ICG Risk Blog - [ Generic elements and process of a Design Basis Threat (DBT) protection system ]

Generic elements and process of a Design Basis Threat (DBT) protection system


Part 1, Structured IT risk remediation: Integrating security metrics and Design Basis Threat to overcome scenario spinning and fear mongering

An international design basis threat (DBT)

The aftermath of the 11 September attack brought renewed urgency to US, EU and Russian efforts to strengthen physical protection of nuclear materials and all nuclear facilities, power and weapons. While Sandia's Jim Blankenship noted that a "Design Basis Threat (DBT) has been used by the United States since the 1970s as the basis for the design and evaluation of a nuclear facility’s physical protection system and as a standard for comparison as the threat changes", the DBT was too often scenario-based rather than procedural - a condition not challenged until the Khobar Towers attack. From Multisourcing: belated recovery of forgotten first principles, part 2:

Scenario-based responses are dangerously omissive, driving clients to extraordinary cost and diversion, often without merit, but they are prevalent in part because they are simple. They require no procedural rigor or grounding in fact, only the ability to ask "What if?" endlessly, yet are virtually ineffective for deferring, deflecting, or interdicting an adversary's preparation.

Witness the July 2005 mass transit bombings in London: the UK had a thirty-year history of dealing with a variety of terrorist attacks and bombings, and the "scenario" and "lessons learned" from the earlier transit attacks in Madrid, Spain, were well known, yet they proved of little benefit to the British in interdicting the London attacks of July 2005.

Scenario-spinning has no logical end and provides no threat assessment, vulnerability assessment, or risk assessment that would normally be enshrined in a firm’s Governance Model.

Scenarios were an Army staple until the terrorist truck bomb attack along the northern perimeter of Khobar Towers, Dhahran, Saudi Arabia, on June 25, 1996. (Khobar Towers was a facility housing U.S. and allied forces supporting Operation SOUTHERN WATCH, coalition air operations over Iraq.) The report by Wayne A. Downing, General, U.S. Army (Retired) which has become known as the Downing Report (Introductory Letter, Preface and Report), reinvigorated the uphill effort to substitute procedurally consistent threat and vulnerability analyses in place of scenario generation.

Without guiding bounds, scenarios proliferate endlessly, often crippling most well-intended, protective efforts (paralysis by analysis). Defenders must define a coherent view of their risk tolerance before they can craft a response strategy that can reasonably and consistently respond to the threats on offer.

Rising from efforts at Sandia, DoE and the NRC, the "IAEA desired an international approach for a DBT methodology that could be offered to all Member States." By 2002 member states had agreed upon a DBT "international standard model" that reconciled varying approaches as to where "risk" was accommodated.

The DBT has become the basis for the design of the physical protection system (PPS), the evaluation of a PPS under assault and the means to document and absorb future threats. Within this framework, each state can modify "the DBT process to better accommodate their culture, the technical resources of their facilities and authorities, and their regulatory frameworks."

Blankenship paints the need for DBT in bold relief:

  1. If the facility does not know who the adversaries may be and what the adversaries’ resources may be, then the design of the [protection system] probably is inaccurate...
  2. Without a DBT, the evaluator has no objective measure for evaluating the effectiveness of the  [protection system]. This lack could lead to inconsistent evaluations...
  3. [Changes] could not be documented, and in fact might not even be noticed, if there were not a standard DBT created at some point in time, against which the future threats are compared...

Nine steps were recommended for developing, using, and maintaining a DBT:

  1. Identify Roles and Responsibilities of all Organizations
  2. Develop Operating Assumptions for Use with the DBT
  3. Identify the Range of Potential Generic Adversary Threats
  4. Identify an Extensive List of Threat Characteristics
  5. Identify Sources of Threat-related Information
  6. Analyze and Organize Threat-related Information
  7. Develop Threat Assessment and Gain Consensus
  8. Create a National DBT
  9. Introduce the DBT into the Regulatory Framework

The outcome of the first six steps [is] the Threat Assessment (TA) document, which contains a description of the full range of credible threats to the nuclear facilities in the State… This TA is then sent to the competent authority, which implements the State’s regulatory framework and sets policy for the physical security provisions in the State. The competent authority evaluates the risks associated with the DBT, the consequences of a successful attack by the DBT, and the probability of such an attack. The agency knows the State resources that are available or could be made available to counter the DBT. This agency then reduces the threat assessment document to incorporate the risk that the state is willing to accept. This produces a Design Basis Threat (DBT) statement against which the facilities must protect and against which they will be evaluated by the State competent authority.

Redrawing Blankenship's model for added clarity:

Generic elements of a DBT protection system

Axel Hagemann, a GRS (Gesellschaft für Anlagen- und Reaktorsicherheit mbH) representative to the IAEA, undertook a description of DBT for IAEA member states in DBT - Basis for developing a European physical protection concept. Hagemann's DBT procedural descriptions for a state implementation are given in its appendix, which I have attempted to generalize for a corporate setting without losing Hagemann's original presentation model.

The result of Blankenship's threat assessment enters in box 1, having documented an analysis of the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences:

Generic Elements of a DBT Protection System

The consequences represented in box 2 are defined as the potential level of impact on the interests of the public, nation, key interest groups, and possibly the international community. Consequences could be defined in relation to the class of event derived from end-items. The concern over potential consequences will influence the policy of the decision making process in the development of a DBT. This decision making process is represented in diamond 3, which represents the Governance committee's responsibility to decide, through the definition of a DBT, on the level of protection. The decision making process represented by diamond 3 can include technical, resource, administrative and political concerns. This reduces the influence of emotions on the concern and provides opportunities to adjust existing definitions of the DBT.

The key elements in the creation of a DBT are threat assessment and decision making considering potential consequences. Threat assessment and decision-making are separate and different processes even though in practice they may be carried out simultaneously. The threat assessment process, and the document that describes the conclusions, scopes all the realistic and credible threats that the Governance committee needs to consider.

Some threats may not be manageable in terms of a DBT because some aspects of the protection system fall outside the responsibility of the Governance committee. These threats are described as being out of scope of the DBT, i.e., "Outside DBT" does not necessarily describe a magnitude of threat above that described in the DBT, but can describe threats that are inappropriate to include in a DBT.

Those threats still need to be accounted for and either ruled out of scope, or other competent authorities need to be involved to define a response. Diamond 13 represents this additional decision making process for which the Governance committee is responsible. The decisions symbolized by diamond 13 could be of high relevance if new concepts emerge that were not included in the design basis. The goal is a process that results in acceptable risk, box 14. The Governance committee can, as available, draw on external agencies to provide intelligence and data to support creation of the Threat Assessment and maintenance of the DBT.

The protection definition shown in box 6 must be designed against the DBT and will be evaluated by the Governance committee using the definition of the DBT. Protection objectives will be specific to the items transiting the system. The security functions in box 8 (detect, deter, deflect, defend and recover) must each be evaluated against the DBT.

Responses may be graded or immediate depending upon the current evaluation of the threat, the relative attractiveness and potential of items and the potential consequences associated with diversion of that item. The requirements on the security function "Deter" can vary depending on the desired response time, response capability and method.

Process steps

Threat assessment (box 1): An analysis documenting the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences from diversion of end-items. The result of the threat assessment process describes the credible threats.

Consequences (box 2): The potential level of impact on the interests of the public, nation, key interest groups, and possibly international community.

Decision process (diamond 3): Consideration of the results of the threat assessment, the consequences and the policy leads to definition of the DBT. The corporate Governance committee coordinates the development of a DBT and is responsible for its maintenance.

Outside DBT (box 4): Describes those threats identified in the Threat Assessment that will not be included in the DBT, but still remain as a credible threat. Threats outside the DBT must be considered and either ruled out of scope and indefensible, or an external authority must be involved to complete the mediation required by the DBT.

Design Basis Threat – DBT (box 5): Describes the attributes and characteristics of potential insider and external adversaries who might attempt acquisition of items deemed sensitive, and against whom a protection system has been designed and evaluated.

Protective envelope (box 6): Describes the total protection against unauthorized acquisition or diversion and will likely require a design that includes procedures, facility design, and hardware.

Specific protection objectives (box 7): Describes the means of protecting items that are moving through the system, and all other items defined as having some risk.

Specific responses (box 8): Describes methods to "Detect" or "Defer" an acquisition of an item or to invoke emergency containment responses as appropriate under the DBT.

Vulnerability assessment and capacity evaluation (box 9): A test of the system’s ability to respond to both the DBT and ongoing threats "in the wild".

Decision process (diamond 10): Represents internal decisions made during the design or evaluation of the protection process to include an evaluation as to whether the specific objectives are achieved. This decision box includes any decision regarding improvement, redesign or post damage crisis management.

Crisis management (box 11): Describes internal post-incident damage control in response to an undesired acquisition of an item.

Internal emergency response (box 12): Describes actions required to mitigate an inadvertent breach or loss of control of an item.

Decision process (diamond 13): Describes a process under which the Governance committee achieves an acceptable level of risk for all items in the DBT.

Acceptable Risk (box 14): Defines acceptable risk in which the term "risk" is used as the likelihood that a threat will be able to affect an undesirable consequence. Risk can be reduced but not eliminated. All the judgments and decisions imply an acceptance of a degree of risk.

External competent authority (diamond 15): Describes how to respond to credible threats not included in the DBT. (The DBT may be revised or extended in this process.)

External authority responsibility (box 16): Describes a class of external action, protection or assistance taken by external authority.

External authority response (box 17): Describes external authority response in support of the corporation.

External security (box 18): Describes measures taken by an external authority in support of the corporation that acknowledge a credible threat as external to the DBT. Any such measures are made in concert with internal emergency response measures.
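The flow from the threat assessment (box 1) through the DBT decision (diamond 3), the protective envelope and its vulnerability assessment (boxes 6 to 9) to acceptable risk (diamond 13), rendered as a small added Python model; this is not code from the original post or from Blankenship's or Hagemann's work. The threat list, risk numbers, policy thresholds and envelope effectiveness levels are constructed, and the risk formula (likelihood times consequence) and the rule that a consequence at or above a floor is never accepted are assumptions of the model, not rules stated in the text.

```python
# Toy model of the DBT process in boxes 1-14 above; all sample data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    capability: int        # 1 (low) .. 5 (high) adversary capability
    likelihood: float      # credible probability of an attempt, 0..1
    consequence: int       # box 2: impact level 1 (minor) .. 5 (severe)
    insider: bool = False  # adversary holds authorized access
    in_scope: bool = True  # False: not manageable by the Governance committee

@dataclass(frozen=True)
class Policy:
    accepted_risk: float    # residual risk the committee is willing to accept
    consequence_floor: int  # consequences at or above this are never accepted (assumed rule)

SECURITY_FUNCTIONS = ("detect", "deter", "deflect", "defend", "recover")  # box 8

def risk(t: Threat) -> float:
    """Box 14: likelihood that a threat brings about its consequence (assumed formula)."""
    return t.likelihood * t.consequence

def decide_dbt(threat_assessment, policy):
    """Diamond 3: reduce the threat assessment (box 1) to the DBT (box 5),
    the outside-DBT list (box 4) and the residual risk the committee accepts."""
    dbt, outside, accepted = [], [], []
    for t in threat_assessment:
        if not t.in_scope:
            outside.append(t)   # box 4 -> external competent authority (diamond 15)
        elif t.consequence >= policy.consequence_floor or risk(t) > policy.accepted_risk:
            dbt.append(t)       # box 5: protection is designed and evaluated against it
        else:
            accepted.append(t)  # box 14: carried as accepted residual risk
    return dbt, outside, accepted

def dbt_statement(dbt):
    """Box 5: the adversary attributes the protective envelope (box 6) is designed against."""
    return {
        "max_capability": max(t.capability for t in dbt),
        "insider_assumed": any(t.insider for t in dbt),
        "threats": sorted(t.name for t in dbt),
    }

def vulnerability_assessment(statement, envelope):
    """Box 9: every security function must match the DBT adversary capability;
    returns the functions that fall short, feeding diamond 10 (improve/redesign)."""
    need = statement["max_capability"]
    return [f for f in SECURITY_FUNCTIONS if envelope.get(f, 0) < need]

def acceptable_risk_reached(gaps, outside, external_coverage):
    """Diamond 13: no protection gaps and every outside-DBT threat is covered
    by an external authority (boxes 15-18)."""
    return not gaps and all(t.name in external_coverage for t in outside)

# Constructed threat assessment for a corporate setting (box 1)
THREAT_ASSESSMENT = [
    Threat("insider diversion of controlled item", 3, 0.30, 4, insider=True),
    Threat("armed external group", 5, 0.10, 5),
    Threat("opportunistic theft", 1, 0.60, 2),
    Threat("vandalism", 1, 0.50, 1),
    Threat("attack on regional power grid", 5, 0.05, 5, in_scope=False),
]
POLICY = Policy(accepted_risk=0.7, consequence_floor=4)
ENVELOPE = {"detect": 5, "deter": 4, "deflect": 5, "defend": 3, "recover": 5}  # constructed

if __name__ == "__main__":
    dbt, outside, accepted = decide_dbt(THREAT_ASSESSMENT, POLICY)
    gaps = vulnerability_assessment(dbt_statement(dbt), ENVELOPE)
    print(dbt_statement(dbt), [t.name for t in outside], [t.name for t in accepted], gaps)
```

With the constructed data the armed group enters the DBT on consequence alone despite its low likelihood, the grid attack is routed outside the DBT, and the envelope shows "deter" and "defend" gaps that diamond 10 would send back for redesign.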

Use of Design Basis Threat at Department of Energy

It is instructive to consider one of the best practitioners of the Design Basis Threat and Vulnerability Assessment process, the Department of Energy (DOE). DOE is also remarkable in its rigor, and is among the few in and out of government that reject a scenario-based 'threat' definition.

The key component of DOE's risk-based security practices is the DBT, a classified set of characteristics of potential threats to DOE assets. The DBT traditionally has been based on the Postulated Threat, a classified, multi-agency intelligence community assessment of potential terrorist threats. The DOE DBT considers external threats that include terrorists, criminals, psychotics, disgruntled employees, violent activists, and spies. The DBT also considers internal threats by insiders who have authorized unescorted access within DOE facilities and programs. These insiders may operate alone or in concert with an adversary group, and are routinely considered to provide assistance to a terrorist group noted in the DBT. DOE generally considers the threat of terrorist groups to be the most demanding threat contained in its DBT.

For over a decade, DOE has employed a risk management approach that seeks to direct resources to its most critical assets (Category I special nuclear material) while mitigating the risks to these assets to an acceptable level. Levels of risk are derived from a mathematical equation that compares a terrorist group’s capabilities with the overall effectiveness of the crucial elements of the site’s protective forces and systems, and then assigned classified numerical values.

DOE counters the terrorist threats noted in the DBT with a multilayered protective system. While specific measures may and do vary among sites, all DOE protective systems at the most sensitive sites employ an in-depth defense that includes sensors, physical barriers, hardened facilities and vaults, and heavily armed paramilitary protective forces equipped with such items as automatic weapons, night vision equipment, body armor, and chemical protective gear. The effectiveness of the protective system is formally and regularly examined through vulnerability assessments.

A vulnerability assessment is a systematic evaluation process in which qualitative and quantitative techniques are applied to detect vulnerabilities and arrive at effective protection of specific assets. To conduct these assessments, DOE uses subject matter experts (SMEs), computer simulated attacks, and force-on-force performance testing in which the site’s protective forces undergo simulated attacks by a group of mock terrorists.

Assessment results are documented at each site in a classified document known as the Site Safeguards and Security Plan which, in addition to identifying known vulnerabilities, risks, and protection strategies for the site, formally acknowledges how much risk the contractor and DOE are willing to accept.

Historically, DOE has strived to keep its most critical assets at a low risk level and may insist on immediate compensatory measures should a significant vulnerability develop that increases risk above a low risk level. Through a variety of complementary measures, DOE ensures that its safeguards and security policies are being complied with and are performing as intended, e.g., identified high and moderate risks require corrective actions and regular reporting. Response measures can go so far as to curtail operations until the asset can be better protected.

While contractors must perform regular self-assessments and are encouraged to uncover any problems themselves, DOE requires its field offices to comprehensively survey contractors’ operations for safeguards and security annually. All deficiencies identified during surveys and inspections require the contractors to take corrective action.

DOE's May 2003 DBT reflects a post-September 11 environment by identifying a larger terrorist threat than did the 1999 DBT and by expanding the range of terrorist objectives to include radiological, biological, and chemical sabotage. Notable issues of the 2003 DOE DBT included an expansion of terrorist characteristics and goals, and an increase in the size of the terrorist group threat:

Expansion of terrorist characteristics and goals: "The 2003 DBT assumes that terrorist groups are the following: well armed and equipped; trained in paramilitary and guerrilla warfare skills and small unit tactics; highly motivated; willing to kill, risk death, or commit suicide; and capable of attacking without warning. Furthermore, according to the 2003 DBT, terrorists might attack a DOE facility for a variety of goals, including the theft of a nuclear weapon, nuclear test device, or special nuclear material; radiological, chemical, or biological sabotage; and the on-site detonation of a nuclear weapon, nuclear test device, or special nuclear material that results in a significant nuclear yield. DOE refers to such a detonation as an improvised nuclear device."

Increase in the size of the terrorist group threat: "The 2003 DBT increases the terrorist threat levels for the theft of the department’s highest value assets—Category I special nuclear materials—although not in a uniform way. Previously, under the 1999 DBT, all DOE sites that possessed any type of Category I special nuclear material were required to defend against a uniform terrorist group composed of a relatively small number of individuals. Under the 2003 DBT, however, the department judged the theft of a nuclear weapon or test device to be more attractive to terrorists, and sites that have these assets are required to defend against a substantially higher number of terrorists than are other sites. For example, a DOE site that, among other things, assembles and disassembles nuclear weapons, is required to defend against a larger terrorist group. Other DOE sites, such as an EM site that stores excess plutonium, only have to defend against a smaller group of terrorists. However, the number of terrorists in the 2003 DBT is larger than the 1999 DBT number. DOE calls this a graded threat approach."

The moral of DBT: a living instrument

The moral is that a DBT must be a continuously maintained instrument, because "Things Change", as David Mamet so wittily showed in his film of the same name: New attackers with expanded characteristics and goals will appear. Attacker group size may swell unexpectedly, and that includes swarms of seemingly unrelated attackers operating against different parts of one's organization. Higher authority may mandate extended protective strategies. Corporate environments can weaken under stress, sometimes degrading imperceptibly, due to financial pressure, takeover, expansion, new roll-outs or other restructuring.

A Russian Perspective on Cooperation Threat Reduction
Dmitry Kovchegin
BCSIA Discussion Paper 2007-04, Kennedy School of Government,
Harvard University, April 2007

Systems Security Engineering: An Updated Paradigm
John W. Wirsbinski
INCOSE Enchantment Chapter
November 8, 2006

Nuclear Security: DOE Needs to Resolve Significant Issues Before It Fully Meets the New Design Basis Threat
Report to the Chairman, Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform, House of Representatives
April 2004

Using Bilateral Mechanisms to Strengthen Physical Protection Worldwide
Nuclear Terrorism and International Policy
Dr. Edwin Lyman
Union of Concerned Scientists
Institute of Nuclear Materials Management, 2004

Approaches to Design Basis Threat in Russia in the Context of Significant Increase of Terrorist Activity
Dmitry Kovchegin
Presented at the INMM 44th Annual Meeting, Phoenix, Arizona. Conference Paper, 2003

DBT - Basis for developing a European physical protection concept
Axel Hagemann
EUROSAFE, Towards convergence of technical nuclear safety practices in Europe, Paris
Nuclear material security, Seminar 5, p. 59-68
25-26 November 2003

Protection against Sabotage of Nuclear Facilities: Using Morphological Analysis in Revising the Design Basis Threat
Stig Isaksson, Tom Ritchey
Swedish Nuclear Power Inspectorate and Swedish Defence Research Agency
Adaptation of a Paper delivered to the 44th Annual Meeting of the Institute of Nuclear Materials Management - Phoenix, Arizona, July 2003

Jim Blankenship, Sandia National Laboratories
EU-High Level Scientific International Conference on PHYSICAL PROTECTION
Salzburg, Austria
8-13 September, 2002

List of Papers
EU-High Level Scientific International Conference on PHYSICAL PROTECTION
Salzburg, Austria
8-13 September, 2002

COMBATING TERRORISM: Threat and Risk Assessments Can Help Prioritize and Target Program Investments
Report to Congressional Requesters
General Accounting Office
April 1998

Gordon Housworth
