A central theme of this book is the critical role that assessments of vulnerability and risk play in justifying both private and public investments to mitigate them. The challenge of setting priorities, whether in the corporate board room or in government, comes down to the capability of estimating vulnerabilities of critical services and the risks that these vulnerabilities might be exploited to generate consequences. Assessment methods for threat, vulnerability, consequence, and overall risk thus must have a very high priority in a national strategy for critical infrastructure protection. As noted in the previous chapter, as early as 1998 the Department of Energy began investing the talents of its national laboratories in the development and fielding of such methods. This chapter explores some of the progress that has been made in the quest for useful assessment methods through the eyes of one such laboratory.

Presidential Decision Directive (PDD) 63, discussed in the previous chapter, identified the Department of Energy (DOE) as the lead agency for security in the electric power and oil and gas production and storage sectors. In response to the directive, the DOE Office of Energy Assurance established a vulnerability assessment program in 1998. This program was staffed by technical experts from DOE's National Laboratory complex and tasked with following up on the work the laboratories had done over the previous two years in support of the President's Commission on Critical Infrastructure Protection and PDD 63, with field assessments in the assigned sectors.