Industrial Security
Description
More details
Other editions
Additional editions
Persons
Content
Chapter 1 Introduction to Security Risk Assessment and Management 1
Introduction 1
Business Definition 1
Security Versus Risk 2
Framework for Risk Management 2
Value at Risk 5
Calculation of Risk 6
Risk Assessment Versus Risk Management 6
Risk Management Plans 8
Threat Scenarios 9
Statistics and Mathematics 10
Pairing Vulnerability and Threat Data 11
Setting Priorities 13
Other Definitions of Risk Assessment 14
Business Definition for Risk Assessment 14
Broad Definition for Risk Assessment 15
Quantitative Risk Assessment 15
Qualitative Risk Assessment 15
Threats 15
Vulnerabilities 15
Countermeasures for Vulnerabilities 16
The D's of security systems 16
Sample Threat Scenario No. 1 18
Background 18
Sample Threat Scenario No. 2 23
Background 23
Chapter 2 Risk Assessment Basics 29
Street Calculus and Perceived Risk 29
Street Calculus 29
Security Risk Assessment Structure 32
Value at Risk 32
Sandia Laboratory's Risk Assessment Analysis 33
Annualized Cost Analysis of Risk 34
Scenario-Driven Cost Risk Analysis 36
Real-world example 37
Model-Based Risk Analysis 37
MBRA example case 38
Risk Management by Fault Tree Methods and Risk-Informed Decision Management 39
Fault tree analysis 39
RIDM 42
Chapter 3 Assessing Types of Attacks and Threats with Data Sources 62
Weapons 62
AK-47 62
M16 62
Sniper rifles 63
Muzzle Energies for Various Cartridges 63
Rifle Grenades 63
Rocket-Propelled Grenades and Mortars 64
Explosive Energies 65
Impact of explosives 66
Other Types of Incidents and Accidents 68
Chapter 4 Evaluating a Company's Protective Systems 70
Surveys and Assessments 70
Site Security Assessments 71
Checklists 71
Cyber security checklist 71
Lighting 72
Perimeter Barriers: Design Notes and Comments 74
CCTV 79
Windows and Doors 81
Chapter 5 Port Security 82
Ranking Threats 82
Natural threats 82
Man-made/accidental threats 82
Intentional acts-delivery vectors 83
Weapon threats 83
Levels of Port Security 83
Security response plans 84
Recommended procedures 84
Identification Procedures for Personnel Screening 85
Employees 85
Vendors/contractors/vessel pilots 85
Truck drivers/passengers 85
Visitors (all personnel not falling into other categories) 86
Government employees 86
Vessel personnel access through a facility 86
Search requirements 86
Acceptable identification 87
Access control 87
Vessel Arrival and Security Procedures While Moored 87
Internal Security 88
Vehicle control 88
Rail security 88
Key/ID/access card control 88
Computer security 89
Security rounds 89
Perimeter Security and Restricted Areas 89
Barriers 89
Fencing 89
Lighting 90
Security Alarms/Video Surveillance/Communications Systems 90
Alarms 90
Video surveillance 90
Communications systems 91
Training and Security Awareness 91
Floating Barriers 91
Chapter 6 Basics of Cyber security 93
Communications Life Cycle 93
Some Solutions to the Problem of Cyber crime 94
General recommendations 94
Communications Security 96
Communications as Transactions 96
Telephone System Security 96
Radio Communications 97
Digital Communications 97
Cyber security 98
Vulnerability assessment 98
Unknowns and alternatives 99
How to Perform the Vulnerability Assessment 99
Critical success factors 99
Optimum assessment team size 101
Communications Procedure Design: Hints and Helps 101
Benefits: Identified 102
Example 102
Cyber Threat Matrix: Categories of Loss and Frequency 103
Setting up Internet Security 104
External versus internal testing 105
Security focus 105
Browser and domain security 105
Data encryption 106
Cyber security Tools 107
Chapter 7 Scenario Planning and Analyses 109
Introduction 109
Fta, Markov Chains, and Monte Carlo Methods 110
Fuzzy fault trees 111
Markov chains and Bayesian analysis 111
Other Complimentary Techniques 112
Fishbone (Ishikawa) diagrams 112
Pareto charts 114
Sample of Initial Analysis 114
Failure Modes and Effects Analysis 119
Dhs Analysis and Plans 120
Bow-Tie Analysis 124
Example 125
Hazops and Process Safety Management 127
Process safety information: General 127
PHA and HAZOPS 128
Aloha, Cameo, and Security Planning Tools 129
The Colored Books 133
Generic Guideline for the Calculation of Risk Inherent in the Carriage of Dangerous Goods by Rail 133
The Orange Book: Management of Risk-Principles and Concepts 133
The Green Book: Methods for the Determination of Possible Damage to People and Objects Resulting from Release of Hazardous Materials, CPR-16E 135
The Yellow Book: Methods for the Calculation of Physical Effects due to the Releases of Hazardous Materials (Liquids and Gases), CPR-14E 137
The Red Book: Methods for Determining and Processing Probabilities, CPR-12 137
The Purple Book: Guidelines for Quantitative Risk Assessment, PGS 3 137
Sample outline for emergency response 141
Chapter 8 Security System Design and Implementation: Practical Notes 148
Security Threat-Level Factors 148
Considered Factors 148
Vehicle bombs 149
Standoff weapons 151
Minimum standoff distances 151
Security System Design 153
Perimeter barriers 154
Active vehicle barriers 154
Entry roadways 155
Entry control stations 156
Reinforcement of buildings and infrastructure 156
Windows 156
Security system lighting 157
Lighting system design 157
Electronic Security Systems Design 157
Alarm configurations and design 158
Access control 159
Employee screening 160
Visitor identification and control 160
Packages, personnel, and vehicle control 161
Lock and key systems 161
Security forces 162
Cargo security 162
Port security systems 163
Review and Assessment of Engineering Design and Implementation 163
Auditing and evaluation 163
Risk assessment team 164
Blank sheet approach to auditing and evaluation 165
Business approach to auditing and evaluation 165
Benchmarking 166
How to evaluate a physical security system? 167
Security systems audits 167
What to review? 168
Implementation of risk assessment 174
SQUARE: Prioritizing security requirements 177
Security monitoring and enforcement 179
Security awareness program 180
Proposed future training requirements 180
Security management 180
The differing roles of the security department 181
Stress management techniques 181
Security management techniques 184
Conclusion 186
Appendix I 187
Appendix II 196
Index 204
Chapter 1
Introduction to Security Risk Assessment and Management
Introduction
This course was developed out of a training outline and the course Col. Arlow and I taught together in Manama, Bahrain. Pieter's background is South African Defense Force, and he was responsible for the security of the World Cup in 2011. Dave's background is civilian, industrial chemical, and environmental consulting. Together, we believe that this book will provide a different and practical approach that combines security theory with practice. We hope that it is not just another book that is put on the shelf and used occasionally, but read and considered, and one where our suggestions are put into place.
Security is not just one group's business; it is everybody's business. The combination of security, safety, and environmental protection are critical to the operation of a modern-day chemical or industrial plant. Despite the heightened focus on security by the US Department of Homeland Security and Transportation Security Administration, in many instances, it amounts to little more than a theater of the absurd because the United States is only marginally more secure and it is more a chance of luck than of their expensive, large, and restrictive efforts to increase travel security in particular and homeland security in general. Paperwork does little to provide security.
Business Definition
The business definition of security is quite straight forward. Webster's Dictionary provides us with the basis for security: "freedom danger, risk of loss, and trustworthy and dependable." That is a very good start. The definition of security crosses a number of lines in the modern industrial plant and has many different definitions. Plant security can be anything from the guard force who keeps out the unwanted intruders to the executive protection service and to the corporate watchdog that looks after the financial and corporate affairs of the plant or the corporation to make sure that there is no theft or leaking of secrets at the highest level of the company.
With the advent of the Internet and the digital age, the job of security has been made, if anything, tougher because of the ease of communications and the proliferation of digital devices and the Internet. The communication is much easier, but then so is the ability to penetrate networks and obtain information or compromise security systems in a variety of ways. One has to look no further than the Stuxnet virus and how it delayed the development of the Iranian atomic program by attacking the centrifuges needed to refine the uranium. The success of the virus/worm delayed the development by up to 2 years.
Security Versus Risk
In order to get a better working definition of security, we should also have a working definition of risk. Risk is the chance of loss or injury. In a situation that includes favorable and unfavorable events, risk is the probability of an unfavorable event or outcome. We measure risk by examining the certainty that a particular bad outcome or outcomes will occur.
Risk comes in many forms. There is financial risk, enterprise risk, risk of self-organized criticality (failure),1,2 risk of injury, internal risk (theft, fire, economic loss, etc.), industrial/jurisdictional risk, operational risk, and several other types of often unforeseen and uncontrollable events that create damage. Within the various operations of a corporation, many of these have specific departments to address those risks. For example, safety, health, and environmental departments address specific risks for worker safety and environmental contamination; the IT security department manages risk for intellectual- and computer-related data. We are more concerned with the risks associated with external events such as terrorism, earthquakes, tornadoes, fire, etc. These are external risks. Internal risks might include sabotage and plant accidents resulting in fire, spills, explosion, etc.3
Within the scope of plant security, one is primarily concerned with events that are external to or imposed upon the plant, natural occurrences, and man-made occurrences, some of which are preventable and others not. Our working definition will include such elements as terrorism, external attacks, naturally occurring events such as tornadoes and hurricanes, and some limited scenarios for sabotage. Events such as spills, fire, and accidents may be equally unpredictable, but they are often addressable by proper design of facilities, installation of engineering controls, and management of personnel through procedures and training. Logically, we must also look into some of the process control and operational functions as a modern plant uses a variety of computer and wired and wireless control systems that are often open to sabotage or external influences.
Framework for Risk Management
The basic framework for risk management is a cost-associated function where the general sequence starts with identification of the assets at risk, evaluation of the likelihood of their occurrence, development of a cost and a probability associated with the occurrence of an attack or an event, and estimation of the costs to reduce the risk to manageable levels. This is a cyclic process, illustrated by Figures 1.1 and 1.2.
Figure 1.1 Outline of risk management actions.
Figure 1.2 A second view of the risk analysis process. The risk analysis matrix is usually in color. Red indicates high risk, yellow indicates moderate risk, and green indicates lower levels of risk, but we have chosen to use stripes, dots, and white spaces to highlight the risk levels, respectively.
We measure and estimate the cost of a particular event occurring so that we can provide a financial plan for the plant or facility. We develop scenarios and the cost of those occurrences. For example, if we assume an attack by a hostile force, we try to estimate the damage and costs associated with that attack. We may create several scenarios and the associated costs. Things like standoff weapons such as a grenade launcher, a rocket, or a bazooka might have a damage level (cost) of C1 for the first scenario, C2 for the second scenario, etc. C1 might be for a mortar. C2 might be for a car bomb. The objective is to make these scenarios as realistic as possible when one views the likelihood of the attack.4
An attack can be any unplanned event and is subject to wide interpretation. Natural meteorological events can be an attack. So can an intruder into the plant. Terrorism is an attack, but then so is a civil unrest. Sabotage is a type of attack, but it is special and separate because it is imposed internally rather than from outside. However, a good risk management plan may want to consider sabotage as an element of a response plan.
Once we have a range of costs and scenarios, we can begin to determine the risk based on the probability of the events. This is often the most difficult and controversial part of the exercise because different assumptions on the likelihood of the event can produce dramatically different outcomes and costs. This is also complicated by the prospect of expenditures for increasing security and estimates as to how much specific improvements will reduce risk.
Just because a plant has not had an electronic intrusion (which they know of) does not mean that one will not happen tomorrow. Similarly, adverse weather events may have a record going back 30 years or more with no incidents, but that does not prove anything except that nothing has happened in that time period. History is often a very poor predictor of future events, and one needs to be careful about piling assumptions upon assumptions when and where events occur.5 The concept of a "once in 100-year storm," popular in flood prediction and rainfall frequency analysis and other similar events, does not mean anything, except that the event was not expected with high frequency. Two of those events could occur back to back in subsequent days.6
In some cases, the risk assessment is relatively easy with probabilities in the percentile ranges P = 1% (P = 10-2), while in many other cases, the probability of an event is on the order of 0.0001% (P = 10-6) or even less. When estimated costs and damages are high, in the millions of dollars, we have a challenge multiplying a very small probability by a very big cost. Added to this is the idea that costs are ever increasing, and the range of uncertainties is dependent upon a partial or limited database.
Fundamental to the understanding of risk are the concepts of vulnerabilities, assets, and threats. Those three components come together to form the basis for risk.
Assets are the physical structures, the data, the production, the inventory, and almost anything that has a value. Vulnerabilities are the possible methods of degrading or devaluing the assets. It is often helpful to think of vulnerabilities as the means that threats can accomplish the damage. Threats are the possible events that acting through the vulnerabilities can degrade or destroy the assets. The conjunction of all three is the risk. A word picture might help explain the concept.
A threat could be a terrorist attack by mortar or grenade or car bomb, or infiltration, or sabotage. The vulnerability might be that the main processing reactor at the facility would be damaged and that would lead to an explosion that destroyed the plant and created a fire in...
