An Integrated Approach for Physical and Cyber Security Risk Assessment: The U.S. Army Corps of Engineers Common Risk Model for Dams

July, 2016
IDA document: P-8092
FFRDC: Systems and Analyses Center
Type: Documents
Division: Strategy, Forces and Resources Division
Yazmin Seda-Sanabria, James D. Morgeson, Jason A. Dechant
The Common Risk Model for Dams (CRM-D), developed by the U.S. Army Corps of Engineers (USACE) in collaboration with the Institute for Defense Analyses (IDA) and the U.S. Department of Homeland Security (DHS), is a consistent, mathematically rigorous, and easy-to-implement method for security risk assessment of dams, navigation locks, hydropower projects, and appurtenant structures. The methodology provides a systematic approach for independently evaluating physical and cyber security risks across a portfolio of dams and for informing decisions on how to mitigate those risks. The CRM-D can effectively quantify the benefits of implementing a particular risk-mitigation strategy and, consequently, enable return-on-investment analyses for multiple physical and cyber security risk-mitigation alternatives and facilitate their implementation across a portfolio of dams.

A cyber security risk model to facilitate high-level risk assessments of industrial control systems used to control dam critical functions is also being implemented.