The 9/11 attacks were a tragic example of what defense and terrorism experts call “asymmetrical methodologies,” using plane as bombs. In decades past, especially overseas and in the Middle East, terrorists either hijacked a plane or detonated a bomb. The 9/11 events combined those two in a devastating way. Are we creating defensive plans for today’s terrorist by thinking in these same asymmetrical terms?
In these uncertain times, security professionals must think like their attackers by combining different terrorism-driven methodologies:
How would terrorists attack our electrical grids—which would create panic—and disable a wide variety of necessary operations for grocery stores, banks and automatic teller machines (ATMs), gas stations, and other quality-of-life locations that the public relies on daily?
How would terrorists attack our water and wastewater treatment systems, possibly by attempting to use cyberhacks to knock out or take control of the water treatment facility’s Supervisory Control and Data Acquisition (SCADA) software system, which is one of the most common command and control technologies used in these types of water utilities?
How could terrorists use staged photographs or videos posted on social media or leaked to the press that show them putting poisons in the water supply tanks or reservoirs? Water treatment professionals know that this is actually difficult to do, because it would take literally tons of powder or gallons of liquid poison to affect the water quality in a detrimental way. But the public doesn’t know that, and the resulting fears could create a panic and lead to shortages in bottled water at the least and unnecessary mass evacuations at the worst.
How would they create massive traffic jams by staging accidents, using semi trucks or large cargo trucks in key areas in major cities? Everyone who has lived in any large city for even just a few months learns quite quickly where the most vulnerable traffic chokepoints are that could paralyze a city—and its first responders—if several vehicles blocked the travel lanes.
How would terrorists use hijacked or stolen semi trucks, cargo vans, and delivery trucks to stage vehicle-borne mass attacks at large public gatherings, like we’ve seen in Nice, Germany, and London? These resulting crashes not only can kill and injure many people, but the lasting chaos they create makes it difficult for the law enforcement, fire, and ambulance personnel to provide support and treatment.
All of these Doomsday-triggering scenarios—which may have seemed highly unlikely just before the events of 9/11—can (and should) cause sleepless nights for security professionals. But they should also encourage a proactive response from security people to look at the people, facilities, and assets they protect from the eyes of a terrorist. Starting at the parking lot of security professionals’ buildings, what methods would terrorists use to cause the most damage or the biggest loss of life? How would a terrorist disrupt the business in a catastrophic way? How could a lone-wolf attacker or an organized cell of attackers cause the most damage to the IT systems, electrical power sources, or water and gas utilities? How could terrorists use our own on-site hazardous materials to injure or kill people? Where would an explosive device or a vehicle-borne bomb be placed to do the most damage or injure and kill the most people? How could terrorists attack the company using cyberterrorism? Where are we the most vulnerable in our access control systems? And do we have the necessary crisis management response training and an Emergency Operations Center in place to continue operations, even in the face of a terror attack?