The events of 11 September 2001 shook the world. As the first of two hijacked planes crashed into the World Trade Centre in New York, reverberations were felt around the globe. Almost immediately, the security of the US’ national infrastructure was under close scrutiny.

Such an attack highlighted an urgent need for security systems in the US, with a growing awareness that recent business trends, such as deregulation and globalisation, may have heightened infrastructure vulnerability by increasing the interdependence of one infrastructure upon another. Threats that had previously been considered as low security risks were re-examined and incorporated into emergency plans and procedures. Inevitably, security measures at the US’ 75,000 dams were put under the spotlight.

‘Dams are an important national resource and are recognised as such,’ says Rudy Matalucci from Sandia National Laboratories, a US Department of Energy research lab specialising in the physical security of the nation’s infrastructure. ‘They have significant functions such as hydroelectricity, flood control, water supply and navigation, and can have higher consequences of failure, particularly if located near communities.

‘Dams with distinguishing characteristics, such as being the highest or oldest dam in the country, also prove to be the focal point of attention. And all of this adds to the risk of being a terrorist target.’

A cause for concern

William R Young, former special agent with the US’ Federal Bureau of Investigation, is quick to serve a reminder that terrorism and terrorist acts are not new inventions. ‘Throughout history, significant conflicts among people often led to acts that we would call terrorism today,’ he says. He takes an example dating back to the 1920s, where the residents of Owens Valley issued a serious threat to the Los Angeles Bureau of Water. Upset by the diversion of water which would affect their livelihoods, and in an attempt to reduce water supplies to Los Angeles, the residents called the LA County Sheriff and announced plans to dynamite St Francis dam.

Nature, however, beat the residents to it. The local terrain and seismic fault lines contributed to the dam’s collapse on 12 March 1928, killing more than 470 people downstream.

Bill Bingham, president of the United States Society on Dams, says that terrorism at dams has long been a concern for federal dam owners and agencies. In 1997, the US Bureau of Reclamation acknowledged that although they had not received terrorist threats, they were stepping up security. ‘Before 11 September there was concern about security at dams,’ Matalucci says. ‘And the information we received showed that we had to do something. Tragically, the events of 11 September confirmed this.’

Bingham agrees: ‘Our awareness was raised by the order of the magnitude of this event. It drastically altered our attitude about security at dams.’

Ongoing efforts in the US to upgrade the security of infrastructure projects now have greater importance and urgency. The latest talking point for the hydro community is the development of a risk assessment methodology for dams (RAM-DSM) and transmission systems (RAM-TSM). The two new processes take the owners, operators and security managers of dams and transmission systems through a magnifying glass examination of each facility’s unique situation. Its potential adversaries, vulnerabilities, consequences of attack and existing security measures are examined before providing a cost-benefit analysis of possible security upgrades.

Security solutions

RAM-DSM is the first tool to be developed and validated by the Interagency Forum for Infrastructure Protection (IFIP). Established in response to a presidential directive in 1997, IFIP provides a forum to exchange security information among the owners and operators of federal dams and other infrastructure. Members of the group include the US Army Corps of Engineers, Bonneville Power Administration, US Department of Energy, Federal Bureau of Investigation, Sandia National Laboratories and others.

Sandia has a history of providing security solutions for high consequence facilities. IFIP was keen to utilise this and invited Sandia to bring its knowledge of nuclear security issues to the table. This, combined with IFIP members’ experience of operational and safety issues concerning dams, created a new approach to dam security.

‘We borrowed from nuclear security and dam safety but this product is completely new,’ says a spokesperson from Sandia. ‘The partnership of different experts was what made this project so successful and satisfying. It was (and is) a great team.’

Rudy Matalucci is the project leader for RAM-DSM. ‘The methodology is primarily a starting point for improved security measures,’ he says. ‘It encourages dam owners and operators to go through and identify any vulnerability, make recommendations to enhance security measures and to mitigate


Four dams were chosen for the trial of the methodology. ‘We can’t name these,’ says Matalucci, ‘but they were four large, federal dams of significant value and interest. We used them as they had a variety of features, such as an earthen embankment, high water requirements, a navigation lock and hydroelectric facility, which enabled us to develop a generic system for all dams in the country.’

While trialing the methodology, significant inadequacies were not apparent in existing security measures. ‘We did find that dams built over the years have few security measures but this does not mean they were deficient,’ Matalucci explains. ‘It’s just that there wasn’t any real threat before. Previously the threat was from natural disasters and a safety perspective, and consequently dams were equipped in this way.’

However, the situation is changing. ‘Things have changed over the past six months,’ RAM-DSM’s project leader added. ‘We’re on high alert and emergency and security plans are big issues.’

Risk analysis

Sandia and IFIP started working on RAM-DSM in 1997. Calling it ‘a tragic, timely accomplishment’, Matalucci says the product was completed just weeks before the events of 11 September 2001. Would it have been taken so seriously without this? ‘Yes, it would have had an effect without 11 September,’ says Matalucci. ‘Efforts would have continued but they would not have been so accelerated as they are now.’

The field manual for RAM-DSM comprises a series of checklists and work sheets that have to be completed. The assessment starts with a screening process to determine which dams require a full examination. It identifies undesired events, their consequences, and prioritises these to decide whether a particular dam should be fully analysed.

The screening process is simple and inexpensive, with the main focus on protecting life, property and the mission of the dam (ie hydro power, navigation etc). Matalucci estimates that if a dam owner or federal agency owns several hundred dams it will only take a couple of weeks to complete the screening process.

‘If the owner knows which type of dams he has then it will be immediately obvious which dams are a high risk,’ he explains. ‘By looking at the available data and asking questions, such as is the facility near a community, or is it a valuable water resource, will enable the owner to judge if the scheme is a high consequence consideration.’

High risk dams are then put through their paces with the risk assessment. The planning stage involves gathering published and other information about the dam; threat assessment; assessing the consequences of undesired events that prevent the successful accomplishment of the dam’s mission; and a site survey to collect any information missing from the work sheets and checklists.

The core of RAM-DSM is based on risk analysis. One of its aims is to estimate the effectiveness of current security systems, and the likelihood that the adversary can defeat these using the following equation:

PA * C * (1-PE) = R

where: PA = Likelihood of the attack

C = Consequence of the attack

PE = Security system effectiveness in preventing undesired event

(1-PE) = Likelihood that the adversary attack is successful (also the likelihood that security system is not effective against the attack)

R = Risk associated with adversary attack.
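
As an added illustration (not part of RAM-DSM or of the original article), the sketch below applies the equation above to rank candidate security upgrades by risk reduction per unit cost, and drops any upgrade that leaves the risk unchanged. The event names, probabilities, costs and the 0 to 1 consequence scale are all constructed assumptions.

```python
from dataclasses import dataclass

def risk(p_a, c, p_e):
    """R = PA * C * (1 - PE), the equation quoted in the article."""
    for name, v in (("PA", p_a), ("C", c), ("PE", p_e)):
        if not 0.0 <= v <= 1.0:  # assumption: all inputs normalised to [0, 1]
            raise ValueError(f"{name} must be in [0, 1], got {v}")
    return p_a * c * (1.0 - p_e)

@dataclass
class Upgrade:
    name: str
    event: str      # undesired event the upgrade is meant to address
    new_p_e: float  # estimated PE once the upgrade is in place
    cost: float     # arbitrary cost units

# Constructed sample data: event -> (PA, C, PE). Not from RAM-DSM.
EVENTS = {
    "loss of reservoir control": (0.1, 0.9, 0.3),
    "powerhouse disabled": (0.3, 0.5, 0.6),
    "navigation lock disabled": (0.2, 0.3, 0.2),
}
UPGRADES = [
    Upgrade("controlled access to control room", "loss of reservoir control", 0.7, 200),
    Upgrade("intrusion detection at powerhouse", "powerhouse disabled", 0.8, 100),
    Upgrade("extra signage at lock", "navigation lock disabled", 0.2, 50),
]

def rank_upgrades(events, upgrades):
    """Sort upgrades by risk reduction per unit cost; drop any that reduce nothing."""
    ranked = []
    for u in upgrades:
        p_a, c, p_e = events[u.event]
        delta = risk(p_a, c, p_e) - risk(p_a, c, u.new_p_e)
        if delta <= 0:  # money spent, risk unchanged: not recommended
            continue
        ranked.append((u.name, round(delta, 4), delta / u.cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, delta, per_cost in rank_upgrades(EVENTS, UPGRADES):
        print(f"{name}: risk reduced by {delta}, {per_cost:.5f} per cost unit")
```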

The methodology is currently available in the US but as it contains sensitive information all those who request it are screened and requested to sign a non-disclosure statement. Those who qualify are given a free licence to use RAM-DSM. Matalucci says they do not want to restrict access to the methodology but they don’t want the information to get into the wrong hands.

‘We do need to protect this information,’ he says. ‘It is a proprietary document for official use under select approval but we are trying to distribute it nationwide.’

Matalucci has recently conducted a RAM-DSM workshop in Washington, DC, for two major non-federal companies: one which specialises in designing and building dams, and the other with a presence in security measures infrastructure. The companies joined forces and sent 30 employees to a one-week training workshop. A local dam in Virginia was used as a prototype for training purposes.

‘They found it very useful,’ says Matalucci. ‘Some had never experienced such risk application and were somewhat surprised. They identified that this process is part science and part art. It’s not exact risk assessment but is relatively subjective.

‘A lot of judgement is involved but the system is robust and can be repeated,’ he adds. ‘The same method can be used by different people on the same dam, and they will most likely come to the same conclusion.’

False sense of security

However, Matalucci cautions that the methodology must not lull dam owners into a false sense of security. Spending money on security measures will not guarantee a reduction in risk. ‘When we train people we make them aware that this is a serious matter. If there are deficiencies we need to take measures to correct these. But one main concern is that we may become over zealous and spend money that has no return on investment. Security systems need to be well integrated and demonstrate they reduce risks, or we do not recommend them.’

Matalucci says that in the past safety was the main concern at federal dams, but now security issues have to be addressed. His hope is that in the future safety and security can be integrated, and implemented at an earlier stage in a dam’s life cycle.

‘We need to rethink how we build and design dams in future,’ he says. ‘Civil engineers, like myself, say that if we had to design new dams we would follow security principles from the beginning and install security systems during construction. This would minimise the cost. Retrofit is so much more expensive.’

And what of Matalucci’s other hopes for the future development of RAM-DSM? His answer is quite simple.

‘We hope in the long run that we can protect lives. This is the number one thing. We want to ensure that lives are not at risk from a dam that has been designed to provide a service to the public.’

How real is the threat?

According to a report in the Washington Post on 7 February 2002, CIA director George Tenet has evidence to suggest that multiple high profile attacks have been considered against US landmarks, such as major airports, bridges, harbours and dams.
On 16 January 2002 Edison Electric Institute put out an alert reporting receipt of indications that US municipal websites were being used to obtain information about water reservoirs and dams.
John Moyle, president of the Association of State Dam Safety Officials (ASDSO), explains how states have heightened security awareness since 11 September. Twenty-seven states replied to an ASDSO survey. Their actions have included:
• Sending letters to dam owners to increase security awareness.
• Heightening security measures around dams and hydro facilities.
• Placing restrictions on or delaying posting information about specific dams to websites.
• Co-ordinating with other state agencies in developing infrastructure protection programmes.
• Reviewing emergency action plans with consideration to possible terrorist actions.
• Considering new legislation dealing with dam security.
Rudy Matalucci from Sandia National Laboratories says that more dam owners are now applying security measures. Dams are often open to the public but operators are aware of possible associated risks. To help improve security they are minimising and controlling access to certain parts of the dam.
‘We hope to minimise the effect of this on recreational activities but it probably will have an impact,’ Matalucci says. ‘Some owners are restricting recreation and cutting down on access to the site.’
ASDSO’s Moyle adds that possible future actions could include establishing national guidelines for counter-terrorism measures, as well as state-wide implementation of the RAM-DSM system.