API SECURITY-2004 Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries (Second Edition).pdf

Uploaded by: ownview251 | Document ID: 400168 | Upload date: 2018-10-24 | Format: PDF | Pages: 166 | Size: 1.18MB
Resource description

October 2004
Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition

American Petroleum Institute
1220 L Street, NW
Washington, DC 20005-4070
National Petrochemical …

… thereby enhancing the security of our nation's energy infrastructure. API and NPRA wish to express sincere appreciation to the member companies who have made personnel available to work on this document. We especially thank the Department of Homeland Security and its Directorate of Information Analysis …

  • Identify and characterize threats against those assets and evaluate the assets in terms of attractiveness of the targets to each adversary and the consequences if they are damaged or stolen;
  • Identify potential security vulnerabilities that threaten the asset's service or integrity;
  • Determine the risk represented by these events or conditions by determining the likelihood of a successful event and the consequences of an event if it were to occur;
  • Rank the risk of the event occurring and, if high risk, make recommendations for lowering the risk;
  • Identify and evaluate risk mitigation options (both net risk reduction and benefit/cost analyses) and re-assess risk to ensure adequate countermeasures are being applied.

This guidance was developed for the industry as an adjunct to other available references, which include:

  • American Petroleum Institute, “Security Guidelines for the Petroleum Industry”, May, 2003;
  • API RP 70, “Security for Offshore Oil and Natural Gas Operations”, First Edition, April, 2003;
  • … “Vulnerability Analysis Methodology for Chemical Facilities (VAM-CF)”, Sandia National Laboratories, 2002.

API and NPRA would like to acknowledge the contribution of the Center for Chemical Process Safety (CCPS) compiled in their “Guidelines for Analyzing and Managing the Security of Fixed Chemical Sites.” It was this initial body of work that was used as a basis for developing the first edition of the API NPRA SVA methodology. Although similar in nature, the SVA Method was developed for the petroleum and petrochemical industry, at both fixed and mobile systems. Examples have been added that demonstrate applicability at various operating segments of the industry. Owner/Operators may want to use any of the methods above, or another equivalent and appropriate methodology in conducting their SVAs.

These guidelines should also be considered in light of any applicable federal, state and local laws and regulations.

The guidance is intended for site managers, security managers, process safety managers, and others responsible for conducting security vulnerability analyses and managing security at petroleum and petrochemical facilities. The method described in this guidance may be widely applicable to a full spectrum of security issues, but the key hazards of concern are malevolent acts, such as terrorism, that have the potential for widespread casualties or damage.

These guidelines provide additional industry segment specific guidance to the overall security plan and SVA method presented in Part I of the API Security Guidelines for the Petroleum Industry.

1.3 SECURITY VULNERABILITY ASSESSMENT AND SECURITY MANAGEMENT PRINCIPLES

Owner/Operators should ensure the security of facilities and the protection of the public, the environment, workers, and the continuity of the business through the management of security risks. The premise of the guidelines is that security risks should be managed in a risk-based, performance-oriented management process.

The foundation of the security management approach is the need to identify and analyze security threats and vulnerabilities, and to evaluate the adequacy of the countermeasures provided to mitigate the threats. Security Vulnerability Assessment is a management tool that can be used to assist in accomplishing this task, and to help the owner/operator in making decisions on the need for and value of enhancements.

The need for security enhancements will be determined partly by factors such as the degree of the threat, the degree of vulnerability, the possible consequences of an incident, and the attractiveness of the asset to adversaries. In the case of terrorist threats, higher risk sites are those that have critical importance, are attractive targets to the adversary, have a high level of consequences, and where the level of vulnerability and threat is high.

SVAs are not necessarily a quantitative risk assessment, but are usually performed qualitatively using the best judgment of the SVA Team. The expected outcome is a qualitative determination of risk to provide a sound basis for rank ordering of the security-related risks and thus establishing priorities for the application of countermeasures.

A basic premise is that all security risks cannot be completely prevented. The security objectives are to employ four basic strategies to help minimize the risk:

  1. Deter
  2. Detect
  3. Delay
  4. Respond

Appropriate strategies for managing security can vary widely depending on the individual circumstances of the facility, including the type of facility and the threats facing the facility. As a result, this guideline does not prescribe security measures but instead suggests means of identifying, analyzing, and reducing vulnerabilities. The specific situations must be evaluated individually by local management using best judgment of applicable practices. Appropriate security risk management decisions must be made commensurate with the risks. This flexible approach recognizes that there isn't a uniform approach to security in the petroleum industry, and that resources are best applied to mitigate high-risk situations primarily.

All Owner/Operators are encouraged to seek out assistance and coordinate efforts with federal, state, and local law enforcement agencies, and with the local emergency services and Local Emergency Planning Committee. Owner/Operators can also obtain and share intelligence, coordinate training, and tap other resources to help deter attacks and to manage emergencies.

Chapter 2

Security Vulnerability Assessment Concepts

2.1 INTRODUCTION TO SVA TERMS

A Security Vulnerability Assessment (SVA) is the process that includes determining the likelihood of an adversary successfully exploiting vulnerability and estimating the resulting degree of damage or impact. Based on this assessment, judgments can be made on degree of risk and the need for additional countermeasures. To conduct a SVA, key terms and concepts must be understood as explained in this chapter.

2.2 RISK DEFINITION FOR SVA

For the purposes of a SVA, the definition of risk is shown in Figure 2.1. The risk that is being analyzed for the SVA is defined as an expression of the likelihood that a defined threat will target and successfully attack a specific security vulnerability of a particular target or combination of targets to cause a given set of consequences. The complete SVA may evaluate one or more issues or sum the risk of the entire set of security issues. The risk variables are defined as shown in Figure 2.2.

A high-risk event, for example, is one which is represented by a high likelihood of a successful attack against a given critical target asset. Likelihood is determined by considering several factors including its attractiveness to the adversary, the degree of threat, and the degree of vulnerability. Criticality is determined by the asset's importance or value, and the potential consequences if attacked. If the likelihood of a successful attack against an important asset is high, then the risk is considered high and appropriate countermeasures would be required for a critical asset at high risk.

For the SVA, the risk of the security event is normally estimated qualitatively. It is based on the consensus judgment of a team of knowledgeable people as to how the likelihood and consequences of an undesired event scenario compare to other scenarios. The assessment is based on best available information, using experience and expertise of the team to make sound risk management decisions. The team may use a risk matrix, which is a graphical representation of the risk factors, as a tool for risk assessment decisions.

The API NPRA SVA Methodology has a two step screening process to focus attention on higher risk events. The key variables considered in the first screening are Consequences and Target Attractiveness. If either of those is not sufficiently significant, the asset is screened out from further specific consideration. Later, the complete set of risk variables shown in Figure 2.1 are used in the second screen to determine the need for additional specific countermeasures.

Figure 2.1: Risk Definition

Security Risk is a function of:
  • Consequences of a successful attack against an asset and
  • Likelihood of a successful attack against an asset.

Likelihood is a function of:
  • the Attractiveness to the adversary of the asset,
  • the degree of Threat posed by the adversary, and
  • the degree of Vulnerability of the asset.

Figure 2.2: SVA Risk Variables [4]

Consequences: Consequences are the potential adverse impacts to a facility, the local community and/or the nation as a result of a successful attack.

Likelihood: Likelihood is a function of the chance of being targeted for attack, and the conditional chance of mounting a successful attack (both planning and executing) given the threat and existing security measures. This is a function of Threat, Vulnerability, and Target Attractiveness (see Figure 2.1).

Attractiveness: Attractiveness is a surrogate measure for likelihood of attack. This factor is a composite estimate of the perceived value of a target to a specific adversary.

Threat: Threat is a function of an adversary's intent, motivation, capabilities, and known patterns of operation. Different adversaries may pose different threats to various assets within a given facility or to different facilities.

Vulnerability: Vulnerability is any weakness that can be exploited by an adversary to gain access and damage or steal an asset or disrupt a critical function. This is a variable that indicates the likelihood of a successful attack given the intent to attack an asset.

[4] Ibid, AIChE.

…

  • Activists, pressure groups, single-issue zealots;
  • Disgruntled employees or contractors;
  • Criminals (e.g., white collar, cyber hacker, organized, opportunists).

Threat information is important reference data to allow the Owner/Operator to understand the adversaries interested in the assets of the facility, their operating history, their methods and capabilities, their possible plans, and why they are motivated. This information should then be used to develop a design basis threat or threats.

Adversaries may be categorized as occurring from three general types:

  • Insider threats
  • External threats
  • Insiders working as colluders with external threats

Each applicable adversary type should be evaluated against each asset as appropriate to understand vulnerabilities.

2.6 VULNERABILITY

Vulnerability is any weakness that can be exploited by an adversary to gain unauthorized access and subsequent destruction or theft of an asset. Vulnerabilities can result from, but are not limited to, weaknesses in current management practices, physical security, or operational security practices. In a SVA, vulnerabilities are evaluated either by broadly considering the threat and hazards of the assets they could attack or affect, or analyzed by considering multiple potential specific sequences of events (a scenario-based approach). For this SVA methodology, each critical asset is analyzed from at least an asset-based approach at first by considering consequences and attractiveness. If it is a specific high value target, then it is recommended to analyze the asset further using scenarios.

2.7 SVA APPROACH

The general approach is to apply risk assessment resources and, ultimately, special security resources primarily where justified based on the SVA results. The SVA process involves consideration of each facility from both the general viewpoint and specific asset viewpoint. Consideration at the general level is useful for determination of overall impacts of loss, infrastructure and interdependencies at the facility level, and outer perimeter analysis including access control and general physical security.

For example, all facilities will maintain a minimum level of security with general countermeasures such as the plant access control strategy and administrative controls. Certain assets will justify a more specific level of security, such as additional surveillance or barriers, based on their value and expected level of interest to adversaries. The benefit of evaluating specific assets is that individual risks can be evaluated and specific countermeasures applied where justified in addition to more general countermeasures.

This SVA methodology uses this philosophy in several ways. The method is intended to be comprehensive and systematic in order to be thorough. First, it begins with the SVA team gaining an understanding of the entire facility, the assets that comprise the facility, the critical functions of the facility, and the hazards and impacts if these assets or critical functions are compromised. This results in an understanding of which assets and functions are critical to the business operation. This is illustrated in Figure 2.4.

Criticality is defined both in terms of the potential impact to the workers, community, the environment and the company, as well as to the business importance of the asset. For example, a storage tank of a hazardous material may not be the most critical part of the operation of a process, but if attacked, it has the greatest combined impact so it may be given a high priority for further analysis and special security countermeasures.

Based on this first level of screening from all assets to critical assets, a critical asset list is produced. Next, the critical assets are reviewed in light of the threats. Adversaries may have different objectives, so the critical asset list is reviewed from each adversary's perspective and an asset attractiveness ranking is given. This factor is a quick measure of whether the adversary would value damaging, compromising, or stealing the asset, which serves as an indicator of the likelihood that an adversary would want to attack this asset and why.

…

  • The complexity and detail of the SVA method; and
  • The nature of the output (probabilistic versus relative measures of risk).

Ultimately, it is the responsibility of the owner/operator to choose the SVA method that best meets the needs of the company,
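The two-step screening of Section 2.2, combined with the per-adversary review of Sections 2.5 to 2.7, can be sketched as follows; this is an added example, not code or scoring rules from the API/NPRA document. The 1-5 ordinal rankings, the threshold of 3, likelihood taken as the lowest of its three factors, the consequence-times-likelihood ordering, and all sample assets and values are assumptions made for illustration.

```python
from dataclasses import dataclass

# ASSUMPTIONS (not from the page): 1-5 ordinal rankings agreed by the SVA team,
# a screening threshold of 3, likelihood bounded by the lowest of its three
# factors, and consequence x likelihood used only to rank-order scenarios.
SCREEN_THRESHOLD = 3

@dataclass(frozen=True)
class Pairing:
    """One adversary type evaluated against one asset."""
    adversary: str
    attractiveness: int
    threat: int
    vulnerability: int

@dataclass(frozen=True)
class Asset:
    name: str
    consequence: int
    pairings: tuple

def _check(rank):
    """Reject rankings outside the assumed 1-5 scale."""
    if not 1 <= rank <= 5:
        raise ValueError(f"ranking {rank} is outside the 1-5 scale")
    return rank

def first_screen(asset):
    """Screen 1: keep the asset only if Consequences and Target Attractiveness
    (highest value across adversaries) are both significant."""
    _check(asset.consequence)
    top = max((_check(p.attractiveness) for p in asset.pairings), default=0)
    return asset.consequence >= SCREEN_THRESHOLD and top >= SCREEN_THRESHOLD

def likelihood(p):
    """Likelihood as a function of Attractiveness, Threat and Vulnerability."""
    return min(_check(p.attractiveness), _check(p.threat), _check(p.vulnerability))

def second_screen(assets):
    """Screen 2: score each asset/adversary pairing that survived screen 1
    and return the pairings in rank order, highest risk first."""
    rows = []
    for asset in filter(first_screen, assets):
        for p in asset.pairings:
            lk = likelihood(p)
            rows.append((asset.consequence * lk, asset.name, p.adversary, lk))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

# Constructed sample rankings, for illustration only.
SAMPLE = [
    Asset("hazardous storage tank", 5, (Pairing("external", 4, 3, 4),
                                         Pairing("insider", 3, 2, 5))),
    Asset("administration building", 2, (Pairing("external", 4, 4, 4),)),
    Asset("spare parts warehouse", 3, (Pairing("insider", 2, 3, 5),)),
]

if __name__ == "__main__":
    for score, name, adversary, lk in second_screen(SAMPLE):
        print(f"{score:>2}  {name:<24} {adversary:<9} likelihood={lk}")
```

The output is a relative ordering for prioritising countermeasures, consistent with the qualitative intent of the method; the numbers carry no probabilistic meaning.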
