1
CHEMICAL SECURITY RISK ASSESSMENT AND
SELF-ASSESSMENT MODEL (CHEM-SAM)
BACKGROUND AND METHODOLOGY
INTRODUCTION
Sandia National Laboratories’ (SNL) International Chemical Threat Reduction (ICTR) Program advances U.S. and
international threat reduction and counter terrorism goals by promoting safe, secure, and responsible use of
chemicals across the globe. Among ICTR’s primary sponsors are the U.S. Department of State (DOS) Bureau of
International Security and Nonproliferation (ISN), DOS Office of Cooperative Threat Reduction (CTR), and DOS
Chemical Security Engagement Program (CSP). ICTR, with support of CSP, has been working with chemical
academic laboratories and chemical industrial facilities around the globe to help implement chemical risk
management which supports chemical security and safety. ICTR relies upon expertise in chemistry, chemical
engineering, safety, security, and risk assessment to help enable laboratories and facilities to better understand
any internal management gaps and identify strategies to reduce these gaps. The goal of the Chem-SAM model is
to provide laboratories and facilities tools that will support internal assessments of the chemical risks, support risk
management decision making, and provide better risk communication. Multiple tools across the globe are
specifically designed for chemical hazard assessment and a number of tools are designed to assess the security of
large scale industrial processes. Chem-SAM, while leveraging concepts from these tools, was designed for smallto-medium-sized laboratories, primarily located outside of the U.S., and therefore not subject to any of the U.S.
chemical security regulations.
The standard process for conducting a security risk assessment includes six steps: defining of the assets of interest,
defining the adversaries who have interest in those assets, defining scenarios based upon those assets and
adversaries, assessing the facility vulnerabilities based upon those scenarios, calculating the security risk for each
scenario based upon the vulnerabilities, and finally, determining if the risk is acceptable. The Chem-SAM model is
based upon this process; however, the adversaries and scenarios are predefined. The model aids in defining risk
for the chemical assets based upon an adversary intending malicious use; as a result, assets are prioritized
according to the attractiveness as a target and the consequences of a malicious release. Adversaries are
characterized as those with authorized access to a facility (and to the chemicals) and those without authorized
access to a facility (or to the chemicals). The scenarios are defined as theft of the chemical followed by a malicious
release by an adversary with and without authorized access, and sabotage of the facility by an adversary with or
without authorized access leading to a release of chemicals. The facility vulnerabilities are defined by
characterizing the in-place chemical security measures and the effectiveness of those measures at reducing the
potential for each of the four scenarios. From these data points, Chem-SAM provides a risk characterization for all
four scenarios, for all defined chemical assets, using a two-dimensional risk graph. This graph can be used to aid in
determining the acceptability of the chemical security risks for any or all of the chemicals in at a facility or
laboratory.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
2
CHEMICAL SECURITY PARADIGM
The chemical security paradigm that provided the foundation for Chem-SAM is based upon the risk of an adversary
using chemicals with a malicious intent. Chemicals have been used maliciously since the earliest records of war
and social unrest. Chemicals (in the form of bio-toxins) have likely been used maliciously far before any written
record. Unfortunately, chemicals are still used with malicious intent across the globe.
The intensions range from personal attacks (e.g., poisoning a spouse, destroying a laboratory due to a personality
dispute, etc.), economic attacks (e.g., selling of dangerous chemicals on the black market, destroying a facility to
remove competition, etc.), to political attacks (e.g., attacking political, military or civilian targets due to a political
(or religious) dispute, sabotaging a facility to highlight environmental issues, etc.). As part of an overall chemical
risk management regime, a facility or laboratory storing, selling, or processing chemicals should consider the risks
associated with an adversary who wants to use chemicals from the facility (or laboratory) maliciously, and should
implement the appropriate chemical security measures based upon the level of these risks.
Chemical security includes the physical protection of the chemicals, the specific defining of persons who have
access to the chemicals, and the management of the processes for transportation of chemicals within and outside
of a facility. Monitoring the specific chemicals within a facility may require a comprehensive inventory of
chemicals. Determining the potential security risks based upon those chemicals and the in-place chemical risk
management measures is the first step in implementing a chemical security program.
A chemical security program should be part of a holistic chemical risk management program and should be
supported by management (or directorship) of a laboratory or facility. Chemical risk management includes the
development of policies, training, documentation, and funding to support chemical safety and security programs
for the life cycle of the chemicals. A chemical security program stands upon five pillars—a chemical inventory
process, physical security, a personal reliability program, chemical receiving and disposal programs, and
information security processes; and a chemical security program must have an overall program management that
supports the five pillars.
CHEMICAL INVENTORY / MATERIAL CONTROL AND ACCOUNTABILITY
A chemical inventory should be a comprehensive system for defining what chemicals are in a facility, where they
are located, how they are secured, and who is accountable for the management (safety and security) of specific
chemicals. The creation of a comprehensive inventory system may be necessary to fully track the chemicals in a
facility, laboratory, or institution and to manage processes for safe and secure handling of these chemicals.
An inventory system will also support and help to sustain a chemical security program. An inventory system can
help reinforce good chemical management and will reduce the potential for chemical diversion. Not all chemicals
require the same level of detail in the inventory system; rather, a risk-based approach should be used to define the
level of information required in the inventory for the various chemicals on hand. Considerations for the inventory
may include defining where different chemicals can be used and stored, how they are identified, and how the
inventory is maintained. The person defined as accountable for the management of the chemicals should be the
person best able to answer questions about the chemicals and to ensure chemicals are not orphaned.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
3
PHYSICAL SECURITY
Performance requirements for the physical protection of chemicals are to define the risks (both safety and security
risks) posed by the specific chemicals in the following situations:



In long-term storage (supply areas, waste areas, obsolete chemicals),
In transit, and
In active use within the chemical processes.
Also, the needs of the facility, laboratory, or institution should be defined. Physical security principles are based
upon the detection an unauthorized entry, delay of the unauthorized entity, assessment of the entity, and a
response to the entry. The performance requirements for physical protection are based upon deterring theft or
sabotage of the material, denying theft of sabotage of the material, or containing an adversary prior to their
leaving the facility with the stolen material. For chemicals, because most are ubiquitous within a country and have
significant dual-use purposes, the performance requirements for physical security should focus on deterrence of
theft, but may also require preventing an adversary from performing sabotage.
Physical protection system requirements should include defining a graded approach to security with the first layer
being at the chemical itself and working outward to the facility, laboratory, or institutional perimeter.
Material security would include a secure container or cabinet the specific storage of the chemical(s).
Material security would act as a deterrent to persons unauthorized to work with the specific chemical(s).
Material security may offer delay, detection, assessment, and the opportunity for response when
warranted by the risk. Material security can also help support safety by limiting those who have access to
the chemical.
Room security is used as a deterrent to persons unauthorized for entry into the room and may offer
delay, detection, assessment, and the opportunity for response when warranted by the risk. Room
security can also help to support safety by limiting those who have access to the chemicals. An enclosed
fence or “cage” within a larger space could offer the same level of security as room security.
Building security is used as a deterrent to outsiders and may offer detection and delay depending upon
the building and organization when warranted by the risk.
Perimeter security is used to as a deterrent to outsiders, can offer detection and delay when warranted
by the risk, and can be used to define a security culture. The perimeter does not specifically protect the
material.
PERSONAL RELIABILITY
The performance requirements for defining persons who have are allowed to have access to the chemicals should
be based upon the risks posed by the specific chemicals and the needs of the facility/laboratory/institution. The
requirements should consider measures to confirm a person has been properly trained in chemical safety, use of
personal protective equipment, use of equipment, entry and exit procedures, etc.; training in the responsible use
of chemicals; and has been provided information as to the risks posed by the chemicals (has reviewed and
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
4
understood the material safety data sheets). Measures could also include processes to determine the level of
integrity of the person; these can include verification of education and past employment and, when warranted,
can include formal background checks.
The requirements for access to chemicals should also consider the processes for visitors (short- and long-term) to
the facility or institution, the process for changing access following a person’s departure (long-term departure)
from the facility, and how access will be controlled and supported through procedures and, when required,
electronic or key access control systems.
TRANSPORTATION / CHEMICAL RECEIVING AND DISPOSAL
During movement of chemicals within and between facilities or institutions, the level of security for the transport
should be consistent with the requirements defined for the security of the chemical within the facility. There may
be limitations during chemical transport, but the performance requirements for the physical protection system and
for defining the persons involved in the transportation should be equivalent (when possible).
Considerations should include when and how chemicals are transported and how they are stored and secured
between movements. A facility should specifically confirm the level of chemical risk management processes for
any facility chemicals are being supplied to. This will help to reduce the potential for a safety or security incidents
at the recipient site. When warranted, a formal chain of custody should be considered.
INFORMATION SECURITY
Considerations for the protection of sensitive information should be implemented. Sensitive information would
include information which could lead an adversary to theft or sabotage and help in their avoidance of any
implemented security measures. Electronic as well as paper-based information should be protected.
CHEMICAL SECURITY RISK ASSESSMENT METHODOLOGY
As defined by Kaplan and Garrick,1 risk analysis consists of answering three specific questions:
1.
2.
3.
What can happen?
What is the chance that it will happen?
If it happens, what are the consequences?
ICTR, in support of CSP, has defined a set of security scenarios that may be of concern to a laboratory or facility
storing, selling, or processing chemicals.2 Based on these scenarios, the chemical security risk self-assessment
model was designed to provide the answers to the three risk analysis questions for four specific scenarios:
1.
The risk of an adversary without authorized access to the facility (or to the chemicals) successfully stealing
chemicals and using them with malicious intent.
1Stanley
2
Kaplan and B. John Garrick, “On The Quantitative Definition of Risk” Risk Analysis, 1981
Example design basis threat located in Appendix A
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
5
2.
3.
4.
The risk of an adversary with authorized access to the facility (and the chemicals) successfully stealing
chemicals and using them with malicious intent.
The risk of an adversary without authorized access to the facility (or to the chemicals) maliciously causing
a release of the chemicals (sabotage) within the facility.
The risk of an adversary with authorized access to the facility (and the chemicals) maliciously causing a
release of the chemicals (sabotage) with the facility.
In this methodology, a chemical security risk is defined as a function of the likelihood of targeting a chemical and
the likelihood of successful theft of the chemical from the facility (or laboratory) and the consequences of
malicious release of the chemical.
Chemical Security Risk
Theft Potential
Likelihood of targeting the
chemical for theft by an
adversary based upon the
attractiveness of the
chemical by an adversary
Consequences of malicious
chemical use (release)
Likelihood of successful
theft by an adversary
based upon the in-place
chemical risk management
practices
Figure 1: Chemical Risk Assessment Methodology
This methodology combines these elements for each specific scenario uniquely to define the relative risks for each
scenario. These risk calculations can be compared to each other and used to help determine risk acceptance,
support risk communication, and to help focus risk reduction efforts.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
6
RISK ANALYSIS PRINCIPLES
MULTI-OBJECTIVE DECISION ANALYSIS
The Chem-SAM model is not intended to be a formal quantitative assessment of absolute risk; rather it is intended
to provide a structured method for the comparison of the relative risks posed by an adversary acquiring and
exploiting chemicals with malicious intent. There are many approaches to structured risk assessment and decision
analysis; multi-objective decision analysis (MODA) is one of these methods. MODA and its parent process, multicriteria decision analysis (MCDA), have been identified as scientifically sound methods for decision analysis and
have been extensively validated for use in risk analysis.
“Research on quantitative decision making has proceeded from the study of decision theory founded on single
criterion decision making towards decision support for more realistic decision making situations with multiple,
often conflicting, criteria, and more than one decision-maker. In particular, MCDA stands out as a promising
category within decision support methods.” 3
Linkov4 and others have advocated the use of a multi-criteria decision analysis as part of a traditional risk
assessment in situations where there is a limited set of empirical data and a high level of uncertainty. MODA (and
MCDA) are robust disciplines, and these processes are useful in illustrating and justifying decisions. MODA has
been accepted by the risk community as a process for conducting structured risk assessments, focusing on areas
with limited detailed knowledge and on areas where information may vary with time. In addition to the structure,
MODA also offers a transparent method for conducting risk assessment since it can help in quantifying and
communicating the risks, and support decision-makers’ choices on risk management. MODA provides a
mechanism to combine multiple information sources, including those based upon expert judgment, to assess
risks.5
The basic structure of MODA modeling is to define the relevant objectives or criteria for the problem(s) to be
addressed, attach numerical measurements and relative importance to the criteria, and combine the numerical
values to arrive at a relative ranking.6 In MODA, several mathematical models define how the numerical
measurements and relative importance rankings are determined. Likewise, combining of measurements varies
from model to model. The method used in this analysis is based upon a weighted sum algorithm, which is one of
the most common approaches. This method combines all the criteria and weights into a single score (A) by
summing all the weighted numerical values (aij,wj):
𝑛
𝐴= ∑
𝑎𝑖𝑗, 𝑤𝑗
𝑗=1
3
Mona Riabacke, Mats Danielson, Love Ekenberg, and Aron Larsson “A Prescriptive Approach for Eliciting Imprecise Weight
Statements in an MCDA Process,” Algorithmic Decision Theory: First International Conference, 2009.
4 Igor Linkov, “Comments on the OMB Risk Assessment Bulletin,” 2006.
5 Igor Linkov, F. Kyle Satterstrom, Jerrery Steevens, Elizabeth Ferguson, and Richard C. Pleus, “Multi-Criteria decision analysis
and environmental risk assessment for nanomaterials,” Journal of Nanoparticles Research, 2007.
6 Evangelos Triantaphyllou, Multi-Critera Decision Making Methods: A comparative Study, Kluwer Academic Publishers, 2000.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
7
When using MODA for risk analysis, the resulting score of the weighted sum is a component in the creation of the
relative risk ranking. In this methodology, the weighted sum is used to define the likelihood and the consequences
independently. These two values are combined to create the relative risk characterization.
RISK GOVERNANCE
Risk governance7 provides a framework to enable risk assessment and risk management activities for an
organization to take place in a sustainable way. While improving decision making, planning, and prioritization; it
contributes to a more efficient allocation and use of the resources within an organization. From this standpoint,
risk management is seen as a process that creates value by ensuring that the resources consumed by risk
management and control are used efficiently to guarantee the sustainability of the activities and the achievement
of the strategic objectives. Thus, risk governance should appear as a central part of any organization's strategic
management.
The basis of risk governance is thorough risk assessment, sound decision making, strict and consistent
implementation of appropriate risk mitigation measures, monitoring, and reviewing. Chemical risk management
should be founded on risk assessment.8
As stated in the International Risk Governance Council (IRGC) Risk Governance Framework,9 risk assessment is
preceded by a pre-assessment step to provide a structured definition of the problem and identify how it may best
be handled. This pre-assessment defines a variety of issues, at a strategic level, without omitting any of the riskrelated factors that could have a significant impact on the activities. Pre-assessment includes "risk framing" to
ensure a common understanding of the risk issues by all stakeholders, followed by “risk appraisal,” which includes
technical risk assessment as well as a concern assessment to identify the perception of the stakeholders as well as
possible sociological, economic, and political consequences and implications. Results of the risk appraisal are then
judged regarding risk tolerability and acceptability, which corresponds to risk evaluation according to the ISO
terminology.10 Decisions are made on the risk management basis, they are implemented implementation of the
risk management approach is then carried out accordingly. Communication is a major component of the whole
process.
As part of the larger goal of strengthening chemical security risk management, the IRGC Risk-Governance
framework offers an important structure for understanding that societies have different organizational capabilities
for assessing and mitigating chemical risks as well as different societal notions of what chemical risks embody.
DISCUSSION ON RISK ACCEPTANCE
This methodology provides a structured method of categorizing the risk; however, this methodology does not
evaluate the absolute level of risk. Unless the risk is eliminated, there will always be some level of risk.
7
White paper on Risk Governance, The International Risk Governance Council, 2006 http://www.irgc.org/The-IRGC-riskgovernance-framework,82.html.
8Terms used in relation to risk assessment are based on those of draft ISO Guide 73, "Risk management - Vocabulary", 2009
(http://www.npc-se.co.th/pdf/iso31000/ISO_DGuide_73_(B).pdf).
9 http://www.irgc.org/IMG/pdf/IRGC_WP_No_1_Risk_Governance__reprinted_version_.pdf.
10 http://www.npc-se.co.th/pdf/iso31000/ISO_DGuide_73_(B).pdf.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
8
Determining whether the risk is acceptable, controllable, or unacceptable is part of the risk management decision.
Several factors can influence risk acceptance, such considerations of the level of available resources to mitigate or
control the risks, the regulatory requirements overseeing the risk, the value of work to the community or to
industry, and the public’s general perception regarding the risk.
The public perception of risk is often a driving factor in setting the priorities and the agendas of regulatory bodies.
The IRGC recommends considering the public concerns as a separate analysis from the technical risk assessment.
Technical experts try to assess risks based on well characterized factors, and to be objective and rational. The
public perception of risk is often based upon hypothetical notions and emotions. 11 The emphasis of this
methodology is on the technical assessment and characterization of the risks.
However, the risks associated with public perception should not be ignored. There are some key factors that can
be used for evaluation of public perception. Decision Research studies conducted in 1978 compared perceptions
of risks of 30 activities and technologies, and the studies conducted in 1984 on the same data refined the factors
based upon the interrelationships. Two parent factors, dread and the unknown, were defined in the 1984 study.
The sub-factors for dread include:




What is the public’s trust that the situation can be controlled?
What is the national or global impact?
What is the risk to future generations?
What is the ability to mitigate the consequences, and did the impacted individual(s) voluntarily engage in
the activity?
The sub-factors that define the unknown include:




Is the event observable?
Is there a delayed effect from the event
Has this event occurred previously?
What is the level of understanding of the event prior to the occurrence?
RISK ASSESSMENT PROCESS SPECIFICALLY USED IN CHEM-SAM
The Chem-SAM model consists of three components: scoring of attributes used to define the chemical properties
or used to define the in-place chemical security measures, the weighting of each attribute, and defining an
algorithm for combining the attribute scores with their weights to produce an overall relative risk score.
Chem-SAM captures scores for the attributes of the chemicals and the level of in-place chemical security
management measures by using linguistic definitions that correlate to predefined absolute scales ranging from
zero to four. The linguistic definitions are designed to capture expert judgment based upon the defined chemical
security paradigm. The scales have been designed to be linear; that is, the linguistic definitions moving from zero
to four are phrased to represent equal steps between scores of zero to one, one to two, two to three, etc. This
allows users to be more specific in “scoring” chemicals or chemical security measures by allowing the use of any
11
Paul Slovic, Public Perception of Risk, Journal of Environmental Health Volume 59, Issue 9, 1997.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
9
numeric value between zero and four. The linguistic definitions and predefined scales were defined by security
and chemical threat experts.
The relative weights for each attribute were defined by chemistry, chemical engineering, safety, security, and risk
assessment subject matter experts. The weights and defined attributes are unique to each of the four risks being
assessed.
The scores and weights are combined using a standard additive value model except where the attributes are
interdependent:
𝑛
𝐴= ∑
𝑎𝑖𝑗, 𝑤𝑗
𝑗=1
The likelihood of targeting a specific chemical and the likelihood for successful theft of that specific chemical are
not independent attributes and, as a result, these two factors are combined using a geometrical value model:
𝑛
𝐴 = ∏ 𝐴𝑖𝑗, 𝑤𝑗
𝑗=1
CONCLUSIONS
Chem-SAM is designed to provide a systematic prioritization of chemical security risks. Chemical security risks are
based upon the potential for an adversary to use a chemical acquired from a facility with malicious intent. The
Chem-SAM model is focused on theft of chemicals and sabotage of a chemical process within a facility causing a
release of chemicals.
A systematic process will allow for reassessment of the risks of a facility or laboratory, which can be comparable
and can be used to determine performance metrics. The process is also valuable in making strategic mitigation
and management decisions that reduce the risk, as well as for communicating the risk internally and externally.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
10
APPENDIX A – EXAMPLE DESIGN BASIS THREAT FOR CHEMICAL FACILITIES
A Design Basis Threat (DBT) is a set of security scenarios derived from baseline threat categories and facility assets.
The DBT sets the boundary conditions for the threat and risk assessment and is a tool used by management to
determine the design and evaluation of risk mitigation measures. It provides a reasonable assessment of the
possible intentions, motivations, and physical capabilities of adversaries against which the system must be
designed. Because it is not possible to predict the future with certitude, the DBT does not identify what threat is
imminent or what threat will arrive at the facility at any specific time. If credible information regarding an
imminent threat is obtained, compensatory measures can and should be implemented immediately.
PURPOSE
The purpose of this DBT policy is to:
o
o
o
o
Define the assets to be protected,
Define the threats to protect those assets against,
Establish the objectives of the risk mitigation systems, and
Provide for the basis of evaluation of the implemented systems.
This statement sets as policy the scenarios that should be used for assessing the risks and implementing the
appropriate risk mitigation measures. This policy also defines the scope of system evaluation. These scenarios
consist of the defined facility assets and the spectrum of threats against which those assets should be protected. A
site-specific risk assessment should be used to evaluate the relative probability and consequences of the scenarios
articulated in this DBT, the assessment results should be used to prioritize the scenarios from a risk perspective,
enabling the institutions or facilities to determine acceptable and unacceptable risks and identify the security
resources required to implement the necessary protection strategies. A graded approach to implementation of the
protection strategies will be applied based on the degree of risk associated with the defined scenarios.
ASSETS
Chemical assets are categorized as:



Priority chemical weapon precursors
Priority precursors to precursors
Other toxic/flammable/reactive/corrosive chemicals
Information assets are categorized as:





Material management (Inventory data)
Personnel information
Unique facility operating information (e.g., blueprints, security documentation)
Process systems information (e.g., information that might lead to sabotage of a process with a
catastrophic result)
Handling and operating procedures involving target materials
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
11
THREATS
It should be understood that the types of individual or groups included in the threat spectrum represent the scope
of possible adversaries to be considered but does not reflect any specific threat information.
INSIDERS
This DBT Policy divides the potential inside adversary into two types of insiders (employees and visitors), each with
varying levels of access to the assets. Visitors may include working visitors (e.g., short-term researchers),
individuals attending training courses, meeting attendees, maintenance personnel, etc.
The insider adversary acts alone and will wait for an opportune time to commit a malicious act with the goal of
covert theft or sabotage. The employee would be expected to abort any theft or sabotage attempt to avoid being
caught and is non-violent (violence is not necessary to achieve the desired outcomes). Authorized access gives this
individual systems knowledge that can be used to his/her advantage in conducting the malicious act; the level of
knowledge about the facility and its operating systems is assumed to correlate with the level of authorized access.
The intent of this malevolent insider is to steal or destroy an asset without detection. His/her motivation might
be disgruntlement, expression of a grievance, coercion, or psychological imbalance. This person could also have
the same motivations as an outside adversary (terrorist, extremist, or criminal).
Specific classes of insider possible adversaries:


Employee with
o Full access to the asset
o Building access
o Site access
Visitor with
o Full access to the asset
o Building access
o Site access
OUTSIDERS
This DBT document sets as policy the classes of outside adversaries.
The single terrorist outsider adversary is assumed to act alone, by definition. This adversary is not externally
funded, but may be well equipped, trained, and able to rehearse. Systems knowledge will be limited to publicly
available information plus anything that can be gathered through site surveillance activities. This individual’s
motivation is to acquire an asset for use in committing a terrorist act; they do not need the theft to be covert.
A terrorist group is an adversary who is assumed to be motivated to conduct terrorism using a chemical weapon or
toxic chemicals, and who is focused on covertly acquiring chemical material for use in a later attack. This adversary
may be skilled and funded, but has indirect information about the facility, that is, they do not have specific inside
knowledge.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
12
The criminal outsider is motivated by financial gain. This adversary is assumed to be either a single individual or a
criminal group who may use weapons and hand tools. The criminal’s tactics include theft for financial gain or
damage/destruction against a competitor. Their knowledge about the institution is limited to publicly available
information.
An activist is an adversary motivated to damage the facility or disrupt activities as a form of personal or political
protest. This type of adversary would include animal rights activists, environmental protection activists, etc.
Specific classes of outsider possible adversaries are:
o
o
o
o
Single terrorist
Terrorist group
Criminal outsider
Activists
SCENARIOS WITH CHEMICAL ASSETS
Three categories of scenarios are outlined below based on the types of chemical assets sought by adversaries. In
each scenario, the types of adversaries are listed followed by scenarios outlining the defined threats for attacks
against the defined assets of concern. The relative probability and consequences of each of these scenarios is
assessed through the site-specific risk assessment.
ASSETS: PRIORITY CHEMICAL WEAPON PRECURSORS OR PRECURSORS-TO-PRECURSORS
Adversaries:



Insiders
o Employee
 Full access to the asset
 Building access
 Site access
o Visitor
 Full access to the asset
 Building access
 Site access
Outsiders
o Single Terrorist
o Terrorist Group
o Criminal Outsider
An insider(s) working with an outsider(s)
Scenarios:

Adversary covertly steals chemicals to later produce a chemical weapon for use in a malicious act of
terrorism.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
13


Adversary overtly steals chemicals to later produce a chemical weapon for use in a malicious act of
terrorism.
Adversary sabotages facility and releases priority precursors or precursors-to-precursors that are toxic or
reactive in a malicious act.
ASSETS: TOXIC/FLAMMABLE/REACTIVE/CORROSIVE CHEMICALS
Adversaries:



Insiders
o Employee
 Full access to the asset
 Building access
 Site access
o Visitor
 Full access to the asset
 Building access
 Site access
Outsiders
o Single terrorist
o Terrorist group
o Criminal Outsider
o Activists
An Insider(s) working with an outsider(s)
Scenarios:


Adversary sabotages facility and releases toxic/reactive industrial chemicals in a malicious act.
Adversary steals toxic/reactive chemicals for use in a malicious act.
SCENARIOS WITH INFORMATION ASSETS
Adversaries:

Insiders
o Employee
 Full access to the asset
 Building access
 Site access
o Visitor
 Full access to the asset
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
14




Building access
Site access
Outsiders
o Single Terrorist
o Terrorist Group
o Criminal Outsider
o Activists
An Insider(s) working with an outsider(s)
Scenarios:


Adversary covertly steals operations-specific information to facilitate a later attack.
Adversary steals information for unknown reasons.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
15
APPENDIX B – ATTRIBUTES AND ATTRIBUTE WEIGHTS FOR EACH SCENARIO
DEFINING THE CHEMICAL ASSETS BASED UPON POTENTIAL FOR TARGETING OF A
CHEMICAL FOR THEFT AND CONSEQUENCES OF RELEASE
Attribute Weights for Measuring the Likelihood
of Targeting a Chemical for Theft
Quantity or
volume of the
chemical present
20%
Harmful chemical
50%
Form of the
Chemical
30%
Figure 2: Weights Based upon SME Consensus
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
16
Hazardous
Decomposition
8%
Attribute Weights for Measuring the
Consequence of a Chemical Release
Toxic via inhalation
18%
Volume
20%
Toxic via Ingestion
3%
Toxic via Contact
with Skin, Eyes or
Other Mucus
Membranes
8%
Persistent in Soil
5%
Lethal
Persistent in Water
3%
Acute
Disease
Chemical Weapon
4%
Chronic Disease
5%
18%
10%
Figure 3: Weights Based upon SME Consensus
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
17
Attribute weights for measuring the availability of
consequence mitigation measures
Area
decontamination
10%
National Level police
response
17%
Environmental testing
15%
Public Health Care
System
32%
Treatment
13%
Person
Decontamination
8%
Diagnosis
5%
Figure 4: Weights based upon SME consensus
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
18
DEFINING THE EFFECTIVENESS OF IN-PLACE SECURITY MEASURES ON REDUCING THE
POTENTIAL FOR SUCCESSFUL THEFT
Attribute weights for measuring the effectives of inplace security measures based upon theft by an
unauthorized individual
Chemical Disposal (or
sales when
appropriate)
4%
Personnel
Reliability
0%
Chemical Receiving
Material Control and
4%
Accountability
6%
Program
Management
11%
Information security
10%
Physical Security of
chemicals while at the
facility
65%
Figure 5: Weights based upon SME consensus
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P
19
Attribute weights for measuring the effectives of inplace security measures based upon theft by an
authorized individual
Chemical Disposal (or
sales when
appropriate)
1%
Information
security
1%
Program Management
11%
Chemical
Receiving
7%
Material Control and
Accountability
20%
Personnel Reliability
48%
Physical Security of
chemicals while at the
facility
12%
Figure 6: Weights based on SME consensus
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of
Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. SAND Number: 2012-9439P