National Research Council report on security at federally managed dams

WASHINGTON -- Since the terrorist attacks of 2001, the Bureau of Reclamation (BOR), which operates and manages dams that provide water and power to millions of people, has invested significant resources in security and is better able to protect its facilities and personnel, says a new report from the National Research Council. However, BOR needs better communication among security staff, regional and area office staff, and local law enforcement personnel; security plans that are designed to meet realistic, site-specific threats; and more consistent support within the organization. The bureau should take a more strategic approach to its security program and develop a long-term plan that addresses policy, programmatic, and resource issues, said the committee that wrote the report.

There are approximately 80,000 dams in the U.S. today, many of which would become significant hazards if they should fail. Of these, BOR operates and manages 479 dams and dikes in 17 states, including five national critical infrastructure facilities: Hoover, Grand Coulee, Folsom, Shasta, and Glen Canyon dams. Because of the wide geographical region serviced, BOR has a largely decentralized organizational structure and relies on partnerships with local contractors and regional and area office staff for day-to-day dam operations. In contrast, the security system put in place after Sept. 11, 2001, is centralized in the Security, Safety, and Law Enforcement Office, located in Denver. This difference in organizational structures has seriously impeded communications and working relationships between the Denver-based security staff and the regional and area BOR personnel (see findings 17-21).

The decentralized operations of BOR mean that the first responders to a security incident are local law enforcement, although Hoover Dam has an on-site police department and Grand Coulee Dam has a security force trained as first responders. The chain of command during a security-related incident is unclear, says the report, and the proper procedures for security response are not well understood by BOR's regional and area office staff. In addition, the distinction between security and law enforcement is unclear, resulting in ambiguities regarding the use of deadly force during a security-related incident.

Since 2001, BOR has installed cameras, fences, and other design measures; hired security guards at some facilities; closed certain roads that cross dams; and formulated security and threat assessments. However, BOR security has evaluated only a limited number of standard threat scenarios to date. Because BOR's dams are in different settings, the types of threats that facilities can encounter vary. The report says that in the future, BOR should use intelligence-based information to develop site-specific and realistic scenarios for individual facilities.

BOR also has not adequately addressed the threat posed by insiders, including its own staff, facility operators, and contractors. The committee said that security defenses appear "brittle" and "lacking in depth" and could be overridden, allowing an intruder to take control of dam operations. To improve security, BOR needs to implement bureauwide policies regarding site access and the safeguarding of project plans and drawings. The agency also needs to streamline the identity verification process for employees and contractors; regional staff reported that identity checks can take as long as six to eight months.

To create an effective and sustainable security program at BOR, increased staff, expertise, and funding are needed. Folsom Dam, which sits outside of Sacramento, Calif., requires special consideration due to the level of devastation that would occur in the event of dam failure. The committee recognized, however, that increasing resources for security will need to be done in a way that does not compromise other activities that are critical to BOR's primary mission of providing water and power.

The report identifies an uneven commitment within BOR to the development of an effective security program (see finding 22). BOR senior management needs to communicate a consistent commitment to security by incorporating it into the organization's mission and vision statements, and by developing and communicating a plan for a sustainable security program with clear objectives and goals.

Source: National Academy of Sciences