2001 Systems Engineering Capstone Conference • University of Virginia

VIRGINIA’S CRITICAL INFRASTRUCTURE PROTECTION: A RISK ASSESSMENT AND MANAGEMENT STUDY

Student team: Scott Crenshaw, Krista Moses, Zach Slagel, Jason Wynegar
Capstone Faculty Advisor: Yacov Y. Haimes, E-mail: haimes@virginia.edu
Project Team: (Faculty) Stephanie Guerlain, Stan Kaplan, Jim Lambert, and (Research Assistant) Felicia Leung, Department of Systems Engineering
Client Advisors: Wayne Ferguson and John Miller, Virginia Transportation Research Council, Charlottesville, VA, E-mail: vtrcweb@vdot.state.va.us

KEYWORDS: Critical Transportation Infrastructure, Risk Analysis, Risk Assessment, Risk Management, Terrorism.

ABSTRACT

A comprehensive methodological framework is developed for the assessment and management of risks to critical transportation infrastructures in the state of Virginia. Five case studies are presented that focus on performing quantitative risk analysis and developing risk management options to increase safety and functionality. Evolving from this project is a set of management policies (structural and non-structural) and decision-making tools that facilitate effective trade-off analysis in terms of cost, risk reduction, damage, and operability. From this analysis, decision makers will be able to identify deficiencies in the system’s robustness, resiliency, redundancy, and security, and decide which measures to implement based on the trade-offs associated with each option. Because of the universality of the framework developed, this project lays the foundation for future risk assessment and management plans for other critical infrastructures. This project serves as a pilot study for increasing the safety and security of transportation infrastructures in the state of Virginia.
INTRODUCTION

Background

On July 15, 1996 President Clinton issued Executive Order 13010, which defined the following eight infrastructures as critical (critical meaning that their loss would have a significant negative effect on the nation’s defense or economic security): banking and finance, continuity of government, electrical power systems, emergency services, gas and oil storage/transportation, telecommunications, transportation, and water supply systems. The following quotations are from Executive Order 13010 and illustrate the importance of these infrastructures.

"America’s critical infrastructures underpin every aspect of our lives. They are the foundations of our prosperity, enablers of our defense, and the vanguard of our future. They empower every element of our society. There is no more urgent priority than assuring the security, continuity, and availability of our critical infrastructures. Our national defense, economic prosperity, and quality of life have long depended on the essential services that underpin our society." (Clinton, 1996)

Needs

Transportation systems are extremely vulnerable to planned and unplanned attacks because of their "openness," and are difficult to protect against terrorism and natural threats. Therefore, a methodological framework for identifying, prioritizing, filtering, ranking, and managing risks is described. Furthermore, an application of these tools is shown for five transportation structures in order to determine what risks are associated with a particular system and what can be done to minimize these threats.

Scope

The transportation infrastructure in Virginia is one of the most vital systems on the Mid-Atlantic Coast of the U.S. It contains major east/west connectors for travelers in the Mid-Atlantic region, the world’s largest Naval base, the Port of Virginia, and the second most complex system of underwater tunnels and bridges in the world.
In order to keep this system running, it must have the utmost protection against threats to its critical infrastructure. On top of the numerous physical structures that move traffic in Virginia, there are command, control, and communication centers that monitor the traffic flows as well. With the complex interconnectedness among critical assets in Virginia, it is imperative that proper risk management practices be applied to ensure the safety of the transportation system. The interconnectedness among cyber control systems, the threat of terrorist attack, and other extreme events are the focus of the study.

METHODOLOGICAL APPROACH

Risk Assessment

Risk assessment is the first phase in analyzing a system and determining what can go wrong and with what likelihood. The risk assessment stage attempts to answer three main questions: 1) What are the risks? 2) What are the likelihoods of the risks occurring? 3) What are the associated consequences? (Garrick and Kaplan, 1981). The first question identifies the risks: what are the scenarios that, if they occurred, would jeopardize the lives of the users and operators of the system or damage the system’s functionality? There are two possible perspectives for identifying risk scenarios: (1) What can make the system fail? and (2) What can be done to make the system fail? The latter implies an intentional act and therefore pertains to terrorism scenarios, whereas the first perspective covers natural hazards, accidental failures, and maintenance issues. Once the risks have been identified, the next question is: what are the likelihoods of these risks occurring? Given a risk scenario, what is the probability that it will happen? The first step is to determine the likelihoods using qualitative measures such as very likely, likely, not very likely, seldom, etc.
This step allows additional filtering of risks: if a given risk is judged neither very severe nor very likely, it can be dropped from further analysis. The second step is to measure quantitative probabilities and use these in place of the qualitative likelihood measures. These numbers are obtained through structured research as well as through expert evidence from people who have a detailed understanding of the system. This knowledge allows the list of major risk scenarios to be refined even further.

The last question is: what are the associated consequences? What will happen to the structure, the surrounding area, government and military mobility, and economic stability, among others, if these risks materialize? In other words, what will the impact of the resulting risks be on the community and society as a whole? Consequences may be categorized according to public safety and health, functional impact, economic impact, and environmental impact, among others. After this question is answered, the entire process is iterated to determine what, if any, risk scenario has been overlooked.

Risk Management

Following completion of the risk filtering, assessment, and ranking procedures comes risk management. Within the risk management framework, three main questions are addressed: 1) What can be done to minimize the risks defined in the risk assessment? 2) What are the associated trade-offs of implementing these risk management options? 3) What will be the future impacts of management options made in the present time? (Haimes, 1991, 1998). First, we seek the options we can recommend that will increase the safety of the people involved as well as the overall functionality of the asset. We look at factors such as structural redundancy, resiliency, recovery, and security.
These classes of factors are defined as follows (Haimes, Kaplan, and Lambert, 2001). Redundancy measures, if a component of an asset fails, how many other components can take over for the failed component until it is repaired. Resiliency measures, if a part of a structure fails, how capable the structure is of maintaining at least partial functionality. Recovery measures how long it takes for the structure to regain total functionality after an adverse event has occurred, and how easy that process is. By optimizing these characteristics, overall structure safety and security will increase.

The next question is a corollary to the previous one: what are the associated trade-offs of implementing these risk management options? Some of the main factors that determine which procedures should be recommended are the following: cost, benefit, ability to increase user safety, ability to increase redundancy, resiliency, and recovery, other risks imposed by implementing a new procedure, how long it will take to become functional, and many others. Once these items are taken into consideration, management options are recommended for implementation. Methodologies such as fault trees, decision trees, and multi-objective trade-off analysis are used.

The final question to be addressed in this stage is: what will be the future impacts of management options made in the present time? Namely, upon implementation of a plan today, what are the possible pros and cons that could result in the future? Would the risk of overall system failure become smaller if a procedure were adopted that made the structure or facility more resilient to attack? Would the benefits of implementing such a procedure be worth more than the cost? These are the questions this part of the risk management framework attempts to answer.
Site Selection

Case study sites in Virginia were chosen for validation of the framework. The original intent was to focus on bridges and tunnels; however, based on consultation with advisors and clients, the case studies were selected to include different types of assets. By sampling various assets the framework could be tested more effectively. The following types of sites were selected:
- A command, control, and communications center
- A critical bridge
- Two critical bridge/tunnels
- An intersection of two major highways
- An intersection of a major highway and a vital urban road

Risk Filtering, Ranking, and Management

Risk Filtering, Ranking, and Management, otherwise known as RFRM, is a methodology developed by Yacov Y. Haimes, Stan Kaplan, and James H. Lambert to identify, prioritize, assess, and manage multiple risk scenarios from different angles within a large-scale system. RFRM comprises an eight-phase process that uses qualitative and quantitative assessments to arrive at a listing of the most important risks to a system. Phases I and II identify and narrow down the areas of risk for the assessment. Phases III through V filter and rank the risks specific to the analysis. Phase VI creates risk management options, and Phases VII and VIII check the methodology and gather feedback, respectively.

Phase I: Scenario Identification. This phase is accomplished through the construction of a Hierarchical Holographic Model (HHM) (Haimes, 1991, 1998). The HHM can be described as a diagram that categorizes the multiple perspectives of a system and so encapsulates the gestalt of the sources of risk to the system. An HHM describes a series of "as planned" scenarios represented by head nodes and sub-nodes for each perspective. Through the HHM, one can look at every source and point of risk within and outside the system.

Phase II: Filtering on Scope, Decision Makers, and Time Domains.
This phase narrows the entire set of risks down to the levels that the decision maker is most concerned with. Upon completion of this phase the analyst will have identified a more relevant subset of risk categories pertinent to the decision maker’s domain and interests.

Phase III: Ordinal Filtering and Ranking. In this phase the set of categories developed in Phase II is reduced even further. A risk matrix that describes likelihood and consequence levels for sources of risk is used. The matrix, similar to Figure 1, combines consequence and likelihood to create a relative "severity" measure for each risk source. The risk scenarios of concern to the assessment are those with the highest severity; therefore, the risks that fall into the low severity categories are set aside. Low severity risks are not discarded, however, because they may be of interest later in the RFRM process. Upon completion of this phase approximately 50 risks should be left.

[Figure 1. Risk matrix with natural language for Phase III (after US Air Force [1988]). Likelihood axis: Unlikely, Seldom, Occasional, Likely, Frequent. Most likely effect axis: Loss of life due to system failure, Loss of entire system functionality, Security breach, Partial system failure, Component failure. Cells are rated Extremely High Risk, High Risk, Moderate Risk, or Low Risk.]

Phase IV: Multi-Attribute Evaluation. This phase uses eleven attributes, grouped into three categories, to assess the defensive capabilities of the system. Defensive capabilities are defined in terms of resilience, robustness, and redundancy, along with security. Each of the attributes of defensive ability is measured as having a high, medium, or low level of significance. By evaluating each risk in this way the analyst can compare in more detail the impacts these risks have on the system. This aids the filtering in Phase V.
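As an added worked example (not from the paper or the team’s case studies), the following Python script runs a toy asset through Phase I, Phase III and the cardinal re-ranking of Phase V described later in the methodology, plus a coverage check in the spirit of Phase VII. The Figure 1 axis terms and the two head-node perspectives are taken from the paper; the HHM sub-nodes, the analyst’s likelihood and consequence judgements, the rule that maps matrix cells to severity bands, the per-year probabilities and the 1 to 5 consequence scores are all assumptions made for this example, since the paper does not print them.

```python
"""RFRM Phases I, III and V on a constructed asset (added example, not from the paper).

Phase I: scenario identification with a small Hierarchical Holographic Model (HHM)
whose head nodes are the paper's two perspectives. Phase III: ordinal filtering
with a likelihood-by-consequence risk matrix using the Figure 1 axis terms.
Phase V: cardinal re-ranking once probabilities are attached to the likelihood
terms. The HHM sub-nodes, scenario judgements, matrix band rule, probabilities
and consequence scores are all assumptions made for this example.
"""
from dataclasses import dataclass

NATURAL = "What can make the system fail"                 # hazards, accidents, maintenance
INTENTIONAL = "What can be done to make the system fail"  # terrorism scenarios

# Phase I: HHM head nodes -> sub-nodes (constructed for a bridge/tunnel-like asset).
HHM = {
    NATURAL: ["hurricane storm surge", "earthquake", "ice storm", "hazmat tanker fire",
              "ship strike on pier", "deferred cable inspection"],
    INTENTIONAL: ["vehicle bomb at approach", "cyber intrusion of traffic control",
                  "sabotage of tunnel ventilation"],
}

# Axis terms as printed on Figure 1, ordered from least to most severe.
LIKELIHOOD = ["Unlikely", "Seldom", "Occasional", "Likely", "Frequent"]
CONSEQUENCE = ["Component failure", "Partial system failure", "Security breach",
               "Loss of entire system functionality", "Loss of life due to system failure"]


@dataclass
class Scenario:
    head_node: str
    sub_node: str
    likelihood: str   # qualitative term, the Phase III input
    consequence: str  # Figure 1 consequence class


def ordinal_severity(likelihood: str, consequence: str) -> str:
    """Phase III risk matrix. Figure 1 does not print its cell assignments, so the
    band rule below (sum of the two ordinal indices, 0..8) is an assumption."""
    score = LIKELIHOOD.index(likelihood) + CONSEQUENCE.index(consequence)
    if score >= 7:
        return "Extremely High Risk"
    if score >= 5:
        return "High Risk"
    if score >= 3:
        return "Moderate Risk"
    return "Low Risk"


def phase3_filter(scenarios, keep=("High Risk", "Extremely High Risk")):
    """Keep high-severity scenarios and set the rest aside. They are retained rather
    than discarded because Phase VII re-evaluates the filtered-out sources of risk."""
    kept, set_aside = [], []
    for s in scenarios:
        target = kept if ordinal_severity(s.likelihood, s.consequence) in keep else set_aside
        target.append(s)
    return kept, set_aside


# Phase V: cardinal scale. Assumed per-year probabilities for the likelihood terms
# and an assumed 1..5 score for the consequence classes.
P_PER_YEAR = {"Unlikely": 1e-4, "Seldom": 1e-3, "Occasional": 1e-2, "Likely": 1e-1, "Frequent": 1.0}
C_SCORE = {c: i + 1 for i, c in enumerate(CONSEQUENCE)}


def expected_severity(s: Scenario) -> float:
    return P_PER_YEAR[s.likelihood] * C_SCORE[s.consequence]


def phase5_rank(scenarios):
    """Rank by expected severity, highest first; sorted() is stable, so ties keep input order."""
    return sorted(scenarios, key=expected_severity, reverse=True)


def uncovered_sub_nodes(hhm, scenarios):
    """Phase VII style check: HHM sub-nodes for which no scenario was ever written."""
    seen = {(s.head_node, s.sub_node) for s in scenarios}
    missing = {}
    for head, nodes in hhm.items():
        gaps = [n for n in nodes if (head, n) not in seen]
        if gaps:
            missing[head] = gaps
    return missing


# Constructed analyst judgements for the scenarios (no "ice storm" scenario on purpose).
SCENARIOS = [
    Scenario(INTENTIONAL, "vehicle bomb at approach", "Seldom", "Loss of life due to system failure"),
    Scenario(INTENTIONAL, "cyber intrusion of traffic control", "Occasional", "Security breach"),
    Scenario(INTENTIONAL, "sabotage of tunnel ventilation", "Unlikely", "Loss of life due to system failure"),
    Scenario(NATURAL, "hurricane storm surge", "Occasional", "Loss of entire system functionality"),
    Scenario(NATURAL, "earthquake", "Unlikely", "Loss of entire system functionality"),
    Scenario(NATURAL, "hazmat tanker fire", "Seldom", "Loss of life due to system failure"),
    Scenario(NATURAL, "ship strike on pier", "Seldom", "Partial system failure"),
    Scenario(NATURAL, "deferred cable inspection", "Likely", "Component failure"),
]

if __name__ == "__main__":
    kept, aside = phase3_filter(SCENARIOS)
    print(f"Phase III kept {len(kept)} of {len(SCENARIOS)} scenarios")
    for s in phase5_rank(kept):
        print(f"  {expected_severity(s):.4f}  {s.sub_node}")
    print("HHM sub-nodes with no scenario:", uncovered_sub_nodes(HHM, SCENARIOS))
```

Running it, Phase III keeps three of the eight scenarios, and Phase V ranks the storm surge above the two loss-of-life scenarios that the ordinal matrix had scored identically, which is the point of moving from the qualitative terms to a cardinal scale. The coverage check reports the one HHM sub-node for which no scenario was written, the kind of omission Phase VII exists to catch.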
Phase V: Filtering and Ranking Using a Cardinal Scale for Severity. This phase uses a matrix similar to Figure 1, but with probabilities attached to the likelihood terms. The remaining sources of risk are placed on this scale and ranked by severity again, as in Phase III. Upon completion of this phase, approximately 10-20 risks should remain in the analysis.

Phase VI: Risk Management. What can be done? What should be done? What are the trade-offs of the options? Management options are developed and applied to the final group of risk scenarios obtained in Phase V. By examining numerous possibilities for managing the risks, one arrives at a set of Pareto-optimal options. One must remember that implementing management options alters the system; Phase VII addresses the potential future problems this creates.

Phase VII: Safeguards Against Missing Critical Items. This phase reviews the inter- and intradependencies among success scenarios and failures, evaluates the risk policies against the previously filtered-out sources of risk, and revises the risk management options developed in Phase VI. This analysis gives insight into alternative management options that might otherwise have been overlooked.

Phase VIII: Operational Feedback. The final phase examines the methodology as a whole in light of the changing and dynamic nature of risk assessment and management. One should be prepared to incorporate alternative and additional means of analysis into the methodology in order to maintain a complete model for risk assessment and management (Haimes, Kaplan, and Lambert, 2001).

RESULTS

The results of the Capstone project comprise five individual case studies, each of which applied the Risk Filtering, Ranking, and Management methodology from Phase I through Phase VI. Each case study produced hundreds of risk scenarios that were systematically filtered down to a top listing of critical threats to the system. Management policies to mitigate the risks were created specifically for each site. After the policies were subjected to trade-off analysis, a smaller set of management policies was compiled for each structure. The five infrastructures shared some common risks, such as threats from terrorist attacks, both cyber and physical, and natural hazards. The end result is a collection of risk mitigation policies that can most effectively harden the system, prevent an attack upon it, or increase its recoverability. These policies range from structural improvements, such as reinforcing girders on an interchange, to non-structural measures, such as security measures that restrict access to the structures.

CONCLUSIONS

This Capstone Project has demonstrated that: 1) there are hundreds of risks facing every transportation infrastructure, 2) the aforementioned methods can identify these risks and then filter them down to a manageable number, and 3) the risk management techniques can provide invaluable information to policy makers about the costs and benefits of any potential policy. Figure 2 shows the costs and the damage degrees of seven risk management options. The chart presents the multi-objective trade-off analysis between two objectives: minimize cost and minimize damage degree. Spending a given amount of money buys a corresponding percentage reduction in the degree of damage.

[Figure 2. Multi-objective Trade-Off Analysis: cost (vertical axis, $0 to $250,000) versus percentage of degree damage (horizontal axis, 0 to 50). Labelled points: Option 1, Option 2, Option 3, and Options 3 & 4 combined.]

This systemic risk assessment and management process allows decision-makers to enact policies and projects that truly benefit the public.
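As an added example (not the paper’s own analysis or data), the Python below reproduces the kind of trade-off curve sketched in Figure 2 for four constructed options. It enumerates every portfolio of options, including combinations like the "Options 3 & 4 combined" point in the figure, computes the non-dominated (Pareto-optimal) set for the two objectives of minimizing cost and minimizing damage degree, and answers the two questions a decision maker asks of such a curve: what is the lowest damage a budget buys, and what is the cheapest way to hold damage below a target. Option names, costs and damage factors are constructed, and the combination model (costs add, residual damage fractions multiply) is an assumption; the paper does not state how its combined option was scored.

```python
"""Phase VI multi-objective trade-off: Pareto-optimal portfolios of risk management
options, minimizing cost and damage degree at once (added example, not from the paper).

Option names, costs and damage factors are constructed. The combination model is an
assumption: costs of combined options add, and each option leaves a fraction of the
baseline damage degree, with the fractions multiplying when options are stacked.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Option:
    name: str
    cost: float      # one-time implementation cost in dollars (assumed)
    residual: float  # fraction of baseline damage degree remaining with this option alone (assumed)


@dataclass(frozen=True)
class Portfolio:
    options: tuple     # names of the options implemented together
    cost: float
    damage_pct: float  # percentage of baseline damage degree remaining


OPTIONS = [
    Option("1: restrict access to control center", 20_000, 0.90),
    Option("2: CCTV and intrusion alarms", 60_000, 0.75),
    Option("3: reinforce girders", 140_000, 0.55),
    Option("4: backup communications link", 100_000, 0.72),
]


def evaluate(subset) -> Portfolio:
    """Score one combination of options under the assumed combination model."""
    cost = sum(o.cost for o in subset)
    residual = 1.0
    for o in subset:
        residual *= o.residual
    return Portfolio(tuple(o.name for o in subset), cost, round(residual * 100, 4))


def all_portfolios(options):
    """Every subset of options, including doing nothing (cost 0, 100% of baseline damage)."""
    return [evaluate(subset) for r in range(len(options) + 1)
            for subset in combinations(options, r)]


def dominates(a: Portfolio, b: Portfolio) -> bool:
    """a dominates b if it is no worse on both objectives and strictly better on one."""
    return (a.cost <= b.cost and a.damage_pct <= b.damage_pct
            and (a.cost < b.cost or a.damage_pct < b.damage_pct))


def pareto_front(portfolios):
    """Non-dominated portfolios sorted by cost: the curve a decision maker trades along."""
    front = [p for p in portfolios if not any(dominates(q, p) for q in portfolios if q is not p)]
    return sorted(front, key=lambda p: p.cost)


def best_within_budget(front, budget):
    """Lowest damage reachable for at most `budget` dollars (None if nothing fits)."""
    affordable = [p for p in front if p.cost <= budget]
    return min(affordable, key=lambda p: p.damage_pct) if affordable else None


def cheapest_for_target(front, max_damage_pct):
    """Cheapest portfolio that holds damage at or below the target (None if unreachable)."""
    adequate = [p for p in front if p.damage_pct <= max_damage_pct]
    return min(adequate, key=lambda p: p.cost) if adequate else None


if __name__ == "__main__":
    front = pareto_front(all_portfolios(OPTIONS))
    for p in front:
        print(f"${p.cost:>9,.0f}  {p.damage_pct:6.2f}%  {' + '.join(p.options) or 'do nothing'}")
    print("best for $100,000:", best_within_budget(front, 100_000))
    print("cheapest for <= 50%:", cheapest_for_target(front, 50))
```

With these constructed numbers, three of the sixteen portfolios fall off the front: option 4 alone costs more than options 1 and 2 together while leaving more damage, and two other combinations are likewise dominated. That is the practical value of the Pareto view: it removes options no rational decision maker should fund before the cost-versus-damage argument even starts.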
Implementing the framework more widely may also improve the protection of other infrastructures, such as electric power, water, and telecommunications. The final results support the hypotheses that existing risk assessment and management techniques can be applied to large-scale infrastructures when managed correctly, and that there is a definite need to protect the vulnerable transportation infrastructures in Virginia and the U.S.

REFERENCES

Clinton, President W. (1996) "Executive Order 13010, Establishing the President’s Commission on Critical Infrastructure Protection (PCCIP)," The White House, 15 July.
Garrick, B.J., and Kaplan, S. (1981) On the quantitative definition of risk, Risk Analysis 1(1).
Haimes, Y. (1991) Total Risk Management, Risk Analysis 11(2), 169-171.
Haimes, Y. (1998) Risk Modeling, Assessment and Management. John Wiley & Sons, Inc., New York.
Haimes, Y., Lambert, J., and Kaplan, S. (2001) Risk Filtering, Ranking, and Management Framework Using Hierarchical Holographic Modeling. The Center for Risk Management of Engineering Systems at the University of Virginia.

BIOGRAPHIES

Scott B. Crenshaw is a fourth-year Systems Engineering major from Richmond, VA, concentrating in information systems and management. His major contribution to the project was studying a command, control, and communication transportation system integral to a major urban area in Virginia. Mr. Crenshaw’s future plans include attending graduate school for Systems Engineering at the University of Virginia in the fall after graduation in May.

Jason A. Wynegar is a fourth-year Systems Engineering major from Centreville, VA, concentrating in computer information systems. Mr. Wynegar’s primary contribution to the project was to study a large interchange between two Virginia interstate highways. Mr. Wynegar has accepted a position with Pricewaterhouse Coopers in Arlington, VA, and will begin work there this summer after graduating in May.

Krista L. Moses is a fourth-year Systems Engineering major from Lima, NY, concentrating in military systems. Miss Moses studied a complex bridge system for her contribution to the project. Miss Moses will be commissioned as an Ensign in the U.S. Navy in May and will proceed to pilot school in June, where she will train to become a naval aviator.

Zachary A. Slagel is a fourth-year Systems Engineering and Economics major from Richmond, Virginia. His major contribution to the project was to study two critical bridge/tunnel structures in the state of Virginia, applying the previously mentioned methodologies. After graduation in May, Mr. Slagel will be working for Pricewaterhouse Coopers in Arlington, Virginia.