Security Vulnerability Assessment Tool

Prepared by the IMPROVE consortium – August 2010

Improve knowledge of effective critical infrastructure protection

With the support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme
European Commission – Directorate-General Home Affairs

This project has been funded with the support from the European Commission. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

This document contains sensitive information and is intended solely for the use and information of the organisation having obtained authorisation. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written permission of the authors.

116102555 Page 2 Improve knowledge of effective critical infrastructure protection

MAIN AUTHORS OF THE DOCUMENT:
Cefic – European Chemical Industry Council: Filip Jonckheere
EU.select: Jim Castle, Pierre-Michael Gröning and Mike Zeegers
NAVI – Dutch National Advisory Centre for the Critical Infrastructure: Arno Bilderbeek and Marcel Spit
INERIS – French National Institute for Industrial and Environmental Risk: Samantha Lim

WITH CONTRIBUTION FROM:
JRC – Joint Research Centre
FOI – Swedish Defence Research Agency
Regional Government of Styria
Technical University of Ostrava

IMPROVE consortium – August 2010

All documents, including the set of accompanying spreadsheets, are available as electronic versions after registration at Cefic. For more information on the accessibility and the content please contact Filip Jonckheere (FJO@cefic.be).
TABLE OF CONTENT

0 Introduction and Overview ........ 7
0.1 Scope of the Security Vulnerability Assessment (SVA) ........ 7
0.2 Cost Benefit Analysis of the SVA ........ 9
0.3 How and where to obtain the necessary expertise to complete the SVA ........ 10
0.4 A brief management overview of the SVA process ........ 11
0.5 The strategic and business benefits of completing the SVA and implementing regular review of SVAs ........ 12
0.6 Justification of the selection of the CCPS methodology (versus RAMCAP and EURAM) ........ 13
1 Step 1 Project Plan for the SVA ........ 22
1.1 Clarify the Objectives of a Security Vulnerability Assessment ........ 22
1.2 Define the scope of the SVA ........ 23
1.3 Define the context of the SVA and familiarise with appropriate regulations ........ 23
1.4 Selection of the SVA team ........ 23
2 Step 2 Facility Characterisation ........ 26
2.1 Facility Description ........ 26
2.2 General security policy of the site ........ 28
2.3 Existing countermeasures ........ 29
2.4 Determination of the site attractiveness ........ 30
3 Step 3 Assets Analysis ........ 34
3.1 Identification of the principal assets ........ 34
3.2 Classification of attractiveness ........ 37
3.3 Determination of the Asset Impact ........ 40
3.4 Risk Profile of the Principal Assets ........ 43
4 Step 4 Threat Analysis ........ 45
4.1 Identification of Adversaries and Their Methods of Attack ........ 45
4.2 Ranking the Threats ........ 47
5 Step 5 Security Vulnerability Assessment (SVA) ........ 50
5.1 Creation of the Threat Scenarios ........ 50
5.2 Risk Matrix: Severity & Likelihood of a Threat Scenario ........ 54
5.3 Vulnerability Analysis ........ 55
6 Step 6 Identification of Additional Security Countermeasures ........ 59
6.1 Analysis of additional permanent countermeasures ........ 60
6.2 Prioritisation of the Proposed Additional Security Countermeasures ........ 64
6.3 Enhanced countermeasures ........ 65
7 Overview of the SVA methodology ........ 66
8 Appendix 1 Links between the SEVESO DIRECTIVE requirements and the SVA ........ 69
9 Appendix 2 Protection Strategies for Site Security Management ........ 73
10 Appendix 3 Threat Catalogue ........ 77
11 Appendix 4 Glossary, References and Bibliography ........ 83
12 Appendix 5 Worked Example ........ 85
12.1 Introduction ........ 85
12.2 Step 1 and 2 ........ 85
12.3 Step 3 Assets Analysis ........ 86
12.4 Step 4 Threat Analysis ........ 93
12.5 Step 5 Security Vulnerability Assessment (SVA) ........ 95
13 Appendix 6 The Operator Security Plan ........ 100
13.1 Introduction ........ 100
13.1.1 Objectives of this Annex ........ 100
13.1.2 Operator Security Plan ........ 100
13.1.3 Why a Security Plan? ........ 100
13.1.4 Effectiveness ........ 100
13.2 Best Practices ........ 101
13.2.1 Process ........ 101
13.2.2 Selection of security measures ........ 102
13.2.3 Implementation and maintenance ........ 102
13.3 OSP Contents and structure ........ 103
13.3.1 Introduction ........ 104
13.3.2 Security Program ........ 104
13.3.3 Operational Policies and Procedures ........ 104
13.3.4 Physical Security Measures ........ 105
13.3.5 Personnel Security Measures ........ 105

0 Introduction and Overview

0.1 Scope of the Security Vulnerability Assessment (SVA)

Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73). Risk management protects and adds value to the organisation and its stakeholders through supporting the organisation's objectives by:
- providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner
- improving decision making, planning and prioritisation by a comprehensive and structured understanding of business activity, volatility and project opportunity/threat
- contributing to more efficient use/allocation of capital and resource within the organisation
- reducing volatility in the non-essential areas of the business
- protecting and enhancing assets and company image
- developing and supporting people and the organisation's knowledge base
- optimising operational efficiency

The methodology described in this toolkit is adapted to the European context, based on the good practice identified in the 'Secure Site' project, so that it can be used broadly by SEVESO sites. It also draws on the good practice identified by CCPS, and we wish to acknowledge the American Institute of Chemical Engineers. Section 0.6 provides a justification for the selection of the CCPS methodology, reviewing in particular the RAMCAP and EURAM methodologies. The Security Vulnerability Assessment Toolkit (SVA) of Industrial Sites seeks to identify those risks which may result in a catastrophic effect; it offers a methodology to modify the risk together with suggestions for controls which may mitigate or reduce the risks.
The final part of the SVA Toolkit develops a risk log which will record information on which risks the company chooses to mitigate and which to accept. Ultimately the only mitigation of the risk available may be through financial means, by accessing enhanced specialist insurance premiums, and even these may still leave some residual risk with the company; however, the SVA Toolkit will ensure that the full extent of these residual risks will have been identified. Undertaking this SVA may require additional expertise and this should be borne in mind when preparing the budget; these additional capital costs will, however significant, be considerably smaller than those required should a catastrophic event occur. The use of the SVA tool should form a useful part of the overall risk management of a company and therefore contribute to the more efficient use and allocation of capital within the organisation. Additionally, if an industrial company has several establishments with potential critical assets, it will need to prioritise sites in order to select the most critical infrastructures.

A risk assessment or analysis (RA) is an examination including risk assessment, risk evaluation, and risk management alternatives, performed to understand the nature of unwanted, negative consequences to human life, health, property, or the environment; an analytical process to provide information regarding undesirable events; the process of quantification of the probabilities and expected consequences for identified risks.

A security vulnerability assessment (SVA) is an analysis to identify security hazards, threats, and vulnerabilities facing a facility, and to evaluate the countermeasures to ensure the protection of the public, workers, national interests, the environment, and the company.
An RA may have a greater emphasis on prioritising risks by likelihood and consequences, handling the highest risks and accepting lower risks, whereas the emphasis of an SVA may be more on finding additional countermeasures to address the vulnerabilities of a facility.

Concerned industries

The security study should be performed by any industrial site designated as a critical infrastructure at the regional, national or European level by competent authorities. To be designated as a critical infrastructure, a preliminary screening shall have been performed by the authorities or by a corporate [1] (depending on the national regulations and practices). The CI Directive [2] defined a list of ECI sectors in its Annex I, which are those assets, systems or parts thereof located in EU member states which are essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people (currently only the energy and transport sectors), and the disruption or destruction of which would have a significant impact on at least two EU member states [3]. Thus, concerned critical infrastructures can be industrial sites subject to the SEVESO II Directive, which covers all those facilities where dangerous substances (toxic, flammable, explosive or pollutant) are present in quantities equal to or in excess of certain thresholds (see Art. 2 and Annex I to the SEVESO II Directive). The SEVESO II Directive requirements, and particularly the Safety Report for SEVESO upper-tier sites, could help in the SVA study. Annex 1 describes links between the SEVESO II Directive and the SVA requirements for the European Critical Infrastructures (ECI).

[1] If a corporate has to identify its critical infrastructures, the "Enterprise Level Screening Process" (ELSP) described in the CCPS SVA Guidelines can be performed.
[2] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, in OJ L Nr. 345/75 of 23.12.2009
[3] Cf. Art 2 (b) ECI Directive

Intentional acts under consideration for a security study

Intentional acts should include the internal as well as the external threats, from malevolent to terrorist attacks. The Operator, i.e. the company that owns or operates the site, should define the limits of the threat events under consideration in a security study. Nevertheless, this report will focus on the threats which would have severe or catastrophic impacts on population, environment or economy. For this reason, the types of act under consideration will be:
- loss of containment of hazardous substances on the site,
- contamination or spoilage of plant products to cause worker or public harm on or off site,
- degradation of assets or infrastructures, or of the value of the infrastructure, through destructive acts.

The threat of chemical theft or chemical misuse with the intent to use it or transform it in order to cause harm off site will not be taken into account in this report, except if it results in catastrophic events on site. Therefore 'supply chain security' issues are outside the scope of this methodology. Indeed, this method is intended to address highly critical security events with severe direct effects on the site and the public, while robbery or misuse would generally generate indirect effects on the public.

As there is an increased financial burden in carrying out the SVA, section 0.2 provides some hints and guidance as to how to develop the Cost Benefit Analysis to justify carrying out the SVA, and section 0.3 provides guidance on where to obtain the necessary additional expertise to complete the SVA.
Section 0.4 gives a management overview of the SVA and section 0.5 outlines the strategic and business benefits attained from the completion and regular review of the SVA.

0.2 Cost Benefit Analysis of the SVA

Security Vulnerability Assessments are now seen as crucial to effective Security Risk Management by most industry associations and stakeholders. This, coupled with the increasing focus by government and other bodies on the perceived terrorist threat to Critical Infrastructure (CI) and a drive to enhance the protection of key industries, means that threat and vulnerability assessments (TVA or SVA) are now both expected as part of good practice risk management. Although they are not yet a matter of regulation they are accepted as Best Practice and therefore make eminently good business sense.

The use and practice of SVAs is not new, but they are now used more as there is an increasing focus on a formalised and auditable process. There is as yet no prescriptive process, and a number of methodologies exist and are in use; many have a common approach. Indeed, the absence of a formal Security Management System which includes a formal risk assessment (TVA/SVA) may be viewed as indicative of a lack of due diligence and effective risk management.

Alongside the benefits to be gained from completing and maintaining an SVA we must consider the cost. Supplementary spending will mainly arise from costs due to additional staffing for the duration of the assessment and the additional specialist security support that will be required. This additional specialist support may be available from within the company, depending on the size of the company, or possibly from relevant government agencies; if, however, it is not available from these sources then the company should seek external support.
0.3 How and where to obtain the necessary expertise to complete the SVA

The SVA team, who will conduct this study, should be multidisciplinary and gather several skills from outside the organisation, such as:
- knowledge and expertise on man-made threats such as terrorism, cyber crime and organised crime,
- qualified security expertise (on security vulnerability and security risk analysis, security management systems, knowledge of terrorist groups and their methods of attack, etc.),
- experience with procedures of first responders and government agencies,
- knowledge of safety and security related legislation/regulations, etc. applicable to the site.

In-depth security knowledge and experience may be required to facilitate the SVA process. Specific expertise may be required. For instance, the team may need a weapons effects expert (such as blast and ballistics) to answer specific questions regarding the vulnerability of a specific asset or component.

By qualified, this is understood to mean:
- will hold recognised and relevant qualifications
- references
- 10 years of experience in this field
- SVA-experienced (at least 7 SVA studies)
- preferably sector-experienced

In some EU member states there is the possibility that the SVA team may be supported and complemented by officials of police departments, security services or other government bodies. Another option is to seek qualified security professionals from the security industry to assist in the SVA process.
0.4 A brief management overview of the SVA process

Figure 1 Process flowchart of the SVA toolkit across the 6 Steps

0.5 The strategic and business benefits of completing the SVA and implementing regular review of SVAs

By completing the SVA and then implementing regular reviews, the organisation will be best prepared for any incidents that may happen and will have had time both to implement appropriate countermeasures and to put in place incident management plans. Specific benefits arising from these include:
- understanding the vulnerabilities and their potential impact on the wider objectives of the business
- meeting best practice guidelines
- understanding the vulnerabilities in order to assist in the selection of treatment options
- comparing the vulnerabilities and the risk in alternate systems or technologies
- assisting with establishing priorities

The overall business benefit of implementing regular reviews is that the organisation has clear and up-to-date information on its vulnerabilities and the subsequent risk that it chooses to carry, mitigate or insure against.

Protection of Data

There may be a requirement to treat the contents of the SVA as Security Sensitive Information, which requires it to be protected in line with Government and/or company security policies.

0.6 Justification for the selection of the CCPS Methodology

An in-depth review of available Security Risk Assessment methodologies was conducted in 2007 as part of the SECURE-SITE research project.
The task of selecting an appropriate security assessment methodology for the European Chemical Sector was specifically addressed in SECURE-SITE Work Package 3 (WP3), entitled 'Selection of a Security Risk Assessment Methodology', and further applied in SECURE-SITE Work Packages 4 and 5. SECURE-SITE WP3 recommended the selection of the American Institute of Chemical Engineers (AIChE) Center for Chemical Process Safety (CCPS) Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites [4], which lays down a detailed 'Security Vulnerability Assessment – SVA' methodology. It also recommended that this methodology should be amended to take the European 'landscape' into account and specifically consider the benefits of the SEVESO II regulations and the substantial associated safety documentation and information which would be available to an EU-based security risk assessment, and which would substantially influence the inputs and mechanism of the SVA.

Work Package 6 (WP6) reiterated these findings by recommending the use of the CCPS SVA methodology, stating that the CCPS methodology was already in use in the chemical sector and that the outcome of using this methodology was clear, understandable and defendable, but again would require adaptation for use in European Seveso-type (chemical) industries. Although fully recommending the use of the CCPS methodology, in its recommendations for the IMPROVE project SECURE-SITE WP6 [5] states that: 'Moreover, the security assessment methodology needs to be refined by improving and adapting CCPS SVA or RAMCAP [6] to current European considerations and developments (e.g. EURAM)' [7]. The single mention of RAMCAP in the WP6 recommendations creates a requirement to reconsider the use of the RAMCAP SVA methodology, whereas, due to the timing of the outcome of the EURAM project, the latter requires evaluation for utility in the IMPROVE project.
The purpose of this section therefore is to:
- review the use of the RAMCAP SVA methodology, and
- evaluate the EURAM project risk assessment methodology,
in order to assess their utility as an SVA methodology for European SEVESO-type (chemical) sites.

[4] CCPS 2003
[5] SECURE-SITE WP6 Final Report, November 2007 (p 28).
[6] RAMCAP – Risk Analysis and Management for Critical Asset Protection.
[7] EURAM – The European Risk Assessment Methodology. A research programme which was running concurrently to SECURE-SITE and published at around the same period.

A. Review of RAMCAP Methodology

RAMCAP (Risk Analysis and Management for Critical Asset Protection) was introduced in 2005 and launched in 2006 in the US to provide a framework for analyzing and managing the risks associated with terrorist attacks against critical infrastructure assets. The work was commissioned by the US Department of Homeland Security (DHS) and conducted by the American Society of Mechanical Engineers – Innovative Technologies Institute (ASME-ITI) LLC [8]. The 80-page methodology is publicly available from the ASME-ITI website [9]. The stated aims of RAMCAP were as follows:
- To define a common framework that could be used by owners and operators of critical infrastructure to assess the consequences and vulnerabilities relating to terrorist attacks on their assets and systems.
- To provide guidance on methods that could be used to assess and evaluate risk through the use of the RAMCAP common framework.
- To provide an efficient and consistent mechanism which could be applied to diverse elements across both private and governmental sectors to report essential risk information to the US DHS. This input was at the time deemed essential to the execution of DHS responsibilities.
One of the principal aims of RAMCAP was to provide a pan-sector assessment of vulnerabilities and possible impacts in order both to populate the DHS National Asset Database (NADB) and to allow for resource allocation and prioritisation of effort at the strategic level. It was also intended that the generic RAMCAP methodology would be reinforced by sector-specific guidance documents in due course.

A.1 Subsequent US Developments

It is important to note that since the inception of RAMCAP, the U.S. Department of Homeland Security has invoked the US Chemical Facilities Anti-Terrorism Standards (CFATS), legislation which imposes comprehensive federal security regulations for high-risk chemical facilities. As part of the Homeland Security Appropriations Act of 2007, Congress directed DHS to identify and regulate "high risk" chemical facilities. Following this, the DHS promulgated new regulations in the form of the Chemical Facilities Anti-Terrorism Standards (CFATS), Interim Final Rule, on 8 June 2007.

[8] A not-for-profit company which acts as a research arm of ASME. http://www.asme-iti.org/
[9] http://www.asme-iti.org/RAMCAP/RAMCAP_Framework_2.cfm

CFATS requires any facility that handles hazardous chemicals above a certain threshold to conduct an initial 'Top Screening' risk assessment exercise to enable DHS to apply one of four tiers. Thereafter, these facilities will be required to:
- conduct and submit a Security Vulnerability Assessment (SVA), to be submitted on-line, and thereafter
- produce and have DHS ratify their Facility Site Security Plan (SSP).

The CFATS legislation establishes 'Risk-Based Performance Standards' for the security of chemical facilities. These were ratified in late 2008 and now form the core of US chemical facility protection efforts.
Facilities are now required to apply these Risk-Based Performance Standards (RBPS) with layered security measures and demonstrate how they intend to meet these requirements within their Site Security Plan (SSP). There are 19 categories of security performance standards, which are increasingly demanding as one moves from the lowest, Tier 4, to the highest, Tier 1. Congress has also specifically mandated, however, that the DHS cannot specify particular security measures, such as fence types and heights, and therefore should aim to adopt a collaborative approach.

It is therefore assumed, from a DHS perspective, that RAMCAP has been superseded by CFATS as the sector-specific vehicle for institutionalising security within the US Chemical sector, as has, to an extent, the American Institute of Chemical Engineers (AIChE) CCPS methodology. However, CFATS allows lower priority (Tier 4 on a scale of 4) categories of chemical facilities, in specified circumstances, to submit Alternate Security Programs in lieu of a Security Vulnerability Assessment, Site Security Plan, or both. The CCPS methodology qualifies as an approved alternative whereas it appears RAMCAP does not.

A.2 RAMCAP Methodology

RAMCAP uses a 7-step approach and requires input from both owner/operators and government agencies. The seven steps are shown in Figure 1. This process is broadly consistent with other appropriate security risk assessment methodologies. The stages, such as asset characterisation, consequence and vulnerability analysis, and risk assessment and management, use broadly similar criteria to the CCPS methodology and the American Petroleum Institute's (API) publication 'Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries' [10]. It quotes both the CCPS and API methodologies in its list of references and appears to have drawn on the CCPS and API approach.
It therefore does not appear to provide any additional approach or criteria which could be utilised in the IMPROVE project. The methodology is relatively straightforward to follow. However, it was designed primarily to conduct a 'screening' exercise in order to rank facilities both within a sector and across sectors, and clearly states that it requires further detailed sector-specific guidelines in order to achieve the level of detail required. To quote the introduction to the RAMCAP Framework document: 'the RAMCAP methodology is not a step-by-step guideline for conducting vulnerability assessments in specific industry sectors. Rather RAMCAP is a high-level methodology that can be tailored to various sectors, thereby providing a mechanism for comparing risk within a sector and between different sectors... is not intended to be the most comprehensive and detailed risk assessment methodology in the public or private sectors... and actually avoids .... detail, precision and cost in order to quickly and efficiently fill the National Asset Database...'

[10] http://www.api.org/policy/otherissues/upload/SVA_E2.pdf

Much of this detail would have to be drawn from elsewhere, which has mostly already been reviewed, and it is therefore assessed that the RAMCAP methodology and content would be of limited value to the project. In addition, the RAMCAP methodology specifically requires the detailed involvement of the authorities in the process, which, although very desirable, has not been mandated for the IMPROVE guidelines. It is again reiterated that the principal recipients of the RAMCAP results are evidently the authorities (to conduct cross-sector assessments on priorities for action) and not the site owners/operators.
Figure 1: RAMCAP Process (PROCESS STEP / CONSIDERATIONS)

Step 1 Asset Characterisation and Screening:
- Asset identification.
- Assessment of potential severity of consequences.
- Consequence-based screening.
- Target determination.

Step 2 Threat Characterisation:
- Adversary characterization: capabilities; tactics; weapons.
- Threat characterization provided separately by authorities.
- Owner/Operator may choose lesser threats for own purposes.

Step 3 Consequence Analysis:
- Potential damage assessment for each threat.
- Worst reasonable case consequences.

Step 4 Vulnerability Analysis:
- Identify vulnerabilities leading to worst reasonable consequences.
- Assessment of likelihood of adversary success in achieving worst reasonable consequences.
- Evaluate existing countermeasures and mitigation capability.

Step 5 Threat Assessment:
- Asset attractiveness and deterrence (asset owner).
- Adversary capability and intent determination (authorities).
- Threat (relative likelihood of attack) as a function of attractiveness and adversary capability and intent (authorities).

Step 6 Risk Assessment:
- Consequence from Step 3.
- Vulnerability from Step 4.
- Threat from Step 5.
- Risk = C * V * T

Step 7 Risk Management:
- Consider risk goals and determine need for recommendations.
- Determine recommendations.
- Evaluate options and decide on enhancements.

A.3 Recommendation on the use of RAMCAP

It is therefore recommended that the use of the RAMCAP methodology, for the purposes of Project IMPROVE, be discounted.

B. Review of EURAM Methodology

B.1 General presentation of the risk assessment methodology

The European Risk Assessment Methodology (EURAM) project's aim is to develop a risk assessment methodology for assessing security that could be used by all European Critical Infrastructure sectors, whatever their activity, and at a higher level above the single infrastructure itself.
Indeed, it will allow a comparative risk assessment across an entire sector of activity, a region or a country. The development of the methodology is based on an inventory of good practices found in various risk assessment models. The methodology is described in the EURAM project deliverable "Development of an EU-common risk assessment methodology". It aims at using the same methodology to assess risks in the different aspects of security (organisation, human security, physical security, information and communication security) in the same way, and consists of seven steps. To help the operator determine the threats, the EURAM methodology suggests a list of critical infrastructure sectors and specifies for each of them the products or sub-sectors that can be preferential targets. This list includes energy, the nuclear industry, information and communication technologies, water, food, health, the financial sector, transport, the chemical industry, space and research facilities. Using this list of critical sectors, the EURAM methodology suggests deriving a list of threats from the taxonomy developed by the EU IST Vital Infrastructures Threats and Assurance (VITA) project, rather than identifying threats specific to each sector. The VITA threat taxonomy is built as trees whose root distinguishes natural causes from direct and indirect human activities. The branches are dedicated to seven types of relevant threats: earth and soil, air, all types of water, space, natural radiation and electromagnetic threats, naturally occurring fires, and biological threats. Each branch is then broken down to explore all the aspects, in particular environmental threats, economic and political threats, technical threats and threats due to human failure.
The EURAM methodology is designed to be applied not only at the scale of single facilities but also at a higher level: a sector, a region (taking into account all the industrial sectors of the region), a country, etc. It harmonises critical infrastructure results at a national level or for an entire sector so that risks can be compared. As such, it requires the development of adapted probability and severity scales and a systemic approach to the risk assessment. As the destruction or disruption of some key services or infrastructures may lead to the loss of other critical functions (supply chain, health, safety, economic and social aspects), the EURAM methodology recommends completing the classical steps of the risk analysis with a transversal interdependency analysis. This interdependency analysis avoids problems of interoperability and cost-inefficiency between critical infrastructures (CI), especially at a European level.

Figure 2: EURAM Risk assessment methodology process

PROCESS STEP / CONSIDERATIONS

1. Constitution of the risk assessment team
   - Skills in technical knowledge, in information and communication management, and in the organisational and human aspects of the company.
   - Definition of a leader.
   - An external control is recommended.
2. Definition of the scope of the risk assessment
   - Identification of processes and of utilities.
   - Determination of organisational and human limits.
3. Definition of the scales for risk evaluation
   - Risk = probability P x severity S.
   - Ranking scales on a 1 to 5 range.
   - Probability and severity scales uniformly applied across all the sectors.
   - Use of feedback (experience) and of the likelihood of an accident.
   - Probability P: qualitative definition of each rank based on the feasibility of the attack, the attractiveness of the target, the protection level of the target and the skills, resources and motivation of the attacker.
   - Severity S: scale based on the evaluation of the impact on: process, citizen security, image, citizen confidence, financial impact or other aspects.
4. Understand the assets in the scope
   - Identification of the critical infrastructures of a site as possible assets of an attack.
   - Identification of their weaknesses by analysing how they work (process), what they produce (products, services; what is critical?) and the operating organisation.
5. Understand the threats
   - Definition of threats by using: common threats; specific key issues of a given threat in each domain (organisation, human, technical aspects, etc.) of the infrastructure; a list of threats specific to critical infrastructure sectors, specified by the EURAM methodology.
6. Review security and identify vulnerabilities
   - Review of existing countermeasures.
   - Identification of vulnerabilities of the infrastructure (physical, organisational, human or information and communication technologies), taking into account existing countermeasures, threats and infrastructure assets.
7. Evaluation of risks
   - Definition of scenarios using the analysis of vulnerabilities.
   - Evaluation of probability and severity for each scenario.
   - "A scenario of incident associated to vulnerability is a threat exploiting this vulnerability to harm assets and more largely the infrastructure."

B.2 EURAM methodology: the interdependency analysis
Interdependency is when two infrastructures are directly or indirectly (via another infrastructure) mutually dependent on each other, because the state of one infrastructure is influenced by or correlated with the state of the other.
According to the literature, four types of dependency have been identified: physical dependency (electricity versus telecommunication equipment), cyber dependency (flight versus information about weather), geographical dependency (same duct for power and telecommunications cables and for pipelines), and logical dependency (petrol price and transportation traffic). The EURAM method suggests an interdependency analysis in three steps.

Figure 3: EURAM interdependency analysis process

PROCESS STEP / CONSIDERATIONS

1. Determination of the scope
   - Level of detail for the assets (between 10 and 20 assets).
   - Boundaries: the assets to analyse (those we want to protect) versus external infrastructures, treated as "outside influences".
   - Result: classification of the infrastructures (assets) for the study.
2. Gathering of information
   - Collect correct and relevant information from independent sources.
   - Structure the gathered information.
   - Result: overview of dependencies and implemented measures.
3. Processing of the gathered information
   - Dependency information put into a form suitable for the management process.
   - Result: analysis of the risks generated by interdependency.

The expected outcome from the information gathering step is an overview of:
- Item 1: dependencies between all the assets in scope and their associated type (cyber, physical, ...)
- Item 2: external dependencies for each asset
- Item 3: measures taken for all the identified (inter)dependencies
- Item 4: quality/level of service that the measures provide
- Item 5: how long the measures can function without external resources
- Item 6: internal and external dependencies of the measures after interruption of external resources
- Item 7: residual threats to external infrastructures
Items 1 to 3 are the common items; items 4 to 6 are often omitted (effectiveness of measures) and item 7 is almost never addressed (as the information sources are external).
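The dependency overview of the gathering step (items 1, 2, 3, 5 and 7) and two outputs of the processing step, the total cascading effect of one component failing and the risk of simultaneous failure through a shared external provider, can be worked through in code. The following is an added example and is not part of the IMPROVE or EURAM deliverables; the asset names, the dependency graph, the measures and their autonomy times are constructed for illustration.

```python
"""Cascading-dependency analysis over a constructed asset graph.

Added example, not part of the IMPROVE or EURAM deliverables. It models the
dependency overview of the information-gathering step (items 1, 2, 3, 5 and 7)
and two outputs of the processing step: the total cascading effect of one
component failing, and the risk of simultaneous failure through a shared
external provider. Asset names, dependencies, measures and autonomy times
below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# The four dependency types named in the interdependency analysis (item 1).
DEPENDENCY_TYPES = {"physical", "cyber", "geographical", "logical"}


@dataclass(frozen=True)
class Measure:
    """Implemented measure covering a dependency (item 3) and how long it can
    function without the external resource (item 5), e.g. a UPS."""
    name: str
    autonomy_hours: float


@dataclass(frozen=True)
class Dependency:
    dependent: str                    # in-scope asset that needs the provider
    provider: str                     # asset it needs (in scope or external)
    kind: str                         # one of DEPENDENCY_TYPES
    external: bool = False            # provider lies outside the scope (item 2)
    measure: Optional[Measure] = None

    def __post_init__(self) -> None:
        if self.kind not in DEPENDENCY_TYPES:
            raise ValueError(f"unknown dependency type: {self.kind!r}")

    def bridged(self, outage_hours: float) -> bool:
        """True when the measure keeps the dependent running for the whole outage."""
        return self.measure is not None and outage_hours <= self.measure.autonomy_hours


class DependencyModel:
    def __init__(self, deps: Iterable[Dependency]) -> None:
        self.deps: List[Dependency] = list(deps)

    def cascade(self, failed: str, outage_hours: float) -> Set[str]:
        """Total cascading effect: every asset lost when `failed` is unavailable
        for `outage_hours`. A dependency edge is followed unless a measure
        bridges the outage; edges from assets lost inside the cascade are
        followed under the same rule (simplification: one common outage time)."""
        lost = {failed}
        queue = deque([failed])
        while queue:
            provider = queue.popleft()
            for d in self.deps:
                if d.provider == provider and d.dependent not in lost and not d.bridged(outage_hours):
                    lost.add(d.dependent)
                    queue.append(d.dependent)
        return lost

    def shared_external_providers(self) -> Dict[str, Set[str]]:
        """Item 7 input: external providers on which more than one in-scope
        asset depends, so that one external failure hits them simultaneously."""
        by_provider: Dict[str, Set[str]] = {}
        for d in self.deps:
            if d.external:
                by_provider.setdefault(d.provider, set()).add(d.dependent)
        return {p: a for p, a in by_provider.items() if len(a) > 1}

    def time_to_loss(self, external_provider: str) -> Dict[str, float]:
        """Time scale for degradation (items 4 to 6): hours after the external
        provider fails until each directly dependent asset is lost; 0 when no
        measure covers the dependency."""
        return {d.dependent: (d.measure.autonomy_hours if d.measure else 0.0)
                for d in self.deps if d.provider == external_provider}


# Constructed site: two external providers (grid power, public telecom) and
# the in-scope assets of a hypothetical chemical plant.
SITE = DependencyModel([
    Dependency("control_room", "grid_power", "physical", external=True,
               measure=Measure("UPS and diesel generator", 8)),
    Dependency("firewater_pumps", "grid_power", "physical", external=True,
               measure=Measure("diesel-driven pump", 24)),
    Dependency("access_control", "grid_power", "physical", external=True,
               measure=Measure("battery backup", 4)),
    Dependency("cooling", "grid_power", "physical", external=True),
    Dependency("reactor", "cooling", "physical"),
    Dependency("scada", "control_room", "physical"),
    Dependency("scada", "telecom", "cyber", external=True),
    Dependency("loading_bay", "scada", "cyber"),
])
```

Running `SITE.cascade("grid_power", h)` for increasing `h` shows the degradation time scale directly: at two hours only the unprotected cooling and, through it, the reactor are lost; past four hours access control drops out; past eight hours the control room, SCADA and the loading bay follow; the fire-water pumps survive until the diesel pump's 24 hours are exhausted. `shared_external_providers()` reports grid power as the single external resource whose failure hits four in-scope assets at once, which is the item 7 question the text notes is almost never addressed.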
The processing step provides an overview of the:
- Total (cascading) effect of the failure of a component on the functioning of the infrastructure under consideration (analysis of items 1 to 3)
- Risk to external dependencies for functionality (analysis of items 1 to 3)
- Time scale for degradation and restoration (analysis of items 4 to 6)
- Risk of simultaneous failure through common vulnerabilities (based on item 7)

The assets identified in the risk assessment can be used as input for the dependency analysis, while the results from the dependency analysis can be used as input for risk management. A dependency analysis is difficult as it presupposes the exchange of sensitive information and the ability to perform the risk assessment on a common basis. Beyond sharing the same jargon and language and using uniform sources, it presupposes a willingness to divulge information and an ability to share information where there may be a conflict of interest. A complete transversal approach requires different areas of expertise in order to have an overview of the analysis, and common methods for the (inter)dependency between CI of the same sector and CI of different sectors or different countries, which CI stakeholders can use to define the European CIP priority areas and to share the sensitivity of CI to (inter)dependency.

B.3 Feedback and advantages of the EURAM methodology
The EURAM methodology allows users to have a complete view of risks and to assess them in the same way whatever the type of risk, taking into account the interdependencies with the surroundings or with influence factors. This allows an easy and efficient comparison, in particular through the use of common probability and severity scales. However, the EURAM methodology takes into account threats that are very different in nature (security, safety, workers' safety).
It needs a consensus to define the severity and probability scales, and these scales should allow the segregation of events, which should be spread over the different levels of the scale. This consensus will be difficult to establish. Moreover, the scales, and specifically the severity scale, are not accurate enough, and as a consequence the severity levels are not highlighted. Finally, the holistic point of view adopted in the EURAM project requires that the technical and human barriers of a safety risk assessment be considered as threats, and not only as countermeasures whose failure would lead to an accident.

B.4 Recommendations
The scope of the EURAM project is significantly larger than that of the IMPROVE project, which is limited to security risks. Moreover, the threats studied in the IMPROVE project are intentional acts, internal as well as external, from malevolent to terrorist attacks, that harm the security of the infrastructure. It will not study natural hazards or process failures (unless they are intentionally caused). Besides, the steps of the EURAM risk assessment are similar to those of the CCPS SVA methodology and do not bring complementary added value to the risk assessment approach. However, the underlying principles recommended for the dependency analysis remain valid for a risk assessment methodology and will be taken into account in the IMPROVE project. It is therefore recommended that the EURAM methodology be discounted as a framework for the IMPROVE project.
1 Step 1 Project Plan for the SVA

Input step 1
Knowledge and information of the project team about:
- the objectives of a security vulnerability assessment,
- the scope of the security study in terms of the industries concerned and of the intentional acts concerned (internal and external, malevolent and terrorist attacks).
The project plan will be developed by the SVA team prior to arriving on site.
Expertise required (see section 0.3): Security Project Planning

The purpose of step 1 is to develop a project plan that may be used throughout the SVA process so that it is completed in an organised way. It is vital that the objectives, scope and criteria of the SVA are established at the beginning of the study, in order to limit and focus activities and to ensure that the SVA outcomes are effectively realised. The project planning should focus on four key issues:
- Clarify the objectives of a security vulnerability assessment
- Define the scope of the study
- Define the context of the SVA and familiarise the team with the appropriate regulations
- Define the team composition

1.1 Clarify the Objectives of a Security Vulnerability Assessment
The objective of a security vulnerability assessment is to identify the critical assets of a CI site or SEVESO site and the plausible threats (malevolence and terrorism) that could impact these assets. Following this identification of critical assets, the SVA will then assess the countermeasures implemented on site in order to protect the public, the environment, the company or the national interests. To achieve consistency across SVAs using this tool, the following definitions need to be considered. Critical assets of a CI site may be defined as the site elements (material, equipment, personnel, information, etc.)
which have value to the Operator, as well as the assets that enable the activities of the site, such as the utilities or the SCADA system; hazardous substances may also be labelled as critical assets.

Countermeasures can be defined as the technical or organisational measures taken to reduce or limit the vulnerability of an asset to a threat, or to mitigate the effects of an attack.
A threat can be defined as an adversary and his method of attack.
A threat scenario can be defined as the combination of a specific attack by an adversary on an asset which would result in severe impacts on the population, the environment or the economy.
A vulnerability can be defined as a technical or organisational weakness that can be exploited by an adversary.

1.2 Define the scope of the SVA
As a minimum the SVA should cover the analysis of intentional acts against the critical assets of an industrial site that may cause any harm to the public, the environment, the company or the national interest. The specific scope of each SVA should be identified and agreed by the SVA team.

1.3 Define the context of the SVA and familiarise with appropriate regulations
It may be useful in the introductory part of the SVA to refer to the applicable national and international regulations to which the Industrial Site Operator is subject. As the security analysis proposed in this document is a general framework, these regulations may help to define the scope and objectives of the report in another way, and to tailor the SVA to the specific requirements of the applicable national and international regulations.
1.4 Selection of the SVA team
The working team that will conduct this study should be multidisciplinary and gather several skills, such as:
- Security expertise (security risk analysis methodology, security management system of the site, knowledge of terrorist groups and methods, etc.), see also section 0.3;
- Knowledge of the installations (potential assets, process and equipment);
- Knowledge of the safety management system of the site;
- Emergency response procedures;
- Knowledge of the safety and security related legislation/regulations, etc. applicable to the site.
To be effective the working team should generally consist of three to eight persons, varying with the size and complexity of the site. External expertise can supplement this team, especially if in-depth security knowledge is missing within the team. In any event, security expertise (internal or external personnel) will be required to facilitate the SVA process. For further information on this aspect of the SVA refer to the 'Business Case justification for the SVA', Section A of this document, for guidance on the specific nature and duration of the required expertise and on how to locate it. The team initially selected may not remain the same throughout the whole SVA process: the selection of the assets on site (step 2) and the threat analysis (step 3) may require additional skilled people to be co-opted into the team. For instance, the team may need a weapons effects expert (such as blast and ballistics) to answer specific questions regarding the vulnerability of a specific asset or component. Once the team is assembled the SVA methodology should be presented to the team. Note that the external experts required for the SVA should be qualified experts in the fields quoted previously.
In order to complete this step the project plan should as a minimum have the sections and headings shown in Worksheet 1. The spreadsheets in this document can be filled in: to open one, double-click inside any of its boxes; to leave it, click on the page outside the spreadsheet. Filling in the different Worksheets in this document may be somewhat cumbersome. Therefore this document is accompanied by an Excel file containing all the (blank) Worksheets, which can be filled in independently. A worked example of the forms and spreadsheet is included in Appendix 5.

Worksheet 1
Scope of the Study: intentional terrorist acts; intentional criminal acts*
Context: Regulatory framework
Team Skill Profile: List of skills required; Identified gaps
Appoint Audit Leader / Assign Responsibilities: Responsibilities and named lead
Housekeeping: Time and duration of the SVA and timings of key meetings; Working language of the SVA
Reporting: Report format; Benchmarking required; Follow-up plans

Output step 1
- Comprehensive project plan (Worksheet 1)
- General regulations framework to which the site is subject in terms of security
- Definition of the multidisciplinary project team
- Presentation of the SVA methodology to the SVA project team

2 Step 2 Facility Characterisation

Input step 2
Identification and collation of the following information:
- Comprehensive project plan (Worksheet 1)
- General regulations framework to which the site is subject in terms of security, e.g.
SEVESO
- Data which describes the site, its activities, assets and environment, for use by the SVA team
- Description of the protective security measures for the site, including existing countermeasures
This step should be completed by: The SVA team
Additional expertise will be required in: To be decided by the SVA project team leader

The purpose of the second step of the SVA is to characterise the industrial facility. In this step the facility is described in detail, as well as the general security policy of the site. This step provides an overview of the site activities, processes, assets and equipment that could be considered relevant to the SVA, and locates the technical and other data needed to support the security analysis.

2.1 Facility Description
An adequate description of the facility will enable the SVA team, the authorities, the reviewers of the SVA and all those involved in the SVA to have a clear picture of the purpose of the facility, its location, its main functions, activities, hazards, services and technical equipment. The extent of this description should be commensurate with the hazards present. The description should also aim at clarifying the interrelationship between the different installations and systems within the establishment, with respect to their technical parameters and management aspects. In general it is recommended to make as much use as possible of the documentation available for other purposes or legislation, e.g. SEVESO. This documentation can take the form of operating permits, building plans, construction plans, the Safety Report for upper-tier SEVESO sites (see Annex 1 for lower-tier SEVESO sites), the Environmental Impact Assessment, technical procedures, technical documents resulting from the implementation of standards (e.g. ISO 14001, ISO 9001, ...), etc.
It is however advisable to try to summarise the information, since very often the level of detail of documentation produced for other purposes is higher, or differently focused, than that needed for the SVA.

Contents
The description of the facility should include the following items:

1. General information: purpose, main activities, relevant legislation
2. Description of the natural and human surroundings of the site
   - Environment
   - Human activities around the site: housing zones, public assembly buildings (schools, hospitals, etc.), population around the plant, presence of other industrial sites, presence of other critical infrastructures, presence of transport access ways (highways, airports, railways, waterways, etc.), presence of public networks, electric utility and water supply system equipment
   - Maps
3. Description of the site: activity, organisation and resources
   - Main activities, main material flows
   - Organisation, especially focusing on the safety and security functions
   - Human presence: personnel, contractors, visitors
   - Emergency response: fire-fighting system, sprinklers, scrubbers, mitigation systems, etc.
   - Control room
   - Information and Communications Technologies (ICT), e.g. cyber systems, SCADA, etc.
   - Security policy and system in place
4.
Processes and installations
   - Layout of the facility as a whole and of its relevant units, clearly presented on adequately scaled plans. The layout should adequately identify the installations and other activities of the facility, including:
     - main storage facilities
     - process installations
     - location of relevant substances and their quantities
     - relevant equipment (including vessels and pipes)
     - spacing of the installations and their main sections
     - utilities, services and internal infrastructure equipment
     - location of key abatement systems
     - location of occupied buildings (with an indication of the number of persons likely to be present)
     - other units if relevant for security considerations
   - Installations (tanks, important pipes, columns, etc.)
   - Brief description of processes, i.e. storage, loading/unloading, production, etc.
   - Utilities (power, gas, compressed air, nitrogen, process water, etc.), together with their interdependencies, backup systems, and reaction/impact times
5. Inventory of starting materials, raw materials, finished goods, intermediate products and waste
   - Chemicals present: quantities, conditions, together with their main classification (toxic, explosive, flammable)
   - Valuable and/or attractive materials or goods (e.g. gold, copper)

The description of the facility should be conducted at an appropriate level of detail, so as to have both an overview of the site and its environment and sufficient detail to inform the security analysis at the process and component level.

2.2 General security policy of the site
This includes the identification and documentation of the general philosophy and concept of the facility's management for the security of the site. It is important to identify:
- What is the general security policy followed (company and/or local policy)?
- Are there security requirements and, if yes, are they mandatory?
- Is there applicable security legislation?
- What are the principles on which it is based?
- How does the security policy guarantee an appropriate level of security?
- What mechanisms are present to ensure that the security policy is properly implemented?

The information to be gathered and documented in this step may include:
- The general strategy to address security on the site*
- Leadership and commitment
- Review of the layers of protection: their concept and design basis
- Organisational and physical protection
- Access control policy
- Personnel policy: selection, training and alert
- Management of information
- IT security (cyber attack, hackers, ...)
- Management of change
- Emergency communication and response
- Business Continuity Plan
- Incident management and investigation policy
- Measures to be taken in cases of increased alert (graduated security measures)
- Information Security Policy
- Recent SVA and/or Risk Assessment Report
- Recent Audit Report

* A number of approaches can be considered for the implementation of the security strategy on a facility, including:
- layers of protection / rings of protection
- the "deter, detect and delay" principle
- implementation of measures to mitigate the effects
These security protection strategies are detailed in Appendix 2, Protection Strategies for Site Security Management, of this report.

2.3 Existing countermeasures
This part aims at describing the existing countermeasures of the facility which have been implemented by the operator.
A countermeasure is a technical and/or organisational system, and/or an action, that:
- reduces the attractiveness of an asset on the site
- reduces the likelihood of a successful attack
- reduces the consequences of a successful attack
Existing countermeasures may include the physical security of the facility, control of access (railway, roads, water), protection of control rooms and of control systems, policies and procedures, administrative controls, control of employees and of contractors, information security measures, and emergency response measures. All of this information should be noted in Worksheet 2, the Key Document Register. To use the spreadsheet, double-click inside any of the boxes; to leave the spreadsheet, click on the page outside it. Alternatively it may be easier to use the separate workbook of SVA spreadsheets, which can be downloaded from the Cefic website. To review a worked example of the forms and spreadsheet see Appendix 5.

Worksheet 2 Key Document Register
General Information: Purpose of site; Activities of site
Location and Surroundings of the Site: Natural; Human
Site Description: Layout; Organisation chart; Hazardous and attractive products
Current Security Arrangements: Policy principles; Current countermeasures; Site safety procedures; Site emergency procedures; Business continuity plan; Site communication plan

2.4 Determination of the site attractiveness
The attractiveness depends on the value that an adversary would place on disrupting an asset to fulfil his motives, such as creating mass media attention through casualties or disruption. The disruptive impact may be classified by the following criteria:
- the press coverage that an attack on the asset would imply. The media attention would depend on the geographical situation of the site (urban or rural, proximity of an important city or of the capital), on the possibility of impacting an iconic or symbolic target, and on the proximity to a national asset, landmark or well-known site.
- the disruption of local, regional or national infrastructure (such as electricity) and economy, depending on the impact on national, regional or local access routes (roads, railways) and on the possible collateral damage to neighbouring installations, infrastructures or targets.
- the symbol represented by the asset: the symbolic value of the asset to the threatened operator, the impact on a known terrorist target, and the company reputation and brand exposure.
- the ease of access to the asset, depending on its location on the site: how easy it is to find on site, how easy it is to reach, and how easy it is to strike. This assessment should consider the current countermeasures in place that reduce the accessibility of the site entrance, free circulation on the site, the number of people working in the perimeter of the asset, etc. Often the more accessible an asset is, the easier an attack is, and the more attractive the asset therefore becomes to adversaries.
It should be noted that the attractiveness of an asset rests not only on the characteristics of the asset but also on those of the site. Site characteristics are also important because the adversary's intent could be directed at the company or the site in general, without the specific intention of attacking a particular asset on the site. Worksheet 3 below provides the mechanism to gather the parameters needed to rank the attractiveness of the site. The factors do not all have the same weighting in the attractiveness assessment.
For example, among the factors related to the site, the "threatened operator" factor has the largest weighting for site attractiveness. If a company is known as a terrorist target, or if a country has received threats against its industry, the company or the industries of the threatened country should be considered very attractive targets. Attacks in past years have shown that terrorist actions aim at causing significant disturbance to society. That is why the "economic disruption" factor has a higher weighting than the "company reputation" or "proximity to iconic site" factors. The "economic disruption" factor should take into account the time aspect of the impact, such as the period of disruption and the time before recovery. This factor should be understood as the potential disruption to the national economy, and not the disruption of the company's own economy at the national level. The score obtained for the site remains the same in the calculation of the combined attractiveness score specific to each asset.
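The Worksheet 3 calculation (Total = score x weighting factor for each of the four site factors, summed for the site) can be reproduced and checked in code. The following is an added example and is not part of the IMPROVE tool or its accompanying spreadsheets; the weighting factors (1, 3, 5 and 2) and the 1 to 4 score range are those of the worksheet, while the factor keys, the input validation, the ranking of several sites and the constructed site inputs are this example's own.

```python
"""Worksheet 3 site attractiveness, computed and checked in code.

Added example, not part of the IMPROVE tool or its spreadsheets. The weighting
factors and the 1 to 4 score range follow Worksheet 3; the factor keys, the
validation, the cross-site ranking and the sample sites are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weighting factor per Worksheet 3 factor; "threatened operator" weighs most.
WEIGHTS: Dict[str, int] = {
    "media_attention": 1,       # proximity of a major city or iconic site
    "societal_disruption": 3,   # local, regional, national or international
    "threatened_operator": 5,   # known threat against the operator or country
    "company_reputation": 2,    # brand exposure and recognition
}
MIN_SCORE, MAX_SCORE = 1, 4     # each factor is scored a) 1 to d) 4


@dataclass(frozen=True)
class SiteAttractiveness:
    per_factor: Dict[str, int]  # score x weighting factor, per factor
    total: int                  # sum over the four factors (Worksheet 3 TOTAL)

    @property
    def dominant_factor(self) -> str:
        """Factor contributing most to the weighted total."""
        return max(self.per_factor, key=self.per_factor.__getitem__)


def min_total() -> int:
    return MIN_SCORE * sum(WEIGHTS.values())


def max_total() -> int:
    return MAX_SCORE * sum(WEIGHTS.values())


def score_site(scores: Dict[str, int]) -> SiteAttractiveness:
    """Apply Worksheet 3. Every factor must be present with an integer score
    from MIN_SCORE to MAX_SCORE; anything else is rejected rather than silently
    scored, which a free-form spreadsheet cell would not do."""
    missing = set(WEIGHTS) - set(scores)
    unknown = set(scores) - set(WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing factors {sorted(missing)}, unknown factors {sorted(unknown)}")
    for factor, value in scores.items():
        if isinstance(value, bool) or not isinstance(value, int) or not MIN_SCORE <= value <= MAX_SCORE:
            raise ValueError(f"{factor}: score must be an integer {MIN_SCORE}..{MAX_SCORE}, got {value!r}")
    per_factor = {factor: value * WEIGHTS[factor] for factor, value in scores.items()}
    return SiteAttractiveness(per_factor=per_factor, total=sum(per_factor.values()))


def is_valid(scores: Dict[str, int]) -> bool:
    """True when score_site() would accept the scores."""
    try:
        score_site(scores)
    except ValueError:
        return False
    return True


def rank_sites(sites: Dict[str, Dict[str, int]]) -> List[Tuple[str, int]]:
    """Rank several sites by weighted total, most attractive first (ties by name)."""
    ranked = [(name, score_site(scores).total) for name, scores in sites.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


# Constructed inputs for three hypothetical sites (not real facilities).
EXAMPLE_SITES: Dict[str, Dict[str, int]] = {
    "rural_depot": {"media_attention": 1, "societal_disruption": 1,
                    "threatened_operator": 1, "company_reputation": 1},
    "regional_works": {"media_attention": 2, "societal_disruption": 3,
                       "threatened_operator": 4, "company_reputation": 3},
    "capital_plant": {"media_attention": 4, "societal_disruption": 3,
                      "threatened_operator": 4, "company_reputation": 3},
}
```

With the worksheet weightings the achievable totals run from 11 to 44, and a single step on the "threatened operator" scale moves the total by 5 while a step on the media attention scale moves it by 1; `rank_sites(EXAMPLE_SITES)` orders the three constructed sites 39, 37 and 11. The site total is what the worksheet carries forward to Worksheet 5 column 8 for every asset on that site.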
Worksheet 3 Site Attractiveness
Total = score x weighting factor; the site total is the sum of the four factor totals.

Factor 1: Proximity of a major city or of an iconic or well-known site (media attention level). Weighting factor: 1
  a) No major or symbolic city // rural zone // no major or symbolic icon or site, or only a locally symbolic icon or site: an attack on the site will gain no or only very local media attention. SCORE 1
  b) In an urban zone // regionally symbolic icon or site: an attack on the site will gain limited media attention. SCORE 2
  c) Next to a capital or in a major city // adjacent to a nationally symbolic icon or site: an attack on the site will imply national media attention. SCORE 3
  d) In the capital // in the city centre of a major city // adjacent to an internationally famous or major recognisable landmark (e.g. European Commission, Eiffel Tower) or world-famous icon or site: an attack on the site will imply a substantial national or European event. SCORE 4

Factor 2: Societal disruption at the local, regional, national or international level. Weighting factor: 3
  a) Disruption of local society. SCORE 1
  b) Disruption of regional society // disruption of a major regional supply. SCORE 2
  c) Disruption of national economy or society // disruption of a major national supply. SCORE 3
  d) Disruption of European / international economy or critical infrastructure. SCORE 4

Factor 3: Threatened operator. Weighting factor: 5
  a) No known threat against the country or the operator. SCORE 1
  b) Operator threatened by employees or by local associations. SCORE 2
  c) Country threatened by regional activists (e.g. separatists); sector mentioned as, or commonly thought to be, a potential target for terrorists, but no threat. SCORE 3
  d) Country of origin of the operator threatened by an international terrorist organisation (e.g. USA, Israel, UK); site known as a terrorist target. SCORE 4

Factor 4: Company reputation, brand exposure and recognition. Weighting factor: 2
  a) No controversy or association actions against the company known; company not known or only locally well known (e.g. local major employer). SCORE 1
  b) Company which has been the subject of a controversy at the local level (because of its type of activities, its way of operating, an accident, etc.), or is the target of local associations, or is regionally well known (e.g. major employer of the region). SCORE 2
  c) Company which has been the subject of a controversy in the national media (because of its type of activities, its way of operating, an accident, etc.), or nationally well-known company. SCORE 3
  d) Company which has been the subject of a controversy in the international media (because of its type of activities, its way of operating, an accident, etc.), or internationally well-known company. SCORE 4

TOTAL for the site: sum of (score x weighting factor) over the four factors. The total is automatically carried to Worksheet 5, column 8.

Output step 2
The SVA team has an adequate understanding of the characteristics and current security measures of the facility.
The characteristics and current security measures of the facility should be recorded in Worksheet 2, the Key Document Register, and contain as a minimum:
- General information: purpose and main activities of the site,
- Description of the natural and human surroundings of the site,
- Description of the site: layout, organisation chart,
- Potentially hazardous or attractive (for criminal acts) products,
- Description of the existing general site security policy and principles, plus any existing countermeasures and procedures applied on site,
- Site safety and emergency procedures,
- Worksheet 3 Attractiveness of the Site,
- Communication Plan for the Site.

3 Step 3 Assets Analysis

3.1 Identification of the principal assets

Input step 3.1
- Definition of an asset
- Definition of a principal asset
- Worksheet 2, the Key Document Register
- Any document used in step 2.1 that enables the identification of high value assets (see Appendix 1 Links Between the SEVESO DIRECTIVE Requirements and the SVA)
This step should be performed by: the SVA team
Additional expertise is required in: to be decided by the SVA project team leader

As noted in Step 1, this SVA should be performed on any industrial site designated as a critical infrastructure by the authorities, and a preliminary screening should be undertaken. A chemical or energy-related facility has numerous assets requiring adequate protection. The analysis cannot be extended to each and every piece of equipment, every vessel, every pipe and every valve, as this would be an impossible task to carry out. For this reason it is necessary to focus on the important assets stored or used in the facility.
The asset analysis aims at identifying the most critical targets, taking into account the existing situation of the site and of the asset with the existing countermeasures, the weaknesses of the asset and its value. This identification of the most critical targets requires a brainstorming session by the SVA team. In principle, an asset is any material or non-material item that enables the facility to operate. In the first instance a list of targets is determined based on the characteristics of the target that make it valuable in terms of potential hazard or in terms of disruption of activities. A principal asset is an asset deemed to be crucial to the continued operation of the site, or an asset which the SVA team suspects, if tampered with, could have the potential to cause a catastrophic effect.

Factors to be considered are:
- Vessels, piping or processing equipment which contain highly dangerous substances, considering the toxicity, flammability and explosion hazards of the chemicals,
- Particular reactions which can be hazardous (risk of drift in the reaction, thermal decomposition, explosive reactions, possibility of formation of hazardous chemicals, risk of drift towards an uncontrollable reaction),
- Personnel,
- Process control systems (including ICT, SCADA, etc.),
- Intellectual property,
- Equipment without which the site would not be able to operate, or only with significant difficulty, such as the control rooms, the process control systems (SCADA systems), the communication network, the utilities, etc.,
- Components needed for functioning, such as the loading/unloading system, the raw material supply system and the waste disposal system,
- Components of the security system such as the fire-fighting system (tanks, piping, foams, etc.), power supplies to the perimeter fence surveillance or the access control, or any system whose disruption could cause a failure of the security system,
- Company reputation.

The characterisation of the site in step 2.1 should help to make this inventory. For upper-tier SEVESO sites, data from the safety analysis should be used here, as explained in Appendix 1.

Last, it is necessary to identify and take into consideration dependencies between the different assets. This is particularly important for utilities (e.g. power supply, water, compressed air, natural gas, nitrogen) or assets such as the control room, SCADA, fire-fighting system, etc. Analysis of dependencies can be performed through the systematic collection and analysis of information; however, in most cases it is sufficient to answer a few questions addressing the following:
- Identification of assets that are interdependent,
- The cascading effect of a failure in the considered asset on other assets or on the functioning of the plant,
- The time characteristics of degradation and restoration,
- The risk of simultaneous failure of more than one asset through common vulnerabilities,
- Off-site dependencies such as power, water, steam, upstream and downstream process inputs/outputs, etc.

Worksheet 4 List of Principal Assets
Columns: List of Principal Assets | Justification and Description

This step should be done at the asset level, without going into details or decomposing the asset itself. For example, a distillation process should be considered as an asset, and not one particular distillation column. The component level will be addressed at the vulnerability analysis step (step 5). Worksheet 4 may help to carry out this step of asset identification. This selection should refer to justifications such as hazards for the people offsite, environmental impacts, operational continuity, interdependencies, etc. One of the criteria for the selection of an asset can be the lack of spare components or an excessive time to repair, especially for operational continuity aspects.
Output step 3.1

Worksheet 4 List of principal assets (in alphabetical order or per process flow, for example)

3.2 Classification of attractiveness

Input step 3.2
- Definition of attractiveness
- Definition of impact
Tools:
- Attractiveness levels table
- Impact levels table
- Worksheet 3 Attractiveness of the site
- Matrix Attractiveness / Impact
This step should be completed by: the SVA project team
Additional expertise is required in: to be decided by the SVA project team leader

Identified principal assets are then assessed according to two criteria: the asset attractiveness and the asset impact. Here the selection of principal assets may differ from the selection of assets made with a business / operational continuity focus. The salient question of this assessment is “what types of events will cause the disruption of a critical infrastructure, the release of a chemical or the destruction of equipment or components in such a way that the most serious consequences will occur?” This assessment is done considering the existing situation of the site and of the asset, taking into account the benefits of the existing countermeasures that protect the asset.

There are nine factors for the determination of attractiveness, of which four are focussed on the site (see Worksheet 3) and five specifically on the individual asset (see Worksheet 5). This evaluation is completed by the SVA project team, using their best judgement to attribute values to all the factors for each potential target. In the scoring of the attractiveness factors specific to the asset, a high weighting factor is attributed to the “merchandising” factor to take into account the malevolent acts of theft or product diversion, as criminal acts are not acceptable in critical infrastructures.
The three factors related to the easiness to find, access and strike an asset are linked with the difficulty of attack for an adversary: the easier an asset is to access, the more attractive it will be. The function of the asset should also be taken into account when assessing the factor of the asset and the continuity of the company activity (4th factor specific to an asset).

The global attractiveness of a given asset is obtained by adding the score of the asset attractiveness factors (Worksheet 5) to the score of the site attractiveness factors (Worksheet 3). The combined total score defines the overall global attractiveness of the target. Five final levels of attractiveness of the assets can be defined and classified as shown in Table 1. This step results in the evaluation of the potential attractiveness of all the assets as it can be perceived by adversaries, and enables the identification of the high value assets according to their attractiveness.

WORKSHEET 5 ATTRACTIVENESS OF THE SITE AND THE ASSET

Column 1: Principal Assets (from Worksheet 4)

Column 2: Easiness to find the asset in the site. Weighting factor 3.
  a) Hidden. SCORE 1
  b) Only employees can know where the asset is; not noticeable from the exterior, even on a map. SCORE 2
  c) Not noticeable from the exterior but easy to spot on a map. SCORE 3
  d) Everybody knows where the asset is, or it is at the limit of the site. SCORE 4

Column 3: Easiness to access. Weighting factor 3.
  a) High security site and the asset is at the centre of rings of protection (need to penetrate numerous robust rings of protection to reach the asset, with no possible common failure). SCORE 1
  b) Restricted access to the site and to the asset: only a restricted number of employees have access to the asset, and the asset is at the centre of numerous rings of protection. SCORE 2
  c) Restricted access to the site but no restricted access to the asset. SCORE 3
  d) Site open to the public. SCORE 4

Column 4: Easiness to hit. Weighting factor 3.
  a) No line of sight from the exterior and visible with difficulty from the site itself; also shielded from the internet. SCORE 1
  b) Asset protected by many other buildings, vegetation, many other installations (presence of major obstacles). SCORE 2
  c) Asset protected by few other buildings, vegetation, few other installations (presence of few obstacles). SCORE 3
  d) Sitting duck: no protection of the asset. SCORE 4

Column 5: Importance of the asset to company continuity. Weighting factor 2.
  a) Not at all, or equipment without a major importance in operation. SCORE 1
  b) Threats could be made, or equipment which can be by-passed for a short period and quickly replaced. SCORE 2
  c) Threats have been made or warnings have been given against the asset or against similar assets, or equipment which can be by-passed during a short period but takes time to replace. SCORE 3
  d) Key and irreplaceable process equipment, or equipment without which the company cannot operate. SCORE 4

Column 6: Value and merchandising. Weighting factor 5.
  a) No value. SCORE 0
  b) Asset with very low value but very difficult to merchandise in parallel markets. SCORE 1
  c) Asset with medium value but difficult to merchandise in parallel markets. SCORE 2
  d) Asset with high value and rather easy to merchandise in parallel markets. SCORE 3
  e) Asset with very high value and easy to merchandise in parallel markets. SCORE 4

Column 7: TOTAL for the asset = sum of (score x weighting factor) over columns 2 to 6.
Column 8: SITE ATTRACTIVENESS = total for the site from Worksheet 3.
Column 9: Total (site + asset) = column 7 + column 8.
Column 10: Attractiveness level (look up column 9 in Table 1).

TABLE 1 ASSET ATTRACTIVENESS LEVEL
  Level   Score      Definition
  A1      22 - 38    Least attractive asset on the site
  A2      39 - 54    Low attractive asset on the site
  A3      55 - 73    Medium attractive asset on the site
  A4      74 - 90    High attractive asset on the site
  A5      91 - 108   Extremely attractive asset on the site

3.3 Determination of the Asset Impact

Next we need to determine the asset impact: this is the result should an adversary successfully compromise an asset. The asset impact level is decided by considering the various categories of consequence which are described in Table 2, the Asset Impact Table. The level should be taken as the highest level of consequence feasible from an attack on an asset.

- Human consequences and casualties: the attack will result in fatalities and in injured people. The magnitude of impact can be based on the impact ranking from the safety studies requested, as the impact of major accident scenarios is assessed for the environment and the people offsite. Other parameters should also be studied, such as the potential casualties in case of a lack of gas, electricity, water and the like in severe conditions (e.g. in winter or during a drought). It should be remembered that the consequences of an intentional attack can be worse than in an accidental scenario: for example, a safety assessment considers the rupture of one tank, whereas in an intentional attack an adversary can simultaneously attack several tanks.
- Environmental consequences and indirect human consequences: direct consequences to the environment (air or river pollution), or indirect human consequences such as the contamination of goods produced onsite (food chain, medicine, etc.), the long-term health effects due to the dispersion of a toxic substance, or the impact on the basic needs of the population (heating systems, drinking water, etc.),
- Economic disruption,
- Material damage: material consequences onsite are defined by the cost of damages. Levels depend on cost levels that are defined by the Operator depending on its priorities,
- Company's reputation.

For each asset, the impact is assessed assuming the successful execution of an attack and of its consequences, taking into account the existing countermeasures if they can efficiently reduce these consequences. In the following table some thresholds for the impact levels are proposed, knowing that these figures can be modified according to the security objectives set by the Operator. The impact table should be adapted to distribute possible events over all the levels, in order to allow attention to be concentrated on the most risky events. The impact level for each asset corresponds to the highest impact level amongst the five impact parameters, as the security vulnerability analysis focuses on the most critical security events. For the material consequences, the value of damages determining each level will be set by the Operator according to its turnover, its reputational value and/or its investment capacity. The following table, Table 2, the Asset Impact Table, gives an example of levels that could be used.

Within Table 2 each SVA team should discuss and set their own financial criteria for the property damage in each impact level, as this will need to be appropriate for the particular industrial site where the SVA is carried out.
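The arithmetic of steps 3.2 and 3.3 (the Worksheet 3 total, Worksheet 5 columns 7 to 10 with the Table 1 lookup, and the rule that the asset impact level is the highest of the rated impact categories), as an added example in Python. It is not part of the IMPROVE toolkit or its accompanying spreadsheets: the site, the three assets and all their scores are constructed for illustration, the Worksheet 3 weighting factors are read as 1, 3, 5 and 2 for the four site factors in the order they appear in that worksheet, and the I1 to I5 ratings per category are assumed to have already been chosen by the SVA team against Table 2.

```python
"""Step 3 scoring helper: site attractiveness (Worksheet 3), asset
attractiveness (Worksheet 5), attractiveness level (Table 1) and asset
impact level (section 3.3: highest level among the impact categories).

Added example, not part of the IMPROVE toolkit or its spreadsheets. The
weighting factors, score ranges and Table 1 bands are taken from the
worksheets on the page; the site and the three assets are constructed.
"""

# Worksheet 3: the four site factors with their weighting factors (scores 1-4).
# Assumption: weights 1, 3, 5, 2 belong to the factors in worksheet order.
SITE_WEIGHTS = {
    "proximity_major_city": 1,
    "societal_disruption": 3,
    "threatened_operator": 5,
    "company_reputation": 2,
}

# Worksheet 5 columns 2-6: (weighting factor, allowed scores)
ASSET_WEIGHTS = {
    "easiness_to_find": (3, range(1, 5)),
    "easiness_to_access": (3, range(1, 5)),
    "easiness_to_hit": (3, range(1, 5)),
    "importance_to_continuity": (2, range(1, 5)),
    "value_and_merchandising": (5, range(0, 5)),   # "no value" scores 0
}

# Table 1: combined score (site + asset) -> attractiveness level
ATTRACTIVENESS_BANDS = [(22, 38, "A1"), (39, 54, "A2"), (55, 73, "A3"),
                        (74, 90, "A4"), (91, 108, "A5")]

IMPACT_RANK = {"I1": 1, "I2": 2, "I3": 3, "I4": 4, "I5": 5}


def _weighted_total(scores, weights):
    """Sum of score x weighting factor; rejects a missing or out-of-range score."""
    total = 0
    for factor, (weight, allowed) in weights.items():
        if factor not in scores:
            raise KeyError(f"factor not scored: {factor}")
        score = scores[factor]
        if score not in allowed:
            raise ValueError(f"{factor}: score {score} not in {list(allowed)}")
        total += score * weight
    return total


def site_attractiveness(site_scores):
    """Worksheet 3 total for the site (carried into Worksheet 5 column 8)."""
    weights = {f: (w, range(1, 5)) for f, w in SITE_WEIGHTS.items()}
    return _weighted_total(site_scores, weights)


def asset_attractiveness(asset_scores):
    """Worksheet 5 column 7: total for the asset."""
    return _weighted_total(asset_scores, ASSET_WEIGHTS)


def attractiveness_level(combined):
    """Worksheet 5 column 10: look up column 9 (column 7 + column 8) in Table 1."""
    for low, high, level in ATTRACTIVENESS_BANDS:
        if low <= combined <= high:
            return level
    raise ValueError(f"combined score {combined} is outside Table 1 (22-108)")


def impact_level(category_levels):
    """Section 3.3 rule: the asset impact level is the highest level among the
    impact categories (Table 2 a-e), each rated I1..I5 by the SVA team."""
    if not category_levels:
        raise ValueError("no impact category rated")
    return max(category_levels.values(), key=IMPACT_RANK.__getitem__)


def step3_profile(site_scores, assets):
    """One row per asset (the input to Worksheet 6), most attractive first."""
    site_total = site_attractiveness(site_scores)
    rows = []
    for name, data in assets.items():
        asset_total = asset_attractiveness(data["attractiveness"])
        combined = asset_total + site_total
        rows.append({"name": name, "asset_total": asset_total,
                     "combined": combined,
                     "level": attractiveness_level(combined),
                     "impact": impact_level(data["impact"])})
    return sorted(rows, key=lambda r: r["combined"], reverse=True)


# Constructed sample: urban site, regional supply, activist threat, regional brand
SAMPLE_SITE = {"proximity_major_city": 2, "societal_disruption": 3,
               "threatened_operator": 3, "company_reputation": 2}

# Constructed sample assets with Worksheet 5 scores and per-category Table 2 ratings
SAMPLE_ASSETS = {
    "Toxic gas storage": {
        "attractiveness": {"easiness_to_find": 3, "easiness_to_access": 2,
                           "easiness_to_hit": 2, "importance_to_continuity": 4,
                           "value_and_merchandising": 1},
        "impact": {"a": "I3", "b": "I2", "c": "I2", "d": "I1", "e": "I2"}},
    "Control room and SCADA": {
        "attractiveness": {"easiness_to_find": 2, "easiness_to_access": 2,
                           "easiness_to_hit": 1, "importance_to_continuity": 4,
                           "value_and_merchandising": 0},
        "impact": {"a": "I2", "b": "I1", "c": "I3", "d": "I2", "e": "I2"}},
    "Finished product warehouse": {
        "attractiveness": {"easiness_to_find": 4, "easiness_to_access": 3,
                           "easiness_to_hit": 3, "importance_to_continuity": 2,
                           "value_and_merchandising": 4},
        "impact": {"a": "I1", "b": "I1", "c": "I2", "d": "I2", "e": "I2"}},
}

if __name__ == "__main__":
    for row in step3_profile(SAMPLE_SITE, SAMPLE_ASSETS):
        print(f"{row['name']:28} asset {row['asset_total']:3} combined "
              f"{row['combined']:3} -> {row['level']}  impact {row['impact']}")
```

With the sample values the site scores 30, the warehouse (high value, easy to merchandise, weight 5) lands in A4 with impact I2, while the control room is only A2 but carries impact I3; this is why the two criteria are kept separate until the matrix of step 3.4 combines them. The range checks matter in practice: a merchandising score of 0 is legitimate, but a 0 in any other column, or a combined score outside 22-108, signals a transcription error rather than a real assessment.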
Also, clearly any level of casualty is a serious matter; however, for the purpose of this SVA it is critical that the SVA team identifies the number of potential casualties and fatalities that would arise from each mode of attack. When selecting the impact level the SVA team should consider all the issues (a-e) in each impact level and base the level on the highest impact risk.

Table 2 The Asset Impact Table

LEVEL I1
  a. Casualties: no more than one dead person and less than 10 severely injured people
  b. Negligible environmental impacts, even if the target has significant symbolic value (example: destruction of a prominent national monument)
  c. Negligible economic impact
  d. Over XX € property damage (estimated as less than in S2)
  e. Significant impact on the company reputation

LEVEL I2
  a. Casualties: from 1 to 10 dead people and from 10 to 100 severely injured people
  b. Environmental impacts to the immediate site area only
  c. Important economic disruption to the facility economy
  d. Over XX € property damage (estimated as less than in S3)
  e. High impact on the company reputation

LEVEL I3
  a. Casualties: from 10 to 100 dead people and from 100 to 1’000 severely injured people
  b. Major environmental, food chain or product impact with no health impact on the population but widespread and visible effects (example: large environmental damage)
  c. Severe economic disruption to the regional or industry economy
  d. Over XX € property damage (estimated as less than in S4)
  e. High impact on the company reputation

LEVEL I4
  a. Casualties: more than 100 dead people and more than 1’000 severely injured people
  b. Major environmental, food chain or product impact with possible widespread lesser health impact on the population (example: contamination of food that causes widespread illness but no lasting effects except to sensitive populations)
  c. Severe economic disruption to the national economy
  d. Over XX € property damage (estimated as less than in S5)
  e. Very high impact on the company reputation

LEVEL I5
  a. Casualties: more than 1’000 dead people and more than 10’000 severely injured people
  b. Major environmental, food chain or product impact with possible widespread major health impact on the population (example: large scale toxic contamination of drinking water or pharmaceuticals)
  c. Severe economic disruption to the European economy
  d. Over XX € property damage
  e. Very high impact on the company reputation

Proposal of impact levels for the vulnerability analysis (based on the CCPS SVA guidelines)

3.4 Risk Profile of the Principal Assets

Once the impact level of the potential consequences of a successful attack on a designated asset and the attractiveness level of this designated asset have been ranked, the critical level of the asset can be determined with the help of a matrix which combines the impact and the attractiveness for the principal assets. The rankings of each asset in attractiveness and impact are inserted into Worksheet 6, Impact and Attractiveness Worksheet.
The Asset Code column can be used to identify each asset by assigning a letter ‘A’ to ‘Z’; this will assist when plotting the asset on a risk map.

Worksheet 6 Impact and Attractiveness Worksheet
Columns: Asset Code | Principal assets | Attractiveness level (see Worksheet 5 column 10) | Impact level (see the Impact table, Table 2)

Worksheet 7 Asset Attractiveness and Asset Impact Matrix (Impact vs. Attractiveness)

In the above matrix, two extreme critical levels for the asset are defined with two extreme positions:
- A highly critical level for the more attractive (high value) and the more severe impact targets (red), and
- A low-range critical level for the less attractive and less severe impact targets (green).
The team seeks to identify the more attractive (high value) asset targets which, if successfully attacked, would result in the more severe impact; these are therefore the most critical. In order to complete this matrix, the SVA team must set the limits applicable to their own organisation or site facility for the three zones: green, amber and red. As a result of this analysis, the SVA team has now determined a list with at least the highly critical assets.

Output step 3
- Ranking of the assets according to their level of attractiveness
- Ranking of the assets according to their level of impact given a successful attack
- Ranking of the assets according to their risk profile (attractiveness vs. impact)

4 Step 4 Threat Analysis

It is recommended to seek additional specialist expertise and advice in order to obtain the data to fill in the worksheets in this step. It should also be borne in mind that adversaries can and do change at short notice, and therefore constant updating of this data is also required. Details and guidance on obtaining specialist advice are given in section 0.3 of this document.
Input step 4.1
Concepts / definitions / necessary data:
- Definition of a threat
- Threat information from scientific institutions, commercial enterprises, police, intelligence and security services
- Feedback: inventory of past security events
- Definition of the intent
- Definition of the capability
- Definition of the likelihood of an attack
Tools:
- List of adversaries
- List of methods of attack
- Table of adversaries and their preferential methods of attack
Additional expertise required: threat expertise, security expertise
Team required: full SVA team

4.1 Identification of Adversaries and Their Methods of Attack

In the first steps of the critical infrastructure SVA, the facility was characterised; the assets, interests, dependencies and the present policies and measures for security, business continuity, emergency management and consequence mitigation were identified; and possible targets for adversaries were identified. In this fourth step of the SVA, the relevant adversaries will be considered in the light of the characterised facility and the existing security measures. In this step the SVA team will make an assessment of the man-made threats to a Critical Infrastructure (CI). This CI could be part of a chemical, energy or other establishment.

When assessing these threats, the SVA team has to determine the likelihood of adversaries attacking their facilities and the probable method of attack they will use.

Adversaries

It is necessary to ascertain the characteristics of the relevant adversaries that can threaten the CI. The adversaries differ in motivation, goals to achieve, knowledge of the site, attack capabilities, risk acceptance and endurance.
The following types of adversaries should at least be considered in this threat assessment:
- Terrorists (political, religious)
- Criminals (common, organised, cyber)
- Hackers
- Violent activists (environmental, animal rights, anti-globalists)
- Vandals and deranged individuals
- Frustrated, disgruntled or addicted employees and contractors

As mentioned before, the SVA team has to decide which probable methods of attack will be used by the adversaries. The coupling of an adversary with a method of attack is defined as a threat. In the SVA an emphasis is put on threats that will or may disrupt the CI or cause mass casualties and serious societal and political disruption. Some methods of attack may be used by more than one adversary. The following methods of attack should be considered in this threat assessment:
- bombing (by rucksack, car, boat, glider, plane)
- shooting (with handgun, rifle, RPG, mortar)
- arson (Molotov cocktail, incendiary device, lighting a fire)
- sabotage (manual, remote)
- manhandling
- cyber attack
- stealing of critical components

Blackmail, extortion, burglary, sneaking in, theft, hacking, bugging and eavesdropping should be taken into account if they are essential parts of the above-mentioned methods of attack. The above-mentioned threats are illustrative and can be considered generic to a certain extent. However, which threats are likely or realistic will depend on the individual establishment to be assessed. “General threats” that may be likely in a country or in a region should be considered in close cooperation with intelligence and security services. A more detailed description of adversaries and their methods of attack may be found in Appendix 3 Threat Catalogue.
4.2 Ranking the Threats

The past security incidents of the site (successful or not) should be collected and analysed, as lessons learned from these events may give relevant hints for the threat assessment step. The analysis of incidents provides data on potential adversaries and on possible methods of attack. These incidents also provide information for the vulnerability analysis which takes place in the next step. The incidents on the site may not be numerous or significant enough from the high-threat standpoint of the SVA; however, their analysis may help to identify weak points in the site security. Incidents that have occurred at other sites or in other countries can give complementary information on actual threats and may be useful input to this threat assessment.

Assessment of Capability and Intent

The likelihood of an adversary (attacker) coming to a facility and committing a specific attack is difficult to assess. However, some threats can be considered more relevant than others. The likelihood of an attack, or the likelihood of an adverse event, can be defined as the likelihood that a particular adversary will exploit a vulnerability. This takes into account the intent of the adversary and its capabilities (human, in terms of individuals and organisations, and technical, in terms of the technical means associated with the mode of attack). The likelihood of these threats has to be determined by the SVA team by assessing the intent and the capability of the adversaries for a specific mode of attack. For this task, if security expert skills are not available in the team, the SVA team will need to collaborate with the national or regional intelligence service in order to rank realistically the intent and capabilities of the identified adversaries. The intent of an adversary can be defined as how motivated the adversary is to attack the site or a particular asset of the site.
The capabilities of an adversary can be defined as the technical and human means that an adversary can rely on for his attack, such as a trained individual or group with particular skills in weapons or in chemistry, financial means, or the ability to obtain weapons. The capabilities also include the notion of knowledge about the site and how to reach the asset, i.e. whether or not the adversary can obtain the information needed to plan his attack. Thus, the consideration of critical assets and associated countermeasures underlies the ranking of the adversary capabilities. At this stage this consideration should not be made for a particular asset, but more generally for the site.

The team will assess the intent and the capabilities of the adversary on a scale of three levels, for each “adversary / mode of attack” combination that is considered feasible by the security expert or on the basis of the national intelligence information.

The threats described in Worksheet 8 show some preferential methods of attack for different adversaries. This worksheet is only indicative, but can be helpful for suggesting relevant threats.

Worksheet 8 Ranking of the Most Relevant Threats

Columns: for each adversary (Terrorist, Criminal, Hacker, Activist, Vandal, Employees), an I (intent) column and a C (capability) column.
Rows (method of attack):
- Concealed IED
- VBIED crashed into critical asset
- VBIED parked near critical asset
- IED placed near critical asset
- IEDs by boat, glider or plane
- RPG
- Rifle
- Molotov cocktails
- Incendiary device
- Lighting a fire
- Blockade
- Manual sabotage
- Remote sabotage by cyber attack
- Stealing
- Physical assault on staff
- Counterfeit critical components

By characterising the threat in terms of intent and capabilities of adversaries, this worksheet enables the selection of the most relevant, plausible and realistic threats.
Specialist knowledge will need to be harnessed from a range of sources to assess the intent and capabilities of terrorist organisations across the spectrum of perceived methods of attack.

Table 3

I = INTENT
  1  There is no justification to think the adversary has the intention to do so
  2  The adversary may have the intention to do so
  3  The adversary will certainly do so if there is an opportunity

C = CAPABILITY
  0  The adversary does not have the capability to do so
  1  The adversary may have the capability to do so
  2  The adversary certainly has the capability to do so

The 0 score for capability means that the adversary does not have the capability to do so, and therefore reflects the fact that, if this is the case, there is no threat resulting from this option.

Worksheet 9 Ranking of the Most Relevant Threats According to Intent and Capability
Columns: Adversary | Attack Method | Score (multiply intent by capability to obtain the score)

Output step 4

Worksheet 9 Ranking of the most relevant threats (adversary x, method of attack y) according to intent and capability

5 Step 5 Security Vulnerability Assessment (SVA)

5.1 Creation of the Threat Scenarios

Input step 5
Concepts / definitions / necessary data:
- Definition of threat scenario
- Definition of vulnerability
- Key Document Register (output step 2)
- Ranking of the assets according to their level of attractiveness (output step 3)
- Ranking of the most relevant threats (Worksheet 9, output step 4)
- Definition of the likelihood of a threat scenario
- Threat information from other parties (commercial, police, security and intelligence services)
- Scenarios provided by other studies
Tools:
- Table 10 for likelihood of a threat scenario
- Table 11 for severity levels of successful scenarios
- Risk matrix: severity / likelihood of a threat scenario
- Vulnerability assessment table
Additional expertise required: security expertise
Team required: Step 5 should be undertaken by the full SVA project team

Definition of threat scenario

A threat scenario is defined as the coupling of a threat (the adversary and his method of attack) and a specific asset of the CI. A threat scenario can be identified in just a few words, for example: theft of a laptop by a criminal. This can be appropriate when there is an overload of scenarios to identify. For a thorough vulnerability assessment the most relevant threat scenarios must be written out more elaborately. By creating a storyboard, the relevant threat scenarios may be drawn up in a comprehensible fashion. A threat scenario will at a minimum combine the following items:
- adversary (with intent, capability and motivation),
- method of attack (with tools, weapons, time frame, attack and escape route),
- target of the adversary (asset of the site),
- severity of the attack (economic loss, loss of life, loss of critical infrastructure),
- collateral damage (damage to buildings, possessions, environment).

In the process of describing the different threat scenarios, the relevant countermeasures onsite will be identified and the potential consequences of a successful attack will be estimated. Eventually the vulnerabilities for those threat scenarios will help to determine the security risk level of the site. In Step 4 (Ranking of the threats) the threats (adversary and attack) most likely to affect the site have emerged. These threats will be the starting point for developing the threat scenarios. The SVA team will have to choose all the relevant targets for these threats and thus create a database of relevant threat scenarios. In Step 3 (Risk Profile of Principal Assets) the principal assets have been ranked in severity levels.
This information and the table of severity levels will be the input for describing the (successful) threat scenarios. Once the threat scenarios have been described, there is a clearer picture of the severity of a successful attack (threat scenario). These threat scenarios then have to be assessed in terms of likelihood and severity. This is completed in the ranking of the likelihood of a threat scenario. The likelihood of a threat scenario depends on three parameters:
- The asset attractiveness: the ranking of the attractiveness of the asset is the same as the combined attractiveness score evaluated for each asset in step 3.
- The asset vulnerability: this parameter takes into account the number and the robustness of the countermeasures in place onsite for a threat scenario.
- The feasibility of the threat scenario: this parameter takes into account the sophistication of the technical and organisational means (modus operandi) used by the adversaries to perpetrate their attack on the asset.

Amongst these three parameters, the asset attractiveness is the determining one in the assessment of the likelihood of a threat scenario. Indeed, attractive assets are more appealing to terrorists, even if the means required need to be more elaborate. Furthermore, because of the almost unlimited number of possible targets, the terrorist will not explore targets that are, in his opinion, ‘unattractive’. For this reason, the “asset attractiveness” factor has been given a higher weight than the two other parameters.

The severity in step 5 is assessed according to a specific threat scenario which targets an asset and which may result in partial or total compromise of the asset. This is an area that requires specialist expertise in order to ensure that the output provides reliable data.
WORKSHEET 10 LIKELIHOOD OF THREAT SCENARIO

Column 1: Critical Assets
Column 2: Adversary
Column 3: Method of Attack
Column 4: Target Attractiveness (Weighting Factor 5)
Column 5: Target Vulnerability (Ease of Access) (Weighting Factor 1)
Column 6: Target Robustness of Construction (Weighting Factor 1)
Column 7: Feasibility of Threat Scenario (Weighting Factor 1)
Column 8: TOTAL THREAT SCENARIO LIKELIHOOD

Scoring scales for columns 4 to 7 (each column is scored a) to e), i.e. 0 to 4):

Column 4, Target Attractiveness (weighting factor 5):
a) Least attractive asset on site: SCORE 0
b) Low attractive asset on site: SCORE 1
c) Medium attractive asset on site: SCORE 2
d) Highly attractive asset on site: SCORE 3
e) Most attractive asset on site: SCORE 4

Column 5, Target Vulnerability (Ease of Access) (weighting factor 1):
a) Very low vulnerability: SCORE 0
b) Low vulnerability: SCORE 1
c) Medium vulnerability, at least one strong measure and several other measures to be breached: SCORE 2
d) High vulnerability, several countermeasures need to be breached but individual measures are not strong: SCORE 3
e) Very high vulnerability, none or few measures and only a single weak measure that needs to be breached, or effective measures do not exist: SCORE 4

Column 6, Target Robustness of Construction (weighting factor 1):
a) Very high robustness: SCORE 0
b) High robustness: SCORE 1
c) Medium robustness: SCORE 2
d) Low robustness: SCORE 3
e) Very low robustness: SCORE 4

Column 7, Feasibility of Threat Scenario (weighting factor 1):
a) One or two individuals, little knowledge of the site, with simple technical means to achieve the desired effect (e.g. hand gun): SCORE 0
b) Limited group, minimal knowledge of the site, not technically sophisticated (e.g. regular weapons, hand gun, grenades, assault rifle): SCORE 1
c) Organised group, good knowledge of the site and sophisticated technical means (hand-made weapons such as IED): SCORE 2
d) Organised and trained group, good knowledge of the site and some of its countermeasures, sophisticated technical means (e.g. military weapons and hand-made weapons such as IED): SCORE 3
e) Highly trained group, very good knowledge of the site and its countermeasures, very sophisticated technical means (e.g. coordinated attack with war weapons): SCORE 4

Column 8, Total: sum of Weighting Factor x SCORE over columns 4 to 7 (e.g. 5 x 0 + 1 x 0 + 1 x 0 + 1 x 0 = 0).

TABLE 4 THREAT SCENARIO LIKELIHOOD

Level   Score     Threat Scenario Likelihood
L1      0         Lowest ranking
L2      1 - 8
L3      9 - 16
L4      17 - 24
L5      25 - 32   Highest ranking

Output step 5.1: Worksheet 10 Likelihood of an attack scenario

5.2 Risk Matrix: Severity & Likelihood of a Threat Scenario

Once the levels of the severity and likelihood of a successful threat scenario have been assessed, the risk level of each scenario can be determined with the help of a risk matrix which defines the level of acceptability of the security risk when taking into account the countermeasures in place. In the following proposed risk matrix, three levels of risk are defined with two extreme positions:
- An unacceptable level of risk: further improvements in countermeasures have to be proposed (in red).
- An acceptable level of risk, where it is considered that sufficient countermeasures have been implemented for the threat scenario, given that the level of confidence (robustness, availability, efficiency) of the countermeasures is guaranteed (in green).

Worksheet 11 SEVERITY AND LIKELIHOOD OF A THREAT SCENARIO
Columns: Asset Code; Asset Name; TOTAL THREAT SCENARIO LIKELIHOOD (from Worksheet 10 column 8); THREAT SCENARIO SEVERITY (from Worksheet 6 column 3); RISK (severity and likelihood).

In Worksheet 11 each critical asset and adversary combination should be reassessed for each attack method.
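The arithmetic behind Worksheet 10 (weighted sum of the a) to e) scores), Table 4 (banding of the total into L1 to L5) and Worksheet 11 (risk as the product of the likelihood and severity classifications, as in the Worksheet 13 storyboard) is small enough to check by machine. The following is an added illustration written for this page, not part of the IMPROVE SVA tool or its accompanying spreadsheets; the two scenarios and their scores are constructed, and the 1 to 5 severity scale is assumed from the "Impact SCORE = 5" used in the storyboard example.

```python
"""Worksheet 10 total, Table 4 banding and Worksheet 11 risk product.

Added illustration for the SVA worksheets; not part of the IMPROVE tool.
"""
from dataclasses import dataclass

# Worksheet 10 weighting factors: target attractiveness weighs 5, the rest 1.
WEIGHTS = {"attractiveness": 5, "vulnerability": 1, "robustness": 1, "feasibility": 1}

# Table 4 bands as (lowest total, highest total, level L1..L5).
TABLE_4_BANDS = ((0, 0, 1), (1, 8, 2), (9, 16, 3), (17, 24, 4), (25, 32, 5))


@dataclass(frozen=True)
class ThreatScenario:
    """One row of Worksheet 10: columns 1-3 identify it, columns 4-7 are scored a-e (0-4)."""
    asset: str           # column 1, critical asset
    adversary: str       # column 2
    method: str          # column 3, method of attack
    attractiveness: int  # column 4, target attractiveness
    vulnerability: int   # column 5, target vulnerability (ease of access)
    robustness: int      # column 6, target robustness of construction
    feasibility: int     # column 7, feasibility of threat scenario


def _check_score(name: str, value: int) -> None:
    if not isinstance(value, int) or not 0 <= value <= 4:
        raise ValueError(f"{name}: expected an a-e score in 0..4, got {value!r}")


def likelihood_total(s: ThreatScenario) -> int:
    """Column 8: sum of weighting factor x score over columns 4 to 7 (0..32)."""
    scores = {
        "attractiveness": s.attractiveness,
        "vulnerability": s.vulnerability,
        "robustness": s.robustness,
        "feasibility": s.feasibility,
    }
    for name, value in scores.items():
        _check_score(name, value)
    return sum(WEIGHTS[name] * value for name, value in scores.items())


def likelihood_level(total: int) -> int:
    """Table 4: band a column 8 total into level L1..L5 (returned as 1..5)."""
    for low, high, level in TABLE_4_BANDS:
        if low <= total <= high:
            return level
    raise ValueError(f"total {total} is outside the 0..32 range of Worksheet 10")


def risk_score(likelihood_lvl: int, severity_lvl: int) -> int:
    """Risk as the product of the two classifications (1..25), as in the storyboard.

    The severity level comes from Worksheet 6 column 3; treating it as 1..5 is an
    assumption taken from the 'Impact SCORE = 5' of the Worksheet 13 example.
    """
    for name, lvl in (("likelihood", likelihood_lvl), ("severity", severity_lvl)):
        if lvl not in range(1, 6):
            raise ValueError(f"{name} level must be 1..5, got {lvl!r}")
    return likelihood_lvl * severity_lvl


def worksheet_11(scenarios, severity_by_asset):
    """Build Worksheet 11 rows, highest risk first so the reddish area is reviewed first."""
    rows = []
    for s in scenarios:
        total = likelihood_total(s)
        lvl = likelihood_level(total)
        sev = severity_by_asset[s.asset]
        rows.append({
            "asset": s.asset,
            "adversary": s.adversary,
            "method": s.method,
            "likelihood_total": total,
            "likelihood_level": lvl,
            "severity_level": sev,
            "risk": risk_score(lvl, sev),
        })
    rows.sort(key=lambda r: (r["risk"], r["likelihood_total"]), reverse=True)
    return rows


# Constructed sample input (hypothetical scores, not taken from any real site).
SAMPLE_SCENARIOS = (
    # Scores e/d/c/d: 5*4 + 3 + 2 + 3 = 28 -> L5 (the storyboard's chlorine case)
    ThreatScenario("Chlorine tank outlet pipeline", "Organised, trained group", "VBIED", 4, 3, 2, 3),
    # Scores b/b/a/b: 5*1 + 1 + 0 + 1 = 7 -> L2 (the 'theft of a laptop' case)
    ThreatScenario("Site office laptop", "Individual criminal", "Theft", 1, 1, 0, 1),
)
SAMPLE_SEVERITY = {"Chlorine tank outlet pipeline": 5, "Site office laptop": 1}


if __name__ == "__main__":
    for row in worksheet_11(SAMPLE_SCENARIOS, SAMPLE_SEVERITY):
        print(f"{row['asset']:<32} total={row['likelihood_total']:>2} "
              f"L{row['likelihood_level']} S{row['severity_level']} risk={row['risk']}")
```

Because Table 4 reserves L1 for a total of exactly 0, any scenario with a non-zero attractiveness score lands in L2 or higher, which is the effect of the weighting factor 5 described above.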
Worksheet 12 Risk Matrix

Output step 5.2:
- Worksheet 11: Severity and Likelihood of an attack scenario
- Worksheet 12: Risk Matrix of likelihood and severity

5.3 Vulnerability Analysis

As described in the preliminary step about the working team, the vulnerability analysis should not be done by an individual, but in a team with expertise of the business, safety issues, business continuity, risk management and security aspects of the site. If needed, the competencies for risk analysis and security can be externalised. For specific issues like IT security, additional experts may be needed.

The relevant threat scenarios are those with the higher likelihood and higher severity. These are the higher risks (in the reddish area of the risk matrix). These relevant scenarios will be assessed in this SVA. For the vulnerability analysis the following is essential:
- review the relevant threat scenarios once more to determine how they would take place. If there are several options within one scenario, choose the most likely ones to explore more deeply. If these options are more or less equal, make one of these options into a new threat scenario;
- describe the scenarios precisely and in a detailed enough manner to identify the vulnerabilities of the site;
- identify and keep track of possibilities to reduce the likelihood and severity of the threat scenarios.

The SVA is an iterative process of the following assessments:
- assets and dependencies (with threats in mind);
- adversaries and methods of attack (with assets in mind);
- threats and critical assets (with countermeasures in mind).

Each of these assessments may and will influence the other two. It is up to the team to get the right iteration between these assessments and to determine the level of detail for the SVA documentation.
All information from the SVA will need to be documented in a comprehensive fashion.

Structure of SVA files and a database

An SVA file for each relevant threat scenario, as illustrated in Worksheet 13, Scenario 1, gives oversight and detailed information to enable a motivated choice in Step 6 for adequate countermeasures. These SVA files are a technical support for the vulnerability analysis to be carried out by the project team during work meetings. They allow the project team to apply a systematic approach to the analysis, particularly for the exploration of threat scenarios and the assessment and identification of the vulnerabilities. This systematic approach enables the team to be detailed and comprehensive in analysing the vulnerabilities of the site given the specific threats and the selected critical assets. By creating an SVA database gathering data for each relevant threat scenario, this information is available for analysis and later assessments and reports. The SVA database, including the tables and worksheets given in this document, will also help the team to express their thoughts and differences.

Worksheet 13 Example Storyboard

Scenario 1. Terrorists drive VBIED into chlorine tank

1. Threat scenario: Asset + Adversary + Attack
Loss of containment of chlorine due to a VBIED attack by Islamic terrorists on the pipeline at the outlet of the chlorine tank

2. Consequences
- Toxic dispersion of chlorine
- Casualties on site and off site
- Limited material damage

3. "Story Board": Plausible sequence of events (before, during and after the attack)
1. The terrorists found information about the site and the chlorine tank on the internet, and could observe the site from public grounds
2. The terrorists force their way into the site with the VBIED (destroying the entry barrier or threatening the guards at the entry)
3. The VBIED is crashed into the pipeline, killing the terrorists and causing a catastrophic event
4. Crisis, disaster and BC management are activated

4. Likelihood SCORE = 5 (reason: the target is easy to find, identify, observe and hit; it is a known target, etc.)

5. Impact SCORE = 5 (because more than 1,000 casualties, 10 billion euros of damage, etc.)

6. Risk SCORE (5 x 5 = 25): 25 is the highest risk score (dark red in the table)

7. Vulnerabilities (ineffective countermeasures for this threat scenario)
1. Information security measures did not prevent sensitive information from exposure on the internet.
2. Critical assets were not shielded from prying eyes.
3. The entry barriers were easily destroyed and forced by a vehicle.
4. The guardhouse offered the guards too little protection.
5. There was no physical barrier that could stop the VBIED in time / at sufficient stand-off.
6. The pipeline and the tank did not withstand the pressure wave and the shrapnel of the VBIED.
7. The safety systems that might have secured a leaking pipe or tank could not mitigate the massive release of chlorine caused by the VBIED attack.
8. Casualties increased because of the inadequate response of the emergency services (people were not directed to a safe area downwind).
Etc.

8. Suggestions to improve the security of the site for this scenario (for the likelihood and/or the severity). This will be input for steps 4 and 5.
1. The summary of the safety study, listing the catastrophic accidental scenarios and their consequences, should be informative for the public but elusive for adversaries
2. The entrance barrier can be strengthened or bollards can be added.
3. The guards could be protected by a special physical barrier.
Etc.

The SVA file for a single threat scenario is filled in as follows:
1. Choose a relevant threat scenario from the risk matrix (starting from the reddish area).
2. Identify the potential consequences of a successful attack from step 5.2.
3. Describe a plausible sequence of events of this threat scenario. This 'story' should be convincing enough for management who are not directly involved in the SVA. These stories are created throughout the process of the SVA.
4. The likelihood of the threat scenario is assessed in step 5.2. Put the classification and the highlights or a summary in this file.
5. The severity from step 5.3 is highlighted here. Also mention the classification.
6. The risk number is the position of the threat scenario in the risk matrix. It may be expressed as the product of the classifications for likelihood and severity. This risk profile can vary from low (green) up to high (dark red).
7. The listing of vulnerabilities is the outcome of the SVA. During the whole process of the SVA a record should be kept so that all relevant vulnerabilities will finally end up in this file. Future improvements and evaluations will probably be referenced against this list.
8. Preliminary suggestions or ideas for improvements may be listed here. They may include measures that will reduce the likelihood or the severity of an event.
Output step 5.3:
- A risk-ranked database with all SVA files (one file for each relevant threat scenario)
- A list of suggestions to reduce the likelihood and severity of the most relevant threat scenarios (to reduce the highest risks)

6 Step 6 Identification of Additional Security Countermeasures

Input step 6
Knowledge and Information Required:
- Security and relevant strategies for the site
- Implemented security and other relevant measures on the site
- A list of suggestions to reduce the likelihood and severity of the most relevant threat scenarios for the site
- A database with all relevant threat scenarios, 'story boards', vulnerabilities and the motivation of the mentioned suggestions
Additional expertise required: To be decided by the SVA team

It is acknowledged and accepted that the identification of appropriate additional security countermeasures, and their implementation, installation, commissioning and acceptance into the site safety and security framework, will represent a considerable commitment of time, effort, resources and finance on behalf of the site and staff. Step 6 therefore must not be underestimated and, although this guidance is included, the process of identification of appropriate additional security countermeasures should be considered as a project in its own right.

In this step, additional security countermeasures should be proposed for the "unacceptable" and "critical" threat scenarios in order to lower the likelihood or the severity of these scenarios to acceptable levels of risk. Additional security countermeasures should complement and strengthen the ones already in existence. These additional countermeasures will have to be implemented according to the security strategies defined in the output of Step 2.

Security management principles share many similarities with existing industry safety and associated practices. Whilst process safety programmes usually do not explicitly address malicious acts, the process of identifying and managing incidents such as fires, explosions and product releases means that there are significant commonalities between safety and security planning. Therefore, rather than create separate programmes to deal with events resulting from malicious acts and accidents involving hydrocarbons, it is desirable to integrate the countermeasures for both safety and security programmes[11]. Equally, industry practices such as restricting unauthorised access to sites on health and safety grounds, mustering, contraband control and supply chain security all contribute significantly to an effective security programme. Many sites will already have access control measures and perimeter fencing to meet health and safety requirements, existing company security policies or mandated security regulations (such as the ISPS code). Whilst complementary, these measures are not necessarily intended to counter threats to critical infrastructure and require additional specific security measures.

6.1 Analysis of additional permanent countermeasures

Countermeasures may be focused on:
- reducing the attractiveness of targets;
- reducing the likelihood of a successful attack;
- reducing the severity of the consequences of a successful attack.

There are generally three areas that should be considered:
- Inherent Safety Measures (for example segregation of volatile fluids)
- Procedural Safety & Security
- Physical Security, including Operational Requirements (ORs)

All of these should be included within the Operator Security Plan (OSP). This will provide a balanced, appropriate site and asset security position that is specific and commensurate to all risks.

Inherent Safety

Consideration can also be applied to designing out vulnerabilities.
This can be achieved by applying a combination of measures, such as introducing redundancy into the system or adding security-related process safety components. Ensuring an effective rapid repair and recovery capability can also significantly enhance operational continuity. In basic terms, for example, the addition of emergency shutdown valves can significantly reduce the effects of malicious events and is complementary to protective security measures.

11 Adapted from CCPS, 2003 (pp. 73-74) and Protecting Industry Against Terrorism (p. 12).

The feasibility of removing hazards or modifying processes in order to reduce the attractiveness of the asset or the potential impact of events can also be considered. This concept of 'Inherent Safety' may well help reduce the security risks of certain facilities. The four key principles of Inherent Safety are:
- Minimisation: reducing inventories of hazardous materials
- Substitution: utilising other materials that are not toxic, flammable or reactive
- Moderation: reducing processing conditions (pressures, temperature, flows etc.)
- Simplification: reducing the complexity of processes and controls.

These principles are described in more detail in the updated 2009 CCPS Inherent Safety Guidelines[12]. These principles have been applied successfully on SEVESO sites, in some cases have significantly reduced the hazards present, and can represent extremely attractive and effective security measures.

Procedural Safety & Security

A robust and well-conceived range of safety and security procedures, designed to complement the physical security arrangements, is required to be written and available to all personnel. At Step 2, the Facility Characterisation, we discuss the General Security Policy of the site, and there is a requirement there to gather and assess the existing site documentation and procedures that are already available. This includes the identification and documentation of the general philosophy and concept of the facility's management for the safety and security of the site. In doing so, the process should allow the SVA Team to identify any gaps in the procedural documentation, make recommendations to close them, and implement all of the required procedures and documents into the Operator Security Plan (OSP).

In any event, there should be an overall generic Operator Security Plan (OSP) that encompasses the following policies and procedures within the relevant parts of the plan:
- The general Strategy and Security Policy for the site
- Security Roles & Responsibilities across the Site / Organisation
- Minimum Security Standards for Site / Company
- Current and Historical Security Vulnerability Assessments (SVAs)
- Hazardous Vulnerable Points (HVP) & Vulnerable Points (VP) Assessments
- Personnel Policy: Selection, Training and Development
- Static and Mobile Guarding Procedures
- Access Control Policy
- IT Security Policy
- Emergency Management Response Policy & Procedures
- Incident Investigation Policy
- Graduated Security Procedures for Increased Threat
- Site Evacuation Policy & Procedures
- Bomb Search Plan & Procedures

12 CCPS 2009, 'Inherently Safer Chemical Processes – A Life Cycle Approach' (pp. 147-160).

Physical Security

The primary objective of physical security when protecting an installation is to achieve positive control of the protection of the facility and thereafter to apply the four key concepts of Deter, Detect, Delay and Respond to intrusions into the facility or designated zones. This is normally achieved by a combination of complementary physical and procedural measures, which should be integrated to achieve maximum effect.
This concept aims at creating sufficient time between the detection of an attack and the point at which the attack becomes successful, and should serve as a guideline for preventing and mitigating terrorist scenarios. Similarly, following this SVA process should allow the SVA Team to identify any gaps in the physical security, make recommendations to close them, and implement all of the required procedures and documents into the Operator Security Plan (OSP).

The following, although not exhaustive, are considered to be the core elements of physical security measures: security fencing; walls; barriers; pedestrian and vehicle access gates; Perimeter Intruder Detection Systems (PIDS); Automated Access Control Systems (AACS); lighting systems; CCTV systems; alarm systems; cages and internal security fences; locking systems; safes and safe rooms. A number of standalone security systems are capable of being electronically integrated to create a fully integrated smart security technological capability. Ideally, a full Operational Requirement (OR) assessment will have been undertaken for each element.

Additional security countermeasures, and their implementation, installation, commissioning and acceptance into the site safety and security framework, will represent a considerable commitment of time, effort, resources and finance on behalf of the site and staff. One of the main challenges when dealing with security countermeasures is the procurement of the most efficient and effective equipment or systems, and their implementation, installation, commissioning and acceptance into the site safety and security framework. Additionally, although it may depend upon the geographical location of the site in question, reference to certain government-sponsored or publicly available security catalogues is recommended:
- British Standards Institute Manual of Protective Security
- British Cabinet Office; Security Equipment Assessment Panel (SEAP)
- Loss Prevention Certification Board (LPCB) Red Books
- Security Access Control BS EN 50133
- CCTV for Security Applications BS EN 50132

The SVA Team should always consider harnessing and utilising specialist security advice from the full range of available sources when considering additional security countermeasures.

Operational Requirements

Studies of security technology projects have revealed that on many occasions the installed systems have either failed to meet the user expectations, failed to meet the perceived specification, or have proved to be inappropriate for the task. Often, the root cause has been the lack of a clear definition of requirements at the outset of the project. Self-evidently, the lack of a clear statement of requirement also makes it difficult to specify, commission and test physical security projects against a procurement contract. A structured methodology was therefore produced by the British Security Service (MI5) to address these shortfalls[13]; both the user community and vendors have broadly welcomed this process.

An Operational Requirement (OR) is simply a statement of need based on a thorough and systematic assessment of the problem to be solved and the hoped-for solutions. It introduces the concept of a structured methodology for determining the security measures for specific sites. In outline, the higher-level (Level 1) OR aims to articulate:
- The site or building under consideration.
- The assets to be protected.
- The perceived threats against the assets, and the probability of their occurrence.
- The physical areas containing the assets that give concern, and the perceived vulnerability of those areas to the threat.
- Success criteria.
- Possible security solutions.
Once this overarching statement has been produced, which involves all stakeholders, more detailed statements of requirements (Level 2) are produced for each area of concern, such as access control, barriers, Intruder Detection Systems (IDS) etc., and linked together.

13 MI5, 2006, Security Service Guide to Producing Operational Requirements for Security Measures.

6.2 Prioritisation of the Proposed Additional Security Countermeasures

A countermeasures analysis is the process of identifying where a shortcoming exists between the security measures in place and the desired level of security, or where additional suggestions may be justified to further limit risk. Each potential target is protected against the highest-level threat associated with that specific target. Appropriate measures can, for example, be selected from an available source guide such as the CCPS Guidelines or the suggested list of countermeasures in Attachment 17 – CCPS Security Vulnerability Analysis: Security Countermeasures Checklists.

At this point the SVA team should make a determination, using security expertise, as to the level of risk reduction the selected countermeasures provide. These analyses should be documented, as they provide the business case for the application of the countermeasures. The details of the countermeasures and the consideration of alternative risk reduction recommendations are left to the follow-up activities of the SVA. These activities include the need for a risk register and a resolution management system to track the design, implementation and performance measurement of their effectiveness. In any case, the aim should be to document the selected countermeasures and incorporate these into the Operator Security Plan (OSP).

During the vulnerability analysis, the lack of effectiveness of some existing countermeasures and the absence of some security functions or countermeasures should have been identified. As a result, improvements through the enhancement of some existing countermeasures, additional countermeasures and alternative risk reduction recommendations that may affect the likelihood or the severity of the threat scenario will have been proposed. These additional countermeasures have to be studied in the light of different aspects such as:
- the number of threat scenarios that a measure mitigates;
- the way in which a measure fits within the security strategy;
- the effectiveness in reducing the risk;
- the cost of the measure.

It will be important to balance the likelihood of the threat, the level of security on the site, national security and/or other regulatory requirements plus company-level security requirements against the cost effectiveness of measures and the expected outcomes. By doing so, the countermeasures and alternative risk reduction recommendations can be prioritised.

Specific in-depth studies may be required to analyse the efficiency and implementation of proposed countermeasures and the range of possible alternatives. These countermeasures or 'controls' should be set against clear objectives as to 'why' they are being proposed, with an associated statement of Operational Requirement to enable their effective implementation.

6.3 Enhanced countermeasures

The aforementioned additional permanent countermeasures can be defined as the countermeasures to be implemented to reach an acceptable security level in the "normal" situation. Enhanced countermeasures can be defined as the countermeasures to be implemented when a national or local threat level increases. For example, when the current threat level is low, vehicles may be searched at random.
But when the level of threat increases, the adequate level of security may be the searching of all vehicles. Another example of an enhanced security measure for an increased threat is to reduce non-essential activities and restrict access to the site. These enhanced countermeasures should be documented within the Graduated Security Procedures for Increased Threat, and all staff should be aware of their existence and content. Again, identifying and implementing enhanced countermeasures may require specific specialist studies or projects to be carried out in order to ensure that they are effectively scoped, identified and implemented.

Output step 6:
- List of prioritised additional countermeasures
- Project Implementation Plan for additional countermeasures
- Study of the enhanced measures for the higher levels of threat

7 Overview of the SVA methodology

The following figures illustrate:
- The different steps and sub-steps of the SVA methodology, as well as the inputs and outputs required to carry out these steps;
- The flowchart of the SVA methodology, showing the use of each worksheet and table to carry out the SVA methodology at each step of the process.

[Figure: Steps and sub-steps of the SVA methodology integrating the inputs and outputs of each step]

[Figure: Flowchart of the SVA methodology]

8 Appendix 1 Links between the SEVESO DIRECTIVE requirements and the SVA

The Scope of the SEVESO directive

Concerned industries

The SEVESO II Directive (96/82/EC) on the control of major accident hazards defines a number of requirements for the operators of industrial sites where dangerous substances (toxic, flammable, explosive or dangerous to the aquatic environment) are present in quantities equal to or in excess of certain thresholds (see Art. 2 and Annex I of the SEVESO II Directive). This definition covers a wide range of establishments, including:
- chemical production plants
- petrochemical industries
- refineries
- fuel storage facilities (liquid flammables)
- LPG storage
- LNG terminals (storage and re-gasification facilities)
- pharmaceutical industries
- fertilizers and agricultural products
- pyrotechnics and explosives

Requirements of the SEVESO II Directive

According to the quantity of dangerous substances stored, two categories of SEVESO sites are defined:
- the lower-tier SEVESO establishments, with quantities exceeding the lower threshold;
- the upper-tier SEVESO establishments, with quantities exceeding the higher threshold.

Requirements of the SEVESO II Directive are adapted to the level of danger and hence to the category of establishment. Thus, operators of lower-tier SEVESO establishments have to provide a notification, to define a major accident prevention policy (MAPP), to draw up accident reports, and to take into account land-use planning.
Operators of upper-tier SEVESO establishments additionally have to establish a safety report, to implement a safety management system, to define an internal emergency plan, to provide all necessary information to the competent authorities to enable them to draw up external emergency plans, and to inform the public. These requirements aim at preventing major accidents and mitigating their consequences, in order to protect human health and the environment.

Possible links between the SEVESO directive requirements and the SVA study

Some steps of the SVA can use the results of the documents produced to comply with the SEVESO II Directive. A schematic description of the relation between the requirements of the SEVESO II Directive and the SVA, as well as the relevant information flows, is given in Figure 1. These flows are described below step by step.

[Figure 1: Information flow between SEVESO and ECI requirements. Left side (SEVESO): screening/prioritisation by quantity of hazardous substances; not covered / lower-tier (Notification: description of establishment) / upper-tier (Safety Report: description of establishment and environment, risk assessment; Safety Management System; Emergency Planning; Inspection; Information to Public; Land-use Planning; Incident Reporting). Right side (ECI): screening/prioritisation by cross-cut and sectorial criteria; ECI installation / not ECI (Operator Security Plan: description of establishment, identification of important assets, risk analysis, counter-measures and procedures). Legend: Direct input / issue covered; Input / issue partially covered; Needs to be adapted; Conflict.]

Facility characterisation (step 2 of the SVA)

The description of the facility is one of the requirements of the Safety Report for upper-tier SEVESO establishments (see Annex II of Directive 96/82/EC and "Guidance on the preparation of a Safety Report to meet the requirements of Council Directive 96/82/EC as amended by Directive 2003/105/EC", available at http://mahbsrv.jrc.ec.europa.eu). Thus, for upper-tier SEVESO establishments a significant part of this information is already available through the facility's Safety Report, which in such cases will be the main data source of the facility characterisation.

Less extensive but still useful information exists in the Notification submitted to the authorities by lower-tier SEVESO establishments, according to Articles 6 and 7 of Directive 82/96/EC. It is expected that information about lower-tier establishments will have to be complemented from different sources (e.g. the MAPP and its underlying safety documentation). Finally, it should be noted that not all chemical and energy-related facilities are covered by the SEVESO II Directive.

It is worth noting that, as the SEVESO legislation focuses on safety-related data, the description of the SEVESO establishment should be completed by data related to purely security functions (e.g. height of perimeter fences, access control details, etc.) that may not be available in the SEVESO documentation and may have to be collected directly from the management of the site.
Asset Analysis (step 3 of the SVA)

The Safety Report should identify the installations and other activities of a SEVESO establishment which could present a major accident hazard. This identification is done by means of a screening method, as stated in the Safety Report Guidelines: “The installations of an establishment to be submitted to risk analysis have to be possibly selected through a screening method. The selection may follow the use of index methods or threshold criteria for hazardous substances or other suitable methods. The SMS should provide the necessary objectives and approach basics”.

Different screening methods apply in the different Member States to support the selection of the facility parts that need further analysis. For example, in Belgium a “Vademecum” has been developed to guide this selection; in the Netherlands the “Purple Book” recommends a method for the same purpose. The latter is based on the calculation of an indication number, taking into account the hazardous properties of the substances, and a selection number based on the installation and the surrounding areas.

This screening process will give the set of important chemical assets, which should be further analysed to identify “critical assets”. Usually this screening takes into account both the severity of possible consequences and their likelihood, both roughly estimated. While excluding assets from further analysis because the estimated severity of their destruction is low is acceptable, excluding them because of a low probability of occurrence is not appropriate in an SVA.

The process of identifying a list of assets can be summarised in the following steps:
1. Review the list of chemical assets deriving from the screening process for the purposes of the Safety Report.
2. Consider all those chemical assets whose analysis has not been conducted in the Safety Report due to an estimated low frequency of occurrence.
3. Consider non-chemical assets, in particular utilities, process control, emergency systems, personnel etc.
4. Consider interdependencies between the assets.
5. Estimate the severity of attack and the attractiveness of the target (including difficulty of attack) in order to analyse them according to Step 3 of the SVA methodology.

This identification can be the starting point of the asset identification for the SVA, and the data from the safety analysis should be used here, especially for the identification of critical chemicals. However, it should be kept in mind that security events may not release the hazard source term in the same way as accidental events: the initiating event may be more intense than the safety event, and the safety measures (barriers) could themselves be damaged.

Security vulnerability assessment (step 5 of the SVA)

This step aims at assessing the level of security for different combinations of “threat / asset” (each called a threat scenario) in a vulnerability assessment table. This table can be similar to the ones used in industrial safety, such as those derived from the HAZOP method, and is based on a scenario approach. In the Safety Report, accidental scenarios have been identified and the relevant hazards have been estimated. This information is important for the description of scenarios in the SVA and can be taken directly from the Safety Report. For lower-tier facilities, these scenarios need to be taken from the Safety Management System or from other calculations (e.g. for land-use planning). For each scenario, the off-site consequence analysis may include estimates of the release rate, quantity and conditions, of downwind effects, and of the impact on the surrounding population and the environment. The safety study, where one exists (it may be required if the site falls under the SEVESO directive), and the risk analysis can help give an overview of the possible consequences of the loss of containment of a hazardous substance.
Still, it should be remembered that the set of incident scenarios and the assessment of their consequences may have to be complemented with “worst-case” scenarios whose occurrence following an intentional attack cannot be excluded, even though it could reasonably be excluded for safety purposes. For example, suppose that a facility contains 2 tanks full of a dangerous substance, which are connected by a short pipe to the supply pipeline. If this short pipe has undergone corrosion treatment and is regularly inspected, it is reasonable to exclude the scenario of simultaneous release from both tanks. For security purposes, however, the scenario that an intelligent activist places a bomb exactly at this short pipe, so that following its rupture the complete contents of both tanks are released, cannot be excluded. In conclusion, reasonably worst-case scenarios cannot be excluded from a security risk assessment.

9 Appendix 2 Protection Strategies for Site Security Management

Layers of Protection / Rings of Protection

‘Layers of Protection’ is a concept well understood in the Chemical and Energy Sector Process Safety field [14]. A series of self-supporting but interacting measures are applied to a process in order to reduce the likelihood of an undesirable event occurring. This is shown graphically in Figure 1.

[Figure 1: Layers of protection (adapted from CCPS et al.), drawn as concentric layers from the innermost outwards: process design; process control; critical alarm layer; physical protection (e.g. relief devices); physical mitigation (blast hardening, bunding etc.); site emergency procedures/responses.]

This can be adapted to the security domain, whereby layers of countermeasures are (conceptually) placed in concentric rings around an asset. These measures may include:
- Security policies and procedures.
- Personnel security.
- Physical security.
- Cyber security (of Information and Communication Technologies – ICT, such as SCADA systems).
- Information security.
- Incident Management and Operational Continuity Management [15].
- Process Safety and other measures to mitigate the effects of a security event (see the comment on ‘Inherent Safety – IS’ which follows).

This is similar to commonly understood security concepts [16] such as ‘rings of protection’ or ‘defence in depth’, which are often applied to a facility or to individual assets. These can consist of a series of procedural or organisational measures (e.g. categorising and controlling visitors/contractors, applying information security controls to sensitive information) and physical security measures such as access control, perimeter barriers, lighting and detection in concentric layers. These principles are also commonly applied to cyber systems, where a mixture of procedural, cyber and physical security measures is applied to Information and Communications Technologies (ICT) systems in order to construct a layered, ‘in-depth’ security system. A well-designed system should aim to ensure that defeating one particular security control does not breach the whole security system. It should also be designed so that measures are independent of, but complementary to, each other.

14 CCPS, Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites (2003); CCPS, Layers of Protection Analysis: Simplified Process Assessment (2001); CCPS, Inherently Safer Chemical Processes – A Life Cycle Approach (2009); and appropriate standards such as IEC 61511 ‘Functional safety – Safety Instrumented Systems for the Process Industry Sector’.
15 For example see ISO/PAS 22399:2007, Societal security – Guideline for Incident Preparedness and Operational Continuity Management.
16 Again as described by CCPS (2003).

1. The “Deter, detect, delay” principle

The primary objectives of physical security when protecting an installation from an unauthorised intruder are to achieve positive control of access to the facility and thereafter to apply the four key concepts of Deter, Detect, Delay and Respond to intrusions into the facility or designated zones. This is normally achieved by a combination of complementary physical and procedural measures, which should be integrated to achieve maximum effect. The concept aims at creating sufficient time between the detection of an attack and the point at which the attack becomes successful, and should serve as a guideline for preventing and mitigating terrorist scenarios. These are discussed in more detail below.

Deter: prevent a breach of security by instilling fear or doubt. If security measures serve to deter an intruder then they will have served their aim. Security measures should not be seen in isolation, but rather as the combination of observable security countermeasures and other less tangible measures, such as target location, ease of reconnaissance etc., and security operations designed to disrupt the attackers’ activities. The deterrent factor of security measures will also depend on the determination and capabilities of the intruder. The overall operating environment plus the motivation, morale, training and fitness of the intruder are all intangible factors, and the deterrence value cannot therefore be objectively quantified. The concept of ‘displacement’ of the attacker from a well-protected site to another should also be borne in mind, especially where there are a number of sites from which to choose.

Measures: deter attacks by means of visible, professional, maintained security systems and measures, including well-trained security staff, detection systems, fences and barricades, and hardened or reduced-value targets.

Detect: identification of an antagonist before and/or during the attempt to execute a malevolent act.
Detection should be designed to identify an intruder, preferably at the earliest point of the intrusion. This can be achieved by a variety of technological or human means, including the use of guard dogs, or a combination thereof. Each has advantages and disadvantages, with none being completely reliable, although some of the more sophisticated technologies, and dogs, come close where installed or deployed effectively. All technologies require some level of human supervision, as all will have a false or spurious alarm rate. Technology solutions therefore require human intervention on alarm events, but can offer significant efficiencies and increased effectiveness, especially over mobile patrolling. The whole-system cost must however be considered from the outset, especially where physical verification of an alarm is required and entails deployment of a guard to the area of the alarm.

Security technologies are required to operate 24 hours per day, 365 days per year, to the required operational specification. Local conditions, such as weather, routine but extreme light changes, sun direction and angle, topography, site operations, wildlife, traffic and interference from other systems, can all adversely affect performance. In some cases, on very exposed sites, extreme weather can seriously degrade alarm and surveillance systems. It is therefore imperative that proposed systems are specified and tested for the specific site and local conditions. Where a system, despite limitations, represents the best option, it is necessary to be aware of why and when degradation will occur and, if necessary, to have contingency measures to negate it.

Delay: delay an attack for a sufficiently long period of time to enable an appropriate response. Imposing delay on an intruder can be achieved in a number of ways. Fences, walls, gates and pedestrian and vehicle gates/barriers are obvious choices, but the enhancement of natural features and the site environment can also be utilised.
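The Detect – Delay – Respond timing relationship described above, as an added example in Python (not part of the IMPROVE document or its spreadsheets): an intruder crosses a sequence of layers, detection may occur at any of them, and the intrusion is interrupted only if the delay still ahead at the point of detection is at least the response time. The detection probabilities, delay times and both site layouts are constructed for illustration and are not measured values.

```python
"""Detect / Delay / Respond timing model (added example, not part of the IMPROVE SVA tool).

The intruder crosses a sequence of layers from the perimeter to the asset. Detection may
happen at any layer; once detected, the response force needs response_min minutes to arrive.
The intrusion is interrupted only if the delay still ahead of the intruder at the point of
detection is at least the response time. All layer figures below are constructed for the
example, not measured values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Layer:
    name: str
    p_detect: float    # probability the intruder is detected while defeating this layer
    delay_min: float   # minutes this layer delays the intruder, counted from its detection point


def remaining_delay(path: List[Layer], detect_index: int) -> float:
    """Delay (minutes) still ahead of an intruder detected at layer `detect_index`.

    Detection is assumed to occur at the start of the layer, so that layer's own delay and
    every inner layer's delay still have to be worked through.
    """
    return sum(layer.delay_min for layer in path[detect_index:])


def critical_detection_point(path: List[Layer], response_min: float) -> Optional[int]:
    """Index of the innermost layer at which detection still leaves enough delay for the response.

    Returns None when even detection at the outermost layer is too late, i.e. the response is
    slower than the whole delay chain.
    """
    innermost = None
    for i in range(len(path)):
        if remaining_delay(path, i) >= response_min:
            innermost = i
    return innermost


def interruption_probability(path: List[Layer], response_min: float) -> float:
    """Probability that the intruder is detected early enough for the response to interrupt the attack.

    P(first detection at layer i) = p_detect[i] * prod(1 - p_detect[j] for j < i); only first
    detections at or outside the critical detection point count towards interruption.
    """
    p_undetected_so_far = 1.0
    p_interrupt = 0.0
    for i, layer in enumerate(path):
        p_first_detection_here = p_undetected_so_far * layer.p_detect
        if remaining_delay(path, i) >= response_min:
            p_interrupt += p_first_detection_here
        p_undetected_so_far *= 1.0 - layer.p_detect
    return p_interrupt


# Constructed layouts for a large site with a long traverse between perimeter and critical asset.
LAYOUT_A = [  # high-specification perimeter only
    Layer("perimeter fence with intrusion detection", 0.90, 3.0),
    Layer("open-site traverse (mobile patrols)", 0.20, 6.0),
    Layer("asset enclosure door", 0.30, 1.0),
]
LAYOUT_B = [  # lower-specification perimeter plus an inner barrier around the critical point
    Layer("perimeter fence, lower specification", 0.60, 1.0),
    Layer("open-site traverse (mobile patrols)", 0.20, 6.0),
    Layer("inner barrier with intrusion detection", 0.95, 4.0),
    Layer("asset enclosure door", 0.30, 1.0),
]


def compare_layouts(response_min: float) -> Tuple[float, float]:
    """Interruption probability of layout A and layout B for a given response time."""
    return (interruption_probability(LAYOUT_A, response_min),
            interruption_probability(LAYOUT_B, response_min))


if __name__ == "__main__":
    # With a slow response only perimeter detection helps; with a fast one the inner barrier pays off.
    for response in (4.0, 8.0):
        a, b = compare_layouts(response)
        print(f"response {response:>4.1f} min: P(interrupt) A = {a:.3f}, B = {b:.3f}")
```

Which layout is preferable therefore depends on the achievable response time, which is why the response arrangements have to be settled before the delay specification is fixed.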
These issues will be covered in more detail below. On large sites it may be more appropriate to accept a lower specification on the perimeter but add inner barriers around particularly critical points, thereby using the space and time needed to traverse the site as a delaying factor. As all barriers can be surmounted given time and technique, it is important that barriers are under some form of surveillance, offer enough time for the evaluation of alarms and, ideally, impose enough delay to allow for an effective response.

Respond: an effective response, appropriate to the nature of the alarm event, is fundamental to any physical security regime. Whatever the nature of the response, be it to evaluate or verify alarms, or to observe, interdict or apprehend, these need to be considered and clearly laid down. Given the nature of oil and gas installations, it is important that external responders are adequately familiarised, trained and equipped for the task. Issues such as coordination between security and emergency responses, intrinsically safe communications, firearms and associated tactics, and dynamic hazard assessment during an incident need to be addressed. Experience has shown that this aspect can require considerable local liaison and planning. It is important to work out what needs to be achieved in ‘functional’ terms and to formalise this as an ‘Operational Requirement’ (OR), and not to be swayed by the apparent attractiveness of a particular technology solution.

Figure 2: Graphical description of Deter – Detect – Delay – Respond

2. Options for Mitigating Effects

Furthermore, and in addition to the concept of “Layers of Protection”, measures to mitigate the effects of an undesired event should be considered.
Measures to harden facilities, such as adding blast protection to key assets or components, extending the perimeter or moving assets to achieve ‘stand-off’ from explosive attack, can be considered. In the case of hand-placed charges, achieving a small stand-off from a key component can significantly reduce the effects of an explosive charge. In the case of large explosive devices, imposing even a few tens of metres of stand-off from an asset can considerably reduce blast effects. It is important to seek expert security advice in this respect.

Consideration should also be given to process-safety-related incident management and operational continuity measures. Process safe-shutdown and other measures to deal with hazards arising from possible security events should be considered and pre-planned. For example, the possibility of a suspect package being found within an installation needs to be considered, and appropriate process-related procedures established, documented and practised.

10 Appendix 3 Threat Catalogue

Adversaries

It is necessary to ascertain the characteristics of the relevant adversaries that can threaten the site. The adversaries differ in motivation, goals, knowledge of the site, attack capabilities, risk acceptance and endurance. The following types of adversaries should at least be considered in this threat assessment:
- Terrorists (political, religious)
- Criminals (common, organised, cyber)
- Hackers
- Violent activists (environmental, animal rights, anti-globalists)
- Vandals and deranged individuals
- Frustrated, disgruntled or addicted employees and contractors

Collusion
Some of these adversaries may collude with each other. Some criminals will, for example, collude with hackers to obtain sensitive information such as credit card numbers and passwords.

Internal vs. External
All of these adversaries may be categorised as insiders or as outsiders.
Insiders have routine, unescorted site access, whereas outsiders do not. Their characteristics and capabilities are different. For example, the criminal insider (employee) may embezzle company property, whereas the criminal outsider (burglar) may force his way into the facility. Sometimes outsiders collude with insiders, again changing the characteristics and capabilities of the adversaries. This collusion may be motivated by monetary gain, ideological sympathy, blackmail or coercion.

Copy-cats
Successful acts of adversaries that have gained mass media attention are likely, sooner or later, to inspire copy-cats of all sorts. This has to be taken into account each and every time a relevant intentional act hits the media.

Guidance on some general characteristics and capabilities of the adversaries mentioned is given below.

Terrorists (political, religious)
Terrorists are the most difficult adversaries to contend with, given that they may be highly trained, well equipped and prepared to die to achieve their objectives. A primary characteristic of terrorism is the willingness to inflict as much damage on society as possible and to kill civilians. Terrorists use violence or the threat of violence to achieve political, religious or other ideological objectives. Many terrorists are willing to die for their cause. Some are willing to inflict maximum damage, many casualties and psychological terror on the population, and to create political chaos or instability, social disruption and major economic damage, to achieve their goals. Terrorists may seek targets with symbolic value. National treasures and landmarks, prominent public structures or a symbol of an ideology are examples of such iconic targets. Putting critical infrastructure out of business may well be one of their objectives.
Some terrorist groups prefer to commit multiple attacks more or less simultaneously in order to increase the impact of their actions. If terrorists decide to commit an attack on a CI, their mode of operation may involve several conceivable strategies, ranging from threatening attacks to actually shooting at or blowing up critical assets such as production facilities, storage tanks, power generators and pipelines. Although terrorists might collude with other adversaries, they tend to keep things within trusted circles to avoid detection by government agencies. Collusion between terrorists and insiders is a rare phenomenon, but they may seek to place someone in the organisation or to coerce staff, and this should be taken into account by the SVA team.

Criminals
If security concerns such as theft of goods, materials or information are a high management priority, then an adversary motivation and capability analysis should be conducted for criminals. In general, criminals will be looking for maximal financial gain obtained with minimal effort. Criminals can steal easily marketable goods such as computers, valuable materials, ready-made products or semi-manufactures, components and measuring instruments. Criminal attempts to steal these goods usually involve trespassing and burglary. Some criminals will want to know beforehand where valuable products are stored and how they are protected. In order to obtain such knowledge they can try to get help from insiders, hack IT systems, or observe and explore the premises. Although these actions are not aimed at disrupting industrial processes or inflicting damage, this can certainly be the result. Hijacking, kidnapping and extortion are also criminal offences, but these are not relevant for the SVA.

Hackers
Hackers try to break into third-party computer systems. It is often just the intellectual challenge which drives them.
It cannot be excluded that a hacker may manage to break into and manipulate systems controlling the industrial processes of a CI. Hackers may also seek critical information about the security systems of the site that could facilitate an attack. So far hackers have rarely intentionally inflicted damage on CI. However, a real threat emanates from adversaries like criminals or terrorists who get hackers to work for them. Links between computers all over the world can be established via the Internet. Still, most industrial controls and SCADA systems are not linked to the Internet, but the risk is increasing due to the use of common operating systems and growing interconnectivity.

Violent activists (environmental, animal rights, anti-globalists)
Non-violent activists try to draw attention to their cause by means of public demonstrations or small-scale, relatively peaceful actions such as climbing on objects or buildings. These activists are not the greatest concern in the SVA. Violent activists, however, are willing to break the law and use violence to empower their actions. Trespassing, stealing and destroying property, setting fires, short-circuiting and cutting power cables, clogging waste pipes, breaking in, defacing websites and denial-of-service attacks are some examples of their capabilities. Violent activists are usually outsiders.

Vandals and deranged individuals
Vandals destroy or damage public property on a small scale, inspired by youthful bravado, alcohol, a need to impress people or just for fun. Deranged individuals cause similar damage for no apparent reason. In general, vandals and deranged individuals are kept at bay by basic, down-to-earth security measures. Therefore the SVA usually does not need to address these adversaries.
Frustrated, disgruntled or addicted employees and contractors
Employees or contractors may be frustrated about job-related matters such as the absence of a promotion, problems with colleagues or financial problems. Others may have psychological problems in connection with stress or overwork, or marital or family problems. Another possibility is that employees are taking medication such as psychiatric drugs, or are addicted to drugs or alcohol. All these factors may upset employees and contractors to such an extent that they go off the rails, which manifests itself in, for example, rowdy, careless or negligent behaviour, unauthorised computer use, introduction of a computer virus, theft, collusion with criminals, arson or sabotage on a small scale.

As guidance, thirteen general characteristics of the threats mentioned (an adversary and a method of attack) are described below.

Bombings
Bombings are the prerogative of armies and terrorists, and in some cases criminal groups. Some terrorists use devices made for the military; others make them themselves (home-made). These devices are called IEDs (Improvised Explosive Devices). IEDs can be made in all forms, shapes and sizes. The following IEDs are distinctive:

Concealed IED
IEDs concealed on the body or in rucksacks have been used by suicide bombers quite frequently against soft targets. It is not unthinkable that concealed IEDs might one day be used against industrial sites.

Vehicle Borne Improvised Explosive Device
Vehicle Borne Improvised Explosive Devices (VBIEDs) can be used by terrorists to attack installations. In suicide attacks, the terrorist will crash the vehicle bomb through the gate into the desired target. The VBIED could be a car, a van or a truck.

VBIED parked near critical assets
It is relatively easy to hide explosives in a vehicle.
Terrorists have frequently deployed vehicle bombs against civilian targets, but seldom against industrial compounds so far. Parking a car bomb on the grounds of a chemical plant near a crucial target requires some knowledge of the local situation (where the right spot is and how it is protected). Preparatory activities may well be necessary. But it is difficult for a terrorist to assess the effect of this attack. Furthermore, a terrorist who intends to commit a car bomb attack has a choice of many other attractive targets which are often much easier (less risky) to attack.

IED placed near, on or against critical assets
It is relatively easy to make a portable improvised explosive device. IEDs have been used against the chemical industry before, such as in the UK by the Provisional IRA and in the Netherlands by Black September. Putting a portable IED against a crucial target at a chemical plant requires some knowledge of the local situation (where the right spot is and how it is protected). Preparatory activities may be identified by employees of the plant or by security officers. It is difficult for a terrorist to assess the effect of his attack. It can be argued that a terrorist who intends to commit an attack with an IED has a choice of many other attractive targets which are easier (less risky) to attack.

IEDs delivered by boat, glider or plane
IEDs delivered by boat, glider or plane are variations of the VBIEDs mentioned above. The likelihood and possible impacts of these attacks may vary greatly.

Shootings
Several adversaries might take a shot at an industrial site. In this SVA the terrorist shooting at critical assets on the site should be taken into account. Criminals would probably shoot at personnel instead of at critical assets.

RPG
Terrorists might shoot at critical assets on an industrial site with rocket-propelled grenades (RPGs).
RPG launchers are rather easy to obtain within criminal circles. So far terrorists have not carried out any attacks on industrial sites in Europe with rocket launchers. However, it cannot be ruled out that terrorists in the Western world will carry out such an attack in the future. But it seems likely that such an attack would cause only limited damage and a few casualties at most.

Rifle
Terrorists, criminals or others might shoot at critical assets on an industrial site with a rifle. But it seems likely that such an attack would cause only limited damage and a few casualties at most. Terrorists might shoot their way onto a facility to bomb, set fire to or sabotage critical installations.

Arson
Several adversaries might set fire to critical assets on a CI.

Molotov cocktails
Molotov cocktails might be thrown by violent activists, vandals and deranged individuals. These adversaries would throw the cocktail from public grounds onto flammable assets.

Incendiary device
Violent activists and terrorists might deploy an incendiary device. An attack with an incendiary device might be combined with an IED: the IED is meant to create a flammable atmosphere (by blowing up a container) and the incendiary device will set this on fire.

Lighting a fire
Violent activists, vandals, deranged individuals and frustrated, disgruntled or addicted employees and contractors could light a (camp) fire near or under critical assets of a CI. This fire might cause the critical asset to malfunction or to ignite.

Sabotage, Stealing and Manhandling

Manual sabotage
Violent activists, vandals, deranged individuals and frustrated, disgruntled or addicted employees and contractors might manipulate or intervene in critical assets or operations on a CI.
Remote sabotage by cyber-attack
Hackers, violent activists, vandals, deranged individuals and frustrated, disgruntled or addicted employees and contractors could try to manipulate or intervene in critical operations using the IT infrastructure of the facility.

Stealing
Several of the adversaries mentioned may consider stealing assets, products, tools etc. In this SVA only those thefts that may lead to serious consequences should be taken into account.

Manhandling
Violent activists, vandals, deranged individuals and frustrated, disgruntled or addicted employees and contractors could break or destroy critical assets or parts thereof.

11 Appendix 4 Glossary, References and Bibliography

Glossary
CCPS – Centre for Chemical Process Safety
CI – Critical Infrastructure
DG JLS – Direction Générale Justice, Libertés et Sécurité
ECI – European Critical Infrastructure
EPCIP – European Programme for Critical Infrastructure Protection
EURAM – European Risk Assessment Methodology
ICT – Information and Communications Technologies
IED – Improvised Explosive Device
HAZOP – Hazard and Operability study
OSP – Operator Security Plan
RAMCAP – Risk Analysis and Management for Critical Asset Protection
RPG – Rocket-Propelled Grenade
SCADA – Supervisory Control and Data Acquisition, an IT system which carries out process control
SVA – Security Vulnerability Analysis
VBIED – Vehicle Borne Improvised Explosive Device
WP – Work Package

References
CCPS, “Guidelines for Hazard Evaluation Procedures”, 3rd edition, American Institute of Chemical Engineers, New York, 2008, www.wiley.com/go/ccps
CCPS, “Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites”, American Institute of Chemical Engineers, New York, 2003, www.wiley.com/go/ccps
CCPS, “Inherently Safer Chemical Processes – A Life Cycle Approach”, American Institute of Chemical Engineers, New York, 2009, www.wiley.com/go/ccps
Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, OJ L 345/75 of 23.12.2009
MI5, “Protecting Industry Against Terrorism”, 2nd edition, 2005. Further information may be found on www.mi5.gov.uk or CPNI.gov.uk
MI5, “Security Service Guide to Producing Operational Requirements for Security Measures”, 2006. Further information may be found on www.mi5.gov.uk or CPNI.gov.uk
CCPS, “Layers of Protection Analysis: Simplified Process Assessment”, American Institute of Chemical Engineers, New York, 2001, www.wiley.com/go/ccps
IEC 61511, ‘Functional safety – Safety Instrumented Systems for the Process Industry Sector’

Bibliography
Dr Larry Ness, “Securing Utility and Energy Infrastructures”, Wiley Interscience, New Jersey, 2006, www.wiley.com
Mary Lynn Garcia, Sandia Corporation (US Department of Energy), “Vulnerability Assessment of Physical Protection Systems”, Massachusetts, 2006, www.books.elsevier.com
ISO/PAS 22399:2007, Societal security – Guideline for Incident Preparedness and Operational Continuity Management

12 Appendix 5 Worked Example

12.1 Introduction
The worked example describes how the SVA tool was used for an assessment of a chlorine production plant. The plant studied was located next to a major town and river, and there were extensive transport links running near to the plant. The site has multi-modal road and rail plus water (barge and shipping) links and infrastructure. The site had a basic level of security already in place.
A typical chlorine production plant consists of brine production/treatment, cell operations, chlorine cooling and drying, chlorine compression and liquefaction, liquid chlorine storage and loading, caustic handling, evaporation, storage and loading, and hydrogen handling. Other key assets were pipework, control systems (SCADA) and utilities (the process uses significant quantities of energy (electricity) and processed, de-ionised water). The process flow used in the worked example was as follows:

Sodium Chloride (Brine) -> Brine Saturation/Treatment system -> Chlorine Production Unit (cell room) -> Chlorine cooling and drying -> Chlorine Compression and liquefaction -> Chlorine Storage and Loading

12.2 Step 1 and 2
Firstly we completed a Project Plan for the SVA (worksheet 1) and completed the Key Document Register (worksheet 2). Next we determined the site attractiveness using worksheet 3, which is shown below. To use this table, look at each site description category (for example, the first one is ‘proximity to a major city and media attention level’) and choose the description that best meets the site in question. Take the score of the description that best represents the site you are completing the SVA for and multiply this score by the weighting factor. So in the first category, ‘proximity to a major city and media attention level’, we chose description c), ‘Next to a capital or in a major city // adjacent to a nationally symbolic icon or site: the site attack will imply a national media attention, SCORE 3’, and we then multiplied it by the weighting factor, which is 1 in this category, to give an overall score of 3. We then repeated the process for each category and put the score in the right-hand column; finally we summed the scores to give an overall score for the attractiveness of the site, which in the case of the worked example gave a total of 21.
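The Worksheet 3 calculation just walked through, as an added example in Python (not part of the IMPROVE tool or its spreadsheets): each category is scored a) to d) as 1 to 4, multiplied by its weighting factor and summed. The weighting factors 1, 3, 5 and 2 are those shown in the worksheet; the option texts are abbreviated, and the options assumed for the last three categories of the worked example are inferred from their category totals.

```python
"""Worksheet 3 site attractiveness calculator (added example, not part of the IMPROVE SVA tool).

Each site description category offers options a) to d) scoring 1 to 4; the chosen score is
multiplied by the category's weighting factor and the four products are summed. The weighting
factors (1, 3, 5, 2) are those shown in Worksheet 3 as reproduced in the document; the option
texts are abbreviated here.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Tuple

SCORE_BY_OPTION = {"a": 1, "b": 2, "c": 3, "d": 4}


@dataclass(frozen=True)
class Category:
    name: str
    weighting: int
    options: Mapping[str, str]  # option letter -> abbreviated description


WORKSHEET_3 = (
    Category("proximity to a major city and media attention level", 1, {
        "a": "rural zone, no symbolic site: no or very local media attention",
        "b": "urban zone or regionally symbolic site: limited media attention",
        "c": "next to a capital / major city or nationally symbolic site: national media attention",
        "d": "in a capital or city centre, adjacent to a world-famous landmark: national or European event",
    }),
    Category("societal disruption", 3, {
        "a": "disruption of local society",
        "b": "disruption of regional society or a major regional supply",
        "c": "disruption of national economy/society or a major national supply",
        "d": "disruption of European/international economy or critical infrastructure",
    }),
    Category("threatened operator", 5, {
        "a": "no known threat against the country or the operator",
        "b": "operator threatened by employees or local associations",
        "c": "country threatened by regional activists; sector thought to be a potential target",
        "d": "operator's country threatened by international terrorist organisation; site a known target",
    }),
    Category("company reputation, brand exposure and recognition", 2, {
        "a": "no controversy, company not known or only locally well-known",
        "b": "local controversy or target of local associations, regionally well-known",
        "c": "controversy in the national media or nationally well-known",
        "d": "controversy in the international media or internationally well-known",
    }),
)


def attractiveness(choices: Mapping[str, str]) -> Tuple[int, Dict[str, int]]:
    """Return (total, per-category totals) for a mapping category name -> chosen option letter.

    Every category must be answered with one of a)-d); anything else is rejected rather than
    silently scored, since the total feeds Worksheet 5 (column 8) downstream.
    """
    breakdown: Dict[str, int] = {}
    for category in WORKSHEET_3:
        option = choices.get(category.name)
        if option not in category.options:
            raise ValueError(f"category {category.name!r}: choose one of a)-d), got {option!r}")
        breakdown[category.name] = SCORE_BY_OPTION[option] * category.weighting
    unknown = set(choices) - {c.name for c in WORKSHEET_3}
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    return sum(breakdown.values()), breakdown


def score_range() -> Tuple[int, int]:
    """Lowest and highest total the worksheet can produce (all options a) / all options d))."""
    weights = sum(c.weighting for c in WORKSHEET_3)
    return weights * 1, weights * 4


# Choices of the worked example: c) is stated in the text for the first category; the others
# are inferred (assumption) from the category totals shown in the worksheet (9 = 3 x 3,
# 5 = 1 x 5, 4 = 2 x 2).
WORKED_EXAMPLE_CHOICES = {
    "proximity to a major city and media attention level": "c",
    "societal disruption": "c",
    "threatened operator": "a",
    "company reputation, brand exposure and recognition": "b",
}

if __name__ == "__main__":
    total, per_category = attractiveness(WORKED_EXAMPLE_CHOICES)
    for name, value in per_category.items():
        print(f"{name:<55} {value:>3}")
    print(f"{'TOTAL (to Worksheet 5, column 8)':<55} {total:>3}")  # 21 for the worked example
```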
Worksheet 3 Site Attractiveness
Total = Score x Weighting factor

Site description | Description and scores | Weighting factor | Total for the site

Proximity of a major city or well-known site and the media attention level (Weighting factor 1; Total for the site 3)
a) No major or symbolic city // Rural zone // No major or symbolic icon or site, or only a locally symbolic or iconic site: the site attack will gain no media attention, or only very local attention. SCORE 1
b) In an urban zone // Regionally symbolic icon or site: the site attack will gain limited media attention. SCORE 2
c) Next to a capital or in a major city // adjacent to a nationally symbolic icon or site: the site attack will imply a national media attention. SCORE 3
d) In the capital // in the city centre of a major city // adjacent to an internationally famous or major recognisable landmark (e.g. European Commission, Eiffel Tower) or world famous icon or site: a site attack will imply a substantial national or European event. SCORE 4

Societal disruption at the local, regional, national or international level (Weighting factor 3; Total for the site 9)
a) Disruption of local society. SCORE 1
b) Disruption of regional society // Disruption of a major regional supply. SCORE 2
c) Disruption of national economy or society // Disruption of a major national supply. SCORE 3
d) Disruption of European / international economy or critical infrastructure. SCORE 4

Threatened operator (Weighting factor 5; Total for the site 5)
a) No known threat against the country or the operator. SCORE 1
b) Operator threatened by employees or by local associations. SCORE 2
c) Country threatened by regional activists (e.g. separatists); sector mentioned as, or commonly thought to be, a potential target for terrorists, but no threat. SCORE 3
d) Country of origin of the operator threatened by an international terrorist organisation (e.g. USA, Israel, UK); site known as a terrorist target. SCORE 4

Company reputation, brand exposure and recognition (Weighting factor 2; Total for the site 4)
a) No controversy or association actions known against the company; company not known or only locally well known (e.g. local major employer). SCORE 1
b) Company which has been the subject of a controversy at the local level (because of its type of activities, its way of operating, an accident, etc.) or is the target of local associations, or regionally well-known company (e.g. major employer of the region). SCORE 2
c) Company which has been the subject of a controversy in the national media (because of its type of activities, its way of operating, an accident, etc.) or nationally well-known company. SCORE 3
d) Company which has been the subject of a controversy in the international media (because of its type of activities, its way of operating, an accident, etc.) or internationally well-known company. SCORE 4

TOTAL 21 (Total automatically moves to Worksheet 5 column 8)

12.3 Step 3 Assets Analysis

The next step is the identification of the principal assets. In this step the assets should be listed at the system level only; assets at the component level are dealt with later in the SVA. Principal assets should be listed in Worksheet 4, as shown on the following page. Alongside the principal assets, the rationale for selecting them as principal assets should also be listed, as shown below. In the case of our worked example 6 principal assets are listed, all of which form a key part in the operation of the chlorine production plant.
Worksheet 4 List of Principal Assets

List of Principal Assets | Justification and Description
Chlorine production unit 'x' | The site cannot continue operation without this asset
Chlorine tank | The volume of chlorine in the tank would cause a major impact offsite
Entrance and Exit routes | Site is dependent on these routes for continued operation
Hydrogen pipe and storage tank | Damage to this asset would cause a fire, attract media attention and close nearby roads and river
Manifold 'y' | This is a single point of failure and the site cannot continue operation without this asset

Identified principal assets are then assessed according to two criteria: the asset attractiveness and the asset severity. Here the selection of principal assets may differ from the selection of assets made when considering a business/operational continuity focus. The salient question of this assessment is "what types of events will cause the disruption of a critical infrastructure, the release of a chemical or the destruction of equipment or components in such a way that the most serious consequences will occur?" This assessment is done considering the existing situation of the site and of the asset, taking into account the benefits of existing countermeasures that protect the asset.

There are nine factors for the determination of attractiveness, of which four are focussed on the site (see Worksheet 3) and five specifically on the individual asset (see Worksheet 5). To do this, copy the list of assets to Worksheet 5 and copy the overall site attractiveness score from Worksheet 3. Each individual asset is then scored and weighted according to its individual attractiveness, and the total for each principal asset is added to the site attractiveness developed in Worksheet 3. The total is then used to look up the attractiveness level in Table 1.
In the case of our example the chlorine production unit 'x' gets a total score of 47 and an attractiveness level of A2, and the hydrogen pipe gets a score of 57 and an attractiveness level of A3. Five levels of asset attractiveness are defined and classified as shown in Table 1. This step results in the evaluation of the potential attractiveness of all assets as perceived by adversaries, and enables the identification of the high value assets according to their attractiveness.

WORKSHEET 5 ATTRACTIVENESS OF THE SITE AND THE ASSET

Column 1: Critical Assets (from Worksheet 4)

Column 2: Easiness to find the asset in the site (Weighting Factor 3)
a) Hidden. SCORE 1
b) Only employees can know where the asset is; not noticeable from the exterior, even on a map. SCORE 2
c) Not noticeable from the exterior but easy to spot on a map. SCORE 3
d) Everybody knows where the asset is, or it is at the limit of the site. SCORE 4

Column 3: Easiness to access (Weighting Factor 3)
a) High security site and the asset is at the centre of rings of protection (need to penetrate numerous robust rings of protection to reach the asset, with no possible common failure). SCORE 1
b) Restricted access to the site and to the asset: only a restricted number of employees have access to the asset, and the asset is in the centre of numerous rings of protection. SCORE 2
c) Restricted access to the site but no restricted access to the asset. SCORE 3
d) Site open to the public. SCORE 4

Column 4: Easiness to hit (Weighting Factor 3)
a) No line of sight from the exterior and visible with difficulty from the site itself; also shielded from the internet. SCORE 1
b) Asset protected by many other buildings, vegetation or many other installations (presence of major obstacles). SCORE 2
c) Asset protected by few other buildings, vegetation or few other installations (presence of few obstacles). SCORE 3
d) Sitting duck: no protection of the asset. SCORE 4

Column 5: Importance of the asset to company continuity (Weighting Factor 2)
a) Not at all, or equipment without a major importance in operation. SCORE 1
b) Threats could be made, or equipment which can be by-passed for a short period and quickly replaced. SCORE 2
c) Threats have been made or warnings are given against the asset or against similar assets, or equipment which can be by-passed during a short period but takes time to replace. SCORE 3
d) Key and irreplaceable process equipment, or equipment without which the company cannot operate. SCORE 4

Column 6: Value and merchandising (Weighting Factor 5)
a) No value. SCORE 0
b) Asset with very low value and very difficult to merchandise in parallel markets. SCORE 1
c) Asset with medium value but difficult to merchandise in parallel markets. SCORE 2
d) Asset with high value and rather easy to merchandise in parallel markets. SCORE 3
e) Asset with very high value and easy to merchandise in parallel markets. SCORE 4

Column 7: TOTAL (sum of score x weighting factor over columns 2 to 6)
Column 8: SITE ATTRACTIVENESS (total for the site from Worksheet 3)
Column 9: Total (site + asset) = column 7 + column 8
Column 10: Attractiveness level (look up column 9 in Table 1)

Critical asset | Col 2 | Col 3 | Col 4 | Col 5 | Col 6 | Col 7 asset total | Col 8 site | Col 9 site + asset | Col 10 level
chlorine production unit 'x' | 6 | 6 | 6 | 8 | 0 | 26 | 21 | 47 | A2
chlorine tank | 12 | 9 | 12 | 4 | 0 | 37 | 21 | 58 | A3
facility entrance and exit routes | 12 | 12 | 12 | 4 | 0 | 40 | 21 | 61 | A3
hydrogen pipe | 12 | 9 | 9 | 6 | 0 | 36 | 21 | 57 | A3
hydrogen storage tank | 12 | 9 | 12 | 6 | 0 | 39 | 21 | 60 | A3
manifold 'y' | 6 | 6 | 6 | 6 | 0 | 24 | 21 | 45 | A2
SCADA process control system, component 'z' | 3 | 6 | 3 | 6 | 0 | 18 | 21 | 39 | A1
(The values in columns 2 to 6 are score x weighting factor.)

TABLE 1 ASSET ATTRACTIVENESS LEVEL

Asset attractiveness level | Score | Definition
A1 | 22 – 38 | Least attractive asset on the site
A2 | 39 – 54 | Low attractive asset on the site
A3 | 55 – 73 | Medium attractive asset on the site
A4 | 74 – 90 | High attractive asset on the site
A5 | 91 – 108 | Extremely attractive asset on the site

Next we need to determine the asset impact, that is, the result should an adversary successfully compromise an asset.
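The attractiveness calculation of Worksheets 3 and 5 and the Table 1 lookup, as an added Python illustration that is not the consortium's spreadsheet: the four site scores are reconstructed from the printed totals (total divided by weighting factor), the raw asset scores from the printed weighted columns, and every score is range-checked before it is weighted.

```python
"""Site and asset attractiveness of the IMPROVE SVA worked example
(Worksheet 3, Worksheet 5, Table 1). Added illustration, not the
consortium's spreadsheet."""

# Worksheet 3: (category, weighting factor, chosen score 1-4).
# Chosen scores are reconstructed from the printed totals (3/1, 9/3, 5/5, 4/2).
SITE_CATEGORIES = [
    ("Proximity of a major city or well-known site and media attention", 1, 3),
    ("Societal disruption at local, regional, national or international level", 3, 3),
    ("Threatened operator", 5, 1),
    ("Company reputation, brand exposure and recognition", 2, 2),
]

# Worksheet 5 columns 2-6: (factor, weighting factor, allowed raw score range).
ASSET_FACTORS = [
    ("Easiness to find the asset in the site", 3, (1, 4)),
    ("Easiness to access", 3, (1, 4)),
    ("Easiness to hit", 3, (1, 4)),
    ("Importance of the asset to company continuity", 2, (1, 4)),
    ("Value and merchandising", 5, (0, 4)),
]

# Table 1: attractiveness level by column 9 total (site + asset).
TABLE_1 = [("A1", 22, 38), ("A2", 39, 54), ("A3", 55, 73), ("A4", 74, 90), ("A5", 91, 108)]


def site_attractiveness(categories=SITE_CATEGORIES):
    """Worksheet 3: sum of score x weighting factor over the four site categories."""
    for name, weight, score in categories:
        if not 1 <= score <= 4:
            raise ValueError(f"{name}: score {score} outside 1-4")
    return sum(weight * score for _, weight, score in categories)


def asset_total(raw_scores):
    """Worksheet 5 column 7: weighted sum of the five raw factor scores."""
    if len(raw_scores) != len(ASSET_FACTORS):
        raise ValueError("one raw score per factor expected")
    total = 0
    for (name, weight, (lo, hi)), score in zip(ASSET_FACTORS, raw_scores):
        if not lo <= score <= hi:
            raise ValueError(f"{name}: score {score} outside {lo}-{hi}")
        total += weight * score
    return total


def attractiveness_level(total):
    """Table 1 lookup on the column 9 total (site + asset)."""
    for level, lo, hi in TABLE_1:
        if lo <= total <= hi:
            return level
    raise ValueError(f"total {total} outside Table 1 range 22-108")


def worksheet_5(assets, site_score):
    """Return {asset: (column 7, column 9, column 10)} for each critical asset."""
    rows = {}
    for name, raw_scores in assets.items():
        a = asset_total(raw_scores)
        rows[name] = (a, a + site_score, attractiveness_level(a + site_score))
    return rows


# Raw (unweighted) scores recovered from the worked example's weighted columns
# (e.g. 6 = 3 x 2, 12 = 3 x 4, 8 = 2 x 4).
EXAMPLE_ASSETS = {
    "chlorine production unit 'x'": (2, 2, 2, 4, 0),
    "chlorine tank": (4, 3, 4, 2, 0),
    "facility entrance and exit routes": (4, 4, 4, 2, 0),
    "hydrogen pipe": (4, 3, 3, 3, 0),
    "hydrogen storage tank": (4, 3, 4, 3, 0),
    "manifold 'y'": (2, 2, 2, 3, 0),
    # Total 39 sits on the A1/A2 boundary of Table 1 (A2 starts at 39);
    # the printed worksheet records A1 for this row.
    "SCADA process control system, component 'z'": (1, 2, 1, 3, 0),
}

if __name__ == "__main__":
    site = site_attractiveness()
    print(f"Worksheet 3 site attractiveness: {site}")
    for asset, (a, t, level) in worksheet_5(EXAMPLE_ASSETS, site).items():
        print(f"{asset:45s} asset {a:3d}  site+asset {t:3d}  {level}")
```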
The asset impact level is decided by considering the various categories of consequence described in Table 2, the Asset Impact Table. The level should be taken as the highest level of consequence feasible from an attack on an asset. For the material consequences, the value of damages determining each level will be set by the operator according to its turnover, its reputational value and/or its investment capacity. Table 2 gives an example of levels that could be used. Within Table 2 each SVA team should discuss and set its own financial criteria for the property damage in each impact level, as this will need to be appropriate for each particular industrial site where the SVA is carried out. Clearly any level of casualty is a serious matter; however, for the purpose of this SVA it is critical that the SVA team identifies the number of potential casualties and fatalities that would arise from each mode of attack. When selecting the impact level the SVA team should consider all the issues (a-e) in each impact level and base the level on the highest impact risk. Once the impact level for each principal asset has been decided, it should be entered into Worksheet 6 alongside the relevant asset.

Table 2 The Asset Impact Table

LEVEL I1
a. Casualties: no more than one dead person and less than 10 severely injured people
b. Negligible environmental impacts, even if the target has significant symbolic value (example: destruction of a prominent national monument)
c. Negligible economic impact
d. Over XX € property damage (estimated as less than in S2)
e. Significant impact on the company reputation

LEVEL I2
a. Casualties: from 1 to 10 dead people and from 10 to 100 severely injured people
b. Environmental impacts to the immediate site area only
c. Important economic disruption to the facility economy
d. Over XX € property damage (estimated as less than in S3)
e. High impact on the company reputation

LEVEL I3
a. Casualties: from 10 to 100 dead people and from 100 to 1'000 severely injured people
b. Major environmental, food chain or product impact with no health impact on the population but widespread and visible effects (example: large environmental damage)
c. Severe economic disruption to the regional or industry economy
d. Over XX € property damage (estimated as less than in S4)
e. High impact on the company reputation

LEVEL I4
a. Casualties: more than 100 dead people and more than 1'000 severely injured people
b. Major environmental, food chain or product impact with possible widespread lesser health impact on the population (example: contamination of food that causes widespread illness but no lasting effects except to sensitive populations)
c. Severe economic disruption to the national economy
d. Over XX € property damage (estimated as less than in S5)
e. Very high impact on the company reputation

LEVEL I5
a. Casualties: more than 1'000 dead people and more than 10'000 severely injured people
b. Major environmental, food chain or product impact with possible widespread major health impact on the population (example: large scale toxic contamination of drinking water or pharmaceuticals)
c. Severe economic disruption to the European economy
d. Over XX € property damage
e. Very high impact on the company reputation

Proposal of impact levels for the vulnerability analysis (based on the CCPS SVA guidelines).

Once the impact level of the potential consequences of a successful attack on a designated asset and the attractiveness level of that asset have been ranked, the critical level of the asset can be determined with the help of a matrix which combines the impact and the attractiveness of the principal assets. The attractiveness level is taken from Worksheet 5. The rankings of each asset in attractiveness and impact are inserted into Worksheet 6, the Impact and Attractiveness Worksheet. The Asset Code column can be used to identify each asset by assigning a letter 'A' to 'Z'; this will assist when plotting the asset on a risk map.

Worksheet 6 Impact and Attractiveness Worksheet

Asset Code | Principal assets | Attractiveness level (see Worksheet 5 column 10) | Impact level (see Impact Table 2) | Impact v Attractiveness Risk Map coordinates
A | Chlorine production unit 'x' | A2 | I2 | A2 I2
B | Chlorine tank | A3 | I5 | A3 I5
C | Site Entrance and Exit | A3 | I2 | A3 I2
D | Hydrogen pipe and storage tank | A3 | I1 | A3 I1
E | Manifold 'y' | A2 | I1 | A2 I1
F | SCADA process control system, component 'z' | A1 | I1 | A1 I1

Plot the Risk Map co-ordinates from Worksheet 6 onto Worksheet 7, the Attractiveness versus Impact Risk Map. As a result of this analysis, the SVA team have now determined a list of some of the highly critical assets.

Worksheet 7 Risk Map: Attractiveness (VL, L, M, H, VH; axis marks 0, 1.5, 2.5, 3.5, 4.5) plotted against Impact (VL, L, M, H, VH; axis marks 0, 1.5, 2.5, 3.5, 4.5).

In the above matrix, two extreme critical levels for the asset are defined at two extreme positions: a highly critical level for the more attractive (high value) and more severe impact targets (red), and a low-range critical level for the less attractive and less severe impact targets (green).
In this risk map the team seeks to identify the more attractive (high value) asset targets which, if successfully attacked, would result in the more severe impacts; these are therefore the most critical. In order to complete this matrix the SVA team must set the limits applicable to their own organisation or site facility for the three zones (green, amber and red). As a result of this analysis, the SVA team have now determined a list with at least the highly critical assets. As one can see in this example, the chlorine tank at A3 I5 would be within the red zone and is seen as the most attractive asset to an adversary, and the SCADA process control system component 'z' is seen as the least attractive asset to an adversary.

12.4 Step 4 Threat Analysis

It is recommended to seek additional specialist expertise and advice in order to obtain the data to fill in the worksheets in this step. It should also be borne in mind that adversaries can and do change at short notice, and therefore this data also needs constant updating. Details and guidance on obtaining specialist advice are given in section 0.3 of this document.

The threats described in Worksheet 8 show some preferential methods of attack for different adversaries. This worksheet is only indicative, but can be helpful for suggesting relevant threats. In the case of our example we chose a variety of IED-related threats as being plausible, together with a cyber attack and two criminal activities; then, using Table 3, these were scored according to capability and intent.
Worksheet 8 Ranking of the Most Relevant Threats

Method of attack (rows): Concealed IED; VBIED crashed into critical asset; VBIED parked near critical asset; IED placed near critical asset; IEDs by boat, glider or plane; RPG; Rifle; Molotov cocktails; Incendiary device; Lighting a fire; Blockade; Manual sabotage; Remote sabotage by cyber attack; Stealing; Physical assault on staff; Counterfeit critical components.

Adversaries (columns, each scored for Intent (I) and Capability (C)): Terrorist; Employees; Vandal; Activist; Hacker; Criminal.

By characterising the threat in terms of intent and capabilities of adversaries, this worksheet enables the selection of the most relevant, plausible and realistic threats.

Table 3

I = INTENT
1 There is no justification to think the adversary has the intention to do so
2 The adversary may have the intention to do so
3 The adversary will certainly do so if there is an opportunity

C = CAPABILITY
0 The adversary does not have the capability to do so
1 The adversary may have the capability to do so
2 The adversary certainly has the capability to do so

The 0 score for capability means that the adversary does not have the capability to do so, and therefore reflects the fact that in this case there is no threat resulting from this option. Once the threats were scored according to intent and capability, they were ranked by multiplying intent by capability to obtain the most relevant threats, which in this case were stealing and an activist blockade.
Worksheet 9 Ranking of the Most Relevant Threats According to Intent and Capability
Multiply intent by capability to obtain the score

Adversary | Attack Method | Score
Terrorist | Concealed IED | 2
Terrorist | VBIED crashed into critical asset | 2
Terrorist | VBIED parked near critical asset | 2
Terrorist | IED placed near critical asset | 2
Terrorist | RPG | 2
Activist | Blockade | 4
Criminal | Stealing | 6

The severity in Step 5 is assessed according to a specific threat scenario which targets an asset and which may result in partial or total compromise of the asset. This is an area that requires specialist expertise in order to ensure that the output provides reliable data. Only three examples of critical assets are used in Worksheet 10 of the example below.

12.5 Step 5 Security Vulnerability Assessment (SVA)

Step 5 involves developing the threat scenarios; a threat scenario is defined as the coupling of a threat (the adversary and his method of attack) and a specific asset in the critical infrastructure. Once the threat scenarios have been described, there is a clearer picture of the severity of a successful attack (threat scenario). These threat scenarios then have to be assessed in terms of likelihood and severity. This is completed in the ranking of the likelihood of a threat scenario. The likelihood of a threat scenario depends on three parameters:

The asset attractiveness. The ranking of the attractiveness of the asset is the same as the combined attractiveness score evaluated for each asset in Step 3.
The asset vulnerability. This parameter takes into account the number and the robustness of the countermeasures in place onsite for a threat scenario.
The feasibility of the threat scenario. This parameter takes into account the sophistication of the technical and organisational means (modus operandi) used by the adversaries to perpetrate their attack on the asset.
Worksheet 10 takes each threat scenario and assesses it for overall likelihood by looking at the target attractiveness, the target vulnerability, the robustness of construction and the feasibility of the scenario. Worksheet 10 calculates a score for the likelihood, and Table 4 then gives the likelihood level that corresponds to each score. In the case of our worked example a blockade of the site entrances by activists is given the highest likelihood score.

WORKSHEET 10 LIKELIHOOD OF THREAT SCENARIO

Column 1: Critical Assets
Column 2: Adversary
Column 3: Method of Attack

Column 4: Target Attractiveness (Weighting Factor 5)
a) Least attractive asset on site. SCORE 0
b) Low attractive asset on site. SCORE 1
c) Medium attractive asset on site. SCORE 2
d) Highly attractive asset on site. SCORE 3
e) Most attractive asset on site. SCORE 4

Column 5: Target Vulnerability (Ease of Access) (Weighting Factor 1)
a) Very low vulnerability. SCORE 0
b) Low vulnerability. SCORE 1
c) Medium vulnerability: at least one strong measure and several other measures to be breached. SCORE 2
d) High vulnerability: several countermeasures need to be breached but the individual measures are not strong. SCORE 3
e) Very high vulnerability: none or few measures, only a single weak measure that needs to be breached, or effective measures do not exist. SCORE 4

Column 6: Target Robustness of Construction (Weighting Factor 1)
a) Very high robustness. SCORE 0
b) High robustness. SCORE 1
c) Medium robustness. SCORE 2
d) Low robustness. SCORE 3
e) Very low robustness. SCORE 4

Column 7: Feasibility of Threat Scenario (Weighting Factor 1)
a) One or two individuals, little knowledge of the site, simple technical means to achieve the desired effect (e.g. hand gun). SCORE 0
b) Limited group, minimal knowledge of the site, not technically sophisticated (e.g. regular weapons: hand gun, grenades, assault rifle). SCORE 1
c) Organised group, good knowledge of the site and sophisticated technical means (hand-made weapons such as IED). SCORE 2
d) Organised and trained group, good knowledge of the site and some of its countermeasures, sophisticated technical means (e.g. military weapons and hand-made weapons such as IED). SCORE 3
e) Highly trained group, very good knowledge of the site and its countermeasures, very sophisticated technical means (e.g. coordinated attack with war weapons). SCORE 4

Column 8: TOTAL THREAT SCENARIO LIKELIHOOD = sum of weighting factor x score (e.g. 5 x 0)

Critical asset | Adversary | Method of attack | Col 4 | Col 5 | Col 6 | Col 7 | Col 8 total
chlorine production unit 'y' | | | | | | |
chlorine tank | Terrorist | VBIED | 20 | 3 | 3 | 2 | 28
Entrances | Activist | Blockade | 20 | 4 | 3 | 2 | 29
hydrogen pipe and storage tank | Terrorist | VBIED | 10 | 3 | 3 | 2 | 18
manifold 'x' | | | | | | |
SCADA process control system, component 'z' | | | | | | |
(The values in columns 4 to 7 are score x weighting factor.)

TABLE 4 THREAT SCENARIO LIKELIHOOD

Level | Score | Threat Scenario Likelihood
L1 | 0 | Lowest ranking
L2 | 1 - 8 |
L3 | 9 - 16 |
L4 | 17 - 24 |
L5 | 25 - 32 | Highest ranking

Once the likelihood level is established for the critical asset, the impact level of an attack on the asset is taken from Worksheet 6. As the impact is now related to an individual threat scenario, it becomes defined as the severity of an event. These two levels are then used to plot the likelihood and severity risk for each threat scenario on Worksheet 12. In Worksheet 11 each critical asset and adversary combination should be reassessed for each attack method; however, for the example we have assessed only 3 possible threat scenarios.
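The threat ranking of Table 3 and Worksheet 9 together with the likelihood calculation of Worksheet 10 and the Table 4 lookup, as an added Python illustration that is not the consortium's spreadsheet. The individual intent and capability values are an assumed split of the Worksheet 9 products, the Hacker row is constructed to show the zero-capability rule, and the raw scenario scores are recovered from the printed weighted columns.

```python
"""Threat ranking (Table 3, Worksheet 9) and threat scenario likelihood
(Worksheet 10, Table 4) of the IMPROVE SVA worked example. Added
illustration, not the consortium's spreadsheet."""

# Table 3 scales: intent 1-3, capability 0-2.
INTENT_RANGE = range(1, 4)
CAPABILITY_RANGE = range(0, 3)

# Worksheet 10 weighting factors: target attractiveness x5, the other three x1.
LIKELIHOOD_WEIGHTS = {"attractiveness": 5, "vulnerability": 1,
                      "robustness": 1, "feasibility": 1}

# Table 4: likelihood level by Worksheet 10 column 8 total.
TABLE_4 = [("L1", 0, 0), ("L2", 1, 8), ("L3", 9, 16), ("L4", 17, 24), ("L5", 25, 32)]


def threat_score(intent, capability):
    """Worksheet 9: intent x capability. Capability 0 yields 0, i.e. no threat."""
    if intent not in INTENT_RANGE or capability not in CAPABILITY_RANGE:
        raise ValueError("intent must be 1-3 and capability 0-2 (Table 3)")
    return intent * capability


def rank_threats(threats):
    """threats: (adversary, method, intent, capability) tuples.
    Returns (adversary, method, score) sorted highest first; entries scoring 0
    are dropped because Table 3 treats a zero capability as no threat."""
    scored = [(adv, m, threat_score(i, c)) for adv, m, i, c in threats]
    return sorted([t for t in scored if t[2] > 0], key=lambda t: t[2], reverse=True)


def likelihood_total(attractiveness, vulnerability, robustness, feasibility):
    """Worksheet 10 column 8: sum of weighting factor x raw score (each 0-4)."""
    raw = {"attractiveness": attractiveness, "vulnerability": vulnerability,
           "robustness": robustness, "feasibility": feasibility}
    for name, score in raw.items():
        if not 0 <= score <= 4:
            raise ValueError(f"{name}: score {score} outside 0-4")
    return sum(LIKELIHOOD_WEIGHTS[k] * v for k, v in raw.items())


def likelihood_level(total):
    """Table 4 lookup."""
    for level, lo, hi in TABLE_4:
        if lo <= total <= hi:
            return level
    raise ValueError(f"total {total} outside Table 4 range 0-32")


# Worked example threats. Intent/capability split is assumed; the products
# (2, 4, 6) are those printed in Worksheet 9. Hacker row is constructed.
EXAMPLE_THREATS = [
    ("Terrorist", "Concealed IED", 1, 2),
    ("Terrorist", "VBIED crashed into critical asset", 1, 2),
    ("Terrorist", "VBIED parked near critical asset", 1, 2),
    ("Terrorist", "IED placed near critical asset", 1, 2),
    ("Terrorist", "RPG", 1, 2),
    ("Activist", "Blockade", 2, 2),
    ("Criminal", "Stealing", 3, 2),
    ("Hacker", "Remote sabotage by cyber attack", 2, 0),  # no capability: dropped
]

# Worked example scenarios: raw scores recovered from Worksheet 10
# (20 = 5 x 4, 10 = 5 x 2; the x1 columns are printed unweighted).
EXAMPLE_SCENARIOS = {
    ("chlorine tank", "Terrorist", "VBIED"): (4, 3, 3, 2),
    ("Entrances", "Activist", "Blockade"): (4, 4, 3, 2),
    ("hydrogen pipe and storage tank", "Terrorist", "VBIED"): (2, 3, 3, 2),
}


def worksheet_10(scenarios=EXAMPLE_SCENARIOS):
    """Return {(asset, adversary, method): (column 8 total, Table 4 level)}."""
    out = {}
    for key, scores in scenarios.items():
        total = likelihood_total(*scores)
        out[key] = (total, likelihood_level(total))
    return out


if __name__ == "__main__":
    for adv, method, score in rank_threats(EXAMPLE_THREATS):
        print(f"{score}  {adv:10s} {method}")
    for (asset, adv, method), (total, level) in worksheet_10().items():
        print(f"{asset:32s} {adv:10s} {method:10s} total {total:2d} -> {level}")
```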
Worksheet 11 SEVERITY AND LIKELIHOOD OF A THREAT SCENARIO

Asset Code | Asset Name | TOTAL THREAT SCENARIO LIKELIHOOD | THREAT SCENARIO SEVERITY (from Worksheet 6 column 3) | RISK (severity and likelihood)
A | chlorine tank | L6 | S5 | L6S5
B | Entrances | L6 | S2 | L6S2
C | hydrogen pipe and storage tank | L3 | S1 | L3S2
D | | | |
E | | | |
F | | | |

Once Worksheet 11 is completed the threat scenarios can be plotted on Worksheet 12. From our examples you will see that the vehicle-borne IED threat against the chlorine tank carries the highest risk and is in the red zone, and the VBIED against the hydrogen pipe and storage tank carries the lowest likelihood and severity risk.

Worksheet 12 (Likelihood versus Severity Risk Map)

We then use those scenarios with the highest likelihood and severity risk to form the basis for storyboards. These storyboards can then form the basis of an SVA file for each relevant threat scenario, as illustrated in Worksheet 13, Scenario 1; this gives oversight and detailed information to enable a motivated choice of adequate countermeasures in Step 6. These SVA files are a technical support for the vulnerability analysis to be carried out by the project team during work meetings. They allow the project team to apply a systematic approach to the analysis, particularly for the exploration of threat scenarios and the assessment and identification of the vulnerabilities. This systematic approach enables the team to be detailed and comprehensive in analysing the vulnerabilities of the site given the specific threats and the selected critical assets. By creating an SVA database gathering data for each relevant threat scenario, this information is available for analysis and for later assessments and reports.

Worksheet 13 Example Storyboard

Scenario 1. Terrorists drive VBIED into chlorine tank

1. Threat scenario: Asset + Adversary + Attack
Loss of containment of chlorine due to a VBIED attack by Islamic terrorists on the pipeline at the outlet of the chlorine tank

2. Consequences
Toxic dispersion of chlorine
Casualties onsite and offsite
Limited material damage

3. "Story Board": plausible sequence of events (before, during and after the attack)
1. The terrorists found information about the site and the chlorine tank on the internet, and could observe the site from public grounds
2. The terrorists force their way into the site with the VBIED (destroying the entry barrier or threatening the guards at the entry)
3. The VBIED is crashed into the pipeline, killing the terrorists and causing a catastrophic event
4. Crisis, disaster and BC management will be activated

4. Likelihood SCORE = 5 (reason: it is easy to find, identify, observe and hit, a known target, etc.)

5. Severity SCORE = 5 (because more than 1.000 casualties, 10 billion euros of damage, etc.)

6. Risk SCORE (5 x 5 = 25): 25 is the highest risk score (dark red in the table)

7. Vulnerabilities (ineffective countermeasures for this threat scenario)
1. Information security measures did not prevent sensitive information from exposure on the internet.
2. Critical assets were not shielded from prying eyes.
3. The entry barriers were easily destroyed and forced by a vehicle.
4. The guardhouse offered the guards too little protection.
5. There was no physical barrier that could stop the VBIED in time / at sufficient stand-off.
6. The pipeline and the tank did not withstand the pressure wave and the shrapnel of the VBIED.
7. The safety systems that might have secured a leaking pipe or tank could not mitigate the massive release of chlorine caused by the VBIED attack.
8. Casualties increased because of the inadequate response of emergency services (people were not directed to a safe area downwind).
Etc.

8. Suggestions to improve the security of the site for this scenario (for the likelihood and/or the severity); this will be input for Steps 4 and 5
1. The summary of the safety study, listing the catastrophic accidental scenarios and their consequences, should be informative for the public but elusive for adversaries
2. The entrance barrier can be strengthened or bollards can be added.
3. The guards could be protected by a special physical barrier.
Etc.

A more detailed discussion on countermeasures is given in Step 6.

13 Appendix 6 The Operator Security Plan

13.1 Introduction

13.1.1 Objectives of this Annex

The IMPROVE project focused on the development of a Security Vulnerability Assessment (SVA) tool with the intention of improving the security of Critical Infrastructure facilities. This Annex is aimed at assisting in the drafting of effective Operator Security Plans for these facilities once the strategies and objectives for security have been defined. The objectives for security measures should be derived from the SVA mentioned above, but may also be found in legislation or company policies.

13.1.2 Operator Security Plan

An Operator Security Plan (OSP) describes the security measures that an organisation has implemented to reduce or control its security risks. The word "operator" refers to the owner or the person in charge of managing and operating the security of a critical infrastructure. A Security Management System (SMS) should be in place to properly address this issue. The OSP addresses the highlights and recommendations resulting from a security vulnerability assessment as described above.

13.1.3 Why a Security Plan?

Security measures should be integrated into and become part of normal business procedures. All members of staff contribute to, and benefit from, the security of the facility.
There are several reasons for implementing security measures, such as:
- risk management and control;
- loss prevention;
- international, national or local legislation and regulations;
- safety requirements, for example entrance control to prevent untrained or unprotected personnel from getting into hazardous situations;
- pressure from the public, unions or stakeholders.

Security measures are often costly to implement, operate and maintain. Therefore it is important that the objectives of the different security measures are well determined. Measures will often only be effective if they are well understood, implemented and maintained. This may be achieved through a well-developed OSP as part of an adequate SMS.

13.1.4 Effectiveness

An effective OSP has the following characteristics:
- complies with legal security requirements and company security policies;
- is based on sound vulnerability and risk assessments;
- leads to effective protection of the assets and interests of the facility;
- helps to properly detect threats and deal with security incidents;
- contributes to achieving security goals in an effective way;
- ensures proper implementation, maintenance and evaluation of security measures.

13.2 Best Practices

The following best practices provide useful guidance when drafting or evaluating an Operator Security Plan. The selection of appropriate security measures depends of course on the specific operations and surroundings of each site, and therefore the following suggestions should be regarded as guidance only.

13.2.1 Process

Draft and design the security measures in an orderly way
First define the security objectives and the corresponding measures, making sure that their implementation results in achieving these security goals. Measures that hardly contribute may be put aside. Principal questions are:
- What has to be secured?
- What are the threats that must be addressed?
- Why are the selected security measures appropriate?

Build security awareness and commitment
It is essential that throughout the organisation, including subcontractors, visitors and other possible parties involved, there is a clear understanding of the necessity of the implemented security measures. It should be ensured that there are no conflicts between security and operational requirements at the facility. Both should complement and strengthen each other, and any obstacles should be addressed properly. Principal questions are:
- Is the workforce aware of potential threats to the site and of its vulnerabilities?
- Is everyone informed of the security policies and objectives?
- Do they understand their responsibilities and tasks in managing the security risks?

Identify and develop the necessary expertise
Security covers many very specific aspects, each requiring a different level of expertise: risk and vulnerability assessments, IT security, physical security, legal requirements, identification of adversaries and their methods of operation. It is essential that qualified experts join the team and, if necessary, that experts from outside the organisation are engaged. Principal questions here should be:
- Which expertise is needed in the team?
- Which help is available within the organisation?
- Which help is not available and must be obtained from outside?

13.2.2 Selection of security measures

The following recommendations may help in selecting appropriate security measures; the first four will normally have been addressed during the SVA process.
1. Classify and rank the assets or areas of the facility in terms of criticality.
2. Obtain a clear understanding of the relevant threats.
3. Define the security objectives for specific assets or areas.
4. Define the security levels, zones and compartments.
5. Provide a justification for each set of security measures and describe the secured situation, in order to avoid misunderstanding by persons who need to act upon this information.
6. Ensure that entrance control is efficient for security purposes and for daily operations.
7. Identify technical systems, personnel and procedures for the timely detection of adversaries.
8. Create a central point of contact for reporting and follow-up of security incidents.
9. Establish contacts with public emergency response services and enter into mutual support agreements with neighbouring facilities.
10. Anticipate higher than normal threat levels and develop enhanced security measures which can be activated when required.
11. Do not underestimate the value of security awareness.
12. Assess the cost of implementation and maintenance of security measures based on a cost-benefit analysis.
13. When selecting the required measures, consider standardisation.

13.2.3 Implementation and maintenance

Security project management
Security countermeasures should be specified, tendered, procured, installed, commissioned and accepted as a formal project in line with industry standards.

Use qualified contractors
Once the security measures have been selected, they should be implemented by certified security engineers and technicians. It is up to them to actually engineer and build the required security systems. Quality control on this essential phase of the security cycle (plan-do-check-act) should preferably be supported by security experts.

Operational maintenance and control
It is important to take into account during the design phase the interaction between the day-to-day operations of the facility and the security functions. The operational management of these security functions should be well described, and the necessary equipment and arrangements should be foreseen.
Manage the internal and external relations

The security operations manager should coordinate and communicate with:
- senior management;
- reception, the dispatch centre, HRM (Human Resources Management), ICT, business operations, public relations, communications, etc.;
- staff;
- security providers, police and first responders;
- neighbours (companies and the public) and the municipality.

Accountability for security operations

Accountability for the management of security risks and for the operation of the security functions should be clearly described and should be in line with legal requirements and company policy. This includes responsibility for revising security procedures in a timely manner and keeping them up to date, as well as for distributing the relevant documents to staff in the organisation and at the facility.

OSP documentation and dissemination

The documentation of the OSP should be transparent and complete. Ownership of the documents, and responsibility for updating and distributing them, should be clearly determined. Information in the OSP may be sensitive or classified; this should be clearly identified and monitored. Such information may need to be secured, but in general the content of the OSP must be available to all staff on a 'need to know' basis.

Maintenance and review of the security plan

The Operator Security Plan should be reviewed at a predetermined time or interval set by management; the interval may vary depending on changes in the threat, in operations, in responsibilities or in methods of working.

13.3 OSP Contents and structure

It is recommended that the Operator Security Plan contain the following information.

13.3.1 Introduction

The Introduction outlines the importance of the Security Plan and its relationship with the mission, general policies, security policies and culture of the organisation.
It should outline the areas of the organisation to which the Security Plan applies, for example whether it is a plan for the whole organisation or only for a specific facility, portfolio or work unit. It should also provide clear and concise statements about what the Security Plan is designed to achieve, and outline the relationship between the security policies and processes and the corporate plans and business objectives. There should be a summary and analysis of the Security Vulnerability Assessment (SVA), highlighting the current threats and vulnerabilities, along with an assessment of the current security environment and the measures in place. If loss prevention is an objective of the organisation, it should be outlined as well. The management summary of the SVA will supply most of the relevant information for this chapter.

13.3.2 Security Program

The Security Program outlines how security in the organisation is managed, evaluated and updated within a Security Management System (SMS). Security staffing, and the supervision and training of staff, should also be addressed. Security awareness training for all staff, and communication about security incidents and countermeasures, should be organised as an ongoing process. This chapter may refer to other programs and plans, such as those for emergencies, crisis response and business continuity.

13.3.3 Operational Policies and Procedures

The operational security policies and procedures describe how the security goals and objectives of the organisation are achieved. The roles, responsibilities and authorisations of staff are addressed in this chapter. A clear and published access control policy is an essential security function that will be highlighted here. Access procedures for the secured areas of the site should be drafted for authorised staff, invitees, vendors and, where applicable, contractors, and should address the means of identification, registration and badging.
Keys and access cards must be issued in a secure and transparent manner. Procedures may be in place to prevent the theft or loss of valuable goods, inventory or data. If security incidents do take place, the incident reporting process forms the basis for mitigation and corrective action. The response to a security incident by staff, security personnel and management of course needs adequate attention.

13.3.4 Physical Security Measures

Physical security measures are needed to support the operational policies and procedures. Access control is supported by external barriers such as fences and gates, and by an Access Control and Alarm Monitoring System (ACAMS). Theft prevention is supported by barriers, a perimeter intrusion detection system, security lighting, locking hardware, vaults and the ACAMS. Incident response may be coordinated from the security control centre.

13.3.5 Personnel Security Measures

Personnel security measures are implemented to recruit, contract and employ reliable, trustworthy and security-aware personnel and subcontractors. Pre-employment screening may be conducted for critical functions, and security clauses may be included in the contracts of employees, subcontractors and suppliers. Aftercare of staff once employed is as important as the initial screening. An exit procedure on termination of employment or contracts should be in place in order to cancel authorisations, protect intellectual property and collect company property. Debriefing leavers may provide useful security feedback for the company.

Template structure

The following template could be used for drafting a structured Operator Security Plan. It is only a suggested template and should not be considered the only alternative.

1. Introduction
   1. Company mission, goals and objectives
   2. Security Policy and scope of the OSP
   3. Brief description of process and implementation
   4. Security Vulnerability Assessment
   5. Loss prevention
2. Security Program
   1. The Security Management System (SMS)
   2. Documentation and administration of the OSP and SMS
   3. Security staffing, supervision and training
   4. Security awareness program
   5. Other security related programs and plans
   6. Communication plan
3. Operational Policies and Procedures
   1. Access control
   2. Key and access card control
   3. Theft and loss prevention
   4. Incident reporting and recording
   5. Incident response and investigation
4. Physical Security Measures
   1. External and internal barriers
   2. Perimeter intrusion detection, CCTV and security lighting
   3. Locking hardware for buildings, compartments and vaults
   4. Access control and alarm monitoring system
   5. Security control centre
5. Personnel Security Measures
   1. Pre-employment screening and aftercare
   2. Security clauses for contracts
   3. Security awareness
   4. Exit procedure
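The exit procedure in 13.3.5 (and the 'Key and access card control' and 'Exit procedure' items of the template) requires that authorisations are cancelled when employment or a contract ends. In practice the cancellation must also be verified, across every system that grants access, because a badge that is deactivated while a VPN account stays enabled still leaves the leaver with a working path in. The following Python script is an added example and is not part of the IMPROVE document or its accompanying spreadsheets: it reconciles a constructed HR leaver list against constructed exports from a badge system and an IT account directory and reports every authorisation that is still active after the person's last working day. The record layout, the person identifiers, the system names and the dates are assumptions chosen for the example, not the format of any real ACAMS or directory.

```python
"""Leaver reconciliation check (added example, not from the IMPROVE document).

Verifies the 'cancel authorisations' step of the exit procedure by comparing
the HR leaver list with the records of every system that grants access; here
a badge (ACAMS) export and an IT account export. All data below is constructed
for the example and the field layout is an assumption, not any real format.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR leaver list: person id -> last working day
LEAVERS = {
    "e1001": date(2010, 6, 30),   # employee, left at the end of June
    "c2002": date(2010, 7, 15),   # contractor, contract ended mid-July
    "e1003": date(2010, 8, 31),   # employee, leaves end of August
}

# Constructed badge (ACAMS) export: person id -> badge still active?
BADGES = {
    "e1001": False,   # badge correctly deactivated at exit
    "c2002": True,    # contractor badge never deactivated
    "e1003": True,
    "e1004": True,    # current staff member, not a leaver
}

# Constructed IT account export: person id -> accounts still enabled
ACCOUNTS = {
    "e1001": {"vpn"},              # VPN account missed at exit
    "c2002": set(),
    "e1003": {"mail", "vpn"},
    "e1004": {"mail"},
}


@dataclass(frozen=True)
class Finding:
    person: str
    system: str
    detail: str
    days_overdue: int


def reconcile(leavers, badges, accounts, check_date):
    """Return one Finding per authorisation still active after the leaver's last day.

    check_date is an ISO date string (e.g. "2010-08-01"). People whose last
    working day has not yet passed are skipped; people missing from an export
    are treated as having nothing active in that system.
    """
    today = date.fromisoformat(check_date)
    findings = []
    for person, last_day in sorted(leavers.items()):
        if today <= last_day:
            continue  # still employed or contracted; nothing to revoke yet
        overdue = (today - last_day).days
        if badges.get(person, False):
            findings.append(Finding(person, "badge", "badge still active", overdue))
        for acct in sorted(accounts.get(person, set())):
            findings.append(Finding(person, "it-account",
                                    f"account '{acct}' still enabled", overdue))
    return findings


def report(findings):
    """Format findings as lines for the security incident log."""
    return [f"{f.person}: {f.system}: {f.detail} ({f.days_overdue} days after last day)"
            for f in findings]


def demo(check_date="2010-08-01"):
    """Run the check over the constructed data for the given date."""
    return reconcile(LEAVERS, BADGES, ACCOUNTS, check_date)


if __name__ == "__main__":
    for line in report(demo()):
        print(line)
```

Run against the constructed data on 1 August 2010 the script reports the contractor badge that was never deactivated and the employee VPN account that survived the exit; the employee who has not left yet is correctly ignored. The point of the check is that each system that grants access is a separate source of truth, so the exit procedure is only complete when every export agrees with HR, and the days-overdue figure gives the security manager a measure of how long the gap has been open.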