



The US Army’s Homeland Infrastructure Security Threats Office (HISTO) was tasked with developing a vulnerability assessment tool that could be applied across all critical infrastructures, allowing infrastructure owners to better understand the risk presented by the current terrorist threat.  CARVER was originally developed as a targeting tool used by US Special Operations Forces to quickly and thoroughly analyze enemy critical infrastructure to identify a critical node against which a small, well-trained force can launch an attack to disable or destroy that infrastructure.


With this in mind, we selected the CARVER targeting tool and reverse engineered it as a vulnerability assessment tool. This tool, known as the CARVER+Shock Vulnerability Assessment Tool, was developed by HISTO leadership and was almost immediately put to use in protecting America's Critical Infrastructure. Over the past fifteen years this methodology has been used to uncover previously unidentified weaknesses in multiple agriculture commodities, food, power, energy, and transportation infrastructures. Listed below are organizations that have successfully used the tool under our supervision.

  •  The White House Homeland Security Council, Bio Security Team

  •  The US Department of Agriculture

  •  US Department of Health and Human Services

  •  Food and Drug Administration Center for Food Safety and Applied Nutrition (CFSAN)

  •  Government of Mexico Food and Agriculture Officials

  •  Privately owned Nuclear Power Plants

  •  National Pork Producers Council

  •  Various Port and Airlift facilities



  •  Private Oil Companies within the Niger Delta Region of Nigeria



That said, let’s see how the tool works.







Using The CARVER+Shock Vulnerability Assessment Tool


We use the tenets of the great Chinese general, Sun Tzu, to manage risk.  The three main tenets of the general are listed below:



  • Know Yourself:  To Know Yourself, we must understand the entire project and all of its subsystems, complexes, and individual components, henceforth called the Target System (See Targeting System Characterization). These components are the sources of consequence in our model. They are the tangible items that comprise your system and are broken down into service providers, infrastructure and equipment, consumables, and cyber.

  • Know Your Enemy: To Know Our Enemy, we must understand the level of motivation and capability of those who pose a threat to the Target System, to include their reasons for threatening the system; their desired outcomes or objectives; and their levels of training, equipment, financing, and recruiting.

  • Know Your Environment: What we currently have on hand to protect these components determines our level of vulnerability. Knowing Our Environment requires us to understand the effects of the geography, climate, politics, economics, and religion of those areas and how they influence the Target System.




Target System:  A target system is all the targets situated in a particular geographic area that are functionally related. It also can be a group of targets so related that their destruction or degradation will produce a particular effect desired by the attacker. It may be international in scope (e.g., international banking) and may include modifying behavior or influencing and altering attitudes vice destruction. Examples of target systems include: 

  • Food Production

  • Air transportation systems

  • Port facilities

  • Highways

  • Railways

  • Waterways and Bridges

  • Communications networks

  • Bulk electric power systems

  • Bulk water systems

  • Public attitudes

  • Bulk petroleum, oil, and lubricants (POL) supplies

  • Political infrastructure

  • Economic infrastructure

  • Social welfare infrastructure

  • Health services infrastructure



Target Subsystem: A target subsystem is a major element of a target system. For example, generation, transmission, and distribution are subsystems of a bulk electric power system.


Target Complex: A target complex is a concentrated, integrated series of targets.  A target complex may be a subset of a target subsystem. It consists of geographically related facilities and activities that are close to each other in physical or cyberspace. Within a target complex, individual target components will be identified. Ports, airfields, and electric generating plants are examples of target complexes. 


Target Component: Target components are parts of the target that are necessary to the operation of the target as a whole. Target components are broken down into four separate types:

  • Service Providers.  This is any living thing that is a part of your system.  It might be a computer operator, a driver, or supervisor.  It may also be a service dog or livestock used as a foodstuff.

  • Infrastructure and Equipment.  This is any piece of equipment necessary for the system to operate that is not consumed in the process.  Examples include buildings, storage facilities, processing equipment, vehicles, and transformers.

  • Consumables.  These include any tangible substance that is consumed in your system's operating process.  Examples include fuel, fresh/potable water, breathable air, chemicals, electricity, and food and food ingredients.

  • Intellectual Property.  We have expanded cyber to include communications equipment and networks.  In short, include anything that transmits information: the Internet, workstations, database software and records, e-mail, radios, repeaters, and telephones. Intellectual property such as computer files and a corporate reputation is listed here. Perhaps the most important piece of intellectual property is the organization's reputation.

Developing CARVER+Shock Definitions


Most groups that use the tool use the same set of definitions.  This is not an effective use of the tool, nor will it give you the results you seek.  As we stated in previous sections, you have to establish bookends for your definitions.  The standing criticality definition states a death toll of 10,000 people.  If your system cannot make that level of impact, then you need to adjust the 9-10 definition for whatever that top level is. Another example is recognizability: if your entire system is within a guarded building, then you need to drastically adjust the scale or you end up giving every component a score between 1-4.  Remember, the goal is to determine risk to each component in relation to the other components within your system, not an absolute set of standards.




















Once you have listed all of your systems, sub-systems, complexes and components, you need to develop definitions for each factor in the CARVER+Shock acronym.  There are some things you must consider when developing definitions and assigning values.  Here are the ones I have encountered most.


  • Many team members will have some issues with accepting mortality.  Most businesses are driven to a zero tolerance for accidents let alone deaths.  You need to be considerate and talk these folks through this decision.  The bottom line is that any company will react differently to the loss of one employee as opposed to the loss of 75 employees.  I do not care what the CEO says, the reaction is noticeably different.

  • The values you assign should all be used in the assessment.  This means there should be some 1's and there should be some 10's in each category.  If not, your definitions are not sensitive enough and you may be masking some vulnerability.  Do not be afraid to go back and change some of your definitions if this is the case.

  • If you have a certain category that is receiving the same score in all components, you will soon render that factor irrelevant.  The definitions are not sensitive enough and should be reevaluated.

  • Be cautious of a team member setting values too low or too high to either simulate vulnerability in an attempt to gain funding or to hide vulnerability to avoid accountability.


  •  If you are doing a tactical assessment (a single facility or complex), you may not always use the shock factor.  Just drop it from the spreadsheet, as the entity being assessed may not have a significant enough impact on society to register relevant Shock scores.
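
The checks in the list above can be run against a scoring matrix automatically. The following is an added example, not part of the original tool or its spreadsheet: the component names and scores are constructed, the factor names are the standard expansion of the CARVER+Shock acronym, and ranking by the sum of the factor scores is an assumption about how the totals are combined.

```python
# Added example. Factor names follow the CARVER+Shock acronym; all scores are constructed.
FACTORS = ["criticality", "accessibility", "recuperability", "vulnerability",
           "effect", "recognizability", "shock"]

# Constructed sample matrix: component -> one score (1-10) per factor, in FACTORS order.
SAMPLE = {
    "computer operator": [7, 4, 6, 5, 6, 3, 4],
    "storage facility":  [10, 6, 8, 10, 10, 3, 10],
    "fuel":              [8, 10, 5, 7, 7, 3, 5],
    "database records":  [9, 1, 1, 6, 8, 3, 6],
    "radios":            [1, 9, 2, 1, 1, 3, 1],
}

def _columns(matrix, use_shock):
    """Yield (factor, [scores]) per factor; validates every score is 1-10."""
    factors = FACTORS if use_shock else FACTORS[:-1]
    for name, scores in matrix.items():
        if len(scores) != len(FACTORS) or any(not 1 <= s <= 10 for s in scores):
            raise ValueError(f"bad score row for {name!r}: {scores}")
    for i, factor in enumerate(factors):
        yield factor, [scores[i] for scores in matrix.values()]

def rank_components(matrix, use_shock=True):
    """Rank components by summed score, highest relative risk first (assumed total).
    use_shock=False drops the Shock column, as for a tactical assessment."""
    n = len(FACTORS) if use_shock else len(FACTORS) - 1
    list(_columns(matrix, use_shock))  # run validation
    totals = {name: sum(scores[:n]) for name, scores in matrix.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def check_definitions(matrix, use_shock=True):
    """Flag factors whose definitions are not sensitive enough."""
    findings = {}
    for factor, column in _columns(matrix, use_shock):
        if len(set(column)) == 1:
            findings[factor] = "same score for every component"
        elif min(column) != 1 or max(column) != 10:
            findings[factor] = f"scale not fully used (range {min(column)}-{max(column)})"
    return findings

if __name__ == "__main__":
    for name, total in rank_components(SAMPLE):
        print(f"{total:3d}  {name}")
    for factor, problem in check_definitions(SAMPLE).items():
        print(f"revisit {factor}: {problem}")
```

In the constructed matrix, recognizability scores 3 for every component, which is the guarded-building situation described earlier, and recuperability never reaches 10; both definitions would need to be rewritten before the ranking is trusted.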


A Sample Matrix  (NOTE: Click here to contact us to receive a spreadsheet to conduct your assessment)
