Security of Flood Defenses 9783110622577, 9783110620610

Citation preview

Jos de Lange Security of Flood Defenses

Integrated Security Science

Edited by Genserik Reniers, Nima Khakzad, Pieter Van Gelder

Volume 2

Jos de Lange

Security of Flood Defenses

Author Jos de Lange TU Delft Faculty of Technology, Policy and Management Jaffalaan 5 2628 BX Delft The Netherlands

ISBN 978-3-11-062061-0 e-ISBN (PDF) 978-3-11-062257-7 e-ISBN (EPUB) 978-3-11-049776-2 ISSN 2367-0223 Library of Congress Control Number: 2019933229 Bibliographic information published by the Deutsche Nationalbibliothek The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data are available on the Internet at http://dnb.dnb.de. © 2019 Walter de Gruyter GmbH, Berlin/Boston Typesetting: Integra Software Services Pvt. Ltd. Printing and binding: CPI books GmbH, Leck Cover image: POOL / Auswahl / AFP / gettyimages.com www.degruyter.com

Preface Security risk assessment (SRA) is the foundation of the security risk management (SRM) system since management cannot make optimal decisions when not informed of security risks. SRAs done effectively blend with accidental risk assessments to find optimal solutions to achieve higher levels of performance in (chemical) safety and security. These were the opening remarks of David A. Moore, PE, CSP in volume 1 Security Risk Assessment in the Chemical and Process Industry of the De Gruyter Integrated Security Science series. Although targeted at the chemical and process industry, the SRA methods described in that book hold universal value and can be applied in any security-risk-prone environment. This second volume in the Integrated Security Science series is proof of that since it elaborates on the methods described in the first volume, but is situated in a totally different setting – namely, that of the large flood defense systems that protect low-lying areas from the sea, or higher country from river floods. This book is based on an exploratory study into the security risks of major flood defenses in the Netherlands and elsewhere. This study was made possible by both LDE and DSyS. The Centre for Safety and Security | Leiden•Delft•Erasmus (LDE) is a collaboration between Leiden University, Delft University of Technology, and Erasmus University of Rotterdam. The Delft Safety and Security Institute (DSyS) is the “local” LDE counterpart at Delft University of Technology. TU Delft is world renowned for its water management and engineering skills. In addition to safety aspects, it is only logical that security aspects should also be taken into account when looking at water management and flood defense designs. The study and this resulting book took much more time than had been anticipated. The underlying study took more than two years, partly because of a serious flying accident. I thank the director of DSyS, Prof. Pieter van Gelder, for his patience and support. I would also like to thank the Scientific Review Board of LDE for making research funds available to make this project possible. Special thanks also to my colleague, DSyS coordinator Bas Kolen, who pointed me to perspectives that make the book interesting for a wider audience. Jos de Lange LL.M, MPA, EMFC Delft, December 2018

https://doi.org/10.1515/9783110622577-201

Contents Preface 1 1.1

V

1.2 1.3 1.4 1.5 1.6 1.7

Introduction 1 Vulnerability of water management and flood protection systems 1 What is this book about? 1 Flood security research project 2 Considerations 2 Scenario analysis 3 Scientific, military, and professional approaches 3 The Netherlands – location of many types of flood barriers

2 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11

Summary 5 History of flood defenses and flood barriers Vulnerabilities of flood defenses 6 Modern flood barrier constructions 7 Storm surge barriers 8 Flood defenses in defensive strategies 10 Flood defenses in offensive strategies 11 Vulnerabilities of flood defenses 12 Calculating security risks 14 Terrorism threat against flood surge barriers Conclusions 18 Recommendations 20

3 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.7.1 3.7.2 3.7.3 3.8 3.8.1 3.8.2 3.9

History of flood defenses in the Low Countries 21 2,000 years ago 21 Historic flood defenses 22 Historic sluices 23 Development of pound locks 24 Levee breaches and floods, Middle Ages to 1900s 25 1916–1932, Zuyder Zee flood defenses 27 Levees, dams, and water locks, safety-related observations 28 Levee constructions are vulnerable 28 River entrances and sluices interrupt a flood defense 29 Flood defense vulnerability table 29 Levees, dams, and locks, security-related observations 31 Levee systems and security risks 32 Vulnerable spots in a system imply security risk 32 Conclusions 33

4

5

16

VIII

Contents

4 4.1 4.2 4.3 4.4 4.4.1 4.4.2 4.4.3 4.5 4.5.1 4.5.2 4.5.3 4.5.4 4.6

Delta Plan flood defense 34 1953 Flood Disaster 34 Delta Plan flood defenses 35 Three Islands Plan, Haringvliet dam 35 Delta Plan, safety-related observations 38 New flood barrier constructions relate to new safety risks Moving parts imply increase of safety risks 39 Flood defense safety risk table (extended) 40 Delta Plan, security-related observations 40 Security assessment of levees and dams 40 Security assessment of flood barriers 42 Hollandse IJssel Storm Surge Barrier, security risks 43 Delta Plan safety and security risk matrix 44 Conclusions 44

5 5.1 5.2 5.3 5.4 5.5 5.5.1 5.5.2 5.5.3 5.5.4 5.6 5.6.1 5.6.2 5.6.3 5.6.4 5.6.5 5.7

Storm Surge Barriers 47 Eastern Scheldt Storm Surge Barrier 47 Maeslant Storm Surge Barrier 48 Hartel Storm Surge Barrier 49 Ramspol Bellows Weir Storm Surge Barrier (2002) 50 Storm surge barriers, safety-related observations 52 Eastern Scheldt and Haringvliet Storm Surge Barriers 52 Maeslant Storm Surge Barrier 52 Hartel Storm Surge Barrier 52 Ramspol Bellows Weir 53 Storm surge barriers, security-related observations 53 Eastern Scheldt Storm Surge Barrier 54 Maeslant Storm Surge Barrier 54 Hartel Storm Surge Barrier 55 Ramspol Bellows Weir 56 Delta Plan dam and flood barrier overview 58 Conclusions 59

6 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8

Flood barriers in defensive strategies 61 Fifteenth century: brick walls and water for defense 61 Sixteenth century: Dutch earth and water fortresses 62 Flooding as a first line of defense 63 Dutch water defense lines 63 Amsterdam water defense line 64 Water defense lines, safety-related observations 66 Water defense lines, security-related observations 66 Conclusions 67

39

Contents

7 7.1 7.2 7.3 7.4 7.5 7.6 7.7

Flood defenses in offensive strategies 68 Flood defenses and violent actions 68 Physical attacks on dams (2001–2011) 69 Attacks on dams and levees in Europe 69 Dam Buster attacks in 1943 70 Attack modes and attack-types table 71 Offensive strategies, safety and security observations Conclusions 73

8 8.1 8.1.1 8.1.2 8.1.3 8.1.4 8.1.5 8.1.6 8.1.7 8.1.8 8.2 8.2.1 8.2.2 8.2.3 8.2.4 8.3 8.3.1 8.3.2 8.3.3 8.4 8.4.1 8.4.2 8.4.3 8.4.4 8.5 8.5.1 8.5.2 8.5.3 8.6 8.6.1 8.6.2 8.7

Systematic analysis of flood barrier technologies 74 Flood defense categories 74 Types of primary flood defenses 75 Vulnerabilities of dams and levees 76 Sheet pile levee reinforcement 77 Concrete levees or flood walls 77 Security lessons 78 Dam and levee vulnerability table extended 78 Dams and levees attack-type table 79 Dams and levees: security implications 81 Hydraulic structures 82 Navigation locks 82 Vulnerabilities of lock constructions 83 Navigation lock attack-type table 84 Navigation locks: security implications 88 Flood barriers in secondary flood defenses 88 Guillotine-shaped flood barriers 89 Guillotine-shaped flood barriers, vulnerabilities 91 Guillotine-shaped flood barriers, attack-type table 93 Visor-shaped flood barriers 94 Neder-Rijn visor weirs (Driel, Hagestein, and Amerongen) Thames Barrier 97 Visor-shaped flood barriers, vulnerabilities 99 Visor-shaped flood barriers, attack-type table 99 Flood barriers with sector gates 101 St. Petersburg sector gate flood barrier 101 Flood barriers with sector gates, vulnerabilities 102 Flood barriers with sector gates, attack-type table 103 Flood barriers and computer technology 104 Hacking of flood barrier systems 106 Barrier operating systems, vulnerabilities 106 Conclusions 106

72

96

IX

X

Contents

9 9.1 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 9.10 9.11

Calculating security risks 108 Flood defense system approach 108 Risk and probability 109 Flood defenses and normal risks 110 Cascading risks, bowtie model 111 Swiss Cheese model 114 Exploring the bowtie input side 115 Determining relative vulnerabilities using numbers 118 Attack fault tree analysis 125 The “(man-portable) explosive device” attack scenario 126 Chemical plant protection scenario 128 Conclusions 130

10 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8

Terrorism threat and flood defenses 133 A definition of terrorist attack 133 Terrorism in the Netherlands 134 Terrorism in Europe 137 Lessons learned from European attacks 138 A crystal ball gazing exercise; introduction to Game Theory Game Theory and terrorist threat 141 Game Theory scenario approaches 144 Conclusions 147

11 11.1 11.2 11.3 11.4 11.5 11.6 11.7 11.8 11.9 11.10 11.11 11.12

Conclusions 150 Why this book? 150 Relation safety and security risks 151 Research into flood defenses 151 Historical research 152 Smarter design of flood defenses 152 New designs, new vulnerabilities 153 Feasible attack options 153 Flood defenses for security protection 153 Fundamentals of Flood Protection 154 Flood safety risks versus security risks 154 A matter of perception 155 Final observations 155

12

Recommendations

13

Epilogue

158

157

140

Contents

Appendix

160

List of Figures

168

List of Tables

170

Bibliography

172

Source account Index

179

178

XI

1 Introduction 1.1 Vulnerability of water management and flood protection systems Water is life and your friend (when it behaves itself). That is an adage as old as humanity. The hanging gardens of Babylon and the rich granaries of ancient Egypt could only be made possible with ingenious water systems that regulated the water level of the rivers, and provided the surrounding lands with water. There was, and is, a downside to all that water. The people in low-lying areas were time and time again confronted with floods. And when they started building levees, the structures frequently did not stand up to the natural violence of storm surges, hurricanes, and in the worst case, tsunamis. The people living on higher grounds for their part were regularly confronted with overflowing rivers due to melting glaciers and excessive rainfall. Apart from natural threats, there are also human threats related to water. From ancient times on, water was a good defense against enemy threats. Fishing villages built on poles could easily defend themselves. Castles and cities alike built moats and extensive canal systems that could serve both for transporting goods and as a defensive against aggressors. Over time, water management and flood defense systems such as levees, sluices, and harbors have grown bigger and more complicated, just as our society has grown bigger and more complex. Hundreds of millions of people live in river deltas lying below sea level, in cities that sink extra as a result of excessive use of fresh groundwater. Levees and freshwater supplies are important to many and are therefore becoming more and more vulnerable to people with malicious intent. It is therefore not only mandatory to pay attention to the safety of such critical infrastructures but also to their security.

1.2 What is this book about? In this book we look at safety-related vulnerabilities of flood defenses in general, and levees, sluices, weirs, and navigation locks in particular. The book itself is about how to develop security risk scenarios. We want to link safety and security risk analysis, with flood defenses as an example. Attackers or perpetrators (we use the two terms together, depending on the nature of the security threat we are discussing) often use weaknesses in technical designs to let them malfunction or even destroy them. Safety shortcomings and safety hazards are a “good” indication of weaknesses that can be taken advantage of by perpetrators. https://doi.org/10.1515/9783110622577-001

2

1 Introduction

A frequently heard comment is that when the safety of a technical installation is in good order, security risks will be covered for about 70%. We think there is a lot of truth in that assumption. If factory workers prevent unaccompanied persons from accessing the machines by keeping the doors closed, the chances of accidents occurring are greatly reduced. At the same time, this also prevents perpetrators with bad intentions reaching the same machines.

1.3 Flood security research project The research in this book does not stand alone. An early LDE/DSyS study (see Preface) into the security of dams and levees focused on the vulnerability of such structures to (light) explosives (Melin, 2014). As a follow-up to that study, the goals of the research underlying this book were formulated as follows. The main goals were to model the destructive power of various modus operandi and to determine gaps in flood defense security. The follow-up question(s) then would be where to place preventive or strengthening measures, such as cameras, sensors, barriers, walls, and checkpoints. The scope of this underlying study was set rather generic. It was suggested that the study should produce a matrix with at one axis the type of levee, seawall, bosom quay, dune, lock, or dam and at the other axis the modus operandi (ranging from a shovel, a backpack with explosives to, for instance, a lorry as a means of attack). The cells in the matrix should then show some indicative weight of actions leading to the (part) disruption of a particular type of flood defense or flood barrier. A suggestion for such a matrix is given in the 2012 DHS guide to dam security (DHS, 2012). We use this approach when we construct in this book what we call flood defense vulnerability tables, attack vulnerability tables, and attack-type tables.

1.4 Considerations We started the study for this book with the analysis and categorization of different flood defense types. Based on the results of individual flood barrier observations, a typology of flood defense systems was developed. Then a method was sought to find out whether each type of flood barrier can be coupled to security risk data typical for that type of flood barrier. This approach corresponds with the goals described in the previous section. However, a safety risk matrix is not complete without a broader assessment of these risks, and the testing of the starting points in an operational environment. Although in the specially developed test polder of Delft University of Technology operational tests of levee breaches have been carried out (and recently comparable tests have been carried out by the Dutch Department of Waterways and Public Works on real levees), it is hardly feasible to test the effect of real explosives on a

1.6 Scientific, military, and professional approaches

3

levee. This can only be done by modeling. Another way of assessing the effect of explosives on flood defenses is by looking at historical examples of such attacks. Those examples give an idea of the effectiveness of such attacks in reality. We can then use and test the information (or “data” in scientific jargon) by way of scenario modeling or scenario analysis.

1.5 Scenario analysis Scenario modeling makes it possible to study the vulnerability of flood defenses methodically, based on military operational analysis and security practice. The research approach should be logical and practical. A scientific paper should preferably be based on both qualitative and quantitative appraisal. Since there is little scientific data available regarding physical threats against flood defenses, the results of this study depend for a large part on historical research and qualitative analysis (of the structure) of existing flood barriers. Ultimately this book presents a matrix of vulnerabilities of flood barrier constructions and a (not necessarily complete) overview of implied security risks. For a security professional, such a matrix gives clear indications which security measures should be implemented and, in case of limited resources, in what order. In case of security threats, a normal order of implementing defenses would be to establish defensive perimeters, to limit access to the most vulnerable parts of the object to be protected and to organize supervision and rapid response in case of imminent breaches of boundaries or fences. A security risk scenario describes and analyzes the various possible attack paths perpetrators most probably will take, given the local circumstances. These possible paths, and the ease with which the ultimate target can be reached, give an indication which defense measures will probably be most effective. These are the defense measures that should be implemented first. However, we must remind ourselves that there are many scenarios possible. Therefore, choices have to be made in what scenarios to choose as a starting point.

1.6 Scientific, military, and professional approaches In his master thesis on “Intentional breaches of levees using limited resources,” Tobias Melin assumes that extremist groups only have limited access to (large amounts of) explosives. They therefore have to resort to small quantities of explosives when attempting to disrupt flood defenses. The scientific element in the Melin study is then to calculate the force necessary to damage a levee body, and with what results. For various reasons, Melin concludes that such an attack on dike bodies is less likely (Melin, 2014).

4

1 Introduction

We conclude otherwise. In our opinion, a scientific approach should not so much depend on applying statistics or calculations, but in the words of Ben Ale, professor emeritus of safety science, “by taking a step back and reviewing a problem from various angles” (Ale, 2009). We compare Melin’s approach to that of a (military) engineer. The basic question for a military engineer is: “I have an obstacle in front of me, how to remove it quickly.” In many cases, this would be by using explosives. One should also keep in mind that military engineers, when there is no obstacle, tend to blow up things in order to create an obstacle to prevent the enemy from advancing. The most likely victims of such actions are bridges across rivers and canals. We consider Melin’s assumption that most extremist groups have only limited access to large amounts of explosives not always correct. The Oklahoma City bombing, on 19 April 1995, shows that persons eager enough can easily acquire the means for large-scale attacks (that is, where it concerns the results). That is why security professionals consider security threat variables like motive, possible targets, possible results, and the possible “advertising” impact when assessing terrorist acts. Follow-up questions then concern possible locations, opportunity, ways of access, and escape, resulting in possible modi operandi that can be made visible in a scenario description. In a military approach these possible modi operandi would then be countered by composing attack and defense scenarios in which all possible counter measures can be assessed. A scientific follow-up then can be to statistically analyze these scenarios by way of – for instance – a game theory approach. In this book we make use of all three approaches, professional, military, and scientific, albeit in varying degrees because of limited resources and the restriction to use only public sources. We want to present a comprehensive security risk analysis and a scenario approach based on thorough safety analyses that appeal to, and are understood by, both scientists as well as military and security professionals.

1.7 The Netherlands – location of many types of flood barriers This study focuses on the design aspects of major flood defense systems like levees and dams, and gigantic flood barriers like the Eastern Scheldt Storm Surge Barrier in Zeeland province in the Netherlands. Dutch flood barrier engineering is world famous. Although being a small country, a large variety of flood barriers can be found here, grouped in a relatively small area. This helps in case of research restrictions such as limited time and resources. In this study, we therefore primarily research flood defenses that are located in the Netherlands. We will however also refer to innovative (storm) flood barrier designs in, for instance, Saint Petersburg (Russia) and the Thames Storm Flood Barrier near London (Great Britain).

2 Summary Abstract: In this chapter we present a summary of the main contents of this book. According to the Mayfield Handbook of Technical & Scientific Writing (Perelman, Barrett, & Paradis, 1996, 2001), an abstract is “a brief summarizing statement. . . read by parties who are trying to decide whether or not to read the main document.” However, since the main conclusions of each chapter are also included, this chapter can also be read as a summary, “which, unlike an abstract, is a document in miniature that may be read in place of the longer document” (same source). For pictures, tables, and other illustrative material, we refer to the various chapters of this book.

2.1 History of flood defenses and flood barriers We start our study into the security of flood defenses in Chapter 3: history of flood defenses in the Low Countries with a history of the construction of levees and dams, sluices, and navigation docks in what is now the Kingdom of the Netherlands (or Holland as it is frequently called in tourist brochures, but those are only two of the 12 provinces of the Netherlands). Why do we start this book with looking at the history of flood defenses? Flood defenses are technical designs, and it often takes a long time before technical constructions attain their definitive shape and composition. In the case of flood defenses, the development has taken centuries. Over the ages, the principle “form follows function” has been clearly leading. We can learn from the past how form and function of flood defenses have influenced the lives of people in the past, and how they may influence our lives today. History may also teach us lessons about inherent shortcomings of specific flood defense or flood barrier designs. It is important to note at this point that we talk about both flood defenses and flood barriers. According to the Dutch Fundamentals of Flood Protection manual (ENW, 2017, p. 18), there are primary and secondary flood defenses. Most primary flood defenses provide direct protection from flooding. Primary flood defenses are dunes, levees and dams, and hydraulic structures (p. 22). Flood barriers and storm surge barriers are almost always hydraulic structures. We also refer to flood defense systems. Systems are more complex, like the combination of dams, levees, and movable flood barriers constructed in the Dutch Delta Plan (discussed in Chapters 3 and 4), or shore improvement of a combination of rivers and lakes in a large part of the country. An important observation, when looking to waterworks over time, is that the basic contours of flood barrier constructions have not really changed over the ages. What has changed, however, is the massiveness of, and the technologies used in, modern flood defense and flood barrier constructions. In the Netherlands, like in many other countries bordering the North Sea, this change has been accelerated by the many large dike bursts and floods, leading to the Southern Sea Waterworks (1916–1932) https://doi.org/10.1515/9783110622577-002

6

2 Summary

and Delta Plans (1957–present) in the Netherlands. Due to advancing construction techniques and modern scientific developments, dam, lock, and harbor structures have become much larger, and therefore much more difficult to damage or even breach. We agree with the Department of Homeland Security (DHS) that therefore “the vulnerabilities of dams to manmade attacks greatly depend on site-specific conditions and characteristics that could be exploited by potential adversaries to cause structural damage or to disable or disrupt operations or critical functions” (DHS, 2012).

2.2 Vulnerabilities of flood defenses According to the Dutch Fundamentals of Flood Protection manual, particular attention is required where a flood defense structure or levee segment adjoins high ground. This is because of the differences in composition, and – among others – varying influences of the flow of the water and subsidence of the high ground (ENW, 2017, p. 23). The same applies to the transition from levees to dunes. We assume that this also applies to transitions between levee systems and water intakes, ports, or estuaries. In these cases, a continuous levee system is interrupted, which may indicate a vulnerable spot in the flood defense. According to some this does not influence flood risk. However, from a security risk perspective, these transitions require additional monitoring. A security risk implies a vulnerability in a flood defense system that can be exploited by a perpetrator or an attacker. Advanced construction techniques and the use of modern operating systems in flood defenses and flood barriers imply increased safety. However, such techniques and systems do not necessarily reduce safety risks. Reason’s “Swiss Cheese” cascading risks model predicts that growing complexity makes a system more vulnerable to safety threats (Reason, 1990). In the introduction we have mentioned the overlap between safety and security, and the similarity between safety and security risks. Deliberate malfunction or even breaches of levees and dams can only be attained by applying (excessive) force. Because of the robust construction of levees and dams, more obvious targets would be older or less maintained sections, transitions in levee constructions, river or harbor entrances, and water or navigation locks. Lock gates, and especially the hinges, are especially vulnerable to the use of force, either by jamming or impact. Lock chambers can be blocked by sinking boats in them. The weather is also of influence. Most floods in Northern Europe occur during the winter months, when the weather is at its worst and sea water levels rise because of gales in combination with spring tides. When spring tides combine with North-Western storms, the situation becomes most dangerous. Rivers usually overflow in the early month of spring, when melting snow and ice from Swiss and German mountains fill up downstream rivers. In these periods levees are more vulnerable, creating a “window of opportunity” for perpetrators.

2.3 Modern flood barrier constructions

7

At the end of Chapter 2 we present a first draft of a flood defense vulnerability table. In this table flood defense types, construction, structural weaknesses, and safety risks are listed side by side. In the course of the following chapters, we will extend the flood defense (safety related) vulnerability table to a (security-related) attack vulnerability table of flood defenses. We will in turn expand this table into a flood defense attack-type table. The attack-type table actually presents a collection of mini scenarios that can help to identify security risks of, and security threats to, flood defenses. We also attempt to systematically link the construction of specific flood defenses and the associated safety hazards to some security risks.

2.3 Modern flood barrier constructions In Chapter 3 we looked at 2,000 years of history of flood defenses. In the following chapters, we move a lot faster through time. When it comes to the design and construction of flood defenses and flood barriers, there has been enormous technical development in the last 70 years. We will discuss this development in two chapters, using the Dutch Delta Plan for illustration. In Chapter 4, we discuss the construction of the various parts of the Delta Plan in the Netherlands, which started with the construction of the Hollandse IJssel Storm Surge Barrier in 1958. The reason for the plan was the storm surge of 1953, in which levees in large parts of the southern Netherlands gave way and 1,836 people lost their lives. The Delta Plan is a combination of dams, levees, and movable flood barrier designs that – because of its massiveness and application of never before used techniques – was then (and now) a vanguard of modern hydraulic engineering and technology. The Delta Plan was realized in a relatively short period of time (less than 40 years). The Delta Plan consists of a variety of flood barrier systems, ranging from fixed dams like those in the Three Islands Plan (1957–1971) to the Haringvliet Dam (1957–1971), which consists of a dam with a huge sluice complex with a length of about 1 km. With the Hollandse IJssel Storm Surge Barrier (1954–1958), the first hydraulic storm surge barrier in the Netherlands was built. From a failure perspective, there are two sides to any technical design. First there are the safety aspects. Safety has to do with unintentional hazards that can befall a technical system, like flaws in the construction plans, floods, and earthquakes, misuse, or mismanagement. In contrast, security has to do with all deliberate actions that aim for the same effects that occur accidentally in the case of safety failures (and then some more). Regarding safety, we observe that new flood barrier constructions may lead to new safety risks. It is, for instance, difficult to predict how the different hydraulic parts of modern flood barriers will behave over time. There is also politics involved. In the case of the Haringvliet Dam, the first plans opted for a fully closed dam. The safety risks related to closed dams are minimal. Resistance from fishers and environmentalists ultimately led to the construction of

8

2 Summary

a semi-closed dam that was also much more expensive than initially planned. The (relatively) weaker hydraulic parts and gates of a sluice in a (much) stronger levee or dam imply a greater chance of safety risks occurring. In this chapter we also discuss some security-related vulnerabilities of the new flood barriers. In fact, we are already working toward simple scenario analysis. In Chapter 3, we introduced a (safety-related) flood defense vulnerability table that we now expand with the safety-related Delta Plan observations discussed in this chapter. We do the same for the security-related observations. We also present an integrated Delta Plan safety and security risk matrix. We conclude that the chance of anything happening to the structure of modern levees and dams is relatively low, under normal conditions. Flood barriers that contain hydraulic elements and movable parts may be more vulnerable to both safety and security risks, simply because they contain movable parts.

2.4 Storm surge barriers In Chapter 5 we review the construction of more recent Delta Plan-related flood defenses in the Netherlands. By far the largest is the 9 km long Eastern Scheldt Surge Flood Barrier with its 62 vertical lift gates and computerized SCADA controls (1997–1986). Other modern Delta constructions are the Maeslant Storm Surge Barrier (1991–1997), the Hartel Storm Surge Barrier (1997), and the Ramspol Bellows Weir (2002). We compare the Eastern Scheldt Storm Surge Barrier with the Haringvliet Storm Surge Barrier that we discussed in Chapter 4. The gates of the Eastern Scheldt Storm Surge Barrier are of the vertical lift gate type and about 42 m long and 6–12 m high, which is twice as high as the gates in the Haringvliet Storm Surge Barrier. The gates are hydraulically operated. The water locks in the Eastern Scheldt Storm Surge Barrier are designed to withstand a high water situation that occurs statistically only once in 4,000 years. The Maeslant Storm Surge Barrier near the Dutch port city of Rotterdam is of a similar construction as one of the navigation sluices in the St. Petersburg’s Storm Surge Barrier. Since the construction of the Maeslant Barrier was planned in a busy shipping route, at the mouth of a fairly wide river, a double floating sector gate design was chosen, spanning 360 m (Fig. 2.1). Not only the gates are large but also the hinge constructions are of enormous proportions. It is like rotating the complete Paris Eiffel Tower on its side, pivoting around the very top of the structure. This means that the surface over which the hinges are pivoting has to be completely flat and free of blocking objects. This has proven to be a vulnerable construction. The maintenance costs are high (Dijk & van der Ziel, 2010). In the same year when the Maeslant Storm Surge Barrier was finished (1997), the construction of the Hartel Storm Surge Barrier in the Hartel canal near the

2.4 Storm surge barriers

9

Maeslant Storm Surge Barrier 1991–1997 Rotterdam

Brielle Haringvliet Dam 1957–1970

Hartel Storm Surge Barrier 1991–1997

Brouwers Dam 1957–1960

Philips Dam 1977–1997

Eastern Scheldt Storm Flood Barrier 1978–1986 Veersegat Dam 1958–1961

Volkerak Dam 1953–1969

Grevelingen Dam 1958–1965 Zealand Bridge 1963–1965

Zandkreek Dam 1957–1960 Oister Dam 1980–1986

Middelburg

Bergen op Zoom

Flushing

Breskens

Terneuzen

Antwerp

Fig. 2.1: Dutch Delta Plan.

Dutch city of Spijkenisse also reached completion. Purpose of the Hartel barrier is to close off surge floods into the New Waterway to the port of Rotterdam, without interrupting excessive (river) water flows from Switzerland and Germany. The Europoort harbor area itself would be defended by an added levee running from the Maeslant Storm Surge Barrier to the Hartel Storm Surge Barrier (Rijkswaterstaat, 2013). Like the Hollandse IJssel Storm Surge Barrier, the Hartel Storm Surge Barrier is of the vertical lift gate type with two gates.

10

2 Summary

The Hartel Storm Surge barrier is operated by the same fully computerized flood barrier operating system that operates the Eastern Scheldt Storm Surge Barrier. The barrier operating system decides whether or not the barriers need to be closed. In case of need, both barriers close at the same time. The Ramspol Bellows Weir Storm Surge Barrier, although not an official part of the Delta Plan, was completed in 2002 at the Ramspol location near the Dutch city of Kampen. Ramspol bellows weir is an inflatable dam. In 2002, it was the biggest inflatable dam in the world, and the first to be used as an (inflatable) flood barrier. In this chapter, we also make a vulnerability analysis of these Storm Surge Barriers, both in terms of safety and security aspects. We present our findings in a table combining safety and security risks. An important conclusion is that these installations are so large that it is difficult to imagine what the purpose of damaging one or more water locks would be. To disable these constructions completely is only imaginable in a war-like situation. Moreover – with the exception of the Maeslant Storm Surge Barrier – these are all water locks, not navigation locks. The flood barriers are also always open. From a security viewpoint, the inflatable Ramspol bellows weir is a very secure design since it resides under water for most of the time. And like with the other storm surge barriers, it is very difficult to predict when the barrier will inflate.

2.5 Flood defenses in defensive strategies In order to better understand the relation between flood defenses and security, we discuss the use of flood defenses as water retainer for use in water defense lines in Chapter 6. Flood barriers can be used as defense against water, but they can also be used to stop enemy forces from advancing. The Dutch invented an ingenious combination of waterworks for such purpose. Knowledge of these constructions not only increases our insight into the vulnerabilities of flood defenses, but also offers solutions to secure the various components of flood defenses. We study the construction and use of water defenses and fortresses in the Netherlands from the fifteenth to the twentieth century. In the Late Middle Ages, engineers used brick walls and water for defense. Earthen walls proofed to be more efficient and less costly than brick ones. Lower walls had the added advantage that defenders also could use cannon to shoot from behind the walls. Famous are the city defenses of Antwerp in Belgium (1540) and the Rammekens fortress near the Dutch coastal town of Flushing (1547). The extensive bastions were designed by Simon Stevin, “inventor” of mathematical science, which he applied to the layout of his fortresses. Most fortresses were built at the intersection of levees, since the roads on these levees also acted as natural lines of communication and trade. The party that held the fortress thus dominated the lines of communication and trade in the region.

2.6 Flood defenses in offensive strategies

11

It then became an official Dutch strategy to flood large parts of the country as a first line of defense against invading troops. A fairly modern water defense line is the Amsterdam Water Defense Line, which failed its purpose in the early days of the Second World War. Flooding polders for defense reasons is nowadays an obsolete practice. However, many of the old specially designed sluices and breach points in levees and dams are still present, and can still be vulnerable spots in today’s water defenses.

2.6 Flood defenses in offensive strategies In this book we several times refer to the study of Tobias Melin on “Intentional breaches of levees using limited resources”. Melin assumes that extremist groups will have little access to (large amounts of) explosives, and therefore have to resort to limited amounts of explosives in order to disrupt flood defenses. Melin ultimately concludes that such an attack on levee bodies is less likely (Melin, 2014). The scenario in which attackers use (limited amounts of) explosives against flood defenses is reflected by the “Man portable (explosive device)” and “Assault team (explosive device)” scenarios in our flood defense attack tables (e.g., see Tab. 2.1). Melin’s assumption that most extremist groups have only limited access to (large amounts of) explosives is refuted by practice. The Oklahoma City bombing, on April 19, 1995, shows that persons eager enough can easily acquire the means for large-scale attacks. The overview in the appendices shows that the use of explosives is the preferred modus operandi in the majority of terrorist attacks in Europe. The question is whether such attacks are also effective against flood defenses. Since it is hardly feasible to experiment with large amounts of explosives on real levee or dam bodies, we look at historic examples of dam and levee attacks. In Chapter 7 we discuss the Ruhr dam attacks in 1943 and the massive aerial attacks on the levees of the Dutch Zealand province in 1944. The Ruhr dam attacks were successful, but had little effect. The 1944 levee attacks were successful in the end, but only after multiple bomb raids and the discharge of an unbelievable amount of explosives. Historic research by Gleick shows that pinpointed attacks against flood barrier components such as lock doors, hinges, levers, and controls are more effective than using explosives randomly (Gleick, Water and terrorism, 2006). This observation is supported by recent DHS dam-related research. The DHS study concludes that there are an infinite number of possibilities regarding potential combinations of resources, tactics, tools, and weapons that could be employed against (water management) assets (DHS, 2012).

12

2 Summary

2.7 Vulnerabilities of flood defenses In the previous chapters we discussed various flood defense and flood barrier constructions, following a historic footpath according to the year that the barrier was completed and became operational. We can call this method of looking at the development of flood defense constructions over time an analogous approach. A scientific approach requires a more systematic analysis of both the technical structures that we study, and the safety and security risks associated with each structure. In Chapter 8 we do not group the flood defenses and barriers according to the moment of building, but according to their main construction characteristics. We also add some flood barriers that we have not discussed before. A classification of flood barrier types helps us to identify and compare vulnerabilities of different types of flood barrier. This also helps us to gain insight in the way these differences influence possible security threat scenarios. For a subdivision of flood defenses, we base ourselves on the Dutch Fundamentals of Flood Protection manual. The manual makes a distinction between primary flood defenses that offer protection against flooding from major bodies of water (or “outer waters”), and other secondary flood defenses. Primary flood defenses include levees, dams, dunes, and structures forming part of them, such as cuts (“denominations” in Dutch/French) and water and navigation locks. River levees are not mentioned in this list, but we do consider river levees to be primary flood defenses, especially along the big European rivers Rhine, Meuse, and Waal. The manual lists hydraulic structures as a separate category of primary flood defenses. Most primary flood defenses provide direct protection from flooding. Some do so indirectly, by limiting the load on other flood defense structures situated further away. If such a water defense structure fails, the hydraulic load on the secondary flood defenses beyond increases. Examples are the Afsluitdijk causeway and the Ramspol Bellows Weir in the Netherlands. Apart from levees and dams, we focus in this chapter on flood barriers that contain hydraulic parts. In relation to levees and dams, we specifically look at sheet pile reinforcements. Sheet piles are increasingly used, especially in places where there is no room to build levees with a wide levee foot. Sheet piles are relatively cheap construction materials with a relatively long life. From a security viewpoint, we have reservations, especially in places where sheet piles are used to erect high, towering embankments alongside rivers. A variation to pile sheet embankments are concrete levees or flood walls like they were (and at places still are) used in New Orleans, and in sunken highways and railways and in aqueducts in the Netherlands. Like sheet pile-reinforced embankments, this kind of levee is vulnerable to projected force. We present our findings in the Dams and levees attack-type table as shown in Tab 2.1. We describe what the different types of attack entail, such as an attack with mechanical equipment (no nail scissors, but concrete shears to cut hydraulic hoses and data cables), or an attack with “(man-portable) explosive device and/or

2.7 Vulnerabilities of flood defenses

13

Tab. 2.1: Dams and levees attack vulnerabilities. Dam and levee attack types Attack mode

Attack type

Land

Mechanical equipment Small arms (Man-portable) explosive device and/or incendiary device Assault team (without/with explosives) Vehicle-borne explosive device Stand-off weapons

Water

Water-borne explosive device Underwater explosive device

Air

Aerial bombing or strafing Aircraft impact

Dams/levees – impact − − + −/++

Concrete levees/flood walls – impact − − ++ −/++

+ ++

+++ +++

++ ++

+++ ++++

+++± −/+

+++++/+ +++

incendiary device.” In the attack-type table, the destructive effect of an attack type is shown by one or more pluses. The number of pluses shows at a glance the relative effectiveness of a certain kind of attack. Apart from the nature of the attack, the environmental factors are also important. Attackers must reach their goal to make the attack effective. A successful attack implies that the object that is attacked can be easily accessed. There must be no moats, fences, locked doors, or other defenses restricting access. And if there are, the obstructions must be easily bypassed. Other variables in an attack scenario are the absence of supervision (which translates in opportunity for the attackers), the time it takes supervisors to adequately respond to an attack (offering a window of opportunity to attackers), and the ease with which perpetrators can withdraw after an attack. We also make such attack-type tables for hydraulic structures. We first discuss the history of the North Sea navigation locks at IJmuiden, which closes off the North Sea Channel to Amsterdam from the North Sea. Before the construction of the Panama Canal navigation locks, the IJmuiden locks were the biggest navigation locks in the world. When assessing safety and security-related vulnerabilities of sluices like this in combination with assessing the environmental variables, we have in fact started to develop basic security threat scenarios. We recognize various categories of flood and storm surge barriers. We distinguish between guillotine-shaped flood barriers (flood barriers of the vertical lift gate type) and visor-shaped flood barriers (with segment gates). Visor-shaped barriers resemble the visor of a knight in the Middle Ages. An example of a guillotine-shaped flood barrier is the Hollandse IJssel Storm Surge Barrier. The Thames Flood Surge Barrier in the

14

2 Summary

Thames estuary near London is another example of a visor-shaped barrier. A third kind of storm surge barrier are flood barriers with sector gates like the Maeslant Storm Surge Barrier in the Netherlands and navigation lock S1 in the St. Petersburg Storm Surge Barrier. These flood barriers are as big as the Paris Eifel tower lying on its side, and pivoting around the top. These flood defenses are susceptible to errors and are maintenance sensitive. Although guillotine-type flood barriers tower high above the landscape, they are less likely targets. The doors are almost always open, and next to them there is always a navigation lock. Visor-like barriers often have a different function, for example, for freshwater supply or to keep the water level in a river arm at a height. The vulnerability depends on the motive of a possible attacker. The Thames Storm Surge Barrier visor gates have been constructed in such a way that navigation is always possible, even for the biggest ships like aircraft carriers. This is possible because its rotary segment gates have a horizontal axis, and the gates normally lie dormant in a concrete container on the riverbed. The vulnerability is low for the same reasons as for the large flood defenses in the Netherlands (lots of water locks that can hardly all be disrupted at the same time), and the bellows weir at Ramspol in the Netherlands, which is stored underwater most of the time. We present these and other findings in various attack-type tables. In hydraulic structures, we can identify various (safety-related) failure mechanisms, such as construction faults or parts of the structure, general loss of stability in a hydraulic structure, failure of transition structures, and not closing or not closing in time. These are failure mechanisms with which hydraulic engineers are familiar. The security threats that we identify are actually nothing more than the deliberate enforcement of the same failure mechanisms. The outcomes of the attack-type tables imply that it is much more effective to carry out a targeted attack on the most vulnerable parts of a lock structure. These are the operating mechanisms, the lock gates, and the hinges on which they rotate. The tables also indicate that the controls of flood barriers that are computer operated from a distance (SCADA) are the most vulnerable.

2.8 Calculating security risks In Chapter 8 we concluded that some flood barriers are more prone to security risk than others. Scenario-based security risk analysis can help to pinpoint which flood defense systems are more security risk prone than others. In Chapter 9 we go deeper into the meaning of risk, and the ways in which risks can be mapped and calculated. Because of the many different technical components used in flood barrier designs, they can be labelled complex technical systems. In a complex system, several subsystems can be identified. Each subsystem can be studied as a complete system on its own. Subsystems, for instance, are the gates, the operating mechanisms and

2.8 Calculating security risks

15

water in- and outlets in flood defenses. In the various flood defense vulnerability tables in this book, we categorize both attack types and flood defense subsystems, and project possible security threats in the resulting matrix. In this way, our vulnerability tables develop toward mini-scenarios that give us an indication of the main security threats against the whole of the flood defense system. How attackers can reach their target can be mapped out in a fault tree analysis or displayed visually in a critical path diagram. Multiple attack paths result in a more complex display. Because we do not know which path or paths attackers will eventually choose, we have to calculate the chances that a certain path will be followed and that possible barriers (such as moats, fences, and access doors) on that path will be effectively bypassed. Security professionals can rely on methods for risk calculation that have been developed in other disciplines. Calculating the probability of risks that can occur over a certain period of time will warn us at an early time about what risks to expect and what measures to take in order to prevent the risky events from happening. Ale defines risk as the probability that, given a certain set of circumstances, a certain situation or (mal)function will occur with negative consequences. The calculation of this event actually occurring over a certain amount of time, with given circumstances, is called risk (Ale, 2009, p. 5). Probability and risk calculations are important elements in the design of flood defenses. The Fundamentals of Flood Protection manual extensively elaborates on probability and risk. According to the Bayesian interpretation that the manual accepts as leading, the probability of flooding is a measure of the likelihood that a flood will occur, given the knowledge at our disposal. Probability is a subjective “degree of belief” that can only be overcome by exchanging data, second opinions and the establishment of best practice (p. 35). This is the same approach that we take when analyzing security threats and attack paths. Flood risk in hydraulic engineering concerns both the possible impact of flooding and the probability that it will occur. It indicates the consequences and also the probability of these consequences. Flood risk can be expressed as probability × economic damage, but also in terms of the estimate that individuals or a large group of people will lose their lives. The Dutch approach considers three measures of risk: the annual expected damage, the individual risk, and the societal risk (p. 37). In the case of security, a simple concept of risk can be considered the sum of probability × consequence. Since there are so many unknowns in assessing security risk, Smith and Brooks rather prefer to speak about likelihood than probability (Smith & Brooks, 2013, p. 54). Designing flood defenses involves the calculation of failure probabilities and designing flood barriers in such a way that the failure will not occur (given time and circumstances). In the case of security threat we only add a new failure mechanism to these calculations: that of deliberate failure. One failure can lead to multiple others. A cascading failure is a process in a system of interconnected parts in which the failure of others can be triggered. Likewise, one risky event can lead to multiple other risks occurring.

16

2 Summary

The total of cascading risks leading to a disastrous event can be mapped out in a fault tree analysis and presented in a fault tree diagram. The consequences of that event can then be traced and presented in an event tree. The fault tree and the event tree together show a bow tie, depicted in a bowtie diagram, with the disastrous “central event” in the middle. A bowtie diagram helps to determine which risky events must be blocked to prevent the central event from taking place, or its effects becoming reality. According to the Reason paradigm, there can exist many risky situations at the same time, but they will only lead to the central event when several risks line up behind each other, offering a window of opportunity for the central event to happen. The Swiss Cheese model as it was later called also states that “accidents in high-risk technologies (Chernobyl, Challenger disaster, Harold of Free Enterprise) have their primary origins in a variety of delayed-action human failures committed long before an emergency state can be recognized.” Translated to security, this means that preparatory activities can take place much earlier in time. Theft is often based on impulsive actions or sudden opportunities. In the case of group or terrorist attacks, there is often a long preparation time. We further develop an attack fault tree analysis on the basis of the (man-portable) explosive device attack scenario in our flood vulnerability and attack-type tables. Because there are so many options for attackers to achieve the ultimate attack goal, we work out the different possibilities in chance calculations. To facilitate these calculations, we replace the pluses and minuses in our vulnerability tables with numbers. This makes it easier to calculate the probability of various attack paths to the central event. The use of numbers also makes it possible to calculate the possible costs of the various preventive measures to block the various attack options (Zhang L., 2018, p. 184).

2.9 Terrorism threat against flood surge barriers Reason identified groups of events where wrong decisions early in the fault tree may eventually lead to undesired events much later in time. This is particularly the case when it comes to terrorist acts. The time needed for planning and execution often takes years and closely resembles the preparation time needed for military operations. We argue several times in this book to include security threats in the failure probability calculations of flood defenses. The frequent reply of hydraulic engineers is that there is too little data available for that. We want to refute this in Chapter 10 on the basis of terrorism data in the Netherlands and in Europe. We use the overview of terrorist attacks in the Dutch Elsevier publication “Terrorism in the Netherlands” for a starting point (Andersson Toussaint, van der Plicht & Vrijssen, 2014). This publication lists 78 terrorist attacks in the Netherlands in the period from the 1970s till 2014. First we dissect this list of attacks in categories

2.9 Terrorism threat against flood surge barriers

17

according to the attack type. A first difference can be made between attacks against people, and attacks against objects like buildings. In case of attacks against buildings, we can distinguish between bombings, fire bombings, and other attack types. Then there are attacks to individuals and groups of people. Both categories can also fall victim to hijacking. Apart from the many criminal killings that never seem to cease, the Netherlands has also known a few political and Islamist murders and murder attempts. We only know of one particular threat against a Dutch levee. In case of terrorist attacks in Europe, we refer to the yearly European Union Terrorism Situation and Trend Report (Te-Sat) (Interpol, 2016/2018). The Te-Sat report distinguishes different motives behind the various attacks in the European Union: Jihadist terrorism, Ethno-Nationalist and separatist terrorism, Left-Wing and Anarchist terrorism, Right-Wing terrorism, and single-issue terrorism. Jihadist inspired terrorism is by far the largest group of attacks. In 2018, Europol states that in recent years there has been an increase in the frequency of jihadist attacks, but a decrease in the sophistication of their preparation and execution. This corresponds with the observation that many perpetrators of Jihadist inspired terrorists are home grown and derive their knowledge and means of attack from the internet. The (man-portable) explosive device and assault team (with explosives) scenarios as shown in our flood barrier attack-type tables are the most favored attack types, although recently we notice a shift toward the attack of “soft” targets in the form of large, unprotected groups of civilians in public spaces (squares, sidewalks, cafes, theaters) by using lorries or gun attacks. These attack types were quickly copied by other terrorists. In order to be better prepared against terrorist attack, we introduce Game Theory as a method for assessing various options for both attackers and defenders. Sandler and Arce examined how game-theoretic analyses of terrorism have provided policy insights that do not follow from conventional strategic analyses (Sandler & Arce M., 2003). We refer to Section 10.6 for an example. We then compare the outcomes of the navigation lock attack-type table and the guillotine lock attack-type table, and discuss some scenario options and attack-type outcomes. We conclude that a team attack against parts of hydraulic flood barrier systems has the highest chance of being effective. At the end of this chapter, we once more discuss the application of Game Theory on the basis of a security risk scenario in a chemical process plant. Game Theory complements the way security professionals normally estimate the probability of burglary by activists, terrorists, or thieves. According to professor Genserik Reniers (Delft Safety and Security Institute), a Game Theory approach – though an academic exercise – will help plant managers and security professionals to better design the layout of their facilities, and take such security measures that will give first responders time to either prevent or mitigate the effects of a successful terrorist attack (verbal quote). For an extensive elaboration on Game Theory and security scenario development, we refer to Zhang (2018).

18

2 Summary

2.10 Conclusions The research in this book is based on the assignment to investigate different modes of operation to attack flood defenses. However, the act of undermining or blowing up a levee must be seen in the context of a complete plan of attack. When aggressors attack, there is almost always a motive in combination with preparatory and implementing actions. Defenders can prepare for such an attack by reflecting on what actions that may be, and what the effect would be of those actions on the assets to be defended. These actions can be mapped out and plotted in time in a scenario analysis. In addition, a scenario approach helps to consider alternative scenarios. This gives defenders an idea where and how to set priorities in security measures. When designing, constructing, and maintaining flood defenses, hydraulic engineers already have to take into account the associated safety risks. Safety is associated with the vulnerabilities that are inherent to the design of a technical installation. This may not only involve, for example, design errors, but also vulnerabilities that have to do with the way people work and the weaknesses of people. If people are tired, they do not pay attention. When doors are left open, people who are not authorized can easily enter hazardous areas. People with malicious intent use such circumstances to come in, steal money and goods, or to damage or demolish things. We therefore assume that if the safety risks in a technical environment are adequately covered, the same will probably apply to 70% of the security risks. Since we wanted to give this book a scientific dimension, the history of flood defenses plays an important role in our research. Technical constructions often have developed over a long period of time. In case of flood defenses, the shape and technical construction have not changed much over the course of many centuries. Flood defenses have become (much) bigger, with hydraulics and computer managed controls. But in essence, the function (flood defense) still determines to a large extent the form (that over the ages practically has remained the same). Modern materials make it possible to create increasingly smart designs. This also positively influences security. The bellows weir at Ramspol in the Netherlands is only inflated when needed. The Thames Storm Flood Barrier gates are stored at the bottom of the river when not in use. Furthermore, the size of modern levees is so big that it hardly makes sense to attack them with a terrorist objective. Attackers have to look for more refined options if they successfully want to attack flood defenses. However, new designs of flood defenses may lead to new vulnerabilities. Making sea and river levees higher is not possible everywhere, often because of housing or industrial development on or near the levees or flood defenses. The levee base can then not be broadened, which is a problem with high levees with a trapezoid shape. This problem is solved by applying iron sheet piles. High sheet pile walls are vulnerable to explosive attacks.

2.10 Conclusions

19

The results of our attack-type tables show that a team attack with explosives, or a remote attack on the control systems via the Internet, are possible (and effective) attack options. However, terrorist attacks in the Netherlands and in Europe on flood defenses seem less likely, because there are much more attractive – and easier to reach and attack – targets. This may be different in less developed and remote areas in Asia and Africa. There is a close relationship between safety and security. In the Netherlands, the Fundamentals of Flood Protection manual is an important guideline for the design, construction, and maintenance of levees and other flood defenses. The manual assumes the same risk approach for safety as we have chosen for security. The starting point for the manual is flood risks, which can be calculated in different ways. Subsequently, all sorts of other factors are added that determine the way in which flood defenses must be designed and which additional control measures are required. This approach can be illustrated in various ways, for example by using a bowtie diagram. The risk is roughly expressed in the formula . This risk formula is actually the same in the case of both safety and security. The Fundamentals or Flood Protection manual takes an acceptable risk of flooding as a starting point, taking into account a certain chance of failure of the flood defense. Various failure mechanisms can occur. How these risks are dealt with is described in detail in the manual, starting from a predetermined minimum limit of possible victims. Possible security risks are not considered because the chances for security risks occurring cannot be calculated or are unknown. The same applies to the defensive measures against such risks. The flood defense vulnerability and attack-type tables show that for each flood defense or hydraulic structure a certain increased “deliberate” failure probability can be determined. Additionally we have to look at how appealing the object is from the point of view of an attacker. There are enough historical data available for such an exercise. Our attack-type tables show that a team attack with explosives, or a remote attack on the control systems via the Internet, is possible (and effective) attack options. However, where it concerns terrorism in the Netherlands and in Europe, such attacks on flood defenses seem less likely, because there are much more attractive – and easier to reach and attack – targets. This may be different in less developed and remote areas in Asia and Africa. Ultimately, one may conclude that there is a reduced terrorism-related risk regarding flood defenses in general and (storm) flood barriers in particular. In the case of storm flood barriers, an attack is only effective during a storm surge. However, it is difficult to calculate at what moment a storm surge will occur exactly. However, no one saw “9/11” coming, except for a few film scenario writers. In parts of the world, large dams and freshwater reservoirs have been regularly attacked. The security risks identified in this book can therefore not completely be ignored.

20

2 Summary

2.11 Recommendations If one implements security measures in flood defenses, this may have safety consequences. We discussed blocking the critical paths to the vulnerable areas in flood defenses. The question remains to what extent this kind of security measure is effective. An effective way of reducing safety risks in flood defenses is by placing a second flood barrier behind another. A security measure then would be to place a third barrier behind the second one (in case barriers one or two should be breached). This example raises the question of what would be effective security measures in the case of flood defenses. These are interesting questions, worth to be investigated further.

3 History of flood defenses in the Low Countries Abstract: In this chapter we discuss the history of the Netherlands as a land of sea, rivers, levees, and polders. Water and levees are part of the Dutch genes. In order to understand the constant struggle of the Dutch against the threatening water of the sea and an abundance of rivers, we start our research in the beginning of our era. This also gives us an understanding of the development of flood defense construction techniques, and the intrinsic weaknesses of flood barrier constructions. Where it concerns basic shapes and techniques, not much has changed in flood barrier construction in the past 2,000 years.

3.1 2,000 years ago The recorded history of the Netherlands goes back to around the beginning of the Christian era. The Northern border of the Roman Empire ran along the Old Rhine river, as it then stretched from what is today Katwijk at Sea eastward to Germany. Nowadays, the Old Rhine looks like a narrow canalized river and does not resemble the river as it must have looked 2,000 years ago. The Northern and Western parts of what is nowadays the Netherlands consisted of marshes that occasionally flooded during high water or Western storms. There was then, as there is now, just a shallow line of sand dunes that protected the back lands from periodical flooding. People defended themselves against rising tides and floods by erecting hundreds of terps or dwelling mounds. In due time these dwelling mounds were extended to comprise whole villages. In the present landscape many of these can be recognized by the churches that were erected in the center of those villages, clearly built on elevated grounds. Incidentally, this type of landscape was not unique for the north of the Netherlands. In response to Ter Borg, who claimed that surviving this harsh environment was one of the sources for the unique Dutch character (ter Borg, 2001), environmental historian Verstegen writes in the newspaper Trouw: “From Le Havre to Riga, the entire European North Sea and Baltic coast consisted of lakes, rivers and marshes. The Wash in East Anglia north of London, was a South Sea in the making, until the British decided to reclaim large parts of this bay. This also applies to the Dollard in the German-Groningen border area, the Jade near Bremen, the bend in Lübeck and the Gulf of Riga.” (Verstegen, 2001)

https://doi.org/10.1515/9783110622577-003

22

3 History of flood defenses in the Low Countries

3.2 Historic flood defenses On 15 January 1996, construction workers in the city of Vlaardingen, now a suburb of Rotterdam, were busy constructing a concrete dam in a business park boulevard. Immersed in the dam were three PVC pipes connecting two adjacent artificial lakes. The dam itself served as a bridge connecting to a side road. Under the new dam, amateur archeologist discovered an older, wooden dam. This dam was estimated to have been constructed between the years 120 and 150 AD. In this older dam a wooden drainage tube was found running through the dam, connecting both sides of a previous creek that was cut in two by the wooden dam. Remarkably the old tube, made of a hollowed alder tree, followed the exact same route as the new PVC drains, positioned at the same location some 2,000 years later (de Ridder, 2001). The tube was in fact an early example of a watering sluice, the construction of which we will discuss later in this chapter. A dam is a barrier of earth, clay, or concrete that is built across a water, lake, river, or stream to obstruct or control the flow of water, or divide two or more water areas. Dams can have different functions, like connecting two land masses through water (for traffic), to block unwanted water flows (closing dams) or direct the water flow (river dams or breakwaters). A river dam is usually made of sand, covered with fascine mats and stone, parallel to the flow of the water.

In the Northern part of the Netherlands, what is now the province of Friesland, the inhabitants discovered that it was far more economical not to build dwelling mounds to escape rising waters, but to erect levees that circled some farms and the adjourning farmland. The oldest known levee in the Netherlands is situated near the Frisian village of Peins and is about 2,000 years old. It was made of layers of pressed turf. In later times levees were strengthened with clay. Eventually these levees were extended to enclose whole areas like the Frisian areas of Oostergo and Westergo. In the seventeenth century, Oostergo, Westergo, and Zevenwouden were the three country quarters that, together with the eleven main cities, made up de Province of Friesland (or Frisia). Shallow marshes and lakes were incorporated into the newly acquired lands. From the eleventh century, Frisian monks started to encircle high-lying outer sea beds with levees. A levee or dike is an embankment built along the shore of a sea or lake or beside a river to hold back the water and prevent flooding. In British English often the word dyke is used. Americans prefer to use the word levee. In accordance with the English translation of the Dutch Fundamentals of Flood Protection manual we will use the word levee as a general indication for (non-hydraulic) flood defenses or barriers (ENW, 2017).

In the sixteenth century levees were strengthened at the seaside with double rows of wooden poles. The space in between the wooden poles was then filled with reeds

3.3 Historic sluices

23

and turf and topped with stone or masonry. In order to break the waves that pounded on these erect walls, wooden or stone breakwaters were built. The breakwaters protruded at a straight angle from the levees into the sea and were meant to prevent levees from slowly eroding.

3.3 Historic sluices At the archeological site in the Dutch city of Vlaardingen many different water sluices were found. This implies that the local inhabitants not only constructed dams but also more continuous embankments to prevent lands from flooding. Signs of these embankments however were not found, apparently they gradually washed away due to wind, rain, and floods. The many different dams and water sluices that were found in Vlaardingen show the previous existence of an ingenious system of ditches and canals. The construction of almost every sluice was different, indicating that every farm household had its own way of constructing sluices. This system also had its disadvantages. Through dehydration the peat soil subsided, which allowed the land to subside. As a result, contrary to what was intended, the land became very wet. Only in the late Middle Ages, people were able to overcome this problem by using windmills for draining low-lying lands (de Ridder, 2001). In the Vlaardingen area, the oldest recorded windmill dates back to 1407 (Molendatabase, 2015). Between 70 and 120 BC a big dam was constructed in the Vlaardingen area with a drain tube or water inlet made of two hollowed tree trunks. One trunk was shoved into the end of the other, resulting in a 6.3 m long tube. At one side of the tube a square frame was attached, presumably holding a trap door or valve, resulting in what in Dutch is called a “klepduiker” or valve drain. Where a trap door normally has its hinges at the top, in this case the door swung at the bottom. At this particular location the drain was exposed to a freshwater tide. At high tide, the valve was pressed shut by the rising tide. At low tide, excess rainwater automatically pushed open the door after which the water could flow out freely (de Ridder, 2001) (Figs. 3.1 and 3.2). The valve construction as described in the previous paragraph has been in use for over 1,000 years. During excavations in the center of Rotterdam (the Netherlands), the exact location of Rotterdam’s original Rotte hamlet was established by the discovery of one of the sluices in the dam in the river Rotte. This particular sluice was dated to 1360 AD. The dam itself was constructed around the year 1275. Although the size of the sluice is much bigger than those found in Vlaardingen, the basic construction is the same. As in the older examples, horizontal overhead beams were used to withstand side pressure from the dam body and thus prevent the dam bodies caving in. The same construction can still be found in the Dutch “Bleiswijkse Verlaat” sluice, built in 1774 (see Fig. 3.3, Sluice in the Rijswijkse Verlaat).

24

3 History of flood defenses in the Low Countries

Fig. 3.1: Low tide, river water pushes trap door open.

Fig. 3.2: High tide pushes trap door closed.

3.4 Development of pound locks A long shipbuilding history and the construction of complex windmills for various purposes also led to innovations in sluice and navigation lock construction. Boats and seagoing ships grew bigger, and therefore other sluice and lock gate constructions had to be invented. A lock with gates at either side is called a pound lock. The first recorded doublegated or pound lock in the world was built at the northern end of the Shan-yang YunTao section between the Yangtze and Huai-yin in AD 984 by Chiao Wei-Yo, Assistant Commissioner of Transport for Huainan (Canal Monuments List, 1994). In the Netherlands, a lock resembling a pound lock was first built in Vreeswijk, a former village and

3.5 Levee breaches and floods, Middle Ages to 1900s

25

Fig. 3.3: Sluice in the Rijswijkse Verlaat near Rotterdam built in 1774 (Jos de Lange, 2018).

municipality in the Dutch province of Utrecht located at the Lek river. This lock was built in 1373 and could handle several ships at once. The Lek river was normally at a slightly higher level than the canal leading to the city of Utrecht . In times of flood it was much higher. Therefore it would not be possible to let boats enter or leave without flooding the surrounding land. By adding an extra gate, only the thus realized basin needed to be lowered or raised. The first true pound lock in Europe was the Damme pound lock built in 1396 in Belgium near Bruges (Van Damme, 2009). A famous civil engineer of pound locks in Europe was the Italian Bertola da Novate (1410–1475), who constructed 18 pound locks on the Naviglio di Bereguardo (part of the Milan canal system sponsored by Francesco Sforza) between the years 1452 and 1458 (Clarke, n.d.). The height of the river water could more easily be regulated by building several sluices or locks behind each other, like the flight of 16 locks at Caen Hill on the Kennet and Avon Canal in England (Canal-and-River-Trust, n.d.). Figure 3.4 shows the gates in the Rijswijkse Verlaat sluice near Rotterdam. The sluice is big enough to let relatively large boats pass. The overhead beam construction is still there, but the trap door(s) have been replaced by hinged doors at the sides. The doors are hinged at an outward angle of 18%, which helps the rising tide push the doors closed and keep them closed. At low tide the doors are opened easily by the outflowing river current. Also visible is the winch that operates the doors, by way of hand and gears.

3.5 Levee breaches and floods, Middle Ages to 1900s The history of the Netherlands is riddled with dike bursts and floods. One of the best known floods is the Saint Elizabeth Day flood of 1424. Large parts of the later provinces

26

3 History of flood defenses in the Low Countries

Fig. 3.4: Sluice and navigation lock in the Rijswijkse Verlaat, rear entrance (Jos de Lange, 2018).

of Zeeland and Holland were flooded. Although the weather was bad and water levels were high, levees did not brake because of a combination of gales and spring tides. The most probable cause was lacking maintenance due to the civil wars that then raged in the Dutch provinces (Sweers, 2009). We must also take into consideration that both river and sea levees in those times consisted of not more than earth and turf that could easily erode by all kinds of causes. Another great flood was the All Saints Day flood of 2 November 1532. Large parts of the provinces of Zeeland, Holland, and Utrecht were flooded. Many flooded areas in Zeeland province would remain under water for hundreds of years to come. Not only Dutch provinces but also parts of Northern Germany were flooded. The city of Hamburg was severely damaged. That floods coincided with specific seasons and weather conditions is shown by other All Saints Day floods as they occurred in 1570 all along the Dutch coast, in 1675 in the North-Western parts of Holland and Friesland and in 2006 in the Northern parts of the Netherlands and Germany. In 2006 actually no flooding of in-lying lands occurred because of the Delta plan (see below). Water levels however rose to their highest point in recorded history: 4.83 m above Amsterdam Ordnance Datum or Dutch Ordnance Datum, the reverence average water level at high tide declared in 1872 (Waterstaat, n.d.).

3.6 1916–1932, Zuyder Zee flood defenses

27

It should be noted that most floods in the Netherlands occur during the winter months, when the weather is at its worst and sea water levels rise because of gales in combination with spring tides. Spring tide is the two-weekly occurrence where differences between low and high water levels are highest. When string tides combine with northwestern storms, the situation becomes most dangerous (KNMI, stormvloed, n.d.). Rivers usually overflow in the early month of spring. Melting snow and ice from the Swiss and the German mountains fill up downstream rivers. When the river capacity is exceeded, river levees overflow or brake. One of the biggest storms ever recorded was that of December 1703. In large parts of Wales, England, the North Sea area, the Netherlands and Germany, sea and river levees broke and large areas were flooded (KNMI, decemberstorm-van-1703, n.d.).

3.6 1916–1932, Zuyder Zee flood defenses On 13 and 14 January, 1916 large parts of the area surrounding the Dutch Zuyder Zee were flooded due to a combination of excessive high water levels (spring tide) and gale force Western winds. High water levels were caused by a massive water supply from rivers flowing from Switzerland and Germany. Western winds blowing in an Easterly direction across the North Sea added to the water masses already threatening the levees in the Southern Sea (Deltawerken, n.d.). Since the Zuyder Zee is a water mass almost completely surrounded by land, water could only get out over the levees, or, at many places, through them. Many levees did not hold and broke. Others were thoroughly damaged at their cores and at their land sides due to the storm. Already in the seventeenth century, plans were proposed to close off the Zuyder Zee with a dam (Stevin, 1667). In 1886 the Zuyder Zee Society was founded with the aim of researching possibilities for the draining of the Zuyder Zee. Its member Cornelis Lely drafted a first design in 1891. As a result of the 1916 flooding, Cornelis Lely, then Minister of Water Management, initiated the Zuyder Zee Law in 1918 with the aim of building the Afsluitdijk causeway (a causeway refers to a dam (or bridge) over a lake or sea channel). Work on the Afsluitdijk causeway started in January 1927 and was finished in 1932. Because of its length of 32 km, the Afsluitdijk causeway is not a completely closed dam. There are two lock complexes situated at the Eastern and Western sides of the dam. The Stevin locks are located near the village at the tip of NoordHolland Province, which is at the western side of the dam. The Lorentz locks are located at Kornwernderzand at the eastern side of the Afsluitdijk causeway. Apart from water locks, both complexes also contain navigation locks. Where earlier levees and dams were built from earth, layers of pressed turf and later clay, the Afsluitdijk causeway was built of boulder clay. Boulder clay is a mix of boulders, small rocks, sand, and clay deposited by melting glaciers or ice sheets (Florida, n.d.). In the 1930s, the locations where boulder clay could be found were

28

3 History of flood defenses in the Low Countries

pointed out by a local fisherman who called this clay hard clay or stone clay. Later the dam was fortified with stone cladding (Rijkswaterstaat, 2007) (Fig. 3.5).

N.V.

MAATSCHAPPIJ

TOT

UITVOERING

CROSS

VAN

PROFILE

ZUIDERZEEWERKEN

M.U.Z.

AFSLUITDIJK 85.20 M

SEA SIDE

7. M

4. M+

IJSSELMEER

34. M

N.A.P

Bolder Sand

Bolder and Clay Stone Cladding

Collar Piece

Fig. 3.5: Cross profile Afsluitdijk causeway (based on 1929 postcard “Fight against water”).

3.7 Levees, dams, and water locks, safety-related observations From early times on, levees were not a continuous line of defense against the sea. Because of the continuing extension of levees, villages that were first lying next to the sea, suddenly found themselves separated from it. By way of canals and canalized rivers, the village harbors remained connected to the sea. This however meant that levee systems were interrupted. Therefore the canal borders and the harbor quays had to be heightened and strengthened also. This in time lead to the funny sight of villages lying low behind enormous sea levees, where even the harbor itself is lying far above the water levels of the polders behind the flood defenses. When traveling through the Netherlands, one can frequently observe canals and rivers that flow between levees, where the levees and water levels are higher than the surrounding lands and the water levels in the adjoining polders. In case of a levee break, this would certainly result in flooding of the surrounding areas. This is a safety hazard inherent to levee systems bordering low-lying lands. 3.7.1 Levee constructions are vulnerable In our historic overview we saw that levees, apart from the influence of elements like wind and water, regularly collapsed due to lack of maintenance. We must also

3.7 Levees, dams, and water locks, safety-related observations

29

keep into account that for many centuries, levees could only be constructed and maintained by hand with the aid of shovels, wheelbarrows, and horse carts. Levees could only be reinforced with wooden poles and boards. This led to another threat to levee structures that became apparent in the seventeenth century. Intensive shipping to the Far East brought the pile worm to the Netherlands. Wooden flood barriers and reinforcements had to be replaced by stone cladding on top of the turf layers that made the core of the levees. This leads to a different style of levee structure. Instead of straight sided, the sides of the levees became sloped. This has remained one of the major shapes of levee structures until the present day, depending on the local situation of course. Sloped or trapezoid levees are vulnerable to erosion through winds or currents, or dehydration and consecutive shifting of embankments. Levees and dams are artificial earthen structures. Unlike dunes, which are eroded by wave overtopping, levees should be able to withstand some overtopping, due to their smaller dimensions. Levees derive their erosion-resistance from the materials used to build them, such as clay covered with grass, stone cladding, or asphalt. The shape of the basic earthen structure, often trapezoid in section, is characteristic of these structures. The flood protection capacity of the structure is determined by its height, its shape in profile and the ground on which it stands. Levees must be sufficiently resistant to shearing (stability) and watertight. Stability depends on the shear strength of the levee body and of the subsurface. Fundamentals of Flood Protection, chapter 2.2.2. p.18

3.7.2 River entrances and sluices interrupt a flood defense In the course of time, levee systems extended and became wider and higher. As a result, their protective value increased. River and harbor entrances then had to be reinforced too. Some of the more vulnerable parts of a flood defense system are therefore harbor and river entrances, in many cases regulated by water and navigation locks. This is also indicated in the Fundamentals of Flood Protection manual, which states that the connection of a flood defense to another type of flood defense, such as a dune or high ground, can be a vulnerable transition in the flood defense system (ENW, 2017). Furthermore, where the levees and quays themselves are high and wide earth and stone structures, lock gates usually are only about 50–80 cm thick. Examples of sluice-related safety risks are inadequate handling of the lock gates or lack of maintenance, resulting in malfunctioning of the locks with unwanted water levels in the hinterland as a result.

3.7.3 Flood defense vulnerability table One of the goals of this book is to make the design of security risk scenarios more transparent, and thus more robust. In order to be able to make a good security risk

30

3 History of flood defenses in the Low Countries

scenario, it is necessary to first have an indication of the strengths and weaknesses of the objects or assets we want to protect. That can be a flood defense, but also a harbor facility, a bank building, a supermarket, or the local Christmas market. In practice, it turns out that people with malicious intent abuse the vulnerable spots of a target, such as open doors and unsecured areas, to gain access and steal or wreck things. If one house is well protected, a burglar goes to the less secured house next to it. And why would a terrorist bother with bombs, if it is so much easier to drive a truck into a crowded street? In case of technical structures like flood defenses, the vulnerable spots in the design will most probably correspond with places where safety is at risk. For instance, because people don’t pay attention to what is happening on the work floor, because of a poor design of the technical structure or because of unrestricted access to the surrounding premises. These are most likely vulnerabilities that will be exploited by perpetrators. Before looking at security risk areas, we first want to map the safety weaknesses of flood defenses. These automatically lead us to the vulnerable parts of a technical design that can also be used by perpetrators. We present our findings of structural weaknesses and safety risks of flood defenses in the following table (see Tab. 3.1).

Tab. 3.1: Flood defense types, construction, structural weaknesses, and safety risks. Type

Construction

Structural weaknesses

Natural threats

Man-induced flaws

Primary Boulder clay, defenses, sea covered with fascine levees mats, stone, or asphalt

Designed to withstand great force

Spring tides in combination with western storms, dehydration of the core structure

Lack of maintenance due to high costs, corrosion of materials used

Secondary defenses, river dams, and levees

Sand or river clay, covered with fascine mats and stone, parallel to the flow of the water

Designed to withstand great force

Melting snow and ice upriver, flood surges in river estuaries, dehydration of the core structure

Lack of maintenance due to high costs, corrosion of materials used

Dewatering gates and navigation locks

Timber, stone Moving parts, masonry and timber, lock gates less concrete and iron strong than stone or concrete quays

Obstruction, material bending and distortion, jamming

Construction flaws, lack of maintenance, opening and closing mistakes, accidents

3.8 Levees, dams, and locks, security-related observations

31

This table is anything but complete. Where it concerns “man-induced flaws,” safety risks in a levee design can be manifold. Over the past few centuries, overdue maintenance has been a recurring cause of levee failure. It is also possible that a levee is simply not erase strong enough. The reasons for this can also be many. The legal standards that the levee must meet can be out of date. The standards applied may no longer be in line with – for example – climate developments, soil subsidence, or rising water levels. Or the forces that work into the structure are unprecedented and so high that the levee cannot withstand them. It is also possible that during a storm that would have to take place statistically only once every 200 years, the water just overtops and/or overflows the flood defense. These are recognized failure mechanisms for flood defenses (ENW, 2017). Based on the safety-related observations presented in the previous paragraphs, we can now draw an elementary table with flood defense types, main construction elements, and safety vulnerabilities (see Tab. 3.1). In the following paragraph, we will link safety hazards to security risk elements.

3.8 Levees, dams, and locks, security-related observations Natural threats, constructional weaknesses, and human error constitute safety risks in technical designs. Safety is related to risks that can lead to unintentional damage or the no longer optimal functioning of a technical design. No-one in his right mind will intentionally want to break a levee, or damage a water or navigation lock, resulting in the flooding of adjacent polders and lands. The only difference between a safety and a security risk is that in the case of security the (possible) damage is intended. In Dutch criminal law this is called: “wilful intent” or “premeditation.” An idea that is increasingly taking root in the security domain is that “security is for seventy percent safety.” This means to say that perpetrators will above all try to exploit the structural and human weaknesses in a technical design in order to create havoc and mischief. From this follows that when the safety defects in a technical design (and its controls) are eliminated, this will greatly reduce the security risks related to that design. This assumption is also an important guideline in this book when it comes to identifying security weak spots in flood defenses. There is a lot more to say about defining safety, security, and risk, as Clifton L Smith and David J. Brooks elaborately point out in their standard work The Theory and Practice of Security (Smith & Brooks, 2013). For now we will suffice with the statement of our mentor Ben Ale, emeritus professor of Safety Science at Delft University of Technology, who states that “safety is associated with incidents and accidents. Security deals with malicious acts, such as sabotage and terrorism. There is a grey area, however, where the distinction between security and safety, between accident and criminal act, is difficult to draw” (Ale, 2009).

32

3 History of flood defenses in the Low Countries

3.8.1 Levee systems and security risks We observed that levees and dams are (usually) long, stretched structures consisting of large sand and clay bodies. At least at the dividing line between wind and water they are covered with stone or concrete. From a safety perspective we saw that such structures are vulnerable – among others – to erosion due to wind or currents. The inner structures are vulnerable to dehydration. When we think of deliberately damaging structures like this, the use of explosives comes to mind. Considering the assumption that “safety is seventy percent safety,” it is logical to assume that attackers will focus on flood defenses that are ill maintained and therefore in poor condition. The same applies to levee sections that are lower or less wide than others. We will more completely discuss the use of excessive force in Chapter 7, Flood defenses in offensive strategies.

3.8.2 Vulnerable spots in a system imply security risk In this chapter we observed that the most vulnerable parts of a levee or dam structure are river and harbor entrances, especially when there is a watering sluice or navigation lock. Opening (or closing) the lock gates at the wrong time or in the wrong sequence could lead to flooding downstream (or upstream) of the lock. It would be a human safety error if this were done by mistake. The estimated or calculated chance that this could be done deliberately, is a security risk. The observation that this would be a feasible security risk, implies a shortcoming in flood defense security. Such a security risk should be “designed out” of the flood defense system by implementing security measures. We will discuss various security risks in relation to flood defenses in more detail in the following chapters. These security observations can also be presented in a table (see Tab. 3.2).

Tab. 3.2: Levees, dams, and dewatering gates and navigation locks, security-related observations. Type

Construction

Security Risks

Levees and Layers of earth, dams pressed turf or clay, covered with stone or concrete

Vulnerable to erosion or dehydration. Processes can be speeded up by applying (excessive) force. More obvious targets are older or less maintained sections, river, or harbor entrances, and dewatering gates and navigation locks

Dewatering gates and navigation locks

Lock gates, and especially the hinges, are vulnerable to the use of force, either by jamming or impact, possibly leading to distortion. The lock pound could be blocked. Repair would take time

Stone and concrete constructions with wooden or steel gates

3.9 Conclusions

33

3.9 Conclusions In this chapter we discussed how the Dutch have learned to fight the elements, and especially the surrounding waters of rivers and sea, by erecting levees, canalizing rivers, and draining lakes in order to create arable land. In order to even water levels, special dewatering gates and navigation locks were built. From a security perspective, we made the following observations: Conclusion 3.1 Sloped levees and dams are vulnerable to erosion or dehydration. Safety hazards are inherent to levee systems bordering low-lying lands. Safety risks lie in the inadequate handling or failure of lock gates or lack of maintenance of levees and locks, resulting in shifting or collapse of levees or the malfunctioning of locks, with unwanted water levels in the hinterland as a result. Conclusion 3.2 Deliberate malfunction or even breaches of levees and dams can be attained by applying (excessive) force. Because of the robust construction of levees and dams, more obvious targets would be older or less maintained sections, transitions in levee constructions, river, or harbor entrances, and water or navigation locks. The use of excessive force (such as explosives) can be viewed as accelerating natural processes such as macro and micro instability in flood defenses. These are failure mechanisms that hydraulic engineers have to take into account when calculating the strength of flood defenses. It should therefore not be too big a challenge to include malicious acts as an intended failure mechanism in the standard failure probability calculations of flood defenses.

Conclusion 3.3 Dewatering gates and navigation locks are mostly concrete constructions with wooden (or in later times: steel) gates. Lock gates, and especially the hinges, are vulnerable to the use of force, either by jamming or impact. The lock chamber could be blocked. Repair would take time. Conclusion 3.4 Also the weather is of influence. Most floods in the northern parts of Europe occur during the winter months, when the weather is at its worst and sea water levels rise because of gales in combination with spring tides. When string tides combine with North-Western storms, the situation becomes most dangerous. Rivers usually overflow in the early month of spring, when melting snow and ice from the Swiss and German mountains fill up downstream rivers. In these periods levees are more vulnerable, creating a “window of opportunity” to bring damage to massive flood defenses like this. Water level must then be really high. As a result of the long dry period in the summer of 2018, water levels in the major European rivers such as the Rhine and the Meuse were still too low in the beginning of December.

4 Delta Plan flood defense Abstract: In this chapter we continue our history of flood defenses in the Low Countries with an introduction to the Delta Plan. The Delta Plan was (and is) the major Dutch defense plan against flooding, either from the sea or from overflowing rivers. The Delta Plan has also confirmed the world renowned fame of the Dutch as the world’s leading water and flood defense engineers. The flood defenses constructed as a part of the Delta Plan show the rapid development of flood defense engineering in the past 70 years, and present a wide variety of flood defenses and flood barriers that we can use as examples to develop flood defense vulnerability tables and security threat scenarios.

4.1 1953 Flood Disaster In the night of 31 January, 1953, when spring tide coincided with a severe NorthWestern gale (force 12), levees broke in large parts of the Zeeland, Zuid-Holland, and Brabant provinces. In the North Sea flood of 1953 a total of 1836 people lost their lives. Innumerable livestock drowned. 200,000 hectares of land were flooded. Floods also occurred in England, Belgium, and Germany. In itself, the force of the storm in combination with spring tide, was not unique. Almost the same conditions applied in 1949, and then the levees held. The North Sea is shaped like a funnel, wide at the top, and narrow at the bottom at the Street of Dover. Western storms push the North Sea water masses into the funnel, as a result of which water levels rise. In 1953 the storm lasted 23 h, which meant that an enormous water mass accumulated in the lower part of the North Sea. Levees breached or simply washed away at numerous places. The Delta Committee was established immediately afterwards to draw up plans for preventing any such disaster in the future. The Commission recommended closing off a number of sea inlets, shortening the coastline by about 700 km. The Delta Act was passed in 1958 in response to these recommendations. The most innovative element of the project is the Eastern Scheldt Storm Surge Barrier (ENW, 2017). The recommendations of the Delta Commission provided the basis for safety standards to be enshrined in law. The Delta Commission proposed design high water levels that levees must be able to defend against. This was a simplified way of specifying safety requirements in terms of the probability of flooding which only took account of water levels (ENW, 2017). A flood defense structure should be able to safely defend against a certain peak water level (Fundamentals of Flood Protection, p.13). At the time, this represented a new way of thinking about flood defense. Whereas, in the past, levees had been heightened on the basis of the highest known local water level, from now on they would be reinforced on the basis of the probability that a certain design peak water level would be

https://doi.org/10.1515/9783110622577-004

4.3 Three Islands Plan, Haringvliet dam

35

exceeded. It was no longer a matter of responding to flooding, but of taking a proactive approach based on statistical analysis. The Delta Commission underpinned the standards by balancing the costs of reinforcement against the reduction in flood risk (Fundamentals of Flood Protection, p.14).

4.2 Delta Plan flood defenses Based on earlier plans, in 1950 the construction of two sea-blocking dams started in order to protect the Botlek harbor area of Rotterdam, and close of the Brielse Maas flowing in the direction of Rotterdam. The islands of East and West Zeeuws Vlaanderen were then connected by a third dam in the Braakman estuary (1952). Other levee improvements were planned, but were not implemented in time to prevent the 1953 levee breaches. Immediately after the 1953 Flood Disaster, plans were proposed by the Delta Committee to raise the Schouwen levee encircling the island of Schouwen-Duiveland from 3 to 5 m (!) above sea level. This plan was not considered to be a part of the Delta Plan in general. The Delta Committee then recommended to close off the Hollandse IJssel river estuary from the sea. This was a critical recommendation. The Hollandse IJssel connects Rotterdam to the North Sea. In the event of unusually high water, the river water would be unable to flow away. The combination of high tides and Western storms and the resulting rise of seawater levels would effectively stop the flow of river water to the sea. The river would then easily overflow or burst its banks, endangering an industrialized area with more than a half million inhabitants. The Hollandse IJssel actually flows through the lowest lying area of the Netherlands. Ultimately a movable construction was chosen, the Hollandse IJssel Storm Surge Barrier (also called the Algera Storm Surge Barrier, which is the name of the adjacent bridge). The barrier would only be closed in case of severe storm warnings. Work on the barrier started in 1954, and was completed in 1958. Characteristics of the Hollandse IJssel are the 45-m-high, concrete towers with two 80-m-wide lock gates in between. This barrier is the first hydraulic structure of the Delta Works (Mooyaart & Jonkman, 2017) (Fig. 4.1).

4.3 Three Islands Plan, Haringvliet dam In 1957, work started on the Three Islands Plan, part of the so-called Third Delta Plan. The plan gets its name from the three islands that would be linked by building two dams: the islands of Walcheren, North Beveland, and South Beveland. This work had already been planned before the 1953 disaster, but had never been implemented. Initial aim of the plan was land reclamation. After the 1953 flooding, the main objective became flood safety. Building the dams would also help generate

36

4 Delta Plan flood defense

Fig. 4.1: Hollandse IJssel Storm Surge Barrier (Jan van Galen, Collection Rijksdienst voor het Cultureel Erfgoed, object nr. 525.085).

the experience for building larger dams. Next to that, the dams would also improve road links between the islands. Innovative was the construction of the dam of Veere between 1958 and 1961. Because of strong tidal currents, open caissons with lock doors were used to first bridge the gap in the Veere estuary. After connecting the caissons and embed them on the bottom, the locks in the caissons were closed. The dam closes off the Veere lake from the Eastern Scheldt River and the North Sea (Fig. 4.2). The most complex dam in the Third Delta Plan was the Haringvliet dam. The Haringvliet dam would have two functions. First, the dam had to protect the further inward lying lands against future floods. Second, the dam should not hinder the draining of the rivers Rhine and Meuse in the North Sea. It was therefore logical to build an almost 1,000 m long lock complex, designed to regulate the amount of water flowing from the New Waterway shipping canal into the North Sea. The lock complex contains 17 water locks. Adjacent to the locks, a navigation lock was built (Fig. 4.3). Construction of the Haringvliet dam started in 1957 and was completed in 1971. In order to sustain the construction, 22,000 concrete pillars were driven into the weak estuary bed. Each of the 34 lock gates (one at the sea side and one at the river side of the 17 water locks) is 56 m wide and 6 m high. The dam is 4.5 km long and bridges the Haringvliet estuary between the Dutch islands of Goerree-Overflakkee and Voorne-Putte. In order to create a natural delta, the Haringvliet locks were to be put permanently ajar in 2018, but at the time of writing this decision was postponed.

4.3 Three Islands Plan, Haringvliet dam

Fig. 4.2: Closing of the dam of Veere (Collection Rijksdienst voor het Cultureel Erfgoed, object nr. 404.802).

Fig. 4.3: Haringvliet water locks (https://beeldbank.rws.nl, Rijkswaterstaat, 324.316).

37

38

4 Delta Plan flood defense

According to Mooyaart and Jonkman, a storm surge barrier is a fully or partly moveable barrier that can be closed temporarily to limit water levels in the basin behind the barrier and so prevent flooding of the area surrounding the inner basin. Storm surge barriers are opened during normal conditions to allow tidal exchange and facilitate navigation. The Haringvliet dam should therefore not be considered a flood surge barrier, since it mainly allows river runoff from the rivers Rhine and Meuse. Structures like this differ from storm surge barriers as water only flows in one direction (Mooyaart & Jonkman, 2017). This view may be reconsidered once the barrier will stay open permanently.

4.4 Delta Plan, safety-related observations In Tab. 3.1, we presented a proposal for a flood defense (safety related) vulnerability table, based on a first analysis of (historic) dam, levee, and lock constructions. We identified several safety hazards. Levees for instance are vulnerable to erosion through winds or currents, or dehydration and consecutive shifting of embankments (in case of peat-based levees). We also concluded that some of the weakest points in flood defense structures are harbor and river entrances, in many cases controlled by dewatering gates, flood gates, and navigation locks. In the Delta Plan, new techniques such as testing levee and flood barrier constructions in flood wave simulating tanks, made it possible to design flood defense structures to withstand flood surges that statistically only occur every 100 or 200 years. This means that the levees and hydraulic structures of the Delta Plan are stronger than those of the Afsluitdijk causeway, built in the early 1930’s. Although there is only a time difference of about 30 years, technical expertise and engineering made a huge leap because of the scientific drive during the Second World War. The Fundamentals of Flood Protection manual refers to the Dutch Water Act. The Water Act stipulates different types of required reliability levels for flood defenses, based on a probability of flooding approach (ENW, 2017). This approach is part of a “multilayer” safety concept consisting of three layers: 1. Prevention: measures to stop floods from happening 2. Spatial design: to mitigate effects of flooding, and 3. Crisis management: to limit the consequences of flooding. (Fundamentals of Flood Protection, p.3). In the 1960s the Delta Commission calculated an appropriate flood probability of 1/125,000 per year for levee system 14 in Zuid-Holland province, which was eventually translated into an annual exceedance probability for the water level of 1/10,000 per year. Today the maximum permissible probability of flooding for the segments in levee system 14 ranges from 1/3000 to 1/30,000 per year (Fundamentals of Flood Protection, p.66). It is important to distinguish between calculating (security) risk and probability. Dake defines risk as “the probability of an event occurring, combined with an accounting for the losses and gains that the event would represent if it came to pass” ( Dake, 1992). According to Smith and

4.4 Delta Plan, safety-related observations

39

Brooks, “probability provides a quantitative approach to risk assessment, which for certain data sets may be suitable. However, security risks usually lack historical data sets. In addition, security risks are attempting to deal with intelligent humans who are trying to defeat risk mitigations strategies. For example, the probability of a terrorist event is almost impossible to calculate (. . .). Therefore, in security risk management, likelihood should be used over probability” (Smith & Brooks, 2013).

4.4.1 New flood barrier constructions relate to new safety risks This does not mean however that the modern flood defenses of the Delta plan, and other recent flood defenses and flood barriers, are without safety risk. It is for instance difficult to predict how the different parts in modern hydraulic structures will stand up to time in the decades to come. There is also politics involved. In the case of the Haringvliet dam, the first plans opted for a fully closed dam. The safety risks related to closed dams are minimal. Resistance from fishers and environmentalists ultimately led to the construction of a semi-closed dam that was also much more expensive than initially planned. The (relatively) weaker hydraulic parts and gates of a sluice in a (much) stronger levee or dam imply a greater chance of safety risks occurring.

4.4.2 Moving parts imply increase of safety risks The Hollandse IJssel Storm Surge Barrier, like the Haringvliet sluices, is a construction with moving parts. Moving parts in any construction imply the increase of safety risks. There may be inherent construction flaws that engineers are not (yet) aware of, like structural failure or general loss of stability in a hydraulic structure. Moving parts may jam or distort (and then jam). Lifting constructions (cables) may jam or break. Operators may make mistakes with the result that gates get stuck in either closed or opened state. (Automatic) response to (surge) flood warnings may be inadequate with the result that gates fail to close, or fail to close on time. Inadequate maintenance increases the chance that operating mechanisms will function inadequately at the moment(s) that they are most needed. These observations are of course place (and time) bound. There will certainly be places, looking around the world, where the construction or maintenance of flood defense systems has defects. When it comes to the Dutch situation, those responsible state that the water levels and the weather conditions are known 14 days in advance. This gives ample warning to take the necessary preventive measures. Furthermore, the Fundamentals of Flood Protection manual explicitly refers to periodic safety assessment and the necessity of crisis management when things threaten to go wrong.

40

4 Delta Plan flood defense

4.4.3 Flood defense safety risk table (extended) In Chapter 3 we introduced a basic (safety related) flood defense vulnerability table (see Tab. 3.1). We can now expand that table for the Delta flood defenses discussed in this chapter (see, Tab. 4.1). Although not discussed before, in the table we can also add failure of computer controls or advanced warning systems. We will discuss these systems in more detail in the following chapters.

4.5 Delta Plan, security-related observations Based on our first safety risk table for flood defenses, we presented a tentative security risk analysis of flood defenses. We presented the results in a separate table. We will try to extend these tables based on our findings in this chapter. We will also try to integrate the safety and security risk tables into one table.

4.5.1 Security assessment of levees and dams We observed that levees and dams are relatively simple, although quite massive, structures. The chance that anything will happen to the structure of modern levees and dams under normal conditions is relatively low. Unless of course nature throws the 200 year “perfect” storm at them that the dam designers envisioned. When this leads to overtopping (waves rolling over the levees), this does not necessarily mean that a levee structure fails. Should Tsunami like waves roll over the levee and dam structures, this would be a calculated risk. Overtopping does not have to lead to flooding of the rear lying lands. Should the levees or dams however be breached, than this would imply a safety hazard. For the moment, we use the words safety risk and hazard in such a way, that we can connect more easily to security risk principles. The approach in the Fundamentals of Flood Protection manual is based on reliability analysis, where a required level of reliability imposes a maximum on the probability that a certain limit state will be exceeded within a certain period of time. Exceeding an ultimate limit state is also referred to as failure. Failure and breaching are not the same thing. Breaching refers to the loss of integrity or a major geometric change. A flood defense structure can fail without breaching. The water might for example overtop the structure, causing flooding, without a breach appearing in the structure. Conversely, a flood defense structure can breach without failing. Surface slide on the landside of a levee does not necessarily lead to flooding, for example (Fundamentals of Flood Protection, p.70).

The difference between safety and security in relation to levees and dams is that in the case of security, the (threat of) failure or breaching of a levee or dam is

Structural failure of parts of the structure, general loss of stability in hydraulic structure, failure of transitional structures, (as a result of internal erosion, for example) See above

Concrete pillars, steel gate construction, designed to withstand excessive water pressure due to melting snow and ice or incoming tidal or flood waves

Concrete bridge pillars and span;  water locks with a total of  hydraulic lock gates

Hollandse IJssel storm surge barrier

Haringvliet dam, semiopen (tidal) storm surge barrier

Designed to withstand excessive combinations of wind and tide

Sand, clay, boulder clay, covered with fascine mats and stone; Veerse Gat dam core strengthened with concrete caissons

Three Islands dams

Structural weaknesses

Construction

Type

Tab. 4.1: Delta Plan flood defenses, safety risks. Man-induced flaws

See above

Erosion of steel and concrete parts, unexpected combinations of wind (storm) and in and out flowing water surges

See above

Inherent construction flaws, lack of maintenance, human error resulting in failure to close, or to close on time (failure of computer controls or advanced warning systems)

Erosion by wind, tidal waves, Lack of maintenance currents, excessive gales and storms; natural forces in excess of designed capacity

Natural threats

4.5 Delta Plan, security-related observations

41

42

4 Delta Plan flood defense

intentional. The failure or breaching of the flood defense is the explicit aim of a perpetrator’s actions. In case of levees and dams, the force needed for such intentional disruption would be high. Furthermore, the Melin study implies that destructive material should be buried into the levee bodies to have effect (Melin, 2014). At this moment in our analysis, we do not see such an event happening in the near future. The probability of such a security risk occurring can therefore be classified as low. The security risk qualification we will use for now is not the outcome of a scientific comparison, but a relative, subjective judgement. Opposed to a quantitative assessment, this constitutes a qualitative assessment. In a table indicating security risks, we can mark the qualitative assessment of a perceived risk with “plus” (“+”) signs. Since we assess the security risks for levees and dams to be relatively low, we can suffice with one plus (Tab. 4.2).

Tab. 4.2: Levees and dams, security risks. Object Levees and dams

Perceived security risk(s) +

4.5.2 Security assessment of flood barriers In Section 4.4.1 we observed that new flood barrier constructions relate to new safety risks. Moving parts imply increase of safety risks. This in turn implies that the construction(s) become more vulnerable to deliberate actions aiming to put the flood barrier out of operation. It is after all easier to make use of existing (safety) vulnerabilities, than to look for new vulnerabilities that may be exploited to do damage. As we have seen, the Haringvliet dam with its 17 water locks and adjacent navigation lock is a large and complex construction. Because of the number of locks and gates it is difficult to imagine harmful intent against all 17 locks at the same time. And if that seams impractical, what good (or in this case: bad) would it then do to harm only one or several of the lock gates? The answer to this question might be different in case of a full-scale war, but that is the topic of another chapter (Chapter 7, Flood defenses in offensive strategies). We therefore assume the security risks in relation to the Haringvliet water locks to be low. The Haringvliet navigation lock would be a more obvious target. For this reason we mark the Haringvliet dam with two plusses in our security risk table (see Tab. 4.3 (1)).

4.5 Delta Plan, security-related observations

43

Tab. 4.3: Delta Plan, security risks (1). Object Levees and dams Haringvliet dam (navigation lock)

Security risk + ++

4.5.3 Hollandse IJssel Storm Surge Barrier, security risks As mentioned in Section 4.2 Delta Plan flood defenses, the Hollandse IJssel Storm Surge Barrier consists of four 45-m-high towers, placed on both sides of the IJssel river near the Dutch city of Capelle aan den IJssel. Two enormous gates measuring 80 m wide and 11.5 m high hang vertically between the towers. The doors are strengthened with half ellipse shaped steel constructions. When there is a risk of flooding, the doors are lowered into the water. Next to the barrier a navigation lock was built for those ships that are too high to pass under the doors. A bridge, the Algera bridge, crosses the barrier and shipping channels between the lifting towers. We do not want to delve too deep into the security aspects of the barrier at this point. However, there are a few things that catch the eye. The Hollandse IJssel Storm Surge Barrier is a complex, mechanical structure. Where the water sluices in the Haringvliet have relatively low contours on the horizon, the four towers of the Hollandse IJssel Storm Surge Barrier dominate the landscape. Since the gates are normally open, this strengthens the formidable impression of the construction. In comparison the adjacent shipping sluice is of simple construction. The combination of high rising towers and the gates hanging between them offers an impressive sight. For persons wanting to make a statement, this could be an attractive target. Having said that, we note that this is easier said than done. When it comes to causing floods, this can only be done by leaving the flood gates open. This does not necessarily have to lead to flooding, the levees in the hinterland may hold. The probability of flooding also depends on variables such as water level, the time of year, and weather conditions. If shipping is to be impeded, both the barrier gates and the gates of the navigation lock must be barred. All together a laborious “task” to undertake. We consider the chance that such an action will be carried out to be low. However, that chance is higher than in the case of the locks in the Haringvliet dam. We therefore note three pluses for the Hollandse IJssel Storm Surge Barrier in our security risk table (see Tab. 4.4 (2)).

44

4 Delta Plan flood defense

Tab. 4.4: Delta Plan, security risks (2). Object Levees and dams Haringvliet dam Hollandse IJssel Storm Surge Barrier

Security risks + ++ +++

4.5.4 Delta Plan safety and security risk matrix Safety (science) and security (science) are closely linked. We already noted that many security professionals agree on the notion that “security is for 70 percent safety.” This because perpetrators will most likely try to exploit safety weaknesses in a technical construction in order to create the highest possible damage. This has the “handy” side-effect that less effort is needed to attain the pursued effect. We will therefore try to integrate the safety and security tables that we presented until now into one. Since we assume that perpetrators will most possibly try to exploit structural weaknesses and man-induced flaws or errors to their advantage, we will retain the “structural weaknesses,” “natural threats” and “man-induced flaws” columns. The “type” and “construction” columns however will be bundled into one “construction” column. Last, we will add a fifth column containing our security-related observations. In the following chapters we will use this table layout as a starting point. The security-related observations in the table show only a first analysis, that we will expand later in this book (Tab. 4.5).

4.6 Conclusions In this chapter we discussed the first flood defenses constructed as a result of the Dutch Delta Plan (1953–1971). We used them as an example for security risk analysis and the construction of basic security risk tables.

Before we present the conclusions of this chapter, we like to make a note, a disclaimer if you like. Our goal in this book is to develop methods in order to make the development of security risk scenarios more transparent. The flood defenses and flood barriers described in this book are “real world” structures that do run specific security risks. One could say that this book helps people with bad intentions on their way. However, we base our observations on open sources. In most cases, Google Maps and Google Street View give ample information to make a reasonably accurate security risk analysis. Everybody could do this.

4.6 Conclusions

45

Managers and operators should therefore look at this book as a way to help improve current security management plans, or if there are no such plans, to develop them. Ultimately we hope that the methods proposed in this book will be incorporated in flood defense, lock and harbor reliability analyses in order to cope with malicious intent at the earliest stage possible: the design stage.

Tab. 4.5: Delta Plan safety and security risks (1). Construction

Structural weaknesses

Natural threats

Man-induced flaws

Security threats

Designed to Erosion, withstand dehydration excessive combinations of wind and tide

Lack of maintenance

Massive levee and dam structures; very low threat perception

Dam structure: see above

Dam structure: see above

Dam structure: see above

Dam structure: see above

Dam structure: see above

Concrete bridge pillars and span;  steel gates, hydraulic lift arms

Hydraulics, lifting mechanisms

(Steel) corrosion, unexpected combinations of wind (storm) and in- and outflowing water surges

Construction flaws, lack of maintenance, human error resulting in failure to close, or to close on time (failure of controls)

Complex mechanicalhydraulic structure; obstruction, jamming, tampering with hydraulics and controls

See above

Complex mechanical structure, obstruction, jamming, tampering with controls

Levees and dams Sand, clay, boulder clay, covered with fascine mats, stone, or asphalt

Haringvliet dam

Hollandse IJssel Storm Surge Barrier Concrete pillars, free hanging steel gates, four elevator towers with cables and winches

Moving parts, See above heavy gates, vertical lifting against gravitational forces

46

4 Delta Plan flood defense

Regarding the security risks discussed in this chapter, we made the following observations. Conclusion 4.1

Levees and dams are relatively simple constructions, their main characteristic is their massive earth or clay body. The Delta Plan levees and dams are therefore less vulnerable to malevolent action then (for instance) river levees. Deliberate failures can only be induced by applying (excessive) force. For this to have result additional action would be needed, such as digging (deep) into the body of the flood defense. Conclusion 4.2 Instead of the flood defenses such as the levees and dams discussed in this chapter, more obvious targets would be sluices or navigation locks. The same applies to movable parts in the bigger flood barriers. Conclusion 4.3 In case of the Haringvliet dam, the 17 water locks are obviously the weakest element in the dam structure. Since these are only water locks, it is difficult to perceive what would be gained by a permanent malfunctioning, either in closed or open state of the gates. For the same reason, failure of only several of the locks, would not very much reduce the effectiveness of the flood barrier as a whole. Conclusion 4.4 The oldest, and at the same time one of the most complex constructions of the Delta Plan, is the IJssel Storm Surge Barrier. Because of its high rising construction, the always open massive gates, and the nearby bridge and vertical lift bridge, the construction is vulnerable. Most parts of the barrier construction are rather easy to reach. Gates, hinges, and lift constructions are vulnerable to the use of force, either by impact or jamming. The sluice channel can be blocked, as can the navigation lock. Repair would take time. The high rising construction would make it an easy target for propelled weapons.

5 Storm Surge Barriers Abstract: In the previous chapter we discussed the design and construction of flood defenses and flood barriers in the first 21 years of the Dutch Delta Plan. We use the realization of the Delta Plan as an example for the enormous development of flood defenses and flood barriers in a relatively short time. In this chapter, we conclude our review of the Delta Plan flood barriers by looking at various storm surge barriers. As in the previous chapters, we will also assess the safety and security risks associated with these flood barriers and we extend our safety and security risk table accordingly.

5.1 Eastern Scheldt Storm Surge Barrier The next, and at the same time, biggest undertaking of the Delta Plan works was the construction of the Eastern Scheldt Storm Surge Barrier (Fig. 5.1). First plans suggested that a 9 km long dam should be build. Work on the dam started with building three so-called work islands in the Eastern Scheldt estuary (Roggenplaat, 1969; Neeltje Jans, 1970; and Noordland, 1971) and damming the space between them. In 1973 only a section of 4 km wide was left to be closed. Massive protests from fisheries, shellfish growers, sailors, and environmental organizations led to a political crisis at cabinet level and eventually a (very costly) change of plans. In order to preserve the salt water environment of the Eastern Scheldt estuary, ultimately a design was chosen based on lockable moving gates. The construction is such that there will be no need to replace the barrier for the next 200 years. Needless to say that building a fully closed dam would have resulted in a less lower chance of flooding, and much reduced cost. Building the sluices in the flood barrier started in 1997 and finished in 1986. Then the flood barrier also established an 8 km long road link between the islands of Schouwen-Duiveland and Noord-Beveland. The Eastern Scheldt Storm Surge Barrier is 9 km long and equipped with water locks over a length of 3 km. The locks close on average once a year. The locks are designed to withstand a high-water situation that occurs statistically only once in 4,000 years. The barrier has 65 colossal pillars. In between, vertical lift gates of about 42 m long and 6–12 m high are hydraulically operated. The gates weigh between 260 and 480 tons. The Eastern Scheldt Storm Surge Barrier will close when a water level of 3 m above NAP is predicted (Rijkswaterstaat, n.d.). The Eastern Scheldt Storm Surge Barrier is manually operated. If human control should fail, or staff is not present, an electronic security system acts as a backup. The gates are then closed automatically based on measured water levels (Rijkswaterstaat, n.d.).

https://doi.org/10.1515/9783110622577-005

48

5 Storm Surge Barriers

Fig. 5.1: Eastern Scheldt Storm Surge Barrier (Jos de Lange, 2015).

5.2 Maeslant Storm Surge Barrier In the original Delta Plan, no provisions were made for closing the access to both the Western Scheldt river to Antwerp and the New Waterway to Rotterdam. Instead, the river embankments would be raised and strengthened. Eventually the planned embankments of the New Waterway were thought to be too low to protect the densely populated area of South Holland Province. The construction of raised and fortified levees would also be a very costly affair. Major parts of the planned levee reinforcements would need a very wide base, which would use up valuable land space in this densely populated and industrialized province. Widening the base of levees and dams to be fortified would only be possible at the expense of existing buildings and infrastructure. As a less costly solution, it was decided to build a storm surge barrier in the entrance to the Dutch IJssel river. As a result, many river levees would not have to be strengthened and raised. Work started on the Maeslant Storm Surge Barrier in the Hollandse IJssel estuary in 1991. The storm surge barrier became operational in 1997 (Fig. 5.2). Since the construction of the Maeslant Barrier was planned in a busy shipping route, at the mouth of a fairly wide river, a double floating sector gate design was chosen, spanning 360 m. A sector gate consists of a double gate. Each gate has a circular shape, transferring forces through a steel frame to the hinges at each side of the opening. It operates by rotating around two vertical axes. During operation the doors will rest on the river bed. In nonoperational condition, the doors are stored in special docks in the river banks (Kerssens, Oorschot & Pot, 2018). In Russia, the Saint Petersburg Storm Surge Barrier has a design similar to that of the Maeslant Storm Surge Barrier.

5.3 Hartel Storm Surge Barrier

49

Fig. 5.2: Maeslant Storm Surge Barrier (https://beeldbank.rws.nl, Rijkswaterstaat, 406.305 / Joop van Houdt, 2007).

5.3 Hartel Storm Surge Barrier In the same year when the Maeslant Storm Surge Barrier was finished (1997), the construction of the Hartel Storm Surge Barrier in the Hartel canal near the Dutch city of Spijkenisse also reached completion (Fig. 5.3). Purpose of the Hartel barrier is to close off surge floods into the New Waterway to Rotterdam, without interrupting excessive (river) water flows from Switzerland and Germany. The Europoort harbor area itself would be defended by an added levee running from the Maeslant Storm Surge Barrier to the Hartel Storm Surge Barrier (Rijkswaterstaat, 2014). Like the Hollandse IJssel Storm Surge Barrier, the Hartel Storm Surge Barrier is of the vertical lift gate type with two barrier gates. Hydraulic cylinders lift the gates. The flood barrier gates are ellipse shaped. The towers are oval shaped. This helps deflect unexpected currents. The ellipse shape of the doors and the oval shape of the towers also help deflect wind surges. The gates are always open during normal weather conditions. When there is an exceptional storm, the slides can be lowered into the water. The barrier does not completely close off the water flow. The water flows over the barrier. In this way, excess seawater or river water can freely flow either upstream or downstream. The Hartel barrier is operated by the same fully computerized barrier operating system that operates the Eastern Scheldt Storm Surge Barrier. The barrier operating

50

5 Storm Surge Barriers

Fig. 5.3: Hartelkering (Quistnix, 2009) (Flickr, CC BY-SA 2.0).

system decides whether or not the barriers need to be closed (Rijkswaterstaat, 2013). It was thought that the circumstances of closure could be more objectively determined by a computer than by humans. It was calculated that the barrier would need to be closed about once or twice every ten years at the most. There is however a team of five people present during operation (Nogueira & Walraven, 2018). When the barrier is closed, no ships can pass through the Hartel canal. During closure, the navigation locks next to the Hartel Storm Surge Barrier are also closed. Every two weeks, checks are made to ensure the gates can still move. The gates are then moved only for a few centimeters, which is enough for defects to be traced early. The only time that the Hartel flood barrier reportedly was closed was on 8 November, 2007, for a period of 20 hours during a North-Westerly storm. At the same time, the Maeslant Storm and the Eastern Scheldt Storm Surge Barriers were also closed.

5.4 Ramspol Bellows Weir Storm Surge Barrier (2002) Although not an official part of the Delta Plan, a new flood surge barrier was completed in 2002 at the Ramspol location near the Dutch city of Kampen (Fig. 5.4). Ramspol bellows weir is an inflatable dam, situated between the Ketel Lake and the Black Lake near the city of Kampen. A weir is a barrier across a river designed to

5.4 Ramspol Bellows Weir Storm Surge Barrier (2002)

51

Fig. 5.4: Ramspol Bellows Weir (https://beeldbank.rws.nl, Rijkswaterstaat, 508.170 / Herman Scholten).

alter its flow characteristics. In most cases, weirs take the form of obstructions smaller than most conventional dams, pooling water behind them while also allowing it to flow steadily over their tops. Weirs are commonly used to alter the flow of rivers to prevent flooding, measure discharge, and help render rivers navigable (Wikipedia, 2017). The Ramspol bellows weir was constructed in order to protect the area alongside the Black Lake from pressuring water masses from the Ketel Lake. In 2002, it was the biggest inflatable dam in the world, and the first to be used as an (inflatable) flood barrier. The Ramspol bellows weir consists of three rubber elements or chambers that are automatically filled with air and water during North-Westerly storms, when the water level has risen to 50 cm above N.A.P. A computer system follows predefined procedures and decides whether or not to close the barrier depending on measured water levels and flow direction (Nogueira & Walraven, 2018). When inflated, the weir prevents excessive water flows toward the Black Lake (in Dutch: Zwarte Meer). Each bellows has a span of 80 m and is 10 m high from top to bottom when fully inflated. The complete barrier is 360 m wide, including a small stretch of dam in the middle of the river. Shipping is not possible when the storm surge barrier is closed. The barrier was put into operation for the first time in January 2012 when a North-Westerly storm pushed water from the IJssel Lake up the IJssel river (Rijkswaterstaat, 2015).

52

5 Storm Surge Barriers

5.5 Storm surge barriers, safety-related observations 5.5.1 Eastern Scheldt and Haringvliet Storm Surge Barriers Where the Haringvliet Storm Surge Barrier consists of gates of a visor like construction, or in technical language: segment gates rotating around a horizontal axis (Mooyaart & Jonkman, 2017), the Eastern Scheldt Storm Surge Barrier is equipped with vertical lift gates, with a construction that resembles a guillotine. Some of the gates of the Eastern Scheldt Storm Surge Barrier are up to 12 m high, which is twice as high as the gates in the Haringvliet Barrier. This means that the forces of currents, winds, and (storm) tides may have a greater influence (force) on the construction. The hydraulic cylinders operating the gates tower high over the locks, and give spectators on the bridge annex road that spans the whole of the barrier an indication of the depth of the estuary at that particular gate. The construction of the hydraulics in the Eastern Scheldt Flood Barrier seems to be of a more complex nature than that of the Haringvliet Barrier. How this influences the probability of safety risks occurring is unclear. Dijk and van der Ziel indicate that the maintenance category for both segment gate and vertical lift gate is “average.” The probability of failure for both gate types is low (Dijk & van der Ziel, 2010).

5.5.2 Maeslant Storm Surge Barrier The Maeslant Storm Surge Barrier is a huge construction. Not only the gates are large but also the hinge constructions are of enormous proportions. It is like rotating the complete Eiffel Tower on its side, pivoting around the very top of the structure. This means that the surface over which the hinges are pivoting has to be completely flat and free of blocking objects. According to Dijk and van der Ziel, the maintenance category for this type of flood barrier gate is “high.” The failure probability for this gate type is also “high” (Dijk & van der Ziel, 2010). It is clear that the sector gate construction is susceptible to risk. The construction is vulnerable to obstruction by larger objects. Distortion of the moving arms will lead to blocking the gates from operating. Damage to the pivoting pins would render the whole flood barrier useless. Damage to the hydraulics has the same effect. Damage by floating objects in the canal during closing is also conceivable.

5.5.3 Hartel Storm Surge Barrier The Hartel Storm Surge Barrier, like the Hollandse IJssel Storm Surge Barrier, is of the vertical lift gate type. The sliding gates are driven by hydraulic cylinders with a long piston which are hinged to the side towers (Mooyaart & Jonkman, 2017).

5.6 Storm surge barriers, security-related observations

53

According to Dijk and van der Ziel, the maintenance category of this type of gate is “average.” The failure probability for both gate types is low (Dijk & van der Ziel, 2010). However, the gates that are each hung between two elevating towers are normally open. They are then vulnerable to gusting winds and storms. The construction must therefore be strong enough to resist these forces of nature. Like with the Hollandse IJssel Storm Surge Barrier, parts of the elevating mechanisms are in the open and therefore maintenance intensive and vulnerable.

5.5.4 Ramspol Bellows Weir The Ramspol Bellows Weir is of a modern, innovative construction that has many advantages. The weir is of a relatively simple construction. It resembles inflatable cycle tires, be it of enormous size. Since the weir normally rests deflated on its threshold at the bottom of the lake, this also reduces its vulnerability to for instance impact. Vulnerability will be highest when the weir is inflated. In that case however the weather circumstances will be such that there is no shipping in the vicinity. When the weir is inflated, holes in the rubber casing will possibly only result in relatively minor damage. Water and air inside the weir will most probably only flow out slowly. This means that repair is possible in relatively little time, even during a storm.

5.6 Storm surge barriers, security-related observations In the previous chapters we observed that safety risks can be exploited by perpetrators intending harm to technical designs such as flood barriers. Safety risks imply weak spots in flood defenses, and those weaknesses are the first vulnerabilities that attackers will look for. In this and previous chapters we observed that some flood barrier types have a more complex structure than others. Technical designs becoming increasingly complex implies an increased vulnerability to safety risk. Vulnerability takes into account both the effect and the likelihood of safety risks occurring. An increase in possible safety risks in turn implies increased vulnerability to security risks. In case of security threats, an extra risk dimension is added to the risks in the safety risk domain: that of human intent and intentional disruptive actions. In the Netherlands, the Fundamentals of Flood Protection manual (ENW, 2017) is an important guideline for the design, construction, and maintenance of levees and other flood defenses. Starting point for the manual are flood risks, which can be calculated in different ways. The risk of flooding is roughly expressed in the formula . Security risks can be expressed in the same formula. However, security risks are not taken into account in the manual. We advise to do so. With security risks we simply add a new failure mechanism into the failure calculations of flood defenses: willful failure.

54

5 Storm Surge Barriers

5.6.1 Eastern Scheldt Storm Surge Barrier Like the Haringvliet Storm Surge Barrier, the Eastern Scheldt Storm Surge Barrier contains vertical lift gates. The Eastern Scheldt Barrier, however, is much longer than the Haringvliet Storm Surge Barrier, since it contains more water locks. The amount of gates, however, is roughly the same, since in the Eastern Scheldt Barrier every lock only contains one gate. In the Eastern Scheldt Barrier, the casings for the hydraulic cylinders are protruding above the pillars sustaining the lock gates. The upper part of the lock gates are visible from the road that spans the barrier construction and the lateral beams connecting the pillars. Like in the case of the Haringvliet Bridge, it is difficult to imagine what good it would do to damage one or more of the water locking gates. This would be more of a political statement than an effective operation to render the complete barrier inoperable. Damaging the whole of the barrier would be more conceivable in a full-scale war, but even then the reason behind such an action would be unclear. Since there is a manually operated control system, there is a theoretical chance that control of the barrier as a whole is taken over, and the gates are opened when they should be closed. However, such an event would only be of consequence in a relatively small time frame during excessive weather conditions. Since the barrier control room would then also be manned, the likelihood of such an occurrence happening is even less. In the case of SCADA controls (control from a distance over the internet), there is a theoretical chance that those controls are hijacked. Given these observations, we give the Eastern Scheldt Storm Surge Barrier two pluses in our security risk table (see Tab. 5.1). Tab. 5.1: Delta Plan, security risks (3). Object

Assumed security risks

Eastern Scheldt Storm Surge Barrier

++

5.6.2 Maeslant Storm Surge Barrier The complex mechanical structure of the Maeslant Storm Surge Barrier and its relatively high contours above ground imply that various methods for obstruction or even destruction are feasible. The most obvious way for preventing the proper operation of the flood barrier would be to damage the controls, the hydraulics, or obstruct or distort the swing arms moving the giant gates. Relative to the size of the structure, only little force would be needed to achieve this. An obvious way to hamper the operation of the barrier would be to place a heavy object (or several of those objects) in the path of the swivel arms. The engineers that

5.6 Storm surge barriers, security-related observations

55

designed this particular structure will, however, have foreseen such an event, and will have implemented a safety mechanism into the barrier system. Like with all dams and barriers that block waterways, there are two scenarios. In case one would want to block shipping traffic, the closed flood barrier should remain closed. If the goals would be to cause flooding, then the flood defense should be open in bad weather conditions. The surge flood barrier closes only a few times a year, and during testing only a little. And, as we stated before, the “window of opportunity” for interference in bad weather conditions would be small. Yet, compared to the other flood barriers discussed until now, we consider the Maeslant Storm Surge Barrier the most vulnerable. We therefore give the Maeslant Storm Surge Barrier three pluses in our security risk matrix (see Tab. 5.2).

Tab. 5.2: Delta Plan, security risks (4). Object

Security risks

Eastern Scheldt Storm Surge Barrier

++

Maeslant Storm Surge Barrier

+++

5.6.3 Hartel Storm Surge Barrier Since the construction features of the Hartel Storm Surge Barrier are the same as those of the Hollandse IJssel Storm Surge Barrier, it is logical to expect security risks of the same order (see Section 4.5.3). Contrary to the Hollandse IJssel Storm Surge Barrier, where two gates are placed behind each other to reduce risk of failure, in the Hartel Storm Surge Barrier the gates are placed next to each other. The construction is also of a newer design (1997), which made it possible to use larger gates, and comparatively less bulky lifting towers. Like the Hollandse IJssel Storm Surge Barrier, the Hartel Storm Surge Barrier is a complex, mechanical-hydraulic design with four dominating lift towers. The gates are normally open, which is clearly visible from the embankments, and the bridge and road running parallel to the flood barrier construction. Next to that, both bases of the outer lifting towers are relatively easy to reach, since access is only restricted by a fence (Fig. 5.5). Because of the bridge and public road next to the storm surge barrier, and the nearby service roads that are easy accessible, the storm surge barrier is vulnerable. However, this is a giant structure, and the various parts are huge. This means that considerable effort and force are needed to bring harm to the structure. We have already discussed the motives for blocking a storm surge barrier in opened or closed state. Actually, we consider the time frame, or “window of opportunity,” for such

56

5 Storm Surge Barriers

Fig. 5.5: Hartel Storm Surge Barrier closed (Quistnix, 2009) (Wikimedia CC A-SA 3.0).

action to be limited. Incidentally, shipping traffic can always make use of the adjacent navigation lock. Altogether this makes harmful actions with limited intent less likely. A more obvious target would be the controls; in case of SCADA controls most likely from a distance over the internet. Given these considerations, we will give the Hartel Storm Surge Barrier three pluses in our security risk matrix (Tab. 5.3). Tab. 5.3: Delta Plan, security risks (5). Object

Security risks

Eastern Scheldt Storm Surge Barrier

++

Maeslant Storm Surge Barrier

+++

Hartel Storm Surge Barrier

+++

5.6.4 Ramspol Bellows Weir The more modern, the more simple the design of surge flood barriers seems to become. We can only applaud this. In case of complex technical structures, perpetrators will most likely make use of safety deficiencies like structural failures caused

5.6 Storm surge barriers, security-related observations

57

by lacking designs or inattentiveness of operators and supervisors. We already mentioned “security is seventy percent safety.” We like to add the assumption that “less mechanical complexity leads to less safety risks. And less safety risks means less opportunity for security risks.” Looking at the Ramspol Storm Surge Barrier, these sayings certainly hold true. For how simple can you make a structure? We already mentioned that the Ramspol Storm Surge Barrier very much resembles a huge bicycle tire. Seen from the N50 highway road crossing the bridge parallel to the storm surge barrier, there are only six small cylindrical pump houses at both ends of the three bellows sections. Next to the pump house on one of the embankments there is a glass structures that serves as a small museum (Fig. 5.6).

Fig. 5.6: Ramspol Bellows Weir seen from route N50 (https://beeldbank.rws.nl, Rijkswaterstaat, 508.171 / Herman Scholten).

Since most part of the storm surge barrier resides under water, the construction as a whole is very difficult to damage. This would be different when inflated, but the chance that the weir will inflate is already low and therefore difficult to predict. The effect of a damaged weir is also difficult to predict, since this is a not a densely populated area. In case the weir should not deflate, ships can easily take another route. Given these considerations, we give the Ramspol Storm Surge Barrier one plus in our security risk matrix (see Tab. 5.4). Tab. 5.4: Delta Plan, security risks (6). Object

Security risks

Eastern Scheldt Storm Surge Barrier

++

Maeslant Storm Surge Barrier

+++

Hartel Storm Surge Barrier

+++

Ramspol Storm Surge Barrier

+

58

5 Storm Surge Barriers

5.6.5 Delta Plan dam and flood barrier overview We presented a first overview of safety and security features of the Delta Plan in Tab. 4.5. We will add the observations in this chapter to the next, extended matrix (Tab. 5.5). As we cautioned before, the security threats perceived are derived from a Tab. 5.5: Storm surge barriers, safety, and security risks. Construction

Structural weaknesses

Natural threats

Man-induced flaws

Security threats

Erosion of foundation and sills; obstruction

Construction flaws, lack of maintenance, human or computer error in operating flood gates

Complex mechanicalhydraulic structure; low threat perception, no obvious threats

See above

See above

Complex mechanicalhydraulic structure, various ways for obstruction imaginable (however limited time frames)

The flood surge See above barrier is designed in such a way that during extreme floods, a large volume of water can flow over the gate; strong structural design

See above

Complex mechanicalhydraulic structure, various ways for obstruction imaginable; object rather easy to approach; adjacent bridge and road vulnerable

Eastern Scheldt Storm Surge Barrier Largest cumulative span of all the storm surge barriers.  hydraulic gates of the vertical lift type with a span of  m

Designed to withstand excessive combinations of wind, storms, and currents; gate lift construction (hydraulics) vulnerable to wear

Maeslant Storm Surge Barrier Double floating sector gate spanning  m. The storm surge barrier has the deepest sill level of all storm surge barriers,  m below mean sea level

Huge pivoting swing arms and gates, susceptible to wear and deformation

Hartel Storm Surge Barrier Two lens-shaped vertical lifting gates with spans of  and . m, with a height of . m. The sliding gates are driven by hydraulic cylinders with long pistons that are hinged to the side towers

5.7 Conclusions

59

Tab. 5.5 (continued ) Construction

Structural weaknesses

Natural threats

Man-induced flaws

Security threats

Obstruction or jamming by debris, heavy floating objects

See above

Construction vulnerable when inflated; limited time frames; low threat perception; adjacent bridge and road vulnerable

Ramspol Storm Surge Barrier Modern and innovative design, inflatable rubber tubes

More easily damageable than steel or concrete; dependent of pump mechanisms

rather superficial, subjective scenario-based analysis, which we use as a starting point for further reflection.

5.7 Conclusions In this chapter we discussed the design of newer Delta Plan storm surge barriers, as an example for the development of flood defenses over time. We extended our Delta Plan safety and security risk table accordingly. We made the following security risk-related observations. Conclusion 5.1 Like in the Haringvliet Dam, the 62 water locks in the Eastern Scheldt Flood Dam are the weakest elements in the dam structure. Since these are only water locks, it is difficult to perceive what would be gained by a permanent malfunctioning of (all) the gates, either in closed or open state. At the same time, a malfunction of only one or two of the locks would not very much reduce the effectiveness of the Haringvliet Storm Surge Barrier as a whole. Conclusion 5.2 Damaging the navigation lock in the Eastern Scheldt Flood Dam Levees would possibly result in some delay in shipping movements, but since this is not a main shipping route, the net effect would be minor. Conclusion 5.3 It would be fairly easy to damage the Maeslant Storm Surge Barrier because of its giant pivoting swing arms and the wide unrestricted area needed for movement. However, like with other surge flood barriers, the time frame for doing so effectively is limited. Normally there are only a few days in the year that the barrier is closed. On the other hand, when closed, the barrier

60

5 Storm Surge Barriers

prevents shipping in one of the major shipping lanes in and around Rotterdam harbor. However, the adjacent canal and navigation lock would still facilitate restricted shipping. Conclusion 5.4 Like the IJssel Storm Surge Barrier, the Hartel Storm Surge Barrier is a high-rising construction with gates that are always open. In case of obstruction, there is an adjacent navigation lock. The parallel running bridge and highway are vulnerable. There is only a simple fence around the lifting towers on both sides of the river. Gates, hinges, and lifting constructions are vulnerable to the use of force, either by jamming or impact. Damage to the barrier would result in blocking the channel. Repair would take time. Conclusion 5.5 Since the main body of the Ramspol Bellows Weir resides under water, its vulnerability is low. Since the barrier is located in a little populated area, this further reduces security risks.

6 Flood barriers in defensive strategies Abstract: In the previous chapters we went back in history to see how the construction of flood defenses developed over time. At the same time, we also looked at the safety and security aspects of those flood defenses. However, over the centuries, water has not only been a threat. It can also be a friend (if it behaves itself). In relation to security, we can learn a lot from the use of water in defensive applications. In Europe, and in Dutch history, water defenses have frequently been used as a defense against foreign invasions and dominance. Flood barriers can not only be used as defense against water, but they can also be used for retaining water. The Dutch invented an ingenious combination of waterworks for such purpose. Understanding of these constructions increases our insight into flood barrier weaknesses, and security-related vulnerabilities.

6.1 Fifteenth century: brick walls and water for defense Since early times, water has been used for defensive strategies. Indigenous peoples who were threatened hid in marshes, and eventually became marsh- or water people. Huts that originally were built on poles against the tides also proved effective against human enemies. From 605–562 BC, Nebuchadnezzar, King of Babylon, built immense walls around Babylon, using the Euphrates and extending canals as defensive moats surrounding the inner castle (Drower, 1954). The Romans built huge fortresses surrounded by ditches that also could be filled with water. In the Middle Ages, the rich and powerful built castles that were surrounded by moats (Fig. 6.1). During the Middle Ages, cities acquired the rights to erect walls as an outer defense. Because cities grew to be much larger than castles, moats were replaced by canals. These canals could also be used for transporting goods in and out of the city. Cities relied on their walls for security far into the fifteenth century. By the end of the fifteenth century, the introduction of guns in Italy required a different type of city wall. In 1527, the German Albrecht Dürer published a design where city walls were extended with protruding round towers (later called bastions). From here canon could fire from different angles and parallel to the adjourning walls. This added to the defensive capabilities of the walls. Both Dürer’s and the Italian way of building thick stone walls however relied heavily on the use of expensive brick and mortar. Eventually, stone walls were reduced to heights that were less vulnerable to gun fire. Earthen walls proofed to be more efficient and less costly than brick ones. Lower walls had the added advantage that defenders also could use cannon to shoot from behind the walls. Because of their recoil, it was rather perilous to shoot with guns from high castle or city walls. https://doi.org/10.1515/9783110622577-006

62

6 Flood barriers in defensive strategies

Fig. 6.1: Muiderslot, 1891 (Collection Rijksdienst voor het Cultureel Erfgoed, object nr. 016.396).

6.2 Sixteenth century: Dutch earth and water fortresses In the Netherlands, around the time of the Eighty Years’ War (1568–1648), instead of brick, a cheaper form of earthen defenses and moats was developed. Famous are the city defenses of Antwerp (1540) and the Rammekens fortress near Flushing (1547). The extensive bastions were designed by Simon Stevin. In the service of the Dutch fieldmarshal and Prince of Orange, Maurits, Simon Stevin designed earthen wall fortresses with extensive overlaying bastions. The moats followed the shape of the earthen battlements and bastions (Fig. 6.2). Simon Stevin is renowned for laying the foundations of mathematical science, which he applied to the layout of his fortresses. Most fortresses were built at the intersection of levees, since the roads on these levees also acted as natural lines of communication and trade. The party that held the fortress thus dominated the lines of communication and trade in the region.

6.3 Flooding as a first line of defense Apart from fortresses at strategic levee intersections, the abundant availability of water in the Northern parts of the Netherlands could also be used for military purposes. During the Eighty Years’ War in the Netherlands, during the siege of Alkmaar (1573), Diederik Sonoy ordered his soldiers to open the locks at Krabbendam and Aardswoud in order to flood the Zijpepolder (Beukers, 2007). This forced the Spanish army to abandon the area and halt the siege of Alkmaar. Flooding a polder was usually easy to

6.4 Dutch water defense lines

63

Fig. 6.2: Naarden fortress bastions (Collection Rijksdienst voor het Cultureel Erfgoed, object nr. 521.734).

initiate. Experts who could point to the places where a levee breach would sort the maximum effect were normally quickly found. But plans for the restoration of the levees after the scheduled flooding were mostly missing. It took sometimes decades before damaged levees were repaired. The effects of deliberate floods are still visible in many places. The tidal canals of the Saeftingher Hole, Hellegat, Braakman, and Havengat in the Dutch province of Zeeland were a result of deliberate inundations during the War of Independence against the Spanish in the 1580s (De Kraker, 2015). Flooding was not always an effective military tool. In order for flooding to be effective, the water height in the inundated area should not be more than 50 cm. Too high to be traversed on foot, and too low to be traversed by boat. Next to that, the bottom of flooded land (previously probably being a marsh or lake) is not always level. Thus, military commanders could never be sure that enemy soldiers would not be able to cross the inundated polders. In 1672, during the French invasion of the Dutch Northern provinces, 9,000 French troops were able to traverse the frozen flooded area along the Old Rhine river near the city of Woerden. As a result, the villages of Bodegraven and Zwammerdam were annihilated (Fig. 6.3).

6.4 Dutch water defense lines The French invasion of the Dutch Northern Provinces in 1672 forced the province of Holland to quickly build a water defense line between the Southern Sea and the Merwede river. The defense line successfully deterred the French invasion of Holland. In the next 120 years, the defense works were extended and many bastions, forts, and special sluices for quick flooding were built.

64

6 Flood barriers in defensive strategies

Fig. 6.3: Village of Bodegraven, 1749 (H. Spilman, Collection Rijksdienst voor het Cultureel Erfgoed, object nr. G-152).

After the Napoleonic occupation of the Netherlands, the year 1815 marked a new period in Dutch history. The new King of the Netherlands, William I, initiated commercial and military endeavors to improve the state of the impoverished country. Work started on a new water defense line in the eastern parts of the provinces of North and South Holland. In 1872 the water defense line was officially named “New Holland Water Defense Line” as opposed to the old Water Defense Line.

6.5 Amsterdam water defense line From 1880 to 1920 work started on a new water defense line encircling the city of Amsterdam. This so-called “Stelling van Amsterdam” (Amsterdam Defense Line) consisted of interconnected lakes, canals, guard locks, navigation locks, and 45 forts at the intersection of levees and roads. According to some, the Stelling van Amsterdam and the New Holland Water Defense Line effectively deterred the Germans from invading the Netherlands in 1914. Nevertheless, at the start of the construction of the defense works, the design already lagged behind military developments. In 1883, the first fort to be build had to be redesigned and was built in concrete due to the invention of the high-explosive shell. The New Holland Water Defense Line played a significant role in Dutch military thinking and planning until the start of the Second World War in 1940. In 1914, the Dutch military were lucky that the potential of the aircraft was not understood as it is today. In the first and beginning of the second year of the First World War, planes were merely used for reconnaissance and the guidance of artillery fire. In Flanders, the flooding of the area around the IJzer river proved to be an effective measure against a further advance of the Germans. In the Netherlands, levees, fortifications, and battlements were therefore continuously adapted to new developments in artillery fire power and range. Even in the early months of 1940, new concrete bunkers

6.5 Amsterdam water defense line

65

and pill boxes were added in order to strengthen the Amsterdam Defense Line fortifications against modern weapons (Fig. 6.4).

Fig. 6.4: Stelling van Amsterdam, Ossenmarkt Weesp (N. de Jong, Collection Rijksdienst voor het Cultureel Erfgoed, object nr. 10785-8595).

When the Dutch government in 1921 decided to build the Afsluitdijk causeway to dam the entrance to the Southern Sea estuary, the Ministry of War proposed to extend the Amsterdam Defense Line with defense works consisting of concrete bunkers and pill boxes near the Stevin dewatering gates and navigation locks at Den Oever (at the most northwestern point of the province of Northern Holland) and the dewatering gates and navigation locks at Kornwernderzand. Because the water locks were integrated in the defense plan, bridges over the locks were not designed as high rising drawbridges but as revolving bridges. Both complexes also contain concrete artillery and machine gun firing positions. The fortifications at Kornwernderzand were one of the few fortifications in Europe that effectively withstood the German Blitz Krieg in 1940. Regretfully, the Germans eventually circumvented the Kornwernderzand fortifications and crossed to North Holland province by boat. With the introduction of full-scale air warfare, the dropping of paratroopers behind defense lines and “strategic bombing” (bombing defenseless “open” cities), static defenses like the Holland Water Line became obsolete.

66

6 Flood barriers in defensive strategies

6.6 Water defense lines, safety-related observations The Amsterdam and Holland Water Defense Lines were effectively used three times: in 1870 because of the French–German war, during the First World War and up to the beginning of the Second World War. The extensive use of modern weaponry, tanks, airplanes, and ultimately the bombing of the city of Rotterdam, forced the Dutch government to surrender on May 15, 1940. From a present day perspective, the Dutch water defense lines had in-built deficiencies. In order to quickly flood the area in front of the defense structures, special water inlets or outlets were built. Many of these water locks still exist today. These docks constitute as many vulnerable spots in present day levees. However, since these are nowadays mostly secondary water defenses, we must not overrate the importance of the still existing flooding locks. In modern days it is not even necessary to use flooding locks to let water in. In some polders it suffices to stop draining them for a period of three days. Then, the water level will automatically rise to 50 cm above ground level.

6.7 Water defense lines, security-related observations The most prominent disadvantage of extended water defense works such as moats, canals, and fences, is that they have to be constantly guarded in order to be effective. When this is not feasible, a quick intervention or reaction force should be available to respond quickly to the intrusion. Even in older days, the flood locks in water defense lines had to be guarded by soldiers. Not because of a potential enemy, but because of farmers who did not want their lands flooded. Their aim was to block the locks and make it impossible to open them. However, we think that the lessons from the past can help to make modern flood defenses more secure. Defense works don’t necessarily have to guard complete levees. We are thinking of critical objects such as dewatering gates and navigation locks, pumping stations, river control towers, and radar towers. Water works like canals and artificial lakes can be used to deter perpetrators with malevolent intent. Even dry moats can help to prevent burglary in for instance office buildings, when rightly designed. This is one of the study objects in the CPTED discipline, which stands for Crime Prevention Through Environmental Design. The biggest disadvantage of static (water) defense lines was shown in the early days of May 1940. If you cannot go around a defense line, you can still fly over them. The most famous example was the capturing of the Eben-Emael fort in Belgium, near the Dutch border and the Dutch city of Maastricht. On May 10, 1940, Germany launched Fall Gelb, an invasion of the Low Countries. By attacking through the Netherlands, Luxembourg, and Belgium, the German High Command believed correctly that German forces could outflank the French Maginot Line and

6.8 Conclusions

67

then advance through southern Belgium and into northern France. This would cut off the British Expeditionary Force and a large number of French forces, and then force the French government to surrender. Part of the plan was to get hold of three bridges over the Albert Canal, two of which were covered by artillery fire from the Eben-Emael fort. The fort was taken in a daring raid, landing glider planes with paratroopers on top of the defense works (Harclerode, 2005). In this book we make a clear distinction between war like situations, and “local” situations of hooliganism, criminal behavior, and – ultimately – terrorism. CPTED measures like scaping the landscape around an object as a defense perimeter have proven to be effective. In case of war however, completely different considerations apply.

6.8 Conclusions In this chapter we looked at the specific use of flood defenses, in the sense of a water retainer for use in water defense lines. Flood barriers can be used as defense against water, but they can also be used to stop enemy forces from advancing. The Dutch invented an ingenious combination of waterworks for such purpose. Knowledge of these constructions not only increases our insight into the vulnerabilities of flood defenses, but also offers solutions to secure the various components of flood defenses. In this chapter we have made the following comments: Conclusion 6.1 Levees and flood barriers can not only be used as a defense against water, they can also serve as a means to retain water in flooded polders. This prevents enemy forces from making use of the inundated lands. Conclusion 6.2 Flooding polders for defense reasons implied the use of specially designed sluices, and breach methods for levees and flood barriers. These facilities are nowadays obsolete, but can still be vulnerable spots in modern water defenses. Conclusion 6.3 To inundate lands is not always effective. Polders in many cases used to be lakes, the bottom of which are seldom level. This means that some areas will flood earlier than others, or not at all. Flooded lands also can not be used by friendly parties. Plans for future restoration are many times lacking. Conclusion 6.4 The historical methods of using water as a defensive resource can be useful when it comes to securing (parts of) flood defenses against vandals, criminals, and other perpetrators.

7 Flood defenses in offensive strategies Abstract: In the previous chapter we looked at the historical use of flood defenses for defensive purposes. Adversaries on the other hand will want to break through these defenses. In this chapter we will research events in the more recent history of the Second World War. Offensive actions during Second World War show that there can be many reasons for attacking flood defenses like levees and dams. These Second World War attacks give us an impression of the vulnerability of flood defenses, and the forces needed to breach them. This in turn tells us something about the effectiveness of offensive weapons in relation to flood defenses. It may also give us an indication of possible protective measures such as strengthening or defensive redesign.

7.1 Flood defenses and violent actions In an extensive study about water and terrorism, Gleick gives an overview of violent actions against water-related facilities both in the United States and abroad. The first violent conflict that Gleick records regarding the use of water is the burning of the Ferry house on the Brooklyn shore of the East River in 1748. New Yorkers accused Brooklynites of having set the fire as revenge for unfair East River water rights. In the 1840s, several attacks on water reservoirs and dams occurred because local inhabitants considered them a health hazard (Gleick, Water and terrorism, 2006). Since these are all offensive actions within a local setting, we do not consider these to be terrorist acts. The partly successful attempt to destroy a lock on the Welland Canal in Ontario, Canada, in 1890, could certainly be labeled as a terrorist act against a foreign country. By then the Canadian Confederation was already in existence (1867). This act was allegedly carried out either by Fenians (people from Irish descent fighting for independence from England) protesting against English politics in Ireland, or by agents of Buffalo NY grain handlers unhappy at the diversion of trade through the canal (Gleick, Water and terrorism, 2006). Another Irish related raid took place on April 21, 1900, when a dynamite charge was set off against the hinges of Lock No. 24 of the Third Welland Canal, doing minor damage (Welland Tribune, 2010). Gleick reports still another interesting incident, in this case concerning disputes about fresh water supplies. Especially since fresh water supply is still an issue in California today. In the period 1907–1913 in Owens Valley, Los Angeles, the Los Angeles Valley aqueduct and pipeline suffered repeated bombings in an effort to prevent diversions of water from the Owens Valley to Los Angeles. Local farms suffered from reduced water levels and even droughts (Gleick, Water and terrorism, 2006, p. 487). Although these bombings happened more than a century ago, they are a https://doi.org/10.1515/9783110622577-007

7.3 Attacks on dams and levees in Europe

69

warning of what may happen in the near future in similar circumstances in other countries. California is increasingly threatened by water shortages. According to some, this is mainly a result of the blocking and redirecting of natural water flows in order to direct sweet water to big cities such as Los Angeles. At the same time the amount of water city dwellers may use is not limited. An extensive chronological list of water-related offensive actions can be found on worldwater.org, a project of the Pacific Institute (worldwater.org, 2018).

7.2 Physical attacks on dams (2001–2011) The United States Department of Homeland Security (DHS) describes in its 2012 summary a number of attacks on dams worldwide between 2001 and 2011. By providing a historical perspective and describing previous attacks, the study aims to enhance the ability of SSA partners (Dams Sector-Specific Agency) to identify, prepare, and protect against potential security threats (DHS, 2012). See also the overview in the Appendix, Tab. A.1, Dam Attacks 2001–2011. Many of the attacks mentioned in this study relate to events in Third World countries. This is understandable since insurgents in Africa, South-East Asia, and the Middle East operate in some of the least densely populated areas in the world. Electricity-generating river dams are in many cases situated upstream and (far) away from coastal cities. These river dams are often the biggest mechanical structures in the area. When insurgents want to make a political statement, dams like these are an obvious target.

7.3 Attacks on dams and levees in Europe As we saw in Section 6.3, flood defenses can also be used offensively. At the siege of Alkmaar (1573) locks were opened deliberately to flood the Zijpe polder and thus frighten away the Spanish forces. But what to do when you cannot reach the locks, since they are (far) behind enemy lines? The first offensive action in the Netherlands that comes to mind is the bombing of the levees of the island of Walcheren in 1944. Because of the failure to capture the bridges at Arnhem as a springboard for a quick invasion of Germany, the Allied Forces realized that they first had to capture the harbor of Antwerp as their main supply route for future actions against the Germans. In order to open the Scheldt River route to Antwerp, the Germans had to be denied access to the northern side of the river banks. The island of Walcheren however was heavily fortified, and could not be invaded by the Allies without heavy casualties. On October 2, 1944, the local population of Walcheren Island was warned for the coming bombing raids. But evacuation routes were closed off by the Germans, so people could not go anywhere.

70

7 Flood defenses in offensive strategies

In the afternoon of October 3, 1944, the 5-km-long Westkappel Sea Dike was attacked by 247 (!) Lancaster bombers. The dam literally evaporated over a length of 120 m. The village of Westkappel was almost fully destroyed. The bombardment however did not achieve the complete flooding of Walcheren Island. On 7 October, a second bombardment followed with 59 Lancasters on the Nolle levee near the port city of Flushing. This bombardment only succeeded to breach the levee over a length of 20 m. A simultaneous attack at the primary levee near Rammekens (near Flushing) succeeded in breaching the levee over a length of 400 m. For the Allies the extent of the resulting floodings were still not sufficient. On October 11 an attack followed at the Oostwatering levee near the city of Veere by 60 Lancasters. At the end of November, almost 80% of Walcheren Island had flooded. The numbers of aircraft used in these air raids, and the amount of explosive loads they carried, gives us an idea of the enormous amount of force necessary in order to breach levees successfully. And then most raids did not even succeed in the first attempts!

7.4 Dam Buster attacks in 1943 The use of so many planes for the Westkappel bomb raid is the more peculiar, since in 1943 a famous bombing raid was flown to the German industrial area of the Ruhr, using far less planes. Each plane was equipped with a single specially designed dam busting bomb. For this so-called Operation Chastise, the versatile Lancaster bomber was chosen. The Lancasters were adapted to carry the so-called “Bouncing Bomb,” designed by Barnes Wallis. It was thought that the Germany Ruhr valley dam attacks would destroy large industrial areas, but in the end had little effect (Fig. 7.1). What the 1943 Dam Buster attacks show us is that the results of underwater explosions are unpredictable and have to be planned very carefully. The explosives have to be placed in exactly the right place, very next to the object that is to be destroyed or damaged. When there is even a little space between the explosion and the object, the water in between will dampen the blast effect considerably. In order to achieve the best effect, a special rotating bomb was designed, which – when it hit the dam – “rolled” to the foot of the dam and exploded there. According to the Canadian Bomber Command Museum, during Second World War, the Lancaster was the most successful bomber used by the Royal Air Force and the Royal Canadian Air Force. The Lancaster had speed, ceiling, and lifting power that no other aircraft of the day could match. Weighing 36,900 pounds empty, the Lancaster was capable of taking off with an additional 33,100 pounds of fuel and bombs; in other words, it could almost carry its own weight again. The “Grand

7.5 Attack modes and attack-types table

71

Slam,” a 22,000 pound special purpose bomb designed to penetrate concrete and explode below the surface to create an earthquake effect, could only be delivered by the Lancaster and the Lancaster was thus chosen for special operations such as the “Dam Busters” raid and the attack which sunk the German Battleship Tirpitz (bomber command museum, 2018).

Fig. 7.1: Lancaster Bomber, blockbuster bomb attached (public domain, source: Wikimedia, https://commons.wikimedia.org/wiki/File:Upkeep_in_Lancaster.jpg).

7.5 Attack modes and attack-types table In its 2012 study, DHS concludes that attacks can be carried out by individuals, small teams of a few perpetrators, or larger groups acting in a coordinated fashion. There are an infinite number of possibilities regarding potential combinations of resources, tactics, tools, and weapons that could be employed against water management and water defense assets. DHS has defined a reference set of attack modes and attack types that represent convenient sets of different possible combinations (DHS, 2012). Based upon a superficial analyses of dam attacks, the following notional classification of physical attacks modes and types can be presented (see Tab. 7.1) (Source: DHS, 2012)) We will extend this table in the following chapters.

72

7 Flood defenses in offensive strategies

Tab. 7.1: Attack modes and attack types (Source: DHS, 2012). Attack mode

Attack type

Land

Mechanical equipment Small arms (Man-portable) Explosive device and/or incendiary device Assault team (with/without explosives) Vehicle-borne explosive device Stand-off weapons

Water

Water-borne explosive device Underwater explosive device

Air

Aerial bombing or strafing Aircraft impact

7.6 Offensive strategies, safety and security observations In previous sections we observed that safety weak spots offer opportunities to perpetrators to easily inflict harm or damage. This is especially the case in complex industrial environments. Compared to business and industrial environments, flood barriers, levees, and dams are a completely different category. They vary from simple, monolithic structures (such as levees and dams) to large hydromechanical complexes that combine various functions such as water management, navigation locks, harbors, and industrial facilities. Most flood defenses, although huge in appearance, are nevertheless basically relatively simple technical designs. Over the years, storm surge barriers have become state-of-the-art, ultra-modern but increasingly simple structures that either work, or do not. As a result, safety has become less of an issue. Storm surge barriers are designed to withstand great forces of various nature. That in itself is a guarantee for safe(r) operations. While they are normally in “stand-by” mode, the only thing that is required of flood barriers is that they function in case of need. This in turn requires state-of-the-art, fail-safe machinery and operating systems. This may lead to more complexity in the system, but the goal is safer operations and less complexity for the operators. This again diminishes safety risks. When it comes to offensive actions against flood defenses like storm surge barriers, it depends to a large extent on the barrier shape to what extent such an action is effective. An advantage is that, over time, the technical designs of flood defenses have become less and less complex. Modern flood barriers are also easier to repair or replace when damaged. That is why the search for weak spots in water defenses is becoming increasingly important. It is clear that when it comes to small-scale “enemy” actions, water

7.7 Conclusions

73

defense elements such as dewatering gates and navigation locks are obvious targets. Stretched-out levee elements are much less obvious targets. When it comes to offensive actions against flood defenses like storm surge barriers, it depends to a large extent on the barrier shape to what extent such an action is effective. An advantage is that, over time, the technical design of flood defenses has become less complex. Modern flood barriers are also easier to repair or replace when damaged. That is why the search for weak spots in water defenses is becoming increasingly important. It is clear that when it comes to small-scale “enemy” actions, water defense elements such as dewatering gates and navigation locks are obvious targets. Stretched-out levee elements are much less obvious targets. That is also what we learn from history. If it was effective in 1840 to blow a lock gate out of its hinges, than that probably still is the case today. In a military setting, a massive force attack is still feasible. Covert actions against selected targets require more subtle approaches, but may be much more effective. Flood defense managers have to prepare for that kind of actions.This observation is in line with the conclusion(s) of the Melin study (Melin, 2014).

7.7 Conclusions Where in Chapter 6 we looked at the history of using water as a means of defense, we researched several offensive uses in this chapter. We made the following observations: Conclusion 7.1

Conclusion 7.2

The more simple flood defenses like levees and dams are difficult to damage, even when applying massive force. Even when there is a breach, the land behind the flood barrier may not flood immediately, or evenly. With modern techniques and equipment, breaches may be restored rather quickly. Contrary to massive attacks, offensive actions focusing on weak spots in the (hydromechanical) structure of more complex flood barrier designs may be (much) more effective, and generate results more quickly. The resulting effects however may be of a lesser size. Since damaging actions have a local focus, the effects can be combated faster and more effectively.

8 Systematic analysis of flood barrier technologies Abstract: In the previous chapters we discussed various flood defense and flood barrier constructions, following a historic footpath according to the year that the barrier was completed and became operational. This approach helped us to stepby-step broaden our insight in the technological progress in flood barrier construction. At the same time, we started developing our flood defense vulnerability and attack-type tables for various types of flood barrier. In order to be able to look at these vulnerabilities form a wider perspective, we looked at the use of water for defensive purposes, and the effects of flood defenses under attack. This approach helped us to better understand the safety risks and security threats associated with flood defenses and flood barriers. We can call the method of looking at the development of flood defenses over time an analogous approach. A scientific approach requires a more systematic analysis of both the technical structures that we study, and the safety and security risks associated with each structure. We therefore partly repeat the observations from the previous chapters, but only the essentials. We also add a number of flood barriers to our list. A classification of flood barrier types helps us to make a comparison between the vulnerabilities of each flood barrier type. This also helps us to gain insight in the way these differences influence the development of security threat scenarios.

8.1 Flood defense categories The Dutch Delta Commission that we mentioned earlier only considered the defenses along the coast. It was not until later that other bodies, building on the ideas of the Delta Commission, set safety standards for the Dutch river levees. The standards proposed by the Delta Commission and subsequent commissions relate to what in the Netherlands are called primary flood defenses that offer protection against flooding from major bodies of water (or “outer waters”). Outer waters in the Netherlands are the sea, the major rivers, and the large lakes. Primary flood defenses include levees, dams, dunes, and structures forming part of them, such as cuts and locks (ENW, 2017, p. 15). A cut or “coupure” in Dutch/French, is an interruption in a water defense in hydraulic engineering. Usually, a cut in a levee is made where a road has to pass the water barrier. Cuts are most usually found in and around villages and cities, where it is easier for cars, trams and pedestrians to cross the flood barrier at street level. In case of threatening high water, the space is filled up with boards that fit into incision in the walls at either side of the cut, and is then most times strengthened with sandbags.

https://doi.org/10.1515/9783110622577-008

8.1 Flood defense categories

75

Besides primary defenses, the Netherlands also has regional defenses along canals and man-made lakes. A breach in regional defenses will generally have a smaller impact than a breach in the primary defenses, though it can still have considerable consequences. The safety standards for these defenses are set by the provincial authorities. Finally, the country also has many kilometers of flood defenses with no specific status, for which no safety standards have been specified in national or provincial legislation (ENW, 2017, p. 15).

8.1.1 Types of primary flood defenses According the Fundamentals of Flood Protection manual, most primary flood defenses provide direct protection from flooding. Some do so indirectly, by limiting the load on other flood defense structures situated further away. In this approach, the Afsluitdijk causeway that we discussed earlier is a primary flood defense. It reduces the loading on the flood defenses around the IJsselmeer or IJssel Lake in the center of the Netherlands. Storm surge barriers like the Ramspol Bellows Weir are also considered primary flood defenses. If such a water defense structure fails, the hydraulic load on the secondary flood defenses beyond increases. This will also increase the probability of flooding, although this does not necessarily mean that a flood will actually occur (ENW, 2017, p. 18). The Fundamentals of Flood Protection manual lists the following types of flood defenses: dunes, levees and dams, and hydraulic structures. In this book we do not consider high grounds to be flood defenses. River levees are not mentioned in this list, but we do consider river levees to be primary flood defenses, especially along the big European rivers Rhine, Meuse, and Waal. Dunes are natural landscape features. They are formed by the wind from sand that washes ashore, in interaction with vegetation that captures and retains the sand. Stabilization can be expedited or enhanced by planting marram grass. Because of their shape and width, dunes normally have a natural “defense in depth” capacity. Although this defense in depth capacity is lagging in specific dune rows that are only one row deep, we will not discuss them further in this book. We already discussed levees and dams extensively. The shape of the basic earthen structure – often trapezoid in section – is characteristic of these structures. The flood protection capacity of the structure is determined by its height, its shape in profile and the ground on which it stands. Levees must be sufficiently resistant to shearing (stability) and watertight. Stability depends on the shear strength of the levee body and of the subsurface (ENW, 2017, p. 18). The third category of primary flood defenses mentioned in the Fundamentals of Flood Protection manual are protective hydraulic structures. This kind of flood protection is defined in the manual as “safeguard for another function that intersects the flood defence.” They include structures like the IJmuiden navigation locks; storm

76

8 Systematic analysis of flood barrier technologies

surge barriers like Hollandse IJssel, Maeslant, and Eastern Scheldt; and sluices like in the Haringvliet dam (ENW, 2017, p. 21). To allow the various functions to operate, hydraulic structures generally have one or more moving closure mechanisms. When closed, the mechanism transfers the forces working on it to the rigid part of the structure. The storm surge barrier in the Eastern Scheldt protects the land behind it, while still allowing tidal movements (ENW, 2017, p. 21). According to the Fundamentals of Flood Protection manual, it is not always possible to draw a sharp distinction between the different types of flood defenses and the elements that comprise them. A combination of a hydraulic structure and an earthen structure is also known as a water-retaining structure. Such structures may reinforce, complement, or completely replace earthen structures. Examples include sheet piling, cofferdams, and retaining walls. They are also referred to as longitudinal structures. The Fundamentals of Flood Protection manual specifically points to the connection between the water retaining structure and the adjoining earthen structure, which requires particular attention in the design process. This implies that this is a vulnerable part of the water defense structure. This in turn may indicate both a safety and, consequently, a possible security risk.

8.1.2 Vulnerabilities of dams and levees Although construction techniques have improved drastically in the last 100 years, the earth and clay composition of levees and dams has changed little over the ages. However, because of the introduction of new machinery and cladding materials, the chance of natural deterioration and destruction has been greatly reduced. Nevertheless, some inner construction flaws of earth and clay levees and dams have remained the same. The main threat to modern levee and dam structures is, apart from strong currents and tidal waves, subsidence through fluid withdrawal (Donaldson, Chilingarian, & Yen, 1995). This can even result in the dislocation of (parts) of a levee. A shocking example of this occurred in Wilnis, the Netherlands, in 2003. Potential failure mechanisms mentioned by the Fundamentals of Flood Protection manual are overflow, overtopping, macro-instability in landside slopes, macro-instability in waterside slopes, micro-instability in the landside (or waterside) slope due to outward seepage through the structure, erosion of waterside slopes due to wave action or currents, and uplift and piping as a result of seepage through the subsurface. The different failure mechanisms can impact on each other. Sliding of the landside slope can, for example, compromise the erosion resistance of the slope. The Fundamentals of Flood Protection manual explicitly states that interactions such as these must be taken into account when performing reliability analyses (ENW, 2017, p. 74). We have already noted that the application of excessive force to such flood defenses is in fact similar to the accelerated execution of these failure mechanisms. Such a security risk could therefore easily be included in existing failure probability calculations.

8.1 Flood defense categories

77

8.1.3 Sheet pile levee reinforcement The main difference between modern levees built in the twentieth century and those built in earlier times is their massiveness. They are much higher, which by nature requires a much wider base. In places where there is not enough space for a wide base, steel sheet piles are used to heighten the levees while keeping their base profile at a minimum. They can also be used to strengthen the inner core of a levee. The term “sheets,” however, does not fully cover the massiveness and durability of the materials being used. The use of steel sheet piles makes it possible for the height of river levees to rise considerably above mean water level without further strengthening. The main disadvantage of using sheet piles is that, ultimately, the sheet piles will start to rot at the dividing line between wind and water. This is indeed the main weak spot of any material used on the dividing line between water and air in river, lake, and sea embankments. The advantage of modern iron sheet pile over wood is that it will last longer. The life of iron sheet pile can be extended by special treatment or coatings. On the other hand, new ways of wood preservation have also come into use. For aesthetic and nature conservation reasons, tropical hard wood is being used in small-scale embankment renovation projects. This is of course much more expensive than using iron sheet piles. According to some engineering manuals, sheet pile walls are most economical where retention of higher earth pressures of soft soils is required, but cannot resist very high pressure. The reason that we discuss the use of sheet piles more extensively is because they are applied in places where dikes already are less deep. These are the same places where levees are more vulnerable to high force attacks.

8.1.4 Concrete levees or flood walls An alternative method for using pile sheets are concrete levee or flood walls. In 1927, the Mississippi was flooding so the people of New Orleans destroyed some of the upstream levees to save the city before the flood reached New Orleans. Much of the city lies 10 ft (3 m) below sea level. Over the course of the city’s history, lowlying, boggy areas have been pumped dry to create new land. Much of this reclaimed land has sunk as it dried out. The entire city now depends on the levees, along with massive pumping stations, to keep the water out. After Hurricane Betsy in 1965, the Army Corps of Engineers rebuilt the levee system by constructing concrete I-walls (basically slabs of concrete shaped in an upturned “T”), which are the cheapest and least stable form of protection. That was the last time the New Orleans levee system was seriously updated (Colten, 2006). On 29 August 2005, as a result of Hurricane Katrina, the New Orleans levee system failed once again. Due to the continuous expansion of the city and build-up of newly developed areas, material damage and loss of lives was considerable. The

78

8 Systematic analysis of flood barrier technologies

steel pilings driven into the soil were too shallow, and the soil foundations in which the concrete walls were anchored in were poor, too soft, and permeable. Water was able to seep through and undermine the foundations and wedge the wall from its foundations, causing the whole wall to be pushed over and water to enter the city. The canals, which are supposed to pump water out of the city, actually caused much of New Orleans to flood by letting water into the city. The breaches at the 17th St. Canal and London Avenue Canal were caused by engineering failures. The levees were built on poor soil, the pilings were not deep enough and the pumping system was designed poorly (Colten, 2006) (Braun, 2005) (Rickard, 2009) (Robertson, Campbell, & Schwartz, 2015).

8.1.5 Security lessons The Katrina levee failure in New Orleans holds important lessons for water managers elsewhere. The reason for applying concrete I-shaped levees in New Orleans was two-fold. First, they were cheap, much cheaper than wider-based levees. At the same time, wider-based levees would use up large chunks of valuable land in New Orleans urban areas. Much the same reason as why in the Netherlands river and canal embankments are more and more strengthened using steel pile sheets. The American Federal Emergency Management Agency (part of the United States Department of Homeland Security) now advises to use earth walls for levees and concrete pile sheet-like constructions for floodwalls (FEMA, 2013). The reason that we discuss the New Orleans levee failure to some extent is that these constructions resemble other uses of concrete walls and water retainers in sunken highways and railways beneath aqueducts, as they can frequently be found in the Netherlands. These roads and railways often constitute the main lines of transport between the important harbors, industrial areas, and cities in the Western part of Holland and the hinterland of the German industrial Ruhr area. Without going too deep into locations and other details, this is an observation that worries us. After all, we are working on a comprehensive security risk analysis. Local canals and aqueducts are not flood barriers, but in the context of this research they do attract our attention.

8.1.6 Dam and levee vulnerability table extended With the realization that there are more types of stationary flood defenses than dams and levees alone, we can extend our vulnerabilities table(s) with pile sheets, concrete levees, and flood walls. Pile sheets are – among others – used in river levees with a narrow base, on top of low earthen dams and sometimes even as a stand-alone water deterring solution. Erect pile sheet walls are vulnerable to projected force. We can express this in the safety and security risk tables that we are developing (see Tab. 8.1).

8.1 Flood defense categories

79

Tab. 8.1: Vulnerabilities of pile sheet reinforcements, concrete levees, and flood walls. Construction

Structural weaknesses

Natural threats

Man-induced flaws

Security threats

High standing walls vulnerable to projected force or undermining of base

Pile sheets, concrete levees, and flood walls Pile sheet cladding and reinforcements

Relatively weak core, prone to overloading

Corrosion, especially on the dividing line between water and air

Lack of maintenance, weak base, or weak implementation in overall structure

Concrete levees

Relatively narrow base, vulnerable to overtopping, displacement of base structure

Overload, uplift, and piping as a result of seepage

See above; design See above flaws like weak struts behind Ishaped levees

Concrete flood walls

See above, normally lower structure than levees, therefore relatively stronger

Overload, overtopping, uplift, and piping as a result of seepage

See above

See above

8.1.7 Dams and levees attack-type table In Section 7.5, we introduced an overview of possible attack modes in relation to flood defenses, based on a proposal for such a table by DHS (2012). We will elaborate on this way of presenting attack related vulnerabilities of flood defenses in the following paragraphs. Generally speaking, any construction can be damaged. It depends either on the amount of force being used or on the (technical) ingenuity applied to disrupting the operating mechanism and/or system. In the initial instruction for the study on which this book is based, using a shovel was mentioned as a possible means for disrupting the effective functioning of a flood defense system. However, we have aptly shown that most flood defenses have such dimensions that the use of shovels is not going to have any effect. Unless you throw the shovel into a gear mechanism, but most movable flood barriers are operated by means of hydraulic systems. In this case a simple plier or cutter for cutting a hydraulic oil supply hose is probably much more effective. Shovels and cutters are mechanical equipment. For reasons of simplicity, we will categorize these as “mechanical equipment” in our attack-type table (see Tab. 8.2). To ascertain that a mechanical construction is vulnerable to an attack using mechanical equipment is not enough by itself. Vulnerability to (mechanical) attack

80

8 Systematic analysis of flood barrier technologies

implies that the structure can be easily accessed, that is, that there are no moats, fences, locked doors, or other defenses restricting access to that part of the structure. Since there are many different ways to restrict access to a structure, we will not incorporate such options in our table. We will consider elements like these in Chapter 9 when we try to estimate the probability of certain attack types through security risk scenario development. This also applies to other elements in an attack scenario, like the absence of supervision (which translates in opportunity for the attackers), the time it takes supervisors to adequately respond to an attack (offering a window of opportunity to attackers) and the ease with which perpetrators can withdraw after an attack. Vulnerability to attack, location checklist: – Accessibility (to the site) – Supervision (or lack thereof) – Opportunities for the attackers – Ability supervisors to adequately respond (creating window of opportunity for attackers) – Possibilities for attackers to withdraw

In the case of solid levees and dams, it is not very likely that mechanical tools or instruments will result in destructing or even damaging the levee or dam in such a way that it will effectively loose its function as a flood defense. On the other hand, when a perpetrator is offered a window of opportunity of a thousand years, probably a nail scissor will be an effective weapon for levee destruction. If we consider the application of directed force by using TNT, the equation comes down to a comparison between the thickness and composition of the dam body versus the amount of energetic force applied in order to damage or breach the dam body (Melin, 2014). Since the amount of explosives one can carry in a backpack is far less than the amount of fertilizer one can load in a lorry, the effect of the (amount of) applied force in case of a backpack is far less than in case of a fertilizer attack. In case of levees and dams, stand-off weapons (with a highly concentrated impact mass) will possibly have a far greater effect than – for instance – vehicle-borne explosive devises (VEDs in American military terms). We will try to make these differences in results visible in our attack-type table by way of pluses and minuses, like we did in our Delta Plan security risk tables. The number of pluses (or minuses) shows the estimated effectiveness of an attack, expressed in the amount of damage that a particular attack type may result into. The number of pluses and minuses for each attack mode in relation to the kind of structure it is being used against is based on an expert and therefore subjective judgment of the effects of that particular attack type on the flood defense (or specified part of the barrier). It is, for instance, logical to assume that if the same amount of force is applied to massive earthen levees or (smaller) concrete levees and tunnel walls, the attack will be far more effective in the case of concrete levees and tunnel walls. This results in more pluses in the table in the case of concrete levees and tunnel walls.

81

8.1 Flood defense categories

As we have seen in Section 7.4, underwater explosive devices (EDs) are more effective if applied (very) close to the base of the flood defense structure. The water mass adjacent to the structure will direct the explosive force (in)to the structure. Because shockwaves will easily bounce of sloped (barrier) structures, EDs will be (much) more effective in the case of vertical barrier constructions or lock doors. For the same reason, vehicles loaded with EDs placed on top of structures are (far) less effective than the same vehicles placed in a closed, roofed environment like under a bridge or jetty. These observations lead to the relative grading of (the effects of) specific attack types in Tab. 8.2. One way of objectifying these gradings would be to let several experts give their opinions, and subsequently combine these estimations into one overview.

Tab. 8.2: Dams and levees attack vulnerabilities. Dam and levee attack types Attack mode

Attack type

Land

Mechanical equipment Small arms (Man-portable) explosive device and/or incendiary device Assault team (without/with explosives) Vehicle-borne explosive device Stand-off weapons

Water

Water-borne explosive device Underwater explosive device

Air

Aerial bombing or strafing Aircraft impact

Dams/levees – impact

Concrete levees/flood walls – impact

– –

– –

+

++

–/++ + ++

–/++ +++ +++

++ ++

+++ ++++

++++/– –/+

+++++/+ +++

8.1.8 Dams and levees: security implications Table 8.2 shows us at a glance that when more force is being used against dams and levees, the resulting damage will increase accordingly. In other words, an attack will presumably be more successful when more (explosive) force is being applied. The table also substantiates the observation that when the same force is being applied to earth/clay levees or concrete levees and flood walls, the results will be more devastating in the case of concrete levees and flood walls. We already came to the same conclusion earlier in this study, but we need the more “objective” presentation of this table in order to adequately apply our observations in the quantitative (versus qualitative) approach to risk analysis that we will present in Chapter 9.

82

8 Systematic analysis of flood barrier technologies

8.2 Hydraulic structures In Section 8.1.1, we already mentioned that the third category of primary flood defenses the Fundamentals of Flood Protection manual mentions are protective hydraulic structures. The manual lists several structures like the IJmuiden navigation locks; storm surge barriers like the Hollandse IJssel Storm Surge Barrier, the Maeslant Storm Surge Barrier, and the Eastern Scheldt Storm Surge Barrier; and sluices like those in the Haringvliet dam (ENW, 2017, p. 22). On the basis of this list, we can already make a global subdivision of hydraulic applications in flood defenses. In the previous paragraph, we mentioned locks, among other structures. We distinguish between dewatering gates and navigation locks. We also mentioned various types of storm surge barrier. We have seen that they do not all have the same shape. The shape of storm surge barriers is for an important part determined by the construction of the lock gates. All these differences are important, because we want our method for assessing security risks and building security risk scenarios – of which vulnerability assessment is an important part – to have a scientific perspective. This requires a systematic analysis of flood defense categories and their respective vulnerabilities and implied security risks. The Fundamentals of Flood Protection manual specifically states that besides overflowing and overtopping, the following failure mechanisms are also important when it comes to hydraulic structures and other special structures: – structural failure of parts of the structure; – general loss of stability in a hydraulic structure; – failure of transitional structures (as a result of internal erosion for example); and – failure to close or to close on time. Failure to close, or to close on time, is very different from all the other mechanisms listed, as it not only involves the failure of materials but also the behavior of humans and machinery (ENW, 2017). The use of explosives or mechanical destructive actions has the same effects as the failure mechanisms mentioned above. In fact, bombing and mechanical actions do nothing more than to accelerate the effects of these failure mechanisms. This means that the negative influences of such offensive actions can easily be integrated in existing design and reliability analyses of flood defenses.

8.2.1 Navigation locks The Fundamentals of Flood Protection manual mentions the IJmuiden navigation locks as an example of protective hydraulic structures. In the seventeenth century,

8.2 Hydraulic structures

83

the Southern Sea became too shallow for sea-going ships to reach Amsterdam harbor. Even smaller ships had to be loaded in floatable docks in order to carry them over the Pampus shallows in front of Amsterdam harbor. As a means of improving the Dutch economy after the Napoleonic wars, King William of Orange I initiated the construction of the North Holland artificial waterway. Basically the canal was created by connecting several water reservoirs, lakes, and polder encircling canals. Ships got bigger, and as a result the capacity of the North Holland canal diminished accordingly. Plans were made to make a straight connection from Amsterdam to the North Sea by way of the coastal city of IJmuiden. In 1859 the Water Management Council proposed a plan to construct a big sea-going lock of 140 m long (later reduced to 120 m), 18 m wide, and 7.75 m deep. A second, smaller lock would be 70 m long, 12 m wide, and 5 m deep. Work on the locks finished in 1872. The lock complex was officially opened on 1 November 1876, by King William III of the Netherlands. Since the two locks could not be used for shipping during the draining of the North Sea canal, in 1885 a proposal was made for a third and larger navigation lock. The plan provided for a lock of 205 m long (ultimately lengthened to 225 m), 25 m wide, and 8.50 m (ultimately 10 m) below sea level. On 12 December 1896, the navigation lock was officially put into operation. The lock then had cost 5.8 million guilders (about 58 million Euros in present-day value). Until the opening of the locks of the Panama Canal in 1913, the IJmuiden locks were the biggest navigation locks in the world (Arends, 2001). At the time of writing, a Dutch contractor combination is busy enlarging the sea locks of IJmuiden to huge proportions, but is suffering huge losses due to the increase in excessive cost. However, it is obvious that it would not be easy to recover quickly from damage done to navigation locks of such dimensions. We must also not forget that this is an “always high-water” location, which underlines the importance of proper functioning.

8.2.2 Vulnerabilities of lock constructions We already mentioned the fact that the weakest point in any primary flood defense (and every other flood defense for that matter) is the entrance to a river or harbor. In the Netherlands, as in many other sea-bordering countries, most river and harbor entrances are in some way protected against extreme high water and differences in tide and river water levels. The oldest way to regulate water levels and still facilitate shipping transport to the hinterland is by way of water or navigation locks. The paradox is that these locks, in spite of their sturdy construction, at the same time constitute the most vulnerable element in any flood defense system. The obvious way therefore to block a channel or waterway (or contrary: keep it open to allow floods to enter unhindered) would be to put one or more locks out of action. Sinking one or more boats in the lock or between the lock doors is an obvious choice in order to obtain both objectives. Removal would not be too difficult,

84

8 Systematic analysis of flood barrier technologies

however, and would only take a relatively short time. If one would like to keep the water flowing unobstructed (at, for instance, a time of high water or river floods), sinking boats between the lock doors would lead to the same effect. In case a boat would not be available, the same effect could be obtained by blowing the lock doors out of their hinges. Gleick’s extensive water and terrorism chronology gives ample examples of similar actions (Gleick, Water and terrorism, 2006). Our historic overviews in the previous chapters show that dewatering gates and navigation locks are particularly attractive targets to perpetrators and terrorists, since they present the weakest and most vulnerable spots in otherwise massive dams and levees. The examples give us enough information to show various safety and security vulnerabilities in a well-organized table. That makes it easier to discuss the various weak spots in more detail in the following paragraph (Tab. 8.3). Tab. 8.3: Vulnerabilities of water and navigation lock constructions. Construction

Structural weaknesses

Natural threats

Man-induced flaws

Security threats

Erosion of wooden or steel parts, obstruction by floating debris

Lack of maintenance, human error in operating lock gates

Rather simple mechanical structures, various ways for jamming, obstruction or even destruction

Water and navigation lock constructions Combination of inner and outer lock gates, most often at a narrow spot in rivers and estuaries and near or in harbor entrances

Fairly simple but sometimes huge structures; moving parts, most obviously the lock gates, are vulnerable

8.2.3 Navigation lock attack-type table In Section 8.1.7 we showed the first example of an attack-type table, in the case of levees and dams. We now want to draw up a similar table for navigation locks. As a starting point, we assume that most navigation locks generally have the same shape. At a specific location, a water inlet or canal is being narrowed, and the quays on both sides of the passage are reinforced with concrete or sheet pile walls. In order to be able to move ships from one side of the lock to the other side, there must be a double set of lock gates. The water in between can then be brought up or down to level by pumping water into or out of the inner basin. This means that the distinction between the different lock constructions is determined by the shape of the lock gates. We base our lock gate grouping on the typology proposed by Dijk and Van der Ziel (Dijk & van der Ziel, 2010) regarding storm surge barriers. A similar grouping can also be found in Mooyaart, Jonkman, de Vries, van der Toorn & van Ledden

8.2 Hydraulic structures

85

(2014). This classification can also be applied to navigation locks. We limit ourselves to frequently used gate types. When we discuss storm surge barriers later in this chapter, we will discuss some other innovative gate types. We started this book with a historic description of trap or valve lock doors that have been in use until the Middle Ages. In the late Middle Ages, bigger navigation locks were built with hinged gates at either side of the lock. The gates were usually hinged at an outward angle of 18%, which helps the rising tide push the doors closed and keep them closed. An added advantage of hinged gates at both sides is that the doors can be smaller. There is also less friction on the hinges, since the doors are smaller and, therefore, lighter in weight. The downside of this is that, especially in the past, point door locks also had a maximum size. A logical variation to the point door lock is the swing door lock, where a single gate is hinged to one side of the lock. A modern innovation is the rolling gate, a sliding panel stored in a recess adjacent to the navigation lock. The gates of the new IJmuiden sea sluices are so big that one necessarily had to resort to the use of this kind of lock gates. For a consideration of the security aspects, we will concentrate on the point door lock type. For an overview of the various gate types, see Tab. 8.4. Modern navigation locks are most times made of reinforced concrete quays with steel gates, pivoting on hinges attached to the quays on either side of the lock basin. War-time attacks at concrete bunkers, defense works, and infrastructure reveal that even massive, direct attacks to concrete structures often result in little damage. Such in spite of the often huge amounts of force applied. This implies that it is much more effective to stage a targeted attack at the most vulnerable parts of a lock structure. These are the operating mechanisms, the lock gates and the hinges they pivot on. The gates in older lock constructions are often mechanically operated, but more modern structures use hydraulics. Hydraulic systems work with pumps, valves, pipes, and electronic controls. These signify as many weaknesses in the entire system. In order for our attack-type table to be complete, and to be able to make an adequate risk assessment, we have to clearly distinguish between the various vulnerabilities. In Section 8.1.7, we showed that there are many variables to be taken into account when trying to analyze plausible risk scenarios. In these scenarios, access, supervision (window of) opportunity, response (interception), and possibilities for retreat are key elements. But an attack cannot possibly succeed without thorough knowledge of the layout of the lock structure, easy access to the vulnerable parts, and the effective appliance of force against one or more of these (vulnerable) parts. When it comes to mechanical attack modes, we have suggested that one possible way of operation is to ram or jam a lock gate (in either open or closed state). This may result in damage that is easily, and therefore quickly, repaired. This in turn might lead to the conclusion that (in a particular scenario) a bombing attack would be more effective. War time experiences, however, show that this requires special skills, detailed planning, and consistent implementation.

86

8 Systematic analysis of flood barrier technologies

Tab. 8.4: Navigation lock constructions, adapted from (Dijk & van der Ziel, 2010) (pictograms) and (Mooyaart & Jonkman, 2017) (descriptions). Hydraulic gate type

Pictogram

Description

Point door

Gates are hinged to both sides of the lock, pivoting around a vertical axis to close

Swing door

Gate is hinged to one side of the lock, pivoting around a vertical axis to close

Rolling gate

Sliding panel is stored in a recess adjacent to the navigation lock (PIANC-IAPH, )

Vulnerability to attack, location checklist (supplemented): – Accessibility (to the site) – Supervision (or lack thereof) – Opportunities for the attackers – Ability supervisors to adequately respond (creating window of opportunity for attackers) – Possibilities for attackers to withdraw – Knowledge of layout – Access to vulnerable parts – Effective appliance of force – Special skills – Detailed planning – Consistent implementation

87

8.2 Hydraulic structures

So more attack modes and types are conceivable than we have included in our attack-type table for levees and dams. In addition, we are talking about possible attacks on movable flood defense systems. This implies that we also must take into account computer-controlled or computer-operated (autonomous) control systems. This cyber dimension adds to the complexity, and therefore vulnerability, of the flood defense system we are evaluating. We will extend our attack-type table accordingly (see Tab. 8.5).

Tab. 8.5: Navigation locks attack types. Navigation lock attack types Attack mode

Attack type

Land

Mechanical equipment Jamming or battering Small arms (Man-portable) ED *) and/or incendiary device Assault team (without/with ED) Vehicle-borne ED Stand-off weapons

Water

Air

Cyber

Quays

Gates

Hinges

Operating mechanism

− − −

− −

+ + −

−

−

+

+++ ++ − ++

−/+ −/+ ++

−/+ ++ +++

+ + +++

++ +++ ++++

Jamming or battering Water-borne ED Underwater ED

− + ++

+++++ +++ +++++

++ +++ +++

+ ++ +++

Aerial bombing/strafing Aircraft impact

++± −/+

+++++/+ +++

+++/+ +++

+++++/+++ +++++

−

−

−

+++++

−

−

−

++++(+) **)

Mechanical approaches (destruction of controls) Cyberattacks such as virus or control take over

*) ED stands for explosive device **) Since we have not been able to find real-world examples of such actions in public domain publications, the effect of such actions are unclear

We will improve our attack-type tables in Chapter 9, where we will transform the pluses and minuses to numbers. In this chapter we will, however, keep using the pluses and minuses approach. Using numbers is easier for calculating complex risk scenarios, but we first want to discuss differences between uncertainty, probability and risk (see Chapter 9).

88

8 Systematic analysis of flood barrier technologies

8.2.4 Navigation locks: security implications Table 8.5 shows us at a glance what the greatest vulnerabilities are in case of navigation locks. With movable structures, the most vulnerable parts are the operating mechanisms such as the controls in the control room and the hydraulic systems operating the lock gates. The vulnerability also depends on variables such as the accessibility of the lock complex as a whole and the control area in particular. Since control facilities are most times built above ground (in many cases in control towers for better vision of the lock complex), they are more vulnerable to for instance stand-off weapons (to be fired from a distance). A moat or fence with a separate (controlled) access (such as a gate) is no safeguard against this kind of attack. This added vulnerability becomes immediately apparent in the table. As we pointed out earlier, thinking of attack modes and attack types is actually a paper exercise. We use flood defenses as an example in this book, but we could also talk about bank buildings or courts of justice. Recently a Dutch court was actually fired at with a stand-off weapon. In this book we want to show how to categorize vulnerabilities and security risks of objects with generally the same characteristics that are nevertheless very different in detail. Flood defenses are an excellent example.

8.3 Flood barriers in secondary flood defenses When assessing the vulnerabilities and the security risks of flood defenses, we more or less follow the grouping used in the Fundamentals of Flood Protection manual. Mooyaart and Jonkman describe a selection of 17 existing storm surge barriers and one that was under construction at the time of writing (the storm surge barrier near Venice in Italy). They base their selection on functional characteristics such as a minimum span of the movable gates of 24 m (Mooyaart & Jonkman, 2017). Ledden et al. identify eight storm surge barrier gate types: vertical lift gates, vertical rising gates, rotating segment gates, double-gated sector gates, inflatable gates, flap gates residing on the river bed, floating barge gates, and rolling gates (Mooyaart, Jonkman, de Vries, van der Toorn & van Ledden, 2014). An overview is included in the appendices. In the previous chapters, we have already looked at some examples of these gates, among others where it concerns navigation locks. We will therefore not only focus on primary flood defenses like surge flood barriers. In the Netherlands there is a lot of interest in applying storm flood barrier techniques in secondary flood defenses; actually everywhere around the world where river deltas and coastal cities are threatened by rising sea levels and sinking soil because of the excessive extraction of fresh groundwater. There is another reason why we would like to look at secondary flood defenses in rivers and lakes. Gradually we have come to the conclusion that, from a security perspective, those risks are more substantial for secondary flood defense systems than for primary flood defenses. We will explain this later.

8.3 Flood barriers in secondary flood defenses

89

8.3.1 Guillotine-shaped flood barriers The Hollandse IJssel Storm Surge Barrier was the first vertical design of a storm surge barrier. It has two vertical lift gates measuring 80 m wide and 11.5 m high, which serve as a backup to each other. Vertical lift gates are lifted vertically from the sill to open. Lifting can be done using a tower with overhead cables, sheaves, and bull wheels to support the gate during its operation (Mooyaart, Jonkman, de Vries, van der Toorn & van Ledden, 2014). A movable barrier was chosen in order to hinder shipping movements as little as possible. Adjacent to the storm surge barrier, a navigation lock was built for ships that are too high to pass under the gates. The elevator towers, together with the normally open gates, very much resemble a guillotine (Fig. 8.1). An added advantage of a guillotine-shaped flood barrier is that it influences the flow of the river as little as possible.

Fig. 8.1: Hollandse IJssel Storm Surge Barrier (Frans Berkelaar, 2014) (Flickr, CC BY-SA 2.0).

The Hartel Storm Surge Barrier near the Dutch city of Spijkenisse is another clear example of a guillotine-shaped storm surge barrier. The Hartel Storm Surge Barrier is provided with 49.3 and 98 m wide, also oval-shaped, lock gates, each elevated between two lift towers. When the barrier is open, the doors rest about 14 m above sea level. When the doors are lowered, they can withstand a water level of 3 m above Amsterdam Ordnance Datum (or Dutch Ordnance Datum (DOD)) (Rijkswaterstaat, 2013). The Hartel Barrier is fitted with a guardrail in order to protect the barrier from large and heavy floating debris, such as empty sea containers (Fig. 8.2).

90

8 Systematic analysis of flood barrier technologies

Fig. 8.2: Hartel Storm Surge Barrier (Quistnix, 2009, Wikimedia, CC BY-SA 3.0).

Another example of a guillotine-like flood barrier construction is that of the weir at Wijk en Aalburg in the Netherlands (2001). De Kromme Nol weir is situated at the entrance of the Dammed Meuse, connecting the Waal and Meuse rivers. The barrier is situated at the entrance to the Dammed Meuse in the Northern embankment of the Berg Meuse (or “Bergse Maas” in Dutch) (Fig. 8.3). At the Northern side the channel is closed off by the Wilhelmina navigation lock (built 1896). It is interesting that the barrier was constructed because of high river water levels in 1993 and 1995. About 250,000 residents of the area were then evacuated. When the coastal (primary) flood barriers were closed, the river water accumulated and threatened to overflow the embankments. Strengthening of levee sections in the Meuse River however was tricky because of their intensive use for housing and other activities such as industrial production. It was therefore decided to build a flood barrier. We have already discussed the need to strengthen narrow levees with sheet piles. This is often necessary in places where there is industry, or where many people live. The foot of the levee cannot be further extended at that location. Instead of strengthening the levees, building a flood barrier is then another cost-reducing option. The Wijk and Algra flood barrier has a lifting door of 50 m wide and 9 m high. It weighs 350 tons. When the barrier gate is closed, the upper side is 6 m above DOD. The threshold of the concrete barrier is 3 m below DOD. The gate is held in position by two hydraulic cylinders. The two towers each contain 1,500 L of hydraulic oil. The gate has a rubber seal at the underside. There is one electrical

8.3 Flood barriers in secondary flood defenses

91

Fig. 8.3: Kromme Nol Flood Barrier (Hullie – Eigen werk) (Wikimedia, CC BY-SA 3.0).

connection and a connection for a power unit on the western tower. The barrier is operated by a four-man team. The barrier is not permanently manned (International Network for Storm Surge Barriers, 2018).

8.3.2 Guillotine-shaped flood barriers, vulnerabilities The maintenance costs of vertical lift gates or guillotine-shaped flood barriers are relatively low. The maintenance costs are average (Dijk & van der Ziel, 2010). This probably explains why many secondary flood barriers in the Dutch hinterland have vertical lift gates. An added advantage is that they allow unhindered river transport. Although of enormous proportions, the construction of this kind of flood barrier is relatively simple. In most cases, the gate guiding rails are attached to the exterior of the lifting towers, which simplifies maintenance. However, since lifting cables or hydraulic cylinders usually face inward to the navigation lock or waterway, we consider this kind of construction to be less vulnerable to attack. The flood gates and lifting constructions are furthermore protected by the quay banks and lift towers, and cannot easily be approached in most cases. We conducted a survey of the Princess Marijke sluices in the Amsterdam-Rhine canal near the Dutch villages Rijswijk (Gelderland) and Ravenswaaij. The complex consists of a 220 m long navigation locks and a flood barrier to separate the Betuwe part of the Amsterdam-Rhine canal from the Lek river. Under normal circumstances,

92

8 Systematic analysis of flood barrier technologies

the flood barrier is open and ships can pass unimpeded under the flood barrier. At a water level of 5.55 m + DOD, the flood barrier is closed and ships must then use the navigation lock. The flood gate is 80 m wide, suspended between two concrete towers. A pumping station is part of the complex to be able to pump excess water from the Betuwe area (Wikimedia, 2016). What we particularly noticed was the enormous surface of the gate, and the relatively small suspension points in the sliding mechanism (Fig. 8.4).

Fig. 8.4: Princess Marijke sluice near Ravenswaaij (Jos de Lange, 2018).

The easiest way to obstruct the unimpeded functioning of guillotine-like flood barriers is by jamming the gates. This will prevent the gates from fully closing, or opening again. As a result, high-water levels upstream will result in flooding downstream. Sabotage of the lifting construction would have the same effect. Sabotage of the lifting construction when gates are down would lead to flooding upstream. However, these what–if scenarios are only realistic during seasons when rivers transport more water than usual, or sea levels rise higher than usual. Furthermore, it is of course much easier to disrupt the unimpeded functioning of a flood barrier with only one or a few gates, than of a flood barrier with many gates. We present our findings regarding the various vulnerabilities of guillotine-like flood barriers in Tab. 8.6.

93

8.3 Flood barriers in secondary flood defenses

Tab. 8.6: Vulnerabilities of guillotine-like flood barriers. Construction

Structural weaknesses Natural threats

Man-induced flaws

Security threats

Vulnerabilities of guillotine-like flood barriers (Maeslant, Hartel, Kromme Nol) Vertical lift gates, moved up and down by hydraulic cylinders or cable trolleys

Huge dimensions, always open, very small suspension points in relation to size of gate

Erosion, strong wind currents

Construction flaws, lack of maintenance, and human and computer operation errors

Various ways for obstruction, sabotage of lift construction and/ or controls

8.3.3 Guillotine-shaped flood barriers, attack-type table As before, we can translate our security-related observations of the various guillotine-shaped barrier constructions in risk values in our attack mode table (Tab. 8.7). As we observed earlier, the higher the flood barrier, the more vulnerable it is to (for Tab. 8.7: Guillotine-shaped flood barriers, attack types. Guillotine barrier attack types Attack mode

Attack type

Land

Mechanical equipment Jamming or battering Small arms (Man-portable) ED or ID Assault team (with/without explosives) Vehicle-borne ED Stand-off weapons

Water

Jamming or battering Water-borne ED Underwater ED

Air

Aerial bombing or strafing Aircraft Impact

Cyber

Mechanical approaches (destruction of controls) Cyberattacks such as virus or control take over

*) only when gates are lowered into the water **) depending on SCADA implementation

Gates

Lifting towers

Cables/ hydraulics

Controls

− ++ − +

− − − +

++ − − ++

++/−

++/−

+++/−

− ++++

− ++

− +

− ++

+++ +++++ *) +++++

+/− − −

− − −

− − −

++++± +++++

+++/− ++

++/− +

++++/+ +++

−

−

−

+++

−

−

−

+++ **)

+/− + − +++ +++/+

94

8 Systematic analysis of flood barrier technologies

instance) standoff weapons or EDs placed near or under the construction. This results in more pluses in the table. However, we must take into consideration that the use of (high explosive) standoff weapons more resembles a war-like scenario than in case of scenarios based on “low-scale” attacks by single persons or assault teams. Light shoulder fired weapons are (presumably) far less effective. We will discuss these variations in scenario-based risk approaches more deeply later in this book.

8.4 Visor-shaped flood barriers Vertical lift gates are moved vertically from the flood barrier sill by way of overhead cables and bull wheels, or, alternatively, hydraulic cylinders. A lift tower at either side supports the gate during its operation. A big advantage of this type of flood gate is that ships that are not too high can pass the flood barrier unhindered. In places where there is no question of shipping traffic, the use of a segment gate is much more economical. The segment gate in its simplest form consists of a curved skin plate formed to a cylinder segment, supported by radial compressed arms that transfer the hydraulic forces to fixed bearings. The segment gate rotates about a horizontal axis, which passes through the bearing center and usually coincides with the center of the skin plate curvature radius. By this arrangement, the resultant thrust from the water pressure passes through the point of rotation and has no tendency to open or close the gate (Erbisti, 2014). In closed position, the segment gate rests on the sill and in open position it is lifted (Mooyaart & Jonkman, 2017). We already discussed the Haringvliet dam in Section 4.3. Part of the dam is the Haringvliet Storm Surge Barrier, completed in 1971. The storm surge barrier contains 34 lock doors (one at the sea side and one at the estuary side of the locks) that are each 56 m wide and 6 m high. The main use for the flood barrier is to protect the Haringvliet estuary and surrounding islands against North Sea storm surges. Since the sole purpose of the water locks is to facilitate water management in the Haringvliet estuary, segment gates were used. Ships are served by a separate navigation lock. The Haringvliet Storm Flood Barrier was the first Dutch flood barrier to use segment-type flood gates. The four arms of each gate are attached to the concrete cross beam spanning the lock pillars (Fig. 8.5). The cross beams also support the fourlane highway and two-lane service road that run on top of the water barrier. Each gate is moved up and down by way of a fairly small hydraulic lift arm at one side of the lock gate (Fig. 8.6). The massiveness of the Haringvliet Storm surge Barrier hides the fact that the gate moving mechanisms themselves are of a rather simple construction. The gates, the concrete pillars, and the cross beam supporting the highway and service roads

8.4 Visor-shaped flood barriers

Fig. 8.5: Haringvliet Storm Surge Barrier, mounting arm construction (Jos de Lange, 2015).

Fig. 8.6: Haringvliet Storm Surge Barrier, lifting arm (Jos de Lange, 2015).

95

96

8 Systematic analysis of flood barrier technologies

are massive, but the gate arms are not. Compared to the gate arms, the lifting arms are even tiny. The lifting arms are therefore the weak elements in the barrier construction. On the other hand, it is not obvious what the objective of tampering with this barrier could be. The most obvious result of (blowing up a water lock) would be a (temporary) breach in the land link between the islands. One should also consider the fact that the flood gates can only easily be accessed from the water by boat. This is, for instance, necessary for maintenance. Divers have to regularly clean or repair the sills and the guide rails at the sides of the gates that are below water level. It is fairly easy to prevent a single door from closing by jamming it with a boat. Since there are two doors at each side of the barrier, and 17 locks altogether, it is not easy to see what the objective of such an action would be.

8.4.1 Neder-Rijn visor weirs (Driel, Hagestein, and Amerongen) A lock form that we would like to mention in this context are the visor-shaped flood barriers in the Lower Rhine and Lek rivers near the Dutch villages of Hagestein, Amerongen, and Driel (Fig. 8.7). In 1958 work started on the construction of the three weir complexes. Each complex contains two weirs and a separate navigation lock. Purpose of building the three weirs was to improve (drinking) water

Fig. 8.7: Neder-Rijn weir at Driel (https://beeldbank.rws.nl, Rijkswaterstaat, 117.654).

8.4 Visor-shaped flood barriers

97

management in the Northern Netherlands and ensure the navigability of the rivers. The weir at Driel, together with the Haringvliet sluices, the sluices in the Afsluitdijk causeway, and those at IJmuiden, is also important for regulating the discharge and the distribution of fresh water in most parts of the Netherlands. The Hagestein weir complex was completed in 1960, the Amerongen complex in 1965 and the weir complex at Driel in 1970. The three complexes are of the same design. The visor-shaped gates ensure free fanning of the water flow, which reduces erosion of the sediment on the river bed. The weirs are 23.20 m high, measured from the upper side of the weir floor up to the upper side of the engine room at the top of the concrete pillars at either side of the lock gates. The gates are opened by two wire rope mechanical hoists and their closure is done by gravity. Generally the doors of each weir are closed. When water levels in the Rhine threaten to rise too high, the weirs are opened in order to prevent flooding. Normally ships have to pass the barrier using the shipping dock next to each barrier. On average, the floodgates at Hagestein open about 40 days a year. Four electric motors of 3 hp each drive cable drums that will lift each slide within 2–2.5 h. In an emergency, the slides can also be raised by hand. This is remarkable, knowing that each visor slide weighs around 270.000 kg. Erbisti remarks that the visor gate cylindrical curvature is a logical solution to the character of the hydraulic load. Since the water pressure has an isotropic behavior (the water pressure having identical values in all directions), a cylindrically traced retaining wall will only be loaded by normal forces, not by bending moments. This allows for a very economical material use. Despite its curvature, the visor gates are, therefore, much lighter than a number of comparable vertical lift gates (Erbisti, 2014). The reason why we discuss these flood defenses is because they have a different function than we have seen so far. They are important for the freshwater supply of a part of the country. And in some rivers they keep the water level at height, so that they remain navigable. This could indicate a certain degree of vulnerability, assessed from a security viewpoint. However, the gates themselves are less easily accessible. That increases security again.

8.4.2 Thames Barrier Another example of a visor-like barrier can be found in the Thames estuary near London. What makes the Thames Flood Barrier different from those in the Haringvliet dam and the Neder-Rijn weirs is that the Thames Barrier is constructed in such a way that shipping remains possible when closed (Fig. 8.8). Instead of upward, the lock gates tilt downward. Similar to a segment gate, the rotary segment gate has a horizontal axis. It lies in a recess in the concrete sill in the bed of the river. The

98

8 Systematic analysis of flood barrier technologies

Fig. 8.8: Thames Storm Surge Barrier (Arpingstone, 2005, Public Domain, WikimediaCommons).

rotary segment gate contrasts the normal segment gate as it is possible to sail over the gate in this position. Operation of the gate is achieved by the rotation through approximately 90°, thus raising the gate to the ”defense” position. A further 90° of rotation of the gate positions if ready for inspection or maintenance (Tappin, Dowling & Clark, 1984). This type of flood gate is also called a rotary segment gate, since the construction looks somewhat like a drum that is cut in half, fitted to a rotating plate that facilitates the lifting of the gate. The Thames Barrier spans 520 m across the River Thames near Woolwich, and it protects 125 sq km of central London from flooding caused by tidal surges. It has 10 steel gates that can be raised into position across the River Thames. When raised, the main gates stand as high as a five-story building and as wide as the opening of the Tower Bridge. The Thames Barrier has been closed 182 times since it became operational in 1982 (correct as of February 2018). Of these closures, 95 were to protect against tidal flooding and 87 were to protect against combined tidal/fluvial flooding (Environment Agency, 2018). In spite of the fact that the gates can be tilted in an overhead position for easy cleaning, Dijk and Van der Ziel classify the maintenance category of this type of flood barrier as high. They also rate the probability of failure as high (Dijk & van der Ziel, 2010). Nevertheless, in spite of their size, gates and operating mechanisms are of a relatively simple construction, and a showcase of modern engineering.

8.4 Visor-shaped flood barriers

99

8.4.3 Visor-shaped flood barriers, vulnerabilities High-definition pictures like those of Google Maps show that the weirs in the Neder-Rijn are coming of age. Pillars and drum housing show signs of concrete decay. The gates themselves are also not maintenance free. The lifting cables are attached to the outer sides of the visor slides, and run exposed over the ovalshaped guiding arms. In 2015, plans were revealed to extend the lifespan of the weirs. Of the various sector gates found in the Netherlands, the water retaining barriers in the Neder-Rijn are the most vulnerable. There are only a few of this type of water barriers, but they have important water management functions that security experts should be aware of. The weirs are normally closed. Impeding the functioning of the weir gates would only be hazardous during the circa 40 days a year that they are opened. Considering the main functions of the weirs, provisioning of sweet water to the North of the Netherlands, and maintaining water levels in the IJssel river, it would be more inconvenient if the weirs were left open. This may be an indication for a probable security risk such as breaching. We have already talked several times about the floodgates in the Haringvliet dam. Because there are so many, it is very difficult to simultaneously halt the proper functioning of all sluices with physical means. The same applies to the Thames flood barrier. It is difficult to imagine why someone would want to hinder the proper functioning of such large barriers. The Thames barrier, however, is close to London, and that city can be an attractive target in certain scenarios. In that light it is obvious that an attacker will rather focus on influencing the proper functioning of an entire flood barrier by putting the control system out of service (Tab. 8.8). What we have not discussed in this chapter is the inflatable flood defense at Ramspol. Regarding security, it has some of the same characteristics as the Thames Barrier. For the greater part of the year, the flood defense resides at the bottom of the river. That is a very safe storage place. Having noticed this, we will not further discuss the Ramspol weir in this chapter.

8.4.4 Visor-shaped flood barriers, attack-type table Like in the previous sections, we will once again try to display our vulnerability assessment of water defenses with segment gates in an attack-type table. We have only discussed a few attack types, but in the context of our analysis approach we have filled in all the boxes of the table matrix. The results in the various tables can then easily be compared (Tab. 8.9).

100

8 Systematic analysis of flood barrier technologies

Tab. 8.8: Vulnerabilities of visor-like flood barriers. Construction

Structural weaknesses

Natural threats

Man-induced flaws

Security threats

Vulnerabilities of visor like barriers (Haringvliet, Neder-Rijn, Thames) Sector gates rotate around a horizontal axis, which passes through the bearing center (Erbisti, ): rotary segment gate is more complex

Probability of failure of sector gate is low, high in case of rotary sector gate

Corrosion, obstruction of gate and lift mechanisms

Construction flaws, lack of maintenance, and human and computer error in operating controls

The bigger flood barrier structures are more complex, but less likely targets. Controls are most vulnerable

Tab. 8.9: Visor-shaped flood barriers, attack types. Visor barrier attack types Attack mode

Attack type

Land

Mechanical equipment Jamming or battering Small arms (Man-portable) ED/ID Assault team (with/without explosives) Vehicle-borne ED Stand-off weapons

Water

Gates

Lever pillars

Levers/ hydraulics

Controls

− ++ − + +/− − ++

− − − − +/− − +

+ − − ++/− ++/+ − −

+/− + − ++ +++/+ − ++

Jamming or battering Water-borne ED Underwater ED

+++ +++ *) +++ *)

−/− − −

− + −

− − −

Air

Aerial bombing or strafing Aircraft Impact

+++/− +++

+/− +/−

+± +

++++/+ +++

Cyber

Mechanical approaches (destruction of controls) Cyberattacks such as virus or control take over

−

−

−

+++

−

−

−

+++ **)

*) only when gates are lowered into the water **) depending on SCADA implementation

8.5 Flood barriers with sector gates

101

8.5 Flood barriers with sector gates We have now looked at a number of flood barriers, and have assessed their vulnerabilities in outline. We have even elaborated these vulnerabilities in various vulnerability tables. We also looked at flood defenses with sector gates in the same way. We will discuss the outcomes in this section. If you find this merely a repetition of the previous paragraphs, you can read further about the vulnerabilities of SCADA applications in flood barriers in Section 8.6. We then end this chapter with some conclusions.

The Maeslant Storm Surge Barrier is a double floating sector gate design, spanning 360 m. Each gate of the Maeslant Barrier is 220 m wide (Rijkswaterstaat, 2013). A sector gate consists of double gates. Each gate has a circular shape, transferring forces through a steel frame to the hinges at each side of the opening by rotating around two vertical axes. During operation the doors are filled with water, and sink to the sill on the river bed. Operation of the Maeslant Storm Surge Barrier is fully automated, and functions in conjunction together with the Hartel Storm Surge Barrier that we discussed earlier in this book. The Maeslant Storm Surge Barrier is a primary flood defense, which means that it is meant to protect the secondary flood defenses in the hinterland.

8.5.1 St. Petersburg sector gate flood barrier A similar design as the Maeslant Storm Surge Barrier can be found in Russia in the Neva estuary near St. Petersburg. The St. Petersburg Dam (in Russian: Комплекс защитных сооружений Санкт-Петербурга от наводнений) protects St. Petersburg city against flooding. The dam separates the Neva bay from the Finnish Gulf. Construction lasted from 1980 to 2011. The dam is designed to resist water levels up to 5 m (NEDECO consortium, July 2002) (Fig. 8.9). The St. Petersburg Dam contains six water locks that are not suitable for shipping, but are necessary for the discharge of excess water and ice in the Winter season. The St Petersburg Dam contains two separate navigation channels, named S1 and S2. S1 is a 200 m wide main navigation channel located just south of Kotlin. It has a width of 200 m and a vertical size of 16 m. The S1 is closed with two very large sector gates comparable to the Maeslant Storm Flood Barrier. The secondary shipping channel, S2, is located east of Kotlin and is 110 m wide with a threshold lying 7 m below sea level. This channel is closed with a vertical gate of the guillotine type (Hunter, 2012).

102

8 Systematic analysis of flood barrier technologies

Fig. 8.9: St. Petersburg Dam, aerial view of navigation pass S1 (Ssr 2014, thanks to N. Rubliva and A. Davydov for help and equipment) [Wikimedia, CC BY-SA 3.0].

8.5.2 Flood barriers with sector gates, vulnerabilities There are only a few flood defenses with sector gates of these dimensions in the world. This will certainly have to do with the costs of such water barriers. They also take a considerable amount of space. It depends, among other things, on the width of the waterway, whether such a construction is used. One of the first things to notice is the enormous forces that the driving axes have to endure in order to move the gate constructions. The system that makes this possible has to be of considerable power and mechanical and hydraulic strength. This means that a breakdown somewhere in the system will quickly lead to less or no functioning at all. If something goes wrong, the consequences will also be more serious because of the forces generated by the system. This makes the system more vulnerable to tampering and (part) destruction. The size and the complex hydraulic and mechanical structure of sector gate flood barriers imply that various methods for obstruction or even destruction are feasible. The most obvious way for preventing the proper operation of the flood barrier would be to damage the controls and hydraulics, or obstruct or distort the swing arms moving the giant gates. Relative to the size of the structure, only little force would be needed to achieve this. Because of these obvious safety and security hazards, the engineers designing the barriers will most certainly have thought of safety mechanisms to detect

8.5 Flood barriers with sector gates

103

obstruction, halt any movement, and thus prevent further damage to the construction. This implies the presence of fail-safe mechanisms, and computer controls monitoring the uninterrupted operation of the flood defense. We will again present our general safety and security comments in Tab. 8.10. Tab. 8.10: Vulnerabilities of flood barriers with sector gates. Construction

Structural weaknesses

Natural threats

Man-induced flaws Security threats

Vulnerabilities of flood barriers with sector gates (Maeslant, St. Petersburg) Sector gates contain two giant gates rotating around a vertical axis, hinges of giant proportions

Because of huge dimensions, prone to obstruction, and therefore distortion

Erosion by wind, currents, storms, and tidal waves; obstruction of gate and hinge mechanisms

Construction flaws, lack of maintenance, and human and computer error in operating flood barrier

Complex mechanical structures, hydraulics, computer-operated controls. Various ways for obstruction and distortion

8.5.3 Flood barriers with sector gates, attack-type table Both the Maeslant Storm Surge Barrier in the Netherlands and the St. Petersburg Flood Barrier in Russia are among the biggest moving flood barrier constructions in the world. Both the flood gates and the pivoting arms of these flood barriers are of immense proportions. The surface over which the arms of the flood barriers are moving must be completely flat and free of obstacles. Distortion of the arms alone would probably leave the flood barriers inoperable. This can be achieved by applying high force to the hinges (explosives, jamming, or battering). Because of the size of the structures, this implies the use of vehicles or vessels. This in turn implies that with proper (surface) access limiting measures, the vulnerability of the structures will be greatly reduced. Because of the open structure of the barrier arms, impact should be (very) close to the hinge structure in order to be effective. Because of these observations, it is extra important to look at the local factors that influence the security of the surrounding area of the barriers. We already mentioned ease of access, (lack of) supervision leading to (windows of) opportunity, the ability of the operators or security personnel to respond quickly, and intercept possible intruders. Because of the open structure of the flood barriers with sector gates discussed here, a bombing attack would probably be less effective. A scenario involving an assault team targeting the controls,

104

8 Systematic analysis of flood barrier technologies

hydraulics, or driving axis of the flood gates would probably be more effective. We will fill in Tab. 8.11 accordingly.

Tab. 8.11: Flood barriers with sector gates, attack types. Sector gate barrier attack types Attack mode

Attack type

Land

Mechanical equipment Jamming or battering Small arms (Man-portable) ED/ID Assault team (with/without) explosives) Vehicle-borne ED Stand-off weapons

Water

Jamming or battering Water-borne ED Underwater ED

Air

Aerial bombing or strafing Aircraft Impact

Cyber

Mechanical approaches (destruction of controls) Cyberattacks such as virus or control take over

Gates

Arms

Pivoting core

Controls

− _ _ _

− _ _

+ + − ++

+/_

++/-

+++/+

+++ ++ − +++ ++/++

_/+ +

++++ ++

+++++ ++

+++ ++

_ + ++

+++++ ++++ ++++

++ +++ +++

+ ++ +++

+++/+

+++/_ ++

+++/+ +++

+++/++ +++

_

_

_

_

_

_

++++ ++++(+)

8.6 Flood barriers and computer technology At the time that the first flood barriers were built in the Netherlands, computers did not exist. Barriers were controlled by hand, or by simple electric relays setting hydraulic pumps in motion. Over time, this has changed. It is nowadays unthinkable that a major technical construction with movable parts is designed without computerized controls. From a security viewpoint this is not a problem, as long as those controls are not operated from a distance through the internet. The control of (parts of) industrial facilities by way of the internet is called SCADA. SCADA is an acronym for Supervisory Control and Data Acquisition. Basically this refers to industrial computer systems that monitor and control industrial processes. In the case of a flood barrier system, SCADA applications can monitor and control the opening and closing of dewatering gates and navigation locks, sluice gates, and the guidance of ships to and through the locks. SCADA systems are

8.6 Flood barriers and computer technology

105

typically used to control geographically dispersed assets that are often scattered over thousands of square kilometers (SUBNET, 2018). In the Netherlands, SCADA is, for instance, used in the control of multiple canal bridges by a single operator, the control of river shipping, and the supervision of sewerage pump stations. By centralizing operating controls and supervision, human operator costs can be greatly reduced and safety is generally improved. The main disadvantage of applying remote monitoring via the internet is that this leaves the possibility of hacking and taking over the remote control. Slowly the amount of reports about the (possible) takeover of industrial installations at a distance is increasing. It is clear that managers and operators are not very keen about making such incidents public. A further disadvantage of SCADA applications is that they are very costly (a) to design and (b) to regularly upgrade the software. As a result, many industrial processes are still operated using legacy software from the 1980s such as Windows 3.1 (introduced in 1992) and Windows 95 (introduced in 1995). Although meant for use on the so-called personal computers or PCs, these computer systems were affordable and strong enough to control industrial processes. Over time these “on site” control systems have been connected to each other. Many newer operating systems still use (part of) the old computerized control systems implemented in the eighties and nineties of the previous century. Since the internet has become commonplace in the end of the 1990s and the beginning of the twentyfirst century, SCADA systems facilitate not only control and supervision but also maintenance. In the case of flood barrier systems, SCADA systems have become fully automated. Human operators only serve as a backup or have a supervising role. This increases the need for reliable, un-interrupted monitoring and control from a distance. According to the Dutch Rijkswaterstaat, part of the Ministry of Infrastructure and Water Management, the control of the Maeslant Storm Surge Barrier (1997) is completely computerized (Rijkswaterstaat, 2018). Under extreme threat, the doors will close automatically (Rijkswaterstaat, 2013). The Hartel Storm Flood Barrier is controlled by the same computer system as the Maeslant Barrier, and closes at the same time. The Maeslant Storm Surge Barrier and the Hartel Storm Surge Barrier, together with the new levee connecting them are the primary flood defenses of one of the biggest harbor and shipping areas in the world.

In the case of the Maeslant Surge Flood Barrier, the computer-operated control system (or “BOS,” barrier-operating system) constantly calculates the expected water level in the New Waterway. When a water level of more than 2.60 m above DOD is anticipated, the BOS system initiates the closing procedures without any human interference. The barrier must be closed when the water level reaches 3.00 m DOD. Six hours before the barrier will fully close, the Harbor Coordination Center is warned by the BOS. The Harbor Coordination Center prepares to warn ships that the barrier is going to close, and that shipping movement will be postponed. This may constitute a vulnerability in the procedures.

106

8 Systematic analysis of flood barrier technologies

Theoretically, if there is no warning, ships could ram the closed barrier and damage it in such a way that the river would be completely blocked. On the other hand, it would be very difficult for outsiders to forecast a possible closure, since calculations are done by the BOS system.

8.6.1 Hacking of flood barrier systems Anything done over the internet can eventually be “hacked” by the so-called hackers. In 1998, the Washington Post reported that a 12-year-old computer hacker broke into the SCADA computer system that runs Arizona’s Roosevelt Dam, giving him complete control of the dam’s massive floodgates. The cities of Mesa, Tempe, and Phoenix, Arizona, are downstream of this dam. This report later turned out to be incorrect. A hacker did break into the computers of an Arizona water facility, the Salt River Project in the Phoenix area. But he was 27, not 12, and the incident occurred in 1994, not 1998. And while clearly trespassing in critical areas, investigators concluded that the hacker never could have had control of any dams and that no lives or property were ever threatened (Gleick 2006, p. 488). al-Qaeda have reportedly been investigating how to carry out devastating attacks through cyberspace by seizing control of dam gates or power grids using the internet. Evidence found on al-Qaeda laptop computers in Afghanistan indicates that cyber terrorism is a realistic threat. Logs showed that al-Qaeda members visited websites that offer software and programming instructions for the digital switches that run water, power, and communications facilities. One computer contained models of a dam, including software that could simulate a catastrophic failure. According to the FBI, the computer had also been running Microstran, a structural analysis and design software program for analyzing steel and concrete structures (Harnden, 2002).

8.6.2 Barrier operating systems, vulnerabilities It is clear that SCADA systems are vulnerable to external influences, and that therefore BOS systems are vulnerable. We have discussed this in this and previous chapters. We have valued the corresponding relevant cells in the flood defense vulnerability and attack-type tables accordingly.

8.7 Conclusions In this chapter we chose a more scientific approach when assessing the safety and security of flood defenses. This requires a systematic appreciation of comparable objects, and an analysis of the vulnerability of equivalent or different parts of the

8.7 Conclusions

107

various systems. Such an approach makes it easier to understand and categorize the security risks associated with various types of flood barriers. We made the following security-related observations. Conclusion 8.1 In this chapter we identified levees and dams of different construction, varying from earth and clay constructions to combinations reinforced with sheet pile and concrete, or even free standing (reinforced) concrete constructions. The thinner (and higher) the body of the construction, the more easily the construction can be damaged, either by forces of nature or by applied force. Conclusion 8.2 The vulnerable parts in dams and levees are usually the entrances to harbors and rivers. In the Netherlands, like in many other countries, the majority of primary flood defenses can be found in the entrances of rivers and larger estuaries. This has led to the development of huge flood barriers, some of them containing a large number of water locks. However, we found that the size of a flood barrier, and an increasing amount of water locks, does not necessarily lead to more security risks. For what would be the use of destroying one or several water locks when there are still many left? Conclusion 8.3 The previous observation leads automatically to the conclusion that (therefore) the probability of security risks occurring is higher in smaller flood defenses. This assumption holds true for older water barriers. However, modern constructions with (rotary) segment gates and inflatable bodies that are stored on the bottom of the river or estuary run less security-related risks. Conclusion 8.4 The more exposed the body of the construction, like guillotine- or visor-shaped barriers that rise high above the landscape, the more vulnerable an object is to directed force, either from a distance or through ED attacks. This leads to a higher (security related) risk profile of older flood barrier constructions. Conclusion 8.5 Based on our assessments, we first concluded that primary flood defenses are the most vulnerable to attack. However, on closer inspection, we came to the conclusion that the vulnerability of secondary flood defenses may be higher. Especially when it concerns flood barriers in rivers that also have functions in other systems, like fresh water supply. Conclusion 8.6 The previous observations lead to the conclusion that some flood barriers are more prone to security risk than others. Scenariobased security risk analysis can help to pin point which flood defense systems are more security risk prone than others.

9 Calculating security risks Abstract: In the previous chapters we looked at flood defenses from different perspectives. In our historic overview we saw flood defense systems growing both in size and technical complexity. The most recent development however is that flood barriers tend to get smaller and simpler in design (but with advanced technology being used). We assume that both size and complexity increase the chance of safety risks. We gave an overview of such safety risks in several flood defense vulnerability tables. Structural weaknesses in, and vulnerabilities of, flood defenses may be exploited by possible attackers. By adding such security risks to our vulnerability tables, and then assessing the impact of specific attack types to vulnerable parts of the flood defense, the (safetyrelated) vulnerability tables become (security-related) attack vulnerability tables.

In this chapter we will further discuss the concept of (security) risk, cascading (security) risks and how the occurrence of a security threat and the connection with effects and consequences can be presented in a bowtie diagram. We also introduce new risk variables that transform our attack vulnerability tables into attack-type tables that help us draft a complete attack scenario and calculate the probability and effectiveness of various attack types. With this approach we hope to link thorough vulnerability analyses with security risk analyses that can be effectively used in security practice.

9.1 Flood defense system approach In the previous chapters we discussed a wide variety of flood defenses, varying from dams, levees, water retention, and navigation locks to huge storm surge barriers. These flood barriers provide navigable waterways, flood and storm surge protection, recreation, environmental stability, and many other critical economic, environmental, and social benefits (DHS, 2012). Where levees and dams in most cases are a combination of earth or clay topped with stone cladding, sluices, water retention, navigation locks, and flood barriers are far more complex technical structures. The design of navigation locks itself has not changed much over the ages. However, where lock doors were first handled by hand and later by steam, they are now operated by computer operated hydraulic systems. Simple valve operated water locks grew into the huge flood barrier systems that are now considered to be “Wonders of the World”. Because of the many different technical components used in these designs we also speak of complex technical systems. In a complex system, several subsystems can be identified. Each subsystem can be studied as a system on its own. We can identify various mechanical components in a (navigation) lock design, such as the lock itself, the gates and the mechanisms operating the doors and the water in- and https://doi.org/10.1515/9783110622577-009

9.2 Risk and probability

109

outlets. Other (sub-) systems in modern lock constructions are the hydraulic system, the electrical system and the computerized control system. In the flood defense vulnerability tables that we developed in the previous chapters we did nothing more than to identify the various subsystems in the complex flood defenses that we looked at. We then identified attack vulnerabilities related to the various subsystems, based on (safety-related) vulnerabilities and the accessibility of each subsystem. Together these “‘mini-scenarios” give us an indication of the largest vulnerabilities (leading to the biggest security risks) for the whole of the flood defense system.

9.2 Risk and probability We started this study with looking into flood defenses and safety risks. In the case of levees and dams, under certain circumstances, the body of the structure may dehydrate and eventually collapse. This is a safety hazard that has several sides to it. First there is the design element. According to the Fundamentals of Flood Protection manual, hydraulic engineers constructing a levee or dam must consider dehydration. They have to implement safe guards against levee failure by dehydration. Likewise there are many other safety hazards that hydraulic engineers have to take into account when designing complex structures such as flood barriers and navigation locks. The question is, how far does one has to go in order to “design-out” the chance that a structural part will fail, with the added effect that the complete system fails. Hydraulic engineers face a myriad of possible causes for failure in complex water works such as navigation locks and computer operated flood barriers. Many things can go wrong, varying from design flaws, natural causes such as earth quakes, and human error or oversight. If hydraulic engineers should have to take into account every conceivable hazard, the cost of all preventive measures combined would be astronomic (actually, the construction costs of the Eastern Scheldt Flood Barrier in the Netherlands came close). Therefore, flood defenses such as levees and dams are not constructed 100% failure proof, but with a failure rate such as “once in 200 years” in mind. A failure rate such as “once in 200 years” does not imply that a destructive event, such as a huge Tsunami, cannot happen tomorrow or next week. Likewise it is not possible to predict the malfunctioning of a hydraulic-mechanical structure or system at a specific point in time. It is possible however to calculate the probability of the risky situation occurring over a certain period of time. Risk is the probability that, given a certain set of circumstances, a certain situation will occur with negative consequences. “Risk is a combination of consequences and probabilities” (Ale, 2009, p. 5). Uncertainty and probability in flood protection According to the Fundamentals of Flood Protection manual, the way in which uncertainty and probability are factored into calculations of flood risk and the probability of flooding has a major impact on the outcomes of such calculations (ENW, 2017).

110

9 Calculating security risks

Uncertainty exists when more outcomes are conceivable than can actually occur. The magnitude of a risk refers both to the size of the differences between the possible outcomes and to the likelihood of the various outcomes. It is impossible in practical terms to predict how high the highest water level at a specific location will be over the coming year. At most, we can indicate the probability that a particular water level will be reached or exceeded. Since there are only limited data about past water levels, hydraulic engineers must resort to statistical extrapolation (p.31). In practice, the actual strength of hydraulic structures, dunes, and levees is uncertain (p.32). The consequences of flooding depend on many uncertain factors, such as the location of levee breaches, how the breach develops and the rate at which the water spreads through the affected area (p.33). Risk In hydraulic engineering, flood risk is a concept that concerns both the possible impact of flooding and the probability that it will occur. The Dutch approach considers three measures of risk: the annual expected damage, the individual risk, and the societal risk (p.37). The probability that a flood defense structure will fail is determined by the probability of a particular load and the probability that the structure will not be able to withstand this load (p.40).

9.3 Flood defenses and normal risks In relation to the functioning of complex organizations, Charles Perrow coined the term “normal accident” in his 1981 essay on the infamous Three Mile Island nuclear facility accident (Perrow, Normal accident at Three Mile Island, 1981)(see also chapter 1 in Perrow, Normal Accidents, Living with high-risk technologies, 1999 (1984). This has led to a whole “school” of organization theorists who think that serious accidents in organizations managing hazardous technologies may be rare, but they are inevitable over time (Sagan, 1993). The question, of course, is whether the management of flood defenses requires, or is, a complex organization. Throughout the centuries, a very efficient organization has been created in the Netherlands and other water-rich countries that manages the levees and other flood defenses. We therefore think that “complexity” is not so much associated with the organizations that manage flood defenses, as with the complexity of the technical structures themselves. In itself there is not that much complexity in a dam or levee. What makes water management complex is the combination of all kinds of water defenses, the dependence of data on water levels, the weather, and all sorts of other influences that together determine the safety against the water. This does not alter the fact that we find the term “normal risks” very useful in relation to flood defenses. “Normal” risks associated with flood barrier systems arise from natural hazards such as floods and earthquakes, structural deficiencies because of design or material flaws, equipment malfunctions, ageing of infrastructures, and in many cases human error or oversight. We call these “normal” risks, because we can “predict” them happening in the future, under certain conditions. This also implicates that we can prevent these risks by “designing them out” of the structural design of the flood barrier. Even then there will still remain the chance that (eventually) something may go wrong with the flood barrier(s). In this connection this is a safety risk.

9.4 Cascading risks, bowtie model

111

If there are risks that every organization must learn to live with, there are also risks where this should not be the case. In our flood defense vulnerability tables we have frequently qualified human error as a major safety hazard that can lead to the malfunctioning of complex structures or systems such as flood defenses. However, how devastating the effects of human error sometimes can be, human error never occurs on purpose. The kaleidoscope changes the moment that premeditation or purpose (or in Latin law terms: dolus) comes into play. Purpose at the same time marks the difference between safety and security. Security is by definition associated with deliberate malicious intent. Having said that, sometimes things can actually go wrong on purpose. In recent Dutch testing environments “live” levees were tested for overflow and overtopping situations. In 2008, a real small-scale levee breach was effected at the IJ river embankment near Amsterdam in order to gather data (ANP, 28 sept 2008). The research in this book focuses on hazards for flood defenses that are provoked deliberately, or actions that are aimed at the deliberate malfunctioning or (part) destruction of flood defenses. Risk in this case is translated as “the chance that deliberate aggressive actions occur against flood defences, such as those associated with terrorism. In addition, several overarching issues, such as cyber security or international border security, constitute potential sources of risk that are contextual in nature, but not necessarily specifically related to flood barriers” (DHS, 2012). These risk sources could potentially lead to a temporary disruption of critical functions or severe damage to – and even structural failure of – dams, levees, and other types of flood and storm flood barriers (DHS, 2012).

9.4 Cascading risks, bowtie model A cascading failure is a process in a system of interconnected parts in which the failure of one or few parts can trigger the failure of other parts and so on. Such a failure may happen in many types of systems, including power transmission, computer networking, finance, human body systems, and transportation systems (Wikipedia, n.d.). Cascading failures may occur when one part of the system fails. When this happens, other parts must then compensate for the failed component. This in turn overloads these nodes, causing them to fail as well, prompting additional nodes to fail one after another (Wikipedia, n.d.). The failure or disruption of flood defenses can lead to floods which in turn may lead to severely harmful results, including human casualties, massive property damage, and other severe long-term consequences. Flooding can also have significant impacts to other critical infrastructure sectors such as energy, transportation, and the supply of potable water. The consequences of a deliberate attack on any of these critical assets could be wide ranging and depend on a number of variables, including type of facility, failure, or disruption mode, critical functions (water supply, hydroelectric power generation, navigation, etc.), system

112

9 Calculating security risks

redundancies, downstream population density, regional infrastructure, and seasonal conditions (DHS, 2012). A security incident, or with other words a breach in security ultimately leading to a successful aggressive action against a flood defense, is never an isolated event. There are always events and actions preceding that particular incident, like information gathering, planning, reconnaissance, and the acquiring of equipment. These actions are very much comparable to the cascading safety failures leading to a single part of, and ultimately the complete, flood defense system failing. When one of the activities such as information gathering, planning, exploration, or purchase of equipment is thwarted, then there is a good chance that the aggressive action against the flood defense will not take place. But this does not have to be the case. Other perpetrators can take over parts of the preparatory activities. If some equipment cannot be purchased at a particular place, it may be acquired at another. We can call this preparatory or prior security risks. The various prior security risks can ultimately lead to one or more deliberate aggressive acts. Those acts in turn can have many consequences. The act(s) may lead to a levee breach, which in turn may lead to flooding the adjacent lands, disrupting cities, industries, farms, infrastructure, and not in the least, people’s lives. Prior or cascading security risks leading to a specific event, and the consequences of this event, can be represented in a so-called “Bow Tie” (or bowtie) diagram (see Fig. 9.1). The bowtie model combines the so-called fault tree analysis and the event tree methodology. Fault tree analysis was pioneered by the Boeing company

Fig. 9.1: Bowtie diagram with risk barriers.

9.4 Cascading risks, bowtie model

113

in conjunction with Bell Laboratories during the design of the Minuteman missile for the United States Airforce during the 1960s to prevent inadvertent launches (Keller W., 2005). Fault tree analysis corresponds with the left side of the bowtie model. The original fault tree analysis model shows pyramid wise, from bottom to top. In the bowtie the model is tilted to the right. Fault tree analysis was used in the 1970s Reactor Safety Study (RSS), better known as the Rasmussen Report (WASH-1400). Since integration of the overall fault tree analysis for (the) entire nuclear power plant(s) was too complex, given constraints in time and resources, an event tree concept was developed to model the approximate time-line of the possible accident scenarios (Keller W., 2005). In the nuclear energy domain, event trees start with an initiating event that causes a reactor to enter a transient from its steady-state operating condition. In this book this “trigger event” corresponds with the event that disrupts the normal functioning of the flood defense, in the bowtie drawn in the exact center of the bowtie. The bowtie also schematically presents the scenario-based approach to security risks that we introduce in this book. Since the central event can be any event, it can also display the break-in or terrorist act that security officers will want to prevent. The events displayed on the left of the central event are those that (individually or together) may eventually lead up to the actual break-in or terrorist act. They are causes that eventually lead to the central event happening. In security risk theory, some authors make a further distinction between causes and threats. Cause implies a greater distance from the central event than more immediate threats. These are the events that we want to block in order to prevent the central event from happening (the blocking or preventive measure imagined by black squares in Fig. 9.1). The events on the right of the central event, resulting from it, are the consequences. It is interesting to note that several security theorists make a further distinction between the (immediate) tangible effects of the central event, and the (later occurring) after effects or consequences of the central event. Should it not be possible to prevent the central harmful event of happening, then additional protective measures must be implemented to prevent the possible immediate effects and later consequences from happening. The consequences of a levee breach may be prevented or reduced by constructing a secondary levee ring behind the primary flood defenses. The Fundamentals of Flood Protection manual expressly states that flood protection is not only aimed at the prevention of flooding, but also at mitigating the consequences through crisis management. According to the manual, crisis management involves preparing for potential flooding, responding to the threat of flooding and taking action after flooding has actually occurred. In this case the bowtie diagram combines risks, threats, preventive, and remedial measures in one model. This application of risk barriers in the fault tree leading up to the central event, and the event tree leading away from the central event, corresponds with the

114

9 Calculating security risks

PPRR Model

Prepare

Plan

Respond

Consequences

Central Event

Effects

Threats

Bow-Tie Model

Causes

planning, preparation, response, and recovery phase in the PPRR risk management model that is well known among crisis and risk management professionals (Crondstedt, 2002). This model was translated by Talbot and Jakeman into what they call Security Risk Management Activity Areas: intelligence, protective security, incident response and recovery & continuity (Talbot & Jakeman, 2009, p. 223). See Fig. 9.2.

Recover

Intelligence

SRMBOK Activity Areas

Protective Security Incident Response Recovery and Continuity

Fig. 9.2: Risk models compared (after Talbot & Jakeman, 2009).

9.5 Swiss Cheese model Next to the bowtie diagram, the Swiss Cheese model is a useful tool for explaining our scenario-based approach to (possible) flood defense security breaches. Although then not labeled as such, the Swiss Cheese paradigm was first described by J. Reason. Reason posited “that accidents in high-risk technologies (Chernobyl, Challenger disaster, Harold of Free Enterprise) had their primary origins in a variety of delayed-action human failures committed long before an emergency state could be recognized” (Reason, 1990). According to Reason, during critical failures in complex technological system environments the operators most times “only provided the triggering conditions necessary to manifest systematic weaknesses (created by fallible decisions made earlier in the organizational and managerial spheres)”. We could go so far as to state that the Swiss Cheese model is a scientific variation to Murphy’s law. Murphy’s law states that things that can go wrong, eventually will go wrong (Wikipedia, 2018). According to the Swiss Cheese postulate, when circumstances are right and various risk factors (that in themselves would not lead to the undesired central event) eventually line up, the dreaded central risk in the bowtie will actually occur with all the undesired effects as a consequence (Fig. 9.3).

9.6 Exploring the bowtie input side

115

Inadequate Defenses Active and Latent Failures

Interaction with Local Events

Accident Unsafe Acts Active Failures

Psychological Precursors Latent Failures

Line Management Deficiencies Latent Failures

Fallible Decisions Latent Failures

Allignment of Failure Opportunities

Fig. 9.3: The contribution of human failures to the breakdown of complex systems (after Reason, 1990).

9.6 Exploring the bowtie input side Reason identified several groups of events where wrong decisions eventually may lead to undesired events lining up, facilitating the undesired accident to happen. Ultimately, in a technical environment, operators have to do something wrong, or forget to take specific action, in order for the undesired event or accident to happen. One can also imagine computer programs making a wrong decision at the wrong time. At least until today, most computerized operating systems are driven by software programs that are written by real persons, through manual labor (typing on a keyboard). Reason found that operator actions with negative results in most cases were preceded by wrong decisions (or the absence of decisions) by line managers or – in many cases – the corporate management. Since Reason was a psychologist, he also identified (a combination of) (individual) psychological factors and group

116

9 Calculating security risks

behavior that ultimately lead to unsafe acts and inadequate defenses against undesired central events happening. An example is company culture, preventing managers from making deviant – but needed – decisions. In Section 8.1.7 Dams and levees attack-type table, we presented a checklist for identifying vulnerabilities to attack of flood defenses and harbor facilities. When a flood barrier or a harbor and their surroundings can be easily accessed by perpetrators they are vulnerable to attack. The presence of moats, fences, locked doors, and similar defenses is a serious obstacle for attackers. Taking the right precautions through implementation of security measures will significantly reduce the chance of certain types of attack occurring. Like the combination of failure conditions stipulated by Reason, the same applies to the presence of opportunities for attackers to ultimately reach their “goal” of the central event in the bowtie diagram happening. Easy access will not grant success, when there is adequate supervision. The absence of supervision translates into better opportunities for the attackers. The time it takes supervisors to adequately respond to an attack offers an added window of opportunity to attackers. And the ease with which perpetrators can withdraw after an attack makes it more attractive to actually undertake the attack. In Section 8.2.3 Navigation lock attack-type table, we extended the abovementioned scenario variables with elements such as knowledge of the layout of the flood barrier, easy access to specific vulnerabilities, and the effective appliance of force against one or more of these (vulnerable) parts. In situations where a bombing attack could be effective we observed that this kind of attack requires special skills, next to detailed planning and consistent implementation. Like in Reason’s approach, these security scenario variables are successive hurdles that attackers have to overcome in order to successfully execute the central event in the bowtie (see Tab. 9.1). Tab. 9.1: “Swiss Cheese” security scenario variables. Reason failure categories

Security measures

Scenario variables

Fallible Decisions

No or limited security precautions

Opportunity

Line Management Deficiencies

Inadequate or no security organization

Supervision, response

Psychological Precursors of Unsafe Acts

Security culture and/or awareness lacking

Unsafe Acts (local elements) Lacking (local) supervision, doors/gates left open, visitors unchecked

Access, retreat

Inadequate Defenses (local elements)

Access, vulnerabilities

Lacking barrier maintenance or no barriers at all

9.6 Exploring the bowtie input side

117

The Reason model actually lists more failure categories than the attack-type tables we have prepared. Our attack-type or attack vulnerability tables mainly list technical vulnerabilities of flood defenses, and if – and to what extend – they could be damaged by specifically mentioned types of attack. The tables do not expressively mention the fact that a lack of adequate security barriers (like fences, access control, or supervision), facilitate perpetrators to damage or disable flood defenses or navigation locks. This has to be derived from the table. The risk components mentioned in the attack-type tables mainly fall in the Reason categories Fallible Decisions (no or limited security precautions), Unsafe Acts (lacking supervision, doors and gates left open, visitors unchecked) or Inadequate Defenses (lacking barrier maintenance or no barriers at all). This indicates that there are more security risks to be considered than implied in the various attack vulnerability tables. This observation in turn suggests that the left side of the bowtie is much longer than is shown in Fig. 9.1. We can even go as far as to conclude that in the case of flood defense attack vulnerability tables the same conclusion as that of the Rasmussen Study (WASH-1400) is justified. Since integration of the overall fault tree analysis for nuclear power plants was too complex, given constraints in time and resources, an event tree concept was developed to model the approximate time-line of the possible accident scenarios (Keller W., 2005). This means that both the left side of the bowtie (the fault tree) and the right side (the event tree) should be drawn much wider than shown in Fig. 9.1. The bowtie model should look more like the diagram shown in Fig. 9.4.

Fig. 9.4: Bowtie and Reason models integrated.

118

9 Calculating security risks

The Reason or Swiss Cheese model focuses on decisions within (commercial) organizations. But both the fault tree and the event tree in the bowtie model actually extend far beyond company borders. In the next chapter we will discuss the observation that in case of terrorism threat, political decisions may influence the fault tree in very early stages.

9.7 Determining relative vulnerabilities using numbers Our barrier attack vulnerability tables are suboptimal in more aspects than the amount of failure or vulnerability categories mentioned. The use of a combination of pluses and minuses to indicate the vulnerability of specific barrier subsystems might give the impression that the relative weight of the various vulnerabilities in the barrier (sub-) system(s) was arbitrarily chosen. A first step to objectify the vulnerability values in the attack tables, is by replacing the pluses (and minuses) by numbers. Numbers can range from 1 to infinite, but this is hardly workable. A solution is to transform the plus-notations in Likerttype scales. A well-documented explanation can be found on Wikipedia (Wikipedia, n.d.). In a Likert-type scale respondents specify their level of agreement or disagreement on a symmetric agree–disagree scale for a series of statements. Thus, the range captures the intensity of their feelings for a given item (Burns & Bush, 2007). The vulnerabilities in our attack-type tables are ordered relative to each other, based on subjective interpretations of local situations by security experts. Likert-type scales are well suited for indicating the relative weight of each vulnerability. In a Likert-type scale, numbers are preferably ranged from 1–5 or 1–7. Since it is easier to indicate a value of zero (meaning “no vulnerabilities identified”) by the number “0,” we will use a range of zero (“0”) to four (“4”). As an example conversion from a “plus”- to a “number”-table, we will utilize Tab. 8.5 The first thing we notice in Tab. 9.2 is that some vulnerabilities in the table carry the relative weight of five pluses. Since some cells have a minus notation (indicating “no – or minor – vulnerabilities identified”), this brings the total range of relative values to six. Since we made the decision to use a maximum range of five, this means that we have to re-evaluate the relative weight of every vulnerability in every cell of the table. This in itself is a valuable exercise, since it forces us to reconsider every vulnerability, and its relative impact compared to every other vulnerability in the table. Since we only use a relative scale of five (scores or values), the highest scores (and therefore the highest vulnerabilities) become more easily apparent (see Tab. 9.3). Also notice that, since we started using numbers, we replaced Word tables with Excel tables. In a spreadsheet it is far easier to immediately calculate and show relative weights.

119

9.7 Determining relative vulnerabilities using numbers

Tab. 9.2: Navigation locks, attack types (identical to Table 8.5). Navigation Lock Attack Types Attack mode

Attack type

Land

Mechanical equipment Jamming or battering Small arms (Man-portable) ED *) and/or incendiary device Assault team (without/with ED) Vehicle-borne ED Stand-off weapons

Quays

Gates

Hinges

Operating mechanism

− − − −

− − −

+ + − +

+++ ++ − ++

−/+

−/+

+

++

−/+ ++

++ +++

+ +++

+++ ++++

− + ++

+++++ +++ +++++

++ +++ +++

+ ++ +++

Water

Jamming or battering Water-borne ED Underwater ED

Air

Aerial bombing/strafing Aircraft impact

+++/−/+

+++++/+ +++

+++/+ +++

+++++/+++ +++++

Cyber

Mechanical approaches (destruction of controls)

−

−

−

+++++

Cyberattacks such as virus or control take over

−

−

−

++++(+)

Converting pluses to numbers makes us realize something else. Since the various attack types mentioned in the table have a different outcome for quays, gates, hinges, and operating mechanism, the overall effectiveness of each attack type may vary. This is the reason why we converted pluses to numbers, because now we can calculate the combined weight of the values that we attributed to each lock component by adding or multiplying them. We opt for adding the individual values in a new column labeled “Effectiveness,” as shown Tab. 9.4. The effectiveness column gives a much better indication of the combined relative weights that we have attributed to each attack type, given the various weaknesses or vulnerabilities that may be exploited by that attack type. The impact of the various scenarios is now more apparent, and the effect weight of the various scenarios can now be compared. Looking at the values in the table, it is immediately noticeable that gates are vulnerable parts in a navigation lock construction. Gates are especially vulnerable to attacks with (high) explosives. Because of the size of modern lock designs, it stands to reason that the destruction of lock

120

9 Calculating security risks

Tab. 9.3: Conversion from pluses to numbers. Navigation Lock Attack Types Attack mode

Attack type

Land

Mechanical equipment

−



+



+



+++



Jamming or battering

−



+



+



+++



Small arms

−



−



−



+++



(Man-portable) Incendiary Device

−



−



+



++



(Man-portable) Explosive device

−



−



+



++



Assault team (without explosives)

−



+



+



++



Assault team (with explosives)

+



+++



+



++++



Vehicle-borne explosive device

+



+



+



+++



Stand-off weapons

++



+++



++



+++



Jamming or battering

−



++++



++



++



Water-borne explosive device Underwater explosive device

+ ++

 

++++ ++++

 

+++ +++

 

++ ++

 

Aerial strafing

−



+



+



+++



Aerial bombing

+++



++++



++



+++



Aircraft impact

+



++



+++



+++



Mechanical approaches (destruction of operating controls)

−



−



−



+++



Cyber approaches (cyberattacks such as virus or taking over of the controls)

−



−



−



++++



Water

Air

Cyber

Quays

Gates

Hinges

Operating Mechanism

doors require heavy loads of explosive that are more easily delivered by truck, boat, or plane. When delivered by lorry, heavy loads are much better handled by a team instead of a single person. These observations are supported by the (relative) effect weights mentioned in the “effectiveness” column.

9.7 Determining relative vulnerabilities using numbers

121

Tab. 9.4: Adding “effectiveness” column. Navigation Lock Attack Types Attack mode

Attack type

Land

Water

Air

Cyber

Quays

Gates

Hinges

Operating mechanism

Effectiveness

Mechanical equipment











Jamming or battering











Small arms











(Man-portable) Incendiary device











(Man-portable) Explosive device











Assault team (without explosives)











Assault team (with explosives)











Vehicle-borne explosive device











Stand-off weapons











Jamming or battering











Water-borne explosive device











Underwater explosive device











Aerial strafing











Aerial bombing











Aircraft impact











Mechanical approaches (destruction of operating controls)











Cyber approaches (cyberattacks such as virus or taking over of the controls)











122

9 Calculating security risks

The number approach that we take for assessing vulnerabilities of flood defenses very much resembles the CARVER method. While writing the underlying study that this book is based on, we were not aware of this. However, the approach that we follow has more or less become standard (military) practice for assessing vulnerabilities in relation to security risk analysis. During the Vietnam war the US Army Special Forces required a system of target acquisition that would rank potential targets according to a scale. The CARVER matrix system was developed to fulfil those needs (Bennett, 2007). The CARVER method is a logical way to look at what one would like to achieve and whether or not that would be possible, given the available resources. CARVER is the acronym for Criticality, Accessibility, Recoverability, Vulnerability, Effect, and Recognizability. In the offensive, employing the Carver matrix can help identify targets that are vulnerable to attack. For defensive purposes the Carver matrix can indicate “High Risk” targets that require additional security measures to prevent damage or loss because of enemy or terrorist acts (Fay, 2007). As we have seen, the method has also been adopted by DHS. There are a number of different methods for completing a vulnerability assessment, such as a site survey, red-teaming, community vulnerability analysis from Sandia National Laboratories and target analysis (Smith & Brooks, 2013).

There are more conclusions that we can derive from the table. The use of explosives is quite brutal and has an element of randomness in it. An assault team or even a single person, using small detonating devices, can be much more effective in that they can pinpoint and demolish the weakest parts of the lock design. We concluded earlier that these are the gate hinges and the operating mechanism. When using brutal force, there are no certainties that – for instance – the complete operating mechanism will be destroyed. It is much more difficult to replace an entire operating system. Damaged lock doors may be replaced more easily. In this respect, there is something else that stands out. The table shows that cyberattacks against the operating mechanisms of (navigation) locks are very effective. Since these kinds of attacks are directed to the operating mechanisms alone, and not the quay, gate, or hinge constructions, only the operating mechanisms are affected. In the table, this results in a low overall result for cyberattack effectiveness. However, on the condition that the operating system is approachable (either local or through the internet), this kind of attack implies a very low personal risk for the attackers. From a personal viewpoint, one could say that there is no risk whatsoever. From an operational viewpoint, under these conditions a cyberattack is the preferred “modus operandi.” The cyberattack scenario as preferred modus operandi does not follow from the assessments in the attack-type table that we have presented so far. The attack-type table is therefore not complete, and should be expanded further. We therefore propose to add another column named “operational ease” (or a similar variable). In order to express the importance of this variable we posit that the “operational” variable should be multiplied with, and not added to, the “effectiveness” variable. This results in the table shown in Tab. 9.5. Now the table expresses that one of the easiest ways to effectively interrupt the operation of a lock would be by cyberattack,

Water

           

           

Mechanical equipment

Jamming or battering

Small arms

(Man-portable) Incendiary device

(Man-portable) Explosive device

Assault team (without explosives)

Assault team (with Explosives)

Vehicle-borne explosive device

Stand-off weapons

Jamming or battering

Water-borne explosive device

Underwater Explosive Device

Land

Gates

Quays

Attack type

Attack mode

Navigation Lock Attack Types

























Hinges

























Operating Mechanism

Tab. 9.5: Adding the “operational ease” column and calculating overall attack-type effectiveness.

























Effectiveness

























Operational Ease

(continued )

























Overall attack-type effectiveness

9.7 Determining relative vulnerabilities using numbers

123

Cyber

   



   



Aerial strafing

Aerial bombing

Aircraft impact

Mechanical approaches (destruction of operating controls)

Cyber approaches (cyberattacks such as virus or taking over of the controls)

Air

Gates

Quays

Attack type

Attack mode

Navigation Lock Attack Types

Tab. 9.5 (continued )











Hinges











Operating Mechanism











Effectiveness











Operational Ease











Overall attack-type effectiveness

124 9 Calculating security risks

9.8 Attack fault tree analysis

125

since no personal proximity to the facility is needed. This scenario also poses the least personal risk for a possible attacker. The new table, where the “effectiveness” rating for various attack types is multiplied with the appreciation of the “operational ease” of those attack types, gives a much better insight into the overall effectiveness of certain attack types against this kind of sluice. Security professionals however should always be aware of the assumptions that are underlying the table. The overall effectiveness of cyberattacks is high, on the condition however that the attackers have immediate access to local control systems or through a Supervisory Control And Data Acquisition (SCADA) network. The outcomes of the attack-type table also tell us that a “single-operative with explosives” attack is far less effective than an assault team operating with several members at once. This is understandable since the latter can carry more explosives, and spread out to pinpoint and damage different parts of the navigation lock. In another scenario, the accidental ramming of a river retention barrier in the Meuse River near the Dutch village of Heumen on December 29, 2016, shows how effective hijacking a single ship (and using it as a battering ram) can be in certain situations. This is also expressed by the high value of the corresponding attack type in the navigation lock attack-type table. When we look at attack-type tables for various flood defenses it also becomes apparent that we always see the same high scores for certain scenarios. Evidently some attack scenarios are more effective than others. Attack scenarios that stand out are attacks by teams at specific components of a flood defense, jamming, or battering lock doors or mechanical barrier constructions and cyberattacks against SCADA-operated (storm) flood barriers.

9.8 Attack fault tree analysis We started with constructing flood defense vulnerability tables (a safety angle of approach), that we then converted to attack vulnerability tables (answering the question what construction elements can be exploited by attackers). The third step in our approach was to convert the “exploit” tables into real attack-type tables. These attack-type tables are actually elementary security risk tables, given certain attack options. In this way the tables already present elementary, scenario-based, security risk analyses. These security risk scenarios are far from complete. Security professionals, looking at the outcomes of the tables and based on their professional knowledge and experience, will automatically fill in missing scenario elements such as ease of access, the presence of camera’s, fences and (locked) doors, and the presence (or absence) of supervisors. They will then be able to draw up an elementary defense plan, deciding where and how specific security measures should be implemented.

126

9 Calculating security risks

Problem is that an important part of this kind of security threat analysis, and finding solutions, for a large part takes place in the minds of professionals. That is not a complete and verifiable security risk analysis. We need a complete and clear presentation of all risk elements that together form a plausible attack scenario that point to as many opportunities for possible attackers. We already indicated that the various scenarios and their parts can be graphically pictured in attack fault trees. Attack fault trees graphically picture the critical path to the central event, representing the succeeded intrusion and subsequent destruction of the flood defense, the (navigation) lock system or critical parts of them. A free program (available on the internet) that can help picture and analyze such fault trees is “Storybuilder,” developed for RIVM, the Dutch Institute for Public Health and the Environment (RIVM, sd). (See Fig. 9.5) Deductive modeling backtracks the (possible) causes leading to the (part) destruction, going backwards from the (supposed) destruction of (part of) the lock system. It is also possible to start with an initiating event (earlier labeled cause or threat) that can have undesired consequences, like a gate that is kept unlocked through which perpetrators can enter the lock premises and create havoc. This is an inductive modeling approach. Deductive and inductive modeling approaches play mainly in the fault tree part of the bowtie model. An inductive approach can lead to infinite possible results and is therefore very time and resource consuming. Deductive analysis is a more manageable approach. It is much easier to imagine a lock gate blown out of its hinges and analyze the possible ways how that came to be, than to imagine where a left open door could possibly lead to. A disadvantage of the deductive method is that eventually a number of possible causes will be found. That these causes represent all possible threats is not very likely. A big question then remains which possible causes (and therefore threats) are overlooked. An extensive fault tree course can be found in the NASA “Fault Tree Handbook with Aerospace Applications” (NASA, 2002). A free to use fault tree program can be found at http://www.fault-tree-analysis-software.com/ (ALD Group, 2018).

9.9 The “(man-portable) explosive device” attack scenario The deductive or fault tree approach to building security risk scenarios is basically the same method as we have used in our navigation lock attack-type table. However, we left important parts of the attack scenarios to the imagination of the reader. For instance, the “(man-portable) explosive device” attack scenario implies that an intruder (I) carrying an explosive device in a backpack can approach (A) the navigation lock area unimpeded, is able to open or cross the gate (G) or fence (F) once again unseen, and ultimately is successful in strategical placing (P) and then detonating (D) the device.

9.9 The “(man-portable) explosive device” attack scenario

127

Fig. 9.5: Storybuilder bowtie example.

Fault tree analysis implies that various options are considered; for instance, more than one way to enter the lock area (through G1, G2, G3 and F1, F2, F3), various options for strategically placing the explosive device (P1, P2, P3) and more than one option for setting the device off (for instance, with or without operators present that may be harmed by the explosion), resulting in options D1 and D2. The (immediate) effects or (later) consequences of each “step” in the fault tree may get different numerical values, like we described in the previous section, thus increasing the precision of the fault tree analysis. This approach results in extensive scenarios with many options. The “(man-portable) explosive device” scenario can be presented in a simple mathematical equation. If we consider that gates can either be open (shown by the number “1”) and therefore traversed by the attacker, or closed (shown by the number “0”), than the scenario “(man-portable) explosive device” can be shown as: I = A*G*F*P*D meaning: . An effective scenario implies that the value of every single variable is positive (or “1” in our approach). Each subsequent value must be one, in order for the solution of the equation to be “1” (indicating a successful intrusion). The moment a value is zero, the result of the equation becomes zero, indicating an unsuccessful intrusion. This of course is a very simple example, but the equation becomes much more complex when every variable is divided in more than one possibility, such as options G1, G2, G3. I = A*G1, G2, G3 * F1, F2, F3 * P1, P2, P3 * D1, D2

128

9 Calculating security risks

Each element in the equation represents a layer of defense (“L”). Since we are discussing the development of scenarios, we are actually not talking about numerical values, but about chances (the chance that an intruder manages to pass either gate 1, gate 2, or gate 3). Chance is presented by the letter “P.” The chance that defense layer 2 (the gate(s)) is breached, is a summation of the chances that either (sub-) gates 1, 2, or 3) were successfully passed. PI = PLA * PLG ðPG1 + PG2 + PG3 Þ * PLF ðPF1 + PF2 + PF3 Þ * ð. . . .Þ Suppose we have a situation where there are four (“4”) defense layers, with as many chances to breach these layers (chances P1, P2, P3, and P4). In defense layer 2 there are two gates that can be breached with as many chances to crash these gates (PA and PB). A chance is always smaller than “1” (if it would be “1” than it would represent not a chance but a reality). If chance PA = 0,5 and chance PB = 0,6 than chance P2 = 0,8 (since PA + PB = 1,1, and P2 cannot exceed 1, P2 must be corrected by the summation of PA * PB = 0,3). The mathematical equation for this scenario (four defense layers) looks as follows: Pi =

4 Y

Pi

i=1

9.10 Chemical plant protection scenario We will end this chapter describing a scenario labeled by Zhang and Reniers as a “general intrusion detection approach in a chemical plant” (Zhang and Reniers 2016). Fig. 9.6 shows the layout of a chemical plant divided in several zones. The higher the number of each zone, the better the defense layout (and the more important the assets that must be protected). The defense layout of each zone consists of security countermeasures at the perimeters – or outer edges – (e.g., employee and visitor access control, car checkpoint) and in the zones (e.g., patrolling and security barriers). The combination of security countermeasures makes the possible targets in higher zones more secure (i.e., less vulnerable). How to display the layout of a chemical plant for security purposes, and to draw conclusion about best practice security measures, is discussed in detail in API Standard 780, Security Risk Assessment for the Petroleum and Petrochemical industries (ANSI/API Standard 780, 2013). The following illustration Fig. 9.7 visualizes potential attackers’ behavior in a bowtie diagram. Note that the path that the attacker takes starts at the left (starting point: “Zone 0,” which is outside of the outer perimeter of the plant). This means that this scenario is based on an inductive approach, as discussed in Section 9.8 Attack fault tree analysis. There is more than one central event in this bowtie, since multiple “attack worthy” assets have been identified (in zones 1_1, 2_2, and 3_1).

9.10 Chemical plant protection scenario

Fig. 9.6: General intrusion prevention in process plants (source: Zhang and Reniers 2016).

Intrusion

PERIMETER 1

PERIMETER 2

PERIMETER 3

A21 A22 A23

A11

ZONE 2_1

A12 A24 ZONE 0

A13

ZONE 1_1

A25

ZONE 2_2

A14 A31

A26 A27

Attack

ZONE 2_3

A32

ZONE 3_1

Assets in ZONE 2_1 Assets in ZONE 1_1

Assets in ZONE 3_1 Assets in ZONE 2_2

Assets in ZONE 0 Assets in ZONE 2_3

Fig. 9.7: Critical intrusion path in a process plant (source: Zhang and Reniers 2016).

129

130

9 Calculating security risks

In this process plant scenario an attacker would first decide which target to attack, and then choose the easiest way to reach the target (the critical path). An attacker would also have to decide on the attack scenario (e.g., armed or not). These steps are not separate options. An attacker will choose his or her target while considering the difficulties of reaching the target, at the same time deciding on his or her modus operandi (Laobing Zhang, 2018, p.184). The following formula gives the probability of successfully reaching the target. P=

YI i=0

Piz ·

YI j=1

Pjp .

The I indicates the zone level number of the target, for example I = 3 for zone 3_1. P zi indicates the probability of successfully passing zone level i. P pj indicates the probability of successfully passing perimeter j (adapted from (Reniers, Khakzad, van Gelder (Eds.), 2018). We will elaborate on this scenario in the game approach in the next chapter. Note that for a complete scenario build-up of our navigation lock attack-type table we would have to follow and calculate the critical path of every attack type in the table. Next we would have to compare all outcomes, and determine which attack types to focus on, in order to effectively implement the appropriate security countermeasures. Since such an approach would be extremely time and therefore resource consuming, we suffice with the information presented in the various attack tables in this and the previous chapter. In the next chapter we will focus and elaborate on a Game Theory-based scenario approach.

9.11 Conclusions In this chapter we identified (safety) vulnerabilities in flood defenses – specifically navigation locks – that can be exploited by possible attackers. Safety risks then become security risks. In the previous chapter we started with constructing flood defense vulnerability tables (a safety angle of approach), that we then converted into attack vulnerability tables (answering the question what sluice or lock elements are vulnerable to specific types of attack). By adding scenario elements such as effectiveness and operational ease we converted the attack vulnerability table (that gives an indication of what vulnerabilities attackers can best exploit to be effective) into an attack-type table (giving an indication what vulnerabilities attackers can target with the best effect). By combining the identified vulnerabilities and possible targets with an analysis of the accessibility of the lock complex, we effectively started with scenarios-based security risk analysis. In this chapter we made the following security-related observations.

9.11 Conclusions

Conclusion 9.1

Conclusion 9.2

Conclusion 9.3

Conclusion 9.4

Conclusion 9.5

131

In the previous chapters of this book we have always looked at relationship (s) with the Fundamentals of Flood Protection manual. The manual however is all about designing safe flood defenses. In this chapter we focused on how to identify and categorize security risks. The manual does not deal with security risks. Like an official of the Dutch Ministry of Infrastructure and Water Management stated, security is not part of the regular design process of flood defenses. This does not mean however that in case of a security threat no additional measures are taken. This however may be too late. The effects of security hazards on flood defenses are roughly the same as the effects of safety hazards on flood defenses. This means that there is not much difference between calculating the safety and security-related dimensions of a flood defense structure. If the possible effects of security hazards are included in the design calculations, it may be easier – and cheaper – to prevent security threats from becoming reality. We have discussed several steps to map security risks properly and transparently. Flood defenses in general, and sluices and navigation locks in particular, are complex technical systems, composed of multiple components or subsystems. Structural parts of sluices, navigation locks, and (storm) flood barriers such as quays, gates, hydraulic mechanisms, and controls are such subsystems. In our attack vulnerability tables we identified several types of attacks. We also analyzed in what way – and to what effect – each attack type could effectively disable or even destroy each subsystem (and ultimately the whole of the flood barrier). How perpetrators can exploit the various vulnerabilities, the alternative ways in which they can reach their target, and the possible effects and consequences of the accomplished damage or even (part) destruction of the flood defense, can be presented in a bowtie diagram. The bowtie diagram consists of the fault tree at the left side (the various actions and activities leading to the central event), and the event tree with the actions and activities leading to the effects and consequences of the central events. The bowtie can also be used to schematically present the scenariobased approach to security breaches. The central event represents the break-in or terrorist act that managers, operators, and security officers will want to prevent. The bowtie combines (security-related) risks, threats, preventive and remedial measures together in one model.

132

9 Calculating security risks

Conclusion 9.6 Bowtie diagrams are often limited in scope. We have seen that in the case of security risk analysis, the time frame over which the analysis takes place can be very long. Related to time, Reason concluded that even distant events such as misguided management decisions may eventually lead to security hazards becoming reality. Ultimately it may be operators that switch the wrong lever (or leave a door open for strangers). This however can be the result of a lack of safety and security culture, which is maintained by the management. Conclusion 9.7 Once all vulnerabilities have been identified, and an assessment has been made of how these vulnerabilities can evolve to security hazards, it ultimately comes down to an old-fashioned security risk analysis of the flood defense premises, perimeters, and environment to get an idea how attackers might achieve their goal. The larger the built area, and the more complex the structure of the flood defense, the more difficult it is to value all elements of the risk analysis and to present them in an orderly manner. In that case we have to use formulas to identify the most critical pathways that result in the highest security risks. Doing so, it is important to keep an eye on the original valuations, so that all those involved know how the final scores have been calculated and what the considerations have been to take certain security measures. Conclusion 9.8 Looking at the various attack-type tables it becomes apparent that some scenarios always receive the highest scores. Some (flood defense) attack scenarios evidently are (far) more effective than others. Attack scenarios that stand out are attacks by teams targeting specific components of a flood barrier, the jamming or battering of lock doors and cyberattacks against SCADA-operated hydromechanical flood barrier constructions. It should be possible to take these observations into account when designing flood defenses, sluices, and navigation locks. This would save a huge amount of effort (and money), should it be necessary to arrange security at a later time.

10 Terrorism threat and flood defenses Abstract: In the previous chapter we discussed the functioning of the bowtie model, and its significance for the development of security risk scenarios. We concluded that it can take a long time before causes and threats in the fault tree (the left side of the bowtie model) become evident in the event tree through the emergence of unwanted (immediate) effects and (later) consequences. Reason identified groups of events where wrong decisions (very) early in the fault tree may eventually lead to undesired events lining up, facilitating undesired accidents to happen at a much later time. Reason mainly looked at business processes but the same is true when it comes to terrorism, an important implicit motive in the attack vulnerability tables that we introduced in the previous chapters. In the case of (threat of) terrorist attacks the time between planning and execution can take years. The possibility of such attacks occurring depends – among others – on geopolitical circumstances and developments.

Officials in charge of the protection of flood defenses told us that it is hardly feasible to calculate the likelihood of a terrorist attack. According to them, this is because there are no historical data. With this view we disagree. We think that enough data is available to say at least something about the likelihood of specific types of terrorist attack in specific circumstances. In this chapter we evaluate the probability of possible terrorist attacks against flood barriers (we use the Netherlands and Europe as an example). If we want to give a realistic estimate of the chance of such an attack occurring, we have to consider the historic context of terrorist attacks (in this case in the Netherlands). Additionally, in our quest for finding objective approaches to terrorist attack scenarios, we explore the application of game theory in scenario building in some detail.

10.1 A definition of terrorist attack It is almost impossible to give a precise definition of a terrorist attack because of the political context terrorism is immediately drawn into. In short, what is considered a “terrorist” by some (mostly those currently in a position of power or government office) may be considered a “freedom fighter” by someone else. This controversy is well explained in an article by Brian Whitaker in the May 7, 2001 issue of The Guardian (Whitaker, 2001). Many sources refer to the Oxford Dictionary for an “a-political” reference: “terrorism” is defined as “The unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims.” The origin of the word terrorism is stated as “Late eighteenth century (in reference to the rule of the Jacobin faction during the period of the French https://doi.org/10.1515/9783110622577-010

134

10 Terrorism threat and flood defenses

Revolution known as the Terror): from French terrorism, from Latin terror (see terror)” (oxforddictionaries.com). Whitaker mentions that the use of “terrorist” in an antigovernment sense is not recorded until 1866 (referring to Ireland) and 1883 (referring to Russia). Since it is very unlikely that “common” criminals will utter bombing threats against levees for extortion purposes, we presume that possible attacks (as hypothesized in our attack scenarios) against flood barriers will always be directed against the government, holding the life of innocent civilians in the adjacent polders for ransom. “Terrorists target infrastructure to inconvenience government authorities, influence populations, and cripple corporations” (Veilleux & Dinar, 2018). We only know of one incident where a Serbian man threatened to blow up a Dutch levee. See Fig. 10.1.

Fig. 10.1: April 2012, Serbian threatens to blow up Dutch levees (news, screenshot RTL.nl).

10.2 Terrorism in the Netherlands Title 22, Section 2656f of the United States Code requires the Department of State to include in its annual report on terrorism “to the extent practicable, complete statistical information on the number of individuals, including United States citizens and dual nationals, killed, injured, or kidnapped by each terrorist group during the preceding calendar year.” The definition found in Title 22 of the U.S. Code provides that terrorism is “premeditated, politically motivated violence perpetrated against non-combatant targets by subnational groups or clandestine agents (Jewish Virtual Library, 2018).” In this chapter we take attacks with clear political motives as a starting point. An overview of terrorist attacks in the Netherlands can be found in the Elsevier (nowadays, “Relx”) publication “Terrorism in the Netherlands” (Andersson Toussaint, van der Plicht & Vrijssen, 2014). This publication lists 78 (78!) terrorist attacks

10.2 Terrorism in the Netherlands

135

in the Netherlands in the period from the 1970s till 2014. Since then a rather large amount of attacks and shootings with deadly result have occurred, but the overview gives sufficient information to assess the chance of a certain type of terrorist attack occurring. The complete list is included in the appendices. Looking at the list a couple of things draw our attention. First, the list can be divided in several attack categories. Over time, also a change in modus operandi becomes apparent. A first distinction is that between attacks against people, and attacks against objects (mostly buildings owned by, or representing, a company or government organization). In case of attacks against objects (mostly buildings) we can distinguish between bombings and other attack modes (mostly fire bombings). This is shown in Tab. 10.1.

Tab. 10.1: Attacks against institutions and (government and commercial) organizations. – Fire and other attacks against companies and (government) institutions –  RaRa attack at Makro Cash & Carry –   attacks at Shell gas stations –  Arson attack at Van Leer Packaging Int. –  RaRa attack at Makro Cash & Carry –  RaRa attack at Makro Cash & Carry –  Arson attacks at Shell gas stations – Bombing attacks against companies and (government) institutions –  RaRa bomb attack at Ministry of Social Affairs –  Bomb attack at Banque Paribas –  Bomb attack at BASF in city of Arnhem –  Failed attack Dam Palace in Amsterdam –  RaRa attack at Shell

In the 1980s there was a preference for setting fire to buildings or firebombing them. It is also possible that this was the preferred modus operandi of the then active RaRa activist group. What people were behind this group was never solved. The 1990s were characterized by bombing attacks, one of which (the most devastating) was claimed by RaRa. In case of attacks against people, we can distinguish between attacks against groups of people and individuals. In case of attacks against groups of people, we can make a distinction between hostage taking, and attacks with the intent of maiming or killing. As is shown in Tab. 10.2 there is a distinction over time when looking at attacks against groups of people. The 1970s were characterized by hostage taking, while the 1980s were characterized by (fire) bombings. The 1990s seem to be a period of relative quiet, perhaps because of individual terrorists or activists settling down and having children. In the first decennium of the new era we then see a new, young breed of

136

10 Terrorism threat and flood defenses

Tab. 10.2: Attacks against groups of people and individuals. – Attacks against groups of people –  Hostage taking at Residence of Indonesia –  Hijacking KLM Jumbo  –  Hostage taking French ambassador –  Train hijacking near village of Wijster –  Hostage taking at Indonesian consulate –  Train hijacking near De Punt; hostage taking school Bovensmilde –  Hostage taking Provincial building Drenthe Province –  Bomb attacks against Olympic Games –  Arson attack at Centrum Party conference – Attacks against individuals –  Abduction of Hanns-Martin Schleyer (president German employer organization) –  Attack at British ambassador –  Attack at son of Turkish ambassador –  Attack at oil merchant John Deuss –  Attack at Amsterdam mayor Van Thijn –  Attack at Under-Secretary of Justice Kosto –  Murder attack at Pim Fortuyn –  Murder attack at Theo van Gogh –  Car attack at Royal family parade

activists appearing. Note that we almost imperceptibly changed to referring to activist(s) instead of terrorists. This is partly due to the fact that in the cases of the murder attacks of politician Pim Fortuyn and film maker Theo van Gogh and the attack against the Royal family in Apeldoorn (not necessarily directed at the Royal family in our opinion) the individually operating perpetrators and their motives are (sort of) known. These were motives to bring harm to individuals or particular government officials, but not “to cause a chronic state of psychological vulnerability and instability in the targeted population (where) death and destruction are merely a mean to achieve these ends” (Gorski, 2001). Then there are the attacks against government officials such as police officers or custom officials. They may have been specially targeted, but it is also possible that those officials were “just” in the way of activists or terrorists with a grudge against the government. Some of these attacks were undertaken by foreign terrorist cells against people or officials from their own country (Tab. 10.3). Clearly falling outside aforementioned categories are attacks by “animal liberation front”-like groups (ironically killing and maiming animals), which according to some fall in another category than terrorism (Tab. 10.4). When we consider all these attacks and the different modus operandi, it is apparent that there is (luckily) no example of an attack against anything remotely resembling a flood barrier or other water works. We already referred to the single

10.3 Terrorism in Europe

137

Tab. 10.3: Attacks against officials and foreign civilians and representatives. – Attacks against officials and foreign representatives –  Attack at Dutch police officers –  Gun fight with RAF terrorists in Amsterdam –  IRA attack at British soldiers –  ETA attacks at Spanish targets –  IRA attack at Australian tourists –  Two ETA attacks

Tab. 10.4: “Animal liberation front”-like attacks. – “Animal liberation front”-like attacks –  Terror against mink breeding farm –  Arson at pig slaughterhouse Dumeco

example of a Serbian person who threatened to blow up the levee (actually a boulevard with low dunes behind it) near the coastal village of Zandvoort (Fig. 10.1). This seems to have been a “lone wolf” threat by an individual having lived close to the threatened location.

10.3 Terrorism in Europe Browsing the internet there are many sources tallying terrorist attacks in Europe. An objective government source is the yearly European Union Terrorism Situation And Trend Report (Te-Sat). However, the reports only give an overview of events during the previous year. This means that the latest report that we viewed (2018) gives an overview of the year 2017 (Europol, 2018). What is interesting is the difference in political and religious aims behind the various attacks. Looking at the index alone, Europol makes a distinction between several categories of terrorism (see Tab. 10.5). The number of pages dedicated to each topic gives an indication of the severity of the terrorist threat (the pages that we do not mention refer to the situation outside of Europe). Jihadist terrorism leads the enumeration by far. According to Te-Sat, this is partly due to a significant increase in the number of jihadist attacks, from 4 in 2014 to 17 in 2015, and the fact that EU Member States that then participated in the anti-IS coalition were regarded legitimate targets by violent jihadist groups. We should also note – again according to Te-Sat – that terrorist cells that are ready to perpetrate a terrorist attack in the EU are largely domestic and/or locally based (Europol, 2016, p. 22).

138

10 Terrorism threat and flood defenses

Tab. 10.5: Motives behind terrorist attacks (Source: Europol, 2016/2018). – Motives behind terrorist attacks in Europe () – Jihadist terrorism (pp. –) – Ethno-Nationalist and separatist terrorism (pp. –) – Left-Wing and Anarchist terrorism (pp. –) – Right-Wing terrorism (pp. ) – Single-issue terrorism (pp. )

A fairly accurate list of terrorist attacks in Europe can be found on Wikipedia (Wikipedia, n.d.). The Wikipedia listing is limited in that it only shows attacks leading to one or more deaths. Another well-documented source is the Global Terrorism Database (GTD) that ceased operating early 2018. The data – spanning a 40-yearperiod – however are still accessible on the web (Univ. of Maryland, 2018). Another reliable source can be found in the Jewish Virtual Library (Jewish Virtual Library, 2018). We also refer to the appendices. Then there is another reliable source with not very encouraging, if not outright frightening, worldwide terror-related data. If you are interested, please refer to the website thereligionofpeace.com (TheReligionofPeace.com, 2018).

10.4 Lessons learned from European attacks What can we learn from the recent wave of terrorist attacks in Europe? First, we must note that the attacks mentioned in Tab. 10.6 are terrorist attacks as we have defined them, since they were aimed at killing as much innocent people as possible, with the clear intent of disrupting social life and to provoke government officials into enforcing a state of “suppressive state terror” (our words). Looking at the lists compiled by TheReligionOfPeace.com there were many more attacks at the same time outside of Europe that did not make the “big” news. The attacks listed in Tab. 10.6 and recent attacks at Christmas markets in Berlin (16 December, 2016) and Strasbourg (11 December, 2018), the Manchester Arena bombing (22 May, 2017), and the London Bridge attack (3 June, 2017) show a preference for lorry attacks and (suicide) bombings with the aim of killing as many people as possible. The strategic goal that can be derived from such actions is to draw immediate global media attention and disrupt social life as much as possible. In 2018, Europol states that in recent years there has been an increase in the frequency of jihadist attacks, but a decrease in the sophistication of their preparation and execution. Jihadist attacks, however, cause more deaths and casualties than any other terrorist attacks. Again according to Europol, recent attacks by jihadist terrorists have

10.4 Lessons learned from European attacks

139

Tab. 10.6: Terrorist attacks in Europe, 2004 onwards (excerpt, en.wikipedia.org).  Mar,  Spain

Madrid train bombings

 killed, , injured

al-Qaeda

 London bombings

 killed,  injured

al-Qaeda

 Jul,  Norway

 Norway attacks

 killed,  injured

Anders Behring Breivik

 Jan,  France

Île-de-France attacks (Charlie Hebdo)

 killed (incl.  perps.),  injured

Al-Qaeda in ArabiaIslamic State

 Nov,  France

November  Paris attacks

 killed (incl.  perps.),  injured

Islamic State

 Mar,  Belgium

Brussels suicide bombings

 killed (incl.  perps.),  injured

Islamic State

Nice truck attack

 killed (incl.  perp.),  injured  killed,  injured

Islamic State

 Jul,  UK (England)

 Jul,  France

 Dec,  Germany

Berlin Christmas market attack

 Dec,  Germany

Friedrich-Krauze-Ufer;  killed “asylum seeker” murders a driver and steals his truck for use in another attack

Islamic State

Islamist

followed three patterns: indiscriminate killings (London, March and June 2017; and Barcelona, August 2017); attacks on symbols of Western lifestyle (Manchester, May 2017); and attacks on symbols of authority (Paris, February, June, and August 2017). New attacks in the EU by jihadist terrorists following one of these patterns or a combination thereof are highly likely (Europol, 2018). We observe that many Jihadist attacks in recent year actions are carried out by individuals or groups that follow the (Man-portable) explosive device and assault team (with explosives) scenarios as shown in our Flood Barrier Attack-Type Tables. These are apparently the easiest kind of attacks to plan and carry out, while apparently it is also relatively easy to acquire the necessary means of attack. Do the conclusions in this section imply that (therefore) a similar attack on flood barriers is less likely? Based on the examples shown here this may be the right conclusion. To conclude otherwise would be a crystal ball gazing exercise.

140

10 Terrorism threat and flood defenses

10.5 A crystal ball gazing exercise; introduction to Game Theory Yet that is what we want to try: to look into a crystal ball. Assessing the possibility of a terrorist attack on flood barriers succeeding comes close to a crystal ball gazing exercise. There are no historic data of such actions in Europe. Nonetheless, security professionals cannot afford the luxury of not thinking over every possible security threat in a certain threat scenario. That is what scenario-based threat analysis is really all about. The fault tree approach in threat scenario modeling is a rather linear exercise. Each critical path to a successful security breach or intrusion is considered on its own, and then compared to other possible critical paths. The use of critical path analysis is one of the underlying assumptions in the flood barrier vulnerability tables presented in this book. A score of “4” for the effectiveness of an attack on the controls of a flood barrier starts from the assumption that the flood barrier site was successfully entered, that the target was reached and then was successfully put out of action. An in-depth comparison between successful intrusion options (and calculating the probability that an option leads to the damaging or even destruction of a target) is offered by a Game Theory approach. Game Theory basically deals with human behavior, more specifically with people willing to cooperate for mutual benefit. Human tragedy is that there is (nearly) always one party that is willing to break that cooperation (called defection or cheating in Game Theory) for personal benefit. This is shown in the Tragedy of the Commons paradigm, where shepherds herd multiple sheep herds. Each herd is about as big as the other. Now one of the shepherds thinks he is clever, and adds one (or a few) sheep to his herd that he thinks the other shepherds will not notice. When all shepherds act the same, the herds will become too big and graze off all the arable land. In the end, everybody loses. By following the logic of self-interest, all actors involved have somehow landed everyone in a position where self-interest is the last thing that is being served. Game Theory makes no moral judgments about such attitudes. It simply accepts the fact that self-interest is one of our primary motivations and judges different strategies according to how they serve that interest (Fisher, 2008). The way self-interest by one party can be used by an adversary is shown in the Game Theory example where two criminals are arrested for a crime in which both criminals acted together. In this (American plea bargaining) example the prosecutor holds each of them in a separate room, and tries to frighten them in confessing their crime. If one of them confesses, the other person will receive a 10-yearsentence. The prosecutor has enough evidence to have them convicted for two years, so if neither of them confesses, they both get two years. If they both confess, both of them get a four-year-sentence. The question is, of course, why both of them would confess in the first place. This situation is what Dutch prosecutors are increasingly facing when trying to solve the frequent gang shootings and killings in

10.6 Game Theory and terrorist threat

141

the Netherlands. One of the criminals confessing in this example is the assumption in the paradigm, for else the paradigm would not work. The crux of the example is that the logical choice for both criminals – from a Game Theory perspective – would be always to confess. But the moment that one of the two decides to try and better his chances, they will both be worse off (a four-yearconviction). This is what is called a Nash equilibrium, by the famous mathematician John Nash (as depicted in the movie A beautiful mind). Only by making the cooperative, coordinated move by both not confessing, both criminals can get the minimal sentence of two years each. In Game Theory terms: a Nash equilibrium is a position in which both sides have selected a strategy and neither side can then independently change its strategy without ending up in a less desirable position (Fisher, 2008, p. 31). The various options are shown in the Prisoners Dilemma diagram by John von Neumann, the inventor of Game Theory, see Fig. 10.2.

Prisoner 1

Confess

Confess

Don’t Confess

4,4

0,10

10,0

2,2

Prisoner 2 Don’t Confess

Fig. 10.2: Prisoners Dilemma diagram by John von Neumann (adapted from Fisher 2008).

10.6 Game Theory and terrorist threat Sandler and Arce examined how game-theoretic analyses of terrorism have provided policy insights that do not follow from conventional strategic analyses. Since many terrorism-related games involve at least three players, they present two governments that are targeted by terrorists. Both nations must choose whether to focus their antiterrorism policy on deterrence or preemptive attacks. Deterrence diverts the attack by making such acts more difficult. Preemptive attacks seek out the terrorists by eliminating their base of operations and resources. Each nation (called a “player” in Game Theory) has two choices: each government can either concentrate on deterrence or preemptive attacks. The terrorists can either execute a spectacular terrorist action (e.g., 9/11 or the

142

10 Terrorism threat and flood defenses

1998 simultaneous bombings of the U.S. embassies in Nairobi, Kenya, and Dar es Salaam, Tanzania) or a normal terrorist attack. For a spectacular terrorist action, the costs of a preemptive attack exceed deterrence costs, whereas for a regular terrorist event, deterrence costs exceed preemption costs. In case of normal terrorism, threat deterrence can however be quite expensive because potential targets everywhere must be guarded (Sandler & Arce M., 2003). This example clearly shows the similarities with the Prisoner Dilemma Paradigm. According to Pieter van Gelder, professor of Safety and Security Science, Game Theory is best applied when comparing attack possibilities by one terrorist group against two (flood defense) facilities. Attack possibilities against more than two flood barrier facilities would greatly increase the amount of equations involved (Interview, Delft Safety and Security Institute, March 2017).

For a threat scenario comparison we will use Tab. 10.7 for a starting point. We first presented the same table in Chapter 9. The table shows that navigation locks or likewise constructed flood barriers show weak spots, that make them vulnerable to attack. While aerial attacks are not by all means to be excluded from our scenarios (as shown by the infamous “9/11” attacks) we disregard them for now. We view aerial attacks as acts of full-scale war, that therefore should be approached different from terrorist acts. This somewhat simplifies our attack-type tables. Apart from sluices and navigation locks with point door gates, we have seen that guillotine-shaped flood barriers with vertical lift or visor gates are also widely used. Some of the oldest weirs in the Netherlands are of the visor type. A big disadvantage of a guillotine-shaped flood barriers – when considering terrorist attack – is that they tower high above the landscape. Some of the most important mechanical parts are exposed. This is only less so in newer designs where the gates are stored beneath the water surface. In Tab. 10.8 we have translated the earlier pluses and minuses table into a numerical table, adding variables for effectiveness and operational ease for each attack type. We also normalized the relative weight of each value for use in a Likertlike scale (values ranging from “0” to “4”). Looking again at the guillotine attack-type table we have re-evaluated the scores given for each attack type, based on the new perspectives given in this book. This automatically led to the recalculation of the effectiveness and operational ease variables. Since most guillotine barriers are constructions made of steel and concrete, we assume that the use of incendiary devices has little damaging effect. Since a single person can only carry limited amounts of explosives, the effect on other than cables/hydraulics and controls will also have limited effects. The performance of an assault team is probably much more effective because a team can attack multiple vulnerable parts at the same time. In this case the question remains if, and how, it would be possible to acquire a large amount of explosives to undertake such an attack.

Attack type

Mechanical equipment Jamming or battering Small arms (Man-portable) Incendiary device (Man-portable) Explosive device Assault team (without explosives) Assault team (with explosives) Vehicle-borne explosive device Stand-off weapons

Jamming or battering Water-borne explosive device

Underwater explosive device Mechanical (destruction of controls) Cyberattack (virus, hacking controls)

Attack mode

Land

Water

Cyber

Navigation Lock Attack Types

Tab. 10.7: Navigation Lock Attack Types (simplified).

Gates              

Quays              

  

 

        

Hinges

  

 

        

Operating mechanism

  

 

        

Effectiveness

  

 

        

Operational Ease

  

 

        

Overall attack-type effectiveness

10.6 Game Theory and terrorist threat

143

144

10 Terrorism threat and flood defenses

Recent attacks have shown that it is easier to mix and transport high amounts of fertilizer and other composites in lorries, but this kind of attack is only effective when placed under, in, or close to a structure. Stand-off weapons can be highly effective against high rising structures, but the chance that cables or controls are hit are rather small. Concrete towers may be more resistant to impact than steel gates. And since many guillotine-shaped barriers are normally left open, the chance of (under-)water explosions having any effect is small. The results of these considerations are shown in Tab. 10.8. These outcomes lead to the conclusion that a team attack against the cables/ hydraulics and the controls of guillotine-like barriers would probably have the highest chance of a “positive” (in this case destructive) outcome. Comparison of the navigation lock and guillotine barrier attack-type tables lead to the conclusion that both barrier types are vulnerable to assault team attack with explosives, and sabotage of the operating and control mechanisms. Additionally, point door locks are vulnerable to battering and ramming of the lock doors and (under-) water explosive devices. These types of construction are therefore basically equally vulnerable to terrorist threat. The question which barrier would be more suitable to attack then depends on factors as accessibility for assault teams or the availability of ramming devices such as boats. The best way to calculate the vulnerability for each barrier would be to analyze the critical attack path for each attack mode, as we have shown in Section 9.10 Chemical plant protection scenario in the previous chapter.

10.7 Game Theory scenario approaches A security expert analyzing the vulnerabilities of the various flood barrier types and their components will mentally make an assessment of the defense measures that are necessary to prevent a successful attack against specific parts or the whole of the flood barrier. Since each table identifies multiple attack types with different outcomes for the various parts of a barrier type, the expert will have to make a choice what security measures to implement. In most organizations, this choice also depends on the amount of resources available in time, manpower, and money. In the end, choices will have to be made about what should and what should not be protected. The most simple solution in any circumstance would be to place a fence around the flood barrier, but most barriers are extremely large constructions in, or along, rivers and waterways that are in constant use. Therefore, choices have to be made about what to defend, how to defend it, and in what measure the risk of loss is accepted. A Game Theory approach supports this kind of decisions. In our flood barrier attack-type tables we enumerate various attack scenarios that are judged for their possible damaging effect on the barrier. In order to explain the advantages of a Game Theory approach, we revert to the chemical plant example of Section 9.10 Chemical plant protection scenario (for convenience shown again in Fig. 10.3).

Attack type

Mechanical equipment Jamming or battering Small arms (Man-portable) Incendiary device (Man-portable) Explosive device Assault team (without explosives) Assault team (with explosives) Vehicle-borne explosive device Stand-off weapons Jamming or battering

Water-borne explosive device Underwater explosive device

Mechanical (destruction of controls) Cyberattack (virus, hacking controls)

Attack mode

Land

Water

Cyber

Guillotine Barrier Attack Types

Tab. 10.8: Guillotine Barrier Attack Types (simplified).

Lifting towers              

Gates              

 

 

         

Cables/ hydraulics

 

 

         

Controls

 

 

         

Effectiveness

 

 

         

Operational ease

 

 

         

Overall attack-type effectiveness

10.7 Game Theory scenario approaches

145

146

10 Terrorism threat and flood defenses

Fig. 10.3: General intrusion prevention in process plants (Source: Zhang and Reniers 2016).

For an easier understanding of the Game Theory approach we suppose that the plant manager is taking into account three scenarios: the intrusion by either (A) activists, (B) terrorists, or (C) thieves. The objective of each group of intruders will be different: (a) the closing down of (part of) the plant, (b) (part) destruction of the plant, or (c) stealing valuable assets. In order for each group to reach its target, different “critical” paths can be chosen. The plant manager has to make an assessment of the various options and critical paths, taking into account the possibility (or chance) for each group actually intruding his plant. This is a logical (or “Bayesian”) decisionmaking process, resulting for instance in the chance of activist activity of 0,3, terrorist activity of 0,1, and theft activity of 0,5. The results of these equations can be described and presented in a table as we have done in our attack-type tables, or presented as a mathematical equation (the preferred method of Game Theorists). Essential in a Game Theory approach are the valuation of the vulnerability of the target (V), the strategy of the attackers to reach the target (S), and the consequences of the attack (C). When these variables are known (or estimated), the plant manager can make a weighted decision of what to protect, and to what extend security measures should be implemented. Essential considerations in Game Theory approaches are the costs for both attackers (activists, terrorists, thieves) in reaching their goal

10.7 Game Theory scenario approaches

147

and defenders (plant managers and security professionals) in effectively implementing defensive measures. In this book we have refrained from making this kind of equations because of the time (and therefore cost) involved. We have extensively considered the “V” (vulnerability) element in our attack-type tables, but only made superficial remarks about the “C” (consequences). We regularly referred to the “S” (or strategy) variable, in that this variable is defined by sub-variables such as accessibility of the flood barrier or navigation lock premises, the absence of supervision (translating into opportunity for the attackers), the time it takes supervisors to adequately respond to an attack (offering a window of opportunity), and the ease with which perpetrators can withdraw after an attack. Ultimately we concluded that the critical path or fault tree, represented by the left side of the bowtie model, should be extended by assessments of variables such as special skills, detailed planning, and consistent implementation. As a final thought we should keep in mind that there are, as with any methodology, drawbacks to the use of Game Theory modeling. Game Theory presupposes rational behavior at both the attacker’s and defender’s side. Especially terrorists have (and take) all the time to learn about a defender’s weaknesses. Their behavior is not always rational, at least not in the eye of a Western observer. At the same time the defending team (both management, security professionals, and operatives) has no indication whatsoever about the attacker’s intentions and strategy. Game Theory modeling helps to prepare adequate response strategies beforehand, which hopefully gives managers and security professional time to prepare themselves, and – while prepared – respond more quickly in case of a terrorist or any other kind of attack. We already indicated that for a complete scenario build-up of the various attack modes we would have to follow and calculate the critical path of every attack type in the tables. Next we would have to compare all outcomes, and determine which attack types to focus on, in order to be able to effectively choose and implement the appropriate security countermeasures. Even then this would not be enough, for we would also have to compare the outcomes for different flood barriers in different areas in a country or area in order to decide which ones run the highest risk of an attack. This would require far more resources than we had available during the research for this book. These tasks are somewhat simplified by the conclusion in the previous chapter that certain scenarios always receive the highest scores when comparing flood barrier attack types. Some attack scenarios are evidently more effective than others, such as attacks by teams targeting specific barrier components, the jamming or battering of (navigation) lock doors, and cyberattacks against SCADA controlled hydraulic–mechanical flood barrier constructions. This conclusion helps both managers and security professionals to focus on the most likely scenarios, and then take the best possible defensive security measures.

148

10 Terrorism threat and flood defenses

10.8 Conclusions Conclusion 10.1

Conclusion 10.2

Conclusion 10.3

Conclusion 10.4

According to some, it is very difficult – and therefore a waste of effort – to calculate the chance of a terrorist attack. Supposedly, there are not enough data available to make an effective assessment. In addition, in many Western countries politicians consciously seem to ignore certain kinds of terrorist threat. Attacks committed by Jihadist perpetrators are frequently labeled something else, like “actions of confused persons” (at least this is the case in the Netherlands). The relationship with Islam is denied, with the result that countries don’t deal adequately with terrorist threats. This is important because the religious angle enlarges the amount of irrational variables in a security risk scenario, thereby making it much more difficult to effectively compute the chances of certain attack types occurring in a specific defense scenario. We think that it is indeed possible to give an opinion about the chances of a terrorist attack taking place in a certain country, at a certain place and at a certain time. For instance, it is at least clear to us that, after attacks in Germany and recently in Strasbourg (France), it is unwise not to take security measures when a Christmas market is held in a big city. The symbolism of an attack on a gathering that by a specific group of attackers is considered a Christian religious expression par excellence, and that takes place at a time of year that is holy to Christians and highly appreciated by many others, should be clear to anybody. These are developments of the last 10 to 15 years. If we look at the history of terrorism in a particular country or area (in our case in the Netherlands and in Europe) it is possible to discover patterns that may give an indication of the likelihood that a terror attack will take place, and what that attack will probably look like. There is of course no guarantee, but the use of scenario-based analysis makes it possible to assess as many action paths as possible, given the knowledge that we have of actions in the past and comparable situations in the present. When looking at the history of terrorist activity in the Netherlands we were able to distinguish several types of terrorist attack, like attacks against groups of people or individuals, or hostage taking versus bombing attacks. The Te-Sat distinguishes between political and religious motives behind terrorist attacks in the European Union. Te-sat over the years reported a significant increase in the number of jihadist attacks in Europe.

10.8 Conclusions

Conclusion 10.5

Conclusion 10.6

149

In Te-Sat 2018 Europol however reports a decrease in the sophistication of their preparation and execution. Islamist attacks in Europe show a preference for “soft” targets in the form of large, unprotected groups of civilians in public spaces (squares, sidewalks, cafes, theaters). In these cases most terrorist groups followed the (Man-portable) explosive device and assault team (With explosives) scenarios. A fairly recent form of attack is to hijack a lorry and use that for driving over as many pedestrians as possible. These observations enhance the idea that attacks at flood defenses, being huge and complex structures by nature, are therefore less likely. This does not mean that managers, operators, and security professionals now can rest easy. Actually, there is much attention for security risk management, and there are also scenarios on how to act in case of security threats. Problem however is that security aspects are not normally included in the mandatory risk analyses that are required when (re-) designing flood defenses. We argue for this to be introduced. When safety and security risks are equally considered at an early stage in the design process, this will reduce the costs of taking security measures at a later stage enormously.

11 Conclusions Abstract: In this closing chapter, we outline the starting points of this book, and judge if we were able to meet the goals that we set in the beginning. Then we briefly review the main conclusions that we discussed at the end of each chapter. We are not going to repeat all conclusions again. In the next and last chapter, we make some recommendations, based on the conclusions in this chapter.

11.1 Why this book? There are two reasons that we started with the research that this book is the result of. First, the assignment was to investigate different modes of operation to attack flood defenses. This question ensued from an earlier study that looked at the effect of explosives on a levee body. We found that – without context – there is little point in looking at the effect of, for example, undermining or blowing up a levee. Such an action must be seen in the context of a complete plan of attack. When aggressors attack, there is almost always a motive in combination with preparatory and implementing actions. Defenders can prepare for such an attack by reflecting on what actions that may be, and what the effect would be of those actions on the assets to be defended. These actions can be mapped out and be plotted in time in a scenario analysis. In addition, a scenario approach helps to consider whether alternative scenarios are conceivable. This gives defenders an idea as to what security measures should be taken. Because one simply cannot secure everything, because of lack of time, resources, and money, a good scenario structure gives sufficient handles to determine priorities about what is, what is not, and what is less secure. In addition, in the professional security practice, many administrators, managers, operators, and security professionals tend to think almost directly in solutions. Without much thinking about the nature of the object to be protected, solutions are often sought in terms of placing cameras and fences and implementing access control. These kinds of security measures are very costly solutions in cities, in large industrial complexes such as production plants in the petrochemical industry, at airports, in harbors, and also around flood defense systems and flood barriers (the research object of this book). It is therefore wise to place the emphasis of security measures in the locations that are most probably at (security) risk.

https://doi.org/10.1515/9783110622577-011

11.3 Research into flood defenses

151

11.2 Relation safety and security risks Actually, when designing, constructing, and maintaining flood defenses, hydraulic engineers already (have to) take into account the associated risks. The Fundamentals of Flood Protection manual explicitly lists the risks that must be considered in failure calculations of flood defenses. The same applies to the design and construction of most technical installations like refineries and power plants. In the design phase, however, the focus is not on security, but on safety. Safety is associated with the vulnerabilities that are inherent to the design of a technical installation. This may involve, for example, not only design errors, but also vulnerabilities that have to do with the way people work and with the weaknesses of people. If people are tired, they do not pay attention to their environment, many times not even to the work at hand. This is extra dangerous when working with machines. Regarding security, if doors are left open, people who are not authorized can easily enter hazardous areas. Malicious people use such circumstances to come in, steal money and goods, or to damage or demolish things. A paradigm that is increasingly being accepted in the security world is that if you have properly covered the safety risks in a technical environment, this will probably apply to 70% of the security risks related to that technical environment. This statement relates to the aforementioned door to the hazardous area. If you keep the door tightly closed and supervise who comes in, no accidents can happen. And people with bad intentions cannot enter either. This paradigm has been our starting point in drawing up the flood defense vulnerability tables in this book, and the attack vulnerability tables of flood defenses based on them.

11.3 Research into flood defenses Several readers have asked: Why vulnerability tables of flood defenses and flood barriers? The simple answer is that this was the subject of the underlying research, based on a scientific question. It might as well have been about what is involved in designing safe inner cities. Then we would have recognized and written down many sorts of vulnerabilities. The first part of the Integrated Security Science series that the current book is part of is about security risk assessment in the chemical and process industry. That book also provides a lot of information about safety and security in those industries. However, we have regularly pointed out that the information in the current book is based solely on open sources and a few interviews. These interviews only concerned general information. Everyone can therefore retrieve the same information relatively easily. In this sense, this book is a warning for administrators, managers, operators, and security experts to be careful with information that is distributed via the internet, for example.

152

11 Conclusions

11.4 Historical research Technically oriented readers also asked why we have focused so much on history, both on the history of the hydraulic engineering works we discussed in this book, on the history of using flood defenses for defensive purposes, or as an object under attack in the Second World War. First of all, we have taken this historic approach because of the scientific dimension that we wanted to give to this book. Technical constructions and objects do not just suddenly appear. Often they have developed over a long period of time. It is often difficult to find out what the function of a certain design was, or why it was designed in the first place. The funny thing about flood defenses is that the shape and technical construction has not changed much over the course of many centuries. They have become (much) bigger, and nowadays there are ingenious technical applications such as the use of hydraulics and computer-managed controls, but in essence the function (flood defense) still determines to a large extent the form (that over the ages practically has remained the same).

11.5 Smarter design of flood defenses An important conclusion that we can draw from the history of the technical design of flood defenses is that modern materials make it possible to create increasingly smart designs, which also positively influences security. Consider, for example, the bellows weir at Ramspol in the Netherlands. The complexity of a bellows weir is greater than that of a simple soil body. However, the design is cleverly conceived because it is not visible during normal conditions. The weir is only inflated when really needed. The Thames Storm Flood Barrier gates are stored at the bottom of the river when not in use, which facilitates unimpeded shipping. The Thames Storm Flood Barrier is also equipped with multiple gates. The question then arises what the sense or effect would be of destroying one or more of those gates. Destruction of the entire flood barrier is, in our opinion, only relevant in the event of a war-like situation, but our study does not focus on that. Furthermore, the size of modern levee constructions is so big that it hardly makes sense to attack them with a terrorist objective. We have seen how it took a lot of effort at the end of the Second World War to destroy levees in Zeeland Province in the Netherlands. And if the levees breach, it will take a relatively long time for the effects to become noticeable. This gives defenders time to adapt to the newly created situation. These observations lead to the conclusion that attackers have to look for more refined options if they successfully want to attack flood defenses. This also follows from the comparison between the various attack-type tables that we developed.

11.8 Flood defenses for security protection

153

11.6 New designs, new vulnerabilities In addition, new technical developments in the design of flood defenses may lead to new vulnerabilities. Making sea and river levees higher is not possible everywhere, often because of housing or industrial development on or near the levees or flood defenses. A good example are the levees in and around the American city of New Orleans, which often consisted (and still consist) of nothing more than upright concrete slabs. In the Netherlands there is a similar situation, especially with many river levees, where residential and industrial areas adjacent to and on the levee make it impossible to broaden the levee. The levee base can then not be broadened, which is a problem for high levees with a trapezoid shape. This problem is solved by applying iron sheet piles. We have (fortunately) no examples where such reinforcements of embankments have been willfully damaged. The fact however that there is a situation of increased vulnerability seems clear to us, not least because in some cases pile sheet walls are very high. High sheet pile walls are vulnerable to explosive attacks (which we called somewhat euphemistically excessive force attacks in this book).

11.7 Feasible attack options Multiple flood defense attack-type tables show that a team attack with explosives, or a remote attack on the control systems via the internet, are the most likely (and effective) attack options. Our review of terrorism in the Netherlands and in Europe shows that a team attack on flood defenses is less likely, because there are much more attractive – and easier to reach and attack – targets, especially in the large, heavily populated cities of Europe (and North America). The data from Schweik and DHS show that attacks against dams and flood defenses in less developed and remote areas in Asia and Africa are more obvious. These are often the only technical constructions in a wide area. The negative impact on, for example, the electricity or water supply of an entire region, is also often enormous.

11.8 Flood defenses for security protection In our historical overviews, we saw that it was effective in the past to use water as a means of defense. Then it should not freeze of course, but nowadays there surely will be solutions for that. Today, water as a defense and protective device is again used in small-scale urban environments and on industrial sites, for example, in the context of crime prevention through environmental design (CPTED, de Lange, 2006). It is

154

11 Conclusions

worth noting that, at least in the Netherlands, many of the old technical provisions to flood polders are still present. These are as many vulnerabilities in the existing levee systems. For the sake of fairness, we must mention that it mostly concerns secondary levee systems, and not the levees along the coast and the major rivers. Moreover, the Fundamentals of Flood Protection manual points out that polders, being former lakes, do not have a flat surface. Some parts of a polder are therefore likely to flood earlier than others. This may offer time to take timely countermeasures like evacuating the people in the polder effectively.

11.9 Fundamentals of Flood Protection We have indicated in this book that there is a close relationship between safety and security. This is certainly the case in relation to flood defenses and flood barriers. In the Netherlands, the Fundamentals of Flood Protection manual is an important guideline for the design, construction, and maintenance of levees and other flood defenses. We have referred to the manual in several places in this book. The manual assumes the same risk approach for safety as we have chosen for security. The starting point for the manual is flood risks, which can be calculated in different ways. Subsequently, all sorts of other factors are added that determine the way in which flood defenses must be designed and which additional control measures are required. This approach can be illustrated in various ways, for example, by using a bowtie diagram. The risk is roughly expressed in the formula . This risk formula is actually the same in the case of both safety and security.

11.10 Flood safety risks versus security risks The safety risk in the Fundamentals of Flood Protection manual is precisely defined. The starting point is an acceptable risk of flooding, taking into account a certain chance of failure of the flood defense. Various failure mechanisms can occur. The failure probabilities must be recorded in a failure probability accounting. When the probability calculations change, the design of the flood defense must also be adjusted. For example, a levee may not be high enough, not strong enough, there can be piping (water seeps through the levee) or there may be a shift due to dehydration (this only applies to peat levees). All probability calculations together then lead to a failure probability of once every 10,000 years. How these risks are dealt with is described in detail in the manual, starting from a predetermined minimum limit of possible victims. Possible security risks are not taken into account in the manual because the chances for security risks cannot be calculated or are unknown. Also the possible defensive measures against such

11.12 Final observations

155

risks are unknown. In hydraulic engineering terms, one could say that the security risk does not contribute significantly to the chances of failure of a flood defense. But if the security risks turn out to be bigger than thought, then this conclusion has to be acted upon. In this book we give a guide on how to calculate the probability that there is a significant security threat. With security risks we actually add a new failure mechanism to the failure probability accounting: willful failure.

11.11 A matter of perception Regarding security risks, “Acts of God” (natural disasters) are accepted much more easily than “manmade hazards.” Political emotion plays an important role with terrorism. The safety risk for levees is viewed more objectively. In the communication toward the population about flooding, there is – at least in the Netherlands – a change in attitude. Government bodies show a greater tendency to inform citizens in advance about the flood risks they run. This is also evident, for example, from the flood risk map that we have included in the appendices. This map can be found in various publications and on the internet. What is special is that in Dutch politics attention seems to be shifting further and further toward climate issues, like elsewhere in Europe. Hundreds of billions of euros may be spent on CO2 reduction, with the hope of tackling climate change at the source. Attention to the further strengthening and preservation of levees however seems to be dwindling. This makes us fear the worst when it comes to making budget available in order to solve security issues.

11.12 Final observations The flood defense vulnerability – and attack-type tables show that for each flood defense or hydraulic structure a certain increased “deliberate” failure probability can be determined. However, this observation alone is not enough to be able to assess the security risks involved. We also have to look at how appealing the object is from the point of view of an attacker. There are enough historical data available for such an exercise. When we look at the different lists with terrorist attacks, we notice that terrorists in the (recent) past found certain targets more attractive than others. That is also logical. The hijacking of a truck and running down people, or attacking people with a knife, is much easier than destroying fairly robust flood defenses and water-retaining levees. However, that can change. No one saw “9/11” coming, at least, except for a few film scenario writers. In parts of the world large dams and freshwater reservoirs have been regularly attacked. The risks identified in this book can therefore not completely be ignored.

156

11 Conclusions

Based on the information in our flood defense vulnerability tables, attack-type tables, and the various security threat scenarios that we have described, one may conclude that there is a reduced terrorism-related risk regarding flood defenses in general, and (storm) flood barriers in particular. In the case of storm flood barriers, an attack is only effective during a storm surge. However, it is difficult to calculate at what moment a storm surge will occur exactly (high water figures can be found in an almanac). Therefore, from a scenario perspective, it is better to look at places where it is always high water, such as the Parksluizen at Delfland in the Netherlands, known from public sources (demolition would threaten the city of Rotterdam), the sea locks at IJmuiden at the mouth of the North Sea Canal to Amsterdam, and the famous levees of New Orleans (large parts of New Orleans under water as happened during the Katrina hurricane, 2005). These are flood defenses where there is a permanent situation of high water.

12 Recommendations Abstract: If one implements security measures in or around technical installations in general, or large water works in particular, this may have safety consequences. Consider, for example, stricter access requirements that make it difficult for people to enter a building. These security measures will also make it more difficult to get out of the building. This can be a hindrance in the event of a fire. We did not include this aspect in our investigation into security risks of flood defenses. It is an intriguing question, which is worth investigating further.

In this book we extensively discussed the effects of different types of attacks on flood defenses on the basis of attack vulnerability and attack-type tables. At first we concentrated on the components of various types of flood barriers and navigation locks. Later we also looked at the environment, and the critical paths to be followed in order to reach those vulnerable places. With this approach, we may have suggested that if one blocks access to the vulnerable parts of a flood defense, one also adequately covers the security risks. However, the question remains whether this assumption really holds true. This should be investigated further. The Dutch Maeslant Storm Surge Barrier has been implemented in such a way that the probability of failure is 1 in 100 (1%) per closing demand / opening demand which occurs on average once every 7 years. This mainly refers to the probability that the flood defense will not close or will not sufficiently close or open per demand. However, the levees behind the Maeslant Storm Surge Barrier have a failure probability of 1 in 10,000 per year (0.1%). Should we build a second, identical barrier behind the Maeslant Barrier, then this lowers the safety failure probability considerably (based on independence between the flood defenses). A security measure could then be to build a third Maeslant Barrier, in case one of the other two is disabled. This is of course an extreme example, but it illustrates how difficult it is to determine what – in the case of flood defenses and navigation locks – are cost-effective security solutions. More research should be done on this intriguing question. At harbors, the safety risks are not as high as in case of flood defenses and navigation locks. However, in the Second World War, the port of Antwerp was of strategic importance for the supply of troops and equipment. The same applies today to the supply of military equipment and troops in the port of Rotterdam. Here the security risks are considerably higher. In that context, there is an endless possibility of threat scenarios with different failure probabilities. The question is which scenario and risks one should accept. This is also a fascinating research question.

https://doi.org/10.1515/9783110622577-012

13 Epilogue A wonderful book on security of flood defenses Water infrastructures have been attractive targets for terrorists and history for over 2,500 years. After the 9/11 attacks, terrorist organizations, notably al-Qaeda, have shown strong interest in water defense structures and water supply facilities. ISIS had conquered the largest dam in Iraq, the Mosul Dam, early August 2014. Not much attention has been paid to the event. However, having control over the largest dam in Iraq can be considered equivalent to the possession of a weapon of mass destruction. A deliberate breach of the dam would have led to a flood wave of immense proportions. Mosul Dam is located at less than 50 km upstream of the city of Mosul, a city of 1.8 million people. The dam is over 100 m high and the length of the reservoir behind the dam is about 40 km long. In case of a breach, large parts of the city of Mosul would be flooded by 20 m of water within 2 h after the breach; 300 km further downstream, the capital of Baghdad could still be inundated with 5 m of water. Hundreds of thousands of people would lose their lives. Unfortunately, ISIS’ control over the Mosul Dam is not the only cause for concern. The dam was built in the 1980s on top of gypsum, which dissolves when it comes into contact with water. “In terms of internal erosion potential of the foundation, Mosul Dam is the most dangerous dam in the world,” the United States’ Army Corps of Engineers concluded in September 2006. If a small problem at Mosul Dam occurs, failure is likely. Apart from this safety threat, during the occupation by ISIS, Mosul Dam had become a severe security threat as well. One of the important topics of the underlying book by Jos de Lange (Delft University of Technology) is the combination of safety and security risks of flood defenses. Both deliberate attacks and security risks of flood defenses are not wellknown phenomena. Some people would call this “unknown unknowns.” However, in the Second World War physical attacks on flood defenses with explosives occurred regularly. Pilots from the Royal Air Force were called the Dam Busters. “Known unknowns” is therefore a better term. The study by Jos de Lange has investigated thoroughly and systematically for a large number of flood defense structures (levee, seawall, bosom quay, dune, lock, dam, and weir) and for a large number of modus operandi, the potential of (partial) disruption of a particular type of flood barrier. The book is the result of an LDE (the consortium of three Universities: Leiden, Delft, and Rotterdam, in the province of South Holland, the Netherlands) funded research project. The main goals targeted in the study were to model the destructive power of physical modus operandi and to determine gaps in flood security. Initially, the scope of the study was set rather generic. The study started as a comparative study of flood barriers in the Netherlands https://doi.org/10.1515/9783110622577-013

A wonderful book on security of flood defenses

159

(and in some cases abroad). Based on the results of individual flood barrier observations, a second analysis was then made in order to categorize types of barriers and to find out whether each type of barrier can be coupled to security risk data typical for that type of barrier. Jos de Lange followed an operational security-oriented research approach. He studied the vulnerability of flood defenses based on a military operational analysis and security practice. Since there is little scientific data available regarding physical threat to flood defenses, the results of this study depend for a large part on historical research and qualitative analysis (of the structure) of existing flood barriers. The study has produced a matrix combining (vulnerabilities of) flood barrier constructions and the implied security risks. For a security professional, such a matrix gives clear indications which security measures should be implemented, and in case of limited resources, in what order. In case of security threats, a normal order of defense layer implementation would be to establish defense perimeters, limit access to the most vulnerable parts of the object to be protected, and organize supervision and rapid response in case of imminent perimeter breaches. This book is now published as Volume 2 within the book series Integrated Security Science by De Gruyter and Jos de Lange has opened the door for many volumes to come with the conclusions and recommendations of this study. Researchers are challenged and kindly invited to contribute to the scientific debate on this important domain. Policy makers and regulators from ministries of water management, oversight committees, and intelligence and security services are also invited to join the debate. I would like to express my great appreciation to LDE for providing financial support to this project and to the team members involved. In particular to the author of this book, Jos de Lange LL.M, MGA, EMFC, who succeeded in delivering this high quality and comprehensive work on time. I also want to express my appreciation for the team members Tobias Melin MSc (Delft University of Technology), Dr.Ir. Bas Kolen (Delft University of Technology), Prof.Dr. Edwin Bakker (Leiden University), and Pieter Kuhlmann MSc (Leiden University). Delft, 24 December, 2018

Prof.Dr.Ir. Pieter van Gelder Director TU Delft Safety and Security Institute Delft University of Technology

Appendix Delta works Maeslant Storm Surge Barrier 1991–1997 Rotterdam

Brielle Haringvliet Dam 1957–1970

Hartel Storm Surge Barrier 1991–1997

Brouwers Dam 1957–1960

Philips Dam 1977–1997

Eastern Scheldt Storm Flood Barrier 1978–1986 Veersegat Dam 1958–1961

Volkerak Dam 1953–1969

Grevelingen Dam 1958–1965 Zealand Bridge 1963–1965

Zandkreek Dam 1957–1960 Oister Dam 1980–1986

Middelburg

Bergen op Zoom

Flushing

Breskens

Terneuzen

Antwerp

Fig. A.1: Main Delta Plan flood defenses and storm surge barriers.

https://doi.org/10.1515/9783110622577-014

Appendix

161

Dam Attacks 2001–2011 Tab. A.1: Overview of 25 attacks on dams between 2001 and 2011 (source: DHS, 2012). Dam Attacks - Facility

Country

Date

Attack type

Attacker type

Lhokseumawe Reservoir

Indonesia

 August, 

Explosive device

Separatist (Suspected)

Panauti Plant

Nepal

 November, 

Explosive device

Communist insurgent-Maoist (Suspected)

Kidapawan Reservoir

Philippines

 March, 

Stand-off weapons (Rockets)

Islamic insurgent (Suspected)

Kajaki Dam

Afghanistan

 May, 

Stand-off weapons (Rockets)

Islamic insurgent

Gomal Zam Dam

Pakistan

 September, 

Assault team

Islamic insurgent

Zelenchuck

Russia

 September, 

Assault team

Islamic separatist

Dumarao

Philippines

 December, 

Explosive device

Communist insurgent (Suspected)

Selaghat Dam Project

Nepal

 December, 

Explosive device

Communist insurgent-Maoist (Suspected)

Mirani Dam

Pakistan

 May, 

Explosive device

Unknown

Haditha Dam

Iraq

 August, 

Explosive device

Unknown

Haditha Dam

Iraq

 September, 

Stand-off weapons (Rockets)

Islamic insurgent

Kajaki Dam

Iraq

 September, 

Explosive device

Islamic insurgent

Hlaingbwe Dam

Burma

 May, 

Explosive device

Separatist (Suspected)

Hlaingbwe Dam

Burma

May  and  September, 

Stand-off weapons (Mortar)

Separatist (Suspected)

Waeng Station

Thailand

 August, 

Explosive device

Islamic separatist (Suspected)

Kajaki Dam

Afghanistan

 March, 

Explosive device

Islamic insurgent

Tipaimukh Dam

India

 April, 

Assault team, explosive device

Unknown

162

Appendix

Tab. A.1 (continued ) Dam Attacks - Facility

Country

Date

Attack type

Attacker type

Mosul Reservoir Dam

Iraq

 May, 

Explosive device

Unknown

Balimela Power Station

India

 December, 

Incendiary device

Communist insurgent-Maoist (Suspected)

Mytikyina Dam

Burma

 April, 

Explosive device

Ethnic separatist

Thawt Yin Kha Dam Burma

 April, 

Explosive device

Ethnic separatist

Black Rock Dam

United States

 July, 

Incendiary device

Unknown

Baksan Power Plant

Russia

 July, 

Assault team

Islamic separatist (Suspected)

Machlagho Dam

Afghanistan

 July, 

Assault team

Unknown

 July, 

Stand-off weapons (Rockets)

Ethnic separatist

Thawt Yin Kha Dam Burma

Appendix

163

Map of flood-prone areas in the Netherlands

Fig. A.2: Areas that lie below Amsterdam Ordnance Datum (NAP) and areas susceptible to flooding. Source: LIWO, Water Management Center for the Netherlands.

164

Appendix

Terrorist acts in the Netherlands Tab. A.2: Terrorist attacks in the Netherlands (Toussaint, van der Plicht, & Vrijssen, 2014). 

Hostage taking Indonesian residence

                                         

Red Youth Attack Attack Evolution building Eindhoven Hijacking KLM Jumbo  Hostage taking French ambassador Train hijack near Wijster Hostage taking Indonesian consulate Train hijack De Punt Hostage taking Bovensmilde Kidnapping Hanns-Martin Schleyer Attack on Dutch police officers Fire fight at the Calland lane Hostage taking Provincial Residence Attack Dutch border officials Attack at British ambassador Attack at son Turkish ambassador Attack by anti-militarists Attack at Van Heutsz monument Attack at John Deuss RaRa Attack at Makro wholesale mall Attack at mayor of Amsterdam Firebombing Centrum Party  attacks at Shell gas stations Firebombing at Van Leer Bomb attacks against Olympic Games Failed attack at Dam Palace Attacks Red Revolutionary Front Makro attacks by RaRa Makro attack by RaRa Fire bombings at Shell gas stations IRA attack at British soldiers Shell attack by RaRa ETA attacks at Spanish targets IRA attack at Australian tourists Two ETA attacks Bomb attack at Secretary of Justice Kosto RaRa attack at Ministry of Social Affairs Bomb attack at Banque Paribas Arnhem bomb attack at BASF Terror against mink breeding farm Firebombing pig slaughterhouse Dumeco Murder attack at Pim Fortuyn Murder attack at Theo van Gogh Suicide attack at Royal Family

Appendix

165

Terrorist acts in Europe, 1970 onwards Tab. A.3: Terrorist attacks in Europe (Wikipedia, 2018). -Feb- Switzerland

Swissair Flight  bombing

 killed

PFLP-GC

McGurk’s Bar bombing

 killed,  injured

Ulster Volunteer Force

-Jan- Czechoslovakia

JAT Flight  bombing

 killed

Ustaše (alleged)

-Sep- Germany

Munich massacre

 killed

Black September

Rome airport attacks

 killed,  injured

Black September

M coach bombing

 killed,  injured

Provisional IRA

-Dec- UK (Northern Ireland)

-Dec- Italy -Feb- UK (England) -May- Republic of Ireland

Dublin and Monaghan  killed, bombings  injured

Ulster Volunteer Force

-Aug- Italy

Italicus Express bombing

 killed,  injured

Ordine Nero

-Sep- Greece

TWA Flight  bombing

 killed

Abu Nidal Organization

-Sep- Spain

Cafetería Rolando bombing

 killed,  injured

ETA

-Nov- UK (England)

Birmingham pub bombings

 killed,  injured

Provisional IRA

Kingsmill massacre

 killed,  injured

Provisional IRA

La Mon restaurant bombing

 killed,  injured

Provisional IRA

-Jul- Spain

Hotel Corona de Aragón fire

+ killed

ETA (alleged)

-Aug- Italy

Bologna massacre

 killed, + injured

Nuclei Armati Rivoluzionari

Oktoberfest bombing

 killed (inc. Gundolf Köhler  perp.),  injured

Droppin Well bombing

 killed,  injured

Irish National Liberation Army

Train  bombing

 killed,  injured

Sicilian Mafia

-Jan- UK (Northern Ireland) -Feb- UK (Northern Ireland)

-Sep- Germany -Dec- UK (Northern Ireland) -Dec- Italy

166

Appendix

Tab. A.3 (continued )

-Apr- Spain

El Descanso bombing

 killed,  injured

Islamic Jihad

-Jun- Atlantic Ocean in Irish airspace

Air India Flight  bombing

 killed

Babbar Khalsa

-Nov- Malta

Egypt Air Flight  hijacking

 killed (inc.  perps.)

Abu Nidal Organization

-Dec- Italy

Rome and Vienna airport attacks

 killed (inc.  perps.),  injured

Abu Nidal Organization

-Jul- Spain

Plaza República Dominicana bombing

 killed,  injured

ETA

-Jun- Spain

Hipercor bombing

 killed,  injured

ETA

Remembrance Day bombing

 killed,  injured

Provisional IRA

Zaragoza Barracks bombing

 killed,  injured

ETA

City of Poros ship attack

 killed,  injured

Abu Nidal Organization

-Dec- UK (Scotland)

Lockerbie bombing

 killed

Abdelbaset al-Megrahi

-Oct- UK (Northern Ireland)

Shankill Road bombing

 killed (inc.  perp.),  injured

Provisional IRA

-Aug- UK (Northern Ireland)

Omagh bombing

 killed, + injured

Real IRA

Lake Radonjić massacre

– killed

Kosovo Liberation Army

-Jul- FR Yugoslavia

Staro Gracko massacre

 killed

Kosovo Liberation Army

-Feb- FR Yugoslavia

Podujevo bus bombing

 killed,  injured

Kosovo Albanian extremists

-Mar- Spain

Madrid train bombings

 killed,  injured

al-Qaeda

 London bombings

 killed,  injured

al-Qaeda

 Norway attacks

 killed,  injured

Anders Behring Breivik

-Nov- UK (Northern Ireland) -Dec- Spain -Jul- Greece

Sep- FR Yugoslavia

-Jul- UK (England) -Jul- Norway

Appendix

167

Tab. A.3 (continued )

-Jan- France

Île-de-France attacks

 killed (inc.  perps.),  injured

al-Qaeda in Arabia, Islamic State

-Nov- France

November  Paris attacks

 killed (inc.  perps.),  injured

Islamic State

-Mar- Belgium

Brussels suicide bombings

 killed (inc.  perps.),  injured

Islamic State

-Jul- France

Nice truck attack

 killed (inc. Islamic State  perp.),  injured

-Dec- Germany

Berlin Christmas market attack

 killed,  injured

-May- UK

Manchester Arena bombing

 killed (inc. Islamic State  perp.),  injured

 London Bridge attack

 killed (inc.  perps.),  injured

Islamic State

 Barcelona attacks

 killed (inc.  perps.),  injured

Islamic State (suspected)

-Jun- UK -Aug- Spain

Islamic State

List of Figures Fig. 2.1 Fig. 3.1 Fig. 3.2 Fig. 3.3 Fig. 3.4 Fig. 3.5 Fig. 4.1 Fig. 4.2 Fig. 4.3 Fig. 5.1 Fig. 5.2 Fig. 5.3 Fig. 5.4 Fig. 5.5 Fig. 5.6 Fig. 6.1 Fig. 6.2 Fig. 6.3 Fig. 6.4 Fig. 7.1

Fig. 8.1 Fig. 8.2

Dutch Delta Plan 9 Low tide, river water pushes trap door open 24 High tide pushes trap door closed 24 Sluice in the Rijswijkse Verlaat near Rotterdam built in 1774 (Jos de Lange, 2018) 25 Sluice and navigation lock in the Rijswijkse Verlaat, rear entrance (Jos de Lange, 2018) 26 Cross profile Afsluitdijk causeway (based on 1929 postcard “Fight against water”) 28 Hollandse IJssel Storm Surge Barrier (Jan van Galen, Collection Rijksdienst voor het Cultureel Erfgoed, object nr. 525.085) 36 Closing of the dam of Veere (Collection Rijksdienst voor het Cultureel Erfgoed, object nr. 404.802) 37 Haringvliet water locks (https://beeldbank.rws.nl, Rijkswaterstaat, 324.316) 37 Eastern Scheldt Storm Surge Barrier (Jos de Lange, 2015) 48 Maeslant Storm Surge Barrier (https://beeldbank.rws.nl, Rijkswaterstaat, 406.305 / Joop van Houdt, 2007) 49 Hartelkering (Quistnix, 2009) (Flickr, CC BY-SA 2.0) 50 Ramspol Bellows Weir (https://beeldbank.rws.nl, Rijkswaterstaat, 508.170 / Herman Scholten) 51 Hartel Storm Surge Barrier closed (Quistnix, 2009) (Wikimedia CC A-SA 3.0) 56 Ramspol Bellows Weir seen from route N50 (https://beeldbank.rws.nl, Rijkswaterstaat, 508.171 / Herman Scholten) 57 Muiderslot, 1891 (Collection Rijksdienst voor het Cultureel Erfgoed, object nr. 016.396) 62 Naarden fortress bastions (Collection Rijksdienst voor het Cultureel Erfgoed, object nr. 521.734) 62 Village of Bodegraven, 1749 (H. Spilman, Collection Rijksdienst voor het Cultureel Erfgoed object nr. G-152) 64 Stelling van Amsterdam, Ossenmarkt Weesp (N. de Jong, Collection Rijksdienst voor het Cultureel Erfgoed, object nr. 10785-8595) 65 Lancaster Bomber, blockbuster bomb attached (public domain, source: Wikimedia, https://commons.wikimedia.org/wiki/File:Up keep_in_Lancaster.jpg) 71 Hollandse IJssel Storm Surge Barrier (Frans Berkelaar, 2014) (Flickr, CC BY-SA 2.0) 89 Hartel Storm Surge Barrier (Quistnix, 2009) (Wikimedia, CC BY-SA 3.0) 90

https://doi.org/10.1515/9783110622577-015

List of Figures

Fig. 8.3 Fig. 8.4 Fig. 8.5 Fig. 8.6 Fig. 8.7 Fig. 8.8 Fig. 8.9

Fig. 9.1 Fig. 9.2 Fig. 9.3 Fig. 9.4 Fig. 9.5 Fig. 9.6 Fig. 9.7 Fig. 10.1 Fig. 10.2 Fig. 10.3 Fig. A.1 Fig. A.2

169

Kromme Nol Flood Barrier (Hullie – Eigen werk) (Wikimedia, CC BY-SA 3.0) 91 Princess Marijke sluice near Ravenswaaij (Jos de Lange, 2018) 92 Haringvliet Storm Surge Barrier, mounting arm construction (Jos de Lange, 2015) 95 Haringvliet Storm Surge Barrier, lifting arm (Jos de Lange, 2015) 95 Neder-Rijn weir at Driel (https://beeldbank.rws.nl, Rijkswaterstaat, 117.654) 96 Thames Storm Surge Barrier (Arpingstone, 2005, Public Domain, WikimediaCommons) 98 St. Petersburg Dam, aerial view of navigation pass S1 (Ssr, 2014) (thanks to N. Rubliva and A. Davydov for help and equipment) [Wikimedia, CC BY-SA 3.0] 102 Bowtie diagram with risk barriers 112 Risk models compared (after Talbot & Jakeman, 2009) 114 The contribution of human failures to the breakdown of complex systems (after Reason, 1990) 115 Bowtie and Reason models integrated 117 Storybuilder bowtie example 127 General intrusion prevention in process plants (source: Zhang and Reniers 2016) 129 Critical intrusion path in a process plant (source: Zhang and Reniers 2016) 129 April 2012, Serbian threatens to blow up Dutch levees (news, screenshot RTL.nl) 134 Prisoners Dilemma diagram by John von Neumann (adapted from Fisher 2008) 141 General intrusion prevention in process plants (Source: Zhang and Reniers 2016) 146 Main Delta Plan flood defenses and storm surge barriers 160 Areas that lie below Amsterdam Ordnance Datum (NAP) and areas susceptible to flooding. Source: LIWO, Center for Water Management Nederland 163

List of Tables Tab. 2.1 Tab. 3.1

Dams and levees attack vulnerabilities 13 Flood defense types, construction, structural weaknesses, and safety risks 30 Tab. 3.2 Levees, dams, and dewatering gates and navigation locks, security-related observations 32 Tab. 4.1 Delta Plan flood defenses, safety risks 41 Tab. 4.2 Levees and dams, security risks 42 Tab. 4.3 Delta Plan, security risks (1) 43 Tab. 4.4 Delta Plan, security risks (2) 44 Tab. 4.5 Delta Plan safety and security risks (1) 45 Tab. 5.1 Delta Plan, security risks (3) 54 Tab. 5.2 Delta Plan, security risks (4) 55 Tab. 5.3 Delta Plan, security risks (5) 56 Tab. 5.4 Delta Plan, security risks (6) 57 Tab. 5.5 Storm surge barriers, safety, and security risks 58 Tab. 7.1 Attack modes and attack types (Source: DHS, 2012) 72 Tab. 8.1 Vulnerabilities of pile sheet reinforcements, concrete levees, and flood walls 79 Tab. 8.2 Dams and levees attack vulnerabilities 81 Tab. 8.3 Vulnerabilities of water and navigation lock constructions 84 Tab. 8.4 Navigation lock constructions, adapted from (Dijk & van der Ziel, 2010) (pictograms) and (Mooyaart & Jonkman, 2017) (descriptions) 86 Tab. 8.5 Navigation locks attack types 87 Tab. 8.6 Vulnerabilities of guillotine-like flood barriers 93 Tab. 8.7 Guillotine-shaped flood barriers, attack types 93 Tab. 8.8 Vulnerabilities of visor-like flood barriers 100 Tab. 8.9 Visor-shaped flood barriers, attack types 100 Tab. 8.10 Vulnerabilities of flood barriers with sector gates 103 Tab. 8.11 Flood barriers with sector gates, attack types 104 Tab. 9.1 “Swiss Cheese” security scenario variables 116 Tab. 9.2 Navigation locks, attack types (identical to Table 8.5) 119 Tab. 9.3 Conversion from pluses to numbers 120 Tab. 9.4 Adding “effectiveness” column 121 Tab. 9.5 Adding the “operational ease” column and calculating overall attack-type effectiveness 123 Tab. 10.1 Attacks against institutions and (government and commercial) organizations 135 Tab. 10.2 Attacks against groups of people and individuals 136

https://doi.org/10.1515/9783110622577-016

List of Tables

Tab. 10.3 Attacks against officials and foreign civilians and representatives 137 Tab. 10.4 “Animal liberation front”-like attacks 137 Tab. 10.5 Motives behind terrorist attacks (Source: Interpol, Te-Sat 2016) 138 Tab. 10.6 Terrorist attacks in Europe, 2004 onwards (excerpt, en.wikipedia.org) 139 Tab. 10.7 Navigation Lock Attack Types (simplified) 143 Tab. 10.8 Guillotine Barrier Attack Types (simplified) 145 Tab. A.1 Overview of 25 attacks on dams between 2001 and 2011 (source: DHS, 2012) 161 Tab. A.2 Terrorist attacks in the Netherlands (Toussaint, van der Plicht, & Vrijssen, 2014) 164 Tab. A.3 Terrorist attacks in Europe (Wikipedia, 2018) 165

171

Bibliography (2013, Oct 15). Dagblad van het Noorden. Retrieved from http://www.dekrantvantoen.nl/vw/article. do?code=DVHN&date=20131015&id=DVHN-20131015-DO01010001 Al Qaeda plans cyber attacks on dams. (n.d.). The Telegraph. Retrieved 12 9, 2015, from http://www.telegraph.co.uk/news/worldnews/asia/afghanistan/1398683/Al-Qaeda-planscyber-attacks-on-dams.html ALD Group. (2018). fault-tree-analysis. Retrieved Dec 6, 2018, from www.fault-tree-analysissoftware.com: www.fault-tree-analysis-software.com/fault-tree-analysis?type=Aerospace Ale, B. (2009). Risk: an introduction, The concepts of risk, danger and chance. London: Routledge. Andersson Toussaint, P., van der Plicht, E., & Vrijssen, E. (2014). Terrorism in Nederland. Amsterdam: Elsevier. ANP. (28 sept 2008). Dijk opzettelijk doorgebroken. Volkskrant. Retrieved okt 27, 2016, from http://www.volkskrant.nl/binnenland/dijk-opzettelijk-doorgebroken~a892538 ANSI/API Standard 780. (2013). ANSI API 780 May 2013 Security Risk Assessment PetroChem. Washington: ANSI/API Standard 780. Arends, G. (2001). Sluizen en gemalen in het Noordzeekanaal. Utrecht: Matrijs. Bennett, B. T. (2007). Understanding, assessing, and responding to terrorism: protecting critical infrastructure and personnel (Vol. p.244). New Yersey: John Wiley & Sons. Retrieved Nov 21, 2018 Beukers, E. (2007). Hollanders en het Water deel II. Hilversum: Verloren. bomber command museum. (2018, 11). lancbomber.html. Retrieved 11 17, 2018, from www.bombercommandmuseum.ca: http://www.bombercommandmuseum.ca/lancbomber.html Braun, S. a. (2005, Dec 5). The Politics of Flood control. Levies Weakened as New Orleans Board, Federal Engineers Feuded. Los Angeles Times. Burns, A. C., & Bush, R. F. (2007). Basic Marketing Research: Using Microsoft Excel Data Analysis (2nd ed.). New Jersey: Pearson Education. Retrieved January 31, 2017 Canal Monuments List. (1994). Retrieved 1 26, 2016, from The International Canal Monuments List: http://www.icomos.org/studies/canals.pdf Canal-and-River-Trust. (n.d.). caen-hill-locks. Retrieved 6 22, 2018, from http://canalrivertrust.org.uk: https://canalrivertrust.org.uk/places-to-visit/caen-hill-locks Clark, D. The Irish relations: trials of an immigrant tradition. Vancouver: Fairleigh Dickinson Univ Press (January 1, 1982) Clarke, M. (n.d.). Bereguardo Canal. Retrieved 6 22, 2018, from www.britannica.com: https://www.britannica.com/topic/Bereguardo-Canal#ref960135 Colten, C. E. (2006). Conspiracy of the levees, the latest battle of new Orleans. New World watch Institute. Retrieved Feb 16, 2016, from http://www.slideshare.net/majesticshuttle73/ conspiracy-of-the-levees-the-latest-battle-of-new-orleans Crondstedt, M. (2002, Aug.). Prevention, Preparedness, Response, Recovery – an outdated concept? The Australian Journal of Emergency Management. Retrieved Nov. 15, 2016, from file: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.468.7635&rep=rep1&type=pdf Dake, K. (1992). Myths of nature: Culture and the social construction of risk. The Journal of Social Issues, 48 (4), 21. De Kraker, A. (2015). Flooding in river mouths: human caused or natural events? Five centuries of flooding events in the SW Netherlands, 1500–2000. Hydrology and Earth System Sciences, 19, 2637–2684. Retrieved Dec 23, 2018, from https://www.hydrol-earth-syst-sci.net/19/2673/ 2015/hess-19-2673-2015.html de Lange, J. (2006). CPTED, een integrale visie op veiligheid in de binnenstad. Leidschendam: Quist. https://doi.org/10.1515/9783110622577-017

Bibliography

173

de Ridder, T. (2001, May 30). De oudste deltawerken van West-Europa. Amsterdam: Nemo Kennislink. Retrieved Jul 30, 2018, from http://nemokennislink.nl: https://www.nemokennislink.nl/publicaties/de-oudste-deltawerken-van-west-europa/ Deltawerken, O. (n.d.). De-Zuiderzeevloed-(1916). Retrieved Jun 22, 2018, from www.deltawerken. com: http://www.deltawerken.com/De-Zuiderzeevloed-(1916)/223.html DHS, D. o. (2012). Worldwide Attacks on Dams, A Historical Threat Resource for Owners and Operators. Washington: DHS. Dijk, A., & van der Ziel, F. (2010). Multifunctionele beweegbare waterkeringen. Nijmegen: projectgroep afsluitbaar open rijnmond. Retrieved 11 13, 2018 Donaldson, E., Chilingarian, G., & Yen, T. (1995). Subsidence due to fluid withdrawal. Amsterdam: Elsevier. Drower, M. (1954). Water-supply, irrigation, and agriculture. In C. Singer, E. Holmyard, & A. Hall, A History of Technology. pp. 500–507. New York: Oxford University Press. Ecomare Ecyclopedia. (n.d.). Ecomare Ecyclopedia. Retrieved from Ecomare Ecyclopedia: http://www.ecomare.nl Engelfriet. (n.d.). sluizen. Retrieved 07 30, 2018, from www.engelfriet.net: http://www.engelfriet.net/Alie/Aad/sluizen.htm Environment Agency. (2018, 10 30). the-thames-barrier. Retrieved 11 25, 2018, from www.gov.uk: https://www.gov.uk/guidance/the-thames-barrier ENW. (2017, april). Fundamentals of Flood Protection. Ministry of Infrastructure and the environment and the Expertise Network for Flood Protection. Erbisti, P. C. (2014). Design of Hydraulic Gates (2nd Edition ed.). Leiden: CRC Press/Balkeema. Europol. (2016). European Union Terrorism Situation And Trend Report (Te-Sat) 2016. Europol. Retrieved Mar 6, 2017, from https://goo.gl/m3Sglo Europol. (2018). EUROPEAN UNION TERRORISM SITUATION AND TREND REPORT 2018. European Union Agency for Law Enforcement Cooperation 2018. doi:10.2813/00041 Fay, J. (2007). Encyclopedia of security management (Vol. p.500). Oxford: Butterworth-Heinemann. FEMA. (2013, Jul). Selecting Appropriate Mitigation Measures for Flood prone Structures. Retrieved Feb 16, 2016, from https://www.fema.gov/media-library-data/20130726-1608-20490-6445/ fema551_ch_05.pdf FEMA 453. (2006). Safe Rooms and Shelters, Protecting People Against Terrorist Attacks. Washington: FEMA. Retrieved Feb 24, 2017, from http://www2.iccsafe.org/states/FEMA/PDFs/ Safe%20Rooms%20and%20Shelters%20%20Protecting%20People%20Against%20Terrorist% 20Attacks.pdf Fisher, L. (2008). Rock, Paper, Scissors. New York: Basic Books (Perseus Books Group). Florida, S. o. (n.d.). science_book/mls_grade7_FL/281_286. Retrieved Jun 22, 2018, from www.classzone.com: https://www.classzone.com/science_book/mls_grade7_FL/281_286.pdf Free Articles from April 1916 Part 3. (1916, April). The new York Times. Retrieved Feb 24, 2016, from http://spiderbites.nytimes.com/free_1916/articles_1916_04_00002.html Geodelft. (Jan 2004). Onderzoek naar de oorzaak van de kadeverschuiving bij Wilnis. Geodelft, the Netherlands. Retrieved from https://www.deltares.nl/en/ Gleick, P. H. (2006). Water and terrorism. Water Policy 8, 481–503. Retrieved Feb 24, 2016, from http://www2.pacinst.org/reports/water_terrorism.pdf Gorski, T. T. (2001, Sep 12). Mental Health, Addiction, & Terrorism. Retrieved Mar 6, 2017, from http://www.tgorski.com/Terrorism/Terrorism.htm Hans. (2014). de-rivier-de-rotte-van-de-oorsprong. Retrieved 07 31, 2018, from http://natuurenlandschap.blogspot.com: https://natuurenlandschap.blogspot.com/2014/12/ de-rivier-de-rotte-van-de-oorsprong.html Harclerode, P. (2005). Wings of War: Airborne Warfare 1918–1945. London: Wiedenfield and Nicholson.

174

Bibliography

Harnden, T. (2002, 06 28). Al-Qa’eda plans cyber attacks on dams. Daily Telegraph. Hunter, P. (2012). The St Petersburg Flood Protection Barrier: design and construction. Wallingford UK. Retrieved Jan 16, 2016, from http://eprints.hrwallingford.co.uk/603/1/HRPP569_The_St_ Petersburg_Flood_Protection_Barrier_-_Design_and_Construction.pdf International Network for Storm Surge Barriers. (2018). krommenol.html. Retrieved 11 24, 2018, from www.i-storm.org: https://www.i-storm.org/nl/stormvloedkeringen/krommenol.html Jewish Virtual Library. (2018). statistics-on-incidents-of-terrorism-worldwide. Retrieved Dec 15, 2018, from www.jewishvirtuallibrary.org: https://www.jewishvirtuallibrary.org/statistics-onincidents-of-terrorism-worldwide Keller W., M. M. (2005). A historical overview of probabilistic risk assessment development and its use in the nuclear power industry. Reliability Engineering and System Safety 89, 271–285. Retrieved Jan 24, 2017, from http://ac.els-cdn.com/S0951832004002327/1-s2.0S0951832004002327-main.pdf?_tid=7852755a-e231-11e6-aa5f-00000aab0f01&acdnat= 1485261458_d331cd12ae551c95a913fbfd8925b4dd Kerssens, P. J., Oorschot, J., & Pot, B. (2018). Storm Surge Barrier in the Rotterdam Waterway. 6th Congress of the Asian and Pacific Regional Division of the IAHR. Kyoto, Japan: Delft Hydraulics Laboratory. kids.britannica.com. (n.d.). Retrieved 6 22, 2018, from Britannica Kids/Students: https://kids.britannica.com/students/article/levee-and-dike/274006 KNMI. (n.d.). decemberstorm-van-1703. Retrieved Jun 22, 2018, from www.knmi.nl: https://www.knmi.nl/kennis-en-datacentrum/uitleg/decemberstorm-van-1703 KNMI. (n.d.). stormvloed. Retrieved 6 22, 2018, from www.knmi.nl: https://www.knmi.nl/kennis-en-datacentrum/uitleg/stormvloed Melin, T. (2014). Intentional breaches of dikes using limited resources, Technical University of Delft. Delft: Delft UV of Technology. Min V&W. (2007). Leidraad Rivieren, parts 1, 2, 3 and 4. the Hague: Ministry of Transport, Public Works and Water Management. Molendatabase. (2015, Nov 20). molendatabase. Retrieved Jun 22, 2018, from http://molendatabase.nl: https://www.molendatabase.nl/nederland/molen.php?nummer=1122 Mooyaart, Jonkman, S., de Vries, P., van der Toorn, A., & van Ledden, M. (2014). STORM_SURGE_BARRIER_OVERVIEW_AND_DESIGN_CONSIDERATIONS. Coastal Engineering Proceedings. doi:DOI: 10.9753/icce.v34.structures.45 Mooyaart, L. F., & Jonkman, S. N. (2017, Feb). Overview and Design Considerations of Storm Surge Barriers. Journal of Waterway, Port, Coastal, and Ocean Engineering, 143(4). Retrieved Nov 11, 2018 NASA. (2002). Fault Tree Handbook with Aerospace Applications, Version 1.1. NASA. NEDECO consortium. (July 2002). Saint Petersburg Flood Protection Barrier, Environmental Impact Assessment Study, Executive Summary. Delft Hydraulics and the Finnish Environmental Institute. Retrieved Jan 26, 2016 Nogueira, H., & Walraven, M. (2018). Overview of storm surge barriers. the Hague: Rijkswaterstaat, Deltares. Retrieved Nov 12, 2018 oxforddictionaries.com. (n.d.). terrorism, definition. Retrieved Feb 2, 2017, from https://en.oxforddictionaries.com/definition/terrorism PBL, N. E. (2007). correction-wording-flood-risks. Retrieved 01 19, 2016, from www.pbl.nl: http://www.pbl.nl/en/dossiers/Climatechange/content/correction-wording-flood-risks Perelman, L. C., Barrett, E., & Paradis, J. (1996, 2001). Mayfield Handbook of Technical & Scientific Writing. New York: The McGraw-Hill Companies. Retrieved 4 6, 2018, from http://www.mhhe.com/mayfieldpub/tsw/abstract.htm Perrow, C. (1981). Normal accident at Three Mile Island. Society, 18 (5), pp 17–26.

Bibliography

175

Perrow, C. (1999 (1984)). Normal Accidents, Living with high-risk technologies. Chichester: Princeton University Press. PIANC-IAPH. (1997). Approach Channels – A Guide for Design. PIANC MarCom Working Group 30. Retrieved Dec 23, 2018, from https://www.porttechnology.org/technical_papers/harbour_ approach_channels_design_guidelines Reason, J. (1990, Apr. 12). The Contribution of Latent Human Failures to the Breakdown of Complex Systems. Philosophical Transactions of the Royal Society of London. Series B, Biological Sciences, 1990, 327, (1241), Human Factors in Hazardous Situations), pp. 475–484. Retrieved Nov. 23, 2016, from http://www.jstor.org/stable/55319 Reniers, G., Khakzad, N., van Gelder, P., & (Eds.). (2018). Security risk assessment in the chemical and process industry. Berlin/Boston: Walter de Gruyter GmbH. Rickard, C. (2009). Fluvial Design Guide, Chapter 9, Floodwalls and flood embankments. Retrieved from http://evidence.environment-agency.gov.uk/FCERM/Libraries/Fluvial_Documents/ Fluvial_Design_Guide_-_Chapter_9.sflb.ashx Rijkswaterstaat. (2007, nov). Hoe sterk is keileem. (Rijkswaterstaat). Rijkswaterstaat. (2013, Mar). De Hartelkering: Stormvloedkering in het Hartelkanaal. Factsheet over de Hartelkering. Rijkswaterstaat. Retrieved Nov 23, 2018, from https://www.rijkswaterstaat.nl/ water/waterbeheer/bescherming-tegen-het-water/waterkeringen/deltawerken/hartelkering.aspx Rijkswaterstaat. (2013, March). leaflet ZH0213VH2236. Rijkswaterstaat. Rijkswaterstaat. (2013, Mar). Maeslantkering, stormvloedkering in de Nieuwe Waterweg. (ZH0213VH2236). Rijkswaterstaat. Rijkswaterstaat (Ed.). (2014, Mar). Renovatie stuwensemble Nederrijn en Lek, Veilig en betrouwbaar de toekomst in. Ministry for Infrastructure and the Environment. Rijkswaterstaat. (2015, Aug). Stormvloedkering Ramspol. Factsheet Ramspol(wvl0815ll035), 2. Rijkswaterstaat. Retrieved Nov 13, 2018, from https://staticresources.rijkswaterstaat.nl/ binaries/Factsheet%20Ramspol_tcm21-65752.pdf Rijkswaterstaat. (2018). maeslantkering.aspx. Retrieved 11 26, 2018, from www.rijkswaterstaat.nl: https://www.rijkswaterstaat.nl/water/waterbeheer/bescherming-tegen-het-water/ waterkeringen/deltawerken/maeslantkering.aspx Rijkswaterstaat. (n.d.). Oosterscheldekering. Retrieved Nov 11, 2018, from www.rijkswaterstaat.nl: http://www.rijkswaterstaat.nl/water/waterbeheer/bescherming-tegen-het-water/ waterkeringen/deltawerken/oosterscheldekering/index.aspx RIVM. (n.d.). storybuilderdownload. Retrieved from www.rivm.nl: http://www.rivm.nl/storybuilder download/login.jsp Robertson, Campbell, & Schwartz, J. (2015, May 23). Decade After Katrina, Pointing Finger More Firmly at Army Corps. New York Times. Retrieved from http://www.nytimes.com/2015/05/24/ us/decade-after-katrina-pointing-finger-more-firmly-at-army-corps.html?_r=4 Sagan, S. D. (1993). The limits of safety, organizations, accidents and nuclear weapons. Princeton: Princeton University Press. Sandler, T., & Arce M., D. G. (2003). Terrorism & game theory. Simulation & Gaming, 34 (3), September 2003, pp. 319–337. Sage Publications. doi:10.1177/1046878103255492 Schilstra, J. (1969). Wie water deert. Hoogheemraadschap van de Uitwaterende Sluizen in Kennemerland en West-Friesland. Retrieved 6 22, 2018, from http://www.zaans-industrieelerfgoed.nl/index.html?pages_4/maritieme_gesch_poldersluizen.html&main_frame Smith, C. L., & Brooks, D. J. (2013). The Theory and Practice of Security. Oxford: Elsevier. Stevin, S. (1667). Wisconstich Filosofisch Bedrijf. In S. Stevin, Wisconstich Filosofisch Bedrijf (Vol. 12). Retrieved Jun 22, 2018, from http://books.google.nl: https://books.google.nl/books? id=rm0_AAAAcAAJ&pg=RA17-PA8&dq=Wisconstich+Filosofisch+Bedrijf,+volume+12&hl= nl&sa=X&ved=0ahUKEwjGle_Wk-fbAhXG16QKHeCxBvIQ6AEIKDAA#v=onepage&q&f=false

176

Bibliography

SUBNET. (2018). scada.aspx. Retrieved Nov 26, 2018, from www.subnet.com: http://www.subnet.com/resources/dictionary/scada.aspx Subnet Solutions Inc. (n.d.). scada.aspx. Retrieved 7 29, 2018, from www.subnet.com: http://www.subnet.com/resources/dictionary/scada.aspx Sweers, E. (2009, 10 25). de-hoekse-en-kabeljauwse-twisten. Retrieved 6 22, 2018, from http://www.historien.nl; http://www.historien.nl/de-hoekse-en-kabeljauwse-twisten/ Talbot, J., & Jakeman, M. (2009). Security Risk Management, Body of Knowledge. Hoboken, New Jersey: Wiley & Sons. Tappin, R., Dowling, P., & Clark, P. (1984). Design and model testing of the Thames Barrier gates. Structural Engineer, 62(4):115–124. April 1984. ter Borg, M. B. (2001, Feb 24). De macht van het water. Trouw, p. 3. Retrieved Jul 30, 2018 TheReligionofPeace.com. (2018). europe-attacks.aspx. Retrieved Dec 15, 2018, from thereligionofpeace. https://www.thereligionofpeace.com/attacks/europe-attacks.aspx Toussaint, P. A., van der Plicht, E., & Vrijssen, E. (2014). Terrorism in Nederland. Amsterdam: Elsevier (Relx). U.S. Nuclear Regulatory Commission. (1975, October). Retrieved 7 29, 2018, from http://journeesdetudes.org/atomescrochus/recherche/rapport-rasmussen.pdf Univ. of Maryland. (2018). gtd. Retrieved Dec 15, 2018, from www.start.umd.edu: https://www.start.umd.edu/gtd/ Van Damme, L. (2009). De drie deuren, De verbouwing van de sluis aan het Minnewater in Brugge (1519–1522). Biekorf, 109. Retrieved 6 22, 2018, from digitale bibliotheek voor de Nederlandse letteren. http://www.dbnl.org/tekst/_bie001200901_01/_bie001200901_01_0039.php#293 Veilleux, J., & Dinar, S. (2018, May 8). global-analysis-finds-water-related-terrorism-rise. Retrieved Jul 30, 2018, from www.newsecuritybeat.org https://www.newsecuritybeat.org/2018/05/ global-analysis-finds-water-related-terrorism-rise/ Verstegen, W. (2001, Mar 10). de-strijd-tegen-het-water-als-politieke-mythe. Retrieved Jul 30, 2018, from www.trouw.nl: https://www.trouw.nl/home/de-strijd-tegen-het-water-als-politiekemythe~a9db0222/ Vonk, O. (2001). Building dams 2000 year ago. De oudste deltawerken van West-Europa. Natuurwetenschap & Techniek. Retrieved 12 16, 2015, from https://www.nemokennislink.nl/ publicaties/de-oudste-deltawerken-van-west-europa/ Voorendt, M. (n.d.). Hartelkering 10.. Retrieved from https://commons.wikimedia.org/wiki/File:Har telkering_10.JPG#/media/File:Hartelkering_10.JPG Waterstaat, M. v. (n.d.). normaal-amsterdams-peil. Retrieved 6 22, 2018, from https://www.rijkswaterstaat.nl/zakelijk/open-data/normaal-amsterdams-peil/index.aspx Weimann, G. (2004). Cyberterrorism, How Real Is the Threat. Washington: United States Institute of Peace. Retrieved Dec. 9, 2015, from Institute for Peace: http://www.usip.org/sites/default/ files/resources/sr119.pdf Welland Tribune. (2010). canal has been terrorist target. Welland Tribune. Retrieved from https://www.wellandtribune.ca/news-story/3305383-canal-has-been-terrorist-targetbrock-prof/ Whitaker, B. (2001, May 7). The definition of terrorism. The Guardian. Retrieved Feb 24, 2017, from https://www.theguardian.com/world/2001/may/07/terrorism Wikimedia. (2016, Mar 28). Prinses_Marijkesluizen. Retrieved Nov 24, 2018, from http://nl.wikipedia.org: https://nl.wikipedia.org/wiki/Prinses_Marijkesluizen Wikipedia. (2017). Weir, definition. Wikipedia. Retrieved Nov 15, 2018, from https://en.wikipedia.org/wiki/Weir Wikipedia. (2018, Nov 24). Murphy’s_law. Retrieved Dec 1, 2018, from http://en.wikipedia.org: https://en.wikipedia.org/wiki/Murphy’s_law

Bibliography

177

Wikipedia. (n.d.). cascading_failure. Retrieved Nov 30, 2018, from http://en.wikipedia.org: https://en.wikipedia.org/wiki/Cascading_failure Wikipedia. (n.d.). Likert_scale#cite_note-4. Retrieved Jan 31, 2017, from http://en.wikipedia.org: https://en.wikipedia.org/wiki/Likert_scale#cite_note-4 (last visited) Wikipedia. (n.d.). list_of_terrorist_incidents. Retrieved Dec 15, 2018, from https://en.wikipedia.org/wiki/List_of_terrorist_incidents Wkipedia. (2018, 07 31). Terrorism_in_Europe#cite_note-Europol_statistics-8. Retrieved from Wkipedia: https://en.wikipedia.org/wiki/Terrorism_in_Europe#cite_note-Europol_statistics-8 worldwater.org. (2018). conflict/list/. Retrieved Nov 17, 2018, from www2.worldwater.org http://www2.worldwater.org/conflict/list/ Zhang, & Reniers. (2016). A Game-Theoretical Model to Improve Process Plant Protection from Terrorist Attacks. Risk analysis: an official publication of the Society for Risk Analysis. 2016; 36(12): 2285–2297 Zhang, L. (2018). Applying Game Theory for Adversarial Risk Analysis in Chemical Plans. Delft: Laobing Zhang. Zuiderzeewerken. (1929). Strijd tegen het water. Enkhuizen: Stichting Rijksmuseum het Zuiderzeemuseum.

Source account Pictures from Beeldbank Rijksdienst voor het Cultureel Erfgoed, the Netherlands, may be used on the bases of the Creative Commons Attribution-Share-Alike 4.0 Generic licence. Photos may be copied, distributed, and shared provided that the source is listed, and that there is a correct attribution of the author’s name (see also below). Publication rights from the Beeldbank Rijkswaterstaat have been verified on Dec 18, 2018 with Helpdesk Beeldarchief Rijkswaterstaat, XI-Digital (Jaap Boelens), Tel.: 06 - 20 97 40 22. Email: [email protected]. Photos that are already digitalized and available in sufficient resolution for download, may be used freely, under the condition of mentioning RWS Beeldbank. If available, we also mention the name of the author and the reference number. https://beeldbank.rws.nl The Creative Commons Attribution-Share-Alike 2.0 to 4.0 Generic licences (CC BY-SA 4.0) state that users are free to share (copy and redistribute the material in any medium or format) for any purpose, even commercially. Such under the terms that appropriate credit is given, a link is given to the license, and changes must be indicated. No changes are made in any picture. The requested link is the following: https://creativecommons.org/licenses/by-sa/4.0/ Fig. 7.1 Lancaster Bomber, was created by the United Kingdom Government and is in the public domain because it was taken prior to 1 June, 1957. HMSO has declared that the expiry of Crown Copyrights applies worldwide. Fig. A.1–A.2 Flood depth in the Netherlands, is copied from LIWO, Water Management Centre for the Netherlands (WMCN). Provided that the source is mentioned, parts of the content of the website may be copied. The Water Management Centre for the Netherlands is a division of Rijkswaterstaat, Department of Infrastructure and Water Management, the Netherlands. For information see the following link: https://basisinformatie-overstromingen.nl/liwo/#/about

https://doi.org/10.1515/9783110622577-018

Index Afsluitdijk causeway 65 Albrecht Dürer 61 Al-Qaeda 106 Amsterdam Ordnance Datum 89 Antwerp 48 attack type table 79 Barrier Operating System 49 Bleiswijkse Verlaat 23 bowtie 112 Braakman estuary 35 cascading security risks 112 closure mechanisms 76 concrete levee or flood walls 77 consequences 112 Cornelis Lely 27 Crime Prevention Through Environmental Design 66 cyber-attack scenario 122 Dam Buster attacks 70 dam of Veere 36 Damme pound lock 25 Deductive modelling 126 Delta Committee 34 Department of Homeland Security 69 dewatering gates 82 dwelling mounds 21

Haringvliet dam 36 Haringvliet Storm Flood Barrier 94 Haringvliet Storm Surge Barrier 52 Hartel Storm Surge Barrier 49, 52, 55 Hartel Storm Surge Barrier 89 Hollandse IJssel Storm Surge Barrier 35, 39, 43 Hollandse IJssel Storm Surge Barrier 89 hydraulic load 75 hydraulic structures 75, 82 IJmuiden navigation locks 82 inductive modelling 126 information gathering 112 inundated area 63 Kornwernderzand 65 Kromme Nol weir 90 levees 22, 75 Likert-type scale 118 Lorentz locks 27 loss of stability 82 Maeslant Storm Surge Barrier 48, 52, 101 malicious intent 30, 111 man induced flaws 44 monks 22 Murphy’s Law 114

ease of access 103 Eastern Scheldt Storm Surge Barrier 47, 52, 54 Eben-Emael fort 66 Eighty Years War 62 European Union Terrorism Situation And Trend Report 137

Nash equilibrium 141 Navigation lock attack type table 84 navigation locks 82, 85 Neder-Rijn visor weirs 96 New Waterway 48 normal accident 110 North Sea flood of 1953 34

failure mechanisms 31, 82 Failure to close 82 Fault tree analysis 113

Old Rhine river 21 overtopping 40 Owens Valley 68

Game Theory 140 Guillotine shaped flood barriers 89

Pacific Institute 69 pile worm 29 Pim Fortuyn 136 point door lock 85 pound lock 24

Hagestein weir 97 harbor entrances 32 https://doi.org/10.1515/9783110622577-019

180

Index

PPRR risk management 114 premeditation 111 primary flood defences 74 Princess Marijke sluices 91 Ramspol bellows weir 51 Ramspol Storm Surge Barrier 57 rational behaviour 147 regional defences 75 Risk 109 rolling gate 85 Roosevelt Dam 106 Rotte hamlet 23 Safety risk 31 Saint Elizabeth Day flood 25 SCADA 104 Second World War 64 security 40 Security assessment 42 security risk 31 segment gate 94 sheet piles 77 Simon Stevin 62 Spring tide 27 Stevin locks 27

St-Petersburg Dam 101 structural weaknesses 44 subsidence 76 supervision 85 Supervisory Control and Data Acquisition 104 swing door lock 85 Swiss Cheese model 114 terrorist attacks in Europe 137 terrorist attacks in the Netherlands 135 Thames Flood Barrier 97 Theo van Gogh 136 TheReligionOfPeace.com 138 threat scenario comparison 142 Three Islands Plan 35 Tragedy of the Commons 140 trap door 23 vertical lift gates 89 visor shaped gates 96 Walcheren 69 water defence line 64 watering sluice 22 Welland Canal 68 windmills 23

Also of interest Security Risk Assessment In the Chemical and Process Industry Reniers, Khakzad, Van Gelder,  ISBN ----, e-ISBN ----

Risk Management and Education. An Introduction Meyer, Reniers, Cozzani,  ISBN ----, e-ISBN ----

Engineering Risk Management. Meyer, Reniers,  ISBN ----, e-ISBN ----

Research Laboratory Safety. Kuespert,  ISBN ----, e-ISBN ----