**6. Measures for countering terrorist threats**

**Figure 10.** Dynamic multi-sided terrorist assessment model.

270 Probabilistic Modeling in System Engineering

**Figure 9.** An illustrative example of the influence diagram from the perspective of community authorities.

#### **6.1. Measures aimed at increasing protection of a CES from terrorist threats**

The complexity of modern engineering systems and their interdependence with other systems make them vulnerable to attacks of technological and intelligent terrorism. This complexity stems largely from the vast functional and spatial dependencies and nonlinear interactions between the components of CES as well as from interdependencies that exist among the CESs which enable failures to cascade within one system and pass from one system to another.

Different historical, economic, political, social, as well as cultural traditions have formed different approaches to ensuring safety of complex engineering systems. Contemporary CESs, i.e., power, transport, and telecommunication networks, are becoming transboundary. Their significant spatial extension makes their functioning dependent on many factors and events in different parts of the world. Ensuring the security of CESs is a complex interdisciplinary problem. It cannot be solved without joining the efforts of experts in different fields and taking into account technical, social, psychological, and cultural-historical aspects.

Analysis of major disasters at CES in different countries shows that high-risk engineering systems in many cases are being designed and constructed according to traditional design codes and norms that are based on common and quite simple linear "sequential" risk assessment models and employ traditional design, diagnostics, and protection methods and procedures. This is being done on the assumption that a bounded set of credible design-basis impacts and subsequent failure scenarios could be determined for the CES, thus allowing one to create a system of protection barriers and safeguards that could secure the CES from the identified impacts with required substantially and high probability. This bounded set of impacts, referred to as design-basis impacts, includes normal operation events as well as abnormal events (component failures, human errors, extreme environmental loads, attacks of technological terrorism on CES) that are expected to occur or might occur at least once during the lifetime of the CES.

The currently available approach to ensuring security of complex engineering systems is based on the so-called protection approach that provides for the development of a set of protection barriers against the list of terrorist attack scenarios that were identified in advance. Within this approach, attacks of technological terrorism should be included into the list of design-basis events. To protect CESs from these scenarios of terrorist attacks, the following types of protection barriers should be developed (see **Figure 11**):

• Rigid protection barrier (protection barrier that requires a powerful impact to be broken)

• Functional protection barrier (protection barrier that in case of an accident could take on certain system's functions for a limited time or could prevent an accident from progressing further)

• Natural protection barrier (involves the use of passive natural phenomena and processes aimed at limiting the scales of the accident)

• Security guards

**Figure 11.** Types of protection barriers.

Circles "1," "2," and "3" stand for separate types of protection barriers. Areas of intersection ("1-2," "2-3," "1-3," and "1-2-3") correspond to combinations of the corresponding types of protection barriers. Security guard barrier "4" is organized to ensure protection of all of the above-mentioned barriers ("1," "2," "3," "1-2," "2-3," "1-3," and "1-2-3").

Application of this protection approach allows one to reduce risks of design-basis scenarios of technological terrorism (compare FN curves 1 and 2; **Figure 12**). However, it should be noted that this protection-based approach does not allow one to reduce risk of unforeseen "low-probability-high-consequence" scenarios of intelligent terrorism that could not be included into the list of design-basis events.

In the currently applied protection-based approach, a number of low-probability impacts of extreme intensity are neglected as being practically incredible. Other impacts (such as attacks of intelligent terrorism) are not identified and, consequently, not analyzed. Such impacts are classified as beyond design-basis impacts. Thus, the issue of protection of CES from beyond design-basis impacts has not been addressed in a proper manner. These impacts, however, can cause large-scale disasters of extreme severity and induce tremendous property losses and a great number of victims.

Analysis of Terrorist Attack Scenarios and Measures for Countering Terrorist Threats

http://dx.doi.org/10.5772/intechopen.75099


**Figure 12.** FN curves before and after realization of protection and resilience measures. (1) FN, curve before realization of any measure; (2) FN, curve after realization of protection measures; (3) FN, curve after realization of protection and resilience measures.

#### **6.2. Measures focused on ensuring CES's resilience to beyond design-basis events**

Complex engineering systems are becoming global networks. The currently available methodologies of risk assessment and reliability engineering were developed for technological systems with fixed boundaries and well-specified hazards for which there exist statistical and/or actuarial data on accident initiation events, component failure rates, and accidents' consequences, which allow one to quantify and verify models taking into account uncertainties deriving from both natural variations of the system parameters (and performance conditions) and from lack of knowledge of the system itself.

The protection-based approach is focused on developing safety barriers for countering the identified scenarios of terrorist attacks that were included in the list of design-basis events. This approach, however, has the weakness of neglecting the possibility of beyond design-basis events. To overcome this weakness, a new comprehensive strategy is needed. This strategy should include not only measures aimed at developing protection barriers against design-basis attacks of technological terrorism but also special measures aimed at increasing the system's resilience to future yet-to-be-determined scenarios of attacks of intelligent terrorism (**Figure 13**) [24, 25].

The current accident models and risk assessment techniques such as fault and event tree analysis are not adequate to account for the complexity of modern engineering systems. Due to rapid technological and societal developments of the recent decades, modern engineering systems are becoming steadily more complex. It means that (a) in safety assessments for CES, there are too many details to be considered, and (b) some modes of CES's operation may be incompletely known due to complex nonlinear interactions between components of CES, due to tight couplings among different systems, and because CES and its environment may change faster than they can be described. As a result, it is impossible to describe the performance of CESs in every detail. In other words, for complex engineering systems, it is practically impossible to define a bounded set of design-basis impacts that are expected to occur or might occur at least once during the lifetime of the CES.

**Figure 13.** A new comprehensive approach to ensuring CES's security based on implementation of protection measures and measures for improving resilience of CES.

This problem can be solved by including the concept of resilience in the processes of designing and ensuring the safety and security of CESs [26, 27]. The proposed approach should not be considered as a substitute but rather a supplement to the traditional one. Adopting this view creates a need to move beyond traditional "threat-vulnerability-consequence" models that are limited to analyzing design-basis events and deal with beyond design-basis impacts and impact combinations. This comprehensive approach will be based on such concepts as resilience to provide more adequate explanations of accidents as well as identify ways to reduce risks caused by beyond design-basis impacts.

In other words, the new security paradigm for complex engineering systems should focus the efforts not only on development of protection barriers and safeguards against design-basis accidents but also on increasing the CES's resilience toward beyond design-basis impacts (**Figure 13**).

The CES's resilience is the capacity of the system potentially exposed to hazards to adapt, by resisting or changing in order to reach and maintain an acceptable level of functioning. This is determined by the degree to which the CES is capable of organizing itself to increase its capacity, of learning from past disasters for better future protection, and of improving risk reduction measures.

**Figure 14** presents the so-called resilience profile of the system: a powerful beyond design-basis event (BDBE) occurs at the time moment *t*<sup>∗</sup>, resulting in a slump of the system's performance characteristic *Q*, which recovers at the time moment *t*<sub>rec</sub>. The ratio of the area *F*<sub>e</sub> of the figure BDEF, which lies under the curve of the CES's performance characteristic in the period between the time moment *t*<sup>∗</sup>, when the beyond design-basis event occurs, and the moment *t*<sub>rec</sub>, when the system returns to its normal operation level, to the area *F*<sub>n</sub> of the rectangle ADEF can be considered as a quantitative measure of the system's resilience [26, 28]:

$$\text{Res} = \frac{F_e}{F_n} = \frac{\int_{t^*}^{t_{rec}} Q(t)\,dt}{(t_{rec} - t^*) \cdot Q_n} \times 100\% \tag{7}$$

**Figure 14.** Resilience profile of CES.

Two groups of measures aimed at increasing the CES resilience can be identified:

• Measures focused on reducing the duration of the outage Δt (**Figure 15b**)

• Measures focused on reducing the severity of the outage ΔQ (**Figure 15a**)
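Equation (7) and the two groups of measures can be checked numerically. The following Python code is an added example, not code from the chapter: the piecewise-linear profiles, the numeric values and the function names are constructed for illustration, and *Q*<sub>n</sub> is taken to be the normal performance level.

```python
"""Added example: Eq. (7) evaluated on constructed resilience profiles."""


def outage_profile(t_star, q_n, q_min, hold, ramp):
    """Constructed Q(t): slump to q_min at t*, hold, then linear recovery.

    Returns (times, q) from t* to t_rec = t* + hold + ramp. The shape is an
    assumption of this example, not a profile taken from the chapter.
    """
    if q_n <= 0 or not (0 <= q_min <= q_n) or hold < 0 or ramp <= 0:
        raise ValueError("need q_n > 0, 0 <= q_min <= q_n, hold >= 0, ramp > 0")
    times, q = [t_star], [q_min]
    if hold > 0:  # skip the plateau point when recovery starts immediately
        times.append(t_star + hold)
        q.append(q_min)
    times.append(t_star + hold + ramp)
    q.append(q_n)
    return times, q


def areas(times, q, q_n):
    """Return (F_e, F_n): area under Q(t) on [t*, t_rec] and rectangle area."""
    if len(times) != len(q) or len(times) < 2:
        raise ValueError("need matching samples with at least two points")
    if any(b <= a for a, b in zip(times, times[1:])):
        raise ValueError("sample times must be strictly increasing")
    if q_n <= 0:
        raise ValueError("normal performance level Q_n must be positive")
    # Trapezoidal rule; exact for piecewise-linear profiles.
    f_e = sum((t1 - t0) * (q0 + q1) / 2.0
              for t0, t1, q0, q1 in zip(times, times[1:], q, q[1:]))
    f_n = (times[-1] - times[0]) * q_n
    return f_e, f_n


def resilience(times, q, q_n):
    """Res from Eq. (7), in percent."""
    f_e, f_n = areas(times, q, q_n)
    return 100.0 * f_e / f_n


def compare_measures():
    """Baseline outage versus one measure from each group (constructed values)."""
    q_n = 100.0
    scenarios = {
        "baseline": outage_profile(0.0, q_n, q_min=20.0, hold=10.0, ramp=10.0),
        # Group "reduce severity": smaller drop, same outage duration.
        "reduced severity": outage_profile(0.0, q_n, q_min=60.0, hold=10.0, ramp=10.0),
        # Group "reduce duration": same drop, faster response and recovery.
        "reduced duration": outage_profile(0.0, q_n, q_min=20.0, hold=2.0, ramp=6.0),
    }
    report = {}
    for name, (times, q) in scenarios.items():
        f_e, f_n = areas(times, q, q_n)
        report[name] = {"res_percent": 100.0 * f_e / f_n,
                        "lost_area": f_n - f_e,
                        "outage": times[-1] - times[0]}
    return report


if __name__ == "__main__":
    for name, row in compare_measures().items():
        print(f"{name:17s} Res={row['res_percent']:5.1f}%  "
              f"Fn-Fe={row['lost_area']:7.1f}  outage={row['outage']:4.1f}")
```

Because Eq. (7) is normalised by the outage length, the example also reports *F*<sub>n</sub> − *F*<sub>e</sub>, the absolute performance lost, which the ratio alone does not show.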


**Figure 15.** Measures to increase CES resilience. (a) Reduction of the outage severity. (b) Reduction of the outage duration.

As previously stated, due to the complexity of modern engineering systems and their potentially large-scale catastrophes, in order to ensure security of such systems, one needs to move beyond the traditional design-basis risk management framework. The new paradigm needs to be focused on increasing CES's resilience (**Figure 13**). That means that if the beyond design-basis accidents are to be considered, the scope of the analysis should be widened. Security-related efforts should be focused not only on the development of protection barriers and safeguards from a predetermined (postulated) set of design-basis attacks of technological terrorism but also on an additional set of measures aimed at increasing complex engineering system resilience that would prevent catastrophic failure and long-term dysfunction of CESs in case of beyond design-basis attacks. Application of such a comprehensive (protection- and resilience-focused) approach allows one to reduce risks of beyond design-basis scenarios of intelligent terrorism (compare FN curves 2 and 3; **Figure 12**).
