavicius, A. (2004). Pulsed amperometric detection of DNA with an ssDNA/polypyrrole-modified electrode. Anal. Bioanal. Chem. 379, 287–293. 99. Berney, H., West, J., Haefele, E., Alderman, J., Lane, W., and Collins, J. K. (2000). A DNA diagnostic biosensor: development, characterisation and performance. Sens. Actuators, B Chem. 68, 100–108. 100. Lee, J. S., Choi, Y.-K., Pio, M., Seo, J., and Lee, L. P. (2002). Nanogap capacitors for label free DNA analysis. BioMEMS Bionanotechnol. 729, 185–190. 101. Diamond, D. (1998). Principles of Chemical and Biological Sensors. John Wiley & Sons, New York. 102. Eggins, B. R. (2002). Chemical Sensors and Biosensors. John Wiley & Sons, Chichester. 103. Palchetti, I., and Mascini, M. (2008). Electroanalytical biosensors and their potential for food pathogen and toxin detection. Anal. Bioanal. Chem. 391(2), 455–471. 104. Hafeman, D. G., Parce, J. W., and Mcconell, H. M. (1988). Light-addressable potentiometric sensor for biochemical systems. Science 240(4856), 1182–1185. 105. Ercole, C., Del Gallo, M., Mosiello, L., Baccella, S., and Lepidi, A. (2003). Escherichia coli detection in vegetable food by a potentiometric biosensor. Sens. Actuators, B Chem. 
91(1–3), 163–168. 106. Rahman, M. A., Kumar, P., Park, D. S., and Shim, Y. B. (2008). Electrochemical sensors based on organic conjugated polymers. Sensors 8(1), 118–141. 107. Muhammad-Tahir, Z., and Alocilja, E. C. (2003a). A conductometric biosensor for biosecurity. Biosens. Bioelectron. 18(5–6), 813–819. 108. Muhammad-Tahir, Z., and Alocilja, E. C. (2003b). Fabrication of a disposable biosensor for Escherichia coli O157:H7 detection. IEEE Sens. J. 3, 345–351. 109. Muhammad-Tahir, Z., Alocilja, E. C., and Grooms, D. L. (2005a). Polyaniline synthesis and its biosensor application. Biosens. Bioelectron. 20, 1690–1695. 110. Muhammad-Tahir, Z., Alocilja, E. C., and Grooms, D. L. (2005b). Rapid detection of Bovine viral diarrhea virus as surrogate of bioterrorism agents. IEEE Sens. J. 5(4), 757–762. 111. Hnaiein, M., Hassen, W. M., Abdelghani, A., Fournier-Wirth, C., Coste, J., Bessueille, F., et al. (2008). A conductometric immunosensor based on functionalized magnetite nanoparticles for E. coli detection. Electrochem. Commun. 10(8), 1152–1154. 112. Katz, E., and Willner, I. (2003). Probing biomolecular interactions at conductive and semiconductive surfaces by impedance spectroscopy: routes to impedimetric immunosensors, DNA-Sensors, and enzyme biosensors. Electroanalysis 15(11), 913–947. 113. Radke, S. M., and Alocilja, E. C. (2005). A high density microelectrode array biosensor for detection of E. coli O157:H7. Biosens. Bioelectron. 20(8), 1662–1667.
MICROBIOLOGICAL DETECTORS FOR FOOD SAFETY APPLICATIONS
1767
114. Nandakumar, V., La Belle, J. T., Reed, J., Shah, M., Cochran, D., Joshi, L., and Alford, T. L. (2008). A methodology for rapid detection of Salmonella Typhimurium using label-free electrochemical impedance spectroscopy. Biosens. Bioelectron. 24(4), 1039–1042. 115. Varshney, M., and Li, Y. (2007). Interdigitated array microelectrode based impedance biosensor coupled with magnetic nanoparticle-antibody conjugates for detection of Escherichia coli O157:H7 in food samples. Biosens. Bioelectron. 22(11), 2408–2414. 116. Ruan, C. M., Yang, L. J., and Li, Y. B. (2002). Immunobiosensor chips for detection of Escherichia coli O157: H7 using electrochemical impedance spectroscopy. Anal. Chem. 74, 4814–4820. 117. Shah, J., Chemburu, S., Wilkins, E., and Abdel-Hamid, I. (2003). Rapid amperometric immunoassay for Escherichia coli based on graphite coated nylon membranes. Electroanalysis 15, 1809–1814. 118. Wang, S. X., and Li, G. (2008). Advances in giant magnetoresistance biosensors with magnetic nanoparticle tags: review and outlook. IEEE Trans. Magn. 44(7), 1687–1702. 119. Tamanaha, C. R., Mulvaney, S. P., Rife, J. C., and Whitman, L. J. (2008). Magnetic labeling, detection, and system integration. Biosens. Bioelectron. 24(1), 1–13. 120. Edelstein, R. L., Tamanaha, C. R., Sheehan, P. E., Miller, M. M., Baselt, D. R., Whitman, L. J., and Colton, R. J. (2000). The BARC biosensor applied to the detection of biological warfare agents. Biosens. Bioelectron. 14(10–11), 805–813. 121. Ruan, C. M., Zeng, K. F., Varghese, O. K., and Grimes, C. A. (2003). Magnetoelastic immunosensors: amplified mass immunosorbent assay for detection of Escherichia coli O157:H7. Anal. Chem. 75(23), 6494–6498. 122. Sandhu, A., Kumagai, Y., Lapicki, A., Sakamoto, S., Abe, M., and Handa, H. (2007). High efficiency Hall effect micro-biosensor platform for detection of magnetically labeled biomolecules. Biosens. Bioelectron. 22(9–10), 2115–2120. 123. Pal, S., and Alocilja, E. C. (2009). 
Electrically-active polyaniline coated magnetic (EAPM) nanoparticle as novel transducer in biosensor for detection of Bacillus anthracis spores in food samples. Biosens. Bioelectron. J. 24(5), 1437–1444. 124. Alam, J., Riaz, U., and Ahmad, S. (2007). Effect of ferrofluid concentration on electrical and magnetic properties of the Fe3 O4 /PANI nanocomposites. J. Magn. Magn. Mater. 314(2), 93–99. 125. Kryszewski, M., and Jeszka, J. K. (1998). Nanostructured conducting polymer composites superparamagnetic particles in conducting polymers. Synth. Met. 94(1), 99–104. 126. Kim, J. H., Cho, J. H., Cha, G. S., Lee, C. W., Kim, H. B., and Paek, S. H. (2000) Biosens. Bioelectron. 14(12), 907–915. 127. Pal, S., Alocilja, E. C., and Downes, F. P. (2007). Nanowire labeled direct-charge transfer biosensor for detecting Bacillus species. Biosens. Bioelectron. J. 22, 2329–2336. 128. Pal, S., Setterington, E., and Alocilja, E. C. (2008a). Electrically-active magnetic nanoparticles for concentrating and detecting Bacillus anthracis spores in a direct-charge transfer biosensor. IEEE Sens. J. 8(6), 647–654. 129. Pal, S., Ying, W., Alocilja, E. C., and Downes, F. P. (2008b). Sensitivity and specificity performance of a direct-charge transfer biosensor for detecting Bacillus cereus in selected food matrices. Biosyst. Eng. 99(4), 461–468. 130. Tims, T. B., and Lim, D. V. (2004) J. Microbiol. Methods 59(1), 127–130. 131. Cheun, H. I., Makino, S. I., Watarai, M., Shirahata, T., Uchida, I., Takeshi, K. (2001). J. Appl. Microbiol. 91(3), 421–426.
1768
KEY APPLICATION AREAS
GENERAL DETECTOR CAPABILITIES FOR FOOD SAFETY APPLICATIONS

S. Huang, R. S. Lakshmanan, S. Horikawa, and B. A. Chin
Materials Engineering, Auburn University, Auburn, Alabama

J. M. Barbaree
Department of Biological Sciences, Auburn University, Auburn, Alabama

1 INTRODUCTION

1.1 Threats to Food Safety

Every year, more than 76 million Americans suffer from foodborne illnesses that result in an estimated 325,000 hospitalizations and 5000 deaths [1]. Costs of these illnesses are between $9.3 and 12.9 billion in direct medical expenses [2]. Foodborne illnesses are primarily caused by four types of microorganisms (bacteria, fungi, eukaryotic parasites, and viruses) that are pathogenic, but commonly found in the natural environment. The US Food and Drug Administration (FDA) and Centers for Disease Control and Prevention (CDC) have concluded that foodborne illness is one of the most serious, yet unavoidable, health problems facing the nation.

The majority of foodborne illnesses can be attributed to changing human demographics, lifestyle choices, food consumption trends, mass transportation of food items, and microbial adaptation [3, 4]. In addition, the nation’s aging population contributes to a rise in such illnesses; as one grows older, his/her immune system weakens, and, consequently, a further increase in the number of foodborne illnesses is anticipated. Another factor stems from new interests in international cuisines that increase the importation of exotic foods from many countries. These foods are grown, harvested, and often processed in foreign countries. Therefore, they must be shipped longer distances to reach the final consumers. As the health standards of foreign countries are often significantly different from those in the United States, food importation becomes an additional source of possible contamination. The greater transportation distances and longer-term storage of food may allow small amounts of bacteria and other pathogens to multiply and potentially reach their infectious doses.

1.2 Outbreaks of Foodborne Illnesses

Bacteria are responsible for more than 90% of the confirmed foodborne illnesses and deaths in humans reported to the CDC. Of the foodborne bacterial pathogens, Salmonella causes most of the foodborne illnesses worldwide [5]. For the nation’s entire population, the CDC estimates that there are 173 cases of Salmonella illnesses per million people
each year [6]. In the United States, human gastrointestinal illnesses are most commonly due to Salmonella and Escherichia coli infections. Salmonella infection is usually caused by the S. typhimurium, S. enteritidis, or S. heidelberg serotypes [7]. In 1985, a large US outbreak of salmonellosis that occurred in Chicago was attributed to S. typhimurium in pasteurized milk from a single dairy plant [8]. In September 2006, an outbreak due to E. coli O157:H7-contaminated fresh spinach resulted in 187 reported cases of illness in 27 states, including 97 hospitalizations, at least 29 cases of kidney failure, and 1 death. In December of the same year, another outbreak linked to Taco Bell restaurants in the northeastern United States was also caused by E. coli O157:H7. There were 71 people with illness reported from five states: New Jersey (33), New York (22), Pennsylvania (13), Delaware (2), and South Carolina (1) [9].

In 2008, several Salmonella outbreaks occurred in the United States. The most serious of these occurred in mid-April, when the Salmonella St. Paul outbreak involving contaminated tomatoes became one of the largest Salmonella outbreaks in recent history, sickening at least 869 people and resulting in the hospitalization of 257 individuals. On the basis of the CDC’s estimated ratio of nonreported salmonellosis cases to reported cases (38.6:1), around 52,826 illnesses resulted from the Salmonella St. Paul outbreak.

Salmonella and other foodborne pathogens (e.g. E. coli O157:H7) can be spread easily throughout the food chain. Daily consumed food items, such as oat cereal [3, 10], tomatoes [11], eggs [12], milk [13], vegetables and fruits (e.g. raw tomatoes), water [12], green onions, jalapeño peppers, red plum, peanut butter [14], and cilantro [15], have recently been found to be contaminated with Salmonella. Although it appears that more outbreaks are being linked to vegetable and fruit products, this has not been proven, because of the difficulty that scientists and inspectors often experience in locating the source of the pathogen contamination. Foodborne contamination is difficult to monitor because products may be cleaned at the harvesting site, transported to a warehouse, and then repackaged several times before reaching retail outlets. This leaves a lengthy trail that covers many states and often more than one country.

In order to reduce the incidence of foodborne illnesses, there is an urgent need to develop a device capable of rapid, on-site detection of bacterial pathogens. The device needs to be inexpensive as well as easy to use so that it can readily be adopted by every link in the food chain, up to and including the final individual consumers.

1.3 Major Pathogenic Bacteria Studied for Food Safety

Pathogenic bacterial detection is of the utmost importance for the prevention and identification of problems related to health and safety [16]. Figure 1 summarizes the distribution of scientific literature covering bacterial detection, where Salmonella is ranked as the most commonly studied bacterium. Other than Salmonella, E. coli, Listeria, Campylobacter, and Legionella are also popularly studied.

1.4 Capability of Detectors for Foodborne Pathogen Detection

The prevention of foodborne illnesses depends on the availability of rapid, simple, and effective detection devices capable of identifying and distinguishing various pathogenic microorganisms in food, food production facilities, clinical medicine, and the natural environment. High sensitivity and selectivity are two important criteria for effective biological detection methods. Some pathogenic organisms, such as E. coli O157:H7, are
FIGURE 1 The distribution of scientific literature covering the detection of pathogenic bacteria [16].
able to infect people at doses as small as a few cells. Hence, extremely sensitive methods are required to detect them [17–19]. At the same time, microbiological detection methods should be cheap and robust from a commercial applications point of view. For a pathogen detection method to be industrially successful, the detection test equipment must be portable so that it can be taken outside of laboratory confines and used with a minimal need for skilled personnel [20, 21].

Today, intensive research is being conducted to develop new techniques for the early detection of the causes of foodborne illnesses. Traditional methods of identifying the pathogens responsible for foodborne illnesses are very time consuming (i.e. several days to yield results) and typically require highly trained personnel in laboratories with expensive equipment [22]. There is, therefore, a real need for the development of portable, rapid, specific, and sensitive biosensors to enable real-time, on-site detection of foodborne pathogens. To achieve this objective, various biosensing techniques have been developed and used in the food safety field. However, real-time biological monitoring remains a challenge. The ever-growing need for rapid detection of pathogenic microorganisms has resulted in an increased interest in the research and development of biosensor systems.

1.5 The Objective

In this review paper, we will provide an overview of general detectors that may be used to ensure food safety and their capabilities. First, various bacterial detection methods will be classified and described. Next, the capability of each of the methods will be summarized, covering the working principle, detection limit, advantages, and weaknesses. Finally, phage-based detectors, especially one type of potential biosensor, phage-based magnetoelastic (ME) biosensors, will be discussed in detail.
2 DETECTORS FOR FOOD SAFETY APPLICATIONS

Figure 2 compares the number of articles using different bacterial detection methods. To date, polymerase chain reaction (PCR) [23] and culture-based methods (colony counting)
FIGURE 2 Approximate number of articles using different techniques to detect and/or identify pathogenic bacteria [16].
[24] have been the most commonly used methods and are able to provide unambiguous results. Other than these methods, newly developed biosensor technologies and traditional enzyme-linked immunosorbent assay (ELISA)-based [25] methods are also promising and drawing a lot of attention.

2.1 Culture-Based Methods

Culture-based morphological evaluation has been one of the most commonly used bacterial identification methods for food safety. It relies on the use of microbiological media to selectively cultivate bacteria and count colonies, followed by biochemical characterization. Although culture-based methods can be used to identify a very small number of bacterial pathogens (down to single pathogens), there are two major drawbacks. The first is that they are time-consuming and labor-intensive processes, which makes them unsuitable for the rapid, on-site bacterial detection that ideal future instruments must be able to perform. In culture-based methods, cumbersome and lengthy experimental steps such as pre-enrichment, selective enrichment, biochemical screening, and sometimes serological confirmation are required [26]. This may take 14–16 days to complete [27], depending on the target organisms. The second drawback is that no single culture-based test leads to the universal identification of unknown bacterial pathogens [26]. Some examples of culture-based methods used for detection of pathogenic bacteria in food are shown in Table 1.

2.2 Surveillance System

The surveillance system traditionally used to collect foodborne disease outbreak data has been overwhelmed by the emergence of megafarms, distribution centers, and transporters. To address these issues, an automated bioterrorism surveillance system, Real-time Outbreak Disease Surveillance (RODS), was implemented by the University of Pittsburgh in 1999. RODS collects data from multiple sources (e.g. clinics, laboratories, and drug sales) and uses this data to identify a bioterrorism event. Within a year, this system had been modified by RODS lab member Michael Wagner and his coworkers to collect data
TABLE 1 Culture-Based Detectors
Columns: Year | Detection Method | Foodborne Pathogen | Source | Detection Limit | Reference
Year: 1998; 2001; 2006
Detection Method: FDA; Selective special media; EN ISO-11290-1; NGFIS
Foodborne Pathogen (Source): Legionella pneumophila (drinking water); Listeria monocytogenes (cheese, meat, eggs); Listeria monocytogenes (minced meat, fermented sausage, and others); Listeria monocytogenes (milk (goat))
10.0–100.0 mg/l, and acetone at >100 mg/l.
4 MONITORING FOR RADIATION TO DETECT RADIONUCLIDES

Radiation monitoring equipment is designed to measure either the total amount of radiation emitted from a source (gross radiation) or the specific types and energy levels of radiation emitted from a source. Responders trying to determine whether there is an elevated level of radiation in the water from accidental releases or intentional introductions do not necessarily require that the specific radionuclides causing the contamination be immediately identified. Rather, they would most likely be interested in utilizing some type of continuous, on-line screening equipment to measure gross radiation. The common types of gross radiation are α, β, and γ.

On-line instruments for monitoring α, β, and γ radiation in water have been developed. However, there are a limited number of models available, and they can be expensive. Technical Associates¹⁶ offers the SSS-33-5FT for approximately $58,000. This is a flow-through scintillation detection system for α-, β-, and γ-radiation monitoring. The detector can be preset to measure one type of radiation, or all three combined, and can be equipped with a system that sends an alert if unusual counts are detected. Canberra¹⁷ sells the OLM-100 on-line liquid monitoring system, which is attached to the exterior of a pipe and continuously measures the radiation in a liquid stream. The cost of this device is between $35,000 and $70,000 [4].

¹⁶ Technical Associates, Los Angeles, CA.
¹⁷ Canberra, Meriden, CT.

5 SCREENING FOR SPECIFIC CHEMICAL CONTAMINANTS

Unlike the general organic chemical load monitors (TOC and UV–vis spectrometry), gas chromatography (GC) and gas chromatography–mass spectrometry (GC–MS) can detect, identify, and measure the concentration of a wide variety of specific organic compounds. In fact, of all of the on-line physical/chemical monitors described above, GC and GC–MS are the only analytical techniques currently being deployed in a continuous on-line mode that can actually identify a specific chemical contaminant. Both these techniques can detect and identify a large number of volatile organic compounds in the low parts per billion (ppb) to parts per million (ppm) range, and can operate automatically and unattended.

In the case of GC, the components of a complex mixture are separated, their retention times are compared to known standards, and then the concentrations are quantified. In GC–MS, the organic components are separated by GC, and a more definitive identification of contaminants is provided by mass spectrometry, using the mass-to-charge ratio of chemical compound fragments and comparing the mass spectrum with internal libraries that contain thousands of chemical fingerprints of known organic compounds. Some of the on-line devices collect and concentrate volatile organic compounds (VOCs) from water using standard purge and trap technology. In the continuous on-line mode, sample collection is automated and analysis occurs at regular programmable intervals throughout a 24-h period. INFICON¹⁸ manufactures both GC and GC–MS instruments that utilize purge and trap, and can be operated as on-line monitors for either natural waters or finished drinking waters.

A highly specialized mass spectrometer is being utilized to screen water samples, in an on-line mode, at the Phoenix, Arizona, Water Services Department [5]. This photoionization and quadrupole ion trap, time-of-flight mass spectrometer provides high-speed screening and molecular identification for weaponized chemicals and other hazardous compounds. The commercially available mass spectrometer is used in an automated mode as an early warning system screening device. The advantage of this particular mass spectrometry approach is that it can be operated on-line and, unlike most mass spectrometers, can analyze mixtures of compounds without preliminary separation by GC. With its integrated autosampler, the instrument provides a high-throughput monitor capable of analyzing samples every 45 s.
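The GC and GC–MS identification steps described in Section 5, as an added example that is not part of the handbook: a retention-time window (the GC step) narrows the candidates, and a match of the measured mass spectrum against a library (the GC–MS step) decides between co-eluting compounds or reports no match. The compound names, retention times, spectra, tolerance, and threshold are constructed assumptions, and cosine similarity is used here as one common matching score, not as the algorithm of any instrument named above.

```python
"""GC versus GC-MS identification of one chromatographic peak.

Every library entry below (names, retention times, spectra) is constructed
for illustration; none of it is reference data.
"""
from math import sqrt

# Constructed library: name -> (retention time in minutes, {m/z: relative intensity})
LIBRARY = {
    "VOC-A": (6.42, {51: 18, 77: 25, 78: 100}),
    "VOC-B": (6.47, {65: 12, 91: 100, 92: 60}),
    "VOC-C": (9.10, {91: 100, 105: 30, 106: 55}),
}

RT_TOLERANCE_MIN = 0.10  # assumed retention-time window, in minutes
MIN_MATCH_SCORE = 0.80   # assumed minimum spectral score to report a name


def cosine_similarity(spec_a, spec_b):
    """Cosine of the angle between two spectra treated as m/z-indexed vectors."""
    dot = sum(inten * spec_b.get(mz, 0) for mz, inten in spec_a.items())
    norm_a = sqrt(sum(i * i for i in spec_a.values()))
    norm_b = sqrt(sum(i * i for i in spec_b.values()))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return dot / (norm_a * norm_b)


def gc_candidates(retention_time):
    """GC step: all library compounds whose retention time falls in the window."""
    return sorted(
        name
        for name, (rt, _spectrum) in LIBRARY.items()
        if abs(rt - retention_time) <= RT_TOLERANCE_MIN
    )


def gcms_identify(retention_time, spectrum):
    """GC-MS step: score each GC candidate against the measured spectrum.

    Returns (name, score) for the best candidate at or above the threshold,
    otherwise (None, best_score) so that an unknown is never force-matched.
    """
    scored = [
        (cosine_similarity(spectrum, LIBRARY[name][1]), name)
        for name in gc_candidates(retention_time)
    ]
    if not scored:
        return None, 0.0
    score, name = max(scored)
    if score < MIN_MATCH_SCORE:
        return None, score
    return name, score


if __name__ == "__main__":
    # Constructed peaks: (retention time, measured spectrum)
    peaks = [
        (6.45, {39: 8, 65: 10, 91: 100, 92: 55}),  # co-elutes with VOC-A and VOC-B
        (6.45, {43: 100, 58: 40}),                 # same window, not in the library
    ]
    for rt, spectrum in peaks:
        print("GC candidates:", gc_candidates(rt))
        print("GC-MS result: ", gcms_identify(rt, spectrum))
```

The first peak shows why retention time alone is ambiguous when two compounds elute within the same window; the second shows the threshold keeping a compound that is absent from the library from being reported under a library name.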
6 SCREENING FOR SPECIFIC PATHOGENS While a number of devices are currently employed for real-time monitoring of the general chemical characteristics of water (e.g. chlorine concentration and TOC), and for screening for specific chemical contaminants (e.g. on-line GC–MS), the ability to continually screen drinking water for the presence of microorganisms is still quite limited. A microbial sensor must include a recognition device (bioreceptor), which can react with a target microbe. One approach is to utilize immunoassay-based sensors that recognize specific proteins on the surface of a microbe. Another approach is to employ a bioreceptor that recognizes nucleic acid, either DNA (deoxyribonucleic acid) or RNA (ribonucleic acid), uniquely characteristic of a specific microorganism. When the target protein or nucleic acid is present in the sample, a biological reaction takes place between it and the bioreceptor, creating a physical or chemical change that is converted into an electrical signal proportional to the target microorganism’s concentration in the solution. The signal is then amplified, processed, and displayed as a measurable piece of data [6]. In the case of immunoassay-based sensors, antibodies that have an affinity for specific antigens associated with a particular species are utilized. Antibody-based biosensors incorporate antibodies onto a sensor surface and utilize the hybridization between antigen and antibody as the recognition factor [7]. Nucleic acid-based bioreceptors contain on their surface an oligonucleotide that is complimentary to the nucleic acid sequence of the target organism. Recognition consists of hybridization between the bioreceptor’s complimentary oligonucleotide and the target microbe’s single stranded DNA or RNA. The hybridization reaction generates either an amperometric, optical, thermal, or mass differential signal that is amplified for quantification. 
18 INFICON Corp., East Syracuse, NY.
The major technical problem associated with nucleic acid biosensing, unlike immunoassay biosensing, is that the DNA or RNA must first be extracted from the target cell. The extraction process requires reagents and incubation steps. Furthermore, following extraction, the double stranded DNA must be denatured into single stranded
DNA through a heating process. The challenge lies in fully automating the pretreatment extraction and denaturation steps. An advantage of both immunoassay- and nucleic acid-based sensors is that they can be highly specific and, therefore, able to identify a specific target microbe with certainty. However, since there is such a variety of microbes that could accidentally or intentionally contaminate a water system, these approaches would require the deployment of a complicated array of bioreceptors to provide broad spectrum coverage. An additional disadvantage of both nucleic acid- and antibody-based biosensors is the lifespan and fragility of the recognition system. Nucleic acids and antibodies are biological macromolecules that can be damaged by conditions typical of water and wastewater systems.
Another biosensor approach for on-line biomonitoring of water systems utilizes amperometric detection of the β-galactosidase enzyme for detection of E. coli [8]. β-Galactosidase is an enzyme involved in lactose fermentation in E. coli. In this biosensor system, reagents are added to induce production of β-galactosidase in E. coli present in the sample, which, in turn, hydrolyzes the reagent phenyl β-d-galactopyranoside to produce phenol, which is detected by an amperometric sensor. Using this system, sensitivity of detection has been observed at a level of 10 CFU/ml of E. coli after a 5-h incubation period. Although the sensitivity of this system is generally greater than that of nucleic acid or immunoassay systems, the obvious disadvantages of its application as a real-time microbial sensor are the requirements for reagents, the 5-h incubation time, and the biosensor’s specificity for a single bacterial species.
Still another biosensor approach for continuous monitoring is based on optical recognition of microbes [9]. Multiangle light scattering (MALS) is a reagent-less optical approach.
MALS technology involves continual irradiation of a flowing column of water with a laser beam. Particles in the column of water scatter the laser beam producing a pattern that is detected by a number of detectors on the opposite side of the water column. Since a variety of angles are monitored simultaneously, a three-dimensional pattern is generated that represents the structure and size of the particle in the laser’s path. The goal of MALS is to differentiate between waterborne microorganisms and inorganic particles based on the pattern of scattered light. An additional objective is to identify microbes by comparing the pattern of scattered light with a library of unique “bio-optical signatures” that have been developed by analyzing known microorganisms. The light pattern resembles a fingerprint since it is unique to the internal and surface features of the particles, including size, shape, morphology, and material composition. The current limitations of MALS for on-line monitoring include interferences from organic and inorganic particulate matter in the water sample stream, and difficulty achieving low detection limits. However, developmental efforts are being taken to address these issues.
7 PATHOGEN DETECTION SYSTEMS CURRENTLY UNDER DEVELOPMENT
Several continuous monitoring systems for pathogens have been designed, based on the biosensor approaches described above, and are deployed in several drinking water utilities in the United States. Two of these are described below.
JMAR Technologies19 manufactures the Biosentry System which is a commercial application of the MALS technology optical approach [10]. This technique has been commercially applied in the beverage industry and is now being adapted for use in drinking water utilities [11]. Biosentry is a laser-based system that continuously monitors water for microbes of interest, including pathogens, and attempts to classify them. The system can be used simply as a monitoring device recording microbe counts against time. Alternatively, the system can provide a real-time warning when a predetermined threshold for a particular pathogenic microbe is reached. The device can operate remotely and transmit data into a SCADA network via an encrypted internet connection. The system can send an alert via a number of means, including e-mail and encrypted internet, or directly into a linked information system. Information is refreshed at 1-min intervals and microbial counts are displayed for the species being monitored as well as for unclassified microorganisms. The system typically monitors a water stream of about 35 ml/min. Sensitivity, and the ability to discriminate between various particles and microbes, is optimal with water containing fewer background particles (i.e. 256
[Figure residue; surviving labels: Mexico: 30/1513; USA: 142/1658; LPG, 600 fat.; Russia: 32/1286; (Russia, 1989); China: 1098/19141.]
18,017 fatalities occurred in 1044 accidents attributable to the coal chain, but only nine of these resulted in 100 or more fatalities (Table 2). In contrast, the cumulated fatalities of the Philippines, Afghanistan, Nigeria, India, Mexico, Russia, South Korea, and Egypt were strongly influenced by a few very large accidents that contributed a substantial share of the total [36, 37]. The United States exhibited a distinctly different pattern compared to the other countries, with no extremely large accidents (only 3 out of 142 with more than 50 fatalities), and over 70% of accidents and associated fatalities taking place in the oil and gas chains.
4 COMPARATIVE ANALYSIS OF ENERGY CHAINS
The majority of accidents in fossil energy chains do not occur in power plants, but rather in other stages in the energy chains (Table 3). Over 95% of the victims in the coal chain lose their lives in mines, primarily due to gas explosions. With oil, the transportation to the refinery and regional distribution is the most accident-prone stage; most frequent are tanker accidents at sea and road accidents involving tank trucks. Transportation is also a weak stage in the natural gas chain, which is dominated by pipeline accidents in transmission (long distance) and distribution (regional/local) networks. In the LPG chain, transportation accidents are most prominent too, particularly in regional and local distribution. In contrast, hydropower and nuclear power accidents occur only near the area of the storage dam or reservoir and the plant site, respectively. While coal chain victims are almost exclusively work related, gas and oil accidents involve a significant number of innocent bystanders as victims. If a storage dam breaks, then the general populace is almost exclusively affected, with the exception of the dam operators. Nuclear plant accidents may also lead to immediate fatalities, but here the deaths are dominated by latent fatalities (compare Sections 3.1 and 3.2) due to eventual cases of cancer.
TABLE 3 Relative Share of Accidental Fatalities in the Stages of Different Energy Chains
[Table layout not recoverable from the extraction. Columns (energy chains): Coal, Oil, Natural Gas, LPG, Hydro, Nuclear. Rows (stages): Exploration/Extraction; Long Distance Transport; Processing/Storage; Regional/Local Distribution; Power/Heat Generation; Waste Treatment/Disposal. Cell shading gave the share of fatalities in five classes: 0–5%, 6–15%, 16–30%, 31–60%, 61–100%. Accident types named in the cells: explosions and fires in mines; well blowouts, accidents on drilling platforms at sea; tanker accidents at sea; pipeline accidents; pipeline accidents, LPG tankers at sea; process accidents in refineries and tank farms; accidents at refinery / natural gas processing plants; overturning and collisions of tank trucks; process accidents; overflow or failure of storage dam; core meltdown with large release of radioactivity.]
4.1 Aggregated Indicators
Aggregated fatality rates of severe (≥5 fatalities) accidents are reported only for immediate fatalities, whereas the significance of latent fatalities in the case of the nuclear chain is discussed in Section 3.2. Damage rates differed substantially among energy chains and country groups, with OECD countries generally showing significantly lower fatality rates than non-OECD countries (Table 4). Among the fossil chains, natural gas has the best performance, followed by oil and coal, whereas the value for LPG is one order of magnitude worse. The lowest fatality values occur for western style nuclear and hydropower plants, whereas dam failures in non-OECD countries may lead to thousands of victims in the downstream population. Additionally, Table 4 also displays a full allocation of damages for fossil energy chains on the basis of imports and exports (Section 1.4) because a large number of severe accidents in non-OECD countries are related to energy exports to the OECD countries.
Severe fatality rates for the oil and LPG chains exhibited the most distinct increase for OECD countries and decrease for non-OECD countries compared to the rates without allocation, whereas differences for coal and natural gas chains were distinctly less. Within the framework of sustainable development, it could be argued that the highly industrialized OECD countries should assume a certain share of these damages.
TABLE 4 Aggregated Fatality Rates for Full Energy Chains Based on Historical Experience of Severe Accidents (≥5 immediate fatalities) in OECD and Non-OECD Countries for the Period 1969–2000, Except for China 1994–1999 (compare text). Allocated Values Incorporate Imports and Exports between OECD and Non-OECD

No Allocation/With Allocation [fatalities/GWe yr]
Chain          OECD           Non-OECD
Coal           0.157/0.163    0.597/0.589
                              6.169 (a)
Oil            0.132/0.390    0.897/0.502
Natural gas    0.085/0.097    0.111/0.096
LPG            1.957/3.317    14.896/5.112
Hydro          0.003          10.285
                              1.349 (b)
Nuclear        —              0.048 (c)

(a) First line: OECD without China; second line: China for the period 1994–1999.
(b) Chinese dam failures of Banqiao/Shimantan with a total of 26,000 fatalities are excluded.
(c) Only immediate fatalities of Chernobyl accident; see text for latent fatalities.

4.2 Frequency–Consequence Curves
Figure 5 provides F–N curves for severe (≥5 fatalities) accidents in OECD and non-OECD countries, including allocated curves. For fossil chains in OECD countries, natural gas has the lowest frequency, coal and oil are intermediate, and LPG has the highest frequency, whereas hydro and nuclear chains perform significantly better. Maximum consequences are negligible for hydro, followed distantly by natural gas (109 fatalities), and the other fossil chains have maxima between 2.5 and 4.5 times greater than natural gas. Concerning allocated F–N curves, those for natural gas are practically identical (not shown in figure), the allocated curve for LPG exhibits higher frequencies at corresponding numbers of fatalities, whereas for the oil chain maximum consequences increase by a factor of about 3.8. This is fully attributable to the extremely deadly accident in the Philippines with 4386 fatalities already discussed before.
Non-OECD countries showed a comparable ranking as for OECD countries, except for the Chinese coal chain that performed significantly worse. However, the frequencies at corresponding numbers of fatalities were generally higher for non-OECD countries compared to OECD countries. Additionally, values for maximum consequences were one order of magnitude higher for the oil chain (4386 fatalities) compared to OECD countries, and the Chinese dam failure of Banqiao/Shimantan with 26,000 fatalities is by far the most deadly accident in terms of immediate fatalities. Concerning allocated F–N curves, the oil and LPG chains have clearly lower maxima, whereas curves for natural gas are again almost identical. For nuclear energy, immediate fatalities play a minor role, whereas latent fatalities clearly dominate.
Therefore, total fatalities are split into the following categories: early (immediate) fatalities that occur shortly after exposure and latent fatalities that include all potential deaths occurring within 70 years from the radioactive release. For details see Burgherr et al. [5] and Hirschberg et al. [17]. Accident frequencies causing actual damage external to the plant associated with the nuclear chain (Chernobyl) are relatively low, but the maximum credible consequences may be very large due to the dominance of latent fatalities. According to Hirschberg et al. [17], estimated latent fatalities due to delayed cancers range from about 9000 (based on dose cutoff) to 33,000 (entire northern hemisphere with no dose cutoff) over the next 70 years. In 2005, a study by the “Chernobyl Forum”—a consortium of several United Nations organizations, the World Bank and the Russian, Belarus and Ukrainian governments—estimated that in the areas with high contamination, up to 4000 people could eventually die due to radiation doses from the Chernobyl accident, most of them among the so called liquidators [38]. Because of the more limited area considered, this value is substantially lower than the PSI values previously mentioned. The upper range in PSI’s estimate is conservative (as intended) because it was not limited to the most contaminated areas. Finally, one should be aware that no dependable statistics can be determined from this single, severe accident. The Chernobyl accident data also cannot be transferred to Western plants, because they use a very different technology. For realistic calculations, it is necessary to use PSA (Figure 5).
[Figure 5 plots not reproduced. Both panels plot "Frequency of events causing X or more fatalities per GWeyr" (vertical axis, 1.E−7 to 1.E+0) against "Fatalities, X" (horizontal axis, 1 to 100,000). Curves labelled in panel (a): LPG; Coal; Hydro; Natural gas; Oil; Nuclear (PSA-based, latent fatalities). Curves labelled in panel (b): Coal China; Coal w/o China; LPG; Hydro; Oil; Natural gas; Nuclear, Chernobyl (immediate fatalities); Nuclear, Chernobyl (latent fatalities).]
FIGURE 5 Comparison of frequency–consequence curves for full energy chains based on historical experience of severe accidents in (a) OECD and (b) non-OECD countries for the period 1969–2000, except for China 1994–1999 (compare text). Dashed lines denote F–N curves based on allocated values, that is, taking into account imports and exports between OECD and non-OECD countries. For natural gas, allocated curves are not shown as they are almost identical to nonallocated ones.
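The two indicators used in Sections 4.1 and 4.2, the aggregated fatality rate (fatalities/GWe yr) and the F–N curve (frequency of events causing X or more fatalities per GWe yr), can be computed from accident records as in the following added example, which is not code from the handbook or from the ENSAD database. The accident records, the chain names `chain_a` and `chain_b`, and the production figures are constructed for illustration.

```python
"""F-N curve and aggregated fatality rate from accident records.

Added illustration: the records and production figures are constructed,
not taken from ENSAD or from the handbook's tables.
"""
from dataclasses import dataclass

SEVERE_THRESHOLD = 5  # the text's severity criterion: >= 5 fatalities


@dataclass(frozen=True)
class Accident:
    chain: str       # energy chain label (hypothetical names below)
    fatalities: int  # immediate fatalities


def severe_sizes(accidents, chain):
    """Sorted fatality counts of the chain's severe accidents."""
    return sorted(a.fatalities for a in accidents
                  if a.chain == chain and a.fatalities >= SEVERE_THRESHOLD)


def aggregated_fatality_rate(accidents, chain, gwe_yr):
    """Fatalities in severe accidents per GWe yr produced by the chain."""
    if gwe_yr <= 0:
        raise ValueError("production must be positive")
    return sum(severe_sizes(accidents, chain)) / gwe_yr


def fn_curve(accidents, chain, gwe_yr):
    """Points (X, F): F = severe accidents with >= X fatalities per GWe yr."""
    if gwe_yr <= 0:
        raise ValueError("production must be positive")
    sizes = severe_sizes(accidents, chain)
    points = []
    for i, x in enumerate(sizes):
        if i and sizes[i - 1] == x:
            continue  # accidents of equal size share one point on the curve
        # sizes is ascending, so len(sizes) - i accidents have >= x fatalities
        points.append((x, (len(sizes) - i) / gwe_yr))
    return points


def frequency_at(curve, x):
    """Read the step curve: frequency of severe accidents with >= x fatalities."""
    for size, freq in curve:
        if size >= x:
            return freq
    return 0.0  # x lies beyond the largest recorded accident


def max_consequence(curve):
    """Largest fatality count on the curve (0 if no severe accident)."""
    return curve[-1][0] if curve else 0


# Constructed records for two hypothetical chains. The accidents with 3 and 4
# fatalities fall below the severity threshold and are ignored.
RECORDS = (
    [Accident("chain_a", n) for n in (3, 5, 8, 8, 12, 40)]
    + [Accident("chain_b", n) for n in (4, 6, 300)]
)
PRODUCTION_GWE_YR = {"chain_a": 100.0, "chain_b": 1000.0}  # constructed


def summarize(chain):
    """Both indicators plus the maximum consequence for one chain."""
    gwe_yr = PRODUCTION_GWE_YR[chain]
    curve = fn_curve(RECORDS, chain, gwe_yr)
    return {
        "rate": aggregated_fatality_rate(RECORDS, chain, gwe_yr),
        "curve": curve,
        "max": max_consequence(curve),
    }


if __name__ == "__main__":
    for chain in PRODUCTION_GWE_YR:
        s = summarize(chain)
        print(chain, f"rate={s['rate']:.3f} fatalities/GWe yr", f"max={s['max']}")
        for x, f in s["curve"]:
            print(f"  X>={x:<4d} F={f:.4f} per GWe yr")
```

In the constructed data, `chain_b` has the lower aggregated rate and the lower frequencies but the larger maximum consequence, so the two indicators rank the chains differently.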
5 CONCLUSIONS AND RECOMMENDATIONS
5.1 Comparative Aspects
– The ENSAD database provides comprehensive accident data for the objective and quantitative analysis of specific technical aspects and the comparative assessment of severe accident risks in the energy sector. However, it is in the nature of the topic that new accidents continuously occur; therefore, the ENSAD database needs to be maintained, updated, and extended to keep up with the growing historical experience and to provide state-of-the-art estimates of risk indicators.
– Energy-related accident risks in non-OECD countries are distinctly higher than in OECD countries; reflected by aggregated indicators as well as F–N curves.
– The most accident-prone energy chain stages are upstream stages (i.e. extraction, refining, and transportation) in fossil energy chains, and hydropower in the less developed (non-OECD) countries.
– Expected fatality rates are lowest for Western hydropower and nuclear power plants. However, the maximum consequences can be very high. The associated risk valuation is subject to stakeholder value judgments and can be pursued in multicriteria decision analysis [39, 40].
– PSA perspective on severe accident risks is particularly important for energy chains whose risks are dominated by power plants, the historical experience of accidents is scarce, or its applicability is highly restricted. These conditions are valid for most Western hydro- and nuclear power plants.
5.2 Selected Future Developments
– Estimation of risk indicators for future technologies based on extrapolations of currently operating systems. This type of analysis has been introduced in the NEEDS Project of the EU 6th Framework Programme, and is further developed, systematized, and extended in several upcoming projects.
– Further advancement of the simplified PSA approach to establish a broader reference database for site-specific risk indicators for advanced nuclear designs has been initiated.
– Broader and systematic evaluation of smaller accidents in the fossil chains, as it has already been undertaken for natural gas [24]. Such an effort, however, requires access to the relevant raw data that are often subject to proprietary use.
– Qualitative analysis of indirect impacts of accidents on the energy sector. Besides the purely physical effects of severe accidents, a variety of indirect effects can occur, including environmental concerns (e.g. oil spills), acceptance problems of specific technologies due to extremely large maximum credible consequences or high accident frequencies, potential social conflicts among stakeholders (e.g. oil companies and local tribe communities in developing countries), and so on.
– Enhanced coupling of the ENSAD database with Geographic Information System (ArcGIS) together with multivariate statistical analyses to analyze spatial patterns across hierarchical scales.
REFERENCES
1. Dao, H., and Peduzzi, P. (2004). Global evaluation of human risk and vulnerability to natural hazards. In Proceedings from: EnviroInfo 2004 Conference, Editions du Tricorne, Geneva, Vol. 1.
2. Dilley, M. (2006). Setting priorities: global patterns of disaster risk. Philos. Trans. R. Soc. A 364, 2217–2229.
3. Lerner-Lam, A. (2007). Assessing global exposure to natural hazards: progress and future trends. Environ. Hazards 7, 10–19.
4. UNDP (2004). Reducing Disaster Risk: A Challenge for Development, UNDP Bureau for Crisis Prevention and Recovery, New York.
5. Burgherr, P., Hirschberg, S., Hunt, A., and Ortiz, R. A. (2004). Severe accidents in the energy sector. Final Report to the European Commission of the EU 5th Framework Programme “New Elements for the Assessment of External Costs from Energy Technologies” (NewExt), DG Research, Technological Development and Demonstration (RTD), Brussels, Online-Version under: http://www.ier.uni-stuttgart.de/public/de/organisation/abt/tfu/projekte/newext/newext final.pdf.
6. Munich, R. (2007). Topics Geo: Natural Catastrophes 2006—Analyses, Assessments, Positions, Munich Re Group, Munich.
7. Swiss, R. (2008). Natural Catastrophes and Man-made Disasters in 2007: High Losses in Europe. Sigma No. 1/2008, Swiss Reinsurance Company, Zurich.
8. Barnett, J. (2003). Security and climate change. Glob. Environ. Change 13, 7–17.
9. Beniston, M. (2007). Linking extreme climate events and economic impacts: examples from the Swiss Alps. Energy Policy 35, 5384–5392.
10. Dilley, M., Chen, R. S., Deichmann, U., Lerner-Lam, A. L., Arnold, M., Agwe, J., Buys, P., Kjekstad, O., Lyon, B., and Yetman, G. (2005). Natural Disaster Hotspots. A Global Risk Analysis, Disaster Risk Management Series, No. 5. The World Bank, Hazard Management Unit, Washington, DC.
11. Rinaldi, S. M., Peerenboom, J. P., and Kelly, T. K. (2001). Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Syst. Mag. 21(6), 11–25.
12. WEF (2008). Global Risks 2008—A Global Risk Network Report, World Economic Forum, Cologny/Geneva.
13. EM-DAT (2008). The OFDA/CRED International Disaster Database, Retrieved from http://www.em-dat.net (January 2008).
14. Gregory, R., and Lichtenstein, S. (1994). A hint of risk: tradeoffs between quantitative and qualitative risk factors. Risk Anal. 14(2), 199–206.
15. Gheorghe, A. V., Masera, M., Weijnen, M., and De Vries, L. J. (2006). Critical infrastructures at risk. Securing the European Electric Power System, Series: Topics in Safety, Risk, Reliability and Quality, Springer, Dordrecht, Vol. 9.
16. Flyvbjerg, B. (2006). From Nobel Prize to project management: getting risks right. Proj. Manage. J. 37(3), 5–15.
17. Hirschberg, S., Spiekerman, G., and Dones, R. (1998). Severe Accidents in the Energy Sector, 1st ed., Paul Scherrer Institut, Villigen PSI, PSI Report No. 98-16.
18. Marshall, V. C. (1987). Major Chemical Hazards, Ellis Horwood Limited, Chichester.
19. van Beek, P. C. (1994). Presentation of FACTS, A Database for Industrial Safety, AC-Laboratorium, Spiez.
20. Hirschberg, S., Burgherr, P., Spiekerman, G., and Dones, R. (2004). Severe accidents in the energy sector: comparative perspective. J. Hazard. Mater. 111(1–3), 57–65.
21. Burgherr, P., and Hirschberg, S. (2007). Assessment of severe accident risks in the Chinese coal chain. Int. J. Risk Assess. Manage. 7(8), 1157–1175.
22. Hirschberg, S., Burgherr, P., Spiekerman, G., Cazzoli, E., Vitazek, J., and Cheng, L. (2003). Assessment of severe accident risks. In Integrated Assessment of Sustainable Energy Systems in China. The China Energy Technology Program—A Framework for Decision Support in the Electric Sector of Shandong Province, Alliance for Global Sustainability Series, B. Eliasson, and Y. Y. Lee, Eds. Kluwer Academic Publishers, Amsterdam, Vol. 4, pp. 587–660.
23. Hirschberg, S., Burgherr, P., Spiekerman, G., Cazzoli, E., Vitazek, J., and Cheng, L. (2003). Comparative Assessment of Severe Accidents in the Chinese Energy Sector, Paul Scherrer Institut, Villigen PSI, PSI Report No. 03-04.
24. Burgherr, P., and Hirschberg, S. (2005). Comparative Assessment of Natural Gas Accident Risks, Paul Scherrer Institut, Villigen PSI, PSI Report No. 05-01.
25. IRGC Policy Brief (2007). Managing and Reducing Social Vulnerabilities from Coupled Critical Infrastructures, International Risk Governance Council, Geneva.
26. Jones, A. (2007). Critical infrastructure protection. Comput. Fraud Secur. 2007(4), 11–15.
27. Bruneau, M., Chang, S. E., Eguchi, R. T., Lee, G. C., O’Rourke, T. D., Reinhorn, A. M., Shinozuka, M., Tierney, K., Wallace, W. A., and von Winterfeldt, D. (2003). A framework to quantitatively assess and enhance the seismic resilience of communities. Earthquake Spectra 19(4), 733–752.
28. Hollnagel, E. (2006). Resilience—the challenge of the unstable. In Resilience Engineering: Concepts and Precepts, E. Hollnagel, D. D. Woods, and N. Leveson, Eds. Ashgate, Aldershot.
29. Perrings, C. (2006). Resilience and sustainable development. Environ. Dev. Econ. 11, 417–427.
30. Moteff, J., and Parfomak, P. (2004). Critical Infrastructure and Key Assets: Definition and Identification, Congressional Research Service (CRS), The Library of Congress, Washington, DC.
31. The White House (2003). The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, The White House, Washington, DC.
32. The White House (2007). National Strategy for Homeland Security, Homeland Security Council, Washington, DC.
33. Willis, H. H., LaTourrette, T., Kelly, T. K., Hickey, S., and Neill, S. (2007). Terrorism Risk Modeling for Intelligence Analysis and Infrastructure Protection. RAND Center for Terrorism Risk Management Policy for the Department of Homeland Security, RAND Corporation, Santa Monica, CA.
34. DNV (1999). Worldwide Offshore Accident Databank (WOAD), WOAD statistical report 1998. Det Norske Veritas AS, Hovik.
35. Glickman, T., and Terry, K. (1994). Using the News to Develop a World-wide Database of Hazardous Events, Center for Risk Management, Resources for the Future, Washington, DC.
36. Burgherr, P., and Hirschberg, S. (2008). Severe accident risks in fossil energy chains: a comparative analysis. Energy 33(4), 538–553.
37. Burgherr, P., and Hirschberg, S. (in press) A comparative analysis of accident risks in fossil, hydro and nuclear energy chains. Hum. Ecol. Risk Assess. 14(5), 947–973.
38. Chernobyl Forum (IAEA, W, UNDP, FAO, UNEP, UN-OCHA, UNSCEAR, World Bank, Governments of Belarus, the Russian Federation and Ukraine) (2005). Chernobyl’s Legacy: Health, Environmental and Socio-economic Impacts and Recommendations to the Governments of Belarus, the Russian Federation and Ukraine. The Chernobyl Forum: 2003–2005, Second revised version, IAEA, Vienna.
39. Hirschberg, S., Dones, R., and Gantner, U. (2000). Use of external cost assessment and multi-criteria decision analysis for comparative evaluation of options for electricity supply. In Proceedings of the “5th International Conference on Probabilistic Safety Assessment and Management PSAM 5”, 27 Nov–1 Dec 2000, Osaka, Japan, Universal Academy Press, Tokyo.
40. Hirschberg, S., Dones, R., Heck, T., Burgherr, P., Schenler, W., and Bauer, C. (2004). Sustainability of Electricity Supply Technologies Under German Conditions: A Comparative Evaluation, Paul Scherrer Institut, Villigen PSI, PSI-Report No. 04-15.
FURTHER READING
Ale, B. J. M., and Uitdehaag, P. A. M. (1999). Guidelines for Quantitative Risk Analysis, (CPR18E) RIVM. SDU-Publishers, The Hague.
Bajpai, S., and Gupta, J. P. (2007). Securing oil and gas infrastructure. J. Petrol. Sci. Eng. 55, 174–186.
Duffey, R. B., and Saull, J. W. (2003). Know the Risk. Learning from Errors and Accidents: Safety and Risk in Today’s Technology, Butterworth-Heinemann, Burlington, MA.
Eliasson, B., and Lee, Y. Y. (eds.) (2003). Integrated assessment of sustainable energy systems in China. The China Energy Technology Program—A framework for decision support in the electric sector of Shandong province. In Alliance for Global Sustainability Bookseries Science and Technology: Tools for Sustainable Development, J. M. Kauffmann, Ed. Kluwer Academic Publishers, Dordrecht / Boston / London, Vol. 4.
Jonkman, S. N., van Gelder, P. H. A. J. M., and Vrijling, J. K. (2003). An overview of quantitative risk measures for loss of life and economic damage. J. Hazard. Mater. 99, 1–30.
Konstandinidou, M., Nivolianitou, Z., Markatos, N., and Kiranoudis, C. (2006). Statistical analysis of incidents reported in the Greek petrochemical industry for the period 1997–2003. J. Hazard. Mater., 135(1–3), 1–9.
Swiss, R. (2002). Terrorism—Dealing with the New Spectre (Focus Report), Swiss Reinsurance Company, Zurich.
Wilson, R., and Crouch, E. A. C. (2001). Risk-benefit Analysis, Harvard University Press, Cambridge, MA.
LESSONS LEARNED FOR REGIONAL AND GLOBAL ENERGY SECURITY
Yaroslav Minullin
IIASA-DYN, Laxenburg, Austria
Leo Schrattenholzer
Visiting Professor of the Royal Institute of Technology, Sweden, (deceased)
1 INTRODUCTION
One major thrust for the production of this volume on Science and Technology for Homeland Security was the “need for a coordinated scientific and technological response to terrorism” [1]. As a political response to terrorism, the Homeland Security Presidential Directive/HSPD-7 established a national policy for federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks [2]. Voeller [1], (op. cit.) argues that the Presidential Directive
does not emphasize the “need to mobilize the nation’s skills in science and technology” as strongly as the operational concerns. This apparent lack of emphasis was the stimulus for the study by the National Research Council (NRC) Making the Nation Safer: The Role of Science and Technology in Countering Terrorism [3]. In response to the research priorities identified by the NRC report, the present volume was proposed to create a major new reference resource. Picking up one of the aims proposed for this handbook, this overview article addresses “the international dimensions of homeland security.”
1.1 Background
The background of the authors of this article is in the field of systems analysis. Together, they gathered some 40 years of work experience at the International Institute for Applied Systems Analysis (IIASA), a nongovernmental global institute for scientific research [4]. Adhering to the scientific method requires working with terms and concepts that are rigorously defined. In this regard, it appears unfortunate that the term “terrorism” has not been unambiguously defined (that is, in absolute rather than relative terms) even politically, let alone scientifically. We therefore refrain from using this term in the description of our analysis following below. In our opinion, the term “deliberate attacks” is a more precise—and therefore better—descriptor of what is commonly referred to as “terrorist attacks.”
1.1.1 Systems analysis.
There appears to be no universally accepted single definition of systems analysis. One of the reasons is that the term has a specific meaning in some fields. Even IIASA itself does not promote a unique interpretation of its name on its website, but it is obvious that interdisciplinary research of interactions of systems is a key characteristic of systems analysis. A particularly important aspect of studying interaction is to avoid the pitfall of neglecting crucial interdependencies between systems.
For the general question of national security, any systems analytical approach must therefore consider relevant international aspects in the form of outside reactions to national policies. The second major pillar on which we want to base our concept is a general and fundamental tenet of systems analysis, according to which systems vulnerability is proportional to systems efficiency.1 To the extent that increasing efficiency of a system goes along with decreasing redundancy, the assertion appears immediately plausible because in a system with many redundancies, the possibilities for substitution (of a malfunctioning subsystem) are greater than in a system with fewer redundancies. Furthermore, if we understand resilience as the opposite of vulnerability, we see that an important systems analytical issue to study is the interplay (trade-off) between resilience and efficiency, that is, to find a joint optimum (maximum) of the conflicting objectives, resilience and efficiency.2 As to energy systems, vulnerability and resilience are related to security in an obvious way. Energy security can be enhanced by increasing the resilience of the energy (infrastructure) system. For the purpose of analysis, we believe that it is useful to also distinguish between resilience in the short term and resilience in the long term. While short-term resilience is related to natural disasters and deliberate attacks, long-term resilience is more a fundamental structural feature of any system. As a sequel, we cover two topics. The first section deals with basic design features of secure energy systems, and the next addresses the modeling of energy security and competition by presenting the design and some illustrative results of a model of gas-market competition. We also discuss policy implications of the analysis presented here.
1 This general insight has been formulated and substantiated in many specific cases. See, for instance, [14], who analyzed different efficiency, vulnerability and cost functions and found “that these magnitudes display strong correlations.”
2 Accordingly, one of the first major themes of research undertaken at IIASA was a collaborative effort on resilience by IIASA’s Ecology and Energy Projects [5, 6].
2 COOPERATIVE ENERGY SECURITY

2.1 Resilient Energy Systems

In systems analytical terms, one important manifestation of resilience is the stable equilibrium of a system [6]. To illustrate this mathematically for the case of a one-dimensional dynamic system, $Y = \dot{x}(t)$, a stationary state $x_0$ defined by

$$\dot{x}(t_0) = 0$$

is a stable equilibrium of the system if and only if

$$\ddot{x} < 0.$$

In an interval around $x_0$, the dynamics of the system move it toward the equilibrium point. Applying the concept to an energy system means that the system can be called resilient if it is designed in a way that the dynamic forces determining the evolvement of the system lead it back to the original equilibrium state after a minor (accidental) shock has displaced it away from the equilibrium point.³ An example of such a shock would be a deliberate hostile attack on a particular part of energy infrastructure. Addressing such a shock would be addressing the short-term resilience of an energy supply system.

³ Perhaps one of the most well-known applications of the equilibrium concept is the model of equilibrium price, which results from the intersection of the demand curve and the supply curve. According to this model, for instance, a downward movement (“shock”) of the demand curve is followed by an adjustment (reduction) of supply of the item in question. The shock and the adjustment together lead to a new price equilibrium. Alas, recent experiences (in particular in the years 2007 and 2008) have shown that in practice, and contrary to what the model suggests, prices can “run away” from levels that were considered stable.

Let us now turn to long-term energy system resilience and, consequently, to resilience as a fundamental structural feature of the energy system. Doing so requires looking at the long-term vulnerabilities of a national energy system. One important—maybe the most important—long-term security threat to any national energy system is the failure of international suppliers of energy to deliver according to signed agreements or established market principles. Looking at examples of the past, we find that supply disruptions often were justified with disagreements among the partners (consuming, producing, and transit countries) and were thus political rather than technical. From this we conclude that long-term resilience of energy supply requires energy importers, exporters, and transit countries to share a strong common interest, which stabilizes any equilibrium and which treats “shocks” as a stability problem that must be solved jointly. A prerequisite of such a system design is therefore symmetry, in the sense that the system must serve the interests of all parties involved. Thus if security of supply is the main criterion for the long-term resilience of an energy system from the importer’s perspective, security of demand must be seen as the symmetric criterion from the perspective of an exporter. Both criteria taken together give rise to cooperative energy security. We cover the two criteria, one by one, in the following two subsections.

Recent work in this area [7] generalizes the concept of resiliency in relation to critical infrastructures (e.g. energy infrastructures) by introducing cooperative systems models for quantitative vulnerability assessment for interdependent complex structures. They describe the resiliency of systems by highlighting the coexistence of two meta-indicator sets defined as tangibles (investments, available resources, and so on), and intangibles (geopolitics, cultural aspects, and so on).

2.2 Security of Supply

For a long time, energy security was more or less tacitly assumed to refer to the security of supply only. Accordingly, national energy security was defined as “adequate and reliable energy supply by reasonable prices to avoid damages of fundamental national goals and principles”. Even the World Energy Council had only supply in mind when it defined energy security as the “Security of citizens, economics, society and nations against damages and for sustainable fuels and energy supply”.
Similarly, the International Energy Agency (IEA) sees energy security as the “availability of energy, sufficient (by volume) and available (by price).” In the case of the IEA, the lack of consideration of energy demand security is of course understandable on the grounds that its mission is defined as “energy policy advisor to 27 member countries in their effort to ensure reliable, affordable and clean energy for their citizens” [9].

Recently, energy supply security was analyzed also from the perspective of strategic goals that enhance the long-term resilience of the global energy system in terms amenable to energy modeling. Schrattenholzer [10] identified two indicators that are argued to measure long-term energy security. These are the resource-to-production (R/P) ratio of mineral primary-energy resources and equity, which are defined as follows: The R/P ratio is defined, for any given year and any given resource, as the amount of the resource left for consumption (“in the ground”), divided by the annual consumption in that given year. Equity was defined as the ratio of average GDP per capita in today’s developing regions and today’s industrialized world regions.⁴ Most global long-term scenarios include the data that allow these indicators to be calculated. Important examples are the scenarios published by IPCC’s Special Report on Emission Scenarios [11].

⁴ In 1990, this ratio was approximately six per cent.

2.3 Security of Demand

As we have argued above, symmetry is a necessary requirement for stable equilibria. Since the notion of energy demand security is a comparatively recent concept, we begin this discussion by deriving specific aspects of demand security from their “mirror images” on the supply side.
Vulnerability of supply to natural disasters and deliberate attacks. Natural disasters and deliberate attacks on energy supply infrastructure are hazards to suppliers as well as to consumers and thus symmetric in principle. Recognizing this suggests that producers and consumers have a natural interest in jointly addressing the risks posed by these hazards.

Use of energy as a weapon by suppliers. This demand-side hazard figures strongly in the public coverage of the issue of energy security. Often the symmetric hazard of consumers using the same situation as a weapon against suppliers is not included in the discussion. Considering the fact, however, that energy deliveries, for instance, those of natural gas, require sizable up-front investments, the possibility that consumers use sunk cost as leverage is an obvious hazard for suppliers.

Energy prices. Energy prices so high as to be felt as threatening the security of energy supply have, for suppliers, the mirror hazard of energy prices so low as to fail to cover costs.

2.4 Conclusions

So far, we have mainly argued that a systems analytical approach suggests that the security of energy supply and the security of energy demand should be considered together. Now we turn to the question: To which degree are security of supply and security of demand different concepts? To the extent that security is the absence of risk and risk is “the probability of an unwanted event” (Oxford University), the concepts are the same—only the unwanted events are different! If consumers and producers follow identical concepts, it is easier for them to practice active energy security in an institutionalized dialogue. Moreover, as our analysis suggests, disruptions (of supply or demand) can be avoided by timely planning. This is another argument for embarking on a comprehensive dialogue, supported by analysis and research, between consumer, producer, and transit countries.

Following this argument, one would, for example, aim at minimizing the joint probabilities of all sides’ unwanted events. Also, the actors in such a global energy security management are likely to orient their assessment of the (subjective) probabilities involved in this exercise according to scenarios of future developments. Thus, energy projections have always played a major role in long-term national security considerations but also in short- and medium-term policy decisions of governments and international organizations such as the IEA and the European Union.
3 MODELING ENERGY SECURITY

3.1 An Illustrative Example: Natural Gas

In order to illustrate how the concept described above can be applied to the formal modeling of real-world issues, we turn to one of the most interesting examples in the wider area of energy security, the international natural gas markets. Before summarizing the model, we want to note that in our opinion, what is usually referred to as the natural-gas market lacks important features of more conventional markets. The main reason for this opinion is the lack of a global referencing point for the price formation (as in case of oil), and the undeveloped trade on well-established markets.

Due to its environmental friendliness—relative to the other fossil energy carriers, coal and oil—the share of natural gas in the primary-energy mix is on the increase, with some countries supplying 40 to 60% of their primary-energy needs with the “blue fuel.” Although this “success story” began as early as in the 1970s, not much has been done in terms of establishing an institutional framework for efficient and reliable gas trade. In pursuit of a suitable arrangement, in the beginning of the “gas era,” consumers and producers tried to hedge the risks of both parties by negotiating long-term contracts (LTCs) which—as a rule—serve to protect producers’ interests by introducing a minimum price and an indexing scheme (in some cases there is an additional condition called “take-or-pay,” which increases the security of demand, but compromises the flexibility of the consumer) and consumers’ interests by guaranteeing a certain delivery pattern throughout each year at predictable prices. The equivalent of market clearance occurs during re-negotiation phases, which can take years. These re-negotiations lead to contract amendments regulating the pricing mechanism. By adjusting the coefficients in the “formula,” round by round, each party approaches an equilibrium price.

Today global gas trade is still following the formula “if there are no good relations between supplier and consumer, there is no gas trade.” This condition immediately extends the matter from an economic layer to a political, if not—given the strategic interests of each party—geopolitical layer. The quoted formula wants to express that in most cases, physical gas deliveries under import-export deals require good bilateral relations between two or three countries. LNG (liquefied natural gas) imports into the USA⁵ are a minor counterexample at best as only some 50% of these imports were delivered under short-term LNG contracts.⁶ Likewise, regional and local distribution especially in Eurasia is also characterized by nonmarket price formation for end users.

⁵ The USA is often believed to be a pioneer in the liberalization of natural-gas trade, and LNG has been attributed the role of a “dissolver” of long-term trading agreements.
⁶ Moreover, the share of LNG imports in the US consumption is very small—only 3.7% in 2007.

These peculiarities of gas trade can be explained—among others—by the facts that (i) consumption and production centers are concentrated, (ii) the infrastructure for natural-gas production, transportation, and distribution is very inflexible (due to the long economic service life of the equipment involved) and cost-intensive, (iii) there are few alternative means of gas delivery, which are, again, inflexible, and, finally, (iv) there are few major gas producers, and these are geographically scattered. In any case, these types of international relations have an obvious bearing on national energy security.

Our formal analysis of these relations builds on the notion of equilibrium in the form of agreed-upon prices and volumes. In practice, such equilibrium suffers several drawbacks. First, the negotiation position of a consumer depends on a set of geopolitical factors and the state of bilateral relations. Second, there is very little or no competition between sellers at all (primarily due to inflexibility of the import infrastructure), which provides more leverage to the supplier. Thus, the equilibrium is defined on a very narrow optimization interval, which is sensitive to externalities and influenced by many intangible factors. On the other hand, such long-term arrangement provides two very important ingredients to cooperative energy security: it guarantees the long-term demand for the supplier, which is a key condition to invest into natural-gas production and transmission infrastructure; and it allows the consumer to do national energy planning at given volumes and prices.
In public discussions in (Western) consuming countries, this mutual dependence of a producer and a consumer is often mistakenly perceived as a burden of the consumer alone. It is obvious, however, that both parties should be interested to act and plan jointly, thus improving energy security of both.⁷ At the same time, we recognize that such long-term interdependence, which extends to the energy sectors of both parties, can also reduce the flexibility of each of them and can therefore be associated with the disadvantages of the long-term form of gas contracts.

⁷ The interests of transit countries will be discussed in the section on “Expanding the Scope: Geopolitics and the Inclusion of Transit Countries into the Analysis.”

Responding to the perceived shortcomings of long-term markets, the established up-to-date practice of short-term gas deals had the primary goal of reducing the burden of mutual dependence—the heritage of LTCs. Whereas past local gas markets were formed from scratch, new spot-markets were formed by analogy to oil markets. The main instruments in this spot-market trade are financial derivatives, covered by physical deliveries under long- or short-term contracts. Among the advantages of such a scheme one could highlight the room for competition, transparency (prices and quantities are reported publicly) and indifference with regard to suppliers. However, while resolving almost all the supply-related drawbacks of the LTCs, markets (in their pure form) bring one big disadvantage with respect to security of demand, which is near zero.

We can characterize such markets as delivering energy security to consumer and supplier at the cost of efficiency and mutual dependence, and we have encountered another manifestation of the tenet of systems analysis mentioned in the introduction, according to which efficiency (market efficiency from the perspective of suppliers) is proportional to vulnerability (of suppliers). Following the logic of cooperative energy security, it is thus natural to expect that the deterioration of suppliers’ security will eventually reflect on consumers.

The arguments for the latter consideration go back to the issue of high investment intensity of gas infrastructure. Payback times, usually equivalent to between 10 and 15 years of a pipeline operating at maximum capacity, pose rather strict necessary conditions even for consideration of an export project. We summarize the main characteristics of the two market types in Table 1. This comparison makes it obvious that both market models have advantages and disadvantages. Therefore a harmonious solution of cooperative energy security should include features of both of them.

3.2 Economic Aspects and Rationality

In previous sections, we identified that competition can help mitigate a number of unwanted features of gas trade; not to mention that fostering competitive energy markets is one of the key elements in modern energy policies of almost all countries. Competition and energy security are thus the key ingredients of the model that we shall summarize here. The model is named GASCOM (Gas Market Competition) and belongs to the family of gaming models. The key idea behind the model was to combine competition with existing methods of evaluating the economic efficiency of energy export projects. GASCOM covers gas trade from an evaluation of a transport corridor on a national level, to precise supply schedules and corresponding cash flows.
TABLE 1 Main Characteristics of International Gas Trade Models

Long-term, Bilateral
• Few producers, few consumers
• Price is indexed by alternative fuels
• “Shock-absorbing” price formation
• Two-way reliability (prices and quantities)
• Infrastructure development: small risk
• Foreseeable thus dependable for consumers, producers, investors
• Requires maintaining “good” long-term political relations; creates mutual dependence

Free-market
• More producers, more consumers
• Competitive short-term price formation (seasonality pattern)
• High price volatility
• Infrastructure development: mostly operational (storage), risky for transmission lines
• Less dependable because more erratic
• Indifferent with regard to suppliers or consumers
One of the key characteristics of the gaming approach is that it provides an insight to all admissible strategies (in this particular example: of supply volumes and the timing of market penetration) of all agents. The model thus conforms with our understanding of systems analysis as described in the introduction because it includes all relevant feedbacks and interactions. The result is, for all agents,⁸ an optimized supply schedule and an optimized time for entering the market. Here are two interpretations of this model solution:

– In the case of LTCs the model replicates rounds of negotiations between the agents⁹ who iteratively update their knowledge about their competitors and adjust their own strategy accordingly. Thus, having collected all information about responses of others to their strategy, agents are capable of defining an “optimal” time of entering the market, optimality being defined by the minimum time passed from the point of decision-making to payback (this option of optimality criterion is closer to maximization of internal rate of return, IRR, of the project rather than traditionally applied maximization of the net present value, NPV). Having determined the time of market entry, agents engage in the second, distinct phase of negotiations, because naturally, this represents another game, when agents control their supply to the market. Eventually (in most cases) all agents will reach a point (the Nash Equilibrium), where varying the timing or supply schedule will not improve their own benefit. Thus, in the LTC case, a gaming model such as GASCOM permits each agent to reveal the potential demand of the importer as well as the potential supply—a strategic advantage.

– In case of mid- and short-term contracts, the model imitates the market price formation (in our example, with regard to the future with the delivery in one year), where market fundamentals and the project’s economic characteristics identify its competitive advantage. Technically, the solution is similar to the case of LTCs, but the essence of results is different. First, the equilibrium solution involves much higher market risks due to additional impact on price caused by agents’ supply strategies. Second, the solution also presumes coordination between agents: no long-term plans will be valid in case there is some irrational behavior for one of the agents (i.e. deviation from equilibrium in pursuit of strategic interests).

⁸ This feature is in contrast to models in which the NPV of one (and only one) is maximized.
⁹ In the example discussed here, the agents are one importer and many exporters.

Before presenting illustrative results, we would like to mention that most arguments in this section apply to cases when there is a need for the construction of new upstream infrastructure. With growing world demand for natural gas and a trend for diversification of supply sources, this issue is most relevant. Another consideration is that once a gas transmission pipeline has paid back, the risk profile of this infrastructure changes. This, in fact, defines the turning point with regard to providing cooperative energy security: it is most crucial for the payback period; after return of investments, the supplier might gradually engage in free trade.

The three figures below illustrate the processes described above. They illustrate results from a recent case study in which GASCOM was used to analyze the perspectives and the potential of the emerging gas market in China as well as of a set of proposed export projects from Russia, Kazakhstan, Turkmenistan, and LNG in the Pacific Basin [12]. In Fig. 1 we present the discounted cash flows before optimization, that is, the cash flows as a consequence of realizing the projects as announced by the representative companies. Explanations inserted into the graphics and the shapes of the curves demonstrate that the model reflects all important peculiarities of a transmission project. Not only does one of the projects fail to pay off before 2050 without optimization; most of them also have a relatively low IRR. The underlying reason for this is that all agents endeavor to take a strategic position on a newly emerging market and therefore all of them enter it as quickly as they can. Since demand is limited, achievable prices are insufficient for the candidate projects to be economically attractive.

FIGURE 1 Discounted cash flow with timing as announced by the promoters. [Plot “Discounted Cash Flows: Market entry times as declared by proponents”; vertical axis: billion USD; horizontal axis: years 2005–2050; annual discount rate 10%; curves for Kovykta, Sakhalin, Sakha, Altai, Turkmenistan, and Kazakhstan; annotations: “Each competitor's entry results in the reduction of benefit rates,” “Reaching maximum throughput,” “Constructing additional compressor stations.”]

Figure 2 displays the cash flows for the same set of candidate projects after GASCOM optimization. Now all the projects pay off in a shorter time frame, and they have a higher IRR. To give a broader picture, Fig. 3 presents the supply schedule by the agents and how it compares to total demand in the market after optimization with the GASCOM model.

From the past studies with the GASCOM model we would like to highlight two—as we believe—important conclusions. In case of traditional gas trade, based on long-term contractual agreements, the suppliers have an incentive to cooperate with each other with the aim to mitigate market risks and to achieve the best financial results for all parties. In the case of market trade, we have observed that the suppliers acting in a market with limited representation (i.e. not so many suppliers and even fewer consumers, which is the case of today’s natural-gas markets) tend to keep it in deficit, thus increasing instantaneous profits which, given no possibility to build on long-term planning, is a more profitable strategy for them.
FIGURE 2 Discounted cash flow with timing optimized by GASCOM. [Plot “Discounted Cash Flows: Market entry times optimized by GASCOM”; vertical axis: billion USD; horizontal axis: years 2005–2050; annual discount rate 10%; curves for Kovykta, Sakhalin, Sakha, Altai, Turkmenistan, and Kazakhstan.]
FIGURE 3 Total supply in the market, timing and supply schedule optimized by GASCOM. [Plot “Total Supply, China Gas Market: Timing and supply optimized by GASCOM”; vertical axes: supply, bcm, and demand, bcm; horizontal axis: years 2005–2050; series for Kazakhstan, Sakhalin, Turkmenistan, Kovykta, Altai, Sakha, Domestic Production, and Demand; annotation: “Dynamic feedback: change in price creates incentives to enter the market; at the same time, price dynamics is defined by strategies of agents.”]
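The entry-timing effect described for Figs. 1 and 2 (everyone rushing into a demand-limited market versus entry times that agents revise in response to each other) can be reproduced with a small game. The following Python example is added here for illustration and is not GASCOM or code from the authors; the two projects, the demand path, the price rule and all numbers are constructed assumptions, and only the 10% discount rate and the payback-time criterion come from the text.

```python
import math

DISCOUNT = 0.10              # annual discount rate, as in the chapter's figures
PRICE_CAP = 4.0              # constructed: price per bcm when supply <= demand
HORIZON = 40                 # constructed: last simulated year
ENTRY_YEARS = range(0, 11)   # constructed: admissible market-entry years

# Constructed projects: name -> (capacity in bcm/year, capex paid in the entry year)
PROJECTS = {"A": (10.0, 100.0), "B": (10.0, 100.0)}


def demand(year):
    """Constructed demand path: the market doubles in year 6."""
    return 10.0 if year < 6 else 20.0


def price(year, entries):
    """Price falls in proportion to oversupply; deliveries start the year after entry."""
    supply = sum(PROJECTS[n][0] for n, e in entries.items() if year > e)
    return PRICE_CAP * min(1.0, demand(year) / supply) if supply else PRICE_CAP


def payback_years(name, entries):
    """Years from entry until the discounted cumulative cash flow is non-negative."""
    capacity, capex = PROJECTS[name]
    entry = entries[name]
    cumulative = -capex
    for year in range(entry + 1, HORIZON + 1):
        cash = price(year, entries) * capacity
        cumulative += cash / (1.0 + DISCOUNT) ** (year - entry)
        if cumulative >= 0.0:
            return year - entry
    return math.inf  # never pays back within the horizon


def best_response(name, entries):
    """Earliest entry year that minimises this agent's payback, others held fixed."""
    return min(
        ENTRY_YEARS,
        key=lambda e: (payback_years(name, {**entries, name: e}), e),
    )


def is_nash(entries):
    """True if no agent can shorten its payback by changing only its own entry year."""
    return all(
        payback_years(n, entries) <= payback_years(n, {**entries, n: e})
        for n in entries
        for e in ENTRY_YEARS
    )


def negotiate(entries, max_rounds=50):
    """Agents revise their entry year one after another until nobody moves."""
    entries = dict(entries)
    for _ in range(max_rounds):
        changed = False
        for name in entries:
            choice = best_response(name, entries)
            if choice != entries[name]:
                entries[name], changed = choice, True
        if not changed:
            return entries
    raise RuntimeError("no equilibrium reached within max_rounds")


RUSH = {"A": 0, "B": 0}          # every project enters as early as it can
EQUILIBRIUM = negotiate(RUSH)    # entry years after rounds of mutual adjustment

if __name__ == "__main__":
    for label, profile in (("rush", RUSH), ("equilibrium", EQUILIBRIUM)):
        paybacks = {n: payback_years(n, profile) for n in profile}
        print(label, profile, paybacks)
```

With both projects entering in year 0, each needs 7 years to pay back; after the agents revise their entry years in turn, one enters in year 0 and the other in year 4, and each pays back 4 years after its own entry.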
3.3 Expanding the Scope: Geopolitics and the Inclusion of Transit Countries into the Analysis

So far we based our discussion of energy security on price and volume factors. However, there are a number of concerns, which make it necessary to enhance the existing analysis tools so as to be closely related to the real world.

1. There has been a growing number of instances in which strategic aspects have dominated over traditionally considered technical and economical feasibility in the process of decision-making in the field of international energy deals.
2. Additional concerns are being raised by the growing complexity of the world energy infrastructure, which strongly exposes interdependability of its layers and sensitivity to short- and long-term threats.
3. The interruption of the export flows of Russian gas in January 2009 suggests that the role of transit regions in providing the security of supply had been underestimated by research. It is also important that bypassing traditional transit regions will have a significant socioeconomic impact on them, which, in turn, will affect cooperative energy security.

GASCOM is being enhanced to take these concerns into account. By monitoring the unwanted events (e.g. a supply disruption for a critical period of time) the new system will be capable of answering questions such as the following:

– Which setup and evolution of the import-export network guarantees the minimum vulnerability in case the given unwanted event occurs?
– How will alternative supply routes impact the cooperative security, that is, to which degree will it serve the suppliers’ demand security, the consumers’ supply security and the socioeconomic objectives of the transmitters?

In our opinion, these examples of modeling energy security are distinct from previous approaches to energy systems and capable of dealing with the nexus of energy system and its economic-environmental solutions in a dynamic geopolitical global perspective.
4 POLICY IMPLICATIONS

Viewing the resilience of a national energy system as a problem of homeland security can go a long way, but as we have argued in this article, going the whole way to international long-term energy security requires a systems analytical approach. One of the most important ingredients of such an approach is to include symmetry, most importantly the symmetry of demand security and supply security. We have illustrated this conviction with examples of popular arguments, which we analyzed from the perspective of symmetry. The resulting recommended strategy we call cooperative energy security.

The second major focus of this article was the presentation of GASCOM, a concrete model of gas trade, which is one of the most important issues in long-term international energy supply and demand. At the core of that model is the notion of Nash Equilibrium, which is completely symmetric by its very formulation. Applying the model we analyzed two trade modes, a long-term, bilateral mode and a free-market mode. From our analysis of the advantages and disadvantages of the two modes we conclude that the “optimal” mode of the model is fully consistent with the strategy of cooperative security: LTCs until the end of the payback period, free trade afterwards. In addition to its security aspect, we think that cooperation is needed in any gas trade model due to the limited nature of gas “markets.”

But how can we implement symmetry of global energy security in the real world? Generally speaking, consumer-producer dialogues that recognize this kind of symmetry and that enter the dialogue in a spirit of joint problem-solving would appear as a prerequisite. Modest steps in this direction were undertaken jointly by IIASA’s Dynamic Systems (DYN) and Environmentally Compatible Energy (ECS) Programs in 2004–2006. In the spirit of systems analysis, a forum was created, on which academia, industry, and policy-making from consumer and producer countries regularly exchanged their views about energy security—in this case of natural gas in particular—in a scientific and neutral environment. Activities of this forum were the basis of contributions, by the authors of this chapter and their colleagues, to the Energy Modeling Forum’s study on “Prices and Trade in a Globalizing Natural Gas Market” (EMF-23), to the Civil G-8 activities preparing for the St. Petersburg G8 Summit, and to industrial applications.

In order to better understand the phenomena illustrated in this chapter, IIASA’s DYN Program has embarked on the Fragility of Critical Infrastructures (FCI) initiative. The purpose of FCI is to view critical infrastructures in the context of systems analysis, that is, assessing not only physical properties but also operational, regulatory and behavioral aspects of network nodes and agents involved. In the meanwhile, the forum has been transformed into the so-called WIEN (World Independent Energy Network) Group, moderated by the Institute of Energy and Finance, Moscow [13]. WIEN is an informal network of independent experts and acts as an assembly of individuals with academic, governmental, and industrial backgrounds who are interested in specific issues which are being addressed by the Network. Also the thoughts presented in this article were inspired by the discussions on that forum and in the WIEN Group. Nonetheless, the authors are solely responsible for the contents presented here.
REFERENCES

1. Voeller, J. G. (2007). Handbook of Science and Technology for Homeland Security, A Guide for Authors. Wiley.
2. Bush, G. W. (2003). Homeland Security Presidential Directive/HSPD-7. The White House.
3. NRC, National Research Council Committee on Science and Technology for Countering Terrorism. (2002). Making the Nation Safer: The Role of Science and Technology in Countering Terrorism. National Academies Press, Washington, DC.
4. IIASA. (2008). http://www.iiasa.ac.at/.
5. Holling, C. S. (1973). Resilience and stability of ecological systems. Annu. Rev. Ecol. Syst. 4, 1–23, reprinted as Research Report 73-3, International Institute of Applied Systems Analysis, Laxenburg, Austria.
6. Häfele, W. (1976). Resilience of energy systems. In Second Status Report of the IIASA Project on Energy Systems, Research Report 76-1, W. Häfele, et al., Eds. International Institute of Applied Systems Analysis, Laxenburg.
7. Gheorghe, A., and Vamanu, D. (2009). Mining intelligence data in the benefit of critical infrastructures security: vulnerability modelling, simulation and assessment, system of systems engineering. Int. J. Syst. Syst. Eng. 1(1/2), 189–221.
8. Yergin, D. (1973). The energy crisis: time for action. Time Magazine.
9. IEA. (2008). http://www.iea.org/about/index.asp.
10. Schrattenholzer, L. (2008). Scenarios of energy demand and supply until 2100: implications for energy security. In Facing Global Environmental Change: Environmental, Human, Energy, Food, Health and Water Security Concepts, Hexagon Series on Human and Environmental Security and Peace, Vol. 4, H. G. Brauch, Ú. O. Spring, J. Grin, C. Mesjasz, P. Kameri-Mbote, N. C. Behera, B. Chourou, and H. Krummenacher, Eds. Springer-Verlag, Berlin, Heidelberg, New York, in print.
11. IPCC, Nakicenovic, N., Alcamo, J., Davis, G., de Vries, B., Fenhann, J., Gaffin, S., Gregory, K., Gruebler, A., Jung, T. Y., Kram, T., La Rovere, E. L., Michaelis, L., Mori, S., Morita, T., Pepper, W., Pitcher, H., Price, L., Riahi, K., Roehrl, R. A., Rogner, H.-H., Sankovski, A., Schlesinger, M., Shukla, P., Smith, S., Swart, R., van Rooijen, S., Victor, N., and Dadi, Z. (2000). Special Report on Emissions Scenarios (SRES). A Special Report of Working Group III of the Intergovernmental Panel on Climate Change. Cambridge University Press, Cambridge.
12. Minullin, Y. (2008). Queuing to China’s gas market. Oil Russ. J. 5, (in Russian).
13. Grigoriev, L., et al. (2008). World Independent Energy Network, Draft Mission Statement.
14. Criado, R., Hernández-Bermejo, B., Marco-Blanco, J., and Romance, M. (2007). Asymptotic estimates for efficiency, vulnerability and cost for random networks. J. Comput. Appl. Math. 204(1), 166–171.
FURTHER READING EIA DOE. (2009). U.S. Natural Gas Imports and Exports: 2007 , Special Report. Energy Charter Secretariat. (2007). Putting a Price on Energy: International Pricing Mechanisms for Oil and Gas. Energy Modeling Forum, EMF-23. (2007). Prices and Trade in a Globalizing Natural Gas Market, Stanford University. Available at http://www.stanford.edu/group/EMF/projects/ emf23/emf23.pdf. Klaassen, G., Kryazhimsky, A., Minullin, Y., and Nikonov, O. (2002). On a game of gas pipeline projects competition. International Congress Of Mathematicians, Game Theory and Applications Satellite Conference (ICM2002GTA), Proceedings Volume. Qingdao publishing house, China, pp. 327–334. Kryazhimsky, A., Minullin, Y., and Schrattenholzer, L. (2005). Global long-term energyeconomy-environment scenarios with an emphasis on Russia. Perspect. Energy J. 9, 119–137. Minullin, Y. (2008). Whose pipeline will go east? Oil Russ. J. 3, (in Russian). Victor, D. G., Jaffe, A. M., and Hayes, M. H. (2006). Natural Gas and Geopolitics: From 1970 to 2040 . Cambridge University Press.
LARGE-SCALE ELECTRICITY TRANSMISSION GRIDS: LESSONS LEARNED FROM THE EUROPEAN ELECTRICITY BLACKOUTS
Hans Glavitsch
Swiss Federal Institute of Technology, Zurich, Switzerland
1 INTRODUCTION
Electricity, the most versatile form of energy, is the commodity of civilization; modern life has become unthinkable without it. It is not a primary form of energy, but rather a secondary one, which has to be converted from various primary forms. The locations where these are available may be far from those where the electricity is consumed; for example, hydraulic sources or technical constraints may require distant placement of generating stations, although the primary sources would allow them to be sited anywhere. Further, electricity has to be transported by conductors, or better, by transmission lines. Thus, transmission is a basic means of providing electricity to consumers. Since the transportation loss is a function of the current, transport over long distances is done at high voltages, as high voltages allow low currents, which produce low losses.
Single transmission lines are not enough, as they do not guarantee enough reserves. Hence, practice has led to the formation of interconnected transmission networks, which provide reserves, contribute to the economy of operation, and equalize between deficiencies and surpluses. The interconnection, however, implies the propagation of disturbances over wide areas. Hence, deficiencies or surpluses of power are felt in the overall system. In extreme conditions, a disturbance, even with all possible internal corrections, may evolve into a blackout or near blackout, as experienced in recent years in the European interconnected system. Blackouts have various causes: technical, conceptual, due to misunderstanding of phenomena, or simply due to human error.
2 BASIC MECHANISM OF ELECTRIC POWER TRANSMISSION IN A LARGE GRID
Electric power transmission is predominantly realized by alternating current (AC) systems, in particular by three-phase systems. Alternating current allows voltages to be transformed by the relatively simple transformer. A single-phase system generates a stream of pulsating power. However, a three-phase system consists of three single-phase systems, and if these are combined in such a way that they are shifted by one third of a time period each, the shifted pulsating powers result in one constant power stream.
Alternating voltages and currents create synchronizing forces between generators such that all machines rotate at the same speed, yielding one unique frequency in the system. The sum of the input powers, that is, the generated output, is balanced by the total of the consumed load. The level is adjusted such that the speed, which is directly proportional to the frequency of the voltage, stays at the nominal level, in terms of frequency 60 or 50 Hz. Any disturbance in the power balance causes a change in frequency. Thus, a drop in frequency is a signal that there is not enough primary power or an excess of load.
The Union for the Co-ordination of Transmission of Electricity (UCTE) has established rules [1] for the contribution of generators in subsystems (areas) to the correction or maintenance of frequency. Should there be a major drop in frequency, each subsystem has to be adjusted such that it contributes, in terms of the so-called primary control, an amount of power proportional to its annual consumption. The amount is derived from an assumed maximum loss of generation of 3000 MW, which does not cause more than 180 mHz of frequency deviation.
Besides global changes in frequency, there are local changes on transmission circuits, which may cause overloads. Another important phenomenon is the change in system voltage. The transport of large amounts of power over long distances leads to a decrease in voltage, which may cause instabilities. Generally, the whole system is an oscillatory system that breaks up if the amplitudes of the swings exceed a limit, and then there is a loss of generation, which could cause a chain reaction, that is, further losses. In order to counteract undesired oscillations, damping measures are installed in generators, explicitly in voltage regulators. The magnetic field in the generators is mainly responsible for the voltage, and the excitation system controlled by the voltage regulator reacts to any change in the voltage.
3 POWER FLOWS IN INTERCONNECTED GRIDS
Power flows in the grid are determined by the injected nodal powers, that is, generation and consumption, and by the laws of the network acting on meshes and nodes: in each loop, the voltages generated by currents times impedances balance, and at each node the currents balance. Impedances are characteristics of transmission lines. Because of their mechanical properties, transmission lines can carry flows only up to a predetermined thermal limit (the conductor temperature determines the sag of the conductors). Since the flow from one location to a distant one is fixed by the injected powers, the loss of a transmission circuit causes a redistribution of local flows. In extreme conditions, the loss of one of several parallel circuits shifts the flow to the remaining ones, which can lead to overloads.
A numerical example of a flow situation is given in Figure 1. The total of the flows is given by the injections at nodes A and B, which equal the output at nodes C and D, that is, 490 MW. In normal operation, the flows in the circuits A–C, A–D, and B–D also total 490 MW. When the line A–C is lost, the loading on A–D reaches 279.4 MW and that on B–D 210.6 MW, without any change in the total of input/output at the nodes.
FIGURE 1 Effect of outage of one circuit (A–C): black figures show the flow in the nondisturbed network and grey figures the flow when circuit A–C is tripped (figures in MW).
4 THE EUROPEAN INTERCONNECTED SYSTEM—THE UCTE SYSTEM
The European interconnected system consists of three major parts that are connected by high voltage direct current (HVDC), namely, the central UCTE system, the Scandinavian network, and the network on the British Islands. Here, the interconnected synchronous AC system, the UCTE system, is of interest. It extends from Denmark to Spain and from France to Greece and the East European countries. It consists of 380- and 220-kV transmission lines operated to a maximum of 420 and 245 kV, respectively. The structure of the grid is characterized by substations where a large number of transmission lines terminate and a larger number of substations where just three or four lines are connected. Typical line lengths for 380 kV are in the range of 100–150 km, sometimes 200 km. For 220 kV, they are considerably shorter (50 km). In France, the line lengths are above 200 km for 380 kV. In Germany, Switzerland, and Northern Italy, the grid is highly interconnected. Tie-lines (circuits crossing borders) are not numerous, except in Germany and Switzerland. The number of tie-lines to East European countries is relatively small.
Originally, the UCTE system had the function of providing security of supply in continental Europe. For this purpose, the system has been developed over the last 50 years with a view to assuring mutual assistance between national subsystems. However, there has been a fundamental change of paradigms over the past one or two decades. The transmission infrastructure is no longer just a tool for mutual assistance, but has become a platform for shifting ever-growing power volumes all across the continent. On the other hand, the development of the system is more and more affected by stricter constraints and limitations in terms of licensing procedures and construction times.
In the UCTE system, the annual production in the year 2006 amounted to 2584.6 TWh, the maximum load was 390.6 GW (third Wednesday in December), and the annual load reached 2530.1 TWh. Electricity is produced in nuclear stations (37%), conventional thermal stations (47%), and hydro stations (16%, figures of 1999).
Within a country, there are one or more control areas operated by independent transmission system operators (TSOs) and a large number of market participants (traders). Today there are 29 TSOs in 24 countries. Energy is exchanged for various reasons: hydro to thermal, day to night and vice versa, as well as for economic benefits. The annual exchange among UCTE countries in 2006 reached 296,822 GWh, that is, 11.7% of the consumption. This is an increase over the time before the opening of the market, when the exchanged energy was typically in the order of 9–10%.
5 MANAGEMENT OF THE SYSTEM
5.1 Before Opening of the Market
The vertically organized utilities were focused on their own systems and consumers. Tariffs for the exchange between voltage levels were fixed and state controlled. On the transmission level, energy and power were exchanged for the benefit of reducing reserves, peaking power, system regulation, better control of frequency, area control, and coordinated scheduling. The TSOs were the traders and the actors. The operation was coordinated by the rules of UCTE, which comprised reserve management, primary, secondary, and tertiary frequency control, as well as security management.
5.2 In the Open Market
The Directives of the European Community introduced the liberalization of the electricity market [2], which was implemented step by step and is now nearly complete. The aim is a fully liberalized electricity market for all consumers whereby generation, transmission, and distribution are unbundled. The market participants are the traders, and the TSOs are responsible for the technical aspects of operation. Explicitly, traders are utilities, power producers, and consumers, whereas TSOs are organizations for system control.
In the open market, the exchange is governed by short-term economic objectives, and trading takes place bilaterally and on central exchanges. However, there are also long-term contracts between partners separated by short and long distances. Compared with the modes of operation before liberalization, flow patterns change markedly from hour to hour. There are countries that mainly export and countries that mainly import: France, Switzerland, and Germany export, and Italy and the Netherlands import. Some are net importers or exporters, others show changing patterns, and still other traders sell energy that does not originate in their own area.
As mentioned, TSOs are responsible for congestion management and system security; however, quite often they are not in a position to control the flows in their own area, since the cause and origin of the problem, that is, the corresponding generation and consumption, lie outside the area. The UCTE rules as laid down in the handbook [1], supplemented by the multilateral agreement (MLA [3]), are still in effect, the latter focused in particular on maintaining security. Congestion management is predominantly implemented in terms of auctions on cross-border transmission circuits. The methodology conforms to the market, but has limited effect, as the TSOs lack information from neighboring areas and congestion within the areas is not handled. This is not satisfactory, as the annual exchange is increasing, particularly in local zones such as in countries like Switzerland, France, Germany, the Netherlands, and Italy.
6 THE ITALIAN BLACKOUT 2003
6.1 Introduction
The Italian transmission system is in a particular situation, as its connection to the European network is geographically concentrated in the north only. The cross-border lines consist of relatively few 380 kV circuits concentrated toward France and Switzerland. There is a 380 kV connection to Slovenia, but the network behind it, that is, through Austria, consists of 220 kV lines only. The 380 kV loop through Hungary is not very effective because of high impedances, see Figure 2.
Because Italy does not generate nuclear energy and has high energy costs due to fossil-fired units, energy is imported from France, Germany, and Switzerland (for economic reasons) and is stored in pump storage units during nights and weekends. The power flows predominantly over the circuits from France and Switzerland. As the flows are substantial, and once it had been realized that the loadings of the tie-lines are critical, the countries involved established reference flows for the summer and the winter period, which were derived from power injections in the zone north of the Alps. According to these reference flows, the maximum import to Italy may reach 6500 MW in winter and 5500 MW in summer. These imports, when appropriately distributed over the cross-border zones and circuits, have been designed to guarantee an (n–1)-secure system. (The concept of (n–1)-security is discussed below.)
FIGURE 2 Italy—tie-lines to the north. (Map of Germany, Switzerland, Austria, Hungary, France, Slovenia, and Italy; legend: 380 kV line, 220 kV line, line tripped.)
6.2 Factual Sequence of Events—Blackout September 28, 2003
On September 28, 2003, a Sunday, at 03:00 a.m., a typical situation existed where 6651 MW was imported and apparently used for pumping (pump load 3638 MW). At this time, the total consumption in Italy was 27,702 MW. The tie-line flows and the scheduled flows are as follows [4, 5]:
Tie-line             Physical flows (MW)   Scheduled flows (MW)
Switzerland–Italy    3610                  3068
France–Italy         2212                  2650
Slovenia–Italy       638                   467
Austria–Italy        191                   223
The physical flows are those actually measured, and the scheduled flows are those set on the load–frequency controllers. The cross-border circuits between Switzerland and Italy consisted, at that time, of two 380 kV circuits (single lines) and several 220 kV circuits. The 380 kV circuits run from Mettlen to Lavorgo (Lukmanier line) and from Sils to Soazza (San Bernardino line); both cross the Alps. The latter substations are still in Switzerland, but are connected via 380 kV lines to stations in Italy. In the following paragraph, the exact sequence of events is discussed as reported in Refs. [4, 5].
At 03:01:42 a.m., the 380 kV circuit Mettlen–Lavorgo tripped due to a tree flashover. The automatic reclosure was unsuccessful because of a phase angle difference of 42° across the open breaker (the setting on the breaker was 30°). A subsequent manual trial was just as unsuccessful. As a consequence, the 380 kV circuit Sils–Soazza overloaded and reached 110% of its thermal rating. At this point, the state of (n–1)-security was lost. The operator at the control center in Laufenburg (at that time ETRANS, now Swissgrid) was unaware of the urgency of the situation. The Swiss operator noticed that the actual flows to Italy were roughly 300 MW above the scheduled value and requested a reduction of the imports from the Italian TSO (GRTN, Gestore della Rete di Trasmissione Nazionale) by telephone at 03:11 a.m. The tolerable time for the reduction of the current was 15 min. The reduction was performed and the imports reached the scheduled value after 10 min. However, the reduction was not sufficient, and at 03:25:11 a.m. the circuit Sils–Soazza tripped due to a tree flashover (probably because of a high sag caused by the overload). Immediately afterwards, further 220 kV circuits tripped, and at 03:25:28 a.m. the Italian network lost synchronism with the rest of the UCTE system.
The Italian system lost about 6500 MW, and the frequency dropped, causing the shutdown of generating stations, which led to the blackout (definite at 03:27:58 a.m., when the frequency dropped below 47.5 Hz). The rest of the UCTE system experienced a rise in frequency to 50.25 Hz with swings to 50.3 Hz. In the immediate vicinity of the Italian border in Switzerland (Ticino and Valais), the systems were lost (blackout). Otherwise the UCTE system was not affected, although it experienced the frequency changes.
The report [4] mentions four main reasons for the blackout:
1. Unsuccessful reclosing of the line Mettlen–Lavorgo (Lukmanier) because of a too high phase angle difference.
2. Lacking sense of urgency regarding the Sils–Soazza (San Bernardino) line overload, and call for inadequate countermeasures in Italy.
3. Angle instability and voltage collapse in Italy.
4. Right-of-way maintenance practices.
However, the (n–1)-rule in the chapter “Security and reliability standards—safety of the system” states that a single incident must not jeopardize the system, which implies that after a loss of the (n–1)-state the system is supposed to return to the (n–1)-state as soon as possible. This means identifying countermeasures that would enable the system to be brought back to a secure state. The report states that the appropriate countermeasure after the loss of the Mettlen–Lavorgo circuit would have been the shutting down of the pumps in the storage plants in Italy, which had a load of about 3500 MW.
6.3 Comments on and Interpretations of the Events/Findings
The reasons given in Ref. 4 are certainly true and correct, but do not give the complete picture. In particular, the first two points need further explanation. As far as point 1 is concerned, it has to be realized that there was a substantial flow across the Swiss network, in which the circuit Mettlen–Lavorgo is embedded. This flow caused the phase angle difference of 42°, which should have been below 30°. The Swiss Federal Office of Energy (SFOE) investigated the situation and came to the conclusion that the flow situation was far from the reference flow [6]. The reference flow would have produced a phase angle difference of 20°, and there would have been no overload on the circuit in the first place. A simplified network illustrates the effect of flows on the phase angle difference at an open breaker, see Figure 3. The phase angle difference is proportional to the sum of the flows C + D + E or to the flow A or B. A phasor diagram is shown on the right-hand side, where the phasors are the terminal voltages.
FIGURE 3 Flows generating phase angle difference at open breaker. (Simplified network with flows A to E and phasor diagram of the terminal voltages V1 and V2 with their angular difference.)
The tree flashover is probably due to excessive sag of the conductors, which was caused by the overload. Hence, the flow situation is the primary cause of the tripping and the unsuccessful reclosing. The report states that the system was still (n–1)-secure at 03:00 a.m., which would have been correct if the countermeasures had been identified and implemented. This is one of the basic flaws in the whole process, which must be criticized further in light of the following.
A quite similar disturbance happened in the critical zone of the Swiss network in the year 2000, which is documented in the annual report 2000 of UCTE [7]. On September 8, 2000, the San Bernardino (Sils–Soazza) 380 kV circuit tripped at 9:46 p.m., and at 10:11 p.m. the Mettlen–Lavorgo (Lukmanier) 380 kV circuit tripped, followed by trippings of 220 kV circuits between Switzerland and Italy as well as between Austria and Italy. These line trips led to load displacements onto the France-to-Italy lines, resulting in a flow of 3900 MW on 380 kV and 220 kV lines. As a result of this overloading, these transfrontier lines together with five other 380 kV lines in France reached their 20 min overload protection threshold, others even their 10 min overload protection threshold. Italy was required to produce an additional 1800 MW in order to ensure operational security without network separation. It was not possible to implement a sufficiently rapid reduction of nearly 1500 MW in exchange programs between Italy and Switzerland. For these reasons, the UCTE network frequency rose to 50.15 Hz.
The report mentions numerous problems that took place in the following hours and on September 9, 2000. However, no disturbances in the distribution were recorded. What is important is the concluding statement in the report:
“As a result of the events described above, TSOs in Italy, France, Switzerland have agreed to a joint procedure for the improvement of communications and the implementation of arrangements for the modifications of exchange programs in case of emergency.”
The events after 03:00 a.m. on September 28, 2003, do not indicate that such a joint procedure has been established. Further, it is an open question what the countermeasures would have been if the outages had taken place during the week around 11:00 a.m., when no pumps were in operation. Unless one resorts to substantial load shedding in Italy (the remedial measure to point 3 above), the solution to the problem is careful congestion management whereby flow patterns close to the reference flow are maintained and the security is monitored whenever the load changes. Swissgrid, the Swiss TSO, has implemented a security monitoring scheme [8], which generates security information within half a minute, whereby the Swiss network plus the surrounding network, comprising 6000 nodes, is modeled. Today this is the only realistic and practical procedure to master the problem.
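Added example, not part of the original chapter: a linearised (DC) load flow that repeats the outage experiment of Section 3 and the open-breaker angle argument of Section 6.3 as an (n–1) screening. Only the 490 MW total is taken from the text; the nodal split, the branch list, the reactances, the thermal limits, and the 30° synch-check setting applied to every breaker are assumptions, so the flows are not those of Figure 1.

```python
import math

BASE_MVA = 100.0
# Constructed case: nodal powers in MW (+ generation, - load), 490 MW in total.
INJECTIONS_MW = {"A": 270.0, "B": 220.0, "C": -394.0, "D": -96.0}
# Assumed branches: (from, to) -> (reactance in per unit, thermal limit in MW).
LINES = {
    ("A", "B"): (0.0375, 300.0),
    ("A", "C"): (0.18, 300.0),
    ("A", "D"): (0.15, 250.0),
    ("B", "D"): (0.195, 250.0),
    ("C", "D"): (0.075, 400.0),
}
SLACK = "D"              # reference node, angle fixed at zero
SYNC_CHECK_DEG = 30.0    # assumed synch-check setting for every breaker


def solve(matrix, rhs):
    """Gaussian elimination with partial pivoting; None if the matrix is singular."""
    n = len(rhs)
    a = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-9:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(col + 1, n):
            factor = a[r][col] / a[col][col]
            for c in range(col, n + 1):
                a[r][c] -= factor * a[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (a[r][n] - sum(a[r][c] * x[c] for c in range(r + 1, n))) / a[r][r]
    return x


def dc_flow(injections_mw, lines, outage=None):
    """Solve B*theta = P. Returns (angles in rad, flows in MW), or None if islanded."""
    free = [n for n in sorted(injections_mw) if n != SLACK]
    idx = {n: i for i, n in enumerate(free)}
    b = [[0.0] * len(free) for _ in free]
    in_service = {k: v for k, v in lines.items() if k != outage}
    for (i, j), (x, _limit) in in_service.items():
        for p, q in ((i, j), (j, i)):
            if p in idx:
                b[idx[p]][idx[p]] += 1.0 / x
                if q in idx:
                    b[idx[p]][idx[q]] -= 1.0 / x
    theta = solve(b, [injections_mw[n] / BASE_MVA for n in free])
    if theta is None:            # some node lost its last path to the slack node
        return None
    angle = {n: theta[idx[n]] for n in free}
    angle[SLACK] = 0.0
    flows = {(i, j): (angle[i] - angle[j]) / x * BASE_MVA
             for (i, j), (x, _limit) in in_service.items()}
    return angle, flows


def screen_n_minus_1(injections_mw, lines):
    """Trip each line in turn; report overloads and the angle across the open breaker."""
    report = {}
    for outage in lines:
        result = dc_flow(injections_mw, lines, outage)
        if result is None:
            report[outage] = {"islanded": True}
            continue
        angle, flows = result
        overloads = {k: round(abs(f) / lines[k][1] * 100.0, 1)
                     for k, f in flows.items() if abs(f) > lines[k][1]}
        gap = abs(math.degrees(angle[outage[0]] - angle[outage[1]]))
        report[outage] = {
            "islanded": False,
            "overloads_pct": overloads,
            "breaker_angle_deg": round(gap, 1),
            "reclose_permitted": gap <= SYNC_CHECK_DEG,
        }
    return report


def is_n_minus_1_secure(report):
    """Secure only if no single outage islands a node or overloads a remaining line."""
    return all(not r["islanded"] and not r["overloads_pct"] for r in report.values())


if __name__ == "__main__":
    heavy = screen_n_minus_1(INJECTIONS_MW, LINES)
    halved = screen_n_minus_1({n: p / 2 for n, p in INJECTIONS_MW.items()}, LINES)
    for name, rep in (("full injections", heavy), ("halved injections", halved)):
        print(name, "-> (n-1)-secure:", is_n_minus_1_secure(rep))
        for outage, r in rep.items():
            print("  trip", "-".join(outage), r)
```

With these constructed values, tripping A–C under full injections loads A–D to 110.5% of its assumed limit and leaves 40.7° across the open breaker, so reclosure is blocked; with the injections halved, every single outage stays within limits and below the synch-check setting.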
7 THE SYSTEM DISTURBANCE NOVEMBER 4, 2006
7.1 Situation and Actions before the Disturbance
On November 4, 2006, at 10:10 p.m., the European network was split into three parts. The cause was a planned outage of a double-circuit 380 kV line in northern Germany, whose consequences were meant to have been estimated in an orderly way and were considered secure, but which finally evolved into a cascading process. The process separated the UCTE system and caused low-frequency load shedding, but did not lead to a complete blackout.
A precondition to the disturbance was the heavy cross-border flow situation between East and West Germany on the one hand and Eastern Europe and South Eastern Europe on the other hand. Since this is essential to the understanding of the disturbance of the network areas, the generation and cross-border flows are shown in Figure 4 [9]. The East–West flow of 9260 MW was caused by a heavy load in the Netherlands, which was supplied by wind generation in the northeast.
FIGURE 4 Schematic of UCTE system: three areas before separation at 9:09 p.m. and generation and cross-border flows. (Figure label: data at 22:09. TSO groups shown: APG (East), CEPS, E.ON Netz (East), MAVIR, PSE Operator, SEPS, VE-T, WPS; APG (West), CEGEDEL Net, E.ON Netz (West), ELES, ELIA, ENBW TNS, HEP (West), REE, REN, RTE, RWE TSO, Swiss TSOs, TENNET, TERNA, TIWAG Netz, VKW Netz; AD MEPSO, EPCG, HEP (East), HTSO, ISO BIH, JP EMS, KESH, MAVIR (Szeged area), NEK, TRANSELECTRICA.)
The double-circuit line that was switched was the Conneforde–Diele line shown in Figure 5, located in the far northwest corner of Germany. The line belongs to the network of E.ON, the important German utility, and the taking-out-of-service was planned for November 5 and prepared in the days before. The operation was requested by a shipyard for the passing of a ship on a canal that is crossed by the line. It was also coordinated with TenneT, the TSO of the Netherlands. E.ON Netz, the TSO of E.ON, carried out an analysis of the impact of the operation using standard planning data. As no violation of the (n–1)-criterion was detected, E.ON Netz provisionally approved the switching off.
FIGURE 5 Line diagram, section of northern Germany. (Legend: switched line, tripped line, overloaded.)
On November 3, around 12:00, the shipyard requested E.ON Netz to advance the disconnection of the line by 3 h, to November 4 at 10:00 p.m. A provisional agreement was given by E.ON Netz after a new analysis did not reveal a violation of the (n–1)-criterion. At this point, the TSO of Rheinisch-Westfaelisches-Elektrizitaetswerk (RWE) of the adjacent German network and the TSO TenneT were not informed about this procedure, so no special security analyses were made. For the new situation, it was not possible to reduce the exchange program between Germany and the Netherlands to take account of the outage of the Conneforde–Diele line (agreed timing, setting of capacities, and auctions). Further, there was no indication of the switching operation in the planning tools and data, such as the day-ahead congestion forecast (DACF) provided by E.ON Netz to all UCTE TSOs on November 3 with the forecast for November 4 at 10:00 p.m. and beyond.
As late as 6:00 p.m., E.ON Netz informed TenneT and RWE TSO about the new time for the disconnection of the line. At 9:29 p.m., a load flow calculation by E.ON Netz did not indicate any violation of limit values. On the basis of an empirical evaluation of the grid situation, E.ON staff assumed, without numerical computations, that the security of the system would be met after the disconnection of the line. RWE TSO also made a load flow calculation and an (n–1)-analysis at 09:30 p.m., just before the opening of the line, which confirmed that the RWE grid would be highly loaded but secure.
7.2 Evolvement of the Disturbance
The two circuits of the Conneforde–Diele line were switched off at 9:38 p.m. and 9:39 p.m. Shortly afterwards, E.ON Netz received warning messages about the high loading on a line south of the area shown in Figure 5, and at 9:41 p.m. RWE TSO informed E.ON Netz about the safety limit of 1795 A on the line Landesbergen–Wehrendorf, an interconnection between the E.ON network and the RWE network. This line is shown in Figure 5. However, at this point in time the critical current on this line had not been reached. The report [9] documents that the protection settings on the two sides of this line were different, that is, a tripping current of 3000 A on the E.ON side and 2100 A on the RWE side, and that the TSO of E.ON was not aware of this fact. In phone calls between the TSOs of E.ON, RWE, and Vattenfall up to 10:00 p.m., the situation was considered to be critical, and apparently RWE TSO informed E.ON Netz about the settings.
Between 10:05 p.m. and 10:07 p.m., the load on the 380 kV line Landesbergen–Wehrendorf increased and exceeded the warning value of 1795 A, which caused RWE TSO to request from E.ON Netz an urgent intervention to restore the security of the system. E.ON Netz made an empirical assessment of corrective switching measures in terms of coupling of the busbars in Landesbergen, expecting a reduction of the line current by about 80 A. The operation was done at 10:10 p.m., but resulted in the opposite effect. The line current increased and caused the tripping of the Landesbergen–Wehrendorf line, leading to a subsequent cascading opening of circuits along the vertical line shown in Figure 4 and separation of the southeastern network.
7.3 Consequences of the Opening
The European network was separated into three parts, as shown in Figure 6, whereby different frequency patterns developed. Since a substantial flow between the East and West parts was interrupted, area 1 experienced a drop and area 2 a rise in frequency. In area 3, there was a frequency drop, but it was only 200 mHz.
The low frequency in areas 1 and 3 caused a series of load sheddings spread over the areas, and the loss of loads was substantial, that is, between 3% and 19% of the load. In some areas, pumps of between 240 and 450 MW were disconnected. In all areas, generation was tripped, namely, 10,909 MW in total. The switching operations caused heavy intersystem flows after 10:10 p.m. A complete blackout did not result in any of the areas. This allowed the restoration and the resynchronization of the areas fairly soon after the initial disturbance.
FIGURE 6 Separation of the UCTE network into three parts. (Legend: area 1 low frequency, area 2 high frequency, area 3 low frequency.)
The actions of the resynchronization process showed three different phases, namely:
• resynchronization trials that did not result in real interconnection;
• resynchronization attempts that resulted in real interconnection, but failed after a few seconds;
• successful resynchronization steps.
The milestones of resynchronization were the first successful reconnection of tie-lines between areas 1 and 2 at 10:47 p.m., when areas 1 and 2 were connected, and the connection of area 3 at 10:49 p.m. The problems in the resynchronization process were the missing information on the state of generating units and of the network, as well as noncoordinated trials of operators to synchronize generators. In particular, actions in the distribution network were completely noncoordinated.
7.4 Failures and Mistakes that Led to this Disturbance
On the basis of report [9], several items that caused the disturbance can be identified. The main cause is the omission of contingency analyses at various stages of the preparation of the switching operation, both by E.ON Netz and RWE TSO. This applies to the points in time before the opening of the line, right after the opening of the line, and before the coupling of the busbars in Landesbergen. What should have been performed is not just an analysis of the respective own area, but a comprehensive analysis of the own area including the surrounding network, that is, the E.ON network plus the RWE network plus the TenneT network, as is possible today and described in [8].
Another item is the lack of information from E.ON Netz to RWE TSO and TenneT about the advance of the switching of the line. This did not allow the TSOs to check the consequences of the switching early enough. A crucial item was the different protection settings on the Landesbergen–Wehrendorf line, of which E.ON Netz was not aware. It was not only this line that was heavily loaded, but also several lines in the E.ON and RWE networks, which, when tripped, could have caused the disturbance. The load increase between 10:00 and 10:10 p.m., which led to the tripping, was also affected by the change in exchange programs that usually takes place around this time, for example, 340 MW from Germany to the Netherlands. Generally, there was insufficient coordination between the TSOs. According to [9], this was considered the second main cause of the disturbance.
8 UNBUNDLING AND DECENTRALIZATION—FEATURES IN CONTRADICTION TO SECURITY
Further to the detailed discussions and conclusions from the reports on disturbances, there are general features of the liberalized system in Europe that are detrimental to the security of the network. One of these features is the requirement of the Directive of the European Community to unbundle generation, transmission, and distribution. Unbundling is justified in the normal state of the system. However, in a critical situation, the cooperation of generation and transmission is absolutely necessary, and therefore unbundling has to be suspended. A TSO must have direct access to generation for the correction of a flow.
Above all, the European system is decentralized. According to [9], there are 29 TSOs in 24 countries, each of which manages an area or subsystem. But for the purpose of security, comprehensive control over a wide region, that is, one overlapping the TSO's own area, would be necessary. Each TSO is obliged to carry out such an analysis, and TSOs have to cooperate and communicate in critical situations. Thus, decentralization, congestion management, and security control in the European system are unresolved items.
9 CONCLUSIONS
The large-scale electricity transmission grid with a decentralized control structure, that is, independent transmission operators as in the UCTE system, and under the concept of unbundling is only partly suited to manage disturbances and to avoid blackouts, at least with the presently implemented tools. Unbundling and decentralization are detrimental to security, as the electricity grid acts as a whole, in terms of frequency, voltage, and flows, from one end to the other. Contracts over long distances and the ensuing flows are difficult for TSOs to control. Hence, cooperation and closer communication are needed.
REFERENCES
1. UCTE. Operation Handbook, www.ucte.org.
2. Directive European Union 2003/54/EG (previous 96/92/EG).
3. Multi-Lateral Agreement (MLA) in UCTE. Operation Handbook, http://www.ucte.org/e default asp.
4. UCTE (2003). Report–Interim Report of the Investigation Committee on the 28 September 2003 Blackout in Italy, 27 October, www.ucte.org.
5. Gheorghe, A. V., Masera, M., Weijnen, M., and De Vries, L. (2006). Critical Infrastructures at Risk—Securing the European Electric Power System, Appendix A.1 Learning from the Past—Electric Power Blackouts and Near Misses Europe. Springer, New York.
6. SFOE Swiss Federal Office of Energy (2003). Bericht über den Stromausfall in Italien am 28. September 2003, November (Report on the blackout in Italy). SFOE Swiss Federal Office of Energy, Switzerland.
7. UCTE 2000 Annual Report, www.ucte.org.
8. Nordanlycke, I., Bossert, G., and Glavitsch, H. (2007). Security and congestion management tool for the use in extended transmission systems. IEEE Powertech 2007. Lausanne, July 1–5, www.ucte.org.
9. UCTE (2006). Final Report - System Disturbance on 4 November 2006, www.ucte.org.
FURTHER READING
Taylor, C. W. (1994). Power System Voltage Stability, McGraw-Hill International Editions—Electrical Engineering Series.
Philipson, L., and Lee Willis, H. (1999). Understanding Electric Utilities and De-Regulation, Marcel Dekker, Inc., New York.
Shahidehpour, M., and Alomoush, M. (2001). Restructured Electrical Power Systems—Operation, Trading, and Volatility, Marcel Dekker, Inc., New York.
Kundur, P. (1993). Power System Stability and Control, McGraw-Hill Inc., New York.
INTERDEPENDENT ENERGY INFRASTRUCTURE SIMULATION SYSTEM
G. Loren Toole and Andrew W. McCown
Los Alamos National Laboratory, Threat Reduction Directorate/Decision Applications, Los Alamos, New Mexico
1 INTRODUCTION
IEISS was derived from the energy interdependence simulation (EISim) and simulation object framework for infrastructure analysis (SOFIA) software architectures that have been applied routinely at Los Alamos since the mid-1990s. The National Infrastructure Simulation and Analysis Center (NISAC), supported by the Department of Homeland Security, Office of Infrastructure Protection, funds the use of this software. The NISAC program was established to meet the need for a comprehensive capability to assess the national system of interdependent infrastructures. In the USA PATRIOT Act of October 2001, NISAC was chartered to “serve as a source of national competence to address critical infrastructure protection and continuity through support for activities related to counter terrorism, threat assessment, and risk mitigation”. This article discusses the underlying simulation concepts, the application of the interdependent energy infrastructure simulation system (IEISS) to an interdependency case study of urban infrastructure, and IEISS applications to other problems of national interest.
Interconnected and interdependent energy infrastructures are extremely complex systems, consisting of physical facilities (such as power plants and refineries), transmission lines, phone lines, roads, railways, waterways, and so on, as well as human decision makers (e.g. consumers, legislators, investors, and chief executive officers). Examples of critical infrastructures that are interconnected and interdependent are shown in Figure 1. A comprehensive simulation tool is needed to model the nation’s key infrastructures (e.g. energy, communication, and transportation) and their intra/interdependencies.
[Figure 1 labels: transportation; Wall Street; oil and gas production and storage; satellite; business; electric power; telecom; water supply; emergency services; government; banks/finance; information.]
FIGURE 1 National interconnected and interdependent infrastructures.
However, these dependencies must be identified and understood before infrastructure protection, mitigation, response, and recovery options can be provided. Although existing technology analyzes single-domain infrastructures well, severe limitations arise when this technology is applied to interdependent infrastructures. In these cases, in which multiple infrastructures are considered, analysts typically treat the interdependencies in an ad hoc manner. To represent the complex, nonlinear, and interdependent nature of these infrastructures, advanced computer simulations are needed. Without these simulations, it is simply too expensive, too risky, and too time consuming to determine the impact of policy and security decisions.
2 IEISS SIMULATION CONCEPTS
An infrastructure interdependency is defined as a physical, logical, or functional connection from one infrastructure to another, whose loss or severing would affect the operation of the dependent infrastructure. Although short-term service interruptions of energy infrastructures routinely occur, catastrophic system failures, or large-scale blackouts, are rare events. As infrastructures become more complex and interdependent, the probability of having large-scale outages increases. Because a component failure in one infrastructure does not necessarily result in a propagating failure in another interdependent infrastructure (or for that matter, within the same infrastructure), this cascading phenomenon is difficult to analyze. An example of interdependencies among network-like infrastructures is given in Figure 2. “Network-like” refers to an inherent topological feature of the infrastructure itself, namely, a connected structure of linked nodes.
[Figure 2, titled “A seamless and unified view of infrastructure as a ‘system of systems’”. Layers: natural gas, oil, electric power, communication, highways, and waterways (commodity transportation). Components: pump, compressor, power plant, substation, end office, and traffic light, linked by fuel supply and power supply dependencies.]
FIGURE 2 Illustration of interdependencies among network-like infrastructures.
The horizontal layers in the figure represent dependencies within an infrastructure, and the vertical lines indicate interdependencies between infrastructures. Although Figure 2 shows only physical infrastructures, future capability will include nonphysical infrastructures as well, such as financial and/or other economic networks. IEISS does not replace single-infrastructure tools since existing technology analyzes these domains in sufficient detail. However, when this technology is applied to interdependent infrastructures, severe limitations usually exist. IEISS relies on an actor-based (or object-oriented) modeling approach of infrastructures [1]. Each physical, logical, or functional entity in an infrastructure corresponds to a software actor (sometimes called a software agent) that has a variety of attributes and behaviors that mimic its real-world counterpart. The connections within or between infrastructures are represented by connections between the relevant actors, and the actors interact in the software through a message-passing protocol. Mathematically, infrastructures can be represented by graphs. Thus, any infrastructure(s) that can be represented in terms of a dependency graph can be modeled using this actor-based, message-passing representation. This approach is suitable for a wide variety of network-like infrastructures.
3 THE COMPLEXITY OF MULTIPLE INFRASTRUCTURES
A simulation of coupled infrastructures necessarily requires the use of multiple, heterogeneous algorithms [2]. Each infrastructure under consideration has its own dynamic laws and, thus, its own types of algorithms. It may be useful to mix different solution methods in the same simulation because of their varying accuracy and speed or to compare the results of simulations using different algorithms. Ideally, “pluggable” algorithms could be attached individually to each actor in the system or to groups of actors. Mixtures of algorithms may be required by geography, infrastructure, or time. Because of the potential complexity of coupled infrastructures, it is important that the solution algorithms be able to handle both problems involving the “forward” simulation of systems and the “inverse” search problems. That is, given an initial state of the system, its evolution could be followed forward in time or, given the final state (typically involving loss of service), initial states could be determined that might evolve to this final state if a given number of contingencies were to occur.
When one or more interconnected components are forced out of service because of an operational or intentional failure, affected dependent or secondary components are also treated by IEISS as an interdependency. This approach is based on the service area/outage area concept [3, 4]. For example, if an electric power substation is forced out of service, a polygonal representation of the service area normally served by the component is calculated. If components from other infrastructures lie within the calculated service area boundary and these components are dependent on the services of the failed substation, a propagation of the failure to dependent infrastructures is assumed. If the service areas of any affected infrastructures cannot be mitigated or reduced in extent through recovery measures, they are assumed to represent the outage area. This concept is further discussed in the next section. Finally, if a service area can be estimated for all affected infrastructures, the simulation approach for interdependent cascading failures can be illustrated by the logic flow diagram shown in Figure 3. The simulation is initiated by creating a “contingency” event that
[Figure 3 flowchart boxes, in order: Start contingency; Steady state solve; Limit violations (No/Yes); Dispatch (Possible/Impossible); Shed load; Service/outage area; Affected components in other infrastructure (No/Yes); Exit.]
FIGURE 3 IEISS logic diagram describing network limit violations.
involves single (or multiple) outages in one or more infrastructures. Steady-state solutions are then obtained for all infrastructures with key attributes reported (e.g. pressure or flow). If an attribute is not within its normal operating range, for example, a pipeline is operating above its maximum allowable operating pressure, the associated components are subject to limit violations [5]. Limit violations must be mitigated or else severe consequences can result. Mitigation can be accomplished by a variety of measures such as dispatching or reducing demand. Dispatching requires adjustments to operating parameters of variable equipment such as generators or compressors. The dispatch box shown in Figure 3 contains algorithms to eliminate limit violations. If the contingency can be mitigated by dispatching, limit violations are rechecked and the simulation is ended (“possible”). However, if further violations exist (“impossible”), IEISS sheds customer load near the contingency and then calculates outage areas. Affected components in other infrastructures are also identified. Another simulation will be required to determine whether loss of the affected components causes violations within their respective infrastructure(s) or whether the propagation of effects has stopped. The IEISS simulation process ends when all limit violations have been eliminated. The final result is a list of outage areas, failed components, history of cascading events, and so on.
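The loop of Figure 3, written as actors on a dependency graph, as an added example (not IEISS code). The network, its ratings, and the simple balance check that replaces IEISS's steady-state solvers are constructed assumptions; loads are shed in list order as a stand-in for shedding “near the contingency”.

```python
from dataclasses import dataclass


@dataclass
class Actor:
    name: str
    infra: str            # "EP" (electric power) or "NG" (natural gas)
    kind: str             # "source", "link", "load" or "node"
    rating: float = 0.0   # max output (source), flow limit (link), demand (load)
    output: float = 0.0   # current set point, sources only
    needs: tuple = ()     # actors whose service this one depends on
    up: bool = True       # in service?


def build_model():
    """Constructed two-layer network; every name and rating is made up."""
    rows = [
        ("citygate_A", "NG", "link", 100, 0, ()),
        ("gas_compressor", "NG", "link", 100, 0, ("load_city_1",)),  # electric drive
        ("gas_south", "NG", "load", 50, 0, ("citygate_A",)),
        ("gas_north", "NG", "load", 50, 0, ("gas_compressor",)),
        ("substation_B", "EP", "node", 0, 0, ()),
        ("gen_gas", "EP", "source", 700, 700, ("citygate_A",)),      # gas-fired
        ("gen_other", "EP", "source", 350, 300, ()),
        ("line_230_1", "EP", "link", 300, 0, ("substation_B",)),
        ("line_230_2", "EP", "link", 300, 0, ("substation_B",)),
        ("line_230_3", "EP", "link", 300, 0, ()),
        ("load_city_1", "EP", "load", 300, 0, ()),
        ("load_city_2", "EP", "load", 200, 0, ()),
        ("load_city_3", "EP", "load", 200, 0, ()),
        ("load_west", "EP", "load", 200, 0, ("substation_B",)),
    ]
    return {r[0]: Actor(*r) for r in rows}


def overload(actors, infra):
    """Stand-in for a steady-state solve: demand not covered by in-service
    sources plus link (import) limits. A surplus is assumed to be curtailed."""
    live = [a for a in actors.values() if a.infra == infra and a.up]
    demand = sum(a.rating for a in live if a.kind == "load")
    supply = sum(a.output for a in live if a.kind == "source")
    limit = sum(a.rating for a in live if a.kind == "link")
    return max(0.0, demand - supply - limit)


def propagate(actors, history, rnd):
    """Outage every actor that depends on an out-of-service actor."""
    any_change, changed = False, True
    while changed:
        changed = False
        for a in actors.values():
            if a.up and any(not actors[n].up for n in a.needs):
                a.up = False
                history.append((rnd, "dependency loss", a.name))
                any_change = changed = True
    return any_change


def simulate(contingency):
    """Run the Figure 3 loop; return (outaged loads, cascade history)."""
    actors, history, rnd = build_model(), [], 0
    for name in contingency:
        actors[name].up = False
        history.append((0, "contingency", name))
    while True:
        rnd += 1
        changed = propagate(actors, history, rnd)
        for infra in ("NG", "EP"):
            if overload(actors, infra) == 0:
                continue                      # no limit violation
            for a in actors.values():         # dispatch: sources to maximum
                if a.infra == infra and a.up and a.kind == "source":
                    a.output = a.rating
            history.append((rnd, "dispatch", infra))
            for a in actors.values():         # still violated: shed load
                if overload(actors, infra) == 0:
                    break
                if a.infra == infra and a.up and a.kind == "load":
                    a.up = False
                    history.append((rnd, "load shed", a.name))
            changed = True
        if not changed:                       # nothing new: cascade has stopped
            break
    outage = sorted(a.name for a in actors.values() if a.kind == "load" and not a.up)
    return outage, history


if __name__ == "__main__":
    for case in (["citygate_A"], ["substation_B"], ["citygate_A", "substation_B"]):
        outage, history = simulate(case)
        print(case, "->", outage)
        for event in history:
            print("   ", event)
```

In this constructed network, the combined outage of citygate A and substation B outages loads that neither single outage touches, including a second-round loss in the gas layer after electric load is shed.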
4 IEISS CASE STUDY: URBAN INTERDEPENDENCIES
A key element in modeling interdependent infrastructures is the ability to predict the propagation of a perturbation. This condition results from a component failure created within an infrastructure, which cascades to other interdependent infrastructures. This cascading effect is a key issue, but usually the least understood phenomenon. Although short-term service interruptions of energy infrastructures are routine in many areas, catastrophic system failures, or large-scale blackouts, are rare events. As urban infrastructures become more complex and interdependent, the probability of having large-scale outages increases. The underlying concepts of interdependency and application of IEISS are illustrated by a fictitious example. Attributes of interconnected electric power and natural gas components, notionally representative of urban networks in most US cities, were input into the IEISS model. The model incorporated multiple layers of components operating at different voltages and pressures. Because of the network-like features, disruptions to key components in one layer can affect the operation of colocated components in other layers, creating an interdependency event. During the analysis, IEISS reported greater effects than would have resulted if single components were individually outaged. The first phase of this event requires simultaneous loss of two components: an electric substation and a natural gas pipeline junction. An outage of the natural gas pipeline junction disrupts natural gas delivery to gas-fired power plants located approximately 10 miles to the south. The simultaneous outage of a 230-kV electric substation completes the initiating event. Components “A” and “B” are located approximately 30 miles apart as shown in Figure 4. Following the initial loss of components, high-voltage electric transmission lines will be overloaded. This condition forces the utility to shed customer load to avoid equipment
[Figure 4 map. Legend: citygates, lines, generators, substations, 66 kV lines, 138 kV lines, 230 kV lines. Marked nodes: “A” (citygate) and “B” (substation).]
FIGURE 4 Natural gas (NG) and electric power (EP) components in the IEISS model, highlighting locations of outaged nodes.
[Figure 5 map. Legend: citygates, lines, generators, substations, 66 kV lines, 138 kV lines, 230 kV lines. Labels: “B” (substation) and the electric outage area.]
FIGURE 5 Outage area (gray shade) resulting from the loss of substation “B”.
damage and to stabilize the local network. In turn, this action will create an outage area, as shown in Figure 5. The outaged electric substation provides connections to areas west of this location. Under normal operating conditions, electric generators are capable of providing more power than needed locally, so the excess is exported to the east. Following a loss of electric generation due to the outage of pipeline junction “A”, customer demand must be met by supplying from the east. Three 230-kV transmission lines normally support this power flow. However, two of the three lines originate at the outaged electric substation “B”. Since this component is outaged, power can only be supplied by a single 230-kV line, which is severely overloaded. The result is an additional area of customer load shed, as shown in Figure 6. Because a large area is affected by this event, many businesses and facilities critical to continued operation of urban infrastructure would lose electricity and natural gas
[Figure 6 map. Legend: citygates, lines, generators, substations, 66 kV lines, 138 kV lines, 230 kV lines. Labels: “A” (citygate), “B” (substation), gas outage area, and extended electric outage area (interdependency).]
FIGURE 6 Additional load shed due to transmission line overload from electric substation “B” results in the final interdependency event.
service. The total outage area encloses nearly 2700 sq. miles. On the basis of average business sales density, the direct cost of a 3-day interdependency outage would total approximately $150 million. Indirect costs due to supply chain disruptions, noninsured loss of perishable goods, and related items may also be significant. In addition, key emergency facilities such as hospitals, telecommunication end offices, police, and fire stations would be outaged, forcing extended reliance on emergency backup power.
REFERENCES
1. Bush, B. W., Bush, A. B., Fisher, R., Folga, S., Giguere, P., Holland, J., Hurford, J., Kavicky, J., Linger, S., McCown, A., McLamore, M., Pontante, E., Rothrock, L., Salazar, M., Shamsuddin, S., Unal, C., Visarraga, D., and Werley, K. (2005). Interdependent Energy Infrastructure Simulation System–IEISS Version 2.1 Technical Reference Manual, Report LANL-D4-05-0027, Los Alamos National Laboratory.
2. Unal, C., Werley, K. A., and Gigue, P. (2001). Energy Interdependence Modeling and Simulation, Report LA-UR-01-1879, Los Alamos National Laboratory.
3. Linger, S. P., Toole, G. L., and McPherson, T. (2001). A Primer on Estimating Electrical Service and Outage Areas Using GIS and Cellular Automata Based Methods, Report LA-UR-01-0490, Los Alamos National Laboratory.
4. Werley, K. A. (2002). Constrained Cellular Colonization (C3) for Estimating Service and Outage Areas in Electric Power Transmission Networks (Rev. 4), Report LA-UR-01-4845, Los Alamos National Laboratory.
5. Werley, K. A. (2001). An AC Dispatcher for Relieving Problems within Electric Power Transmission Networks, Report LA-UR-03-8266, Los Alamos National Laboratory, pp. 1–16.
FURTHER READING
National Infrastructure Protection Plan (2006). http://www.dhs.gov/xprevprot/programs/editorial 0827.shtm.
SELF-HEALING AND RESILIENT ENERGY SYSTEMS
S. Massoud Amin
University of Minnesota, Minneapolis, Minnesota
1 INTRODUCTION
The rise of our nation into a global economic power, which began with the opening of a vast continent in the mid-1800s by the railroads, was followed in the nineteenth century by expansion of the networks of commerce, navigable waterways, transportation, water supply and wastewater, dams, electric power networks, and rural electrification (in the early to mid-twentieth century), aviation, transit, and highways. This has dramatically transformed our nation and the resultant economic output has been unprecedented in history. The tremendous value of infrastructure systems such as roads and bridges and the nation that help make possible indispensable activities of our modern societies cannot be overstated. I would submit that along with our bricks and mortar infrastructure—railroads, highways, bridges, seaports, and airports—another important part is the “hidden infrastructure” that supports the workings of all aspects of our $14 trillion economy.2
Footnote 1: Honeywell/H.W. Sweatt Chair in Technological Leadership, Director of the Center for the Development of Technological Leadership (CDTL), Professor of Electrical and Computer Engineering, and University Distinguished Professor. Contact information: http://umn.edu/amin.
Footnote 2: A 24-page special feature in The Wilson Quarterly for Spring 2008 (Vol. 32, No. 2) includes three articles under the heading, “BACKBONE: Infrastructure for America’s Future.” The three are “The Secret Is the System,” “Get Smart,” and “Built to Last.” An introduction notes that “building tomorrow’s infrastructure will pose larger political and technological challenges than ever before-with potential payoffs to match.” Examples cited are the huge new water tunnel being dug beneath New York City, started in 1970 and to be completed by 2020; the collapse of the I-35W bridge in Minneapolis, the 2003 blackout affecting 50 million people, and the proposed North American Super Corridor, from Mexico to Canada that would create a road, rail, and shipping system around the existing I-35. Some excerpts: Shopping for Infrastructure The American Society of Civil Engineers Report Card for America’s Infrastructure (2005) offers a daunting menu of future needs and calls for more than $300 billion in additional annual spending (for more information please see http://www.wilsoncenter.org/index.cfm).
2 THE BIGGER PICTURE
Energy, telecommunications, transportation, and financial infrastructures are becoming increasingly interconnected, thus posing new challenges for their secure, reliable, and efficient operation. All of these infrastructures are themselves complex networks, geographically dispersed, nonlinear, and interacting both among themselves and with their
human owners, operators, and users. No single entity has complete control of these multiscale distributed, highly interactive networks, nor does any such entity have the ability to evaluate, monitor, and manage them in real time. In fact, the conventional mathematical methodologies that underpin today’s modeling, simulation, and control paradigms are unable to handle the complexity and interconnectedness of these critical infrastructures. Power, telecommunications, banking and finance, transportation and distribution, and other infrastructures are becoming more and more congested partially due to dramatic population growth, particularly in urban centers. These infrastructures are increasingly vulnerable to failures cascading through and between them. A key concern is the avoidance of widespread network failure due to cascading and interactive effects. Moreover, interdependence is only one of several characteristics that challenge the control and reliable operation of these networks. Other factors that place increased stress on the power grid include dependencies on adjacent power grids (increasing because of deregulation), telecommunications, markets, and computer networks. Furthermore, reliable electric service is critically dependent on the whole grid’s ability to respond to changed conditions instantaneously. Secure and reliable operation of complex networks poses significant theoretical and practical challenges in analysis, modeling, simulation, prediction, control, and optimization. The pioneering initiative in the area of complex interactive networks and infrastructure interdependency modeling, simulation, control, and management was launched and successfully carried out during 1998–2002, through the Complex Interactive Networks/Systems Initiative (CIN/SI). It studied closely the challenges to the interdependent electric power grid, energy, sensing and controls, communications, transportation, and financial infrastructures. 
It comprised six university research groups consisting of 108 university faculty members and over 220 researchers who were involved in the joint Electric Power Research Institute (EPRI) and US Department of Defense program. During 1998–2002, CIN/SI developed modeling, simulation, analysis, and synthesis tools for damage-resilient control of the electric power grid and interdependent infrastructures connected to it. This work showed that the grid can be operated close to the limit of stability given adequate situational awareness combined with better security of communications and controls. A grid operator is similar to a pilot flying an aircraft: monitoring how the system is being affected and how the “environment” is affecting it, and having a solid sense of how to steer it in a stable fashion. In recent decades, in light of increased demand, we have reduced the generation and transmission capacity margins of the electric power grid, and we are indeed flying closer to the edge of the stability envelope. Ongoing programs at EPRI and the Department of Energy (DOE) are continuing the pursuit of these objectives. Earlier work by the author during the 1990s on damaged F-15 aircraft provided, in part, background for the creation, successful launch, and management of research programs for the electric power industry, including the EPRI/DOD CIN/SI mentioned above, which involved six university research consortia along with two energy companies, to address challenges posed by our critical infrastructures. This work was done during the period from 1998 to early 2002. CIN/SI laid the foundation for several ongoing initiatives on the self-healing infrastructure and subsets focusing on smart reconfigurable electrical networks. These have now been under development for some time at several organizations, including programs sponsored by the National Science Foundation (NSF), DOD,
DOE, and EPRI (including the “Intelligrid” program), and the US DOE’s “Gridwise” and “Modern Grid” initiatives. To provide a context for this, the EPRI/DOD CIN/SI aimed to develop modeling, simulation, analysis, and synthesis tools for robust, adaptive, and reconfigurable control of the electric power grid and infrastructures connected to it. In part, this work showed that the grid can be operated close to the limit of stability given adequate situational awareness combined with better sensing of system conditions and communication controls. A grid operator steers it in a stable fashion by keeping the lines within their operating limits while helping maintain an instantaneous balance between loads (demand) and available generation. Grid operators often make these quick decisions under considerable stress. Given that in recent decades we have reduced the generation and transmission capacity, we are indeed flying closer to the edge of the stability envelope. As an example, one aspect of the Intelligrid program is aimed at enabling grid operators to have greater look-ahead capability and foresight, overcoming limitations of the current schemes, which at best have a delay of over 30 seconds in assessing system behavior. This is analogous to driving a car by looking into the rear-view mirror instead of at the road ahead. This tool, using advanced sensing, communication, and software modules, was proposed during 2000 to 2001, and the program was initiated in 2002 by the author while at EPRI, under the Fast Simulation and Modeling (FSM) program.
This advanced simulation and modeling program promotes greater grid self-awareness and resilience in times of crisis, in three ways: by providing faster-than-real-time, look-ahead simulations (analogous to master chess players rapidly expanding and evaluating their various options under time constraints) and thus avoiding previously unforeseen disturbances; by performing what-if analysis for large-region power systems from both operations and planning points of view; and by integrating market, policy, and risk analysis into system models, and quantifying their integrated effects on system security and reliability.
3 INFRASTRUCTURES UNDER THREAT
The terrorist attacks of September 11th exposed critical vulnerabilities in America’s essential infrastructures: never again can the security of these fundamental systems be taken for granted. Electric power systems constitute the fundamental infrastructure of modern society. A successful terrorist attempt to disrupt electricity supplies could have devastating effects on national security, the economy, and the life of every citizen. Yet, power systems have widely dispersed assets that can never be absolutely defended against a determined attack. The growing potential for infrastructural problems stems from multiple sources, including system complexity, deregulation, economic effects, power market impacts, and human error. The existing power system is also vulnerable to natural disasters and intentional attacks (terrorism). Regarding the latter, a November 2001 EPRI assessment developed in response to the September 11th attacks highlights three kinds of potential threats to the US electricity infrastructure. We discuss them briefly and in very broad terms, without providing a “blue book” for potential attackers:
The first is attacks upon the power system. In this case, electricity infrastructure is the primary target—with ripple effects, in terms of outages extending into the customer base. The point of attack could be a single component, such as a critical
substation or a transmission tower. There could also be a simultaneous, multipronged attack intended to bring down the entire grid in a specific region of the United States. An attack could also target electricity markets, which are highly vulnerable because of their transitional status.
The second type of attack is by the power system. In this case the ultimate target is the population, using parts of the electricity infrastructure as a weapon—similar to the way our transportation and mail delivery systems were used against our nation. Power plant cooling towers, for example, could be used to disperse chemical or biological agents.
The third means is attack through the power system. In this case, the target is the civil infrastructure. Utility networks include multiple conduits for attack, such as lines, pipes, underground cables, tunnels, and sewers. An electromagnetic pulse, for example, could be coupled through the grid with the intention of damaging computer and/or telecommunications infrastructure.
As seen from these scenarios, the specter of terrorism raises a profound dilemma for the electric power industry: How to make the electricity infrastructure more secure without compromising productivity in today’s complex, highly interconnected electric networks? Resolving this dilemma requires short-term and long-term technology development and deployment, affecting fundamental characteristics of today’s power systems. The North American electric power system needs a comprehensive strategy to prepare for the diverse threats posed by terrorism. Such a strategy should both increase protection of vital industry assets and assure the public that they are well protected. A number of actions will need to be considered in formulating an overall security strategy:
• The grid must be made secure from cascading damage.
• Pathways for environmental attack must be sealed off.
• Conduits for attack must be monitored, sealed off, and “sectionalized” under attack conditions.
• Critical controls and communications must be made secure from penetration by hackers and terrorists.
• Greater intelligence must be built into the grid to provide flexibility and adaptability under attack conditions, including automatic reconfiguration.
• Ongoing security assessments, including use of game theory to develop potential attack scenarios, will be needed to ensure that the power industry can stay ahead of changing vulnerabilities.
A survey of electric utilities on the perceived threats to utility control centers revealed real concerns about grid and communications security. The most likely threats were bypassing controls, integrity violations, and authorization violations, with four-in-ten rating each as either a 5 or 4, out of 5. Concern about potential threats generally increased as the size of the utility (peak load) increased. The system’s equipment and facilities are dispersed throughout the North American continent, which complicates absolute protection of the system from a determined terrorist attack. In addition, another complexity needs to be considered: the power delivery systems’ physical vulnerabilities and susceptibility to disruptions in computer networks and communication systems. For example, terrorists might exploit the increasingly centralized
control of the power delivery system to magnify effects of a localized attack. Because many consumers have become more dependent on electronic systems that are sensitive to power disturbances, an attack that leads to even a momentary interruption of power can be costly. A 20-min outage at an integrated circuit fabrication plant, for example, could cost US$30 million.
The Grid Then and Now
The first grids. The worldwide electrical grid deployment, now costing trillions of dollars and reaching billions of people, began very humbly. The first grids came into being in the 1880s, for bringing electrical energy to a variety of customers for a variety of uses; at first mostly for illumination but later for turning power machines and moving trolley cars. The most important of these early grids, the first established big city grid in North America, was the network built by Thomas Edison in lower Manhattan. From its power station on Pearl Street, practically in the shadow of the Brooklyn Bridge, Edison’s company supplied hundreds and then thousands of customers. Shortly thereafter, Edison’s patented devices, and those of his competitors—devices such as bulbs, switching devices, generators, and motors—were in use, in new grids in towns all over the industrialized world.
Grid Overview
• Power, communications, and computing are all converging, making entire systems as sensitive as the most sensitive component.
• Secure and reliable combined electric power, communications, fuel supply, and financial networks are essential to today’s microprocessor-based economy, public health and safety, and overall quality of life.
• The demands of our secure digital economy are outpacing the electricity and communication infrastructures that support it.
• It costs the United States $75–180 billion in annual losses from power outages and disturbances. On any day, typically half a million people are without power for 2 or more hours.
• The US power grid operates under ever more stress from increasing electrical traffic and from a changing economic climate. Here are four notable grid issues: (i) the regulatory problem: federal and state grid guidelines often conflict; (ii) the investment problem: demand for power is increasing faster than new grid construction; (iii) the reliability problem: operating rules should keep the grid up and running more of the time; (iv) the marketplace problem: in many instances, the production, transmission, and distribution of power is subject to unfair competition.
• Operating the grid will increasingly come to resemble the flight of combat aircraft, including the use of complex adaptive software.
Smart Self-Healing Grid
• What is “self-healing?” – A system that uses information, sensing, control and communication technologies to allow it to deal with unforeseen events and minimize their adverse impact.
• Why is the self-healing concept important to the energy infrastructure? – It is a secure “architected” sensing, communications, automation (control), and energy-overlaid infrastructure as an integrated, reconfigurable, and electronically controlled system that will offer unprecedented flexibility and functionality. It will also improve system availability, security, quality, resilience and robustness.
4 A STRESSED INFRASTRUCTURE
The major outage on 14 August 2003, in the eastern United States and the earlier California power crisis in 2000–2001 are only the most visible parts of a larger and growing US energy crisis from inadequate investments in the infrastructure, leading to a fundamental imbalance between growing demand and an almost stagnant supply. The imbalance had been brewing for many years and is prevalent throughout the nation. From a broader view, the North American electricity infrastructure is vulnerable to increasing stresses from several sources. One stress is caused by an imbalance between growth in demand for power and enhancement of the power delivery system to support this growth. From 1988 to 1998, the United States’ electricity demand rose by nearly 30%, but the capacity of its transmission network grew by only 15%. This disparity is likely to increase from 1999 to 2009: analysts expect demand to grow by 20%, while planned transmission systems grow by only 3.5%. Along with that imbalance, today’s power system has several sources of stress:
• Demand is Outpacing Infrastructure Expansion and Maintenance Investments. Generation and transmission capacity margins are shrinking and unable to meet peak conditions particularly when multiple failures occur, while electricity demand continues to grow.
• The Transition to Deregulation is Creating New Demands That Are Not Being Met. The electricity infrastructure is not being expanded or enhanced to meet the demands of wholesale competition in the industry; so connectivity between consumers and markets is at a gridlock.
• The Present Power Delivery Infrastructure Cannot Adequately Handle Those New Demands of High End Digital Customers and Twenty-First-Century Economy. It cannot support the levels of security, quality, reliability, and availability needed for economic prosperity.
• The Infrastructure Has Not Kept Up with New Technology. Many distribution systems have not been updated with current technology including IT.
• Proliferation of Distributed Energy Resources (DERs). DER includes a variety of energy sources—microturbines, fuel cells, photovoltaics, and energy storage devices—with capacities from approximately 1 kW to 10 MW. DER can play an important role in strengthening energy infrastructure. Currently, DER accounts for about 7% of total capacity in the United States, mostly in the form of backup generation, yet very little is connected to the power delivery system. By 2020, DER could account for as much as 25% of total US capacity, with most DER devices connected to the power delivery system.
• Return on Investment (ROI) Uncertainties Are Discouraging Investments in the Infrastructure Upgrades. Investing in new technology for the infrastructure can meet the aforementioned demands. More specifically, according to a June 2003 report by the NSF, R&D spending in the United States as a percent of net sales was about 10% in the computer and electronic products industry and 12% for the communication equipment industry in 1999. Conversely, R&D investment by electric utilities was less than 0.5% during the same period. R&D investment in most other industries is also significantly greater than that in the electric power industry.
• Concern about the National Infrastructure’s Security (1). A successful terrorist attempt to disrupt electricity supplies could have devastating effects on national security, the economy, and human life. Yet power systems have widely dispersed assets that can never be absolutely defended against a determined attack.
Competition and deregulation have created multiple energy producers that share the same energy distribution network, one that now lacks the carrying capacity or safety margin to support anticipated demand. Investments in maintenance, and research and development continue to decline in the North American electrical grid.
Yet, investment in core systems and related IT components is required to ensure the level of reliability and security that users of the system have come to expect. From a national security viewpoint, in the aftermath of the tragic events of September 11th and recent natural disasters and major power outages, there are increased national and international concerns about the security, resilience and robustness of critical infrastructures in response to evolving spectra of threats. Secure and reliable operation of these networks is fundamental to national and international economy, security and quality of life.³
³ Executive Order 13010, signed by President Clinton in 1996, defined critical infrastructures as “so vital that their incapacity or destruction would have debilitating impact on the defense or economic security of the United States” and included “telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water-supply systems, emergency services and continuity of government.” The US Department of Homeland Security (DHS) in the National Infrastructure Protection Plan has expanded the concept to include “key resources” and added food and agriculture, health and health care, defense industrial base, information technology, chemical manufacturing, postal and shipping, dams (including locks and levees), government facilities, commercial facilities, and national monuments and icons. The National Infrastructure Improvement Act (S. 1926) defines “infrastructure” as any of a number of components of the transportation system, water supply and control facilities, resource recovery facilities, and solid waste disposal facilities. While in our research we focus on a subset of (i) energy and power, (ii) cyber and telecommunications, (iii) transportation, (iv) banking and finance, and their couplings and interdependencies; elsewhere in our nation, all the 17 sectors identified by DHS are under study by the ASME, DHS, National Labs, and other organizations.
5 WHERE ARE WE AND HOW DID WE GET HERE?
The existing electricity infrastructure evolved to its technology composition today from the convolution of several major forces, only one of which is technologically based. Today, opportunities and challenges persist in worldwide electric power networks; these include reducing transmission congestion, increasing system/cyber security, increasing overall system and end-use efficiency while maintaining reliability, and so on. Many other challenges engage those who plan for the future of the power grid: producing power in a sustainable manner (embracing renewable fuels while accounting for their scalability limitations; for example, increased use of land and natural resources to produce more renewable electricity will not be sustainable, and thus will not be able to lower emissions from existing generators), delivering electricity to those who do not have it (not just on the basis of fairness but also because electricity is the most efficient form of energy, especially for things like lighting), using electricity more wisely as a tool of economic development, and pondering the possible revival of advanced nuclear reactor construction. To prepare for a more efficient, resilient, secure and sustainable electrical system it is helpful to remember the historical context, associated bottlenecks and forcing functions: As the readers of this article know, the trends of worldwide electrical grid deployment, costing trillions of dollars and reaching billions of people, began very humbly. Some obvious electrical and magnetic properties were known in antiquity. In the seventeenth and eighteenth centuries, partially through scientific experiments and partially through parlor games, more was learned about how electric charge is conducted and stored. 
But only in the nineteenth century, with the creation of powerful batteries, and through insights about the relations between electric and magnetic force could electricity in wires service large-scale industries—first the telegraph and then telephones. And only in the 1880s did the first grids come into being for bringing electrical energy to a variety of customers for a variety of uses, at first mostly for illumination but later for turning power machines and moving trolley cars. The most important of these early grids, the first established big city grid in North America, was the network built by Thomas Edison in lower Manhattan. From its power station on Pearl Street, practically in the shadow of the Brooklyn Bridge, Edison’s company supplied hundreds and then thousands of customers. Shortly thereafter, Edison’s patented devices, and those of his competitors—devices such as bulbs, switching devices, generators, and motors—were in use in new grids in towns all over the industrialized world. From a historical perspective the electric power system in the United States evolved in the first half of the twentieth century without a clear awareness and analysis of the system-wide implications of its evolution. In 1940, 10% of the energy consumption in America was used to produce electricity. By 1970, this had risen to 25%, and by 2002 it had risen to 40%. (Worldwide, current electricity production is near 15,000 billion kWh/year, with the United States, Canada, and Mexico responsible for about 30% of this consumption.) This grid now underlies every aspect of our economy and society, and it has been hailed by the National Academy of Engineering as the twentieth century’s engineering innovation that has been most beneficial to our civilization. 
The role of electric power has grown steadily in both scope and importance during this time and electricity is increasingly recognized as a key to societal progress throughout the world, driving economic prosperity, security and improving the quality of life. Still it is noteworthy that at the time of this writing, there are about 1.4 billion people in the world
with no access to electricity, and another 1.2 billion people have inadequate access to electricity (meaning that they experience outages of 4 h or longer per day). Once “loosely” interconnected networks of largely local systems, electric power grids increasingly host large-scale, long-distance wheeling (movement of wholesale power) from one region or company to another. Likewise, the connection of distributed resources, primarily small generators at the moment, is growing rapidly. The extent of interconnectedness, like the number of sources, controls, and loads, has grown with time. In terms of the sheer number of nodes, as well as the variety of sources, controls, and loads, electric power grids are among the most complex networks made. In the coming decades, electricity’s share of total energy is expected to continue to grow, as more efficient and intelligent processes are introduced into this network. Electric power is expected to be the fastest-growing source of end-use energy supply throughout the world. To meet global power projections, it is estimated by the US DOE/EIA that over $1 trillion will have to be spent during the next 10 years. The electric power industry has undergone a substantial degree of privatization in a number of countries over the past few years. Growth in power generation capacity is expected to be particularly strong in the rapidly growing economies of Asia, with China leading the way. The electric power grid’s emerging issues include: creating distributed management through using distributed intelligence and sensing; integration of renewable resources; use of active-control high voltage devices; developing new business strategies for a deregulated energy market; and ensuring system stability, reliability, robustness, and efficiency in a competitive marketplace and carbon-constrained world. 
In addition, the electricity grid faces (at least) three looming challenges: its organization, its technical ability to meet 25-year and 50-year electricity needs, and its ability to increase its efficiency without diminishing its reliability and security. As an example of historical bifurcation points, the 1965 Northeast blackout not only brought the lights down, it also marked a turn in grid history. The previous economy of scale, according to which larger generators were always more efficient than small machines, no longer seemed to be the only risk-managed option. In addition, in the 1970s two political crises—the Middle East war of 1973 and the Iranian Revolution in 1979—led to a crisis in fuel prices and a related jump in electric rates. For the first time in decades, demand for electricity stopped growing. Moreover, the prospects of power from nuclear reactors, once so promising, now faced public resistance and the resultant policy threats. Accidents at Brown’s Ferry, Alabama in 1974 and Three Mile Island, Pennsylvania in 1979, and rapidly escalating construction costs caused a drastic turnaround in orders for new facilities. Some nuclear plants already under construction were abandoned. In the search for a new course of action, conservation (using less energy) and efficiency measures (to use available energy more wisely) were put into place. Electrical appliances were reengineered to use less power. For example, while on the average today’s refrigerators are about 20% larger than those made 30 years ago, they use less than half the electricity of older models. Furthermore, the Public Utility Regulatory Policy Act (PURPA) of 1978 stipulated that the main utilities were required to buy the power produced by certain independent companies which cogenerated electricity and heat with great efficiency, providing the cost of the electricity was less than the cost it would take the utilities to make it for their own use. 
What had been intended as an effort to promote energy efficiency, turned out, in the course of the 1980s and 1990s, to be a major instigator of change in the power industry
as a whole. First, the independent power producers increased in size and in number. Then they won the right to sell power not only to the neighboring utility but also to other utilities further away, often over transmission lines owned by other companies. With the encouragement of the Federal Energy Regulatory Commission (FERC), utilities began to sell off their own generators. Gradually the grid business, which for so long had operated under considerable government guidelines since so many utilities were effective monopolies, became a confusing mixture of regulated and unregulated companies. Opening up the power industry to independent operators, a business reformation underway for some years in places like Chile, Australia, and Britain (where the power denationalization process was referred to as “liberalization”), proved to be a bumpy road in the United States. For example, in 2001 in the state of California, the effort to remove government regulations from the sale of electricity, even at the retail level, had to be rescinded in the face of huge fluctuations in electric rates, rolling blackouts, and amid allegations of price-fixing among power suppliers. Later that year, Enron, a company that had grown immense through its pioneering ventures in energy trading and providing energy services in the new freed-up wholesale power market, declared bankruptcy. Restructuring of the US power grid continues. Several states have put deregulation into effect in a variety of ways. New technology has helped to bring down costs and to address the need for reducing emission of greenhouse gases during the process of generating electricity. Examples include high efficiency gas turbines, integrated “microgrids” of small generators (sometimes in the form of solar cells or fuel cells), and a greater use of wind turbines. Much of the interest in restructuring has centered around the generation part of the power business and less on expanding the transmission grid itself. 
About 25 years ago, the generation capacity margin, the ability to meet peak demand, was between 25 and 30%. It has now reduced to less than half and is currently at about 10–15%. These “shock absorbers” have been shrinking; for example, during the 1990s actual demand in the United States increased by some 35%, while transmission capacity has increased by only 18%. In the current decade, the demand is expected to grow by about 20%, with new transmission capacity lagging behind at under 4% growth. In the past, extra generation capacity served to reduce the risk of generation shortages in case equipment failed and had to be taken out of production, or in case there was an unusually high demand for power, such as on very hot or cold days. As a result, capacity margins, both for generation and transmission, are shrinking. Other changes add to the pressure on the national power infrastructure as well. Increasing interregional bulk power transactions strain grid capacity. New environmental considerations, energy conservation efforts, and cost competition require greater efficiency throughout the grid. As a result of these “diminished shock absorbers,” the network is becoming increasingly stressed, and whether the carrying capacity or safety margin will remain to support anticipated demand is in question. The most visible parts of a larger and growing US energy crisis are the result of years of inadequate investments in the infrastructure. This neglect is caused partly by uncertainties over what government regulators will do next and what investors will do next. Growth, environmental issues, and other factors contribute to the difficult challenge of ensuring infrastructure adequacy and security. Not only are infrastructures becoming more complexly interwoven and more difficult to comprehend and control, there is less investment available to support their development. Investment is down in many industries. 
For the power industry, direct infrastructure investment has declined in an
environment of regulatory uncertainty due to deregulation, and infrastructure R&D funding has declined in an environment of increased competition because of restructuring. Electricity investment was not large to begin with. Presently the power industry spends a smaller proportion of annual sales on R&D than do the dog food, leather, insurance, and many other industries—less than 0.3% or about $600 million per year. Most industry observers recognize this shortage of transmission capability, and indeed many of the large blackouts in recent years can be traced to transmission problems, either because of faults in the lines themselves or in the coordination of power flow over increasingly congested lines. However, in the need to stay “competitive,” many energy companies, and the regional grid operators that work with them, are “flying” the grid with less and less margin for error. This means keeping costs down, not investing sufficiently in new equipment, and not building new transmission highways to free up bottlenecks.
6 CHIEF GRID PROBLEMS
Several cascading failures during the past 40 years have spotlighted our need to understand the complex phenomena associated with power network systems and the development of emergency controls and restoration. In addition to the mechanical failures, overloading a line can create power-supply instabilities such as phase or voltage fluctuations. For an AC power grid to remain stable, the frequency and phase of all power generation units must remain synchronous within narrow limits. A generator that drops 2 Hz below 60 Hz will rapidly build up enough heat in its bearings to destroy itself. So circuit breakers trip a generator out of the system when the frequency varies too much. But much smaller frequency changes can indicate instability in the grid: in the Eastern Interconnect, a 30 mHz drop in frequency reduces power delivered by 1 GW. According to data from the North American Electric Reliability Corporation (NERC) and analyses from the EPRI, average outages from 1984 to the present have affected nearly 700,000 customers per event annually. Smaller outages occur much more frequently and affect tens to hundreds of thousands of customers every few weeks or months, while larger outages occur every two to nine years and affect millions. Much larger outages affect seven million or more customers per event each decade. These analyses are based on data collected for the US DOE, which requires electric utilities to report system emergencies that include electric service interruptions, voltage reductions, acts of sabotage, unusual occurrences that can affect the reliability of bulk power delivery systems, and fuel problems. Coupling these analyses with diminished infrastructure investments, and noting that the cross-over point for the utility construction investment versus depreciation occurred in 1995, we analyzed the number and frequency of major outages along with the number of customers affected during 1991–2005. 
These data from the NERC’s Disturbance Analysis Working Group (DAWG) are a subset of the total outages that are required to be reported to DOE’s EIA. Going through the more comprehensive data sets from DOE’s EIA, during 2001–2005 there were 162 outages of 100 MW or more, and 150 outages affecting >50,000 consumers. In addition, analyzing outages in 2006 (NERC’s data), in 1 year we had: 24 occurrences over 100 MW and 34 occurrences over 50,000 or more consumers. At the core of the power infrastructure investment problem lie two paradoxes of restructuring, one technical and one economic. Technically, the fact that electricity supply
[Figure 1: bar chart of the number of US power outages over 100 MW and the number of US power outages affecting 50,000 or more customers, by period. 1991–1995: 66 occurrences over 100 MW, 41 occurrences over 50,000 consumers. 1996–2000: 76 occurrences over 100 MW, 58 occurrences over 50,000 consumers. 2001–2005: 140 occurrences over 100 MW, 92 occurrences over 50,000 consumers. Result: large blackouts are growing in number and severity. Note on figure: analyzing outages in 2006 we had 24 occurrences over 100 MW and 34 occurrences over 50,000 or more consumers.]
FIGURE 1 Historical analysis of outages 1991–2005 (please also note that annual increases in load, about 2% per year, and corresponding increase in consumers should also be taken into account). [Data courtesy of NERC’s Disturbance Analysis Working Group database.]
and demand must be in instantaneous balance at all times must be resolved with the fact that new power infrastructure is extraordinarily complex, time-consuming, and expensive to construct. Economically, the theory of deregulation aims to achieve the lowest price through increased competition. However, the market reality of electricity deregulation has often resulted in a business-focused drive for maximum efficiency to achieve the highest profit from existing assets, and not resulted in lower prices or improved reliability. Both the technical and economic paradoxes could be resolved by knowledge and technology. Whether or not the power industry renews its traditional levels of investment in research and in new transmission lines, or the government clarifies its regulatory role in the making and dispatching of electricity, the grid will have to go on functioning. Fortunately, several recent innovations promise to make better use of the existing electrical network.
Grid Challenges
Power produced in one place and used hundreds of miles away creates new opportunities, especially in terms of encouraging the construction of new power generation, possibly transmission, and in making full use of the power produced, rights of way and assets; but it also creates challenges:
1. Regulatory Challenges. More than ever power transmission is an interstate transaction. This has led to numerous conflicts between federal statutes applying
to energy and rules set up by public utility commissions in the various states. Generally the federal goal is to maximize competition, even if this means that traditional utility companies should divest themselves of their own generators. Since the 1990s, the process of unbundling utility services has brought about a major change in the way that energy companies operate. On the other hand, the goal of state regulators has generally been to provide reliable service and the lowest possible prices for customers in state.
2. Investment Challenge. Long-distance interstate routing, or “wheeling,” of power, much encouraged by the federal government, has put the existing transmission network, largely built in the 1970s and 1980s in a time of sovereign utilities, under great stress. Money spent by power companies on research is much lower than in past decades. Reserve power capacity, the amount of power-making to be used in emergencies, which was 25–30% 25 years ago is now at 10–15%.
3. Security, Reliability, and Innovation Challenges. The August 2003 Northeast blackout, when operators did not know of the perilous state of their grid and how a local power shutdown could propagate for hundreds of miles, leaving tens of millions in the dark, demonstrated the need for mandatory reliability rules governing the daily operation of the grid. Such rules are now coming into place.
4. Marketplace Challenges. Some parts of the power business operate now without regulations. Other parts, such as the distribution of power to customers might still be regulated in many states, but the current trend is toward removing rules. The hope here is that rival energy companies, competing for customers, will offer more services and keep their prices as low as possible. Unfortunately, in some markets, this has the risk of manipulating the market to create energy shortages, even to the extent of requiring rolling blackouts in an effort to push prices higher. 
These are recognized by the power companies and stakeholders in a rapidly changing marketplace. The public, usually at times of dramatic blackouts, and the business community, which suffers losses of over $80 billion per year, have taken notice. Even the Congress, which must negotiate the political fallout of power problems and establish laws governing the industry, takes up the problems of power transmission and distribution on a recurring basis, although usually in the context of the larger debate over energy policy. In the meantime, the US power grid has to be administered and electricity has to be delivered to millions of customers. Fortunately, many new remedies, software and hardware, are at hand.
7 OPTIONS AND POSSIBLE FUTURES—WHAT WILL IT TAKE TO SUCCEED?
Revolutionary developments in both information technology and material science and engineering promise significant improvement in the security, reliability, efficiency, and cost-effectiveness of all critical infrastructures. Steps taken now can ensure that critical
infrastructures continue to support population growth and economic growth without environmental harm. As a result of increased demand, regulatory uncertainty, and the increasing connectedness of critical infrastructures, it is quite possible that in the near future the ability, for example, of the electricity grid to deliver the power that customers require in real time, on demand, within acceptable voltage and frequency limits, and in a reliable and economic manner may become severely tried. Other infrastructures may be similarly tested. At the same time, deregulation and restructuring have added to the concern about the future of the electric power infrastructure (and other industries as well). This shift marked a fundamental change from an industry that was historically operated in a very conservative and largely centralized way as a regulated monopoly, to an industry operating in a decentralized way by economic incentives and market forces. The shift impacts every aspect of electrical power including its price, availability, and quality. For example, as a result of deregulation, the number of interacting entities on the electric grid (and hence its complexity) has been dramatically increasing while, at the same time, a trend toward reduced capacity margins has appeared. Yet when deregulation was initiated, little was known about its large-scale, long-term impacts on the electricity infrastructure, and no mathematical tools were available to explore possible changes and their ramifications. It was in this environment of concern that the smart self-healing grid was conceived. One event in particular precipitated the creation of its foundations: a power outage that cascaded across the western United States and Canada on 10 August 1996. This outage began with two relatively minor transmission-line faults in Oregon. 
But ripple effects from these faults tripped generators at McNary dam, producing a 500 MW-wave of oscillations on the transmission grid that caused separation of the primary West Coast transmission circuit, the Pacific Intertie, at the California–Oregon border. The result: blackouts in 13 states and provinces costing some $1.5 billion in damages and lost productivity. Subsequent analysis suggests that shedding (dropping) some 0.4% of the total load on the grid for just 30 min would have prevented the cascading effects and prevented large-scale regional outages (note that load-shedding is not typically a first option for power grid operators faced with problems). From a broader perspective, any critical national infrastructure typically has many layers and decision-making units and is vulnerable to various types of disturbances. Effective, intelligent, distributed control is required that would enable parts of the constituent networks to remain operational and even automatically reconfigure in the event of local failures or threats of failure. In any situation subject to rapid changes, completely centralized control requires multiple, high data rate, two-way communication links, a powerful central computing facility, and an elaborate operations control center. But all of these are liable to disruption at the very time when they are most needed (i.e. when the system is stressed by natural disasters, purposeful attack, or unusually high demand). Had the results of the CIN/SI been in place at the time of the August 2003 blackout, the events might have unfolded very differently. For example, fault anticipators located at one end of the high voltage transmission lines would have detected abnormal signals, and made adaptive reconfigurations of the system to sectionalize the disturbance and minimize the impact of component failures several hours before the line failed. The look-ahead simulations would have identified the line as having a higher than normal probability of failure. 
Quickly, cognitive agents (implemented as distributed software and hardware in the infrastructure components and in control centers) would have run failure scenarios on their virtual system models to determine the ideal corrective response. When the
high voltage line actually failed, the sensor network would have detected the voltage fluctuation and communicated the information to reactive agents located at substations. The reactive agents would have executed the predetermined corrective actions, isolating the high voltage line and rerouting power to other parts of the grid. No customer in the wider area would even be aware that a catastrophic event had been impending, or have noticed the lights flickering. Such an approach provides an expanded stability region with larger operational range. As the operating point nears the limit to how much the grid could have adapted (e.g. by automatically rerouting power and/or balancing by dropping a small amount of load or generation), rather than cascading failures and large-scale regional system blackouts, the system would be reconfigured to minimize severity or size of outages, to shorten duration of brownouts or blackouts, and to enable rapid and efficient restoration. This kind of distributed grid control has many advantages if coordination, communication, bandwidth, and security can be assured. This is especially true when the major components are geographically dispersed, as in large telecommunications, transportation, or computer networks. It is almost always preferable to delegate as much of the control as is practical to the local level. The simplest kind of distributed control would combine remote sensors and actuators to form regulators (e.g. intelligent electronically controlled secure devices), and adjust their set points or biases with signals from a central location. Such an approach requires a different way of modeling—of thinking about, organizing and designing—the control of a complex, distributed system. Recent research results from a variety of fields, including nonlinear dynamical systems, artificial intelligence, game theory, and software engineering have led to a general theory of complex adaptive systems (CAS).
Mathematical and computational techniques originally developed and enhanced for the scientific study of CAS provide new tools for the engineering design of distributed control so that both centralized decision-making and the communication burden it creates can be minimized. The basic approach to analyzing a CAS is to model its components as independent adaptive software and hardware “agents”—partly cooperating and partly competing with each other in their local operations while pursuing global goals set by a minimal supervisory function. If organized in coordination with the internal structure existing in a complex infrastructure and with the physics specific to the components they control, these agents promise to provide effective local oversight and control without need of excessive communications, supervision, or initial programming. Indeed, they can be used even if human understanding of the complex system in question is incomplete. These agents exist in every local subsystem—from “horseshoe nail” up to “kingdom”—and perform preprogrammed self-healing actions that require an immediate response. Such simple agents are already embedded in many systems today, such as circuit breakers and fuses as well as diagnostic routines. The observation is that we can definitely account for loose nails and save the kingdom. Another key insight came out of analysis of forest fires, by researchers at CalTech and UC-Santa Barbara, in one of the six funded consortia, which I led during 1998–2002. They found forest fires to have “failure-cascade” behavior, similar to electric power grids. In a forest fire the spread of a spark into a conflagration depends on how close together the trees are. If there is just one tree in a barren field and it is hit by lightning, it burns but no big blaze results.
But if there are many trees and they are close enough together—which is the usual case with trees because Nature is prolific and efficient in using resources—the single lightning strike can result in a forest fire that burns until it
reaches a natural barrier such as a rocky ridge, river, or road. If the barrier is narrow enough for a burning tree to fall across it, or it includes an inflammable flaw such as a wooden bridge, the fire jumps the barrier and burns on. It is the role of first-response wild-land fire fighters such as smoke jumpers, to contain a small fire before it spreads by reinforcing an existing barrier or scraping out a defensible fire line barrier around the original blaze. Similar results hold for failures in electric power grids. For power grids, the “one-tree” situation is a case in which every single electric socket had a dedicated wire connecting it to a dedicated generator. A lightning strike on any wire would take out that one circuit and no more. But like trees in Nature, electrical systems are designed for efficient use of resources, which means numerous sockets served by a single circuit and multiple circuits for each generator. A failure anywhere on the system causes additional failures until a barrier—such as a surge protector or circuit breaker—is reached. If the barrier does not function properly or is insufficiently large, the failure bypasses it and continues cascading across the system. These preliminary findings suggest approaches by which the natural barriers in power grids may be made more robust by simple design changes in the configuration of the system, and eventually show how small failures might be contained by active smoke-jumper-like controllers before they grow into large problems. Other research into fundamental theory of complex interactive systems explored means of quickly identifying weak links and failures within a system. CIN/SI developed, among other things, a new vision for the integrated sensing, communications, and control of the power grid. 
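The forest-fire analogy above can be run as a small percolation model. The following is an added example, not code from the chapter or from CIN/SI: trees stand in for interconnected circuits, the firebreak column for breakers or surge protectors, and a "flaw" for a protective device that fails to operate. The grid size, densities, seeds and function names are all assumptions chosen for illustration.

```python
import random
from collections import deque

EMPTY, TREE, BARRIER = 0, 1, 2


def build_forest(size, density, barrier_col=None, flaws=(), seed=0):
    """Return a size x size grid; each cell holds a tree with probability `density`.

    If barrier_col is given, that column becomes a firebreak, except at the rows
    listed in `flaws`, where a flammable gap (the "wooden bridge") is left.
    """
    rng = random.Random(seed)
    grid = [[TREE if rng.random() < density else EMPTY for _ in range(size)]
            for _ in range(size)]
    if barrier_col is not None:
        for row in range(size):
            grid[row][barrier_col] = TREE if row in flaws else BARRIER
    return grid


def burn(grid, start):
    """Spread breadth-first from `start` to 4-connected trees; return burned cells."""
    size = len(grid)
    if grid[start[0]][start[1]] != TREE:
        return set()
    burned = {start}
    frontier = deque([start])
    while frontier:
        r, c = frontier.popleft()
        for nr, nc in ((r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)):
            if (0 <= nr < size and 0 <= nc < size
                    and grid[nr][nc] == TREE and (nr, nc) not in burned):
                burned.add((nr, nc))
                frontier.append((nr, nc))
    return burned


def burned_fraction(grid, start):
    """Share of all trees (circuits) lost to one strike (one initiating fault)."""
    trees = sum(cell == TREE for row in grid for cell in row)
    return len(burn(grid, start)) / trees if trees else 0.0


def mean_burned_fraction(size, density, trials=20):
    """Average burned share over several seeded forests, strike at the centre."""
    centre = (size // 2, size // 2)
    total = 0.0
    for seed in range(trials):
        grid = build_forest(size, density, seed=seed)
        grid[centre[0]][centre[1]] = TREE  # the strike always hits a tree
        total += burned_fraction(grid, centre)
    return total / trials


if __name__ == "__main__":
    # Sparse forests contain the fire; dense ones let it cascade.
    for density in (0.3, 0.5, 0.6, 0.7, 0.9):
        share = mean_burned_fraction(40, density)
        print(f"density {density:.1f}: mean burned share {share:.2f}")
    # A fully dense forest split by a firebreak, intact versus one flawed cell.
    intact = build_forest(10, 1.0, barrier_col=5)
    flawed = build_forest(10, 1.0, barrier_col=5, flaws=(3,))
    print("intact barrier :", len(burn(intact, (0, 0))), "of 90 trees burned")
    print("one flawed cell:", len(burn(flawed, (0, 0))), "of 91 trees burned")
```

In the dense case a single flawed barrier cell is enough for the failure to reach every tree on the far side, which is why the reliability of each protective device matters as much as the layout of the barrier.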
Some of the pertinent issues are why or how to develop controllers for centralized versus decentralized control and issues involving adaptive operation and robustness to disturbances that include various types of failures. Modern computer and communications technologies now allow us to think beyond the protection systems and the central control systems to a fully distributed system that places intelligent devices at each component, substation and power plant. This distributed system will enable us to build a truly smart grid. One of the problems common to the management of central control facilities is the fact that any equipment changes to a substation or power plant must be described and entered manually into the central computer system’s database and electrical one-line diagrams. Often this work is done some time after the equipment is installed and there is thus a permanent set of incorrect data and diagrams in use by the operators. What is needed is the ability to have this information entered automatically when the component is connected to the substation—much as a computer operating system automatically updates itself when a new disk drive or other device is connected.
8 THE ROAD AHEAD A new mega-infrastructure is emerging from the convergence of energy (including the electric grid, water, oil and gas pipelines), telecommunications, transportation, Internet and electronic commerce. Furthermore, in the electric power industry and other critical infrastructures, new ways are being sought to improve network efficiency and eliminate congestion problems without seriously diminishing reliability and security. Electric power systems constitute the fundamental infrastructure of modern society. Often continental in scale, electric power grids and distribution networks reach virtually every home, office, factory, and institution in developed countries and have made
remarkable, if remarkably insufficient, penetration in developing countries such as China and India. The electric power grid can be defined as the entire apparatus of wires and machines that connects the sources of electricity and the power plants, with customers and their myriad needs. Once “loosely” interconnected networks of largely local systems, electric power grids now increasingly host large-scale, long-distance wheeling of power from one region to another. Likewise, the connection of distributed resources—at the moment, primarily small generators—is growing rapidly. The extent of interconnectedness, like the number of sources, controls, and loads, has grown with time. In terms of the sheer number of nodes, as well as the variety of sources, controls, and loads, electric power grids are among the most complex networks made. Global trends toward interconnectedness, privatization, deregulation, economic development, accessibility of information, and the continued technical trend of rapidly advancing information and telecommunication technologies all suggest that the complexity, interactivity, and interdependence of infrastructure networks will continue to grow. The existing electricity infrastructure evolved to its technology composition today from the convolution of several major forces, only one of which was technologically based. During the past 10 years, we have systematically scanned science and technology, investment, and policy dimensions to gain clearer insight on current science and technology assets when looked at from a consumer-centered future perspective, rather than just incremental contributions to today’s electric energy system and services. The goal of transforming the current infrastructures to self-healing energy-delivery, and computer and communications networks with the unprecedented robustness, reliability, efficiency and quality for customers and our society is ambitious.
This will require addressing challenges and developing tools, techniques, and integrated probabilistic risk assessment/impact analysis for wide-area sensing and control for digital-quality infrastructure such as sensors, communication and data management, as well as improved state estimation, monitoring and simulation linked to intelligent and robust controllers leading to improved protection and discrete-event control. These follow-on activities will build on the foundations of CIN/SI and current programs that include self-healing systems and real-time dynamic information and emergency management and control. More specifically, the operation of a modern power system depends on a complex system of sensors and automated and manual controls, all of which are tied together through communication systems. While the direct physical destruction of generators, substations, or power lines, may be the most obvious strategy for causing blackouts, activities that compromise the operation of sensors, communication and control systems by spoofing, jamming, or sending improper commands could also disrupt the system, cause blackouts, and in some cases result in physical damage to key system components. Hacking and cyber attacks are becoming increasingly common. Most early communication and control systems used in the operation of the power system were carefully isolated from the outside world, and were separate from other systems such as corporate enterprise computing. However, economic pressures created incentives for utilities to make greater use of commercially available communications and other equipment that was not originally designed with security in mind. Unfortunately from a security perspective, such interconnections with office and electronic business systems through other layers of communications created vulnerabilities. 
While this problem is now well understood in the industry and corrective action is being taken, we are still in a transition period during which some control systems have been inadvertently exposed
to access from the Internet, intranets, and remote dial-up capabilities that are vulnerable to cyber intrusions. Many elements of the distributed control systems now in use in power systems are also used in a variety of applications in process control, manufacturing, chemical process controls and refineries, transportation, and other critical infrastructure sectors and hence are vulnerable to similar modes of attack. Dozens of communication and cyber security intrusions, and penetration red-team “attacks” have been conducted by DOE, EPRI, electric utilities, commercial security consultants, KEMA, and others. These “attacks” have uncovered a variety of cyber vulnerabilities including unauthorized access, penetration and hijacking of control. While some of the operations of the system are automatic, ultimately human operators in the system control center make decisions and take actions to control the operation of the system. In addition to the physical threats to such centers and the communication links that flow in and out of them, one must also be concerned about two other factors: the reliability of the operators within the center, and the possibility that insecure code has been added to one of the programs in a central computer. The “insider” threat, as well as the risk of a “Trojan horse” embedded in the software of one or more of the control centers, is real, and can only be addressed by careful security measures, both within the commercial firms that develop and supply this software and through careful security screening of the utility and outside service personnel who perform software maintenance within the center. Today security patches are not always supplied to end users, or users are not applying the patches for fear of impacting system performance. Current practice is to apply the upgrades or patches after SCADA vendors thoroughly test and validate patches, sometimes incurring a delay of several months in patch deployment.
As an example related to numerous major outages, narrowly programmed protection devices have contributed to worsening the severity and impact of the outage—typically performing a simple on/off logic which acts locally as preprogrammed while destabilizing a larger regional interconnection. With its millions of relays, controls and other components, the parameter settings and structures of the protection devices and controllers in the electricity infrastructure can be a crucial issue. It is analogous to the poem “For want of a horseshoe nail . . . the kingdom was lost,” that is, relying on an “inexpensive 25 cent chip” and narrow control logic to operate and protect a multibillion dollar machine. As a part of enabling a smart self-healing grid, we have developed fast look-ahead modeling and simulation, precursor detection, adaptive protection, and coordination methods that minimize impact on the whole system performance (load dropped as well as robust rapid restoration). There is a need to coordinate the protection actions of such relays and controllers with each other to achieve overall stability. A single controller or relay cannot do all, and they are often tuned for worst cases; therefore control action may become excessive from a system-wide perspective. On the other hand, they may be tuned for the best case, and then the control action may not be adequate. This calls for coordinating protection and control—neither agent, using its local signal, can by itself stabilize a system; but with coordination among multiple agents, each using its local signal, the overall system can be stabilized. It is important to note that the key elements and principles of operation for interconnected power systems were established in the 1960s prior to the emergence of extensive computer and communication networks. Computation is now heavily used in all levels of the power network for planning and optimization, fast local control of equipment, and processing of field data.
But coordination across the network happens on a slower
time-scale. Some coordination occurs under computer control, but much of it is still based on telephone calls between system operators at the utility control centers, even (or especially!) during emergencies. Systems should be motivated by living beings’ resilience and robustness to operate to some degree after injury, by developing compensatory behaviors and to autonomously recover from unexpected damage through continuous self-modeling, thus providing increased “situational awareness,” and ability to be “damage adaptive,” to withstand and possibly recover from “injury,” attacks, or unexpected damage. Grid “self-modeling” could survive emergencies and adapt to new conditions quicker than grids that are not “self-conscious.” Enabled by distributed sensing and measurement and combined with Fast Modeling and Simulation we have developed and pilot tested data-driven control and operation of regional power grids, analogous to the continuous self-modeling and compensation of damaged fighter planes and intelligent robots in the face of unexpected damage. From a broader perspective, any critical national infrastructure typically has many layers and decision-making units and is vulnerable to various types of disturbances. Effective, intelligent, distributed control is required that would enable parts of the constituent networks to remain operational and even automatically reconfigure in the event of local failures or threats of failure. In any situation subject to rapid changes, completely centralized control requires multiple, high data rate, two-way communication links, a powerful central computing facility, and an elaborate operations control center. But all of these are liable to disruption at the very time when they are most needed (i.e. when the system is stressed by natural disasters, purposeful attack, or unusually high demand). 
When failures occur at various locations in such a network, the whole system breaks into isolated “islands,” each of which must then fend for itself. With the intelligence distributed, and the components acting as independent agents, those in each island have the ability to reorganize themselves and make efficient use of whatever local resources remain to them, in ways consonant with the established global goals to minimize adverse impact on the overall network. Local controllers will guide the isolated areas to operate independently while preparing them to rejoin the network, without creating unacceptable local conditions either during or after the transition. A network of local controllers can act as a parallel, distributed computer, communicating via microwaves, optical cables, or the power lines themselves, and intelligently limiting their messages to only that information necessary to achieve global optimization and facilitate recovery after failure. Over the last 12 years, our efforts in this area have developed, among other things, a new vision for the integrated sensing, communications, protection and control of the power grid. Some of the pertinent issues are why or how to develop protection and control devices for centralized versus decentralized control, and issues involving adaptive operation and robustness to various destabilizers. However, instead of performing in vivo societal tests which can be disruptive, we have performed extensive “wind-tunnel” simulation testing (in silico) of devices and policies in the context of the whole system along with prediction of unintended consequences of designs and policies to provide a greater understanding of how policies, economic designs and technology might fit into the continental grid, as well as guide in their effective deployment and operation. Advanced technology now under development or under consideration holds the promise of meeting the electricity needs of a robust digital economy.
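The islanding behavior described above, with each island using whatever local generation remains, can be sketched in a few lines. This is an added example and not the authors' controller design: the six-bus system, its megawatt figures and the load priorities are constructed for illustration, and shedding whole load blocks by priority is a simplifying assumption.

```python
from collections import defaultdict

# Constructed six-bus system (illustrative values, not from the chapter).
# Each load is (name, MW, priority); priority 1 is the most critical.
BUSES = {
    "A": {"gen": 400, "loads": [("industry", 120, 3), ("hospital", 40, 1)]},
    "B": {"gen": 0,   "loads": [("residential", 100, 2)]},
    "C": {"gen": 0,   "loads": [("commercial", 80, 3)]},
    "D": {"gen": 50,  "loads": [("residential", 90, 2), ("water_plant", 30, 1)]},
    "E": {"gen": 0,   "loads": [("commercial", 60, 3)]},
    "F": {"gen": 250, "loads": [("industry", 150, 3)]},
}
LINES = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "F"), ("B", "E")]


def find_islands(buses, lines, failed):
    """Return the connected groups of buses left after the failed lines are removed."""
    failed = {frozenset(line) for line in failed}
    adjacent = defaultdict(set)
    for a, b in lines:
        if frozenset((a, b)) not in failed:
            adjacent[a].add(b)
            adjacent[b].add(a)
    seen, islands = set(), []
    for bus in sorted(buses):
        if bus in seen:
            continue
        stack, island = [bus], set()
        while stack:
            node = stack.pop()
            if node in island:
                continue
            island.add(node)
            stack.extend(adjacent[node] - island)
        seen |= island
        islands.append(sorted(island))
    return islands


def balance_island(buses, island):
    """Shed the least critical load blocks until demand fits local generation."""
    generation = sum(buses[b]["gen"] for b in island)
    loads = [(prio, mw, b, name)
             for b in island for name, mw, prio in buses[b]["loads"]]
    demand = sum(mw for _, mw, _, _ in loads)
    shed = []
    # Least critical first (highest priority number), larger blocks first.
    for prio, mw, bus, name in sorted(loads, key=lambda x: (-x[0], -x[1])):
        if demand <= generation:
            break
        shed.append((bus, name, mw))
        demand -= mw
    return {"buses": island, "generation": generation,
            "served": demand, "shed": shed}


def islanding_plan(buses, lines, failed):
    """One local balancing decision per island, computed only from that island's data."""
    return [balance_island(buses, island)
            for island in find_islands(buses, lines, failed)]


if __name__ == "__main__":
    for plan in islanding_plan(BUSES, LINES, failed=[("B", "C"), ("D", "E")]):
        print(plan)
```

Each island's decision uses only data from its own buses, which mirrors the chapter's point that local controllers can act without waiting on a central facility.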
The architecture for this new technology framework is evolving through early research on concepts and the necessary enabling platforms. This architectural framework envisions an integrated,
self-healing, electronically controlled electricity supply system of extreme resiliency and responsiveness—one that is fully capable of responding in real time to the billions of decisions made by consumers and their increasingly sophisticated agents. The potential exists to create an electricity system that provides the same efficiency, precision, and interconnectivity as the billions of microprocessors that it will power.
9 COST AND BENEFIT Electricity shall prevail at the quality, efficiency and reliability that customers demand and are willing to pay for. On the one hand the question is who provides it; on the other hand it is important to note that achieving the grid performance, security and reliability is a profitable national investment, not a cost burden on the taxpayer. The economic payback is three to seven times and in some cases an order of magnitude greater than the money invested. Further, the payback starts with the completion of each sequence of grid improvement. The issue is not merely who invests money because that is ultimately the public, whether through taxes or kilowatt hour rates. Considering the impact of regulatory agencies, they should be able to induce the electricity producers to plan and fund the process. That may be the most efficient way to get it in operation. The current absence of a coordinated national decision-making body is a major obstacle. State’s rights and State PUC regulations have removed the individual State’s utility motivation for a national plan. Investor utilities face either collaboration on a national level, or a forced nationalization of the industry. Simply replicating the existing system through expansion or replacement will not only be technically inadequate to meet the changing demands for power, but will produce a significantly higher price tag. Through the transformative technologies outlined here, the nation can put in place a twenty-first century power system capable of eliminating critical vulnerabilities while meeting intensified consumer demands, and in the process, save society considerable expense. What is at stake is whether our national critical infrastructures and the underpinning interconnected networks will continue to function reliably and securely or not. This program will produce significant advances in the security, robustness, efficiency, and performance of the power grid and its interdependent infrastructures.
The tools indicated will provide unprecedented stability, reliability, efficiency, and service quality. A major outage (affecting 7 million or more customers) occurs about once every decade costing over $2 billion—smaller disturbances are commonplace with very high cost to the customers and our society. On a given day, there are 500,000 customers without power for 2 h or more in the United States. The above programs cost about $170–200 million per year for R&D, and up to about $400 million per year over a decade for fielding, testing and integration into the system. Therefore we can save about five to sevenfold in prevention and mitigation of disturbances. Other benefits include the following:
• builds a smart generation and delivery infrastructure, an “electrinet,” with in-built security;
• creates opportunities for a risk-managed integration of diverse risk-managed balanced portfolios of generation sources;
• improves security and observability of system operation and control;
• refines definition of system operating limits;
• serves transmission system market demands; minimizes transmission costs;
• reduces outage cost;
• improves system simulation models;
• improves management of system reliability and asset integration (from distributed generators and renewables, to central power plants).
As expressed in the July 2001 issue of Wired magazine: “The best minds in electricity R&D have a plan: Every node in the power network of the future will be awake, responsive, adaptive, price-smart, eco-sensitive, real-time, flexible, humming—and interconnected with everything else.” The technologies included, for example the concept of self-healing electricity infrastructure, methodologies for fast look-ahead simulation and modeling, adaptive intelligent islanding and strategic power infrastructure protection systems, are of special interest for improving grid security from terrorist attack.
10 NEXT STEPS How to control a heterogeneous, widely dispersed, yet globally interconnected system is a serious technological problem in any case. It is even more complex and difficult to control it for optimal efficiency and maximum benefit to the ultimate consumers while still allowing all its business components to compete fairly and freely. A similar need exists for other infrastructures, where future advanced systems are predicated on the near-perfect functioning of today’s electricity, communications, transportation, and financial services. From a national perspective, a key grand challenge before us is how do we redesign, retrofit, and upgrade the nearly 220,000 miles of electromechanically controlled system into a smart self-healing grid that is driven by a well-designed market approach. Creating a smart grid with self-healing capabilities is no longer a distant dream; we have made considerable progress. But considerable technical challenges as well as several economic and policy issues remain to be addressed. Funding and sustaining innovations, such as the self-healing grid, remain a challenge as utilities must meet many competing demands on precious resources while trying to be responsive to their stakeholders, who tend to limit R&D investments to immediate applications and short-term ROI. In addition, utilities have little incentive to invest in the longer term.
For regulated investor–owned utilities there is added pressure caused by Wall Street to increase dividends. Several reports and studies have estimated that for existing technologies to evolve and for the innovative technologies to be realized, a sustained annual research and development investment of $10 billion is required. However, the current level of R&D funding in the electric industry is at an all-time low. The investment rates for the electricity sector are the lowest rates of any major industrial sector with the exception of the pulp and paper industry. The electricity sector invests at most, only a few tenths of a percent of sales in research. This is in contrast to fields such as electronics and pharmaceuticals in which R&D investment rates have been running between 8 and 12% of net sales; all of these industry sectors fundamentally depend on reliable electricity. A balanced, cost-effective approach to investments and use of technology can make a sizable difference in mitigating the risk. Electricity shall prevail at the quality, efficiency,
and reliability that customers demand and are willing to pay for. On the one hand, the question is, “Who provides it?”; on the other hand, it is important to note that achieving the grid performance, security, and reliability is a profitable national investment, not a cost burden on the taxpayer. The economic payback is three to seven times greater than the money invested. Further, the payback starts with the completion of each sequence of grid improvement. The issue is not merely who invests money, because that is ultimately the public, but whether it is invested through taxes or kWh rates. Considering the impact of regulatory agencies, they should be capable of inducing the electricity producers to plan and fund the process; this may be the most efficient way to get it in operation. The current absence of a coordinated national decision-making body is a major obstacle. State’s rights and State PUC regulators have removed the individual State’s utility motivation for a national plan. Investor utilities face either collaboration on a national level or a forced nationalization of the industry.
ACKNOWLEDGMENTS I developed most of the context and many of the findings presented here while I was at the EPRI in Palo Alto (during 1998–2003), and for the Galvin Electricity Initiative (during 2005–2006). I gratefully acknowledge the feedback from Mr John Voeller (the editor of this series) and Dr James Peerenboom. The support and feedback from numerous colleagues at EPRI, universities, industry, national laboratories, and government agencies with funding from EPRI, NSF, and the ORNL is gratefully acknowledged.
REFERENCES 1. Amin, S. M. (2003). North America’s electricity infrastructure: are we ready for more perfect storms? IEEE Secur. Priv. Mag. 1(5), 19–25.
FURTHER READING Amin, S. M. (2008). For the good of the grid: toward increased efficiencies and integration of renewable resources for future electric power networks. IEEE Power Energy Mag. 6(6), 48–59. Amin, S. M., and Stringer, J. (2008). The electric power grid: today and tomorrow. MRS Bull. 33(4), 399–407. Amin, S. M., and Schewe, P. F. (2007). Preventing Blackouts. Scientific American, pp. 60–67. Schewe, P. F. (2007). The Grid: A Journey Through the Heart of our Electrified World. Joseph Henry Press. Amin, S. M. (2005). Scanning the technology: energy infrastructure defense systems. Spec. Issue Proc. IEEE 93(5), 857–871. Amin, S. M., and Gellings, C. (2006). The North American power delivery system: balancing market restructuring and environmental economics with infrastructure security. Energy 31(6–7), 967–999. Amin, S. M., Carlson, L. W., and Gellings, C. (2006). Galvin Electricity Initiative: Technology Scanning, Mapping and Foresight . Galvin Electricity Project, Inc., EPRI, Palo Alto, CA, Chicago, IL, p. 70.
Amin, S. M., and Wollenberg, B. F. (2005). Toward a smart grid: power delivery for the 21st century. IEEE Power Energy Mag. 3(5), 34–41. Amin, S. M. (2005). Energy infrastructure defense systems. Proc. IEEE 93 (5). Amin, S. M. (2005). Powering the 21st century: we can—and must—modernize the grid. IEEE Power Energy Mag., 93–96. Amin, S. M. (2004). Electricity. In Digital Infrastructures: Enabling Civil and Environmental Systems through Information Technology, R. Zimmerman, and T. Horan, Eds. pp. 116–140, Chapter 7. EPRI. (2003). Complex Interactive Networks/Systems Initiative: Final Summary Report—Overview and Summary Final Report for Joint EPRI and US DoD University Research Initiative. EPRI, Palo Alto, CA, p. 155. Amin, S. M. (2001). Special issues of IEEE control systems magazine on control of complex networks. 21 (6), (2002). 22(1). Amin, S. M. (2001). Toward self-healing energy infrastructure systems. cover feature in the IEEE Comput. Appl. Power 14(1), 20–28. Amin, S. M. (2000). Toward self-healing infrastructure systems. cover feature in the IEEE Comput. Mag. 33(8), 44–53. Amin, S. M. (2000). National infrastructures as complex interactive networks. In Automation, Control, and Complexity: An Integrated Approach, T. Samad, and J. Weyrauch, Eds. John Wiley and Sons, New York, pp. 263–286, chapter 14.
NANO-ENABLED POWER SOURCES
Enoch Wang Intelligence Community, Washington, D.C.
Daniel H. Doughty SION Power Corp, Tucson, Arizona
1 SCIENTIFIC OVERVIEW As with portable consumer electronics, there is an insatiable demand for more power in most military applications. The exponential growth in integrated circuit performance over the past 30 years, as predicted by Moore’s law, accelerated the demand for power in many consumer electronics and military devices. Unfortunately, the pace of development of electrochemical cells or other power sources cannot keep up with the exponential growth of the integrated circuit and has become a limiting technology for electronic microdevices such as miniaturized communication devices (Fig. 1). Although the number
2402
KEY APPLICATION AREAS
FIGURE 1 Photograph of a sensor “mote” (only 2 mm × 4 mm) containing a sensor, microprocessor, and communications electronics mounted on top of a much larger coin cell (from www-bsac. eecs.berkeley.edu). The operation of this device is limited by the lifetime of the battery.
of transistors per integrated circuit has been doubled every couple of years since 1970, the performance gain per year for commercial cells is usually a small percentage, depending on the cell chemistry. Battery technology performance has increased about 2% per year. The newer lithium-ion (Li-ion) rechargeable chemistry performance gain in terms of capacity has been about 12% per year since the introduction in 1991, but still has not kept pace with demand. Thus, the accelerating growth in the digital devices has often been limited by the incremental improvement in battery performance. Nanotechnology offers an opportunity for improvement in power and energy density of power sources [1]. Generally speaking, nanotechnology can be classified either as nanoscale fabrication technology of devices or the revolutionary enhancement of performance by using nanoscale materials. Nanomaterials are usually defined dimensionally, with features such as particle dimension or porosity in the range of 1–100 nm. Fabrication technology for nanodevices is based on the so-called “bottom-up” approach whereby complex structures are self-assembled from the atomic or molecular level, as is found in all biological systems. Progress in this area has been slow due to inadequate control at the atomic level with currently available equipment. On the other hand, much progress has been made in developing nanomaterials as evidenced by commercially available carbon nanotubes from many sources (recent search found >25 websites that claim to be “dedicated to nanotubes”). Nanomaterials hold the potential to be an enabling technology for energy storage and conversion devices by increasing energy storage capacity, discharge rate capability, or stability over the lifetime of the device. Thus, the focus of this article is to review nano-enabled power sources based on judicious implementation of nanostructured materials. 
1.1 High Power Cells
Increasing the power and rate capability of batteries is an important application of nanoscale materials. By reducing the particle size of the active materials from submicron to nanoscale, one should be able to increase diffusion rates in these solids by two orders of magnitude and improve the power capability. Typical battery active materials are on the order of 10 μm (10,000 nm). Because of the diffusion distance required, full charge and discharge usually require a period of 30 min to 1 h to diffuse through 10,000 nm. According to the diffusion equation, the diffusion time, t, is proportional to r²/D, where r is the diffusion length and D is the diffusion coefficient. It is difficult to decrease drastically the intrinsic diffusion coefficient, but one can shorten the diffusion length by 2–3 orders of magnitude through the use of nanomaterials, and achieve minute or subminute charge or discharge rates. One such example is the nano-lithium titanate (nano-Li4Ti5O12) of approximately 30 nm. Nano-Li4Ti5O12 was demonstrated to have greater than 80% utilization at a 10C (6 min) continuous discharge rate, while 1 μm macro-Li4Ti5O12 had only about 10% utilization at the same discharge rate [2] (Fig. 2). As an anode, nano-Li4Ti5O12 enables fast-charge Li-ion cells, as demonstrated in Toshiba’s 1-min charge Li-ion cells [3].
[Figure 2 plot: percentage discharge capacity versus discharge rate (1C, 5C, 10C) for particle sizes of 78, 150, 240, 360, and 1000 nm.]
FIGURE 2 Nano- versus macro-Li4Ti5O12 capacity utilization under high discharge rates [2].
Another example of a nano-enabling material is the olivine lithium iron phosphate, LiFePO4. The low electronic conductivity of LiFePO4 results in very poor rate performance. However, when LiFePO4 is reduced to the nanodomain and coated with nanocarbon particles, the conductivity and power density were improved by up to seven orders of magnitude and one order of magnitude, respectively [4]. High power Li-ion cells based on modified nano-LiFePO4 are being commercialized by A123Systems. These cells were claimed to be capable of delivering about one order of magnitude more power (>3000 W/kg) than conventional Li-ion cells [5], similar to a supercapacitor but with the energy density of a rechargeable battery, albeit a lower energy density than conventional Li-ion cells. Similarly, by reducing the particle size to nanoscale, one can also enhance the high power performance of electrochemical capacitors.
In an electrochemical capacitor, charge is stored on the surface of a porous, high-surface-area electrode, and not in the bulk of the material. Very high surface area leads to high power delivery, and capacitances of ∼100 F/g have been measured with carbon foams. Because there is no movement of mass within the electrode material and therefore no change in volume in the anode or cathode during charge and discharge, the cycle life of these systems is essentially infinite, but the specific energy is very poor, typically less than 1 Wh/kg. However, using an asymmetric hybrid configuration, containing one battery electrode and one electrochemical double-layer capacitor electrode, Amatucci et al. have demonstrated energy density greater than 20 Wh/kg at a power density of 3000 W/kg [6]. The asymmetric capacitor was enabled by the nano-Li4Ti5O12, which enabled not only high power but also high cycle life. Cycle life greater than 1 million cycles was demonstrated using the nano-Li4Ti5O12 (Fig. 3), which has unique zero volume change during cycling. Thus, the asymmetric capacitors serve to bridge the performance gap between batteries (high energy but low power) and capacitors (high power but low energy).
[Figure 3 plot: cell capacity (Ah) versus cycle number, 0 to 1,200,000 cycles, for a 2 in. × 3 in. bicell (AC/LTO), MR = 4.2; voltage 1.4–2.8 V; current 1 A; annotation: 4.1 years.]
FIGURE 3 Cycle life of nano-Li4Ti5O12 versus carbon asymmetric electrochemical capacitor [courtesy of Prof. Amatucci of Rutgers University].
Nanotech-enabled optimization should also lead to new high power-density electrochemical capacitors as a consequence of the recent determination of the true nature of pseudocapacitance in hydrous ruthenium oxide (designated as RuO2·xH2O). For x = 0.5, 720 F/g can be stored in hydrous ruthenium oxide [7], 5–10 times greater than that stored in high-surface-area carbon supercapacitors. This form of the material appears amorphous to X rays, but upon medium-range structural analysis was shown to form a nanocomposite of metallic, anhydrous rutile-like RuO2 nanocrystallites whose surfaces contain proton-conductive structural water associated with Ru–O [8]. The competing percolation networks of electronic and protonic conduction pathways provide the optimized multifunctionality of hydrous ruthenium oxide for energy storage. This new structural understanding on the nanoscale can also serve as a new archetype for the design of charge-storage materials.
1.2 High Capacity Cells
Nanomaterials open new options in preparing high capacity electrode materials. Today’s high energy batteries rely almost exclusively on lithium or lithiated compounds since lithium is the lightest metal in the periodic table, has a high oxidation potential, large electrochemical equivalence, and good conductance. The energy density of lithium cells, and especially of state-of-the-art (SOA) Li-ion cells, is limited by the energy density of the positive materials. The current SOA positive materials utilize intercalation reactions, which are limited in the amount of lithium transferred, thereby limiting electron transfer to typically less than 1e− per compound such as LiMeO2, where Me is a transition metal.
$$1e^- + 1\mathrm{Li}^+ + \mathrm{Me}^{4+}\mathrm{O}_2 \leftrightarrow \mathrm{LiMe}^{3+}\mathrm{O}_2$$
An alternative to the intercalation mechanism is to utilize the concept of reversible conversion compounds, where multiple electrons can be transferred to the active electrode material to reduce it fully to the metal state and later reoxidize it back to the original compound.
$$3e^- + 3\mathrm{Li}^+ + \mathrm{Me}^{3+}\mathrm{X}_3 \leftrightarrow 3\mathrm{LiF} + \mathrm{Me}^0$$
In theory, these reactions can lead to a specific energy greater than 1500 Wh/kg, or in a practical cell about 3× that of the SOA Li-ion cells based on a LiCoO2 positive electrode. Such reactions have been shown to exist for dichalcogenides and nitrides in the reaction range of 0.5–1.5 V [9]. To increase the potential of such reactions by at least 1 V, highly ionic halides are preferred over oxides, which are used in almost all lithium cells. Of the halides, the metal fluorides are most attractive due to their light weight and low solubility in nonaqueous electrolyte solvents relative to the heavier halides such as Cl and Br.
The theoretical attractiveness of metal fluorides as electrodes for primary cells has been known for over four decades. However, metal fluoride electrodes have not often been realized, in part because metal fluorides are very high bandgap materials, resulting in electronic insulator characteristics. Amatucci et al. at Rutgers ESRG have demonstrated the enablement of a variety of high bandgap, insulating metal fluorides as reversible conversion electrodes through the use of nanocomposite technology [10]. By fabricating the desired metal fluoride materials as 20 nm crystallites in a small amount of conducting matrix, the electrochemical activity of these materials has been enabled. The reduction to nanocrystallite size (reducing electron path length by three orders of magnitude) has a threefold effect: developing a large volume of interface that is defect rich, creating surface states that assist both electron and ion diffusion, and enabling a larger portion of the material to be activated via electron tunneling reactions. A number of systems have been enabled, exhibiting near theoretical conversion voltages (2–3.2 V) and specific capacities from 400 to 700 mAh/g. Systems including fluorides and in some cases oxyfluorides of Fe, Ni, Co, Cr, Bi, and Cu have been enabled. Of these, CuF2 has been identified as a promising electrode material for primary cells, and FeF3 and BiF3 as promising electrode materials for rechargeable cells (Fig. 4) [11].
Nanotechnology also plays a key role in improving the effectiveness of the negative materials used in lithium cells. Firstly, in addition to the aforementioned enhanced power performance, smaller particle sizes mean less internal stress on the electrodes during intercalation/deintercalation (the binder is more compressible and can more effectively tolerate the volume change), which could lead to increased cycle life. Secondly, smoother electrodes may also allow one to use thinner separators and/or electrolyte—again improving battery performance. Finally, one can replace carbon with a material that reversibly binds more than a single lithium atom per six host atoms (for example, Sn or Si). Nanosize composite anodes (e.g. carbon/silicon) offer the potential to take advantage of much
higher capacity anode materials (e.g. Li4.4Si has 10 times the capacity of LiC6), and the smaller particle size can accommodate stresses that would fracture larger particles. This gives both higher capacity and reasonable stability on cycling [12]. The 40 wt% Si composite, which was the most silicon-rich composite that was tested, had a maximum reversible capacity of 1345 mAh/g, and it still delivered 745 mAh/g, more than twice the capacity of LiC6, in the 20th cycle. Sony announced the “Nexelion” cell in 2005 with a carbon/Sn alloy anode [13], which increased the capacity per volume by 30%. In February 2007, Panasonic announced a further 40% increase in capacity by using an alloy anode [14] and, although we do not know the composition, nanomaterials are suspected because they can accommodate the strain produced by the >300% volumetric expansion that accompanies conversion to Li alloy (e.g. conversion of Si to the lithiated compound Li22Si5 has a 325% expansion). These advances in materials enable the production of high energy cells and batteries—Panasonic claims to have reached 740 Wh/l at the cell level.
[Figure 4 plots: voltage versus specific capacity (mAh/g of composite) for (a) a BiF3 nanocomposite, i = 45.45 mA/g, first cycle, RT, and (b) a CuF2 nanocomposite compared with macro-CuF2.]
FIGURE 4 Theoretical capacity utilization enabled in (a) nano-BiF3 and (b) nano-CuF2.
2 GLOBAL EFFORT ON NANO-ENABLED POWER SOURCE TECHNOLOGIES
Ongoing research programs in the government (e.g. National Nanotechnology Initiative) and commercial sector are likely to benefit energy conversion technology. Fuel cells are of worldwide commercial interest, and DARPA has existing programs in thermoelectric materials development. The Department of Homeland Security should analyze and exploit these developments if nanotech-related breakthroughs appear that are relevant to its special needs.
Outside the United States, the most publicized R&D effort on nanotechnologies for power sources is the European consortium, Alistore [15]. Launched in 2004, the main objective of Alistore is to develop high power and high energy lithium cells based on nanomaterials. The consortium consisted of 16 European university research groups, and the University of Picardie at Amiens, France, was the program administrator. Other European companies are also very active in developing nanomaterials for fuel cells and energy harvesting technologies such as photovoltaic cells and thermoelectric energy harvesters.
Government-sponsored nanotechnology efforts for power sources are not as well publicized among the Asian countries. However, there is already a strong effort by Japanese companies to commercialize nanomaterials such as carbon nanotubes for energy-related applications [16]. On the basis of the open literature, we anticipate that Asian countries such as Japan, China, and South Korea will become major players in nano-enabling materials for power sources within the next few years. NEDO in Japan has committed 2B for developing carbon nanotubes for high performance capacitors.
3 CRITICAL NEEDS ANALYSIS
Improved energy storage technology will benefit homeland security by providing increased performance across a wide range of portable electronics, including sensors, transmitters, and communication devices. Nanotechnology has strong potential to enable the development of batteries, capacitors, and hybrid systems with enhanced power and/or energy performance, which will enable the fabrication of micropower sources. In addition to the high power and high energy cells that were discussed above, technical areas that could be impacted by improvements in nanomaterials are other types of battery materials (e.g. electrolytes and separators) and fuel cells. The advent of micromachining and now nanomachining technology, combined with new and improved materials, provides opportunities for improving the performance of energy harvesting schemes.
3.1 3D Battery Architecture and Novel Fabrication Methods
Micropower sources capable of providing reliable rechargeable power under extreme conditions are critical to the development of security applications such as small autonomous distributed sensors. However, as Figure 5 illustrates, the energy density of the batteries decreases almost linearly as the size of the batteries decreases due to decreasing packaging efficiency. In addition, as batteries are reduced to the microscale, it becomes impractical (and almost impossible) to assemble cell stacks via the conventional layer-by-layer stacking approach. Extreme alignment precision is required in order to avoid any shorting between the microelectrodes. This necessitates the use of microelectronic fabrication techniques such as vacuum deposition. To date, the most mature microbattery is based on the all solid-state thin-film technology, first developed by Bates et al. [17]. The active components are typically less than 20 μm thin and the solid-state lithium phosphorus oxynitride (LiPON) separator is only a few micrometers thick in order to compensate for the low conductivity of the LiPON electrolyte. However, because of poor packaging, most of the cells exhibit poor energy density (Wh/l).
[Figure 5 plot: energy density (Wh/l) versus volume (ml, logarithmic axis from 1 to 10,000) for commercial prismatic Li-ion cells.]
FIGURE 5 Energy density decreases with cell size in commercial prismatic Li-ion cells. (Energy density calculated based on data in Table 35.13, D. Linden and T. B. Reddy, Eds., Handbook of Batteries, 3rd ed., McGraw Hill, New York, p. 35.36.)
The core concept behind the 3D battery is to develop novel nanoarchitecture by more efficient use of available space in the z direction, resulting in interpenetrating electrodes. The concepts, shown schematically in Figure 6, are the topics of current research. Scaling of these architectures to realistic battery sizes is not yet proven. 3D architectures are clearly optimal when one is constrained in volume (e.g. for thin-film cells or smart motes). Fabrication strategies play a key role here; novel techniques such as the use of Langmuir–Blodgett thin films, layer-by-layer self-assembly, template synthesis, and semiconductor processing (e.g. lithography and etching to define microstructures followed by deposition to add materials) are not yet available or are prohibitively expensive. It is important to note that the periodic arrangements of 3D configured anodes and cathodes lead to nonuniform current distributions [18], while interpenetrating, conformal, aperiodic arrangements do not. Finally, Belcher et al. at MIT [20] reported virus-assembled electrochemically active cobalt oxide for use in lithium batteries.
However, the complex command and control needed for viruses to self-assemble into the positive and negative electrodes remains to be demonstrated in order to achieve the ultimate goal of a virus self-assembled microbattery.
3.2 Membranes, Separators, and Electrolytes
Self-assembly of nanostructures may produce advanced functional materials for this application as well. Shape control can allow synthesis of tubular structures with enhanced ionic conductivity. Surfactant templating methods [21] have produced interesting materials for battery electrolytes, and the same technology could be used for fuel cell electrolytes. This approach could also be applied to membranes in metal/air batteries (sometimes termed semi-fuel cells) to allow selective transport of oxygen while rejecting carbon dioxide and water. Additionally, commercialization of high energy rechargeable systems (e.g. Li/sulfur and Li/air) would be enabled by stabilizing the lithium interface, which results in cycle life and safety improvements.
Although nanotechnology may not play a role in the chemistry of liquid electrolytes, it can potentially be exploited to improve separator performance. For example, new separator materials designed with large numbers of nanoscale pores may allow for thinner materials with enhanced ionic conductivity. Opportunities also include tailoring the separator nanostructure using organic/inorganic composite electrolytes to improve both physical stability (i.e. prevent physical contact of the electrodes) and conductivity [22]. Self-assembly processes may also be effective in depositing extremely thin separator layers on anode and cathode surfaces. If both the pore size/shape and the pore chemistry could be controlled effectively, one can envision ions rapidly moving through empty channels, thereby forming a “liquid-like” separator without any liquid.
FIGURE 6 Schematic representation of 3D architectures including (a) an array of interdigitated cylindrical cathodes and anodes; (b) an interdigitated plate array of cathodes and anodes; (c) a rod array of cylindrical anodes (cathodes) with a thin layer of ion conducting electrolyte with the remaining free volume filled with cathode (anode) material; (d) a sponge architecture in which the solid network of the “sponge” serves as both the cathode and the current collector; it is coated with a thin electrolyte and the remaining free volume is filled with an interpenetrating, continuous anode. [See Figure 2 in Reference 19, page 4466].
The ionic conductivity of solid-state electrolytes is generally far less than that of liquid electrolytes due to limited ion mobility and the hopping of charge from one unit cell to the next. However, by making the electrolyte layers extremely thin and stable, effective (albeit low power density) batteries can be made; for example, LiPON functions as a micrometer-scale electrolyte in rechargeable thin-film lithium batteries [23]. Optimization of the nanostructure of these materials may lead to increased conductivity (grain boundary/defect diffusion) and thinner layers without shorting (again leading to enhanced conductivity), and thus to improved power capability.
3.3 Electrodes and Electrocatalysts for Fuel Cells
These components are critical to the function of a fuel cell since they catalyze the electrochemical reduction of oxygen at the cathode and the oxidation of fuel at the anode. Breakthroughs in electrocatalysts might revolutionize fuel cells by giving them fuel flexibility and increasing power output, as well as by increasing their tolerance to chemical species that tend to poison them (e.g. carbon monoxide or sulfur-containing moieties). New synthetic methodologies might allow for the control of fuel cell electrode microstructures. Nanostructured catalysts may enhance reaction kinetics by dramatically increasing electrode surface area and restricting reactions to confined regions of the active surface. In one study, high catalytic activity resulted from the high active surface area of the catalysts supported within an ultraporous electrode nanoarchitecture [24]. High-surface-area materials are extremely reactive, which often causes problems during synthesis (e.g. nanophase metals are often capped with organic ligands after synthesis to prevent sintering reactions). The goal is to maintain the high surface area of nanostructured catalysts, while avoiding agglomeration, sintering, or restructuring during use. Self-assembly on the nanoscale using shape control of catalytic materials (e.g. bimetallic catalysts) might also be important [25].
3.4 Thermoelectric Devices
Temperature differences can be used to generate power. The power density scales with temperature difference. A 5 °C temperature difference can generate 40–80 μW/cm² with existing thermoelectric technology. This temperature difference can be generated from man-made sources (parasitic devices placed on warm surfaces such as automobile engines, pipelines, and heaters), environmental gradients (in the soil, water, or at their interface), and within animals (one company has announced one such device for human implantation) [26]. While static conversion of heat into electricity has been an area of research for many decades, the promise of producing tailored nanostructures has prompted renewed interest in several energy conversion schemes. Nanotechnology offers the potential for improved efficiencies, since shrinking the characteristic dimensions of a device to nanometer length scales influences electron and phonon behavior.
The efficiency of thermoelectric devices can also be characterized by the figure of merit, ZT, where Z is the power factor and T is the absolute temperature. A limitation of thermoelectrics designed around standard bulk materials is that most metallic conductors (high σ materials) have low Seebeck coefficients (a few microvolts per kelvin, whereas ≥100 μV/K would be more desirable), while the electron and phonon contributions to thermal conductivity make it difficult to achieve both high σ and low κ in the same material. As a result, the ZT remained at 1 or less for the last 40 years. Recently, researchers from Research Triangle Institute were able to increase the ZT to about 2.4 in p-type thin-film superlattices of Bi2Te3/Sb2Te3 [27]. The nanostructured superlattice layers vary from 1 to 5 nm. The thermal conductivity and the electrical resistivity are reduced due to blocked phonon transmission and enhanced carrier mobility, respectively, in the nanothick superlattice layer. Quantum confinement of electronic charge carriers within regions of reduced dimensionality has the potential to increase the power factor [28]. Increased phonon scattering that occurs when interfaces are separated by distances comparable to phonon wavelengths can reduce the lattice thermal conductivity [27]. These approaches require tailored nanometer-scale materials synthesis techniques, as the critical dimension for confinement is ∼10 nm. One can reduce dimensionality in one dimension (confinement in a plane) to three dimensions (confinement in a “quantum dot”). Improved materials synthesis and characterization techniques on the nanoscale, as well as advances in the theory and characterization of nanodimensional solids, are required.
3.5 Photovoltaics
The energy conversion efficiency of photovoltaics (including thermophotovoltaic or TPV devices) may also be increased by effects associated with reduced dimensionalities on the nanometer scale. Photonic lattices have sharp absorption and emission peaks at their photonic band edges. By tuning the emission peak of a photonic crystal (emitter) to the bandgap energy of a photodiode (energy conversion device), one could increase the overall conversion efficiency of TPVs [29]. The conversion efficiency might also be increased by evanescent coupling of an infrared emitter to a photodiode in very close (subwavelength) proximity [30].
Another approach to improving the photovoltaic (PV) efficiency is to increase the intrinsic quantum efficiency of the PV material via the use of quantum dots. The exact mechanism for the quantum dot enhancement is still not well understood, though it is speculated to be related to enhanced electron–hole interaction due to quantum confinement. In conventional PV material such as Si, one electron–hole pair (or exciton) is generated per photon. The feasibility of generating multiple excitons per photon was demonstrated in various quantum dot materials such as PbSe quantum dots, leading to a multifold increase in quantum efficiency [31]. However, it remains a challenge to design high efficiency PV devices based on the quantum dots, and PV device efficiency enhancement over 100% has yet to be demonstrated.
Nanoscale optimization of the interfaces between disparate materials in organic light-emitting diodes (OLEDs), organic solar cells, and thin-film solar cells represents another opportunity. Nanosize oxide particles (e.g. TiO2 or ZnO) with organic sensitizers bound to the surface are proposed as a new class of solar cells, and controlled interfaces are the key to improving the efficiency of these devices [32]. Modeling advancements are required to direct the materials synthesis and processing efforts.
4 RESEARCH DIRECTIONS
Nanotechnology enables the rational design of power source devices and structures with optimized storage, conductivity, density, and optical and electronic properties. The potential for tailoring of chemical composition and morphology at the nanometer scale will provide the opportunity for unprecedented control of materials properties. The following are specific areas that need to be investigated:
1. Nanomaterial synthesis and characterization.
• Performance optimization is a balancing act between electron/ion/mass transport and electrode kinetics, but independent control of transport multifunction is difficult to do with bulk materials. In batteries, disorder improves mass transport of insertion ions, but sufficient order (even on the nanoscale) must be retained to move electrons. As the particle size is reduced, the relative fraction of atoms at the surface significantly increases, to the point that three-dimensional particles begin to exhibit the characteristics of two-dimensional objects.
• By creating 2D structures with specific surface chemistry and morphology, one can control the interface between materials or phases, so as to elicit the desired behavior. The combination of nanomaterials and an interface-chemistry approach has enabled the rapid implementation of the insulating LiFePO4 phase in practical Li-ion cells and allowed us to foresee the use of Si as an alternative to the nanostructured Sn-graphite-based negative electrode. There also exists the possibility of tailoring the optical and electronic characteristics of a material, which strongly influence energy conversion processes, allowing us to envision the production of improved catalysts and electrolytes for fuel cells, as well as improved thermoelectrics and photovoltaics.
2. Nanoarchitectures to develop novel energy conversion and storage devices.
• Nanotechnology will enable realization of devices with increased energy or power. For example, by maximizing the interfacial area between the anode and cathode while minimizing their separation, one can increase the power density of a cell dramatically. Improvements in energy density are attained by processing very thin electrolytes and better packing of materials. Such multifunctional concepts have the potential to further decrease the size and weight of a system for a given mission.
• Nanomachining technology, combined with new and improved materials, opens up opportunities both for improving the performance of energy harvesting schemes and for realizing highly miniaturized versions of systems that are familiar at a larger scale.
Creation of exciting new materials and architectures for batteries, electrochemical capacitors, fuel cells, as well as other energy conversion devices holds the potential to meet the intense need for increased energy and power for electronic devices of interest to the homeland security community.
REFERENCES
1. National Academy of Science. Nanotechnology for the Intelligence Community, National Research Council of the National Academies, National Academy Press, Washington, DC, May 2005.
2. Plitz, I., Dupasquier, A., Badway, F., Gural, J., Pereira, N., Gmitter, A., and Amatucci, G. G. (2006). The design of alternative nonaqueous high power chemistries. Appl. Phys. A82, 615–626. DOI: 10.1007/s00339-005-3420-0.
3. http://www.technewsworld.com/story/hardware/41889.html [March 30, 2005].
4. Herle, P. S., Ellis, B., Coombs, N., and Nazar, L. F. (2004). Nano-network electronic conduction in iron and nickel olivine phosphates. Nat. Mater. 3, 147–152.
5. http://www.a123systems.com/newsite/index.php#/products/cells26650/, 2008.
6. Amatucci, G. G., Badway, F., Du Pasquier, A., and Zheng, T. (2001). An asymmetric hybrid nonaqueous energy storage cell. J. Electrochem. Soc. 148, A930–A939.
7. Zheng, J. P., Cygan, P. J., and Jow, T. R. (1995). Hydrous ruthenium oxide as an electrode material for electrochemical capacitors. J. Electrochem. Soc. 142, 2699–2703.
8. Dmowski, W., Egami, T., Swider-Lyons, K. E., Love, C. T., and Rolison, D. R. (2002). Local atomic structure and conduction mechanism of nanocrystalline hydrous RuO2 from X-ray scattering. J. Phys. Chem. B 106, 12677–12683.
9. Winter, M., and Besenhard, J. O. (1999). Rationalization of the low-potential reactivity of 3d-metal-based inorganic compounds toward Li. Electrochim. Acta 45, 31. See also Poizot, P., Laruelle, S., Grugeon, S., Dupont, L., and Tarascon, J.-M. (2000). Nano-sized transition-metal oxides as negative-electrode materials for lithium-ion batteries. Nature 407, 496–499.
10. Amatucci, G. G., and Pereira, N. (2007). Fluoride based electrode materials for advanced energy storage devices. J. Fluor. Chem. 128(4), 243–262. DOI:10.1016/j.jfluchem. 2006.11.016. 11. (a) Badway, F., Mansour, A., Plitz, I., Pereira, N., Weinstein, L., Yourey, W., and Amatucci, G. G. (2006). Enabling aspects of metal halide nanocomposites for reversible energy storage. J. Electrochem. Soc. 153, A799; (b) Bervas, M., Yakshinskiy, B. Klein, L. C., and Amatucci, G. G. (2006). Soft-chemistry synthesis and characterization of bismuth oxyfluorides and ammonium bismuth fluorides. J. Am. Ceram. Soc. 89, 645–651. 12. Roberts, G. A., Gross, K. J., Ingersoll, D., Spangler, S. W., and Wang, J. C. (2003). Silicon/Carbon Composite Negative Electrode Materials, Sandia National Laboratories SAND Report for Unlimited Release, SAND2002-8627. See also Kevin Bullis, Technology Review Published Online, (25 October 2006) http://www.technologyreview.com/Energy/17653/page2/. 13. http://www.sony.net/SonyInfo/News/Press/200502/05-006E/index.html, 2008. 14. http://www.dailytech.com/Article.aspx?newsid=6094, 2008. 15. http://www.u-picardie.fr/alistore/new page 2.htm, 2008. 16. http://www.smalltimes.com/Articles/Article Display.cfm?ARTICLE ID=267721&p=109, 2008. 17. Bates, J. B., Dudney, N. J., Gruzalski, G. R., and Luck, C. F. (1994). Thin film battery and method for making same. US Patent 5338625. 18. Hart, R. W., White, H. S., Dunn, B., and Rolison, D. R. (2003). 3-D microbatteries. Electrochem. Commun. 5, 120–123. 19. Long, J. W., Dunn, B., Rolison, D. R., and White, H. S. (2004). Three-dimensional battery architectures. Chem. Rev. 104, 4463–4492. DOI 10.1021/cr020740l. 20. Nam, K., Kim, D.-W., Yoo, P. J., Chiang, C.-Y., Meethong, N., Hammond, P. T., Chiang, Y.-M., and Belcher, A. (2006). Sciencexpress/ www.sciencexpress.org/06 April. 21. Kim, H. J., Lee, H. C., Rhee, C. H., Chung, S. H., Lee, K. H., and Lee, H. C. (2003). Alumina nanotubes containing Li of high ion mobility. J. Am. 
Chem. Soc. 125, 13354–13355. 22. Bronstein, L. M., Joo, C., Karlinsey, R., Ryder, A., and Zwanziger, J. W. (2001). Solid hybrid polymer electrolyte networks: nano-structurable materials for lithium batteries. Chem. Mater. 13, 3678. 23. (a) Bates, J. B., Dudney, N. J., Gruzalski, G. R., Zuhr, R. A., Choudhury, A., Luck, C. F., and Robertson, J. D. (1992). Effects of deposition condition on the ionic conductivity and structure of amorphous lithium. Solid State Ionics 647, 53–56.; (b) Bates, J. B., Dudney N. J., Neudecker, B., Ueda, A., and Evans C. D. (1997). Thin-film lithium and lithium-ion batteries. J. Electrochem. Soc. 144, 524. 24. Anderson, M. L., Stroud, R. M., and Rolison, D. R. (2002). Enhancing the activity of fuel-cell reactions by designing three–dimensional nanostructured architectures: catalyst-modified carbon-silica composite aerogels. Nano Lett. 2, 235–240; correction: Nano Lett . 2003, 3, 1321. 25. Approaches to Combat Terrorism (ACT) (2003). Opportunities for Basic Research, Joint Workshop by The Directorate of the Mathematical and Physical Sciences, NSF and the Intelligence Community, National Science Foundation, http://www.mitre.org/public/act/10 22 final.pdf). 26. http://adsx.com/prodservpart/thermolife.html, 2008. 27. Venkatasubramanian, R., Silvola, E., Colpitts, T., and O’Quinn, B. (2001). Thin-film thermoelectric devices with high room-temperature figures of merit. Nature 413, 597–602. DOI: 10.1038/35098012. 28. (a) Hicks, L. S. and Dresselhaus, M. S. (1993). Effect of quantum-well structures on the thermoelectric figure of merit. Phys. Rev. B 47, 12727–12731. DOI: 10.1103/PhysRevB.47.12727;
(b) Majumdar, A. (2004). Thermoelectricity in semiconductor nanostructures. Science 303, 777–778. 29. Fleming, J. G., Lin, S. Y., El-Kady, I., Biswas, R., and Ho, K. M. (2002). All-metallic three-dimensional photonic crystals with a large infrared bandgap. Nature 417, 52–55. 30. DiMatteo, R. S., Greiff, P., Finberg, S. L., Young-Waithe, K. A., Choy, H. K. H., Masaki, M. M., and Fonstad, C. G. (2001). Enhanced photogeneration of carriers in a semiconductor via coupling across a nonisothermal nanoscale vacuum gap. Appl. Phys. Lett. 79, 1894. 31. Schaller, R. D., and Klimov, V. I. (2004). High efficiency carrier multiplication in PbSe nanocrystals: implications for solar energy conversion. Phys. Rev. Lett. 92, 186601. DOI:10.1103/PhysRevLett.92.186601. 32. Grätzel, M. (2001). Sol-gel processed TiO2 films for photovoltaic applications. J. Sol-Gel Sci. Technol. 22, 7–13.
PUBLIC HEALTH
THREAT FROM EMERGING INFECTIOUS DISEASES Roger W. Parker DoD Veterinary Food Analysis and Diagnostic Laboratory, Fort Sam Houston, Texas
1 AGROTERRORISM POTENTIAL OF EMERGING INFECTIOUS DISEASES
The US National Strategy for Homeland Security identifies agriculture, food, and water among the critical infrastructure sectors that must be protected. Agroterrorism is an intentional criminal act perpetrated on some segment of the agriculture or food industry intended to inflict harm (e.g. public health crisis or economic disruption). Although the use of biological weapons against targets by state-sponsored terrorists, rogue terrorist groups, and even isolated individuals is highly unpredictable, there have been attempts to assess risks [1]. In June 1999, the US Centers for Disease Control and Prevention (CDC) convened a meeting of national experts to review potential general criteria for selecting the bioagents that pose the greatest threats to civilians, concluding in a list divided into three categories (A, B, and C) based on such criteria as threat to national security, public health impact (disease and death), production and delivery potential, public perception as related to public fear and potential civil disruption, and special public health preparedness needs [2]. Many of the agents are associated with emerging infectious diseases [3], an important subset because of potential limited experience in management of cases or outbreaks and lack of appropriate resources [4]. Emerging infectious diseases are those in which incidences have recently increased as a result of the introduction of a new agent, recognition of an existing disease that has previously gone undetected, a reappearance (reemergence) of a known disease after a decline in incidences, or an extension of the geographic range of a known disease [4].
2 THREAT DEVELOPMENT
This article offers a description of risk factors involved in threats on agriculture and food systems critical for a nation’s revenue or defense. It is important to predict plausible
targets and credible events to avoid being surprised by and be unprepared for terrorist attacks [1, 5]. Although examples used are kept to a minimum, considering the abundant possibilities as can be found in public literature, the threat risks from glanders and melioidosis are presented in more detail. 2.1 Availability and Cost For many decades, widely published sources have identified the bioagents suitable for nefarious applications and have provided the technical information on how to produce them in bulk [6]. Despite efforts to restrict the acquisition of dangerous bioagents, it is likely that terrorists and criminals, with some microbiological expertise, will be able to obtain an agent that they want when they want it [7]. Agents have been rated as most available if readily obtainable from soil, animal, insect, or plant sources; somewhat available if mainly available only from clinical specimens, clinical laboratories, or regulated commercial culture suppliers; and, least available if only from nonenvironmental, noncommercial, or nonclinical sources such as high-level security research laboratories [2, 6]. Some examples of soil-borne pathogens include Bacillus anthracis, Clostridium botulinum, Clostridium perfringens, Burkholderia mallei , and Burkholderia pseudomallei . The ease with which such naturally occurring agents can be acquired varies among geographic regions, according to specific prevalence [1]. The anthrax agent, B. anthracis, can be found worldwide in areas of predominately alkaline soils. Endemic anthrax in nature characteristically occurs in herbivores grazing contaminated land or eating contaminated feed [8, 9]. Also, there can be contamination of naturally occurring B. anthracis in the wool, hair, or hides of these herbivores. Other environmental sources for pathogens include surface and coastal waters, the ecology of which can serve as reservoirs for Giardia, Cryptosporidium, Naegleria fowleri , Vibrio cholerae, and Vibrio vulnificus. 
Zoonotic bioagents (transmissible from animal hosts or reservoirs to humans) naturally available in animals include Yersinia pestis (rodents), Brucella melitensis (small ruminants), Francisella tularensis (rodents, rabbits, and hares), B. mallei (equine), and Nipah virus (porcine). Naturally sourced foreign animal disease threats to US agriculture include foot-and-mouth disease (FMD) virus (in ungulates), hog cholera (porcine), rinderpest virus (bovine), African swine fever virus (porcine), African horse sickness virus (equine), and velogenic Newcastle disease virus (avian). Among the plant pathogens available in nature, which could threaten agriculture production are Candidatus Liberibacter americanus (citrus greening disease), Peronosclerospora philippinensis (Philippine downy mildew of maize), Phakopsora pachyrhizi (Asian soybean rust), Ralstonia solanacearum (southern bacterial wilt in many plants), Xanthomonas oryzae (bacterial leaf blight in rice), Xylella fastidiosa (citrus variegated chlorosis strain), Tilletia indica (karnal bunt of wheat), and Puccinia fungi (stem rust for cereals and wheat). It is not uncommon for biological weapons to be referred to as the “poor man’s weapon of mass destruction.” Bacterial pathogen and toxin production can use basic and easily available equipment (e.g. culture media, flasks, vials, incubators or fermenters, and microscopes) in facilities ranging from crude makeshift labs to advanced, state-run facilities [10]. Viral production using egg or cell cultures requires more advanced technology. It has been estimated that less than a few hundred thousand dollars would be needed for bioagent research, testing, production, and weaponization. However, Kathleen Bailey, a national security analyst and a former assistant director of the US Arms Control and Disarmament Agency, has speculated that it may only require tens of thousands of dollars,
using a modestly equipped 15 × 15 ft room [6]. Among the cost for terrorists to consider would be risk of self-inoculation of virulent organisms like F. tularensis and B. anthracis. 2.2 Ease and Route of Dissemination The bioagent must be collected in sufficient quantities or cultured to reach the dose required to cause harm, and additional procedures may be necessary in the preparation of the final product in a gaseous, liquid, or solid form [1]. Because a bioagent may be inconspicuous during delivery, the first evidence of a biological attack may be the onset of disease, days or even weeks later, making it difficult or impossible to determine that an outbreak resulted from an intentional act [7]. Other dissemination factors to consider are the stability of the agent and potential for host-to-host transmission of the agent [2]. A contagious microorganism may be disseminated at lower doses because it could spread in secondary waves of infection following its multiplication in the infected hosts [1]. Of potentially greater impact but smaller probability (because of very complex technology) is terrorist dissemination of a bioagent in an aerosol cloud [7, 11]. During biological warfare defense programs, it was calculated that an ideal aerosol cloud should consist of particles of 1–5 μm in size, as particles much larger than 5 μm do not penetrate into the lungs (they tend to settle out of the air relatively quickly and are filtered out by the upper respiratory tract) and smaller particles do not remain in the lungs (they are likely to be breathed out) [12]. Intentional aerosol contamination of production crops would be less complicated in that plant pathogens could be disseminated by a crop duster or even hand spray pumps [13]. Terrorists can also spread bioagents by contaminating food anywhere in the food system’s continuity. 
Tommy Thompson, former Secretary of the US Department of Health and Human Services, stated in 2004, “For the life of me, I cannot understand why the terrorists have not attacked our food supply, because it is so easy to do” [14]. Contamination at a centralized facility may affect large numbers of people down the distribution chain. Contamination at the retail outlet may have more limited direct population reach but still escalate because of the terror aspect. Contamination of food that will not be subject to further cooking is the most vulnerable, unless a heat-resistant bioagent or toxin is used. The most successful recent foodborne attack was perpetrated by a religious cult, known as the Rajneeshees, employing Salmonella typhimurium in restaurant salad bars against the people of The Dalles, a small town in Oregon, in August and September 1984 [7]. Deliberate contamination of municipal water systems is also a target of concern but fortunately direct harmful effects would be limited by dilution, disinfection, filtration, and nonspecific inactivation [15]. Smaller water sources are more vulnerable as evidenced in 1990 when nine people in Edinburgh, United Kingdom, were infected with Giardia lamblia when the water-supply tank of their apartment building was deliberately contaminated with fecal material [16]. A reliable mode for small-scale dissemination of bioagents would be direct application or injection of victims with a pathogen or toxin [7]. On a larger scale, infected food handlers could maliciously serve as modern-day “Typhoid Mary(s)”, purposely harboring and transmitting Shigella, Salmonella, Campylobacter, V. cholerae, Giardia, Cryptosporidium parvum, Cyclospora cayetanensis, Balantidium coli, Entamoeba histolytica, Ascaris lumbricoides, hepatitis A virus, norovirus, and rotavirus.
It would seem that nature does not need assistance from terrorists as one highly cited source estimates that foodborne diseases cause approximately 76 million illnesses, 325,000 hospitalizations, and 5000 deaths in the United States each year [17].
Intentional transmission of diseases through insect vectors is also a potential risk. Some examples include plague (transmitted by certain flea species), yellow fever (carried by a specific mosquito species, Aedes aegypti ), and typhus (spread by the body louse, Pediculus humanus corporis) [7]. During World War II, Japanese planes were suspected of dropping plague-infected fleas in advance of plague epidemics affecting China and Manchuria [18]. Among the challenges to overcome is establishing a program to breed and infect the necessary vectors and controlling them following release [7]. An example of an agent that is potentially harmful regardless of its route of dissemination is B. anthracis. Anthrax in humans is frequently classified as per the route by which the disease is acquired: cutaneous anthrax acquired through a skin lesion, gastrointestinal tract anthrax contracted from ingestion of contaminated food (primarily meat from an animal that died of the disease), and pulmonary (inhalation) anthrax from breathing in airborne anthrax spores [9, 19]. It is commonly considered that FMD virus can be introduced into a free area by various means: direct or indirect contact with infected animals through aerosols, feeding contaminated garbage, and contact with contaminated objects. After a susceptible animal becomes infected, rapid and exponential spread via respiratory aerosols can occur. 2.3 Virulence and Susceptible Host Range Biological agents can be used to attack a wide variety of targets including humans, animal herds, and food at any point during the farm-to-food continuum (including stored or processed food) [20]. The pathogens considered and attempted over history have involved a wide spectrum of virulence, from those with little ability to cause disease or disability to some of the agents deemed most deadly [7, 11]. 
The CDC Category A agents generally have the potential to cause high morbidity and mortality with Category B agents threatening moderate morbidity and mortality [2]. Many of the diseases in the CDC bioterrorism categories are of zoonotic nature. For example, apparently all warm-blooded species can be infected by B. anthracis [9]. While it appears that humans are moderately resistant to anthrax [9], such innate resistance can be overcome by sufficient exposure level, poor prior health or immune status of the exposed individual, or by the use of a strain of B. anthracis possessing critical virulence factors [7, 19]. Concerning susceptible animal populations, it has been recommended that farm operators and veterinarians maintain expertise in recognizing and reporting suspected foreign animal diseases [21]. Among the educational resources is the list published by the Office International des Epizooties (OIE) (available at http://www.oie.int/eng/ maladies/en classification.htm) concerning animal diseases that are highly infectious, capable of rapidly spreading across international borders, and having the potential to inflict catastrophic economic losses and social disruption. As an example, there are many subtypes of FMD virus of varying virulences, which can sicken cloven-hoofed domestic and wild animals. An FMD outbreak can widely spread through an area using sheep as maintenance hosts, pigs as amplifiers, and cattle as indicators. 2.4 Impact and Public Perception Depending upon the efficiency of an aerosol dissemination system and the population density of targets, a biological weapon could produce up to hundreds of thousands of casualties [6]. Even without inflicting an actual illness or physical injury, a terrorist can achieve objectives of fear, societal disruption, and/or economic damage (considering the
usage of hoaxes) [1]. Notoriety of a bioagent can influence the public perception from its use or threatened use. The fearsome anthrax agent is the most frequent pathogen of recent historical use or threat. Dr W. Seth Carus has researched nearly 270 alleged bioterrorism or biocrime cases involving biological agents used in crimes and found B. anthracis associated with at least 113 cases, largely due to the growing popularity of anthrax threats [7]. Confirmation of an anthrax attack would result in expensive and time-, labor-, and resource-consuming control and decontamination measures to include treatment of human cases, isolation of animal cases, quarantine of exposed animals, animal carcass disposal, and environmental decontamination [9]. One published estimate of economic impact of an aerosolized anthrax attack scenario against humans reached $26.2 billion per 100,000 persons exposed [22]. Because of the uncertainty and fear surrounding anthrax attacks, it has been estimated that for every exposed person, an additional 15 may request medical intervention because of exposure concerns [22]. To a lesser extent but of still significant burden, will be the resulting control and recovery measures for confirmed agroterrorism events with any other agents. Because agriculture disease outbreaks have the potential to cause economic chaos, plants and livestock are an attractive target to potential terrorists [13, 23]. In 2001, the US Food and Fiber system (FFS) provided employment for 23.7 million Americans (e.g. farmers, processors, manufacturers, wholesalers, retailers, restaurateurs, and transporters) and was a supplier of products worldwide [24]. The total FFS economy added $1.24 trillion to the nation’s gross domestic product (GDP); 12.3% of the nation’s total GDP [24]. 
Briefly, concerning economic downstream instability, every bushel of wheat, corn, or soybeans, in addition to beef carcasses and pork bellies, has a futures contract written in United States and foreign exchanges, meaning multidimensional financial losses on unfulfilled contracts, including damage on handling and transportation commerce [13]. The scale of nationwide FMD outbreaks is mind-boggling (e.g. in 1997, Taiwan slaughtering over 8 million pigs, over $20 billion estimated total cost; in 2001, the United Kingdom destroying 4.2 million animals, approximately $9.6 billion in direct compensation payments) [13]. Similarly, introduction of foreign animal diseases in the United States would require drastic rapid measures, usually disease eradication, to reopen agriculture exports. Eradication efforts are costly. For example, in 1983–1984 the control and eradication of a highly pathogenic avian influenza outbreak cost the US Department of Agriculture $60 million and the average cost of one dozen eggs increased by 5% [25]. To complete hog cholera eradication during the 1971–1977 outbreak, the US government spent $79 million [26]. Because animals have special places in families and society, any animal disease tragedy reflects on and in people. For example, the 2001 FMD outbreak in England was accompanied and followed by human distress, feelings of bereavement, fear of a new disaster, and loss of trust in authority and control systems [27].
3 GLANDERS AND MELIOIDOSIS
The agents causing glanders (B. mallei) and melioidosis (B. pseudomallei) are closely related mesophilic (optimal temperature for growth is 37 °C), gram-negative rods. Glanders is primarily a disease affecting equines, involving the upper respiratory tract (purulent nasal discharge) and the lungs (pneumonia). Farcy is the cutaneous form (nodules, pustules, and ulcers) of the equine disease.
Melioidosis is primarily a human disease ranging from asymptomatic pulmonary consolidation to localized cutaneous or visceral abscesses, necrotizing pneumonia, or rapidly fatal septicemia [28].
3.1 Availability and Cost
The glanders agent has either disappeared or been eradicated from most areas of the world. Of particular concern is that recent reports of glanders are mostly from Middle Eastern and Asian countries such as Turkey, United Arab Emirates, Iraq, Iran, India, Pakistan, Mongolia, and China [29]. Rogue or state-sponsored terrorists could acquire this agent via natural sources. The melioidosis organism can likewise be acquired by terrorists as it is free-living on dead organic material in certain soils, mud, and waters in many tropical and subtropical areas of Africa, America, Asia, Australia, Pacific Islands, India, and the Middle East [28, 30]. In Thailand it is considered to be a disease of rice farmers [28]. Both of the Burkholderia organisms can be cultured on simple media, including nutrient, blood, and MacConkey agar [31]. Bulk culture of the agents would expose laboratory workers to significant occupational disease risk [32]. Because both are Category B select agents, acquisition from laboratory sources would require theft or other illegal activities.
3.2 Ease and Route of Dissemination
Historically, Burkholderia agents were viewed as suitable bioweapons because of their ability to initiate infection in normal individuals via aerosol [31]. Inhalation delivery would require complex technical work by terrorists with uncertain success. Because wound infections are common in nature, a terrorist may be able to induce disease by contaminated wound-inducing debris or shrapnel. Oral exposure may be a concern because it is thought that ingestion could cause clinical disease especially in immunocompromised or overwhelmed hosts. Despite the apparent ease with which melioidosis may be acquired from the environment, there is little evidence of the secondary spread from cases of the disease [31].
3.3 Virulence and Susceptible Host Range Glanders primarily affects horses, donkeys, and mules, but can be naturally contracted by goats, dogs, and cats [33]. Various animals, including sheep, goats, horses, swine, monkeys, and rodents can become infected with melioidosis [28]. Human clinical melioidosis is uncommon, generally occurring in individuals with impaired immunocompetence whose nonintact skin had intimate contact with contaminated soil or surface water [28]. Approximately two-thirds of melioidosis cases have a predisposing medical condition such as diabetes, cirrhosis, alcoholism, or renal failure [28]. Four clinical forms of glanders and melioidosis are generally described: localized infection (skin, brain, or visceral abscesses, lymphadenitis, osteomyelitis, septic arthritis), pulmonary infection, septicemia, and chronic suppurative infections of the skin, soft tissues, or viscera [33]. Of these two diseases, glanders is ranked as a higher threat than melioidosis because of a greater likelihood of death if not treated [2]. 3.4 Impact and Public Perception Although terrorism from the Burkholderia agents may not cause widespread direct clinical illnesses, there would still be significant psychological impact because of the infamous history of these biothreats. It is known that during World War I, Germany distributed cultures of B. mallei to undercover agents who attempted to infect livestock that were
to be shipped to Allied countries [34]. Glanders was among the agents used to infect human victims by Japan’s notorious Unit 731 in Manchuria under the direction of Ishii Shiro [35]. Purported victims may worry for a long time because although the incubation period for melioidosis can be as short as 2 days, there are cases where years have elapsed between presumed exposure and appearance of clinical disease [28]. As an intentionally introduced foreign animal disease, the US agricultural system and horse-owning population would be significantly disaffected with required quarantine, test, and eradication programs for glanders. It may take time before it is recognized in a previously uninfected region. Initial cases may be misdiagnosed and animal carriers would spread the disease in the regular course of commerce and movement. It is a notifiable disease to the OIE and export restrictions would be placed on US origin equines. Environmental contamination or threatened contamination by Burkholderia agents may involve troublesome detection procedures to separate these agents from other ubiquitous microbiological relatives, including other Burkholderia spp. and the Pseudomonas spp. REFERENCES 1. Elad, D. (2005). Risk assessment of malicious biocontamination of food. J. Food Prot. 68(6), 1302–1305. 2. Rotz, L. D., Khan, A. S., Lillibridge, S. R., Ostroff, S. M., and Hughes, J. M. (2002). Public health assessment of potential biological terrorism agents. Emerg. Infect. Dis. 8(2), 225–230. 3. Whitehouse, C. A., Schmaljohn, A. L., and Dembek, Z. F. (2007). Emerging infectious diseases and future threats. In Medical Aspects of Biological Warfare, Z. F. Dembek, Ed. Borden Institute, Washington, DC, pp. 579–607. 4. Feldmann, H., Czub, M., Jones, S., Dick, D., Garbutt, M., Grolla, A., and Artsob, H. (2002). Emerging and re-emerging infectious diseases. Med. Microbiol. Immunol. 191(2), 63–74. DOI: 10.1007/s00430-002-0122-5. 5. Tucker, J. B. (2004). 
Biological threat assessment: is the cure worse than the disease? Arms Control Today. 34(8), 13–19. 6. Falkenrath, R. A., Newman, R. D., and Thayer, B. A. (1998). America’s Achilles’ Heel: Nuclear, Biological, and Chemical Terrorism and Covert Attack , MIT Press, Cambridge, MA. 7. Carus, W. S. (2002). Bioterrorism and Biocrimes: The Illicit Use of Biological Agents Since 1900 , Fredonia Books, Amsterdam. 8. Purcell, B. K., Worsham, P. L., and Friedlander, A. M. (1997). Anthrax. In Medical Aspects of Biological Warfare, Z. F. Dembek, Ed. Borden Institute, Washington, DC, pp. 69–90. 9. Turnbull, P. C. B. (1998). Guidelines for the Surveillance and Control of Anthrax in Human and Animals, 3rd ed., World Health Organization, Geneva. 10. Frerichs, R. L., Salerno, R. M., Vogel, K. M., Barnett, N. B., Gaudioso, G., Hickok, L. T., Estes, D., and Jung, D. F. (2004). Historical Precedence and Technical Requirements of Biological Weapons Use: a Threat Assessment , Sandia Report. May, 1854, pp. 1–76. 11. Kortepeter, M. G., and Parker, G. W. (1999). Potential biological weapons threats. Emerg. Infect. Dis. 5(4), 523–527. 12. Eitzen, E. M. (1997). Use of biological weapons. In Medical Aspects of Chemical and Biological Warfare, F. R. Sidell, E. T. Takafuji, and D. R. Franz, Eds. Borden Institute, Washington, DC, pp. 437–450. 13. Gilmore, R. (2004). US food safety under siege? Nat. Biotechnol. 22(12), 1503–1505. 14. Neild, B. (2006). Agroterrorism: How Real is the Threat? Sep 25. Available at http://www.cnn. com/2006/WORLD/americas/09/25/agroterrorism/, accessed March 7, 2009.
15. Anonymous (2004). Precautions against the sabotage of drinking-water, food, and other products. In Public Health Response to Biological and Chemical Weapons—WHO Guidance, J. P. P. Robinson, Exec. Ed. 2nd ed., World Health Organization, Geneva, pp. 294–319.
16. Ramsay, C. N., and Marsh, J. (1990). Giardiasis due to deliberate contamination of water supply. Lancet 336, 880–881.
17. Mead, P. S., Slutsker, L., Dietz, V., McCaig, L. F., Bresee, J. S., Shapiro, C., Griffin, P. M., and Tauxe, R. V. (1999). Food-related illness and death in the United States. Emerg. Infect. Dis. 5(5), 607–625.
18. Anonymous (2001). History of biological warfare and current threat. In USAMRIID’s Medical Management of Biological Casualties Handbook, M. Kortepeter, G. Christopher, T. Cieslak, R. Culpepper, R. Darling, J. Pavlin, J. Rowe, K. McKee, and E. Eitzen, Eds. 4th ed., U.S. Army Medical Research Institute of Infectious Diseases, Fort Detrick, MD, pp. 3–10.
19. Anonymous (2001). Anthrax. In USAMRIID’s Medical Management of Biological Casualties Handbook, M. Kortepeter, G. Christopher, T. Cieslak, R. Culpepper, R. Darling, J. Pavlin, J. Rowe, K. McKee, and E. Eitzen, Eds. 4th ed., U.S. Army Medical Research Institute of Infectious Diseases, Fort Detrick, MD, pp. 26–35.
20. Dembek, Z. F., and Anderson, E. L. (2007). Food, waterborne, and agricultural diseases. In Medical Aspects of Biological Warfare, Z. F. Dembek, Ed. Borden Institute, Washington, DC, pp. 21–38.
21. Noah, D. L., Noah, D. L., and Crowder, H. R. (2002). Biological terrorism against animals and humans: a brief review and primer for action. J. Am. Vet. Med. Assoc. 221(1), 40–43.
22. Kaufmann, A. E., Meltzer, M. I., and Schmid, G. E. (1997). The economic impact of a bioterrorist attack: are prevention and postattack intervention justifiable? Emerg. Infect. Dis. 3(2), 83–94.
23. Ashford, D. A., Gomez, T. M., Noah, D. L., Scott, D. P., and Franz, D. R. (2000). Biological terrorism and veterinary medicine in the United States. J. Am. Vet. Med. Assoc. 217(5), 664–667.
24. Edmondson, W. (2004). Economics of the food and fiber system. Amber Waves 2(1), 12–13.
25. Lasley, F. A., Short, S. D., and Henson, W. L. (1985). Economic Assessment of the 1983-84 Avian Influenza Eradication program, United States Department of Agriculture, Economic Research Service, National Economics Division. U.S. Government Printing Office, Washington, DC.
26. Wise, G. H. (1981). Hog Cholera and its Eradication: A Review of U.S. Experience, U.S. Department of Agriculture, Animal and Plant Health Inspection Service. U.S. Government Printing Office, Washington, DC.
27. Mort, M., Convery, I., Baxter, J., and Bailey, C. (2005). Psychosocial effects of the 2001 UK foot and mouth disease epidemic in a rural population: qualitative diary based study. Br. Med. J. 331, 1234–1238. DOI:10.1136/bmj.38603.375856.68.
28. Plant, A. (2004). Melioidosis. In Control of Communicable Diseases Manual, D. L. Heymann, Ed. 18th ed., American Public Health Association, Washington, DC, pp. 386–388.
29. Neubauer, H., Sprague, L. D., Zacharia, R., Tomaso, H., Al Dahouk, S., Wernery, R., Wernery, U., and Scholz, H. C. (2005). Serodiagnosis of Burkholderia mallei infections in horses: state-of-the-art and perspectives. J. Vet. Med. B Infect. Dis. Vet. Public Health. 52(5), 201–205.
30. Inglis, T. J., Rolim, D. B., and Sousa Ade, A.A. (2006). Melioidosis in the Americas. Am. J. Trop. Med. Hyg. 75(5), 947–954.
31. Dance, D. A. B. (2005). Melioidosis and glanders as possible biological weapons. In Bioterrorism and Infectious Agents: A New Dilemma for the 21st Century, I. W. Fong, and K. Alibek, Eds. Springer Science+Business Media, Inc., New York, pp. 99–145.
32. Srinivasan, A., Kraus, C. N., DeShazer, D., Becker, P. M., Dick, J. D., Spacek, L., Bartlett, J. G., Byrne, W. R., and Thomas, D. L. (2001). Glanders in a military research microbiologist. N. Engl. J. Med. 345(4), 256–258.
33. Bossi, P., Tegnell, A., Baka, A., Van Loock, F., Hendriks, J., Werner, A., Maidhof, H., and Gouvras, G. (2004). Bichat guidelines for the clinical management of glanders and melioidosis and bioterrorism-related glanders and melioidosis. Euro. Surveill. 9(12), 1–6.
34. Wheelis, M. (1998). First shots fired in biological warfare. Nature 395, 213.
35. Harris, S. (1999). The Japanese biological warfare programme: an overview. In SIPRI Chemical and Biological Warfare Studies. 18. Biological and Toxin Weapons: Research, Development and Use from the Middle Ages to 1945, E. Geissler, and J. E. van Courtland Moon, Eds. Oxford University Press, Oxford, pp. 127–152.

FURTHER READING
Anonymous (1998). Foreign Animal Diseases. In The Gray Book, W. W. Buisch, J. L. Hyde, and C. A. Mebus, Eds. 6th ed., U.S. Animal Health Association, Pat Campbell & Associates and Carter Printing Company, Richmond, VA.
Dembek, Z. F., Kortepeter, M. G., and Pavlin, J. A. (2007). Discernment between deliberate and natural infectious disease outbreaks. Epidemiol. Infect. 135(3), 353–371. DOI:10.1017/S0950268806007011.
Riemann, H. P., and Cliver, D. O. (2005). Foodborne Infections and Intoxications, 3rd ed., Academic Press, Amsterdam.

FOREIGN DENGUE VIRUS PRESENTS A LOW RISK TO U.S. HOMELAND
Terry Carpenter, Kathryn L. Clark, R. Kevin Hanson, and Michael Sardelis
National Center for Medical Intelligence, Frederick, Maryland
1 INTRODUCTION
Widespread dengue virus transmission in the continental United States is very unlikely. Media reporting in early 2008 [1, 2] speculating that the dengue virus may soon be introduced and spread nationwide, as West Nile virus (WNV) did previously, has grossly overstated the threat. Once WNV was imported into the United States, many factors that do not apply to dengue virus facilitated its spread and long-term establishment [3]. While sustained dengue virus transmission is unlikely, isolated cases or small case clusters of local transmission resulting from sporadic introduction by infected travelers will continue to occur in limited areas of the country where competent mosquito vectors are present. Such cases will likely be identified and contained by effective US public health responses.
2 BACKGROUND OF DENGUE AND WEST NILE VIRUSES
2.1 Worldwide Dengue Distribution
Dengue fever is transmitted at high levels year round throughout most tropical areas worldwide, including Central and South America, the Caribbean, southern and southeast Asia, the south Pacific, and parts of Africa. An estimated 50–100 million cases occur each year and the geographic distribution of dengue fever continues to expand (Fig. 1) [4].
2.2 History of Dengue Virus in the United States
Dengue fever, which was once endemic in the United States, was eliminated around 1950. No known outbreaks occurred between 1950 and 1980. However, small outbreaks of locally acquired dengue fever have been reported recently in southern Texas, usually in association with epidemic dengue spillover from adjacent Mexican states [5].
2.3 History of West Nile Virus in the United States
WNV has reemerged in the United States every year since 1999 and has expanded its range to include all states in the continental United States (Fig. 2) [6]. The spread of WNV has been aided by its ability to “overwinter” in birds and mosquitoes [7]. WNV has become widespread because it is maintained in nature principally in a mosquito-bird cycle [3]. Historically, migrating birds have spread WNV over a large area of the world, most recently in North America [6]. The spread and establishment of WNV has been assisted by the ability of the virus to infect many different bird and mosquito species [6].
(U) Clinical dengue fever and WNV
(U) Dengue virus causes dengue fever, dengue hemorrhagic fever, and dengue shock syndrome in humans.
(U) West Nile virus causes West Nile fever and neuroinvasive disease labeled as West Nile encephalitis, West Nile meningitis, or West Nile poliomyelitis.
(U) No vaccine is currently available to prevent any of these diseases.
FIGURE 1 Clinical dengue fever and West Nile Virus.
[Map: (U) Approximate distribution of dengue fever, March 2008. Legend: countries with reported or suspected dengue.]
FIGURE 2 Approximate worldwide distribution of dengue virus.
3 SEVERAL FACTORS REDUCE THE LIKELIHOOD OF SUSTAINED DENGUE VIRUS TRANSMISSION IN THE UNITED STATES AS COMPARED TO WNV
3.1 Disease Promulgation Multifactorial
For dengue virus to be transmitted in the United States, an infected traveler must arrive in the United States within the incubation period, typically 4–7 d (range 3–14 d) [4]. Persons already experiencing symptoms are unlikely to be well enough to travel. This relatively narrow time window reduces the odds that a traveler will arrive while incubating infection. Once in the United States, infected individuals must be bitten by a competent mosquito vector during the 3–5 d of viremia. Bites before or after this period will not infect the mosquito. During viremia, the great majority of dengue fever patients will be severely debilitated or bedridden and unable to sustain normal activities, further limiting outdoor contact with mosquitoes. In order to transmit infection, the infected mosquito vector must bite another person 8–12 d after taking the blood meal from the original infected patient. The predominant competent mosquito vector in the United States is relatively inefficient at passing the infection to other humans, because it tends to feed only once, and also tends to bite other animals instead of humans [4].
3.2 Dengue Virus Mosquito Vectors Differ from those of WNV
Dengue virus mosquito vectors are not as numerous or as widely distributed in the United States as are WNV mosquito vectors (Fig. 3) [8]. WNV is transmitted by more than 60 species of mosquitoes, including the Culex species, which are distributed throughout the continental United States. Dengue virus is transmitted by Aedes aegypti and Aedes albopictus, which leave much of the United States uncovered. The overwhelming majority of dengue-infected people who travel to the United States do not encounter the mosquito vector to begin the transmission cycle.
[Map: (U) Approximate distribution of vectors of dengue and West Nile virus in the United States. Legend: West Nile virus vectors; dengue vectors only.]
FIGURE 3 Approximate distribution of vectors of dengue virus and West Nile virus in the United States.
3.3 The Natural Ecology of Dengue Virus Differs from that of WNV in Ways that do not Favor Spread and Long-Term Establishment
Dengue viruses use humans as reservoir hosts. Neither migratory birds, nor any other bird species, have a role in the natural cycle and spread of dengue [9]. WNV has become widespread because it is principally maintained in a mosquito-bird cycle. Migrating birds act as vehicles to spread WNV over a large area [6]. The long-term establishment of WNV has been aided by its ability to “overwinter” in birds and mosquitoes, which allows WNV outbreaks to occur year after year in an area without reintroduction of the virus [7]. Dengue virus is transmitted in a mosquito-human cycle; birds have no role in the natural cycle and spread (Table 1) [3]. In addition to dengue virus, other pathogens maintained exclusively in mosquito-man cycles (yellow fever virus and malaria) have been eliminated from the United States [10–12]. Socioeconomic development (improved housing, piped water systems, and air conditioning), sociobiological changes (people are indoors during early daylight hours, and late afternoon until dusk, the peak biting times), and vector control efforts have helped interrupt transmission of these pathogens despite the continued presence of the mosquito vectors, highlighting the requirement for a high level of mosquito-human contact to maintain dengue virus transmission.

TABLE 1 Comparison of Selected Aspects of West Nile and Dengue Viruses
| Characteristics | West Nile Virus | Dengue Virus |
| --- | --- | --- |
| Natural cycle | Mosquito-bird | Mosquito-human |
| Means of importation | Infected mosquitoes or migratory birds | Infected humans |
| Reservoir | Birds; nearly 300 native species found infected in the United States | Humans |
| Vector | Over 60 species of mosquito, principally Culex species | Aedes aegypti and Aedes albopictus |
| Natural evidence of ability to “overwinter” (e.g. survive during the winter in temperate regions, persist in nature during interepidemic periods) | Yes, using mechanisms involving birds and mosquitoes | None |
| Efficacy of mosquito control programs | Moderate; can be difficult because of the number of mosquito species that serve as vectors and their varied (and sometimes large) breeding habitats | Good; only two species of mosquitoes serve as vectors, and their breeding habitats (small containers) are readily accessible |

4 OBSERVED DENGUE VIRUS IN THE UNITED STATES
4.1 Historical Importation
Despite frequent importation of dengue virus into the United States over the past 60 years by travelers to dengue virus endemic areas, no reports have surfaced of substantial outbreaks initiated by these travelers [13, 14]. An estimated 14 million travelers come to the United States from dengue virus endemic areas each year, in addition to tens of millions of migrants who cross into the United States through Mexico. During 1980–2007, five small outbreaks (less than 40 confirmed cases each) occurred in Texas near the border with Mexico [15]. The origins of these outbreaks were associated with spillover from adjacent Mexican states. In addition, Florida has not reported an incident of local dengue virus transmission since 1934 [10]. Indigenous transmission is very rare.
4.2 Importation through Military Redeployment
The likelihood of military personnel redeploying from dengue-endemic areas and initiating local transmission of dengue virus in the United States is very low. Military personnel do deploy and travel to highly endemic areas, and in rare instances a limited number have contracted dengue fever while deployed (e.g. Haiti, Somalia) [16, 17]. Dengue fever outbreaks have not been observed in the United States upon redeployment because the deployed population is thoroughly screened for illness, consistent with established requirements for the military health system to conduct deployment health assessments.
5 UNITED STATES COUNTERMEASURES MITIGATE RISK
Public health readiness and public awareness of the threat of vector-borne viruses have been heightened, largely as a result of the introduction of WNV. Dengue fever outbreaks that do occur in the United States are relatively small and are quickly identified and contained by effective public health practices. Areas with increased risk for dengue introduction, such as Florida and Texas, have very well-developed and proven surveillance systems that remain alert for dengue cases [18]. Public health countermeasures
will prohibit transmission from progressing far enough to reach a reservoir of infected humans large enough to sustain a large outbreak.
6 SUMMARY AND CONCLUSIONS
Myriad infectious diseases exist throughout the world and conceivably could enter the United States. Careful identification and prioritization of significant foreign infectious disease threats that could be imported into the United States and develop into considerable public health challenges are critical to developing and maintaining appropriate Homeland Security countermeasures. A methodological scientific approach involving the cooperation of the intelligence community (with their assessments of diseases in foreign countries) and domestic agencies (with their knowledge of existing mitigating factors such as airport screening, vaccination, and vector control) would provide a defensible rationale for allocation of countermeasure resources and establishment of homeland security procedures.

REFERENCES
1. Ricardo, A.-Z. (2008). Dengue fever is not quite dead. Los Angeles Times, 10.
2. Fox, M. (2008). Tropical dengue fever may threaten U.S.: report. Reuters, http://www.reuters.com/article/scienceNews/idUSN0847856420080108?sp=true.
3. Glaser, V. (2001). Dengue West Nile virus—an interview with Duane Gubler Sc.D. Vector Borne and Zoonotic Dis. 1(1), 81–88.
4. Heymann, D. L. (Ed.) (2004). Dengue fever. Control of Communicable Diseases Manual. American Public Health Association, Washington, DC, pp. 146–149.
5. Reiter, P., Lathrop, S., Bunning, M., Biggerstaff, B., Singer, D., Tiwari, T., Baber, L., Amador, M., Thirion, J., Hayes, J., Seca, C., Mendez, J., Ramirez, B., Robinson, J., Rawlings, J., Vorndam, V., Waterman, S., Gubler, D., Clark, G., and Hayes, E. (2003). Texas lifestyle limits transmission of dengue virus. Emerg. Infect. Dis. 9(1), 86–89.
6. Gubler, D. (2007). The continuing spread of West Nile virus in the Western Hemisphere. Clin. Infect. Dis. 45, 1039–1046.
7. Reisen, W. K., Fang, Y., Lothrop, H. D., Martinez, V. M., Wilson, J., O’Connor, P., Carney, R., Cahoon-Young, B., Shafii, M., and Brault, A. C. (2006). Overwintering of West Nile virus in Southern California. J. Med. Entomol. 43(2), 344–355.
8. Moore, C. G., and Mitchell, C. J. (1997). Aedes albopictus in the United States: ten-year presence and public health implications. Emerg. Infect. Dis. 3(3), 329–334.
9. Weaver, S. C., and Barrett, A. D. (2004). Transmission cycles, host range, evolution and emergence of arboviral disease. Nature 2, 789–801.
10. Ehrenkranz, N. J., Ventura, A. K., Cuadrado, R. R., Pond, W. L., and Porter, J. E. (1971). Pandemic dengue in Caribbean countries and the Southern United States-past, present and potential problems. N. Engl. J. Med. 285(26), 1460–1469.
11. Thwing, J., Skarbinski, J., Newman, R. D., Barber, A. M., Mali, S., Roberts, J. M., Slutsker, L., and Arguin, P. M. (2007). Malaria surveillance—United States, 2005. MMWR 56(SS06), 23–38.
12. World Health Organization (1986). Present status of yellow fever. Bull. World Health Organ. 64(4), 511–524.
13. Abell, A., Smith, B., Fournier, M., Betz, T., Gaul, L., Robles-Lopea, J. L., Carrillo, C. A., Rodriguez-Trujillo, A., Rabelly-Moya, C., Velasquez-Monroy, O., Alvarez-Lucas, C., Kuri-Morales, P., Anaya-Lopez, L., Hayden, M., Zielinski-Butierrez, E., Munoz, J., Beatty, M., Sosa, I., Wenzel, S., Excobedo, M., Waterman, S., Ramos, M., Kapella, B. K., Mohammed, H., Taylor, R., and Brunkard, J. (2007). Dengue hemorrhagic fever—U.S. Mexico border, 2005. MMWR 56(31), 785–789.
14. Rawlings, J., Burgess, C., Tabony, L., Campman, R., Hendricks, K., Stevenson, G., Vela, L., Simpson, D., Tapia-Conyer, R., Matus, C. R., Gomez-Dantes, H., Montesanos, R., Flisser, A., Briseno, B., Bernal, S. I., Medina, C. C., Flores, G., Coello, G. C., Hayes, J., Craig, G. B., Blackmore, M. S., and Mutebi, J. P. (1996). Dengue fever at the U.S. Mexico border, 1995-1996. MMWR Morb. Mortal. Wkly. Rep. 45(39), 841–844.
15. Ayala, A., Rivera, A., Johansson, M., Munoz, J., Ramos, M., and Mohammed, H. (2006). Travel-associated dengue—United States, 2005. MMWR 55(25), 700–702.
16. Defraites, R., Smoak, B., Trofa, A., Hoke, C., Kanesa-thasan, N., King, A., MacArthy, P., Putnak, J., Burrous, J., Oster, C., Redfield, R., Aronson, N., Brown, M., Fishbain, J., Deal, V. T., Quan, J., Jollie, A., Long-acre, J., Shuette, J., Logan, T., Jahrling, P., and Rossi, C. (1994). Epidemiologic notes and reports dengue fever among U.S. military personnel—Haiti, September-November, 1994. MMWR 43(46), 845–848.
17. Sharp, T. W., Wallace, M. R., Hayes, C. G., Sanchez, J. L., DeFraites, R. F., Arthur, R. R., Thornton, S. A., Batchelor, R. A., Rozmajzl, P. J., and Hanson, R. K. (1995). Dengue fever in U.S. troops during Operation Restore Hope, Somalia, 1992-1993. Am. J. Trop. Med. Hyg. 53(1), 89–94.
18. Lister, S. A. (2005). An Overview of the U.S. Public Health System in the Context of Emergency Preparedness, Congressional Research Service. http://www.fas.org/sgp/crs/homesec/RL31719.pdf.

DATA SOURCES FOR BIOSURVEILLANCE
Ronald A. Walters
Pacific Northwest National Laboratory, Richland, Washington
Pete A. Harlan, Noele P. Nelson, and David M. Hartley
Division of Integrated Biodefense, Imaging Science and Information Systems, Georgetown University Medical Center, Washington, D.C.
1 INTRODUCTION
As recognized recently in the 2005 revision of the International Health Regulations, early detection of disease is vital in responding to dangerous situations in a timely manner [1]. Researchers have explored the potential for identifying distinctive environmental [2–4], climatic [5–7], and human behavior [8–10] signatures for rapid identification of outbreaks and epidemics [11]. Biosurveillance is the discipline in which diverse data streams such as these are characterized in real or near–real-time to provide early warning and situational awareness of events affecting human, plant, and animal health. Biosurveillance is distinct from traditional public health surveillance in that it does not rely on classical epidemiologic studies or clinical data, the availability of which can be limited and which nearly always lag the events they describe by days or months. Many biosurveillance systems provide graded alerting of potential infectious disease outbreaks and refine the degree of confidence in these alerts as additional data become available. In this way, systems support graded response by public health, agriculture, and other decision makers [12]. Within such a process, evidence suggesting that an infectious disease outbreak is nascent in a particular region or locale cues a biosurveillance system (or perhaps a collection of systems) to search for additional information clarifying disease status. As more data are collected, surveillance becomes more directed and more actionable, ultimately leading to an evidence-based awareness of the situation. In such a way, public health and related organizations are postured to react in proportion to the degree of confidence inferred from biosurveillance and other surveillance activities as time evolves. Such a picture highlights the connectedness of biosurveillance and situational awareness.
2 SURVEY OF EXTANT BIOSURVEILLANCE SYSTEMS
This section provides brief descriptions of a sampling of current biosurveillance and situational awareness systems. Some are dedicated solely to global biosurveillance while others have biosurveillance as a component of their primarily domestic missions. Some are available and open to the general public while others limit user access.
There is variability among capabilities for archiving and free-text searching, and these systems vary according to the languages included in sources. Each system was designed for a specific purpose, and each uses a customized approach to capture information useful to end users. Inasmuch as this publication is dedicated to providing a resource for addressing homeland security issues, the compilation below should not be considered an exhaustive listing, as similar, although largely domestic, programs sponsored by many of the nearly 200 nations in the world are not included. There are systems (e.g. the US government BioWatch network of environmental sensors [13]) that are not included in this study because of a paucity of available information describing them. The systems are listed alphabetically; no ranking should be inferred from the order of presentation. This paper deals with systems that employ event-based unstructured data as opposed to structured data similar to that usually associated with syndromic surveillance.
2.1 Animal and Plant Health Inspection Service
Animal and Plant Health Inspection Service (APHIS) is a US Department of Agriculture organization, and its mission is to protect the health and value of American agriculture and natural resources.
• For animal health (http://www.aphis.usda.gov/animal_health/index.shtml), APHIS provides laboratory information services. It also has monitoring and surveillance components that include the National Animal Health Surveillance Systems (NAHSS), the National Animal Health Reporting Systems (NAHRS), the National Animal Health Laboratory Network (NAHLN), the National Aquaculture Program (NAP), Emerging Animal Disease Notices, and the National Surveillance Unit.
• For plant health (http://www.aphis.usda.gov/plant_health/index.shtml), APHIS includes prevention (plant import regulations and permits, international safeguarding activities, and pest protection) and preparedness (Pest Identification & Diagnostics National Identification Service and National Plant Diagnostic Network) as well as response and recovery activities.
2.2 Argus
This project is a prototype biosurveillance system designed to detect and track biological events that may threaten global human, plant, and animal health. It is a cueing and alerting capability complementing both traditional and experimental biosurveillance activities. Argus examines real-time, local native-language media reports posted on the Internet to detect abnormal functioning of social systems; it uses a taxonomy-based approach built on direct, indirect, and enviroclimatic indications and warnings [3]. (An ontology is a set of concepts and keywords that are relevant to infectious disease surveillance. A taxonomy is a hierarchical organization of such concepts.) Analysts fluent in approximately 40 languages monitor the output of a large number of media sources and prepare approximately 40,000 reports per year. Argus scans about 1,000,000 articles per day, of which 25% are archived. Argus reports can be accessed via http://www.opensource.gov.
2.3 BioCaster
BioCaster [14] is an experimental system for global health surveillance under development at the National Institute of Informatics in Japan and is a collaborative research project among five institutes in three countries (http://www.biocaster.org). The system is fully automated using Really Simple Syndication (RSS) feeds from over 1700 sources with no human analysts.
Human analysis is assumed to take place downstream by the recipients of its output. BioCaster focuses on the Asia-Pacific region, posting approximately 90 articles per day in three languages (English, Japanese, and Vietnamese) with plans for expansion to Thai, Chinese, and other regional languages. Article capture and dissemination is done every hour. Until recently the primary sources were Google News, Yahoo! News, and European Media Monitor, but the system is now expanding to include sources from a commercial news aggregation company, which greatly increases its coverage. BioCaster produces an ontology [15] in eight languages (Chinese, English, French, Japanese, Korean, Spanish, Thai, and Vietnamese) that is openly available and is the basis for the Global Health Monitor [16], an open access Web portal for displaying maps and graphs of health events to users (http://www.aclweb.org/anthology-new/I/I08/I08-2140.pdf). The ontology covers approximately 117 infectious diseases of humans and animals as well as six syndromes. Future objectives include extending language and health threat coverage.
2.4 Centers for Disease Control and Prevention
The US Centers for Disease Control and Prevention (CDC) supports many resources dedicated to domestic and global public health issues, a number of which are described below (http://cdc.gov).
• Global Disease Detection Centers (http://www.cdc.gov/cogh/gdd/gddCenters.htm). This network of centers is being developed around the world in partnership with Ministries of Health. Six centers, many with regional collaborations, are currently in place (China, Egypt, Guatemala, Kenya, Thailand, and Kazakhstan). These centers will assist CDC in coordinating its resources and expertise more effectively, including CDC intramural programs such as the Field Epidemiology Training Program (FETP) (http://www.cdc.gov/cogh/dgphcd/), the International Emerging Infections Program (IEIP) (http://www.cdc.gov/ieip/), and influenza activities (http://www.cdc.gov/flu). They also support implementation of the International Health Regulations (2005) by assisting countries with developing the required core capacities for surveillance and response.
• Global Disease Detection Operations Center (GDDOC). This center serves as the clearing house and coordination point for international outbreak information acquisition and response. It collects information from the GDDOC, other CDC programs, and a wide range of public and private sources. The GDDOC consolidates and interprets information from all its sources to assess severity of outbreaks and to determine and facilitate the appropriate CDC response.
• Early Aberration Reporting System (EARS) (http://emergency.cdc.gov/surveillance/ears/). This domestic capability was established as a method for monitoring bioterrorism and was put into operation in New York City and the national capital region after the terrorist attacks of September 11, 2001. It is used to acquire information about syndromic data, 911 calls, physician data, school and business absenteeism, and over-the-counter drug sales.
• Early Warning Infectious Disease Surveillance (EWIDS) (http://emergency.cdc.gov/surveillance/ewids/). EWIDS is an early warning infectious disease biosurveillance program for the states bordering Canada and Mexico. It is a collaboration of state, federal, and international partners to provide rapid and effective laboratory confirmation of urgent infectious disease case reports in the border regions. Regional collaborations include the Eastern Border Health Initiative, the Great Lakes Border Health Initiative, the Pacific Northwest Alliance, and the US-Mexico Border Region Group.
• Epi-X (http://www.cdc.gov/epix/), initiated in December 2000, is the CDC’s secure web-based communications application for public health professionals. The network’s primary goal is to provide timely information to health officials about important public health events, to help them respond to public health emergencies, and to encourage professional growth and exchange of information. The main features of Epi-X include scientific and editorial support by CDC personnel, controlled user access, digital credentials and authentication, rapid outbreak reporting, and peer-to-peer consultation. Epi-X access is limited to public health professionals designated by each health agency. Health officials have posted about 6700 reports to date and approximately 4200 users are notified routinely of these postings by e-mail or additionally by pager and telephone depending on the acuteness of the event. Event postings and support are provided 24 h per day, 7 days per week. Epi-X also provides communications to the public through the Morbidity and Mortality Weekly Report (MMWR) and other sources.
• National Electronic Disease Surveillance System (NEDSS) (http://www.cdc.gov/nedss/). NEDSS was developed to rapidly detect outbreaks, monitor the nation’s health and facilitate the electronic transfer of information from clinical information systems to public health departments. It promotes the use of data and information system standards for development of integrated and interoperable surveillance systems at the federal, state, and local levels. It is a major component of the Public Health Information Network (PHIN) (http://www.cdc.gov/phin/).
• BioSense (http://www.cdc.gov/Biosense/) is a national human health surveillance capability developed and hosted by the CDC. It is a system of systems that links data from a variety of largely domestic sources to provide a unified national view. It is designed to assist in validating the existence of an outbreak, monitor its status and provide local, state, and national situational awareness.
2.5 Emergency Prevention Program for Transboundary Animal Diseases
This global animal health information system compiles, stores, and verifies animal disease outbreak information from many sources (http://empres-i.fao.org/empres-i/). For verification, Emergency Prevention Program for Transboundary Animal Diseases (EMPRES-i) uses both official and nonofficial sources and generates and disseminates early warning messages.
2.6 European Center for Disease Control and Prevention
The European Center for Disease Control and Prevention (ECDC), a European Union (EU) agency, was established in 2005 and is based in Stockholm, Sweden (http://ecdc.europa.eu/en/). Its mission (http://ecdc.europa.eu/en/Activities/Epidemic_Intelligence/) is to identify, assess, and communicate current and emerging threats to human health from infectious diseases. A number of information services/systems are operating or being developed at the ECDC, including the following:
• the ECDC web site (http://ecdc.europa.eu);
• the Eurosurveillance journal (http://www.eurosurveillance.org);
• TESSy—the integrated European communicable disease surveillance system;
• EPIS—the epidemic intelligence portal developed to support outbreak detection, risk assessment, outbreak investigation, and control measures at EU level;
• Knowledge and Information service (KISatECDC)—the content management system for scientific documents produced at the ECDC;
• Preparedness and Response Unit (PRU)—working in partnership with member states across Europe to develop surveillance and early warning systems, the ECDC maintains a staff with 24/7 duty officers and has an emergency operations center. It develops threat tracking tools and issues daily reports collated from a variety of sources, numbering among which is the Unit that monitors emerging threats (http://ecdpc.europa.eu/About_us/Preparedness&Response.html).
2.7 European Influenza Surveillance Scheme
European Influenza Surveillance Scheme (EISS) collects data on influenza in Europe and shares the information with 30 member countries via weekly surveillance reports (http://www.eiss.org/). The reports are derived from information reported by 25,750 sentinel physicians. EISS objectives are described in more detail at http://www.eiss.org/html/lb_objectives.html, and its methods are summarized at http://www.eiss.org/html/introduction.php.
2.8 Global Emerging Infections System
Global Emerging Infections System (GEIS) was established in 1996 within the Department of Defense (DoD) for prevention, surveillance, and response to infectious diseases that could threaten military personnel or their dependents, reduce medical readiness or affect national security (http://www.geis.fhp.osd.mil/). It has a global reach, a number of partners within the DoD, and working relationships with other US and international health agencies. Electronic Surveillance for the Early Notification of Community-based Epidemics (ESSENCE), first developed within GEIS, is a web-based system in support of the DoD health mission (http://www.ehcca.com/presentations/hithipaa414/4_06_1.ppt). It tracks ambulatory and pharmacy data from the US military treatment facilities and alerts users to possible outbreaks of infectious disease and biological incidents.
2.9 Global Public Health Intelligence Network
Global Public Health Intelligence Network (GPHIN) was established in 1997 and is managed by the Public Health Agency of Canada’s Center for Emergency Preparedness and Response (http://www.phac-aspc.gc.ca/gphin/index-eng.php). It uses the Internet to gather information on eight topics of public health interest. It has global reach and acquires articles from newsfeeds Al Bawaba and Factiva using keywords and terms within a specific taxonomy. Articles about events that may have serious public health consequences are sent to users as e-mail alerts. Machine translation is provided for nine languages (Spanish, French, Russian, Arabic, Farsi, Chinese Simplified and Traditional, Portuguese, and English). GPHIN functions on a near–real-time basis with 24/7 coverage and is staffed with analysts who provide linguistic and interpretive expertise.
Customers include the World Health Organization (WHO) and other public and private sector organizations [17].
2.10 Health Emergency Disease Information System
Based in Italy, Health Emergency Disease Information System (HEDIS) was developed by the European Commission (EC) to support Directorate General for Health and Consumer Protection (DG SANCO) and public health authorities in Member States (http://hedis.jrc.it/). Its emphasis is crisis management rather than biosurveillance. It provides situational awareness and as such is a central jumping-off point for crisis communication. It has approximately 300 users (users are Member States responsible for communicable diseases, CBRN [chemical, biological, radiological, nuclear], and communicators) and provides capabilities and tools to assist its customers in dealing with an identified health threat. Included among the rapid alert mechanisms linking Member States with the EU are the following:
• Early Warning and Response System (EWRS) is a web-based system linking the EC with public health authorities in Member States responsible for communicable disease control measures. (http://ec.europa.eu/health/ph threats/com/early warning en.htm)
• Rapid Alert System for Biological and Chemical Agent Attacks (RAS BICHAT) is a system for information exchange on health threats from deliberate release of CBRN agents. (http://ec.europa.eu/health/ph threats/com/preparedness/rapid alert en.htm)
• Rapid Alert System for Food and Feed (RASFF) facilitates information exchange on measures taken to ensure food safety. (http://ec.europa.eu/food/food/rapidalert/index en.htm)
• Animal Disease Notification System (ADNS) provides detailed information on infectious disease outbreaks in animals in Member States. (http://ec.europa.eu/food/animal/diseases/adns/index en.htm)
• European Food Safety Authority (EFSA) provides risk assessment advice on existing and emerging risks in food and feed safety. (http://www.efsa.europa.eu/EFSA/efsa locale-1178620753812 home.htm).
2.11 HealthMap
HealthMap is a fully automated resource that collects information from 14 sources (representing about 20,000 web sites) including Google News, ProMED, WHO, and others (http://www.healthmap.org/about.php). It was created as a unified and comprehensive resource for information on infectious disease and public health events in humans, animals, and plants and is freely available with sources and user interface in English, Chinese, Spanish, Russian, and French. Data are aggregated by disease and displayed by location with a link to the original text. HealthMap processes approximately 300 alerts per day and has documented 141 unique infectious disease categories from 174 countries. The HealthMap web site has approximately 1000–10,000 visitors per day with about 200,000 visitors since its launch [18].
2.12 Institut de Veille Sanitaire
Among a number of other responsibilities, the French Institute for Public Health Surveillance, Institut de Veille Sanitaire (INVS) provides surveillance and alerts of infectious diseases (http://www.invs.sante.fr/presentations/presentation anglais.htm). The INVS collaborates with other national networks and international organizations. It is part of the EWRS that links health ministries and surveillance organizations in EU Member States. Sources include WHO, ProMED, GPHIN, and OIE. Posting only verified news events, it has approximately 1400 subscribers.
2.13 Medical Information System
The EC’s Medical Information System (MedISys) (http://medusa.jrc.it/medisys/aboutMediSys.html) is a fully automated 24/7 public health surveillance system run and maintained by the Joint Research Center (JRC) at the Institute for the Protection and Security of the Citizen (IPSC), in Ispra, Italy [19]. The developer team collaborates with the Health Threats Unit at the Directorate General for Health and Consumer Protection (DG SANCO) and University of Helsinki (PULS system). MedISys covers infectious human and animal diseases, bioterrorism, chemical, biological, and CBRN threats reported in open source news media. Approximately 80,000 to 90,000 articles from 5000 news sites in 45 languages are screened. Currently, 26 languages are available via the Web portal, but news in 45 languages is processed in predefined categories. MedISys started operating in August 2004 and is one of the several JRC-developed media monitoring applications that process news gathered by the Europe Media Monitor (EMM, on-line since 2002). MedISys provides daily automated e-mail alerts to subscribers and offers users a tool called Rapid News Service (RNS) to manage newsletters, e-mail distribution lists, and alerts via e-mail and/or mobile phone messages.
2.14 World Organization for Animal Health
Created in 1924, the Organization for Animal Health (OIE) is an intergovernmental organization with 172 member countries and territories and charged with improving animal health worldwide (http://www.oie.int/eng/en index.htm). It maintains permanent relationships with other international and regional organizations. The World Animal Health Information Database (http://www.oie.int/wahis/public.php?page=home) provides access to OIE’s World Animal Health Information System (WAHIS) data. The reports include immediate notifications and follow-up reports from Member States, country biannual reports on OIE-listed diseases, and annual reports on animal health, laboratory, and vaccine production. The OIE is a participating partner in WHO’s Global Warning system for Major Animal Diseases, including Zoonoses (GLEWS) for early warning and responses to animal diseases.
2.15 Pattern-based Understanding and Learning System
Pattern-based Understanding and Learning System (PULS) is an information system at the University of Helsinki (http://puls.cs.helsinki.fi/medical/) that in partnership with the EC’s JRC extracts metadata from MedISys articles [19, 20]. It is a fully automated global biosurveillance system designed to provide early warning of infectious and noninfectious disease outbreaks and its coverage will soon be extended to CBRN. Its focus is information retrieval, extraction, aggregation, and visualization, and it uses text mining and natural language processing to analyze incoming documents. Key attributes determined from text include disease/condition (if known), location, date, number of victims, whether human or animal, and victim survival.
2.16 Program for Monitoring Emerging Diseases
Program for Monitoring Emerging Diseases (ProMED)-mail (http://www.promedmail.org) was established in 1994 and currently operates as a program of the International Society for Infectious Diseases with contributing corporate, foundation, and individual donor support [21, 22]. With the goal of promoting rapid communication within the international infectious disease community, it is an Internet-based reporting system for disease outbreaks and toxin exposures affecting humans, animals, and plants. Sources include local observers, media and official reports, and others. In a nonautomated process, reporting is screened and comments provided by subject-matter experts prior to posting to subscribers of which there are over 50,000 in 188 countries. ProMED-mail sends an average of 7–10 reports per day and is available in English, Spanish, Portuguese, French, and Russian languages. ProMED-mail has five regional programs with a staff in 15 countries.
2.17 Real-time Outbreak and Disease Surveillance
As its name implies, Real-time Outbreak and Disease Surveillance (RODS) was created to investigate methods to detect disease outbreaks in real-time (https://www.rods.pitt.edu/site/index.php?option=com content&task=view&id=14&Itemid=77). With support from US federal agencies and the State of Pennsylvania, its public health bioinformatics research includes outbreak detection algorithms, free-text classification, systems design, system evaluation, policy analysis, and outbreak simulation. RODS software has been made available to academia and health departments, and RODS operates the National Retail Data Monitor for information on sale of over-the-counter healthcare products [23]. RODS is currently in use in many cities, states, and countries and has served as a partner in the Department of Homeland Security’s BioWatch program.
2.18 National Association of Radio-Distress Signaling and Infocommunications Emergency and Disaster Information Service (RSOE-EDIS)
Based in Hungary, the Havaria Information Service (http://www.oasis-open.org/events/ITU-T-OASISWorkshop2006/slides/rafael.pdf) was established to monitor catastrophic events in Hungary, Europe, and the world and to forward information to stakeholders via e-mail alerts and RSS feeds (http://visz.rsoe.hu/alertmap/index.php?lang=). The service collects information from approximately 600 Internet portals among which are numbered inputs from EISS for European influenza status, WHO, and the US CDC for global epidemic events.
2.19 World Health Organization
WHO has put into place or provides administrative assistance to a number of resources which contribute to the detection of disease outbreaks and the response thereto (http://www.who.int/en/).
• Epidemic and Pandemic Alert and Response (EPR, http://www.who.int/csr/en/). In addition to other services and capabilities, EPR provides Member States epidemic intelligence in the form of event verification, alerting, and coordinated outbreak responses within the framework of the International Health Regulations (2005). EPR seeks to ensure appropriate communications among stakeholders.
• Global Outbreak Alert and Response Network (GOARN) (http://www.who.int/csr/outbreaknetwork/en/). WHO provides administrative assistance and an organizational umbrella for GOARN although GOARN is not a formal component of WHO. GOARN is an association whose members and networks are brought together to assist in and enable early detection, identification, confirmation, and response to disease events with international implications.
3 ANALYSIS OF SYSTEMS
Public health markers providing indications and warning (I&W) of new and emerging infectious disease events can be conveniently segregated into direct and indirect components [24]. The I&W paradigm provides a useful framework for interpreting the landscape of international biosurveillance defined by the systems described above. For the purpose of this article, the following classifications of I&W types are used:
• Direct indicators are those commonly used in traditional disease reporting and include data derived from public health, clinical, and laboratory sources. Examples of direct indicators are reports of unknown human disease (i.e. syndromes and diseases of unknown etiology), geographical features (i.e. extent of affected area such as city, region, nation, etc.), noncontiguous geographic involvement, unique or unexpected clinical presentation, high morbidity/mortality, unexpected appearance of disease in relation to season, discrete population(s) involved (e.g. specific ethnic group, nosocomial [hospital] setting, healthcare workers, patients contracting unusual disease while in a medical facility, specific age groups, and specific occupations). While some specific features of direct indicators of animal disease may be different, their pattern is similar to those of human disease [24].
• Indirect indicators include human responses to infectious disease outbreaks that are expressed as social behavior. Other indirect indicators include environmental and climate/meteorological trends such as temperature and precipitation variations. Social behavior deviating from the norm in a particular group or society [24] includes such items as (i) public health response including preparedness, implementation of countermeasures, activation of biosurveillance or screening, and demand for medical services; (ii) other government reaction such as official acknowledgment or denial of the bioevent, official action, information suppression, or criminal prosecution; (iii) business/organizational changes including business practice changes and integrity of infrastructure; and (iv) other social behavior such as local perception of threat.
While extensive details regarding specific ontologies and taxonomies are not publicly available for all the systems described above, it is possible to think of them within an I&W paradigm. When that is done for examples of direct and indirect indicators described in the preceding paragraph, some interesting features emerge that are illustrated in Figures 1–3. As shown in Figure 1, all systems monitor and report on direct I&W of disease. Fewer systems utilize indirect I&W markers, and those include Argus, GPHIN, HealthMap, ProMED, RODS, and RSOE. Figure 2 illustrates the results when direct I&W elements are broken down into specific categories. Not surprisingly, all the systems utilize public health information and 11 of the 19 systems collect clinical and laboratory information as well. While the direct I&W categories in Figure 2 are not inclusive of all that might be considered, they serve both to (i) illustrate the diversity of the systems and (ii) suggest areas for capitalizing on system complementarities. Figure 3 suggests that coverage of indirect indicators is much less complete than coverage of direct indicators. As might be expected, “Public Health Response” is the most frequently used indirect I&W followed by “Meteorological Data.” Although the potential value of enviroclimatic indicators is yet to be demonstrated for a large class of diseases, compelling evidence for the role climate issues play for particular diseases can be found in the literature [25–27].
The lack of coverage of any particular direct or indirect I&W marker in any given system should not be considered a criticism or fatal system flaw, but rather as an opportunity to exploit complementarities between systems. It can also be argued that, since no system is perfect, some redundancy can be a positive attribute. The systems described above were designed to serve varying missions and stakeholder populations, and therefore, no one
[Figure 1 (image not reproduced): chart marking, for each system (APHIS, Argus, BioCaster, CDC, EMPRES-i, ECDC, EISS, GEIS, GPHIN, HealthMap, HEDIS, INVS, MedISys, OIE, PULS, ProMED, RODS, RSOE, WHO), its use of direct I&W and indirect I&W.]
FIGURE 1 Summary of system usage of direct and indirect I&W markers.
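[Figure 2 (image not reproduced): chart marking, for each system (APHIS, Argus, BioCaster/GHM, CDC, EMPRES-i, ECDC, EISS, GEIS, GPHIN, HealthMap, HEDIS, INVS, MedISys, OIE, PULS, ProMED, RODS, RSOE, WHO), its use of the direct I&W categories Public Health, Clinical, Lab, and Vet Records.]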
FIGURE 2 System usage of direct I&W subdivided by category. “Public Health” denotes data reported to public health authorities (e.g. notifiable diseases and conditions), “Clinical” denotes acute or long-term healthcare facility data (e.g. clinical lab tests and information recorded in patient data records), “Lab” denotes public health laboratory surveillance records, practices and standards (e.g. the Laboratory Response System in the United States), and “Vet” denotes veterinary records.
[Figure 3 (image not reproduced): chart marking, for each system (APHIS, Argus, BioCaster/GHM, CDC, EMPRES-i, ECDC, EISS, GEIS, GPHIN, HealthMap, HEDIS, INVS, MedISys, OIE, PULS, ProMED, RODS, RSOE, WHO), its use of the indirect I&W categories Public Health Response, Other Government Reaction, Business/Organization Changes, Other Social Behavior, and Meteorological Data.]
FIGURE 3 System usage of indirect I&W subdivided by category. “Public Health Response” is action by health officials to contain a disease event (e.g. health alerts and quarantine), “Other Government Reaction” denotes an official action in response to a disease event (e.g. implementation of countermeasures and official investigations), “Business/Organization Changes” refers to changes in normal business or organization practices (e.g. profiteering, business closure and black market formation), “Other Social Behavior” denotes societal anxiety or panic (e.g. fleeing and stockpiling of commodities), “Meteorological Data” refers to enviroclimatic, satellite and vegetation, and other data that could be used to identify favorable conditions for a biological event (e.g. flooding, abnormal temperature, and water contamination).
system can or should be expected to deliver insight into all possible variables associated with effective biosurveillance, especially, on a global scale where the need is greatest.
4 RESEARCH AND DEVELOPMENT NEEDS
A dynamic approach to risk assessment and public health reaction remains difficult given current limitations in both early warning and real-time situational awareness of emerging biological events. If the paradigm of graded public health response is to be viable, a capability must exist to detect evidence of outbreak activity at the earliest stages and monitor them accurately and precisely as they progress. Such a capability would likely be a “system of systems,” composed of discrete and complementary components acting in concert. Included in any such system would be a component that provides I&W of potential events. This I&W component would provide the first cueing and alerting of a potential disease event (or, potentially, risk of a future event). It is expected that with time after the event, additional information provided by other components in the graded alerting and response chain will refine and better characterize the event. The systems listed in this study (and potentially others not included here) likely provide the basic ingredients for such a system of systems.
Important technological and methodological challenges remain in constructing a system providing comprehensive, dynamic situational awareness [28]. For both individual systems as well as systems of systems, some of the more prominent challenges facing surveillance systems include interoperability, interface customizability, scalability, and event traceability. Integration of geospatial visualization, event mapping, modeling, and trending tools is important for establishing metrics and baselines necessary for data interpretation and analysis. Additionally, expansion of the current biosurveillance capabilities via incorporation of emerging media such as video, digital audio, images, blogs, Short Message Service (SMS), and others is critical.
4.1 Source Assessment
The value of various data sources must be defined. There are a massive number of sources on the Web (e.g. news media text, images, audio, and video; blogs; social networking sites; traditional public health; syndromic [29, 30], and laboratory surveillance [31]). Each source type will likely have associated with it varying degrees of confidence and geographic coverage, and at some point the value of each component in biosurveillance systems must be assessed. Quantifying variation in source reporting standards as well as catchment (i.e. the regions from which a source collects) and target population will be a critical first step toward understanding how these issues affect the validity of biosurveillance system output. Metrics must be defined, and these metrics need to be generalized to individual systems that may use different data and take a variety of analytical approaches.
4.2 Standards Development
Approaches to integrating complementary systems must be investigated. Since the biosurveillance systems described in this study were created to address specific issues and utilize different methods and standards, integration of these systems will be challenging. No standards for collecting, processing, and exploiting biosurveillance products exist that can be applied across the spectrum of systems described here. Such standards, once agreed upon and implemented, would facilitate communication between international and domestic systems alike.
4.3 System Metrics
Techniques for evaluating system performance must be developed. It is unclear how to evaluate the impact of biosurveillance on spatiotemporal detection and monitoring (i.e. situational awareness) of infectious disease outbreaks. In addition, standardized metrics quantifying the performance of different biosurveillance systems are needed to understand how different systems complement and add value to one another. Such metrics are also needed if end users are to understand the performance of a given system, let alone any aggregation of systems.
4.4 System Communication
Efficient and meaningful ways of communicating system outputs and findings must be identified. Current systems display and present the results of biosurveillance differently. How best to present results to the broader user community, which includes researchers as well as public health workers and decision makers, is an issue that will have to be addressed. Many unknowns remain including identifying the most appropriate interactive visual interfaces; best practices regarding techniques for visually synthesizing biosurveillance data; and how to present dynamic, ambiguous, and potentially conflicting information to consumers of biosurveillance. Can a biologically common operating system be developed that effectively addresses the needs of different users?
There are nearly 200 countries in the world. Although much effort has been devoted to the automated acquisition of massive amounts of relevant information (e.g. from the Internet), global biosurveillance must sooner or later have the ability to capture and analyze information in many languages. In the future, the most informative and useful systems will likely have access to an analyst cadre collectively fluent in many languages and cultures.
5 ASSESSMENT OF THE CURRENT GLOBAL BIOSURVEILLANCE LANDSCAPE
That rapid reporting of disease outbreaks is vital for both the public health and national security communities is not disputed. It is also clear that this can only be accomplished with an effective, integrated global biosurveillance capability with a near–real-time reporting component. While such a capability does not yet exist, similarities and differences among systems such as those described in this work suggest that exploiting system complementarities could provide a very powerful global biosurveillance resource.
In 2003, Woodall and Aldis reported “enormous gaps in terms of geographical and disease coverage and timeliness of reporting” and concluded that open source on-line reporting with an emphasis on speed would likely heavily use the Internet [32]. More recently, Morse [33] reviewed the gaps that hindered progress to global biosurveillance, and those gaps included among others, political will, resources for reporting, and improved coordination and sharing information; he also noted that increased availability of communications and information technologies offered new opportunities for reporting. These observations are certainly consistent with the analysis of the biosurveillance systems presented in Section 2 above and with the recent results of studies using Internet search engines to track influenza [34–36].
With the appropriate communication and data sharing regimes, there do not appear to be technical barriers to integrating existing global and regional biosurveillance systems, biosurveillance systems dedicated to single diseases, and open source reporting into an effective global biosurveillance capability. Even a cursory examination of the systems presented here shows a tremendous reservoir of creative thought and achievement that, if policy and political barriers were to be eliminated, could be the foundation of global biosurveillance in the not too distant future. Although each of the individual systems examined here has a different mission and approach, most complement the others. There is no obvious reason why a hierarchical system of systems could not be assembled with currently existing biosurveillance systems. This would require enlightened leadership and the will to cooperate, not new technology. Although much remains to be done that will require dedication of the appropriate financial and intellectual resources, there is a solid foundation upon which to build.
ACKNOWLEDGMENTS
The authors thank system owners Drs John Brownstein (HealthMap), Nigel Collier (Biocaster), Jens Linge (MedISys), Larry Madoff (ProMed-mail), Abla Mawudeku (GPHIN), Germain Thinus (HEDIS), and Roman Yangarber (PULS) for their gracious review and helpful comments during preparation of this manuscript. CDC’s Dr Ray Arthur provided valuable insights and comments on this manuscript.
REFERENCES
1. World Health Organization. (2007). International Health Regulations (2005). http://www.who.int/mediacentre/news/releases/2007/pr31/en/index.html.
2. Institute of Medicine. (2003). Microbial Threats to Health: Emergence, Detection, and Response. National Academy Press, Washington, DC.
3. Koch, D. E., Mohler, R. L., and Goodin, D. G. (2007). Stratifying land use/land cover for spatial analysis of disease ecology and risk: an example using object-based classification techniques. Geospat Health 2(1), 15–28.
4. Beck, L. R., Lobitz, B. M., and Wood, B. L. (2000). Remote sensing and human health: new sensors and new opportunities. Emerg. Infect. Dis. 6, 217–227.
5. Gage, K. L., Burkot, T. R., Eisen, R. J., and Hayes, E. B. (2008). Climate and vectorborne diseases. Am. J. Prev. Med. 35, 436–450.
6. Linthicum, K. J., Anyamba, A., Tucker, C. J., Kelley, P. W., Myers, M. F., and Peters, C. J. (1999). Climate and satellite indicators to forecast Rift Valley fever epidemics in Kenya. Science 285, 397–400.
7. Cazelles, B., and Hales, S. (2006). Infectious diseases, climate influences, and nonstationarity. PLoS Med. 3, e328. DOI: 10.1371.
8. Barrett, R., and Brown, P. J. (2008). Stigma in the time of influenza: social and institutional responses to pandemic emergencies. J. Infect. Dis. 197, S34–S37.
9. McGrath, J. W. (1991). Biological impact of social disruption resulting from epidemic disease. Am. J. Phys. Anthrop. 84, 407–419.
10. Lombardo, J., Burkom, H., Elbert, E., Magruder, S., Lewis, S. H., Loschen, W., Sari, J., Sniegoski, C., Wojcik, R., and Pavlin, J. (2003). A systems overview of the electronic surveillance system for the early notification of community-based epidemics (ESSENCE II). J. Urban Health. 80, i32–i42.
11. National Academy Press (2007). Institute of Medicine Infectious Disease Surveillance and Detection: Assessing the Challenges—Finding Solutions. National Academy Press, Washington, DC.
12. Wilson, J. M., Parker, M. F., Hartley, D. M., McEntee, T., Tilton, E. L., and Cardwell, K. (2004). Proceedings integrated research team workshop on the role of indications and warnings for prediction and surveillance of catastrophic biological events. U.S. Army Medical Research and Materiel Command, Fort Detrick, Maryland, pp. 9–10.
13. Fitch, J. P., Raber, E., and Imbro, D. R. (2003). Technology challenges in responding to biological or chemical attacks in the civilian sector. Science 302, 1350–1354.
14. Collier, N., Doan, S., Kawazoe, A., Goodwin, R. M., Conway, M., Tateno, Y., Ngo, Q. H., Dien, D., Kawtrakul, A., Takeuchi, K., Shigematsu, M., and Taniguchi, K. (2008). Biocaster: detecting public health rumors with a Web-based text mining system. Bioinformatics, Oxford: Oxford University Press, DOI: 10.1093/bioinformatics/btn534.
15. Collier, N., Kawazoe, A., Lihua, J., Shigematsu, M., Dien, D., Barrero, R., Takeuchi, K., and Kawtrakul, A. (2007). A multilingual ontology for infectious disease outbreak surveillance: rationale, design, and challenges. J. Lang. Resour. Eval. 40, 405–413.
16. Doan, S., Hung-Ngo, Q., Kawazoe, A., and Collier, N. (2008). Global Health Monitor-a web-based system for detecting and mapping infectious diseases. Proceedings of the 3rd International Joint Conference on Natural Language Processing (IJCNLP), Companion Volume, pp. 951–956.
17. Blench, M. (2008). Global public health intelligence network (GPHIN). Eighth Conference of the Association for Machine Translation in the Americas, USA, pp. 299–303.
18. Brownstein, J. S., Freifeld, C. C., Reis, B. Y., and Mandl, K. D. (2008). Surveillance Sans Frontieres: internet-based emerging infectious disease intelligence and the HealthMap Project. PLoS Med. 5(7), e151. DOI: 10.1371/journal.pmed.0050151, 1019–1024.
19. Steinberger, R., Fuart, F., van der Goot, E., Best, C., von Etter, P., and Yangarber, R. (2008). Text mining from the web for medical intelligence. In Mining Massive Data Sets for Security, F. Fogelman-Soulie, D. Perrotta, J. Piskorski, and R. Steinberger, Eds. IOS Press, Amsterdam, The Netherlands, pp. 295–310.
20. Yangarber, R., von Etter, P., and Steinberger, R. (2008). Content collection and analysis in the domain of epidemiology. Proceedings of First International Workshop on Describing Medical Web Resources: the 21st International Congress of the European Federation for Medical Informatics, Göteborg, Sweden.
21. Madoff, L. C. (2004). ProMED-mail: an early warning system for emerging diseases, Clin. Infect. Dis. 39, 227–232.
22. Madoff, L. C., and Woodall, J. P. (2005). The internet and global monitoring of emerging diseases: lessons from the first 10 years of ProMED-mail. Arch. Med. Res. 36, 724–730.
23. Espino, J. U., Wagner, M. M., Tsui, F. C., Su, H. D., Olszewski, R. T., Lie, Z., Chapman, W., Zeng, X., Ma, L., Lu, Z. W., and Dara, J. (2004). The RODS open source project: removing a barrier to syndromic surveillance. Stud. Health Technol. Inform. 107, 1192–1196.
24. Wilson, J. M., Polyak, M. G., Blake, J. W., and Collmann, J. (2008). A heuristic indication and warning staging model for detection and assessment of biological events. J. Am. Med. Inform. Assoc. 15, 158–171.
25. Pavlovsky, E. N. (1966). Natural Nidality of Transmissible Disease. N. D. Levine, translated by F. K. Plous, Ed., University of Illinois Press, Urbana and London.
26. Vora, N. (2008). Impact of anthropogenic environmental alterations on vector-borne diseases. Medscape J. Med. 10(10), 238.
27. Peterson, A. T. (2008). Biogeography of diseases: a framework for analysis. Naturwissenschaften 95, 483–491.
28. Brownstein, J. S., Freifeld, C. C., and Reis, B. Y. (2007). HealthMap: internet-based emerging infectious disease intelligence. In Global Infectious Disease Surveillance and Detection: Assessing the Challenges-Finding Solutions. Forum on Microbial Threats, S. M. Lemon, M. A. Hamburg, F. Sparling, E. R. Choffnes, and A. Mack, Eds. Rapporteurs. The National Academy Press, http://www.nap.edu/catalog/11996.html, pp. 122–135.
29. Buehler, J. W., Berkelman, R. L., Hartley, D. M., and Peters, C. J. (2003). Syndromic surveillance and bioterrorism-related epidemics. Emerg. Infect. Dis. 9, 1197–1204.
30. Buehler, J. W., Sonricker, A., Paladini, M., Soper, P., and Mostashari, F. (2008). Syndromic surveillance practice in the United States: findings from a survey of state, territorial, and selected local health departments. Adv. Dis. Surveill. 6, 1–20.
31. Cantón, R. (2005). Role of the microbiology laboratory in infectious disease surveillance, alert and response. Clin. Microbiol. Infect. 11(Suppl 1), 3–8.
32. Woodall, J., and Aldis, R. (2003). Gaps in Global Surveillance. Bioweapons Prevention Project Occasional Paper, 1, pp. 1–15.
33. Morse, S. S. (2007). Global infectious disease surveillance and health intelligence. Health Affairs 26, 1069–1077.
34. Eysenbach, G. (2006). Infodemiology: tracking flu-related searches on the web for syndromic surveillance. Am. Med. Inform. Assoc. 2006 Proceedings, 244–248.
35. Polgreen, P. M., Chen, Y., Pennock, D. M., and Nelson, F. D. (2008). Clin. Infect. Dis. 47, 1443–1448.
36. Hulth, A., Rydevik, G., and Linde, A. (2009). Web queries as a source for syndromic surveillance. PLoS ONE 4(2), e4378.
BIOSURVEILLANCE TRADECRAFT
James M. Wilson and Craig Kiebler
Georgetown University Medical Center, Argus Research Operations Center, Imaging Science and Information Systems Center, Washington, D.C.
Ronald A. Walters
Pacific Northwest National Laboratory, Richland, Washington, D.C.
John Davies-Cole
Center for Policy, Planning and Epidemiology, DC Department of Health, Washington, D.C.
1 INTRODUCTION
The term “biosurveillance” is not currently associated with a universally accepted definition [1]. For the purposes of this article, we consider the definition of biosurveillance to be the detection and tracking of biological events that represent a deviation from what is considered the normal endemic baseline. A “biological event” refers to disease events affecting humans, animals, and/or plants; here we focus primarily on biological events affecting humans or animals. The prospect of rapid detection of socially disruptive biological events that are triggered through natural, accidental, or intentional mechanisms is of interest not only to the public health community but to the agricultural, law enforcement, intelligence, and homeland security communities as well. From a public health perspective, biosurveillance must embrace grounded public health surveillance methodology as well as near-real-time situational awareness (i.e. event detection). The public health community has traditionally focused on health-related information such as patient care, disease reporting, and diagnostic information. This represents but a small portion of the necessary data potentially useful to detect and track an evolving biological event [1].
2 EMERGENCE OF THE BIOSURVEILLANCE TRADECRAFT
At the time of writing this manuscript, there did not exist a formalized professional discipline in operational biosurveillance with rigorous research, education, and training support. Biosurveillance requires a synthesis of analytic approaches derived from the natural disaster, intelligence, public health, epidemiological, medical, veterinary, agricultural, meteorological, anthropological, and sociological communities, among others. Functional modes of biosurveillance analysis span the tactical, strategic, and forensic domains.
The tradecraft of biosurveillance follows tenets similar to those of the intelligence cycle, which is a useful construct to codify operations. Figure 1 displays an overview of the biosurveillance cycle. Data collection is driven by a comprehensive targeting analysis, which stems from a mission analysis (see below). Targeting enables identification of the key required information elements and what sources can provide such information in a timely and credible manner. Analysis of the information is driven by mission objectives (see below).
[Cycle diagram with four stages: Collection, Analysis, Targeting, and Dissemination.]
FIGURE 1 The biosurveillance cycle.
Dissemination is an important step; control of information flow can be as much an asset to an operations team performing biosurveillance as a detriment if information is not controlled appropriately. Feedback provided from customers of the information enables refinement of the overall process through never-ending targeting analysis. Targeting is a perpetual component of operational biosurveillance that ensures improvement.
3 MISSION ANALYSIS
An operational biosurveillance organization, especially if it is to function in the tactical environment, must exist as a highly disciplined entity. The creation of such an organization begins with a mission analysis, which comprises a mission statement, critical information requirements (CIRs), targeting analysis, and an operations plan that eventually evolves into standard operating procedures (SOPs). It is the operations plan that codifies the process of data collection, analysis, and information dissemination.
The mission statement is an important first step. It defines the customer(s), the product outputs, and the operational objective, and implies the eventual CIRs and primary operational tempo (tactical, strategic, and forensic). An example of a mission statement might be the following:
The ACME Biosurveillance Organization provides decision makers early recognition of biological events of potential local and regional significance, to include natural disease outbreaks, accidental or intentional use of biological agents, and emergent biohazards through the acquisition, integration, analysis, and dissemination of information from existing human disease, food, water, meteorological, and environmental surveillance systems and relevant threat information.
The CIRs are typically a list of 5–10 (preferably five) statements that define the key items the customer is primarily concerned about. An example of a CIR is any credible evidence of an act of intentional biological agent release.
Targeting analysis refers to defining the data collection requirements and the implied social networks and information providers needed to obtain the data. For national, state, and local considerations, reporting requirements are legally mandated for specific diseases such as plague. These requirements have not traditionally included indication and warning (I&W) reporting, which is an additional important consideration.
I&Ws fall into two categories: direct and indirect. Direct indications refer to explicit local reporting of disease in humans, animals, or plants that may describe epidemiological features of the event [2]. Here, it is important to monitor with a species-agnostic approach. Species tropism exhibited by diseases may give important initial clues as to the diagnosis. For example, prairie dog illness in Colorado is an important indicator of the possible presence (and imminent threat to human health) of plague. Indirect indicators are further subdivided into additional categories such as official acknowledgement, official action, local perception of threat, business practice changes, and integrity of infrastructure. The indicators within these categories are numerous and beyond the scope of this article; however, they enable approximation, over time, of social functioning in the context of a biological event. The key objective in the use of indirect indicators is to provide an assessment of containment status and concurrent level of social disruption [2]. When considered as a whole, these reporting requirements enable operational monitoring of an entire society as though it were a patient in a hospital bed.
Once a combined disease-specific and I&W reporting requirement table has been established, the next step involves prioritization. For example, a report of diarrhea in a day care center may take lower precedence than a report from the primary trauma care hospital for the city of a sudden inundation of its infrastructure with an unidentified influenza-like illness. Such prioritization will naturally lead to categorization of reporting requirements into classes that are easily understood by the user community, such as “warning”, “watch”, and “advisory”. Note that this prioritization is dependent upon, and partly defined by, the user community, whether for internal monitoring purposes or to provide reporting to the health care community or the general public. Examples of this process are highlighted in Table 1.
Once prioritized reporting requirements have been established, an examination of social networking is required that attempts to cross-match the requirements to data and information sources; the product of this analysis is referred to as a targeting matrix. For example, if a key direct indicator is reports of disease in rodents, then one may need to consider building a network of reporting that includes the local sanitation authority. If a key indirect indicator is local depletion of ventilator supplies, then one may need to build a relationship with the local distributor of ventilators as well as medical facilities that use ventilators. Prioritized reporting requirements drive the operations tempo, where “warning” implies a tactical, near-real-time reaction by the analyst versus an “advisory” that may be monitored over the course of a week. In other words, this categorization is an easy way to impart the severity and importance of the report to the user community.
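The cross-matching step described above, shown as an added Python illustration that is not part of the original chapter: it builds a small targeting matrix from the rodent and ventilator examples, orders it by reporting class, and lists requirements that still have no source. The class assignments, source names, credibility and reliability scores, and review intervals are constructed assumptions.

```python
from dataclasses import dataclass

# Review interval per reporting class, in hours. The text ties "warning" to a
# near-real-time reaction and "advisory" to monitoring over about a week; the
# exact numbers and the "watch" value are assumptions for this example.
REVIEW_HOURS = {"warning": 1, "watch": 24, "advisory": 168}
CLASS_ORDER = ["warning", "watch", "advisory"]


@dataclass(frozen=True)
class Requirement:
    indicator: str        # what must be reported
    kind: str             # "direct" or "indirect" indicator
    reporting_class: str  # "warning", "watch" or "advisory"


@dataclass(frozen=True)
class Source:
    name: str
    indicators: frozenset  # indicators this source can report on
    credibility: float     # 0..1, constructed score
    reliability: float     # 0..1, constructed score


def build_targeting_matrix(requirements, sources):
    """Cross-match each requirement to the sources able to report on it.

    Rows are ordered by reporting class (warning first). Within a row the
    sources are ranked by credibility * reliability, best first.
    """
    for req in requirements:
        if req.reporting_class not in REVIEW_HOURS:
            raise ValueError(f"unknown reporting class: {req.reporting_class!r}")
    ordered = sorted(requirements,
                     key=lambda r: CLASS_ORDER.index(r.reporting_class))
    rows = []
    for req in ordered:
        matched = [s for s in sources if req.indicator in s.indicators]
        matched.sort(key=lambda s: s.credibility * s.reliability, reverse=True)
        rows.append({
            "indicator": req.indicator,
            "kind": req.kind,
            "class": req.reporting_class,
            "review_hours": REVIEW_HOURS[req.reporting_class],
            "sources": [s.name for s in matched],
        })
    return rows


def coverage_gaps(matrix):
    """Requirements with no source: reporting relationships still to build."""
    return [row["indicator"] for row in matrix if not row["sources"]]


# Constructed sample data. Indicators follow the examples in the text; the
# classes, sources and scores are hypothetical.
REQUIREMENTS = [
    Requirement("local depletion of ventilator supplies", "indirect", "watch"),
    Requirement("disease in rodents", "direct", "advisory"),
    Requirement("intentional biological agent release", "direct", "warning"),
]
SOURCES = [
    Source("local sanitation authority",
           frozenset({"disease in rodents"}), 0.6, 0.9),
    Source("veterinary laboratory",
           frozenset({"disease in rodents"}), 0.9, 0.5),
    Source("ventilator distributor",
           frozenset({"local depletion of ventilator supplies"}), 0.8, 0.7),
    Source("hospital census feed",
           frozenset({"local depletion of ventilator supplies"}), 0.9, 0.9),
]

if __name__ == "__main__":
    matrix = build_targeting_matrix(REQUIREMENTS, SOURCES)
    for row in matrix:
        print(row["class"], row["review_hours"], row["indicator"], row["sources"])
    print("no source yet:", coverage_gaps(matrix))
```

A requirement that appears in the gap list is one for which a reporting relationship has to be built before the requirement can be monitored at its intended tempo.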
The operations plan draws together all of these components into a document that precisely defines how the mission will be executed, from mission statement to CIRs, prioritized reporting requirements, operation tempo modes, communication channels that include the social network of reporting, and so on. While the document itself eventually becomes a desk reference for the biosurveillance analyst, it is a living document that is modified to reflect changes in operational requirements and refinements in the analytic process.
TABLE 1 Example of Prioritized Reporting Requirements
Columns: Events; Warning; Watch; Advisory
Events:
Any indication of intentional use of any biological agent or a biowarfare attack
Any indication of public health system failure or social collapse associated with a biological event involving humans or animals
A biological event associated with illness of health care, veterinary, or laboratory workers
Public panic documented by local media in context with an active biological event (includes mass evacuations and conflict with officials)
Any incident of unexplained illness requiring additional response or assistance, especially of health care, veterinary, or laboratory workers
Any acute cluster (>3) of unexplained illness in humans
Any acute cluster (>10) of unexplained illness in animals
Vaccine accident triggering a biological event
Any increased demand for ventilator or intensive care unit support
Vaccine or therapeutic failure or compromise
4 BIOLOGICAL EVENT EVOLUTION
Investigators have attempted to define event evolution as a function of media reporting. Cieri and colleagues [3] proposed that an event be defined as “a specific thing that happens at a specific time and place along with all necessary preconditions and unavoidable consequences” [3]. Makkonen [4] observed that a seminal event can lead to various related events and outcomes, and the initial cause of these events may become less obvious over time [4]. Chen and colleagues proposed that a media-reported event can be considered “a life form with stages of birth, growth, decay, and death”; maintenance of the reported event is dependent on sensationalism [5]. We propose that biological events are reported through various data inputs as increasingly complex phenomena over time, whose “nourishment” is dependent on whether the biological agent in question continues to transmit above what is locally considered baseline disease [2].
For example, in 2002, the emergence of severe acute respiratory syndrome (SARS) in the People’s Republic of China (PRC) appeared to be largely unnoticed by the international community. I&Ws of “unseasonal bad flu” appeared in September in local Chinese vernacular media. Diagnosis of the pathogen in question would not have been apparent beyond “bad flu”; however, “unseasonal” indicated a local awareness of a potential departure from local baseline disease. In October, social anxiety was reported. By November, official concern was expressed regarding potential public panic. In December, an abrupt decrease in reporting, indicating possible information suppression, was a key indicator of a change in local awareness of this novel threat. In January, reports of supply depletions and mobilization of resources appeared, indicating severe shifts in supply and demand. By April, reports documented martial law and rioting due to SARS-related social disruption.
This event likely was a complex event involving a variety of respiratory pathogens; to date, there remains uncertainty as to precisely when SARS emerged within this context. In any case, reports of “unseasonal bad flu” in September and, more important, of social anxiety in October would have been key to the analyst’s assessment of whether unusual disease was present. The overall pattern was one of recurrence, elevation, and diversification of the I&Ws of a biological event declared unusual, followed by reports of containment loss [6]. As recent history has shown, SARS was not recognized to be a transnational threat until it had translocated through the air traffic grid to eight countries including the United States. The challenge revolved around near-real-time access to transparent disease reporting, understanding of what were indications of social disruption due to containment loss, and effective analysis to determine the nature of what ultimately constituted a true transnational issue [6].
The 1995 epidemic of Venezuelan equine encephalitis (VEE) in Venezuela and Colombia presented a complex picture of flood-induced infrastructure collapse, the presence of a disease affecting horses and humans (i.e. VEE), and possibly the presence of other diseases as well, such as dengue fever. In March and April 1995, flooding was reported in local vernacular Venezuelan media. In April, equine health evaluations were reported,
but there was no explicit declaration of an outbreak of disease. By June, enough information was available to note the presence of a multifocal biological event in equines, co-occurring with at least a unifocal event in humans. In July, infrastructure strain was reportedly related to equine disease (e.g. depletion of local vaccine supplies), along with indications of a multifocal human disease also present. In August, strain on the medical infrastructure was reported (e.g. hospitals overrun with infected individuals), followed by signs of social collapse in September. Flooding was a key factor promoting the vigorous progression of this epidemic because of not only its effects on expansion of the vector population, but also its direct effect of disrupting multiple sectors of Venezuela’s local infrastructure, such as power lines, roadways, and communication. In this example, although documentation of infrastructure collapse due to flooding appeared as early as June, local reporting of social collapse specifically due to disease did not appear until September. It could easily be argued that the effects of flooding on local infrastructure greatly increased the probability of rapid loss of containment. It was later hypothesized that this epidemic was due to a possible laboratory accident, highlighting the time delays inherent in determination of attribution [7]. The VEE epidemic represented a possible translocation issue for the United States given that air traffic from Maracaibo, Venezuela, which connected directly to Miami (with unknown connector flights to other destinations within the United States), seasonally peaked during the month of containment loss. To date, it is unknown whether VEE could have translocated to Miami and triggered an outbreak that progressed to an epidemic, ecological establishment, and repeated seasonal transmission for years to come.
A comprehensive assessment of the transmission competency of endemic mosquito species in Miami would be necessary to determine if this was a valid hazard concern [7].
In 1979, a laboratory accident involving aerosolized anthrax occurred in Sverdlovsk, Russia. From April 14 to May 18, 1979, local media in Sverdlovsk explicitly reported the occurrence of a series of human cases of inhalation anthrax along with draconian countermeasures as officials sought to rapidly contain and conceal the true etiology of the event. In 1992 and 1993, a team of American and Russian researchers led by Meselson and colleagues traveled to Sverdlovsk to investigate evidence for two hypotheses for the anthrax epidemic of 1979: the official USSR version that infected meat caused the outbreak, and the US intelligence claim that the true etiology of the epidemic was an accidental release of aerosolized anthrax spores from Compound 19 within the Voyenny Gorodok 47 biological weapons laboratory located in the city. The Meselson team concluded that an accidental aerosol release had indeed occurred on April 2, 1979, resulting in what is thought to be the largest documented outbreak of human inhalation anthrax in history. Declassified US intelligence archives suggest that the intelligence community was unaware of this event until months after the fact [8]. This example highlights the requirement for a tactical approach to detect biological events and to baseline not only the epidemiological data for the disease itself, but social responses as well. Identifying “unusual” biological events that are evolving rapidly, with an attendant recurrence, elevation, and diversification of the I&Ws, may assist in a time-sensitive evaluation of whether there may be questions of attribution [8].
In each of these case scenarios, the biological event in question produced a “ripple effect” whereby I&Ws appeared in media. However, to fully capture the range of indications that appear over time, other sources of data produced through a wide variety of scientific disciplines and mechanisms are needed.
[Plot: curves A and B; axes labeled Magnitude and Time.]
FIGURE 2 Naturally occurring epidemic with attendant social disruption [A = epidemic and B = social disruption]. The y axis represents time and the x axis represents magnitude (case count for curve A and number of reports of social disruption for curve B).
TABLE 2 Surveillance Modes and Example Data Sources Required to Detect and Track the Hypothetical Biological Event Shown in Figure 2
Event | Surveillance Mode | Example Data Source
Human epidemic (curve A) | Syndromic, voluntary reporting | Clinical encounter data and public health hotlines
Social disruption (curve B) | Tactical open source monitoring, infrastructure status monitoring | Pharmaceutical purchase information, real-time hospital census data, real-time ambulance diversion data, and media
5 TARGETING THE ANATOMY OF A BIOLOGICAL EVENT
Figure 2 shows a hypothetical naturally occurring biological event. Table 2 shows example data necessary to detect and track the event. Syndromic surveillance is considered an important asset. Originally funded in the early 1990s as a means to rapidly detect acts of biological terrorism, syndromic surveillance utilizes hospital data thought to contain early disease information such as patient chief complaints and emergency department-generated diagnostic codes for disease. To date, however, no public health organization in the United States has demonstrated consistent operational validation of the use of syndromic surveillance as a means to rapidly detect first appearance of a biological event. The astute clinician is still considered the primary source of this information [9–12]. Our team’s observations, however, indicate perhaps a different reality, where public health organizations utilize a wide variety of sources that “tip” the analyst; provide context and relevancy; enable decisions to increase sensitivity of their network of sources (e.g. health care provider advisories); or enable a decision to engage in a full epidemiological investigation or response campaign.
In Figure 3, a naturally occurring zoonotic epidemic for pathogens such as VEE (i.e. an epidemic affecting both animals and humans) may produce essentially two time-lagged periods of disease with attendant social disruption. Experientially, our team has noted that social disruption for animal disease tends not to be of the same magnitude as social disruption caused by human disease. Table 3 outlines example modes of surveillance and data sources. Note that some zoonotic diseases, such as the example of VEE above, require meteorological, environmental, and vector insect species monitoring.
[Plot: curves A, B, C, and D; axes labeled Magnitude and Time.]
FIGURE 3 Naturally occurring zoonotic epidemic with attendant social disruption (A = animal epidemic, B = social disruption due to animal epidemic, C = human epidemic, and D = social disruption due to human epidemic).
TABLE 3 Surveillance Modes and Example Data Sources Required to Detect and Track the Hypothetical Biological Event Shown in Figure 3
Event | Surveillance Mode | Example Data Source
Animal epidemic (curve A) | Syndromic, voluntary reporting | Veterinary encounter data, agricultural and public health hotlines, and media
Human epidemic (curve B) | Syndromic, voluntary reporting | Clinical encounter data, public health hotlines, and media
Social disruption (curves B and D) | Tactical open source monitoring, infrastructure status monitoring | Agricultural commodity monitoring, pharmaceutical purchase information, real-time hospital census data, real-time ambulance diversion data, and media
Other Parameters | Meteorological, vector, environmental | Meteorological data, satellite imagery, mosquito surveillance data
“Other parameters” would become important if the pathogen in question is a mosquito-transmitted virus such as VEE.
These modes of surveillance provide such information, for example, as identification of conditions favorable for mosquito emergence and whether the mosquito pools are increasingly positive over time for the pathogen in question. It is known that for some mosquito-transmitted viruses, ambient environmental temperature is an important driver of transmission. Obviously, it is important to determine up front whether local endemic mosquitoes are transmission competent for the pathogen in question.
What is notable in this example is the anticipatory information potentially available when tracking animal illness. Die-offs or illness in different species of animals may portend eventual presence of disease in humans. Understanding the signs of disease and apparent tropism expressed through the involvement of different animal species can provide valuable clues to the possible diagnosis. In the case of mosquito-vectored viral disease such as VEE, an awareness of when ambient temperature optimization will occur provides anticipatory information regarding when the height of human cases may be observed.
Figure 4 and Table 4 show a hypothetical biological event that followed a natural disaster such as flooding. This is often the case in equatorial regions of the world involving countries with poor access to safe drinking water. For example, in many parts of India, seasonal monsoon rains result in reports of heavy rainfall, followed by flooding, civil infrastructure and crop damage, and attendant social disruption. This information can be captured in local media sources, nongovernmental organization reporting, meteorological data, and satellite imagery. In time, public anxiety about a possible increase in waterborne illness such as cholera begins to appear, followed by scattered reports of cholera that may or may not represent a true exceedance of baseline disease. If an outbreak is triggered by compromised sanitation, then reports of high cholera case counts with attendant social disruption are observed. In this case, we see natural disasters potentially accelerating the time to local loss of containment of a biological event that may have international public health implications. As with the example in Figure 3, anticipatory information is present should the operator be sensitive to which areas of the world report this kind of phenomenon. Each piece of anticipatory information is a driver for increased analytic sensitivity to the evolving event.
[Plot: curves A, B, and C; axes labeled Magnitude and Time.]
FIGURE 4 Natural disaster-induced social disruption preceding biological event (A = flooding, B = epidemic, and C = social disruption).
TABLE 4 Surveillance Modes and Example Data Sources Required to Detect and Track the Hypothetical Biological Event Shown in Figure 4
Event | Surveillance Mode | Example Data Sources
Natural disaster (curve A) | Tactical open source monitoring, meteorological, disaster reporting services, environmental sensors | Disaster response community listservs, satellite imagery, disaster and humanitarian emergency reporting, seismic sensors, and media
Social disruption (curve B) | Tactical open source monitoring, infrastructure status monitoring | Agricultural commodity monitoring, pharmaceutical purchase information, real-time hospital census data, real-time ambulance diversion data, and media
Human epidemic (curve C) | Syndromic, voluntary reporting | Clinical encounter data and public health hotlines
In Figure 5 and Table 5, a hypothetical foreign biological event, with its attendant social disruption, is translocating to the United States to generate a domestic biological event. In this case, tactical detection and tracking of the foreign biological event can provide anticipatory information regarding a potential transnational issue. The challenge
is determination of the criteria for declaring a true translocation advisory, whom to advise (i.e. which local departments of health or agriculture), and what to advise regarding how they should respond. Nevertheless, anticipatory information resides in detection of the foreign biological event for which containment has been lost; in other words, indicators of this event are essentially pre-event indicators from the perspective of the United States given the event is not directly affecting the domestic infrastructure yet. On the other hand, US assets deployed in the same countries may become directly or indirectly affected by this event, whether or not translocation takes place.
[Plot: curves A, B, C, and D, with the translocation marked; axes labeled Magnitude and Time.]
FIGURE 5 Naturally occurring epidemic translocating from one site to another with attendant social disruption (A = epidemic at the donor site, B = social disruption at the donor site, C = epidemic at the recipient environment, and D = social disruption at the recipient community).
TABLE 5 Surveillance Modes and Example Data Sources Required to Detect and Track the Hypothetical Biological Event Shown in Figure 5
Event | Surveillance Mode | Example Data Sources
Foreign epidemic (curve A) | Tactical open source monitoring, voluntary reporting, international public health surveillance | CDC advisories, WHO Global Outbreak Alert and Response Network, and media
Social disruption (curve B) | Tactical open source monitoring | Media
Translocated domestic epidemic (curve C) | Syndromic, voluntary reporting | Clinical encounter data and public health hotlines
Social disruption (curve D) | Tactical open source monitoring, infrastructure status monitoring | Agricultural commodity monitoring, pharmaceutical purchase information, real-time hospital census data, and real-time ambulance diversion data
Other parameters | Transportation and commerce monitoring | Commodities trade and transportation data
CDC, United States Centers for Disease Control and Prevention; WHO, World Health Organization.
Figure 6 and Table 6 display a hypothetical intentional release of a biological agent (curve A), followed by an epidemic (curve B) with attendant social disruption (curve C). In this particular example, biosensors become an important asset to rapidly detect a possible release and cue local public health response before human cases actually present
to health care providers. Thus, detection of a biological agent by a biosensor can prompt sensitization of the entire surveillance network and possibly cue response planning ahead of reports of actual human casualties.
[Plot: curves A, B, and C; axes labeled Magnitude and Time.]
FIGURE 6 Intentional release of biological event, followed by epidemic and social disruption (A = biological agent released, B = epidemic, and C = social disruption).
TABLE 6 Surveillance Modes and Example Data Sources Required to Detect and Track the Hypothetical Biological Event Shown in Figure 6
Event | Surveillance Mode | Example Data Sources
Release of biological agent (curve A) | Biosensor | BioWatch
Human epidemic (curve B) | Syndromic, voluntary reporting | Clinical encounter data and public health hotlines
Social disruption (curve C) | Tactical open source monitoring, infrastructure status monitoring | Pharmaceutical purchase information, real-time hospital census data, real-time ambulance diversion data, and media
Other parameters | Meteorological | Meteorological data
In summary, a wide variety of data sources are required for biosurveillance, which have varying usefulness in biological event detection, providing context and relevance of the information, enabling outbreak alert and verification, and determination of attribution. Table 7 displays a summary table of example data sources required for biosurveillance.
Discussion of data requirements for biosurveillance would be incomplete without consideration of how the data would be used and whether data or information derived from data is more operationally relevant. Process and operational requirement definition is a critical consideration. This includes consideration of whether the organization in question is functioning at the national, state, or local level and whether the operations tempo is tactical, strategic, or forensic. How the information is to be used, by whom, and under what distribution control are additional considerations. Although biological events themselves cause social disruption, improperly managed risk communication stemming
from biosurveillance information can generate social disruption as well to the detriment of the organization seeking to maintain resources for their activities.
TABLE 7 Summary of Example Data Sources and Functional Modes of Biosurveillance
Surveillance Mode | Primary Function | Example Data Sources
Disaster reporting services | Anticipatory information regarding conditions favorable for rapid containment loss should a biological event appear; anticipatory information regarding environmental conditions favorable for disease emergence | International: disaster response listservs; domestic: National Geological Survey reporting and seismic sensors
Environmental sensors | Anticipatory information regarding environmental conditions favorable for disease emergence | International and domestic: satellite imagery
Biosensor | Anticipatory information regarding possible act of biological terrorism | Domestic: BioWatch
Threat reporting | Anticipatory information regarding potential for act of biological terrorism | International and domestic: intelligence
Meteorological | Anticipatory information regarding transmission rate influenced by meteorological conditions | National Weather Service meteorological data
Infrastructure status monitoring | Biological event detection and tracking | Domestic: pharmaceutical purchase information, real-time hospital census data, and real-time ambulance diversion data
International public health surveillance | Biological event detection and tracking | International: CDC advisories, WHO Global Outbreak Alert and Response Network, FAO and OIE reporting, and nongovernmental organization reporting
Tactical open source monitoring | Biological event detection and tracking | International: media; domestic: media
Voluntary reporting | Biological event detection and tracking | Domestic: public health and agricultural community hotlines
Syndromic surveillance (animal) | Context | Domestic: veterinary encounter data and laboratory data
Syndromic surveillance | Context | Domestic: clinical encounter data and laboratory data
Vector surveillance | Context | Domestic: local department of health mosquito surveillance reporting
Transportation and commerce monitoring | Determination of hazard relevance | International and domestic: commodities trade and transportation data
This is not an all-inclusive list but meant to provide an illustrative example. FAO, Food and Agriculture Organization; OIE, World Animal Health Organization.
6 SOCIAL NETWORKING FOR SOURCE MANAGEMENT
The “astute clinician”, be they a human or animal health care provider, is generally thought to be the primary source of valuable biosurveillance data. It is through the astute clinician that the first case of what may eventually be a health catastrophe is most likely reported. As mentioned above, there are other indicators that may precede human cases such as animal die-offs or runs of over-the-counter drug purchases. This requires engineering a complex social network of reporting that is heavily based on human-human interactions, regardless of whatever information technology may or may not be supporting the particular data source.
Several important considerations should be kept in mind when utilizing social networks. It is important to understand the incentive, or abject lack thereof, to report. Physicians, while socially conscientious, may not have the time in a resource-constrained clinical environment to report on a list of over a hundred reporting requirements. However, a health care data management system that can be configured to automatically report certain infrastructure indicators such as ventilator census would be nonintrusive to the busy clinician. Pet store owners, fearing regulatory intervention, may not be inclined to report rodent illness in their stock. However, if they could be educated about the potential risks of importing exotic rodents, it may result in protection of their business’ assets.
Social networks can function both passively and actively against reporting requirements. Detection of a key indicator such as avian die-offs in the city park may prompt a health care advisory to “be on the lookout” for human encephalitis and other animal species illness, and to refer to mosquito surveillance data due to a concern for the potential presence of actively transmitting West Nile virus in the local environment. Thus, indications of a potential problem may prompt a verification cycle.
A social network of partners who can reliably and credibly report is essential to the biosurveillance analyst. Reporter fatigue is a major consideration that is mitigated through a careful management of the social network that includes judicious use of network sensitization. A health care provider network that has received frequent advisories of what are deemed inconsequential reports may be less likely to pay attention to the organization in times of a serious need to report. Further, social network development that leads to timely reporting may, in some cases, require a monitoring group to assure a reporting source of a certain level of anonymity depending upon that source’s personal considerations, much like a media reporter protects his/her sources. Finally, components of a social network report in different ways that can be considered from the standpoint of specificity, credibility, reliability, and timeliness. For example, a report from a sanitation worker suggesting that the sewer is full of dead rats is associated with a different specificity than a laboratory reporting a plague-positive rat. One may receive the information earlier from the laboratory; however, this depends on sampling location and frequency versus reliable reporting from a sanitation worker who monitors the sewers on a daily basis. These considerations will influence the circumstances and degree to which the network will need to be “pinged” to obtain more specific information. Table 8 provides an example of an indicator cross-matched to sources associated with information type, credibility scores, and estimated reliability of reporting.
KEY APPLICATION AREAS
TABLE 8 Example Indicator Cross-Matched to Sources and Source Characteristics
Indications and Warnings (all rows): Reports of disease or death in birds (including poultry)
Columns: Potential Source?; Information Type (Event Tipping, Clinical/Syndromic, Diagnostics or ALL OF THE ABOVE); Credibility (1 is LOW, 5 is HIGH); % Probability of Receiving Daily Report IF There is a Perceived Issue
General public; Event tipping; 4; 100
Fish and Wildlife Service; All of the above; 5; 100
Animal hospital; All of the above; 5; 100
Poultry farmers; Event tipping and clinical; 5; 50
Local zoo; All of the above; 5; 50
Birdwatchers/naturalists; Event tipping; 5; 100
Veterinarians; All of the above; 5; 100
7 CONCEPTUALIZING OPERATIONS: THE PERSPECTIVE OF LOCAL PUBLIC HEALTH
Until the anthrax attack of 2001, the US public health and agriculture communities had not conceived of a concept of biosurveillance operations that functioned in a near-real-time environment. Their operations were, up to that point, focused on preventive strategies coupled loosely to response and recovery operations within a highly reactive, versus proactive, organizational posture. The idea of coupling graded biosurveillance I&Ws to graded response remained highly experimental. Figure 7 displays an actual decision-making framework for the District of Columbia Department of Health (DC DOH). Of interest is the number of sources of information and how the information is actually used. Each source either tends to function as an event detection (or “tipping”) source or as a source that provides context after a tip is received. As event information from sources such as laboratory notification of a select agent is discovered, DC DOH analysts engage in discussion as to the relevance of the information, whether a shift from a passive to active surveillance posture is warranted, and whether health care providers should be sensitized. Decisions made at one point in the process may be reassessed as new information becomes available. Gradual shifts in local network sensitivity in reaction to biosurveillance information may be considered a form of response in effect, acting as a feedback loop to further refine reporting and response. It is within this framework that biosurveillance influences tactical situational awareness within local public health. The investigative process is typically one of increasing specificity of information over time. Thus, depending on the timeliness, validity, and access to information, the process
FIGURE 7 Biosurveillance information processing within the DC DOH.
[Flowchart not reproduced. Labels recoverable from the figure: DHS; FBI; FDA; USDA; CDC; local partners; BioWatch; nurses; veterinarians; public hotline; physicians; astute health care providers; clinical laboratories; wildlife, domestic, zoological and agricultural surveillance; ESSENCE syndromic surveillance; regional outreach; vector surveillance; passive surveillance; event detection; Local Department of Health Epidemiology Analytic Group; “Suspicious findings?”; “Is the event a relevant concern?”; “Issue internal alert?”; “Cross-check other data sources for context and shift into active local surveillance?”; “Request additional information and reassess”; “Issue advisory to local medical community?”; outbreak alert and verification; active surveillance; positive feedback reporting loop.]
involves a certain length of time until informed decisions are able to be executed at each step. Table 9 shows estimates provided by the DC DOH in regards to local sources of information and how relative percentages of information may change with community sensitization. A decision made to sensitize the health care community is used judiciously due to the high risk of desensitization and reporter fatigue. The DC DOH understands
TABLE 9 Relative Percentages of Source Reporting Within the Category of “Astute Clinician” and Comparison Between Nonsensitized and Sensitized Situations
Columns: Source; Not Sensitized—Passive Surveillance (%); Sensitized—Active Surveillance (%)
Laboratory worker; 80; 45
Nurse; 15; 25
Physician; 4; 25
Veterinarian; 1; 5
fully that physicians in particular have little time in their daily routines to report issues not perceived to be of immediate importance. Local public health organizations are typically resource constrained, and therefore have a low tolerance for high daily volumes of nonrelevant biosurveillance information. The challenge of determining information relevance is a critical one to the local public health professional.
8 BRIDGING RAW DATA TO ACTIONABLE INFORMATION
There is an important difference between raw data and actionable information. Releasing raw data to a user community is fraught with risk such as inappropriate interpretation and user desensitization. Translating raw data into preliminary information typically requires subject-matter expert input. Without context, it is difficult for end users to interpret the data. Another step is processing the preliminary information by comparing it with other data or information sources for additional context. This may then be followed by first-, second-, or third-order analytics. The final piece of information, or finished information product, may require additional analysis to determine relevance for the individual user. The typical public health analyst, in a resource-constrained environment, will not be as willing to engage in examination of noncontextualized raw data versus a finished assessment. Finished assessments resulting from the abovementioned process take a significant amount of time to produce. Further, the typical public health analyst is generally focused on his/her immediate local health concerns and not necessarily aware, in a timely fashion, of developing regional and international situations that have potential to translocate to his/her area of responsibility. When considering the need for near-real-time detection and tracking of biological events, a balance must be struck whereby a form of preliminary information is passed to the user community in lieu of a finished assessment that follows later.
9 AN ADVISORY SYSTEM FOR BIOSURVEILLANCE
For several decades, the National Weather Service and the natural disaster community have made effective use of an advisory system to alert users and the general public of impending issues. The advisory system for storms not only informs and cues the meteorological community to closely follow the event in question but also has a translated response implication for the lay public. For example, the average citizen has an inherent
BIOSURVEILLANCE TRADECRAFT
TABLE 10 The Wilson–Collmann Scale for Biological Event-Related Social Disruption
Columns: Stage; Condition
0; Conditions favorable to support the appearance of a biological event
1; Unifocal biological event
2; Multifocal biological event
3; Severe infrastructure strain and depletion of local response capacity
4; Social collapse
understanding that a category 1 hurricane is associated with a lower implied need to evacuate the area than a category 5 hurricane [13, 14]. The Wilson–Collmann Scale, a prototype staging system for social disruption due to biological events, has been established and has been in use by Project Argus since 2004, as summarized in Table 10. This heuristic model enables an analyst to rapidly assess the severity of a biological event based on the level of social disruption generated using a standardized terminology. This information, when placed in context with the suspected pathogen, can assist the analyst in making a decision to issue an advisory to the user community [2]. However, this staging system has not been tested domestically in the United States. Standards for a biosurveillance-informed advisory system have not been developed at the national, state, or local levels for biological events that affect humans, animals, or plants. Reporting requirements beyond legally mandated disease-specific reporting for the biosurveillance environment have not been integrated and standardized across different communities of interest. This then presents a key challenge: how does one define data requirements when no operational requirements have been generated? What should national, state, and local level watchboards post as advisories? What would a warning, watch, and advisory look like from each of these perspectives? How would a warning posted on a national level watchboard be translated in a local watchboard? And of key importance, precisely who at the national, state, and local levels should receive these advisories? This becomes a particularly difficult question when considering that the community health care provider is likely to be the first line of response. A nonsensitized health care provider is less likely to consider exotic diagnoses than one who has been sensitized to look for a particular disease. Relevance of the information to the user is difficult to predict.
Some users are interested in select agents such as anthrax, others are primarily interested in international public health issues such as polio, and other users are concerned about any disease that may affect a ground deployment. This translates to a high degree of complexity when attempting to design an advisory system. Defining relevance is partly a user-defined process; however, the use of disease risk and transmission models may enable refinement of what advisories are relevant to which US local communities and which biological event may truly present a critical national or homeland security issue. Advisory systems have value in controlling distribution, in a net-centric manner, to the biosurveillance community. Further, they enable control of network sensitization, where various components of the community can be cued to look for certain indicators of an event of interest. Advisory systems enable operational translation of biosurveillance data into actionable information, which is the key objective.
10 DISCUSSION
Biosurveillance as a professional discipline is nascent but rapidly emerging. While the process is largely art versus science, the discipline is certainly approaching a point where robust modeling and statistical rigor may be applied. Similar to medicine, this is a discipline of processing uncertainty, intuition, and hunches. Computer algorithms and sophisticated IT platforms cannot replace such experience gained by trial and error over time by an operational biosurveillance group; however, facilitation of effort is a key objective when dealing with global biosurveillance information. We often liken the emergence of the biosurveillance tradecraft to the history of tornado forecasting, where in the 1950s humans learned how to collect and process information related to an event associated with morbidity and mortality (i.e. tornadoes). Over the decades, enough information was gathered to enable mathematical modeling and eventual expansion of a multidiscipline community of professionals that span the private, academic, and public sectors. We see biosurveillance following this same exciting evolutionary path.
ACKNOWLEDGMENTS
The authors would like to thank the anonymous reviewers of this manuscript and Dr Bradley Clark (Trinity Applied Strategies Corporation), Noel Williams, and Dakota Wood (Systems Planning and Analysis, Inc.).
REFERENCES
1. Association of State and Territorial Health Officials (2006). Position Statement: Biosurveillance, March 17. Available from http://www.astho.org/pubs/BiosurveillancePositionStatement FINAL030706.pdf.
2. Wilson, J. M., Polyak, M. G., Blake, J. W., and Collmann, J. (2008). A heuristic indication and warning staging model for detection and assessment of biological events. J. Am. Med. Inform. Assoc., 15(2), 158–171.
3. Cieri, C., Strassel, S., Graff, D., Martey, N., Rennert, K., and Liberman, M. (2002). Corpora for topic detection and tracking. In Topic Detection and Tracking—Event-based Information Organization, J. Allan, Ed. Kluwer Academic Publisher, Norwell, MA, pp. 33–66.
4. Makkonen, J. Investigations on event evolution in tdt. Proceedings of HLT-NAACL 2003, Human Language Technology Conference of the North American Chapter of the Association for Computational Linguistics Student Workshop 2003. Edmonton, Alberta, CA.
5. Chien Chin, C., Yao-Tsung, C., Yeali, S., and Meng Chang, C. (2003). Life cycle modeling of news events using aging theory, lecture notes. Comput. Sci. 2837, 47–59.
6. Polyak, M. G., Blake, J. W., Collmann, J., and Wilson, J. M. (2008). Emergence of Severe Acute Respiratory Syndrome (SARS) in the People’s Republic of China, 2002–2003: a case study to define requirements for detection and assessment of international biological threats. J. Am. Med. Inform. Assoc., 15(2), 158–171.
7. Blake, J. W., Polyak, M. G., Gambale, P., Pinzon, J., Tucker, C. J., Collmann, J., and Wilson, J. M. (2008). Venezuelan equine encephalitis: a case study in international biological threat detection and assessment. J. Am. Med. Inform. Assoc., 15(2), 158–171.
8. Polyak, M. G., Blake, J. W., Hartley, D., and Wilson, J. M. (2006). Anthrax in Sverdlovsk, U.S.S.R., April–June 1979: A Case Study in Examining Open-Source Media for Indications and Warnings of an Accidental Biological Weapons Release, Argus Research Operations Center Internal Report, Argus Research Operations Center, Imaging Science and Information Systems Center, Georgetown University Medical Center, Washington, DC.
9. United States General Accounting Office (2003). Infectious Disease Outbreaks: Bioterrorism Preparedness Efforts Have Improved Public Health Response Capacity, but Gaps Remain, GAO-03-654T April 9. Available from http://www.gao.gov/new.items/d03654t.pdf.
10. United States General Accounting Office (2003). Infectious Diseases: Gaps Remain in Surveillance Capabilities of State and Local Agencies, GAO-03-1176T September 24. Available from http://www.gao.gov/new.items/d031176t.pdf.
11. United States General Accounting Office (2004). Emerging Infectious Diseases: Review of State and Federal Disease Surveillance Efforts, GAO-04-877 September 30. Available from http://www.gao.gov/new.items/d04877.pdf.
12. Buehler, J. W., Berkelman, R. L., Hartley, D. M., and Peters, C. J. (2003). Syndromic surveillance and bioterrorism-related epidemics. Emerg. Infect. Dis., 9(10), 1197–1204.
13. National Hurricane Center, National Weather Service, National Oceanic and Atmospheric Administration. The Saffir-Simpson Hurricane Scale. Available from: URL: http://www.nhc.noaa.gov/aboutsshs.shtml.
14. National Weather Service, National Oceanic and Atmospheric Administration. Fujita Tornado Damage Scale. Available from: URL: http://www.spc.noaa.gov/faq/tornado/f-scale.html.
THE NORTH CAROLINA BIOSURVEILLANCE SYSTEM Anna E. Waller and Amy I. Ising Department of Emergency Medicine, School of Medicine, University of North Carolina, Chapel Hill, North Carolina
Lana Deyneka General Communicable Disease Control Branch, North Carolina Division of Public Health, Department of Health and Human Services, Raleigh, North Carolina
1 INTRODUCTION
On October 17, 2007, President George W. Bush issued the Homeland Security Presidential Directive 21 (HSPD 21) [1]. HSPD 21 outlines immediate steps for improving the nation’s preparedness for natural and intentional disasters, and includes specific criteria
for effective biosurveillance systems. Biosurveillance systems must be able to “identify specific disease incidence and prevalence in heterogeneous populations and environments and must possess sufficient flexibility to tailor analyses to new syndromes and emerging diseases”. In addition, all stakeholders, from public health officials at all levels to data providers and clinicians, must be involved in system design. The North Carolina Disease Event Tracking and Epidemiologic Collection Tool (NC DETECT) is North Carolina’s statewide biosurveillance system. Although its roots date back to an electronic emergency department (ED) data collection initiative launched in 1999, NC DETECT embodies those characteristics outlined in HSPD 21.
2 BACKGROUND
NC DETECT is an advanced, statewide public health surveillance system made possible through a unique combination of leaders in North Carolina from public health, business, and research working together toward a common goal: to enhance the protection of the NC population. NC DETECT is managed through a collaboration between the North Carolina Division of Public Health (NC DPH) and the University of North Carolina at Chapel Hill Department of Emergency Medicine (UNC DEM).
2.1 Data Sources Timeline
The North Carolina Emergency Department Database (NCEDD) project, spearheaded by UNC DEM in 1999, laid the groundwork for electronic ED data collection in North Carolina by developing best practices for collecting and standardizing quality ED data. NC DPH and UNC DEM jointly started developing the hospital arm of the NC DETECT syndromic surveillance system in 2002. In 2004, a partnership between the North Carolina Hospital Association (NCHA) and NC DPH was instrumental in establishing ED data transmissions from the hospitals not yet participating in NC DETECT, including support for a new law making this reporting mandatory as of January 1, 2005 [2]. As of January 7, 2008, there are 109/111 (98%) hospital-based, acute care, 24/7 EDs submitting over 10 000 new visits on a daily basis to NC DETECT, as shown in Figure 1. These data are also transmitted twice daily to the Centers for Disease Control and Prevention’s (CDC’s) BioSense program. In addition to ED data, NC DETECT initiated the collection of additional data sources in 2004. Data collection from multiple data sources provides a more comprehensive view of population health and offers redundancy on the occasion one data source has lapses in data transmission. Currently, NC DETECT loads data from roughly 1800 new records for ambulance runs and 285 statewide poison center calls a day. Animal health data from a regional wildlife center and veterinary medicine laboratories are in pilot testing. Future goals include the incorporation of additional animal health data, as well as data from ambulatory and urgent care centers and Veterans Administration (VA) hospitals.
3 TECHNOLOGICAL OVERVIEW
NC DETECT is an electronic biosurveillance system that does not require any manual data entry [3]. All data are secondary or dual use; in other words, data are generated as part of the registration, treatment, and/or billing of human and animal patients. Data
FIGURE 1 Hospitals reporting ED data to NC DETECT.
are transmitted securely to a centralized server. Before loading into NC DETECT, all data are automatically checked to ensure that all values match established business rules for acceptable quality. Outliers are logged for future follow up and data providers with missing data are notified. As part of the data processing, all data sources are “binned” into one or more syndromes. Public health epidemiologists (PHEs) monitor these syndromes daily, by facility and/or patient’s county of residence, to detect unusual events of potential public health significance.
3.1 Syndrome Development and Classification
NC DETECT classifies ED visits into zero, one or more “syndromes” based on the presence of certain keyword terms in either the chief complaint or triage note, as well as the documented temperature (if available). Syndrome definitions are designed to capture both potential bioterrorist threats and common community-acquired disease outbreaks. The keyword terms searched for include both syndrome-specific (e.g. dyspnea, cough, or tachypnea for respiratory syndrome) and constitutional (e.g. fever, malaise, or myalgias) signs and symptoms. Each syndrome definition also searches for common misspellings, abbreviations, truncations, and acronyms for these terms. In order for a record to match a syndrome, it must contain either a single term, which, by itself, is highly suggestive of the syndrome in question (e.g. “flu” for influenza-like illness (ILI)) or the mention of a bioterrorism (BT) related agent. A record will also match a syndrome if it contains the combination of both a syndrome-specific and a constitutional term. Text-based syndrome case definitions published by the CDC [4] form the basis for the syndrome definitions. The syndromes have been developed and refined through an iterative process by the NC DETECT Syndrome Definition Workgroup and are based on the experience and judgment of the workgroup members with feedback from NC DETECT end users.
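The matching rule just described, worked through as an added example (not NC DETECT code): a record matches on one highly suggestive term or a BT agent, or on a syndrome-specific term together with a constitutional one. The term lists, the 38.0 °C fever cutoff, and the simple negation handling are assumptions made for illustration; the negation check is a stand-in of its own, not an implementation of any published algorithm.

```python
import re

# Constructed vocabularies for illustration only; NOT the NC DETECT definitions.
# Each canonical term lists the spellings searched for (misspellings,
# abbreviations, truncations).
CONSTITUTIONAL = {
    "fever": ["fever", "fevr", "febrile"],
    "malaise": ["malaise", "malase"],
    "myalgia": ["myalgia", "myalgias", "body aches"],
}
SYNDROMES = {
    "respiratory": {
        "specific": {
            "dyspnea": ["dyspnea", "dyspnia", "sob", "short of breath"],
            "cough": ["cough", "coughing", "cogh"],
            "tachypnea": ["tachypnea", "tachypnic"],
        },
        "standalone": {},
        "bt_agents": {"anthrax": ["anthrax", "anthrx"]},
    },
    "influenza-like illness": {
        "specific": {
            "cough": ["cough", "coughing", "cogh"],
            "sore throat": ["sore throat", "sorethroat"],
        },
        "standalone": {"flu": ["flu", "influenza"]},
        "bt_agents": {},
    },
}

# Assumed negation triggers and clause breaks: a trigger negates every term
# that follows it, up to the end of its clause.
NEGATION = re.compile(r"\b(?:no|not|denies|denied|without|negative for)\b")
CLAUSE_BREAK = re.compile(r"[.;]|\bbut\b")
FEVER_TEMP_C = 38.0  # assumed cutoff for a documented temperature


def affirmed_terms(text, vocabulary):
    """Return the canonical terms present in text outside a negated span."""
    found = set()
    for clause in CLAUSE_BREAK.split(text.lower()):
        trigger = NEGATION.search(clause)
        cutoff = trigger.start() if trigger else len(clause)
        for canonical, spellings in vocabulary.items():
            for spelling in spellings:
                # Word boundaries keep "flu" from matching "fluid".
                hit = re.search(r"\b" + re.escape(spelling) + r"\b", clause)
                if hit and hit.start() < cutoff:
                    found.add(canonical)
    return found


def classify(chief_complaint, triage_note="", temp_c=None):
    """Map one ED record to {syndrome: evidence terms}; the dict may be empty."""
    text = f"{chief_complaint}. {triage_note or ''}"
    constitutional = affirmed_terms(text, CONSTITUTIONAL)
    if temp_c is not None and temp_c >= FEVER_TEMP_C:
        constitutional.add("fever")
    matches = {}
    for name, definition in SYNDROMES.items():
        single = (affirmed_terms(text, definition["standalone"])
                  | affirmed_terms(text, definition["bt_agents"]))
        specific = affirmed_terms(text, definition["specific"])
        if single:
            # One highly suggestive term or a BT agent is enough by itself.
            matches[name] = sorted(single)
        elif specific and constitutional:
            # Otherwise require a syndrome-specific AND a constitutional term.
            matches[name] = sorted(specific | constitutional)
    return matches


if __name__ == "__main__":
    # Constructed chief complaints.
    for cc, temp in [("COUGH AND FEVR X3 DAYS", None), ("cough, denies fever", None),
                     ("sob", 38.6), ("pt states has the flu", None)]:
        print(f"{cc!r} temp={temp} -> {classify(cc, temp_c=temp)}")
```

A single visit can land in several syndromes at once (the first sample matches both), which is why counts per syndrome cannot be summed to a visit total.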
The workgroup comprises state and local public health officials, epidemiologists, physicians, and public health informatics researchers. A collaborative research project between the UNC DEM and RTI International is ongoing and has the overarching goal of optimizing the sensitivity and specificity of syndrome definitions for the purposes of early event detection and situational awareness [5]. This work is funded by the CDC’s BioSense program. While the ED data can provide a wealth of information for effective syndrome binning, the chief complaint and triage notes most often contain free form text. The textual data are unstructured and include abbreviations, misspellings, and negation, which require specialized processing. Tools available in the public domain to assist with this processing include the Emergency Medical Text Processor (EMT-P) for chief complaint standardization [6] and NegEx [7] for negation processing, both of which are in use in NC DETECT. While NC DETECT does capture ICD-9-CM final diagnosis codes from all EDs, the codes are most often sent from hospital billing systems that are updated days to weeks after the initial visit [8]. This latency severely limits the utility of this data element for early event detection. In contrast to the ED data, poison control center data are entered into a nationally standardized electronic system, the National Poison Data System (NPDS), by trained nurses and, therefore, are relatively easily binned into syndromes based on documented clinical effects. EMS data are grouped into seven syndromes based on the standardized pick lists for dispatch complaint and primary symptom. Table 1 lists the syndromes monitored for these three data sources and the bioterrorism agents the syndromes are designed to detect.
3.2 Web-Based Application
The NC DETECT Web application provides authorized users with secure, Java-based reports with various customization options. It provides syndrome-based monitoring by patient’s county of residence and, for ED data, by hospital.
Users can review signals or aberrations using the CDC’s EARS CUSUM algorithms [9] for the entire population, as well as stratified by nine age groups. In addition to aggregate views, the application provides users with access to patient-specific line listing reports for the ED, poison center, and EMS data. Authorized users are able to drill down further to retrieve identifiable data as needed for further public health investigation. All NC DETECT Web functionality is developed in a user-centered, iterative process, with user feedback from all stakeholder groups guiding enhancements and new development. This feedback, along with the need for improved situational awareness and the desire to improve communication among users, drove the development of the Annotation Reports and the Custom Event Report. As explained in HSPD-21, effective disease surveillance alone does not constitute a comprehensive surveillance system. The system must be flexible enough to respond to emerging infections and other public health events not previously anticipated [1]. The NC DETECT Custom Event Report is a separate module that allows for the rapid implementation of new reports designed to monitor known or suspected events that might not be captured by existing syndromes. New custom reports can be added to the system as soon as the search criteria have been finalized and tested, usually 1–2 h. These reports search for suspected cases in the chief complaint and triage notes, as well as ICD-9-CM final diagnosis codes (keeping the latency effect in mind). The queries account for misspellings and abbreviations, and exclude terms that would create false positives; for example, search for fire but not fire ant. Again, authorized users can retrieve
TABLE 1 Syndromes Monitored in NC DETECT
ED
Poison Center
EMS/Ambulance
Botulism-like
N/A
N/A
N/A
Cardio
N/A
N/A
Fever
Fever
Gastrointestinal-all, gastrointestinal-severe
Gastrointestinal Gastrointestinal
N/A
N/A Influenza-like Illness Meningo-encephalitis
-
Hematologic/ hepatic
N/A N/A Neurological
N/A
Hemorrhagic N/A Neurological
Related BT and Chemical Agents (If Applicable) BT agents: Botulism Chemical agents: Cyanide Ricin (ingested) BT agents: Smallpox BT agents: Anthrax (gastrointestinal) Food safety threats (e.g. Salmonella species, Escherichia coli O157:H7, Shigella) Water safety threats Ricin (castor bean oil extract) Chemical agents: Vesicants/blister agents: sulfur mustard, lewisite, nitrogen mustard, mustard lewisite, and phosgene-oxime T-2 mycotoxins: Fusarium, Myrotecium, Trichoderma, Verticimonosporium, and Stachybotrys Chemical agents: Radiation Ricin (ingested) N/A N/A BT agents: Viral encephalitis Chemical agents: Nerve: Sarin (GB), Tabun (GA), Soman (GD), Cyclohexyl Sarin (GF), VX, Novichok agents, organophosphorous compounds (carbamates and pesticides) Cyanides: hydrogen cyanide (HCN), cyanogen chloride T-2 mycotoxins: Fusarium, Myrotecium, Trichoderma, Verticimonosporium, Stachybotrys (continued overleaf)
TABLE 1 (Continued )
ED
Poison Center
EMS/Ambulance
N/A
Nerve agent
N/A
N/A Fever/Rash
N/A Dermal
Poisoning Rash
N/A
Ocular
N/A
N/A
Renal
N/A
Respiratory
Respiratory
Respiratory
Related BT and Chemical Agents (If Applicable) Chemical agents: Nerve: Sarin (GB), Tabun (GA), Soman (GD), Cyclohexyl Sarin (GF), VX, Novichok agents, organophosphorous compounds (carbamates and pesticides) N/A BT agents: Anthrax (cutaneous) Plague (bubonic) Smallpox Tularemia (cutaneous) Viral hemorrhagic fevers (e.g. Ebola, Marburg, Old World Lassa, Junin, and Machupo) Chemical agents: Vesicants/blister agents (e.g. sulfur mustard, lewisite, nitrogen mustard, mustard lewisite, and phosgene-oxime) BT agents: Botulism Chemical agents: Nerve: Sarin (GB), Tabun (GA), Soman (GD), Cyclohexyl Sarin (GF), VX, Novichok agents, organophosphorous compounds (carbamates and pesticides) Cyanides: hydrogen cyanide (HCN), and cyanogen chloride T-2 mycotoxins: Fusarium, Myrotecium, Trichoderma, Verticimonosporium, and Stachybotrys Chemical agents: Ricin (ingested) BT agents: Anthrax (inhalation) Plague (pneumonic) Tularemia (pneumonic)
TABLE 1 (Continued)
ED
Poison Center
EMS/Ambulance
Related BT and Chemical Agents (If Applicable) Chemical agents: Vesicants/blister agents: sulfur mustard, lewisite, nitrogen mustard, mustard lewisite, and phosgene-oxime Pulmonary/choking agents: phosgene, chlorine, diphosgene, chloropicrin, oxide of nitrogen, sulfur dioxide, etc. Ricin (castor bean oil extract) T-2 mycotoxins: Fusarium, Myrotecium, Trichoderma, Verticimonosporium, and Stachybotrys
the hospital’s original medical record number from the Web-based report for follow up directly with the hospital. While early event detection systems aim to detect disease outbreaks before traditional means, following up on the many alerts generated by these systems can be time-consuming and a drain on limited resources [10]. NC DETECT offers Annotation Reports to allow users to view the EARS signals for each syndrome, drill down to the patient-specific information, add comments to signals, and view the comments of other users who have access to the same signals. Users also assign an investigation status to the signal: active investigation, monitoring, no action needed, or investigation complete. If NC DETECT does not generate a signal for a known or suspected public health situation, users have the option of adding an event with their own parameters to the Annotation Reports for comments and monitoring, as shown in Figure 2. The NC DETECT Annotation Reports have improved communication and information exchange among active NC DETECT users. However, these tools need to be more widely adopted by less active local health departments, regional surveillance teams, and infection control practitioners before statewide situational awareness can reach its potential [11].
3.3 Users Roles and Users
As a statewide system, NC DETECT serves users in multiple jurisdictions with varying responsibilities. As a result, the Web-based application provides access to the data based on state mandates governing public health investigation [2]. Users whose job responsibilities include outbreak investigation and response have more data access privileges than users at similar levels in more administrative and/or managerial roles. The NC DETECT role-based security model is based on geography, data source, the right to access aggregate data, line listing data, protected health information (PHI), and annotations. While most of the user roles can be predefined, the system is flexible enough to allow for
FIGURE 2 NC DETECT screenshot of Annotation Report.
customized data access; thus, it is possible to meet the needs of all potential NC DETECT users. Access to PHI is strictly controlled. PHI is encrypted in the database and only authorized users have access to it through the SSL-enabled Web portal. The window that displays the PHI closes automatically after 1 min and all access to PHI is logged in detail. In addition to state level epidemiologists who monitor NC DETECT on a daily basis, the most active user group is the hospital-based PHEs. The PHEs have been funded by NC DPH for over four years as part of state efforts to strengthen public health preparedness and disease surveillance in North Carolina, while fostering communication and relationships between local hospitals and public health departments. Currently staffed in North Carolina’s 11 largest hospitals, PHEs serve as in-hospital liaison to local health departments, perform active in-hospital surveillance for community-acquired infections, and conduct biosurveillance using NC DETECT [12].
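The access model described in this section, sketched as an added example (not NC DETECT code): a role is scoped by geography, data source and data right, every attempt to open PHI is logged, and a PHI view expires after 1 min. The role names, sample counties, record fields and the in-memory audit list are assumptions; database encryption of PHI and the SSL transport are outside its scope.

```python
import time
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    """Data rights named in the text; one role may hold several."""
    AGGREGATE = auto()
    LINE_LISTING = auto()
    PHI = auto()
    ANNOTATIONS = auto()


@dataclass(frozen=True)
class Role:
    name: str
    counties: frozenset   # geography scope
    sources: frozenset    # data sources, e.g. "ED", "EMS", "POISON"
    rights: Right


PHI_WINDOW_SECONDS = 60   # the PHI window closes automatically after 1 min


@dataclass(frozen=True)
class PhiView:
    user: str
    record_id: str
    opened_at: float

    def is_open(self, now):
        return now - self.opened_at < PHI_WINDOW_SECONDS


class AccessController:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested
        self.audit_log = []     # append-only list of PHI access attempts

    def authorize(self, role, right, county, source):
        """All three dimensions must match: right, geography, data source."""
        return (right in role.rights
                and county in role.counties
                and source in role.sources)

    def open_phi(self, user, role, record):
        """Log the attempt (granted or denied), then return a timed view."""
        now = self.clock()
        allowed = self.authorize(role, Right.PHI, record["county"], record["source"])
        self.audit_log.append({
            "time": now, "user": user, "role": role.name,
            "record_id": record["id"], "county": record["county"],
            "source": record["source"],
            "outcome": "granted" if allowed else "denied",
        })
        if not allowed:
            raise PermissionError(f"{user} ({role.name}) may not view PHI for {record['id']}")
        return PhiView(user, record["id"], now)

    def view_is_open(self, view):
        """Server-side check to run before each render of the PHI window."""
        return view.is_open(self.clock())


# Constructed roles and record: an investigator holds more rights than a
# manager at a similar level, as the text describes.
PHE = Role("hospital PHE", frozenset({"Pitt"}), frozenset({"ED"}),
           Right.AGGREGATE | Right.LINE_LISTING | Right.PHI | Right.ANNOTATIONS)
MANAGER = Role("county manager", frozenset({"Pitt"}), frozenset({"ED", "EMS"}),
               Right.AGGREGATE)
RECORD = {"id": "visit-0001", "county": "Pitt", "source": "ED"}

if __name__ == "__main__":
    ctl = AccessController()
    view = ctl.open_phi("phe1", PHE, RECORD)
    print("PHI view open:", ctl.view_is_open(view))
    try:
        ctl.open_phi("mgr1", MANAGER, RECORD)
    except PermissionError as err:
        print("denied:", err)
    for entry in ctl.audit_log:
        print(entry)
```

Denied attempts are written to the log before the exception is raised, so the audit trail also shows who tried to reach PHI outside their role.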
4 NC DETECT OUTCOMES 2005–2008
NC DETECT allows PHEs and infection control specialists to significantly increase the speed of detecting, monitoring, and investigating public health events statewide. The system has proven useful for a variety of public health surveillance needs, including, but not limited to, early event detection, public health situational awareness, case finding, contact tracing, injury surveillance, and environmental exposures.
THE NORTH CAROLINA BIOSURVEILLANCE SYSTEM
4.1 Early Event Detection
The early event detection capabilities of NC DETECT have contributed to more timely and effective public health intervention in North Carolina, as illustrated in the following examples.
• A Norovirus outbreak was detected in a sorority at UNC Chapel Hill, in 2006. The spread of the disease was prevented by rapid case finding and implementation of control measures.
• Investigation of a possible familial cluster of meningitis in Pitt County, in 2006. The NC DETECT signal helped public health officials to trace the meningitis case, and to provide follow up for the family of five children and one adult through the local health department.
• In early 2007, a public health epidemiologist’s investigation of a NC DETECT fever/rash signal in Rowan County revealed a positive diagnosis of meningococcemia (a severe bacterial infection in the blood stream) in a child, prior to reporting by the laboratory or the attending physician. Meningitis prophylaxis was provided to 30 of the patient’s close contacts through the Rowan County Health Department.
• The most recent event was a Salmonella London outbreak in a Catawba County Mexican restaurant. From October 29 through November 5, 2007, NC DPH documented 173 cases. NC DETECT was used to monitor this outbreak. The application of age stratification in NC DETECT helped to define the affected population, the majority of which were young adult employees of a nearby plant, as shown in Figure 3.
[Figure 3 chart: ED SyndromeCount, GI all syndrome grouped by date. Date range: 10/29/2007–11/5/2007. County: Catawba. Series: Young adult (>24, ≤44). Axes: Date (horizontal), SyndromeCount (vertical). Point labels on the chart: C3, C2C3, C1C2C3.]
FIGURE 3 Salmonella outbreak, Catawba County, NC, October–November 2007 evident in NC DETECT GI-All syndrome.
4.2 Public Health Situational Awareness
With the NC DETECT system in place, surveillance for new conditions can be established easily and rapidly, as demonstrated with injury and illness surveillance after hurricane Ophelia in NC in 2005. Setting up the specific criteria for surveillance took 2 h, in contrast with similar surveillance after hurricane Isabel in 2003, which required months of labor-intensive data collection, entry, and analysis [13, pp. 26–27]. Querying programs maximize accuracy in analyzing the free text ED data to the greatest extent possible. Detecting unexpected cases and outbreaks earlier in their course than traditional disease-based surveillance has allowed prompt implementation of public health control measures when needed.
4.2.1 Hurricane Katrina Evacuees. At the time of hurricane Katrina, 51 of 111 NC EDs were transmitting data daily to NC DETECT. A new filter was rapidly applied to capture hurricane-associated events. This filter was applied to data transmitted from August 28, 2005, the date of issue of the voluntary evacuation order in the city of New Orleans. Terms used in this filter included: “hurri, storm, flood, Katrina, evacua, New Orleans, refuge, Louisiana, Texas, Alabama, Mississippi, Florida, and fema and not (female)”, including variations of misspellings and abbreviations. Surveillance of these data rapidly provided information on the medical needs of hurricane Katrina evacuees in North Carolina. The information from these sources was available to public health officials at the state level on a daily basis, within 24–48 h of the visits. Reasons for evacuees’ visits to EDs in North Carolina included medications and prescription refills (15%), specific illnesses and injuries (62%), and mental health issues (7%) [14].
4.2.2 Apex Chemical Explosion. In October 2006, a chemical plant fire forced thousands of people to evacuate from areas of Apex, North Carolina. NC DPH monitored ED data (updated daily) and poison control center data (updated hourly) in NC DETECT to monitor potential human health impact. Near real-time investigation of patients associated with this event was essential, as the list of chemicals stored at the explosion site went unknown for several days. NC DETECT users documented 83 ED visits related to the explosion, including 14 evacuees from an area nursing home and 13 emergency responders. Nearly all patients reported only minor complaints, including gastrointestinal, upper respiratory, and eye and skin irritation, and were discharged home following treatment.
4.2.3 Peanut Butter Contamination. On February 14, 2007, the FDA warned consumers not to eat certain jars of Peter Pan or Great Value peanut butter due to risk of contamination with Salmonella tennessee [15]. Surveillance for peanut butter–related ED visits and poison center calls was established within an hour. During the week of February 14, statewide hospital data included 135 ED admissions with peanut butter–related gastrointestinal complaints from 39 counties. The poison control center received 370 peanut butter–related symptomatic food poisoning calls from 30 counties and adopted a public health message in line with guidance from the NC DPH. In this particular example, the use of the poison center data provided a population-based measure of the reaction to the recall in the general public from persons affected to a degree that did not warrant a visit to a hospital ED.
NC DPH staff documented 16 confirmed cases associated with the S. tennessee outbreak in February 2007 in 12 different counties, 7 of whom were under 18 years old. Two closely related DNA fingerprint patterns of S. tennessee isolates were associated with this outbreak.
4.2.4 Canned Food Botulism Recall. Following reports of four botulism cases in Texas and Indiana associated with commercially canned chili products, the CDC issued a recall in July 2007 [16]. NC DPH increased surveillance for botulism by sharing available information with public and private health care providers through regular communication and also by issuing an alert with the NC Health Alert Network. The NC Department of Agriculture led the product recall activities. Using NC DETECT helped the epidemiologists reviewing North Carolina data by: (i) having immediate access to ED data from 104 hospitals throughout the state, where botulism patients would likely be seen due to the severity of the disease; (ii) having immediate access to all ED patient records matching botulism-like illness, a syndrome continuously monitored with NC DETECT, regardless of this recall; and (iii) focusing on ED visits with records that included words that could associate them with the recall. As an indicator of the “zooming” power of NC DETECT, while 233 patients were picked up by the system between July 16 and July 25 due to the presence of one or more signs or symptoms compatible with the “botulism-like” case definition, only 9 cases during all of July matched a more narrow case definition, restricted to those with records including key words used in this recall. The situation-specific “filter” was designed and installed in less than 2 h using the Custom Event Report.
4.2.5 Heat-Related Illness. A report to monitor effects of record heat was added to NC DETECT in early August 2007. Results not only showed an increase of heat-related ED visits as expected but also found that 15–19 year olds and 25–44 year olds had the highest rates of ED visits. As a result, warnings during future heat waves will target these age groups as well as prior target populations, the elderly and those who care for young children [17].
4.3 Case Finding and Contact Tracing
With NC DETECT, users with investigative access rights are able to view patient-specific line listing information and to retrieve the hospital’s original medical record number. With this information, users are able to conduct follow-ups with much greater ease and reduce the burden on hospital staff.
• In January 2007, users in Guilford County were able to use the arrival date and time information in NC DETECT to locate potential contacts of an ED patient diagnosed with measles more easily and efficiently.
• During a Hepatitis A outbreak investigation in 2006 in Buncombe County, additional Hepatitis A cases were identified and followed up using NC DETECT.
• NC DETECT and another North Carolina-based system called the investigative monitoring capability (IMC) were used in a salmonellosis outbreak investigation in New Hanover County (May 2007). Five additional cases were identified using these systems.
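The free-text filter quoted in Section 4.2.1, and the narrower keyword restriction described in Section 4.2.4, both come down to stem matching with an exclusion rule. The Python sketch below is an added example, not NC DETECT code: the record fields, sample visits, and function names are constructed for illustration, and the misspelling and abbreviation variants the chapter mentions are left out because the text does not list them.

```python
import re
from datetime import date

# Stems quoted in Section 4.2.1, lower-cased; matching is substring-based so
# "hurri" catches "hurricane" and "evacua" catches "evacuated"/"evacuation".
INCLUDE_STEMS = [
    "hurri", "storm", "flood", "katrina", "evacua", "new orleans", "refuge",
    "louisiana", "texas", "alabama", "mississippi", "florida", "fema",
]

# "fema and not (female)": a hit on "fema" does not count when it only occurs
# inside "female". The mapping form is an assumption that allows more such rules.
EXCLUDE_CONTEXT = {"fema": ["female"]}

# The filter was applied to data transmitted from August 28, 2005.
FILTER_START = date(2005, 8, 28)


def matched_stems(text):
    """Return the include stems found in free text, honouring exclusions."""
    lowered = re.sub(r"\s+", " ", text.lower())
    hits = []
    for stem in INCLUDE_STEMS:
        candidate = lowered
        # Blank out the excluded words first, then look for the stem in what
        # is left, so "FEMA shelter, female pt" still matches on "FEMA".
        for blocker in EXCLUDE_CONTEXT.get(stem, []):
            candidate = candidate.replace(blocker, " ")
        if stem in candidate:
            hits.append(stem)
    return hits


def apply_filter(visits, start=FILTER_START):
    """Select visits on or after `start` whose free text matches any stem.

    Returns (visit_id, matched stems) pairs so a reviewer can see why each
    record was selected; the filter produces candidates for human review,
    not confirmed hurricane-related visits.
    """
    selected = []
    for visit in visits:
        if visit["visit_date"] < start:
            continue
        text = " ".join([visit.get("chief_complaint", ""),
                         visit.get("triage_note", "")])
        hits = matched_stems(text)
        if hits:
            selected.append((visit["visit_id"], hits))
    return selected


# Constructed sample records (not real patient data).
SAMPLE_VISITS = [
    {"visit_id": "V1", "visit_date": date(2005, 8, 30),
     "chief_complaint": "MED REFILL",
     "triage_note": "Evacuated from New Orleans after hurricane, out of insulin"},
    {"visit_id": "V2", "visit_date": date(2005, 9, 1),
     "chief_complaint": "ABD PAIN",
     "triage_note": "34 yo female with abdominal pain x2 days"},
    {"visit_id": "V3", "visit_date": date(2005, 9, 2),
     "chief_complaint": "ANXIETY",
     "triage_note": "Staying in FEMA shelter, female pt reports insomnia"},
    {"visit_id": "V4", "visit_date": date(2005, 8, 20),
     "chief_complaint": "FALL",
     "triage_note": "Slipped on wet steps during storm"},
    {"visit_id": "V5", "visit_date": date(2005, 9, 3),
     "chief_complaint": "RASH",
     "triage_note": "Displaced by Katrina from Mississippi, rash after flood water exposure"},
    {"visit_id": "V6", "visit_date": date(2005, 9, 4),
     "chief_complaint": "ANKLE INJURY",
     "triage_note": "Visiting from Texas for a wedding, twisted ankle"},
]

if __name__ == "__main__":
    for visit_id, hits in apply_filter(SAMPLE_VISITS):
        print(visit_id, hits)
```

V2 is dropped because its only "fema" occurs inside "female", V4 predates the filter start, and V6 is selected on a state name alone, which is the kind of hit that still needs a reviewer.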
TABLE 2 Carolinas Poison Center Chemical Exposure Signals
Exposure                 Date      Number of Cases  Site       Co           Syndrome
Mercury                  10/20/05  10               Residence  Orange       Gastrointestinal
Prime 2B                 11/06/05  3                Hospital   Alleghany    Respiratory, dermal
Tetrachloroethylene      04/26/06  8                School     Granville    Respiratory, neuro
Apex hazardous exposure  10/06/06  83               Residence               Gastrointestinal, respiratory, neuro
Pepper spray             10/10/06  11               School     Wake         Respiratory, dermal
Hydrochloric acid        06/07/07  12               Hotel      Mecklenburg  Respiratory
Lead exposure            06/12/07  5                Residence  Davidson     Gastrointestinal
4.4 Environmental Exposures
Data from poison center calls (Carolinas Poison Center, CPC) allow public health officials to detect and monitor environmental exposures that may otherwise go unreported. For example, a signal investigation during the summer of 2007 revealed a pesticide exposure in Davidson County. The landlord treated the house with an unknown pesticide. The family of 9 (6 adults, 1 of them pregnant, and 3 children) developed gastrointestinal (nausea) and neurological (headache) symptoms, and called CPC for advice. Additional public health investigation revealed that the family lives in a house with bats. The family was provided rabies vaccination and immune globulin prophylaxis through the state program. Numerous clusters of exposure to chemicals have been identified by analyzing signals in the NC DETECT CPC data stream. Some examples are shown in Table 2. While some of the CPC signal investigations listed in Table 2 did not pose a widespread public health threat, they demonstrate the ability of NC DETECT to identify both environmental and infectious disease clusters and potential bioterrorism events.
4.4.1 Influenza. The NC DETECT ILI definition is used to monitor the influenza season in NC each year, providing data up to two weeks earlier than the traditional, manually tabulated sentinel provider network. The difference in proportion of ILI seen in Figure 4 reflects differences in the case definitions and patient populations rather than a difference in the sensitivity of these surveillance systems.
NC DETECT continues to evolve in response to changing user needs and the increased adoption of timely public health surveillance. While NC DETECT was designed and continues to be used primarily for early event detection and situational awareness, the utility for broader public health surveillance continues to be explored.
NC DETECT data have been used to monitor varicella in lieu of mandated reporting and have also been used for a variety of injury-related analyses, from the use of all-terrain vehicles to injuries from specific toys to heat-related injuries. Use of the NC DETECT data for chronic diseases continues to expand. Throughout the development of NC DETECT, leaders from UNC DEM and NC DPH have adhered to the goals of comprehensive, timely, and quality data; strong partnerships; flexibility; and user-centered design.
[Figure 4 chart: two panels, “Influenza-like illness in North Carolina 2005–2006” (week 40 = Oct 8, 2005; week 20 = May 20, 2006) and “Influenza-like illness in North Carolina 2006–2007” (week 40 = Oct 7, 2006; week 20 = May 19, 2007). Horizontal axis: week number, 40 through 21. Vertical axis: %ILI. Series: ED and SPN.]
FIGURE 4 Influenza-like illness in North Carolina, 2005–2007. SPN: 74 volunteer practitioners report weekly their patient workload; using ILI case definition: “fever and cough or sore throat”. ED: as of 5/19/2007, 103 hospitals report daily ED visits electronically through the NC DETECT System, using ILI case definition: “ILI cases must include any case with the term “flu” or “influenza” or have at least one fever term and one influenza-related symptom”.
5 LESSONS LEARNED AND CONCLUSIONS
Biosurveillance systems that aim to provide comprehensive population health views need to extend beyond ED chief complaints. The additional ED data elements in NC DETECT, including triage notes, dispositions, and final diagnosis codes, provide opportunities for more efficient case finding, investigation, and follow up. The American Health Information Community (AHIC) Biosurveillance minimum data set aims to establish the ideal
set of data elements for detailed but de-identified surveillance using hospital data, including ED, inpatient, and laboratory data [18]. Leaders involved in the implementation and testing of the AHIC Biosurveillance MDS must be well prepared for the increased data quality vigilance necessary to ensure that this larger data set, which goes far beyond basic demographics and chief complaint, is as accurate and timely as possible for the public health decision-makers relying on it.
5.1 Emergency Department Data Collection
Collecting timely, electronic ED data that include clinical data elements, rather than just billing data, is a complicated process. Typically, previous efforts to work with the ED data from a hospital have been limited; therefore, no one really knows what is and is not available or how complete and accurate the data actually are. Bringing a hospital into production with NC DETECT often requires several iterations of test data feeds and programming modifications, primarily because the data must frequently be extracted from multiple hospital information systems. In addition, electronic health records (EHRs) may not store clinical data elements useful for biosurveillance in an easily extractable format, as these data are not normally exchanged between health information systems. EHR vendors must develop systems that store clinical information in discrete data elements so that these data can be used by multiple entities for public health surveillance and research.
Because NC DETECT was designed from the beginning to meet public health data needs beyond bioterrorism surveillance, both administrative and clinical data elements were included from the outset. Although leaders from UNC DEM and NC DPH took an opportunistic approach, accepting the data readily available electronically, the data elements and data sources collected have proven useful beyond original expectations. Within the ED data, triage note is a very valuable data element for a variety of public health surveillance purposes. However, it is not available electronically from all EDs. The data from the poison center calls have provided insight into environmental exposures and community concerns that would not be possible with the ED data alone.
5.2 Other Data Sources
The data sources other than ED data in NC DETECT present different challenges. As other organizations collect and store these data and provide only a subset of their information to NC DETECT for biosurveillance, troubleshooting data quality and completeness issues in a timely manner is more difficult. The desire to add novel data sources for biosurveillance continues to grow in North Carolina as it does nationally. Ideally, this process should include an assessment of the data needs of NC DETECT end users and a thorough feasibility assessment. Adding data from less familiar data sources presents challenges of accurate data interpretation. For example, interpreting veterinary laboratory results, including tests for a variety of species, is very different than interpreting human patient lab results, particularly without veterinary medicine expertise on staff.
5.3 Data Quality
ED data are notoriously dirty, even by health care data standards. NC DETECT policies require that specific business rules be met before data are available in the production
system. Metadata collected about each data source are extremely helpful in making sense of the data collected in NC DETECT. The metadata allow data quality checks to go beyond the file level (such as file format, file receipt, and presence of mandatory data elements); each data element is checked for accuracy, timeliness, and appropriate distributions. Examples of typical metadata questions include the following:
• What is the expected percentage of admitted and discharged patients on a given day?
• What is the average daily visit count?
Data checks must be performed using metadata as well as trends. If the data are inaccurate or incomplete from the start, then trends analysis will never be accurate. The metadata also act as the Gold Standard for data quality for several indicators in lieu of performing labor-intensive periodic data audits for each data provider. A small data validity audit is in progress for just a few hospitals, which will be comparing the data available in the hospital’s electronic ED record for each visit to what is stored in NC DETECT. The goal of this audit is to understand and document the potential data quality issues that arise as dual use data are transmitted and used by disparate systems.
Addressing data quality is an ongoing and never-ending effort for NC DETECT. Daily communications occur among UNC DEM, NC DPH, and data providers about data quality issues and effecting improvements to data quality. This issue is complicated by the myriad of stakeholders in the system and the fact that the burden of remedying identified problems often falls back on the data providers. The impact of biosurveillance systems on data providers, both to provide and maintain their data feeds, should not be underestimated.
5.4 Engage Users
The developers of NC DETECT at UNC DEM and NC DPH have been committed to a user-centered, iterative design process that informs how our data are collected, analyzed, and reported. NC DETECT is a biosurveillance system that requires a human element. PHEs at the state, regional, and local levels actively use the system every day for public health surveillance. Because they are familiar and comfortable with the system, they are ready to use it in an emergency situation. Another benefit of involving end users in the design and development of NC DETECT is that they trust the system to provide the information they need. When it does not, they know how and to whom to communicate what changes and improvements are needed.
5.5 Security
While North Carolina has mandates for the collection of ED and EMS data for public health use [2], role-based access ensures that users see only the data they need and are authorized to see. The data in NC DETECT belong to NC DPH; all access to the data is through a standardized authorization process and must be approved at the state level. Data use agreements and business associate agreements are used as appropriate and for most access. Aggregate data are more readily shared than visit level data. Balancing privacy/security concerns with the need for public health information is an ongoing challenge.
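Sections 3.3 and 5.5 describe access decided by geography, data source, and separate rights to aggregate data, line listings, PHI, and annotations, with PHI views closed after 1 min and all PHI access logged. The Python sketch below is an added example of such a check, not NC DETECT's implementation: the role names, field names, the "*" statewide marker, and the choice to log denied PHI requests as well as granted ones are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Right(Enum):
    """The four data-access rights named in Section 3.3."""
    AGGREGATE = "aggregate"
    LINE_LISTING = "line_listing"
    PHI = "phi"
    ANNOTATIONS = "annotations"


# The chapter states the PHI window closes automatically after 1 min.
PHI_VIEW_SECONDS = 60


@dataclass(frozen=True)
class Role:
    name: str
    counties: frozenset   # geography; "*" means statewide (assumed marker)
    sources: frozenset    # data sources, e.g. "ED", "CPC"
    rights: frozenset     # subset of Right


@dataclass(frozen=True)
class Request:
    user: str
    county: str
    source: str
    right: Right


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None   # set only for granted PHI views


def authorize(role, req, audit_log, now):
    """Deny by default: geography, data source and right must all match."""
    if "*" not in role.counties and req.county not in role.counties:
        decision = Decision(False, "county outside role geography")
    elif req.source not in role.sources:
        decision = Decision(False, "data source not granted to role")
    elif req.right not in role.rights:
        decision = Decision(False, req.right.value + " right not granted to role")
    elif req.right is Right.PHI:
        # The expiry is enforced server-side, not only by closing a window.
        decision = Decision(True, "granted",
                            now + timedelta(seconds=PHI_VIEW_SECONDS))
    else:
        decision = Decision(True, "granted")

    # Every PHI request is recorded, whether granted or refused (assumption:
    # the chapter only says that all access to PHI is logged in detail).
    if req.right is Right.PHI:
        audit_log.append({
            "time": now.isoformat(), "user": req.user, "role": role.name,
            "county": req.county, "source": req.source,
            "allowed": decision.allowed, "reason": decision.reason,
        })
    return decision


def phi_view_open(decision, now):
    """True while a granted PHI view is still inside its 1-minute window."""
    return (decision.allowed and decision.expires_at is not None
            and now < decision.expires_at)


# Hypothetical roles: an investigator sees more than a managerial user at a
# similar level, as Section 3.3 describes.
ALL_RIGHTS = frozenset(Right)
PHE_WAKE = Role("hospital_phe", frozenset({"Wake"}), frozenset({"ED"}), ALL_RIGHTS)
MANAGER_WAKE = Role("county_manager", frozenset({"Wake"}),
                    frozenset({"ED", "CPC"}), frozenset({Right.AGGREGATE}))
STATE_EPI = Role("state_epidemiologist", frozenset({"*"}),
                 frozenset({"ED", "CPC"}), ALL_RIGHTS)

if __name__ == "__main__":
    log = []
    t0 = datetime(2008, 1, 17, 9, 0, tzinfo=timezone.utc)
    granted = authorize(PHE_WAKE, Request("phe1", "Wake", "ED", Right.PHI), log, t0)
    refused = authorize(MANAGER_WAKE, Request("mgr1", "Wake", "ED", Right.PHI), log, t0)
    print(granted.allowed, phi_view_open(granted, t0 + timedelta(seconds=61)))
    print(refused.allowed, refused.reason)
    print(len(log), "PHI audit entries")
```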
5.6 Conclusions
Timely, flexible public health surveillance tools are crucial for effective preparedness and response. North Carolina has demonstrated that such a system can be built, and used daily, for statewide public health surveillance including biosurveillance. Continuous evaluation of NC DETECT is required to ensure a quality, evidence-based system. We continue to strive to meet our goal of a well used and useful system for biosurveillance in North Carolina.
REFERENCES
1. Homeland Security Presidential Directive 21, (2008). http://www.whitehouse.gov/news/releases/2007/10/20071018-10.html.
2. North Carolina General Statute 130A, (2008). http://www.ncleg.net/EnactedLegislation/Statutes/HTML/ByChapter/Chapter 130A.html. Accessed January 17.
3. Henning, K. J. (2004). Overview of syndromic surveillance: what is syndromic surveillance? MMWR 53(suppl), 5–11.
4. Centers for Disease Control and Prevention (2008). (October 23, 2003). Syndrome Definitions for Diseases Associated with Critical Bioterrorism-associated Agents, http://www.bt.cdc.gov/surveillance/syndromedef/index.asp. Accessed January 20.
5. Scholer, M. J., Ghneim, G., Wu, S., Westlake, M., Travers, D., Waller, A. E., McCalla, A. and Wetterhall, S. F. (2007). Defining and applying a method for improving the sensitivity and specificity of an emergency department early event detection system. Proceedings of the 2007 AMIA Annual Symposium. Chicago, IL, 651–655.
6. Travers, D. A., and Haas, S. W. (2004). Evaluation of Emergency Medical Text Processor, a system for cleaning chief complaint data. Acad. Emerg. Med. 11(11), 1170–1176.
7. Chapman, W. W., Bridewell, W., Hanbury, P., Cooper, G. F., and Buchanan, B. G. (2001). A simple algorithm for identifying negated findings and diseases in discharge summaries. J. Biomed. Inform. 34, 301–310.
8. Travers, D. A., Barnett, C., Ising, A., and Waller, A. (2006). Timeliness of emergency department diagnoses for syndromic surveillance. AMIA Annu. Symp. Proc. 769–773.
9. Hutwagner, L., Thompson, W., Seeman, G., and Treadwell, T. (2003). Bioterrorism preparedness and response Early Aberration Reporting System. J. Urban Health 80(2 Suppl 1), i89–i96.
10. Heffernan, R., Mostashari, F., Das, D., Karpati, A., Kulldorff, M., and Weiss, D. (2008). Syndromic surveillance in public health practice, New York City. Emerg. Infect. Dis. 10. [serial on the Internet]. 2004 May http://www.cdc.gov/ncidod/EID/vol10no5/03-0646.htm. Accessed January 18.
11. Ising, A., Li, M., Deyneka, L., Barnett, C., Scholer, M., and Waller, A. (2007). Situational Awareness using web-based annotation and custom reporting. Adv. Dis. Surveill. 4, 167.
12. MacFarquhar, J. (2008). Hospital-based public health epidemiology program: a novel approach to public health in NC. Webinar Symposium Series on Public Health Preparedness, NC Center for Public Health Preparedness. Chapel Hill, NC. December 2006. http://nccphp.sph.unc.edu/symposium/HospEpiDec-06.pdf, Accessed January 18.
13. Davis, M. V., Temby, J. R. E., MacDonald, P., and Rybka, T. P. (2008). Evaluation of Improvements in North Carolina Public Health Capacity to Plan, Prepare and Respond to Public Health Emergencies, North Carolina Center for Public Health Preparedness, The North Carolina Institute for Public Health, September 2004. http://nccphp.sph.unc.edu/hurricane 10 19 04.pdf, Accessed January 18.
PRACTICAL SYSTEMS FOR BIOSURVEILLANCE
14. Barnett, C., Deyneka, L., and Waller, A. E. (2006). Post-Katrina Situational Awareness in North Carolina. Adv. Dis. Surveill. 2, 142.
15. FDA News (2008). FDA Warns Consumers Not to Eat Certain Jars of Peter Pan Peanut Butter and Great Value Peanut Butter, February 14, 2007. http://www.fda.gov/bbs/topics/NEWS/2007/NEW01563.html. Accessed January 18.
16. FDA News (2008). FDA Issues Nationwide Warning to Consumers About Risk of Botulism Poisoning From Hot Dog Chili Sauce Marketed Under a Variety of Brand Names, July 18, 2007. http://www.fda.gov/bbs/topics/NEWS/2007/NEW01669.html. Accessed January 18.
17. North Carolina Department of Health and Human Services Press Release (2008). Heat Wave Emergency Department Monitoring Yields Surprising Results, http://www.ncdhhs.gov/pressrel/8-28-07.htm. Accessed January 18.
18. Population Health and Clinical Care Connections Workgroup–Archives, (2008). October 20, 2006. http://www.dhhs.gov/healthit/ahic/population/pop archive.html#16. Accessed January 18.
FURTHER READING
Lombardo, J. S., and Buckeridge, D. L., Eds. (2007). Disease Surveillance: A Public Health Informatics Approach, Wiley-Interscience, Hoboken, NJ.
http://www.syndromic.org, (2008).
http://www.NCDETECT.org, (2008).
ESSENCE: A PRACTICAL SYSTEMS FOR BIOSURVEILLANCE
Julie A. Pavlin
Uniformed Services University of the Health Sciences, Bethesda, Maryland
Kenneth L. Cox
USAF, MC, SFS TRICARE Management Activity (TMA), Office of the Assistant Secretary of Defense (Health Affairs), Falls Church, Virginia
1 BACKGROUND
In 1999, the Department of Defense Global Emerging Infections Surveillance and Response System (DoD-GEIS) piloted a disease surveillance system using data collected
at outpatient visits in the national capital area. This system, the electronic surveillance system for the early notification of community-based epidemics (ESSENCE), collected diagnostic information from International Classification of Diseases, 9th Revision (ICD-9) codes entered after outpatient and emergency room visits at all military treatment facilities (MTFs) in order to detect and track potential infectious disease outbreaks. With advances in knowledge of the utility of newly available data sources, statistical programs for aberration detection, and visualization techniques, the ESSENCE program has expanded to incorporate medical information from all MTFs worldwide and has developed partnerships with universities and government agencies to coordinate population health information for military and civilian public health agencies across the United States.
Publications before the US anthrax mail attacks in 2001 discussed how public health infrastructure had declined over time and decried our nation’s lack of readiness for an emergency relating to a lethal disease outbreak [1–3]. Besides the intentional release of anthrax spores in the US mail, natural disease outbreaks, such as hantavirus pulmonary syndrome [4], West Nile virus [5], monkeypox [6], SARS [7], and avian influenza [8], have caused considerable concern for US security. With new ideas proliferating for ways to more rapidly detect and monitor the spread of disease outbreaks, the DoD-GEIS held a symposium in May 2000 to share experiences and foster efficient progress in creating innovative, responsive surveillance systems [9]. Partnerships formed consequent to this meeting have resulted in enhanced methods for disease monitoring that continue to be used and improved in both the military and civilian sectors.
1.1 Traditional Surveillance Practices
Traditionally, most infectious disease surveillance systems have relied on laboratory reporting for a list of diseases of public health importance. As in the civilian community, military health providers are required to report any cases of these diseases, whether hospitalized or not, to the public health officials on the military installation as well as the local public health department. Unfortunately, many health care providers are unaware of the notifiable disease list, or whom to contact, or cannot find the time to report; therefore, most reporting is done by laboratory staff after confirmation of a positive test result. However, many diseases are not diagnosed in the laboratory, either because there is no test available or because a specimen is not taken. Reports on completeness and timeliness of active reporting of hospitalized notifiable conditions in the military to the respective service’s reporting system show rates of 57% in the Army, 30% in the Navy, and 31% in the Air Force for 2003 based on the ICD-9 codes recorded as diagnoses upon discharge of the patient from the hospital [10–12]. In addition, the cases were not reported in a timely fashion, with 15% of Navy, 69% of Army, and 80% of Air Force cases reported within one month.
1.2 Other DoD Surveillance Systems
To supplement reportable disease surveillance, the DoD initiated special surveillance programs for high-risk populations or diseases. The Air Force Institute of Operational Health (now known as the US Air Force School of Aerospace Medicine (USAFSAM))
has been operating a military global influenza surveillance program since 1976 [13, 14]. This system now covers all three services as well as local residents in areas where DoD overseas research activities occur and collects respiratory specimens for viral isolation and typing. The Naval Health Research Center operates a febrile respiratory illness surveillance program at all basic training sites [15]. This system collects symptom data on trainees and calculates when rates of respiratory illness exceed the expected rate in order to initiate preventive measures. The Army performs acute respiratory disease (ARD) surveillance at all basic combat training sites [16]. This program monitors the incidence of positive streptococcal cultures in the trainee population and allows the local preventive medicine staff to decide whether to initiate or expand penicillin prophylaxis. The DoD maintains the Defense Medical Surveillance System (DMSS) [17], which integrates a wide range of health event-related data on all military beneficiaries. The DMSS includes individual demographic information, outpatient/inpatient events, immunization status, and other data for care provided within all permanent MTFs worldwide as well as from the TRICARE purchased care network. As most of these data are received monthly, DMSS has not been useful for near-real-time surveillance purposes, but plays a critical role in retrospective analyses. The DoD also monitors deployed troops who are routinely in areas with high rates of endemic diseases and at risk for deliberate attacks involving biological agents. Most deployed medical units capture health event data using electronic patient encounter modules. These data, which include ICD-9 codes as assigned by the attending health care provider, and other related information in both structured-note and free-text formats are forwarded at least daily to the Joint Medical Workstation (JMeWS). 
Analysts monitor trends in various groupings of diseases and nonbattle injuries (DNBI) on at least a weekly basis. During periods of high threat, the frequency of reporting and analysis is on a daily basis, and more focused category definitions related to biological attacks are activated. Additional deployed health event data are available from newer systems including the joint patient tracking application (JPTA) and the US TRANSCOM Regulating and Command and Control Evacuation System (TRAC2ES). Both of these systems support direct clinical care of casualties as they move between different medical treatment facilities, both inside and outside of the military theater of operations.
The Armed Forces Institute of Pathology (AFIP) includes a full medical examiners office, which maintains a DoD mortality registry. AFIP performs full autopsies and extensive investigations on all service members who die while on active duty with special emphasis on identifying sentinel infectious deaths.
The DoD established the Department of Defense Serum Repository (DoDSR) in 1989 for the purpose of storing serum specimens that remained following mandatory HIV testing within the active and reserve components of the Army and Navy [18–20]. Later, the mission expanded to include the collection and storage of specimens collected before and after operational deployments, for example, Operation IRAQI FREEDOM, and to include Air Force, US Coast Guard, and Federal civilian employee specimens. The DoDSR currently houses more than 40 million specimens and continues to grow by approximately 2.3 million specimens per year. The availability of serial serologic specimens throughout an individual’s career, as well as relevant demographic, occupational, and medical information, within the DMSS enables the DoDSR to make significant contributions to clinical and seroepidemiologic investigations.
1.3 Need for Improved Surveillance
Despite the previously mentioned surveillance programs for specific illnesses and populations, a real-time, comprehensive system to determine disease status for all military beneficiaries was still needed. With increasing amounts of electronic health data available, to include early diagnostic information, it became feasible to develop ways to visualize and analyze multiple health data streams in novel and potentially useful ways. New surveillance systems such as ESSENCE, initially envisioned for early outbreak detection and later adapted for outbreak investigation aids, situational awareness, temporal and geographic disease tracking, and other augmentations, started to provide the immediate knowledge that public health officials, decision makers, and military leaders required.
2 ESSENCE RESEARCH AND DEVELOPMENT
Many academic, public health, commercial, and government institutions have designed what are termed syndromic surveillance systems to have more timely knowledge of disease impact in communities. “Syndromic surveillance” typically refers to the use of routinely collected early or prediagnostic health information for timely disease surveillance. It is defined by secondary use of early or prediagnostic data and a focus on prospective disease surveillance and timely outbreak detection. Syndromic systems typically use electronically collected and disseminated data, but can include paper-based, manual methods such as daily reviews of chief complaint logs. On the basis of the work done by the New York City Department of Health and Mental Hygiene using prescriptions of antidiarrheal medications and number of stool samples submitted for testing to detect gastrointestinal outbreaks [21] and on the basis of the use of coded 911 calls to track influenza outbreaks [22], the DoD-GEIS investigated the use of ICD-9 codes to detect potential infectious disease and bioterrorism outbreaks in the greater Washington, DC area [23]. This project resulted in the creation of the ESSENCE surveillance system.
2.1 History of ESSENCE Development
ESSENCE initially relied on the use of ICD-9 codes, grouped into syndromes such as respiratory, gastrointestinal, febrile, and neurological illnesses, to detect abnormal changes in disease incidence rates. At every MTF, the health care provider codes each outpatient and emergency room visit with up to four ICD-9 codes that are recorded electronically. These codes are entered at or near the time of patient visit, but transfer to a central facility could be delayed by 2–3 days or longer. (This situation is changing with the implementation of the Armed Forces Health Longitudinal Technology Application (AHLTA) as the new enterprise health information system. 
With AHLTA, the data are transmitted in real time, as soon as the provider closes out the record, to a central data repository. The analyzed data are available to military public health officials on a password protected website.) Since its inception in 1999, ESSENCE has expanded from the DC region to all MTFs worldwide and has undergone numerous revisions to improve usefulness, data quality, and algorithm sensitivity and specificity. Early in the development of the ESSENCE project, DoD-GEIS and the Johns Hopkins University Applied Physics Laboratory (JHU/APL) developed a collaboration to work jointly on a syndromic surveillance system for the Washington, DC region. JHU/APL
had already developed a system in Maryland using nursing home illness cases, Medicare billing information, and civilian hospital emergency room chief complaints. With the combination of the two systems, the new ESSENCE II provided a more representative view of the region. Together, the DoD-GEIS and JHU/APL team received a grant from the Defense Advanced Research Projects Agency (DARPA) to further develop a prototype disease surveillance test bed and to evaluate new data sources [24]. Under the DARPA program, ESSENCE II expanded to include over-the-counter (OTC) pharmacy sales, school absenteeism, medication prescriptions, laboratory test orders, and veterinary clinic data in the Washington, DC region. The system also included improved statistical methods to detect both temporal and spatial anomalies and advanced web-based interfaces for the user. ESSENCE II integrated military and civilian data and became the first system to make both available for daily disease surveillance [24]. Development and testing of ESSENCE continued with the ESSENCE III project, funded by the Defense Threat Reduction Agency (DTRA), to evaluate different syndromic surveillance systems in the Albuquerque, NM region. BioNet, a cooperative program between DTRA and the Department of Homeland Security, then selected San Diego as a pilot city to test how to improve detection and event characterization of a biological attack. At the same time, the Joint Services Installation Pilot Project (JSIPP) expanded chemical, biological, and radiological detection and response capabilities at nine military installations and the surrounding communities. As part of JSIPP and BioNet, ESSENCE IV was created to use summary data from military emergency room and outpatient visits, pharmacy prescriptions, procedure codes, and civilian hospital emergency room chief complaints together in an integrated system with advanced on-line analysis capabilities. 
In addition, depending on the data sources available at each location, sets of daily records of school absenteeism, school nurse visits, ambulance runs, nurse advice calls, and OTC pharmacy sales were also integrated, and their surveillance utility was evaluated. The time series plot in Figure 1 includes a sharp early January increase in case counts representing an outbreak detected by ESSENCE IV.
2.2 Lessons Learned
During the initial expansion of ESSENCE, extensive evaluations were conducted through research of data sources and statistical techniques and surveys of users. The results of the evaluations were disseminated to all stakeholders. The major conclusions included the need for validation of data sources for both accuracy and usefulness, utility for public health use beyond bioterrorism detection, simplicity of web-based interaction, portability between different information technology systems, and designated funding for continuation of programs. Table 1 summarizes these findings. Data sources need to be validated before inclusion into any syndromic surveillance system. The validation does not need to be extensive, but should include, at a minimum, comparison between an existing, evaluated surveillance system and other data sources being included in the syndromic surveillance system.
2.3 Strengths and Limitations
There are limitations to any surveillance system, and syndromic surveillance systems are no different. It is important to clearly state the goals of a system being developed to decrease false expectations. Syndromic systems like ESSENCE should augment existing
FIGURE 1 Gastrointestinal outbreak in military personnel depicted in the ESSENCE IV system.
systems by extending the ability to detect and track disease outbreaks in a community. Some of the strengths and limitations found in ESSENCE development and piloting are listed in Table 2.
3 IMPLEMENTATION
A surveillance system has value only if people use it. ESSENCE has clearly demonstrated its value as a key tool in the practice of military public health. Still, it is important to establish policy explaining this value and identifying performance expectations.
3.1 Recent ESSENCE Enhancements
One of the best ways to gain user acceptance and loyalty is to provide a product that meets the user’s needs and minimizes additional work. DoD has redesigned ESSENCE based on user feedback. The most common criticism of earlier versions of ESSENCE was the inability of the local user to access the personal identifying information of individuals contributing to an alert or alarm. This made investigation difficult and time consuming. Consequently, the new ESSENCE allows role-based access at the local level to protected health information [supervisor approved, following Health Insurance Portability and Accountability Act (HIPAA) guidelines]. Since this change, the local military public health practitioner is instantly able to access the name and other personal identifying information. The system will also map outpatient diagnoses against the current tri-service reportable medical events list, allowing local staff to promptly investigate these events. Additionally, automated e-mail and mobile phone alerts of possible disease outbreaks
TABLE 1 Recommendations for Evaluation of New Disease Surveillance Systems
Validate data sources
  – Ensure that any “gold standard” comparison sources are truly gold standard. It is possible that the standard could be less accurate than the new data source being tested
  – The data source should be evaluated across different types of outbreaks. For example, a more severe disease indicator such as ambulance dispatches might be an indicator during influenza season, but may not show any abnormality during a gastrointestinal outbreak
  – Before eliminating or including a data source, the elements that make up the syndrome groups should be manipulated to determine the best groupings possible for the population and the database
  – Many disease outbreaks are small and of low impact. Data sources that detect these outbreaks are not necessarily unreliable as an indicator of disease rates
Use reliable and user-preferred data sources—most often from interactions with medical care providers
  – Emergency room chief complaints and diagnostic information from outpatient visits are the most useful. Ambulance runs provide information slightly earlier, but may miss less severe outbreaks that do not require ambulance transport
  – Earlier alerting data such as OTC sales and school absenteeism are good collaborating sources, but cannot be relied upon for confirmation of an outbreak
Evaluate data sources from specific populations for their contribution to the overall surveillance
  – Representative populations are best for determining disease rates in large geographic areas, but special subsets of the population can provide critical information if properly utilized
Evaluate timeliness and representativeness
  – A new data source should provide population information previously unavailable at low cost and should be timely enough to improve the current surveillance system
  – Even if the initial purpose of the system is for bioterrorism detection, ensure the surveillance system can recognize and assist with response to other public health infectious disease outbreaks
  – Data sources should also be evaluated for any potential public health use, including noninfectious disease related ones. This will make the overall system more cost effective and sustainable
Allow link to identifiers within public health and privacy laws
  – Rapid access to identifying information can assist with a public health emergency and in finding and tracking reportable disease events
User interfaces should emphasize simplicity while still allowing advanced users access to manipulate variables
  – For example, provide the ability to manipulate ICD-9 codes or text words in syndrome groups and to select algorithms and change their sensitivity
Ensure portability of systems to new locations for ease of expansion
  – Information technology support should be obtained in the beginning to ensure ease of transitions later on
Out-year funding or designation of the organization that will provide financial and personnel support after the initial program ends needs to be determined early and continually updated throughout the life of the program
  – Without dedicated support, no one will invest the time and commitment a successful system needs
TABLE 2 Strengths and Limitations of ESSENCE
Strengths
  – Tracking of community-wide disease outbreaks, both locally and across geographic regions
  – Quick method to find most up-to-date information on general disease status of a community (situational awareness during threat of outbreak)
  – Ability to link identifiers if needed for outbreak investigation
  – Increased ability to find and investigate notifiable diseases
  – Sharing information with local public health officials
Limitations
  – Inability to detect small outbreaks for some disease syndromes
  – Lag-time for some data acquisition can result in outbreak detection occurring after optimal time for intervention
  – False alarms occur and detract from user confidence
  – Lack of trust that data reflects true health status since acquired early in course of illness
  – Complex detection algorithms can be difficult to interpret
are now available. This new version of ESSENCE was fielded on September 28, 2006, by the TRICARE Management Activity Executive Information and Decision Support (EIDS) (now known as the TMA Defense Health Services Systems (DHSS)) office.
3.2 Monitoring Requirements
A Health Affairs policy memo published January 17, 2007 identifies ESSENCE as an essential component of military installation protection and a key part of the US national public health surveillance system [25]. The Services must have appropriately trained public health or preventive medicine professionals monitoring ESSENCE at each military installation. These individuals will routinely monitor ESSENCE alerts and associated graphs and data tables for any MTF within their direct jurisdiction as well as other nearby military installations. The monitoring frequency will be at least once each routine work day, but will increase to include weekends and holidays during periods of increased threat, for example, specific local terrorist threat, World Health Organization/national pandemic influenza alert phase 5 or 6, and so on. There must be active communication between the ESSENCE monitors and the local public health emergency officer [26]. The installation medical professionals responsible for public health must maintain a strong relationship with the local civilian public health office, advising them of potential outbreaks and forwarding reportable medical events information as required by local, county, or state law.
3.3 Future ESSENCE Enhancements
In keeping with the lessons learned by DoD and other syndromic surveillance experts across the country, a number of enhancements are planned for the near future. For instance, potential complementary data streams are undergoing evaluation for possible inclusion. These include laboratory orders and results, radiology orders and results, and chief complaints from primary and emergency care settings. 
The DoD continues to collaborate closely with JHU/APL, the Centers for Disease Control and Prevention’s BioSense program, and other national research and development centers in order to identify the best data sources and statistical analytical procedures.
4 CONCLUSIONS
In development and use of a surveillance program such as ESSENCE, it is most important to first determine the overriding purpose of such a system. The purpose of a surveillance system determines which attributes are most important. To monitor long-term trends in disease rates or to evaluate the effectiveness of a public health prevention program, accuracy is more important than timeliness. However, to decrease the time needed to detect an outbreak or to monitor its spread, the rapid acquisition and analysis of surveillance data become a priority, as long as it can be done with enough correct information to be useful. Rapid access to disease surveillance data can provide more than an early indication. Information in this system, such as geographic location of the patients, can assist in a more in-depth outbreak investigation. Once detected, it can be used to monitor the rate and spread of the outbreak, and the effectiveness of control measures. It can also provide situational awareness, letting health officials know the general status of acute disease in a population. And finally, surveillance information can be used by decision makers to determine at-risk populations, decide how to best allocate resources, and provide the public information on how to decrease their risk.
REFERENCES
1. O’Toole, T. (2001). Emerging illness and bioterrorism: implications for public health. J. Urban Health 78(2), 396–402.
2. Inglesby, T., Grossman, R., and O’Toole, T. (2001). A plague on your city: observations from TOPOFF. Clin. Infect. Dis. 32(3), 435–436.
3. Khan, A. S., and Ashford, D. A. (2001). Ready or not–preparedness for bioterrorism. N. Engl. J. Med. 345(4), 287–289.
4. Centers for Disease Control and Prevention. (1993). Outbreak of hantavirus infection–Southwestern United States. Morb. Mortal. Wkly. Rep. 42, 495–496.
5. Fine, A., and Layton, M. (2001). Lessons from the West Nile viral encephalitis outbreak in New York City, 1999: implications for bioterrorism preparedness. Clin. Infect. Dis. 32(2), 277–282.
6. Reed, K. D., Melski, J. W., Graham, M. B., Regnery, R. L., Sotir, M. J., Wegner, M. V., Kazmierczak, J. J., Stratman, E. J., Li, Fairley, J. A., Swain, G. R., Olson, V. A., Sargent, E. K., Kehl, S. C., Frace, M. A., Kline, R., Foldy, S. L., Davis, J. P., and Damon, I. K. (2004). The detection of monkeypox in humans in the Western Hemisphere. N. Engl. J. Med. 350(4), 342–350.
7. Peiris, J. S., Yuen, K. Y., Osterhaus, A. D., and Stohr, K. (2003). The severe acute respiratory syndrome. N. Engl. J. Med. 349(25), 2431–2441.
8. Fauci, A. S. (2006). Pandemic influenza threat and preparedness. Emerg. Infect. Dis. 12(1), 73–77.
9. Pavlin, J. A., Mostashari, F., Kortepeter, M. G., Hynes, N. A., Chotani, R. A., Mikol, Y. B., Ryan, M. A. K., Neville, J. S., Gantz, D. T., Writer, J. V., Florance, J. E., Culpepper, R. C., Henretig, F. M., and Kelley, P. W. (2003). Innovative surveillance methods for rapid detection of disease outbreaks and bioterrorism: results of an interagency workshop on health indicator surveillance. Am. J. Public Health 93(8), 1230–1235.
10. Army Medical Surveillance Activity (now known as the Armed Forces Health Surveillance Center). (2004). Completeness and timeliness of reporting hospitalized notifiable conditions, active duty servicemembers, US Army medical treatment facilities, 1995–2003. Med. Surveill. Monthly Rep. 10(4), 9–13.
11. Army Medical Surveillance Activity (now known as the Armed Forces Health Surveillance Center). (2004). Completeness and timeliness of reporting hospitalized notifiable conditions, active duty servicemembers, US Naval medical treatment facilities, 1995–2003. Med. Surveill. Monthly Rep. 10(4), 14–17.
12. Army Medical Surveillance Activity (now known as the Armed Forces Health Surveillance Center). (2004). Completeness and timeliness of reporting hospitalized notifiable conditions, active duty servicemembers, US Air Force medical treatment facilities, 1995–2003. Med. Surveill. Monthly Rep. 10(4), 18–21.
13. Williams, R. J., Cox, N. J., Regnery, H. L., Noah, D. L., Khan, A. S., Miller, J. M., Copley, G. B., Ice, J. S., and Wright, J. A. (1997). Meeting the challenge of emerging pathogens: the role of the United States Air Force in global influenza surveillance. Mil. Med. 162(2), 82–86.
14. Canas, L. C., Lohman, K., Pavlin, J. A., Endy, T., Singh, D. L., Pandey, P., Shrestha, M. P., Scott, R. M., Russell, K. L., Watts, D., Hajdamowicz, M., Soriano, I., Douce, R. W., Neville, J., and Gaydos, J. C. (2000). The department of defense laboratory-based global influenza surveillance system. Mil. Med. 165(7, Suppl. 2), 52–56.
15. Gray, G. C., Callahan, J. D., Hawksworth, A. W., Fisher, C. A., and Gaydos, J. C. (1999). Respiratory diseases among US military personnel: countering emerging threats. Emerg. Infect. Dis. 5(3), 379–385.
16. Army SG policy memo DASG-PPM-NC (40), (2001). Army Acute Respiratory Disease Surveillance Program, 18 Jul 2001.
17. Department of Defense Directive 6490.2, (2004). Comprehensive Health Surveillance, 21 Oct 2004.
18. 10 US Code sec 1074f, 2007.
19. Public Law 105–85 sec 765, 18 Nov 1997.
20. Department of Defense Instruction 6490.03, (2006). Deployment Health, 11 Aug 2006.
21. Miller, J. R., and Mikol, Y. (1999). Surveillance for diarrheal disease in New York City. J. Urban Health 76, 388–390.
22. Mostashari, F., Fine, A., Das, D., Adams, J., and Layton, M. (2003). Use of ambulance dispatch data as an early warning system for communitywide influenzalike illness, New York City. J. Urban Health 80(2, Suppl. 1), i43–i49.
23. Lewis, M. D., Pavlin, J. A., Mansfield, J. L., O’Brien, S., Boomsma, L. G., Elbert, Y., and Kelley, P. W. (2002). Disease outbreak detection system using syndromic data in the greater Washington, DC area. Am. J. Prev. Med. 23(3), 180–186.
24. Lombardo, J., Burkom, H., Elbert, E., Magruder, S., Lewis, S. H., Loschen, W., Sari, J., Sniegoski, C., Wojcik, R., and Pavlin, J. (2003). A systems overview of the electronic surveillance system for the early notification of community-based epidemics (ESSENCE II). J. Urban Health 80(2, Suppl. 1), i32–i42.
25. Assistant Secretary of Defense for Health Affairs. Policy memorandum (2007). New Electronic System for the ESSENCE Medical Surveillance System and Monitoring Requirements, published 17 Jan 2007.
26. Department of Defense Directive 6200.3, (2003). Emergency Health Powers In Military Installations, 12 May 2003.
BIODEFENSE PRIORITIES IN LIFE-SCIENCE RESEARCH: CHEMICAL THREAT AGENTS
David A. Jett
National Institutes of Health/National Institute of Neurological Disorders and Stroke, Bethesda, Maryland
Gennady E. Platoff Jr.
National Institutes of Health/National Institute of Allergy and Infectious Diseases, Bethesda, Maryland
1 BACKGROUND
The attacks of September and October of 2001 have resulted in heightened awareness of the vulnerability of the United States civilian population to terrorist groups or individuals armed with unconventional weapons. While most of the attention has been given to biological agents, the civilian threat spectrum encompasses radioactive, explosive, and
chemical weapons as well. Chemicals are particularly attractive to terrorists because they are relatively inexpensive and easy to obtain, and have the potential to cause mass casualties when used in a variety of scenarios. Unlike biological and radiological threats, there have actually been several recent chemical attacks that have resulted in mass casualties. For example, sulfur mustard and nerve agents were used against Iraqi Kurdish villages in the late 1980s, and more recently, nerve agents were used by the Japanese cult organization Aum Shinrikyo in two separate attacks against civilians in Japan [1, 2]. Not only does this stress the importance of increasing efforts to prepare for future chemical attacks in the United States, but it also provides the opportunity to analyze these events to learn about potential gaps in our response capabilities. Chemical threat agents can be categorized on the basis of the target tissues and types of primary acute effects they produce (Table 1) [3]. The traditional chemical warfare agents (CWAs) developed during the first and second World Wars include the organophosphorus
TABLE 1 Examples of Chemical Warfare Agents and Toxic Industrial Chemicals
Type | Common Name (Symbol) | Time to Onset of Initial Symptoms | Acute Effects
Nerve agents | Tabun (GA) | Seconds to minutes | Miosis, anxiety, confusion, excess secretions, muscle fasciculations, bronchoconstriction, paralysis, cardiorespiratory depression, convulsions and seizures, coma, and death
 | Sarin (GB) | Seconds to minutes |
 | Soman (GD) | Seconds to minutes |
 | Cyclosarin (GF) | Seconds to minutes |
 | VX | Minutes |
Vesicants or blister agents | Sulfur mustard (H and HD) | 4–6 h | Tearing, burning eyes, rhinorrhea, sneezing, cough, erythema, corneal damage, dyspnea, pulmonary edema, and vesication
 | Sulfur mustard-T mixture (HT) | 4–6 h |
 | Nitrogen mustard (HN-1, 2 or 3) | 4–6 h |
 | Lewisite and other arsenicals (L) | Immediate |
Pulmonary (choking agents) | Phosgene (CG) | Immediate irritant effects; pulmonary edema 4–48 h postexposure | Cough, dyspnea, pulmonary edema, and respiratory failure
 | Chlorine (Cl) | Immediate irritant effects; pulmonary edema in 2–4 h |
 | Diphosgene (DP) | Similar to CG |
Blood agents (cellular poisons) | Hydrogen cyanide (AC) (vapor and liquid) | |
 | Cyanogen chloride (CK) (vapor) | |

40,000 Functional system: interstate plus STRAHNETa Navigation preservation Main span length >165 ft and structure types Main span length Detour distance >3 miles for ADT >60,000 ON STRAHNET and/or on MTMCb, power projection routes serving forts 165 ft; no ADT limits Metro size (top 78) Functional system: freeways, expressways, and principal arterials 5% of critical bridges Roads on dams, pipelines, utilities, and so on.
Source
National Bridge Inventory (NBI) NBI
NBI NBI NBI MTMC
Federal Highway Administration (FHWA) NA NA
a STRAHNET is the strategic defense highway network.
b MTMC is the military traffic management command.
Source: [9].
In passenger transportation, the critical nodes would include airports, train stations, bus terminals, and so on. The net effect of this network characteristic is to concentrate flows at well defined locations, resulting in potential targets that not only provide the maximum harmful physical and psychological effect at that location (for example, harming large numbers of people at a rail terminal), but which could also produce economic effects beyond that location (for example, the domino effect in the logistics supply chain of not being able to transship goods at a port).
TABLE 3 Critical Highway System Assets
Infrastructure: Arterial roads; Interstate roads; Bridges; Overpasses; Barriers; Roads on dams; Tunnels
Facilities: Chemical storage areas; Fueling stations; Headquarters; Maintenance yards; Materials testing labs; Ports of entry; District/regional complexes; Rest areas; Storm water pump stations; Toll booths; Traffic operations centers; Vehicle inspection stations; Weigh stations
Equipment: Hazardous materials; Roadway monitoring; Signal and control systems; Variable messaging systems; Communications systems; Vehicles
Personnel: Contractors; Employees; Vendors; Visitors
Source: [10].
FIGURE 1 Effect of network design on disruption: (a) network redundancy and (b) critical link disruption. (Figure labels: Diverted route; Blockage.)
The above discussion focused on critical network nodes, but a similar phenomenon occurs in networks when, for efficiency or cost reasons, movements are “funneled” into critical links. Figure 1 illustrates this phenomenon. As shown in the figure, a disruption to the network in Figure 1a would cause much less disruption to network flows than severing a network critical link as shown in Figure 1b. The network redundancy shown in Figure 1a allows a network to recover more quickly by moving flows through different parts of the network, whereas the lack of such redundancy in the second network has more serious economic consequences and, depending on the circumstances, potentially catastrophic impacts. The level of redundancy in the US transportation system varies by mode and by geographic area, depending largely on how a network has been designed. The national railroad network, for example, has a high level of redundancy built into it. A disrupted link at
one location could be handled by rerouting cargo along other network paths or, for certain types of cargo, even by transferring the goods to trucks, both options most likely increasing the costs of transport. At national flow levels similar network redundancy exists for the air, road, and port networks. The most disruptive aspects associated with deficient network redundancy occur at smaller geographic scales. Thus, for example, severing a critical bridge over a river in a major metropolitan area could be very disruptive for local travelers and to the local economy, even though flows going through the metropolitan area would most likely find alternative bypass routes. Given the transportation network design in most metropolitan areas, which often does not provide much network redundancy, there are numerous opportunities to create significant disruption in the nation’s metropolitan areas. Another characteristic of a network, especially one that is connected to a much larger transportation system, is the spatial nature of movement along the network links. In other words, a person or commodity located at one location at time t will most likely be located somewhere else on the network at time t + 1. Thus, for attacks whose intent is to spread fear and disruption as widely as possible, such as the release of a biological agent in an airport whose effects might not be felt until hours or days after the release, the structure of the transportation network permits the potential spread of harmful pathogens worldwide. Given the size and extent of a typical transportation network, tracking those entities that have been exposed or infected by some form of contagion would be challenging.
2.3 Transportation Nodes as Gateways
Transportation systems provide the major points of access into the United States, both for international freight and passengers. 
Thus, they can be viewed as one of the most vulnerable points of access for someone entering the United States with the intention to cause harm. For freight movements, they represent gateways to the US economy for much of the international trade entering the country. For example, it is estimated that over 26 million containers enter US ports each year, originating from all directions. Table 4 shows container flow through the top 30 container ports in the United States. With the flow of containers, which occurs at ports throughout the country, security monitoring of container movement becomes an important, albeit challenging, task. The international nature of freight movement introduces additional complexity into transportation security. For example, a recent report from the Department of Homeland Security identified the following principles in enhancing the security of the international supply chain [11].
1. Accurate data in the form of advance electronic information is necessary to support the risk assessment of the cargo. This information is needed early in the process to identify high-risk cargo before it approaches the United States. In the case of containers, the information is needed before vessel loading in a foreign port.
2. Information must be appropriately shared among US government agencies and US trading partners, while simultaneously being safeguarded from improper disclosure.
3. Secure cargo requires a procedure to ensure that the cargo conforms to the cargo information electronically transmitted to the authorities. This process connects first-hand knowledge of the cargo with the validation of the cargo information. This process also ensures that safeguards are in place to prevent unlawful materials (or
TABLE 4 Top US Container Ports, Twenty-Foot Equivalent Units (TEUs), 2005
Port | Rank | Import | Export | Net
Los Angeles, CA | 1 | 4864 | 1043 | 3821
Long Beach, CA | 2 | 4378 | 1024 | 3355
New York, NY | 3 | 3387 | 972 | 2415
Charleston, SC | 4 | 1509 | 615 | 894
Savannah, GA | 5 | 1469 | 670 | 800
Oakland, CA | 6 | 1374 | 611 | 763
Seattle, WA | 7 | 1339 | 464 | 875
Norfolk, VA | 8 | 1319 | 540 | 779
Houston, TX | 9 | 1222 | 599 | 623
Tacoma, WA | 10 | 1155 | 362 | 793
Miami, FL | 11 | 772 | 324 | 448
Port Everglades, FL | 12 | 578 | 302 | 276
Baltimore, MD | 13 | 382 | 137 | 244
San Juan, PR | 14 | 213 | 48 | 165
Gulfport, MS | 15 | 182 | 73 | 109
New Orleans, LA | 16 | 174 | 101 | 73
Wilmington, DE | 17 | 162 | 41 | 120
West Palm Beach, FL | 18 | 159 | 121 | 39
Philadelphia, PA | 19 | 158 | 20 | 139
Jacksonville, FL | 20 | 144 | 99 | 45
Boston, MA | 21 | 130 | 56 | 74
Portland, OR | 22 | 120 | 60 | 61
Newport News, VA | 23 | 103 | 42 | 61
Wilmington, NC | 24 | 101 | 33 | 69
Chester, PA | 25 | 101 | 45 | 56
Freeport, TX | 26 | 54 | 26 | 28
Honolulu, HI | 27 | 51 | 28 | 23
San Diego, CA | 28 | 49 | 3 | 46
Richmond-Petersburg, VA | 29 | 41 | 19 | 21
Anchorage, AK | 30 | 33 | 32 |
United States, total | | 25,868 | 8578 |