On Christmas Day 2020, a loner with ties to the security industry detonated a bomb outside the AT&T facility in downtown Nashville, Tenn. The attack seems to have targeted telecommunication, in particular the AT&T 5G network. The blast led to disruptions to wireless communications, internet and video across Tennessee, Kentucky, and Alabama. Local emergency 911 services were shut down, and the Nashville International Airport cancelled all incoming and outgoing flights. Although backup generators and other redundancies were in place, the blast prevented those systems from functioning properly and resulted in an immediate and widespread outage.
The event likely brought blast risk back to top of mind for many facility managers, who might wonder what should be done to mitigate a similar event at their facility. The first step in mitigating the effects of a blast is to conduct a risk assessment. This process typically involves the following:
Operational Analysis – Study of critical systems, processes, data and personnel
Asset Criticality Analysis – Identification and quantification of assets based on how critical they are to providing the service or products and the results of a loss or disruption of the assets. One method of determining asset criticality is calculating revenue lost if the asset was lost or destroyed.
Threat Analysis – Study of threats to include probability of incident, consequences, vulnerability and velocity. The probability of a deliberate attack using explosives is typically very low, but the consequences, vulnerability and velocity can all be very high. Explosions can result in widespread damage and significant loss of life, and they are difficult and expensive to mitigate. They can also happen with no notice, making this type of attack very difficult to prevent. Therefore, it is important to consider blast incidents and how they could impact your operations and assets.
Vulnerability Assessment – Determine how susceptible your personnel, operations and assets are to a blast incident. Elements to consider include standoff distance, access to critical facilities and assets, barriers, blast hardening measures, emergency response protocol and business continuity plans.
Calculate Risk – Risk is a factor of all of the elements above. The table is an example of how the risk method could notionally be applied to the Nashville bombing attack.
As you can see from the notational application of this methodology, the risk was moderate prior to the attack. It is easy to see that the high consequence and high velocity are offset by the low probability and moderate vulnerability. The vulnerability is moderate because backup systems were in place and there was a contingency plan in place to restore services using mobile equipment.
In the case of the Nashville bombing, the standoff distance between where the explosive device was detonated and the building was minimal. When planning for blast events, standoff is a vital component for consideration. In most cases, a matter of inches of additional standoff can often result in significant mitigation from blast incidents.
From photos available online of the aftermath of the Nashville bombing, one can also assume that the building and windows had minimal hardening to protect against a blast. It would make sense that these protective measures were not in place, given the moderate risk to the building and the cost to harden the facility.
Blast mitigation for high-risk facilities
Achieving additional standoff and building hardening can be expensive and oftentimes unachievable. For a moderate risk target, like the AT&T facility in Nashville, it might not be prudent from a financial or practicality perspective to implement expensive blast mitigation countermeasures. However, for some high-risk assets, the reduction of vulnerability is essential and can prevent significant loss of life and protect facilities that, if damaged, could have national or global implications.
For high-risk facilities, an engineering blast analysis can be conducted. This type of analysis can be conducted on existing or planned facilities and is typically performed by a structural engineer with experience in blast modeling. Blast analysis is conducted based on factors such as size of the explosive device — package, small vehicle, large vehicle, etc. — standoff distance from the device to the facility, and structural components of the building.
Mitigation strategies for blast can include physical measures, crowd management processes, operational procedures, and technological implementations. For example, large vehicles can be screened for explosives prior to being allowed close access to a critical facility. Fencing, barriers, bollards, access control systems, video surveillance countermeasures, planned deliveries, bomb detection technologies and, of course, trained and vigilant security personnel can also be deployed.
When the standoff distance and explosive size is known, engineers can harden the facility with proper design of construction materials including those for walls, windows, roofs, and interior elements. Window integrity can be enhanced with the use of protective film that can be anchored to the window frame. The objective of the hardening is typically to prevent progressive building collapse and to limit the distance glass shards can travel within the facility as a result of a blast.
Emergency response and business continuity planning
Having practical and realistic emergency response and business continuity plans specifically addressing blast incidents — intentional or accidental — is prudent and cost effective. Emergency response plans should include building evacuation plans, coordination with outside emergency response agencies and emergency communications. Business continuity plans should address how critical assets, systems and processes will continue should a blast incident occur. Seconds and minutes count in emergency response and business continuity, therefore having updated and well-rehearsed plans is critical to saving lives and continuing critical operations.
The recent attack on the AT&T building in Nashville highlights the key elements of risk and demonstrates that, although unlikely, blast attacks can occur. Fortunately, no innocent people were killed during this incident, and the duration of communication outages were mitigated by the effective emergency and business continuity plans that were in place.
Dan O'Neill (doneill@adrm-llc.com) is the founder and CEO of Advanced Data Risk Management, a risk management and security engineering company.
