Target Analysis and CARVER2 (infrastructure protection, infrastructure security)

Roosters and security personnel have the same problem: When danger threatens, be it the fox slipping under the wire or terrorists trying to enter the country with a dirty bomb, both rooster and security manager must decide what is most important to protect.

In reality, fiscal and physical resources for infrastructure protection are limited. As noted recently by Michael Chertoff, secretary of the U.S. Department of Homeland Security (DHS), it's not possible to protect everything against everything without bankrupting the country. Choices must be made; some areas and people will be protected, and some will not. And a process called target analysis will help identify the optimum protection plan.

S I D E B A R

Spell It Out

The traditional target analysis methods are used to determine an area or agency's optimum protection plan.

CARVER: Criticality, Accessibility, Recoverability, Vulnerability, Effect/Espyability (Notoriety), Redundancy/Recognizability

MSHARPP: Mission, Symbolism, History, Accessibility, Recognizability, Population, Proximity of secondary/collateral targets

PSRAT: Port Security Risk Assessment Tool

Few civilian personnel are fully trained in target analysis techniques, which can sometimes cause headaches and financial strain on agencies needing to assess attack or defense strategies, but a new tool is making this assessment a little bit easier.

Playing the Game
Target analysis is the system that an attacking force uses to decide on the method and locality to maximize the attack's effectiveness with minimum cost -- in personnel losses, fiscal resources or both. Defenders, or security personnel, also use target analysis to identify the same factors an attacking force might use to better prepare countermeasures.

This "game" between attackers and defenders has always existed, and presented the same problem to the captain of the guard in 12th Century Venice when the Doge asked him to defend the harbor against the Genoa fleet, as it does to modern day DHS personnel who must make decisions as to what infrastructures are most important to the nation.

As such, it is imperative to have a standard method to determine how to best manage the available protection resources so they are applied in the most useful and efficient manner.

Conducting Analysis
There are several well-known, traditional planning programs to conduct a target analysis. Among these are CARVER, MSHARPP, PSRAT, and the myriad risk assessment methodology (RAM) programs. Which of the specific techniques to use is often a matter of a "Coke vs. Pepsi" argument.

However, probably the best known and most widely used of these schemes is the CARVER -- Criticality, Accessibility, Recoverability, Vulnerability, Espyability (Notoriety) and Redundancy -- process.

The CARVER technique identifies the factors, listed above, that are known as important in protecting infrastructures. The various attack scenarios are rated against the noted factors in a grid, and the goal or scenario with the highest additive score is deemed the most likely to succeed and/or achieve the desired goal. Attack or defense plans are then made using the identified attack possibilities. For example, if an attacking force wanted to prevent a drawbridge from being used, they could employ any of several scenarios using the CARVER grid system (i.e. blowing up from underneath, blowing up from a vehicle on a roadway, destroying the electric lift mechanism, etc.).

After comparing each scenario with the factors noted above, the attacking force would identify the attack that produced the desired result with the least effort and/or most chance of success by weighing the point scores for each type of attack.

Traditional Methods
There are several drawbacks to the aforementioned traditional methods of target analysis, the first of which relates to the "Maginot Line" syndrome -- named for the series of forts and defensive positions built by the French in the wake of World War I to defend against a German invasion in World War II.

Unfortunately for the French, they built their defensive line so that it was static and could only protect against an attack from the East. The Germans, however, understood the problem -- presumably via target analysis -- and attacked from the North, thus easily defeating the premise of this defense plan.

This situation highlights the problem that an attack scenario is limited only by the attacker's imagination. If one develops a defensive plan using CARVER, or any other program, and believes the site is fully protected against all perils, then he or she may be very wrong.

The best examples of this are the remarks attributed to a spokesman for the Irish Republican Army (IRA) after the detonation of a bomb in a hotel in Brighton, England, that destroyed the hotel, but failed in the attempt to kill then-Prime Minister Margaret Thatcher. The IRA spokesman is said to have told the British security services, "Remember, we only have to be right once, you have to be right every time."

Having noted the above, however, target analysis schemes are great at identifying the most likely scenarios of attack and/or weakness, and are the backbone of any defensive scenario. Using the information learned from target analysis is vital toward hardening any given target.

The second problem with these procedures is they require technical expertise in conducting the target analysis through site survey -- knowledge of the target analysis process and general knowledge about "standard" vulnerabilities of any type of facility/human factor, or weakness that can impact facility protection, the preferred method of attack, etc. -- and knowledge of the specific infrastructure's weaknesses, vulnerabilities and critical operations. In other words, the person performing the target analysis must know both about attack scenarios and the specifics of any type of infrastructure.

In addition, for those who must make decisions as to which infrastructures are more "important" to protect, the traditional target analysis schemes do not cross-relate to different types of infrastructure, or to DHS defined sectors, such as water versus electricity versus health care, etc. Essentially the scenarios identified for each infrastructure are unique and of little value in determining where to spend limited resources to have the most impact on all the infrastructures within one's purview. Thus, the numbers developed for one's hospitals do not relate to the electric grid or road system, etc.

Few Experts
It is estimated that in the U.S. there are fewer than 1,000 -- and probably fewer than 500 -- civilian personnel fully trained in traditional target analysis techniques. This problem is best illustrated by comments from a vendor of target analysis programs who stated, "It is an expert program to be used by experts."

The lack of "experts" in the U.S. is a problem. Large cities may have someone trained in target analysis, but most localities do not, and would be forced to pay a "consultant" to conduct the surveys. Every dollar spent on consultants is one less dollar that can be spent on actual target protection plans and equipment.
In an effort to turn these numbers around, the National Infrastructure Institute-Center for Infrastructure Expertise (NI²-CIE) developed a PC-based software program in May 2003 that allows those charged with the protection of multiple assets to identify the relative "worth" of each asset, and to rank and rate these assets across sector lines.

This program, CARVER2^® (C2), alters the traditional CARVER analysis in a way that forces the user to ask the same security questions about all assets regardless of sector type. In addition, C2 is non-technical, uses only open source information, and is designed for use with less than one hour of training. C2 is designed for non-specialists, and uses only information that is in the public domain and is easily understood.

C2 has also been designed to identify the inter-relationships between various infrastructures. For example, if a bridge were lost in the transportation sector, any electric lines in the energy sector or aqueduct in the water sector that ran under the bridge would be lost as well.

C2 also can be used when doing an analysis based on a structural attack, including natural hazards or during a chemical or biological attack. C2 is being used in a variety of forms by literally hundreds of localities in the U.S. and foreign (NATO) countries.

C2 should not be considered a replacement for traditional target analysis. For example, C2 can identify the most important infrastructure in a community, but it will not identify the best method to protect it. If, in this example, the reservoir dam, hospital and river crossing bridge were identified as the most important infrastructures, that community could then spend its homeland security funds wisely in a "true" target analysis of those places -- dam, hospital, and river crossing bridge that really matter to that locale.

C2 should be thought of in relation to a medical exam. When you first arrive, basic information concerning height, weight, blood pressure, respiration sounds, etc. are recorded. Only when some problem may be identified are the high tech procedures (MRI, CAT scan, etc) employed. C2 is the basic exam and will identify, rank and rate critical infrastructures. The exact method of protection will be determined by the more technical traditional target analysis procedures.

Creating a Standard
Use of C2 means there is a standard by which emergency managers and security personnel can make honest decisions regarding the relative worth of any infrastructure. Thus the information from Manchester, N.H., and Manchester, Tenn., for example, can be compared by the DHS, as each city would be conducting a target analysis using common and comparable rating factors. However, each community is prohibited from seeing data outside their purview.

C2 is also designed to be self-validating as the generated reports show the numerical range of scores for infrastructures. For example, security personnel could quickly recognize that something was amiss if the score from a particular community's dam was vastly different from other communities of similar population.

Population is a very determinate factor in C2. A community of 10,000 people will never have the assets of New York City, but using C2, one can intelligently and fairly compare the needs of one area with needs of similar size areas, as well as identifying the most important facilities in each locale.

The clear and cogent reports produced by C2 are easily understood, and require no math calculations or engineering analysis by the user.

C2 Enhanced
The original version of C2 has been available since May 2003, but in September, a client/server version of C2 was released.

This version, CARVER2web^TM (C2W), is designed for installation on a Windows XP PC (client) where it can run in standalone mode, but also installed on a Microsoft server. In this manner, multiple users can upload data from their laptops onto the server via the organization's Intranet. Thus, the homeland security manager for an entire state can have all the data for every community in his or her state in a central database.

As with C2, C2W should not be considered a replacement for traditional target analysis, but as a primary assessment tool for an area's critical infrastructures.

The Web version also includes GPS/GIS mapping capabilities via use of U.S. Geological Survey maps and/or proprietary mapping programs being used by some states. The user can pinpoint infrastructures on a map, or manually input the GPS locale and have the data recorded.

Plans for future enhancements include photo imbedding via GPS mapping of pictures from cell phones.

CARVER2 is available free to any state, local, regional, other community government entity, or military organization that makes a request to the National Infrastructure Institute Web site via e-mail at carver2web@ni2.org. C2W may also be obtained without charge by educational institutions, research centers or other non-profit organizations.