Wednesday, March 19, 2025

Single Point Vulnerabilities and Mission Failure of Critical Facilities

The proverbial Achilles Heel of critical facilities is typically our own doing

In 1986, Gary Larson drew a cartoon of a huge woolly mammoth lying upturned with a single small arrow sticking out of its belly, while a caveman wearing a leopard skin says to another caveman, “Maybe we should write that spot down.” The cartoon captures the essence of a single point vulnerability (SPV): the one thing that can cause mission failure, in this case for the mammoth. Vulnerability experts often describe it as the one switch in a facility that, if flipped, can cause the whole mission to fail.

We take risks every day in our personal and professional lives, and we try to mitigate risk, but few appreciate that risk is the product of threat, vulnerability, and criticality. A recent terrorist attack occurred early in the morning of New Year's Day 2025 in New Orleans, when a radicalized person (threat) driving a pickup truck sought to kill as many innocent people (criticality) as possible. To mitigate risk to those visiting Bourbon Street, the city each day installs short, thick posts called “bollards” as barriers to keep vehicular traffic out during times of high pedestrian density in the area. However, the terrorist found a physical gap (vulnerability) and squeezed a full-sized rented pickup truck through it to gain access to the area. The spike in the vulnerability and threat components of the risk equation caused the risk to skyrocket. In a matter of seconds, all the other security actions taken in the area to reduce vulnerabilities were for naught: 14 people were killed and dozens injured. That truck-sized gap was the SPV that caused mission failure from a physical infrastructure perspective. Interestingly, Reuters reported that New Orleans was in the process of installing new bollards, but even so, the new bollards would not stop a vehicle going over 10 miles per hour. i Reuters was pointing out that New Orleans seemed to be prioritizing the ease of periodic bollard installation over the bollards' crashworthiness and the protection of pedestrians. ii

As starkly as the example above illustrates how a SPV can cause mission failure, in this case loss of life, the impact of SPVs within critical facilities can be even more dire and often has far-ranging implications. The following are non-attributable examples from non-U.S. facilities that have since been decommissioned. These generalized examples illustrate how a SPV could have caused mission failure while the facilities were in operation.

  • Homemade ramps were semi-permanently installed to ease the daily delivery of food over a door threshold into the facility. The ramps were left in place for months at a time and created a SPV, as the protective facility doors would not fully shut if automatically triggered by a catastrophic detonation. The resulting blast wave would have breached the facility, causing injury and death and rendering mission equipment useless. This SPV occurred due to shortcuts to ease operations and a lack of understanding and oversight, which drove up the vulnerability and the facility’s overall risk.
  • A hardened mission space was compromised by an unauthorized hole drilled to feed a coaxial cable through so that mission staff could watch a sporting event on a flat screen television during their shift. The hole created a SPV, as an electromagnetic energy burst would easily render the internal mission equipment useless. This SPV occurred due to operational procedure violations and a lack of understanding and oversight, which drove up the vulnerability and the facility’s overall risk.
  • An overheating computer facility required doors to be propped open to allow greater cooling, which ran counter to the operational procedures meant to protect the facility. It was discovered that the overheating was caused by a general lack of maintenance and by equipment blocking the facility air intakes, which compromised the facility’s cooling efficiency. The propped doors created a SPV, as an electromagnetic energy burst would have breached the facility and rendered the mission equipment useless. This SPV occurred due to shortcuts to ease operations, a lack of understanding and oversight, and a lack of funding to find an expedited fix, which drove up the vulnerability and the facility’s overall risk.
  • A passive blast valve that protected a facility from the overpressure of a catastrophic blast wave was removed for maintenance, and a readily available thick steel plate blank was not installed in its place. The open space left by the missing blast valve and uninstalled plate blank created a SPV. The SPV would have allowed a blast wave to breach the facility, causing injury and death and rendering mission equipment useless. The open space would also have allowed an attacking force to easily enter the facility and destroy its mission function. This SPV occurred due to operational complacency, poor maintenance procedures, and a lack of oversight, all of which resulted in an increase in vulnerability and the facility’s overall risk.
  • Collocated utilities in a single facility room included air ventilation, the electrical power feed, communication lines, and water for cooling. The collocated utilities created a SPV, as an emplaced blast charge could destroy the vital mission support equipment. The collocation occurred due to a poor initial design, which drove up the vulnerability, and a change in threat posture over time, which drove up the threat level. All of this resulted in an increase in the facility’s overall risk. The importance of the facility’s mission had also grown, resulting in an increase in criticality and the facility’s overall risk.
  • A collocated diesel generator, fuel tank, transformer, evaporative cooler, and communication equipment were all grouped outside a facility, where they were easily accessible by vehicles in a parking lot. The collocated equipment created a SPV, as an emplaced blast charge or ramming by a large vehicle could damage or destroy vital mission support equipment. The collocation occurred due to a poor initial design, which drove up the vulnerability, and a change in threat posture over time, which drove up the threat level. All of this resulted in an increase in the facility’s overall risk.

Understanding the interplay of vulnerability, threat, and criticality in terms of the risk equation hopefully points to the importance of identifying and mitigating SPVs in critical facilities. Constant vigilance is needed to identify new or changing facility vulnerabilities in order to maintain the desired acceptable risk and to ensure SPVs have not been created. When facility vulnerabilities spike, the easiest way to maintain a desired risk level is to lower the threat through actions like more detailed screening of credentials, pushing back or enhancing facility access barriers, and showing a greater security posture, just to name a few. When facility vulnerabilities spike, reducing criticality can be more challenging, as it may require installing redundant primary and support mission equipment, which often has large budgetary impacts. However, mission execution can, for example, be decentralized to other areas to reduce the criticality and overall facility risk.

The importance of constant vigilance in maintaining the desired risk level for a critical facility cannot be overstated, as threats, vulnerabilities, and criticalities change over time. Periodic, in-depth risk assessments and mitigations are essential, and are often best done by unconflicted outside teams, to ensure facility risk is acceptable and the mission can be achieved now and into a more uncertain future.

The author is responsible for the content of this article. The views expressed do not reflect the official policy or position of the National Intelligence University, the Office of the Director of National Intelligence, the U.S. Intelligence Community, or the U.S. Government. 

References:

i Thevenot, B., Kirkham, C. “Exclusive-New Orleans’ planned new Bourbon Street barriers only crash-rated to 10 mph.” Reuters. January 5, 2025. Accessed January 15, 2025.

ii Thevenot, B., Kirkham, C. “Exclusive-New Orleans’ planned new Bourbon Street barriers only crash-rated to 10 mph.” Reuters. January 5, 2025. Accessed January 15, 2025.

Mitchell Simmons
Dr. Mitchell E. Simmons, Lieutenant Colonel, United States Air Force (Retired) is the Associate Dean and Program Director in the Anthony G. Oettinger School of Science and Technology Intelligence at the National Intelligence University in Bethesda, Maryland. Dr. Simmons oversees three departments consisting of five concentrations—Emerging Technologies and Geostrategic Resources; Information & Influence Intelligence; Counterproliferation; Cyber Intelligence; and Data Science Intelligence. He teaches courses in Intelligence Collection, National Security Policy and Intelligence, and Infrastructure Assessment Vulnerability, the latter course being part of a Homeland Security Intelligence Certificate program popular with students from the Department of Homeland Security and other agencies. Dr. Simmons has almost 30 years of experience in acquisition, engineering, program management, intelligence, and infrastructure vulnerability assessment within key agencies to include National Reconnaissance Office, Defense Threat Reduction Agency (DTRA), Office of the Director of National Intelligence, and multiple tours with the Defense Intelligence Agency (DIA). His technical expertise includes physical and functional vulnerability of critical infrastructure from conventional explosives, nuclear, ground forces, and asymmetric threats. Dr. Simmons’ niche expertise is the exploitation of hard and deeply buried targets and he has personally collected intelligence in dozens of strategic facilities in overseas locations to include South Korea, Norway, Italy, United States, and Iraq. He participated in targeting and weaponeering recommendations for operations Southern Watch, Northern Watch, Enduring Freedom, and Iraqi Freedom. Dr. Simmons is widely published in the classified and unclassified realm and his products have seen diverse readership, to include the national command authority and combatant commands. 
He is the author of the definitive DoD manual, published by DTRA entitled “Hard Target Field and Assessment Reference Manual” used to educate and drive intelligence collection of this important target set. He is also the co-author of DIA’s definitive Battle Damage Assessment Handbook and has participated in a study by the National Academic of Sciences, Engineering, and Math, entitled “Assessing the Operational Suitability of DOD Test and Evaluation Ranges and Infrastructure.” Dr. Simmons holds a B.S. and M.S. in Mechanical Engineering from Ohio University, a M.S. from Central Michigan University which focused on human motivation, and a Ph.D. in Engineering Management from The Union Institute and University which focused on human and organization behavior.
