"Designing for Sabotage," Feature Article, Sept. 2002

designing for sabotage

In the forest of possibility for mechanical failure, a new kind of tree takes root.

by Emily M. Smith

The expected causes of mechanical failure used to be accident, breakdown, Mother Nature, and vandalism. One method that engineers have used to make designs failsafe, or to create backups within a system to mitigate damage should failure occur, is to map the sequence of events that would follow any particular mechanical failure. In the circle of those who assess risk, that mapping of events is known as the Event Tree.

In the wake of September 11, a new limb on that Event Tree began to sprout. And in the 12 months since terrorists commandeered vehicles of mass transportation and turned them into weapons of mass destruction, that new limb has continued to grow in a meandering way as engineers wrestle with how the prospect of terrorism fits into the scheme of design for civilian as well as military projects.

Designing for sabotage "is a mindset we did not have to deal with in the past," Dick Madenburg, a mechanical engineer who has worked in counterterrorism for nearly a decade, said of engineers in general. While terrorism has always existed as a possibility for mechanical failure, he said, most engineers considered it a remote threat, until September 11, when "the threat was validated."

Motivational game theory could be used to develop risk exposure models for industrial facilities.

Designing for sabotage "is a whole new way of thinking" for engineers, said Bill Jones, an ASME Fellow in the Bush administration's Office of Science and Technology who is serving as a liaison to the U.S. Office of Homeland Security. "You design for the loads you expect."

As awareness of terrorism grows, designing for it will likely lead to new design criteria that will be dictated by regulation and market forces, said Jones, who has worked in the field of finite element analysis for more than 30 years. But what will make designing for terrorism and the development of any new criteria especially difficult for engineers, Jones and others say, is terrorism's unpredictable, illogical nature.

Safety has always been implicit in design, engineers explained. But without any scientific data to lead the way in countering terrorism, engineers will have to figure out "who decides what the terrorists are going to do, and what loads are needed," Jones said.

Right now, engineers, who work in the logical, predictable world of physics, don't have any scientific data to guide them as they look for ways to satisfy the demand for counterterrorism technology that, while sweeping the globe, is felt most acutely in the United States. Even some of the equations that engineers relied on in the past to make design judgments were mutated by the attacks. The mathematics of risk assessment, from which the Event Tree springs, is one of them.

Terrorism is a new variable in an equation that, before September 11, was relatively simple: Probability x Consequence = Risk. Since then, though, the probability in that equation is less easily defined. "What was considered a credible risk before 9/11 is a helluva lot less credible now," said Robert E. Nickell, an expert on the structural design of nuclear power plants and a past president of ASME.

Rewriting the Risk Equation

September 11 even rewrote the risk equation among engineers who work in the defense industry and are used to looking for weaknesses beyond accident, mechanical failure, acts of nature, and vandalism.

In designing for a defense contractor whose primary clients are U.S. government agencies, Northrop Grumman Corp. engineers participate in one of two teams. Blue team members devise the solution. Red team members devise ways to compromise the solution, so that any weaknesses can be remedied before a proposal is submitted to the client. Because the projects of Northrop's clients are also likely targets for terrorists, sabotage of any particular project was always a consideration.

September 11, however, "forced us to think more like terrorists than we did before," said Harry Armen, North- rop Grumman's director of technology development in the Airborne Early Warning and Electronic Warfare Business Area, headquartered in Bethpage, N.Y. He is an ASME member who has participated on red teams many times during his 38 years with Grumman. What September 11 introduced to engineers like Armen, with a red-team mindset, was the use of what those in this field call "asymmetric warfare"—not the big guns that the military is used to, but volatile weapons created by mixing ingredients that are commonly available and deploying them in ways for which they were never intended: passenger planes laden with fuel being used as guided missiles, rental trucks filled with excessive amounts of garden fertilizer being detonated in front of government buildings, or harmless-looking motorboats lined with explosives being used to blow holes in U.S. Navy ships.

Engineers believe that a newfound awareness of risk and its management will benefit technology development with new tools and novel uses for old ones.

Engineers are responding to those acts of terror by contributing to adjustments in U.S. building and design codes, which may call for materials that will withstand extreme heat or be blast-resistant to mitigate the chance that shattered pieces of materials will become shrapnel; structural design that will have enough redundancy in floor supports to deter a building collapse, and the hardening of ships with double hulls. But when considering risk now, and designing to either prevent or mitigate damage in the future, engineers will have to take into account the possibility of asymmetric weapons, Armen said.

And so, as engineers consider the possibility of terrorism and how it will be carried out, they must also contemplate changes in how risk is assessed and measured. Risk can be divided into two equally important areas: the emotional, or perceived, sense of risk and the actual risk, which is based on probability, according to Ted Meyer, a former chair of ASME's Safety Engineering and Risk Analysis Division and a mechanical engineer for 30 years at Westinghouse Electric Corp.'s, Pittsburgh office, where he is a consulting engineer in several disciplines regarding the integrity of nuclear power plants. Since September 11, Meyer said, "The actual risk may not have changed, but everyone's perception of risk has changed." And it is the perception of risk, he added, that is sometimes more important than the actual risk.

Managing risk is still a balancing act of safety, productivity, function, and cost, Meyer explained. But for the average engineer, he added, September 11 presented "a new risk item that wasn't on the table before—the terrorist act." Terrorism is a new element with the potential to affect any and all of the other elements of risk management in a variety of combinations. Thus, the whole idea of risk, Meyer said, "is different than what it was before."

Part of that difference may be found in the definition of acceptable risk in terms of safety, disruption of service, protection of an asset, probability, and cost, according to Madenburg, a senior vice president at Parsons Brinckerhoff Inc., who works out of the company's Orange, Calif., office. Headquartered in Manhattan, the engineering firm is involved in the redevelopment of the World Trade Center site. Parsons was also involved in security during the 2001 Winter Olympics and currently supports a variety of security efforts, including those at strategic U.S. ports.

In the year since the terrorist attacks on the United States occurred, he pointed out, more than 40,000 people have died in car accidents in the United States alone. In the philosophy of risk management, Madenburg, who is an ASME member, asked, how will engineers or society decide, "What's the acceptable risk for terrorism?"

Acquiring a better understanding of how the probability of terrorism influences risk means engineers will "need to look at some tools that engineers are not conversant with," said Gene Feigel, a vice president at The Hartford Steam Boiler Inspection and Insurance Co. in Hartford, Conn., who deals in risk analysis. Motivational game theory is one such tool, he said. Featured in a recent movie, A Beautiful Mind, about its creator, John Nash, game theory provides a mathematical structure to organizing possible outcomes. Feigel said that, since September 11, Hartford Steam Boiler has been "looking at the possibility of incorporating" game theory into its risk assessment process.

Motivational game theory could be used to determine where and how a terrorist attack is most likely to occur, Feigel, an ASME member, said. Therefore, it could be used to develop risk exposure models for industrial and commercial facilities. The probability of a strike on a particular facility, coupled with a plan to deal with any secondary impact, will go a long way toward combating terrorism, he added.

Understanding a New Tool

Effective use of game theory to combat terrorism, however, will require an understanding of the motivation, capability, and desired result of any particular group. One method for gaining that insight, and an approach that would demystify terrorism for the engineering community at large, is to join forces more regularly with security agencies that have studied terrorist groups, said Ed Jopeck, director of security analysis and risk management at Veridian Corp., which is headquartered in Arlington, Va. What security companies such as Veridian can offer engineers is a way of restoring some of the logical and predictable variables in standard equations of risk that disappeared in the aftermath of September 11.

A company that describes itself as providing mission-critical national security programs for the U.S. intelligence community, the Department of Defense, law enforcement, and other federal and local government agencies, Veridian is currently assessing the security of approximately a dozen dams in the United States.

Soon after the attacks of September 11, information about bridges and other structures in the United States made a quick disappearance from the Internet.

Jopeck, who was an intelligence and security analyst for the U.S. Central Intelligence Agency and has been in the security field for 18 years, said that, since September 11, he has seen what might have been described as an engagement between security and engineering firms turn into a full-fledged marriage. Security and engineering have always been two separate and distinct elements of a project solution, Jopeck said. Since September 11, he has seen them merge out of necessity.

Time weighs more heavily now for government agencies and commercial companies that are trying to ensure public safety and service within an acceptable budget and on a timeline that has been compressed by the terrorist attacks. As Jopeck explained, engineering solutions have to be reasonably cost effective, while security solutions must be effective without interfering with a project's operation. "The output is significantly better when the two groups work together," he said. "The solution is more accurate."

Counterterrorism at the Design Stage

A reservoir project in Portland, Ore., that Veridian worked on is one example of how the marriage between engineering and security can perform. When Jopeck, who studied civil engineering in college, assessed five reservoirs for improvement a few months ago, protecting the open drinking water system was an issue for the city. After his assessment, Jopeck presented two choices: cover the reservoirs with a Mylar-type substance, or move them underground. Because most coverings could be compromised by what he described as the intentional acts of malevolence by a motivated adversary, Jopeck said that the city decided to move the reservoirs underground. Although it was massively expensive, he said the city had the money to pay for the relocation through a bond issue it had already obtained to cover the expense of improving the reservoirs' aging infrastructures.

Counterterrorism measures will always cost less when considered at the design stage, Madenburg said. Security firms can help engineers with counterterrorism design by giving them information about the capability, history, and motivation of particular terrorist groups that companies such as Veridian have studied. An understanding of any of those factors will help pinpoint with better certainty which civilian facilities may be targeted, Jopeck said. By process of elimination, that understanding will also better direct resources at the local, state, and federal levels to fight terrorism.

The perception of risk can be more important than actual risk.

September 11 "greatly increased the nation's need to identify what assets need to be protected and how," Jopeck said. What would further that effort, he added, is the creation of national standards by which to measure risk. In fact, the need for a standard that could be used to effectively direct resources was included on a list of priorities enumerated in a recent report from the U.S. General Accounting Office.

Greater understanding among engineers about possible targets might have helped quell the public fear, prevalent after September 11, that nuclear power plants might be attacked, Nickell, an expert in power plant design, said. After the attacks, the Nuclear Regulatory Commission moved to assess hardening facilities that federal safety requirements had already made difficult to breach, he said. Because the critical structures of a nuclear power plant have a much lower profile than the World Trade Center and are more like the Pentagon, they are difficult to target from the air, even for experienced pilots, he said. Nickell has military experience flying single-engine, propeller-driven aircraft. The tallest structures are typically the cooling towers, which, he pointed out, would be an unlikely target because their destruction would yield little to nothing in terms of consequences.

One indication that more organizations are making risk assessment a priority for their staffs is the increase in requests for services that companies such as Veridian have experienced since September 11, said Jopeck, who, when at the CIA, was a developer and lead instructor of its Analytical Risk Management training program. The number of students who have signed up for the security risk analysis and risk management courses that he teaches for Veridian have increased since the terrorist attacks. So has the demand for providing threat, vulnerability, and risk assessments for the critical infrastructure of the U.S., and providing intelligence and antiterrorism analysis services for various police departments. Local, state, and federal agencies are also sending employees to take the courses, Jopeck explained. Registrants for these kinds of courses usually have to be vetted, he said.

Northrop Grumman, too, is in the process of developing protocols that can be used by agencies responding to terrorist attacks, said Ron Pirich, a technical manager responsible for chemical and biological warfare at the company's Advanced Early Warning and Electronic Warfare Integrated Systems unit.

Gaining an understanding of terrorist organizations combined with some standard risk factors will help engineers determine where counterterrorism applications must be made. But when it comes to communications, Parsons counterterrorist Madenburg expects some of those applications to run counter to the culture of the technical world.

The greatest impact of September 11 that Madenburg envisions will occur in the open, collaborative nature of the global technical community, which, on the whole, will have to be more wary. Although the advent of the Web and e-mail speeded the distribution of information, it also widened the circle of sharing by making multiple distribution both easy to do and difficult to police. Engineers and scientists, in particular, will have to become "more responsible in the disclosure of information," Madenburg said. "If someone asks for plans, you don't have to send them everything."

An Open Community Closes

Scrutiny—not only of whom but what is allowed into a construction site—is paramount, Madenburg said, because that's when a project can be most vulnerable. "That's when your guts are open," he explained. Engineers also have to acquire an appreciation for security needs at the operational level, he added. Those operating switching gear at power plants or the floodgates of a dam, for example, should have security clearance. Like standards for risk assessment, standards for proficiency and design from a perspective of operational security would also help engineers remain aware, he said.

Even Madenburg, whose near decade-long involvement with counterterrorism projects had already made him cautious about sharing information, went into higher alert after September 11. Since then, he said, "I'm more careful in what I say" and to whom.

The door to technical sharing began closing almost immediately after September 11, engineers said. Soon after the attacks, information about bridges, gas pipelines, power plants, and other elements of the U.S. infrastructure, which had been put on the Web by various government agencies for educational purposes, disappeared from the Internet and is unlikely to be restored, they said. In its June 2002 report on "National Energy Security Post 9/11," the United States Energy Association suggested "limited, specific exemptions from the Freedom of Information Act for certain sensitive information shared by the private sector and the federal government" to ensure that "highly sensitive information not be compromised or allowed to fall into the wrong hands." And engineers and security experts interviewed for this article were often reluctant to speak in more than generalities about counterterrorism efforts.

The Memorial Tunnel Program in West Virginia creates rescue scenarios, such as this one, which are used to train people responding first to emergencies caused by accident, nature, or terrorism.

This newfound awareness regarding risk and its management will benefit technology development, engineers said, not just in creating new technologies, but in identifying new applications for existing tools. Just as medicines have been found to combat physical illnesses they weren't created to treat, so engineers have begun to explore new counterterrorism applications for existing or even discontinued technologies.

Finding a new use for an existing technology is how Madenburg became involved in counterterrorism in the first place. In 1995, when terrorists in Japan released the deadly nerve gas, sarin, in a Tokyo subway, Madenburg had just finished work on a fire ventilation project in West Virginia, the Memorial Tunnel Program. In that project, an abandoned highway tunnel was refitted to serve as a facility to test fire, smoke, and ventilation systems. After the sarin attack and interest in combating such a weapon grew, Madenburg realized that the technology in the test facility could also be used to deal with gas attacks by terrorists. Spurred by Madenburg's vision, the facility operates today as the Center for National Response. Under the U.S. Department of Defense, it is an exercise training facility in consequence management and counterterrorism for those responding first to weapons of mass destruction.

Staying ahead of terrorism, on an engineering level, will require engineers to perform continual risk assessment as technology advances and new applications for existing technology are practiced, Meyer said. Ultimately, though, when it comes to preventing another September 11, he said, engineers will only be able to design against and manage for the risks they expect. They won't be able to eliminate the possibility of risk entirely.

Still, in a world that was painfully awakened a year ago to the possibility of terrorism's creeping and extensive reach, the fundamentals of risk assessment and management may prove a powerful counter to terror because they are tools that can be wielded anytime by anyone. When air travel resumed days after the terrorist attacks, the decision by many people to avoid flying was an act of risk assessment and management on an individual level, Meyer said. So was an earlier decision, by the passengers aboard United Airlines Flight 93, to storm the cockpit and overwhelm the hijackers once their intent was understood.

"We're all managing risk," Meyer said. "Every single person does it. They just didn't know they could."

Emily M. Smith is managing editor of ASME NEWS.