ANSI API STD 780-2013 Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries (FIRST EDITION).pdf

1、Security Risk Assessment Methodology for the Petroleumand Petrochemical IndustriesANSI/API STANDARD 780FIRST EDITION, MAY 2013Special NotesAPI publications necessarily address problems of a general nature. With respect to particular circumstances, local, state, and federal laws and regulations shoul

2、d be reviewed.Neither API nor any of APIs employees, subcontractors, consultants, committees, or other assignees make any warranty or representation, either express or implied, with respect to the accuracy, completeness, or usefulness of the information contained herein, or assume any liability or r

3、esponsibility for any use, or the results of such use, of any information or process disclosed in this publication. Neither API nor any of APIs employees, subcontractors, consultants, or other assignees represent that use of this publication would not infringe upon privately owned rights.API publica

4、tions may be used by anyone desiring to do so. Every effort has been made by the Institute to assure the accuracy and reliability of the data contained in them; however, the Institute makes no representation, warranty, or guarantee in connection with this publication and hereby expressly disclaims a

5、ny liability or responsibility for loss or damage resulting from its use or for the violation of any authorities having jurisdiction with which this publication may conflict.API publications are published to facilitate the broad availability of proven, sound engineering and operating practices. Thes

6、e publications are not intended to obviate the need for applying sound engineering judgment regarding when and where these publications should be utilized. The formulation and publication of API publications is not intended in any way to inhibit anyone from using any other practices.Any manufacturer

7、 marking equipment or materials in conformance with the marking requirements of an API standard is solely responsible for complying with all the applicable requirements of that standard. API does not represent, warrant, or guarantee that such products do in fact conform to the applicable API standar

8、d.Users of this Standard should not rely exclusively on the information contained in this document. Sound business, scientific, engineering, and safety judgment should be used in employing the information contained herein.Work sites and equipment operations may differ. Users are solely responsible f

9、or assessing their specific equipment and premises in determining the appropriateness of applying the Standard. At all times users should employ sound business, scientific, engineering, and judgment safety when using this Standard.All rights reserved. No part of this work may be reproduced, translat

10、ed, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission from the publisher. Contact the Publisher, API Publishing Services, 1220 L Street, NW, Washington, DC 20005.Copyright 2013 American Petroleum

11、 InstituteForewordNothing contained in any API publication is to be construed as granting any right, by implication or otherwise, for the manufacture, sale, or use of any method, apparatus, or product covered by letters patent. Neither should anything contained in the publication be construed as ins

12、uring anyone against liability for infringement of letters patent.Shall: As used in a standard, “shall” denotes a minimum requirement in order to conform to the specification.Should: As used in a standard, “should” denotes a recommendation or that which is advised but not required in order to confor

13、m to the specification.This document was produced under API standardization procedures that ensure appropriate notification and participation in the developmental process and is designated as an API standard. Questions concerning the interpretation of the content of this publication or comments and

14、questions concerning the procedures under which this publication was developed should be directed in writing to the Director of Standards, American Petroleum Institute, 1220 L Street, NW, Washington, DC 20005. Requests for permission to reproduce or translate all or any part of the material publishe

15、d herein should also be addressed to the director.Generally, API standards are reviewed and revised, reaffirmed, or withdrawn at least every five years. A one-time extension of up to two years may be added to this review cycle. Status of the publication can be ascertained from the API Standards Depa

16、rtment, telephone (202) 682-8000. A catalog of API publications and materials is published annually by API, 1220 L Street, NW, Washington, DC 20005.Suggested revisions are invited and should be submitted to the Standards Department, API, 1220 L Street, NW, Washington, DC 20005, standardsapi.org.iiiC

17、ontentsPage1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

18、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.3 Sequential Activities . . . . . . . . . . . . . . . . . . . . .

19、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Normative References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Terms, Definitions, Acronyms, Abbrevia

20、tions, and Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23.1 Terms and Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23.2 Acronyms, Abbreviations, and Symbols . .

21、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Introduction to SRA Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104.1 General . . . . . . . . . . . . . . .

22、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104.2 Security Risk Assessment and Security Management Principles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104.3 Risk Definition for SRA and Key Va

23、riables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114.4 Likelihood ( L) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124.5 Consequences

24、(C) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134.6 Threat (T ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

25、. . . . . . . . . . 144.7 Attractiveness (A) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154.8 Vulnerability (V) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

26、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 SRA Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165.1 Concept and Relationship to Security Risk Management Process. . . . . .

27、. . . . . . . . . . . . . . . . . . . . . . . . . 165.2 Conducting and Reviewing the SRA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165.3 Validation and Prioritization of Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . .

28、 . . . . . . . . . . . . . . . . . . . . . . . . . . . 175.4 Risk-based Screening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 SRA Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

29、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196.2 Planning for Conducting a SRA. . . . .

30、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236.3 SRA Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236.4 SRA Objectiv

31、es and Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246.5 Information Gathering, Review, and Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256.6 Sources of

32、 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256.7 Identifying Information Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

33、 . . 266.8 Locating Required Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266.9 Information Collection and Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

34、 . . . . . . . 276.10 Analyzing Previous Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276.11 Conducting a Site Inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

35、. . . . . . . . . . . . . . . . 276.12 Gathering Threat Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276.13 Steps of the API SRAStep 1: Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

36、 . . . . . . . . . . . . . . . . . 276.14 Steps of the API SRAStep 2: Threat Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326.15 Steps of the API SRAStep 3: Vulnerability Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

37、. . . . . 356.16 Steps of the API SRAStep 4: Risk Analysis/Ranking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386.17 Steps of the API SRAStep 5: Identify Countermeasures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406.18 Summary of

38、 Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416.19 Follow-up to the SRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

39、. . . . 42vContentsPageAnnex A (informative) Forms and Worksheets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44A.1 Form 1Characterization Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

40、 . . . . . . . . . . . 44A.2 Form 2Threat Assessment Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46A.3 Form 3Attractiveness Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

41、. . . . . . . . . . . . . 48A.4 Form 4Vulnerability Analysis and Risk Assessment Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50A.5 Form 5Recommendation Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

42、. . 52A.6 Alternate Form 5Determine Residual Risk Based on Implementation of All Proposed Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54A.7 Optional Form 6 (if Alternate Form 5 is Used)P

43、roposed Countermeasure Risk Score and Priority Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Annex B (informative) SRA Supporting Data Requirements . . . . . . . . . . . . . . . . . . . . .

44、 . . . . . . . . . . . . . . . . . . . . 58Annex C (informative) Examples of the SRA Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59C.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

45、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59C.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60C.2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . .

46、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60C.2.2 Example 1: Petroleum Distribution Terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61C.2.3 Example 2: Refinery. . . . . . . . . . . . . .

47、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73C.2.4 Example 3: Pipeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85C.2.5 Example 4: Truck Tra

48、nsportation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94C.2.6 Example 5: Rail Transportation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Bibliography . . .

49、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112Figures1 Security Risk Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Target Attractiveness Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Recommended Times for Conducting and Reviewing the SRA . . . . . . . . . . . . . . . . . . . . . . .