1、Security Guidelinesfor the Petroleum IndustryAmerican Petroleum InstituteApril 2005PetroleumRefineriesLiquidPetroleum PipelinesPetroleumProductsDistribution and MarketingOil andNatural GasProduction OperationsMarineTransportationCyber/InformationTechnology forthe PetroleumIndustryThirdEditionHomelan
2、d Security Advisory SystemSEVERESevere Risk of Terrorist AttacksHIGHHigh Risk of Terrorist AttacksELEVATEDSignificant Risk of Terrorist AttacksGUARDEDGeneral Risk of Terrorist AttacksLOWLow Risk of Terrorist Attackswww.dhs.govSecurity Guidelinesfor the Petroleum IndustryAmerican Petroleum InstituteA
3、pril 2005PetroleumRefineriesLiquidPetroleum PipelinesPetroleumProductsDistribution and MarketingOil andNatural GasProduction OperationsMarineTransportationCyber/InformationTechnology forthe PetroleumIndustryThird EditionSPECIAL NOTES API publications necessarily address problems of a general nature.
4、 With respect to particular circumstances, local, state, and federal laws and regulations should be reviewed. API is not undertaking to meet the duties of employers, manufacturers, or suppliers to warn and properly train and equip their employees, and others exposed, concerning health and safety ris
5、ks and precautions, nor undertaking their obligations under local, state, or federal laws. Information concerning safety and health risks and proper precautions with respect to particular materials and conditions should be obtained from the employer, the manufacturer or supplier of that material, or
6、 the material safety data sheet. Nothing contained in any API publication is to be construed as granting any right, by implication or otherwise, for the manufacture, sale, or use of any method, apparatus, or product covered by letters patent. Neither should anything contained in the publication be c
7、onstrued as insuring anyone against liability for infringement of letters patent. Generally, API standards are reviewed and revised, reaffirmed, or withdrawn at least every five years. Sometimes a one-time extension of up to two years will be added to this review cycle. This publication will no long
8、er be in effect five years after its publication date as an operative API standard or, where an extension has been granted, upon republication. Status of the publication can be ascertained from the API Standards department telephone (202) 682-8000. A catalog of API publications, programs and service
9、s is published annually and updated biannually by API, and available through Global Engineering Documents, 15 Inverness Way East, M/S C303B, Englewood, CO 80112-5776. This document was produced under API standardization procedures that ensure appropriate notification and participation in the develop
10、mental process and is designated as an API standard. Questions concerning the interpretation of the content of this standard or comments and questions concerning the procedures under which this standard was developed should be directed in writing to the Director of the Standards department, American
11、 Petroleum Institute, 1220 L Street, N.W., Washington, D.C. 20005. Requests for permission to reproduce or translate all or any part of the material published herein should be addressed to the Director, Business Services. API standards are published to facilitate the broad availability of proven, so
12、und engineering and operating practices. These standards are not intended to obviate the need for applying sound engineering judgment regarding when and where these standards should be utilized. The formulation and publication of API standards is not intended in any way to inhibit anyone from using
13、any other practices. Any manufacturer marking equipment or materials in conformance with the marking requirements of an API standard is solely responsible for complying with all the applicable requirements of that standard. API does not represent, warrant, or guarantee that such products do in fact
14、conform to the applicable API standard. All rights reserved. No part of this work may be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission from the publisher. Contact the Publisher, A
15、PI Publishing Services, 1220 L Street, N.W., Washington, D.C. 20005. Copyright 2005 American Petroleum Institute ii FOREWORD This document is intended to offer security guidance to the petroleum industry. Individual companies have assessed their own security needs and have implemented security measu
16、res they consider appropriate. This document is not intended to supplant the measures adopted by individual companies or to offer commentary regarding the effectiveness of individual company efforts. With respect to particular circumstances, local, state and federal laws and regulations should be re
17、viewed. Information concerning security risks and proper precautions with respect to particular materials and conditions should be obtained from individual companies or the manufacturer or supplier of a particular material. API is not undertaking to meet the duties of employers, manufacturers, or su
18、ppliers to warn and properly train and equip their employees, and others exposed, concerning security risks and precautions, nor undertaking their obligation under local, state or federal laws. To the extent this document contains company specific information such information is to be considered con
19、fidential. API publications may be used by anyone desiring to do so. Every effort has been made by the Institute to assure the accuracy and reliability of the data contained in them; however, the Institute makes no representation, warranty, or guarantee in connection with this publication and hereby
20、 expressly disclaims any liability or responsibility for loss or damage resulting from its use or for the violation of any federal, state, or municipal regulation with which this publication may conflict. Suggested revisions are invited and should be submitted to API, RASA department, 1220 L Street,
21、 NW, Washington, DC 20005. iii TABLE OF CONTENTS Page Executive Summary. vii 1.0 Introduction.1 1.1 Scope and Objective.1 1.2 Organization of the Document.1 1.3 Underlying Basis of this Guidance2 1.4 Other Guidelines and Security References .2 2.0 Overview of Terrorism and the Petroleum Industry .3
22、2.1 Background on Terrorism and Security3 2.2 Threat to the Petroleum Industry .3 3.0 Threat Assessment4 3.1 The Value of Threat Assessment.4 3.2 Threat Assessment Process 4 3.3 Security Alert Level Systems.6 3.3.1 Introduction 6 3.3.2 Department of Homeland Security Alert System (HSAS).6 3.3.3 U.S.
23、 Coast Guard Maritime Security Levels 7 3.3.4 International Ship and Port Facility Security (ISPS) Alert Levels 8 4.0 The Security Management System Process 8 4.1 Initial Screening .9 4.2 Data Gathering .10 4.3 Initial SVA10 4.4 Example Elements of a Security Plan .12 4.4.1 Security Administration I
24、dentified existing standards, recommended practices, guidance and other operational practices, as well as ongoing initiatives that may mitigate these risks; Developed guidance on conducting Security Vulnerability Assessments (SVA)ain the petroleum and petrochemical industries; Developed Recommended
25、Practices for security for offshore oil and gas operations.b Worked with the Federal Government, other industry associations and petroleum companies to prepare appropriate guidance. 1.1 Scope and Objective The objective of this document is to provide general guidance to owners and operators of U.S.
26、domestic petroleum assets for effectively managing security risks and provide a reference of certain applicable Federal security laws and regulations that may impact petroleum operations. Domestic petroleum assets are widely distributed, consisting of over 300,000 producing sites, 4,000 offshore pla
27、tforms, 600 natural gas processing plants, 160,000 miles of liquid pipelines, numerous crude oil and liquefied natural gas (LNG) offloading ports and terminals, 144 refineries, 1,400 finished product terminals, 7,500 bulk stations and 170,000 gasoline retail stations. The vast majority of these asse
28、ts are small and geographically remote and do not present a significant security risk to the national economy, national security or public safety. However, the petroleum industry supports taking prudent measures to effectively minimize security risks posed by acts of terrorism where warranted. Certa
29、in petroleum facilities are covered by the Maritime Transportation Security Act of 2002 (MTSA), which was signed into law on November 25, 2002. In compliance with MTSA, the U.S. Coast Guard has promulgated federal rules under 33 CFR Subchapter H, Parts 101 106 that cover port, OCS and vessel securit
30、y. These regulations require certain vessels and port facilities that could be involved in a transportation security incident prepare a vessel or facility security plan and submit it to the USCG. See Appendix A for a reference table of Federal security regulations that affect the U.S. 1.2 Organizati
31、on of the Document This document is organized into seven chapters plus three Appendix items for reference. Chapter 1.0 describes the objectives, intended audience, and scope of the guidance and the various references for other security regulations. Chapter 2.0 includes an overview of terrorism and t
32、he petroleum industry. Chapter 3.0 describes a process for a threat assessment including the use of security intelligence and threat-based countermeasures systems such as the Department of Homeland Security Alert System (HSAS) and the USCG Maritime Security (MARSEC) levels. Chapter 4.0 describes the
33、 elements of a aAmerican Petroleum Institute/National Petrochemical and Refiners Association Guidance “Security Vulnerability Assessment Methodology, October, 2004” bAPI RP 70 Security for Offshore Oil and Natural Gas Operations, First Edition, March 2003 and RP 70I Security for International Oil an
34、d Natural Gas Operations, First Edition, May 2004. 1 AMERICAN PETROLEUM INSTITUTE security plan and provides a plan outline. Chapter 5.0 includes an overview of security vulnerability assessment. Chapter 6.0 includes security conditions and potential response measures. Chapter 7.0 provides an overvi
35、ew of information (cyber) security. The Appendix items provide useful reference information such as a matrix of certain Federal laws and regulations on security and a glossary of terms and references used to develop this document. 1.3 Underlying Basis of this Guidance Owners and operators in the pet
36、roleum industry can enhance the security of their assets and continuity of business operations through the effective management of security risks. By considering site-specific circumstances, security risks can be managed through a risk-based, performance-oriented management systems approach. The fou
37、ndation of a security management systems approach is to identify and analyze security threats and vulnerabilities, and to evaluate the adequacy of countermeasures provided to mitigate the threats. Security Vulnerability Assessment (SVA) is a management tool that is flexible and adaptable to a wide r
38、ange of applications and can be used to assist management is identifying and prioritizing security risks and determining the appropriate type and level of protection required at the local asset level. The need for and type of security enhancements will be determined based on site-specific factors su
39、ch as the degree of the threat, the degree of vulnerability, the potential consequences of a security event, and the attractiveness of an asset to an adversary. In the case of the terrorist threat, higher-risk sites are those that have critical importance, are attractive targets to the adversary, ha
40、ve a high level of potential consequences, where assets are vulnerable and the threat is great. In these high-risk situations, security enhancements/countermeasures should be considered that reduce one or several of these items to an acceptable level. Appropriate strategies for managing security ris
41、k can vary widely depending on site-specific factors such as the type of facility (fixed or mobile/remote or urban), the operation involved, the type of substances being stored and processed, and the threats facing the facility. As a result, this guidance does not prescribe specific security measure
42、s but provides a means of identifying, analyzing, and reducing vulnerabilities based on the unique needs of the location. Each facility should be evaluated individually by management using the best judgment of applicable practices and appropriate security risk management decisions should be made com
43、mensurate with the risks. This recognizes that there isnt a uniform approach to security in the petroleum industry, and that resources should be used effectively to reduce high-risk situations on a priority basis. It is recognized that while all security risks cannot be completely eliminated it can
44、be significantly reduced through implementing an effective security risk management program. The security objectives are to employ four basic strategies to manage the risk, including, Deter, Detect, Delay, and Respond. All owner/operators are encouraged to seek out assistance and coordinate efforts
45、with federal, state, and local law enforcement agencies, and with the local emergency services and Local Emergency Planning Committee as applicable. Owner/Operators can also obtain and share intelligence, coordinate training, and utilize other resources to help deter attacks and to manage emergencie
46、s. 1.4 Other Guidelines and Security References API has developed this guidance for the petroleum industry as a reference to be used with other available sources. This document does not attempt to provide an all-inclusive list of security considerations, but more as a basis for what might be conside
47、red when evaluating and implementing security measures. Additionally, it is recognized that certain information included in a security program needs to remain confidential. Petroleum companies should consider a confidentiality 2 SECURITY GUIDELINES FOR THE PETROLEUM INDUSTRY program to understand wh
48、at information can be shared and what should remain confidential. Other available resources on security include: American Petroleum Institute RP 70, Security for Offshore Oil and Natural Gas Operations, 1stEd., April 2003. American Petroleum Institute RP 70I, Security for Worldwide Offshore Oil and
49、Natural Gas Operations, 1st Ed., May 2004. American Petroleum Institute Std 1164, SCADA Security, 1stEd., September 2004. American Petroleum Institute / National Petrochemical and Refiners Association, “Security Vulnerability Assessment Methodology,” October 2004. American Chemistry Council, “Site Security Guidelines for the U. S. Chemical Industry,” 2001. American Chemistry Council, “Implementation Resource Guide for Responsible Care Security Codeof Management Practices: Value Chain Activities,” 2003. American Chemistry Council, “Transportation Security Guidelines
