Security Vulnerability Analysis 6531 Introduction

Step #3: Decide Which Approach to Vulnerability Analysis to Use. Security vulnerability analysis (SVA) is the activity of identifying how potential terrorists can breach security at your site in order to impact an asset and cause a terrorist event. In this context, asset can mean a piece of equipment, a store of product, a key building, a computer system, a person, or anything else of importance to your company or organization. Security is vulnerable when three factors coexist: (a) an identified terrorist threat, (b) an asset that terrorist can possibly exploit, and (c) insufficient security measures to deter, detect, or delay the terrorist, and protect the asset from attack. There are numerous approaches to security vulnerability analysis, some of which are described in Table 6.17. The main factors that differentiate these methods are customizations relative to a particular sector.

All vulnerability analysis methods fall within a spectrum ranging from qualitative ("Asset-based") to quantitative ("Scenario-based"). In general, one will choose an SVA method on the scenario-based end of the spectrum when

• the asset or the consequences resulting from attacking the asset is particularly attractive to a terrorist;

• when you simply cannot afford the consequences of an attack; or

• when little prior experience exists for analyzing that asset's vulnerability.

By contrast, one will choose an asset-based SVA when the consequences are relatively less or when considerable experience exists for analyzing the asset.

For example, the U.S. Secret Service uses an exhaustive scenario-based approach to protect the President of the United States. Likewise, the nuclear industry uses a rigorous scenario-based approach. In the former case, the symbolic value of a U.S. President makes him or her a very attractive target. In the latter, the political

TABLE 6.17. Security Vulnerability Analysis Approaches

Method

Developer

Basis

Reference

ACC Tier 4 SVA

American

Asset-based approach

www.responsiblecare

Chemistry

for low-hazard,

toolkit.org

Council

low-impact sites

CARVER

U.S. Department of Defense

Asset-based approach with wide general applicability

CCPS SVA

Center for

Practical scenario-

www.aiche.org/ccps/

Chemical

and asset-based

sva

Process Safety

approaches for

(American

fixed

Institute of

manufacturing sites

Chemical

Engineers)

SOCMA SVA

Synthetic Organic Chemical Manufacturers Association

Asset-based approach for small, specialty chemical manufacturers

www.socma.org

VAM and RAM

Sandia National

Scenario-based

(various

Laboratories

approaches tailored

versions)

for specific sectors (chemical, water, dams, etc.)

and actual consequences of a nuclear loss of containment are significant enough that we cannot afford to let it happen.

On the other hand, asset-based SVA approaches tend to be used in situations where many assets are similar, like public buildings. Once the symbolic value of the asset, the potential consequences of attack, and other factors are evaluated, security measures needed are determined based on prior experience with similar types of buildings.

In reality, almost all SVA methods lie somewhere between asset-based and scenario-based. This is simply practical: to the degree that shortcuts can be applied without sacrificing results, the faster countermeasures can be identified, and the more money remains available for protections.

The following description of SVA follows the treatment presented in "Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites," Center for Chemical Process Safety (AIChE, 2002).

6.5.3.2 Portfolio Screening

Step #4: Prioritize the Work. Unless your company needs to consider only one easily demarcated facility, it is important to prioritize your efforts to analyze vulnerability and implement security countermeasures. Prioritization should take into account the attractiveness of the asset or target, the difficulty with which an attack could be carried out, and the potential damage that could result. In the simplest form, attractiveness, ease, and damage could be ranked on a qualitative scale (e.g., 1-3), then the three scores summed. Screening approaches with more detailed scales may also be used if finer detail is needed.

The first factor to be considered is the damage that could be inflicted. Consider loss of life as well as economic loss, and try to envision the worst-case possibilities. In the case of chemical facilities, the worst case resulting from a terrorist attack may be worse than the so-called "worst-case scenario" developed for chemical facilities covered by the EPA's Risk Management Plan rule (EPA, 1996).

The second factor to be considered is the target attractiveness. Terrorists tend to consider national monuments, major cultural, political, and sporting events, and the financial sector to be particularly attractive, as an attack on such a target is viewed as an attack on their enemy's entire way of life. Likewise, key infrastructure components such as key bridges, tunnels, highways, and railways are more attractive. Finally, the public's fear of chemical and petroleum facilities may make these more attractive targets, more so if materials in the facility have potential off-site consequences if released.

To really understand what makes a target attractive to a terrorist, search the Internet for "The Al Qaida Manual." This document includes a sobering discussion of attractive targets. Another useful resource is the book "American Jihad."

The third factor is difficulty of attack. Consider the manpower, other resources, and planning that would be required in order to mount an attack that would cause significant damage.

6.5.3.3 Identify Assets

Step #5: Determine What You Need to Protect. An asset is anything the facility owns or employs that could possibly be exploited by a terrorist. In a chemical plant, physical assets include tanks, reactors, and warehouses. Bridges, trains, power lines, herds of cattle, and assembly lines are examples of assets in other sectors. In all sectors, people are assets, as are computer infrastructures. In the asset identification step, you need to identify everything under your control that you may need to protect.

6.5.3.4 Set the Scope of the Study

Step #6: Determine What You Cannot Protect (What Someone Else Needs to Protect). Before starting, decide the boundaries of your study. For example, are in-bound rail shipments to a facility considered only inside the facility gate? 100 yards outside? When it leaves the shipper? It should be clear that depending on where the boundaries are set, the problem of vulnerability analysis can become quite large. Regardless of where one sets boundaries, it would be prudent to identify the parties responsible up to your boundaries, and confirm that their boundaries line up with yours, so that areas are not neglected. Outside-boundary parties to keep in mind include rail, truck, and marine transportation, utilities, pipelines, and near-neighbors. It is also important to identify the kinds of antiterrorist activities you can realistically undertake, and distinguish these from those for which you must rely on local law enforcement and military. For example, you may decide that it could be appropriate to have unarmed guards, but not armed, and you will rely on the military to protect against an attack by air.

6.5.3.5 Estimate Potential Consequences

Step #7: Determine What Kind of Impact a Terrorist Can Have. For each asset, determine the potential consequences of a successful attack, including fatalities, injuries, economic impacts, and social impacts. For chemical releases, conventional release modeling techniques may be used - however, be sure to include consideration of toxic materials that are not on regulatory lists if significant consequences are possible. Consider both personal and regional/national economic consequences. When looking at personal economic consequences, include replacement costs, lost business, and clean-up costs. When considering regional/national economic consequences, ask if your plant might be one of many in the country that makes a product critical to public health or the military, or provides a material that is used in such a product.

6.5.3.6 Analyze Threats

Step #8: Identify the Types of Terrorist Attacks You Need to Consider. Find out about different terrorist groups, who each group targets, whether they are active in your sector or region, whether they may be targeting operations like yours, and what types of strategies they use.

In almost every case, you will not have the experience and current knowledge of terrorist activities to be able to conduct the threat analysis yourself. Involve local law enforcement, and discuss with them whether to involve regional, state, and national law enforcement and intelligence. If you do not have security expertise on staff, you should consider engaging a professional security consultant. It is also possible to subscribe to security alert services that provide updates on terrorist activities. These services are useful, but should not replace establishing a good relationship with law enforcement.

The final result of this step is a set of design basis threat statements that you can use to develop attack scenarios in the next step. Some examples are

• vehicle-borne improvised explosive device (VBIED);

• infiltration to place fixed explosives;

• stand-off assault, for example involving rocket-propelled grenades (RPGs);

6.5.3.7 Asset-Threat Pairing

Step #9: Match Threats to Potential Consequences to Identify Possible Attack Scenarios. In this step, you put together the information obtained in the previous three steps to establish scenarios for potential terrorist attacks using the design basis threats against your assets to produce adverse consequences. For example, you might identify that a terrorist could drive a VBIED close enough to an anhydrous ammonia storage tank that upon detonation, the tank will collapse and release ammonia, with resultant impact on the nearby population.

You should strive to identify all reasonable scenarios that terrorists that could be interested in your facility might use, without being unnecessarily duplicative. For example, if you have two ammonia tanks, you do not really need to consider a VBIED attack on each tank and on both tanks simultaneously. One scenario should be sufficient to represent all three possibilities.

In identifying scenarios, you should involve a team representing diverse backgrounds, including security and law enforcement, process, operation, and business knowledge, and use a brainstorming approach. Team members should attempt to place themselves in the minds of a potential terrorist, and consider how they would attack specific assets via the design basis threats. Such an approach is often called "Red-Teaming."

6.5.3.8 Evaluate Countermeasures. In this step, you evaluate whether the security measures you have in place are adequate to deter, detect, delay, or respond to an attack. In conducting this phase of the vulnerability analysis, again involve law enforcement and also include security experts. As a result of this step, you will identify action items to implement over time. You may also identify scenarios for which conventional security measures may not be adequate. In such situations, your relationship with law enforcement is critical, as a regional or national security solution may be required.

0 0

Post a comment