Overview of the vulnerability assessment methodology for chemical facilities vam cf sm
This presentation is the property of its rightful owner.
Sponsored Links
1 / 12

Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM ) PowerPoint PPT Presentation


  • 50 Views
  • Uploaded on
  • Presentation posted in: General

Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM ). 3 March 2003 Cal Jaeger, PhD Security Systems and Technology Center Sandia National Laboratories 505-844-4986 [email protected]

Download Presentation

Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM )

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Overview of the Vulnerability AssessmentMethodology for Chemical Facilities (VAM-CFSM)

3 March 2003

Cal Jaeger, PhD

Security Systems and Technology Center

Sandia National Laboratories

505-844-4986 [email protected]

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,

for United States Department of Energy under Contract DE-AC-04-94AL85000.


Background

  • Chemical Facility Vulnerability Assessment (CFVA) Project

    • Conducted by the Center for Civil Force Protection (CCFP) at Sandia National Laboratories (SNL)

    • Support from DOJ-NIJ, EPA-CEPPO

    • Coordination with Chemical Industry Associations, key individuals at Chemical Facilities, other stakeholders

  • ACC, SOCMA, Chlorine Institute, API, other associations:

    • Guidelines for both site and transport security

    • Numerous conferences and workshops

    • ACC facility security prioritization process

    • ACC Responsible Care Security Code

  • Security Vulnerability Assessment (VA) Tools

    • Assessment Methodologies (www.ResponsibleCareToolKit.com)

    • Most are risk-based tools, some are guides, use checklists, use forms

    • Team or multi-people efforts


Interactions with Other Activities

The VAM-CF leverages many other required activities.

OSHA

PSM, Process safety info,

process diagrams, PHAs,

emergency planning & response,

list of chemicals

compliance audits

EPA

RMPs, OCAs - off-site impacts,

worst-case scenarios,

alternative scenarios

Process safety info, PHAs,

list of chemicals

compliance audits

Other Fed

Agencies

CWC Treaty,

Drug Enforcement

VAM-CFSM

Protection

against a release of

hazardous chemicals

due to malevolent

attack

State/Local

Directions on

Safety and

emergency release,

LEPC/SERCs,

Corporate/Groups

Guidelines, checklists

Security, safety,

hazards assessment

DOT

Specific guidelines for transport of chemicals

Specifications on containers, markings etc.

list of chemicals


Characteristics of the VAM-CFSM

  • A systematic, risk-based, security assessment tool

    • S - Severity of consequences of an event

    • LA - Adversary attack potential

    • LAS - Likelihood of adversary success in causing an

    • undesired event

  • Incorporates security measures that could help prevent an

  • attack, appropriate safetyandemergency response measures

  • that could mitigate the consequences, and chemical attributes

  • that may affect consequences

  • Provides capability to screen and prioritize chemical facilities

  • and focus on critical areas for further analysis

  • Provides meaningful vulnerability information so additional

  • measures can be implemented which effectively reduce risk

  • Not a quantitative tool but provides for a rigorous comparison

  • of relative risks


VAM-CFSM Organization/Structure

  • 13 basic steps:

    • Screening

    • Project Definition

    • Facility Characterization

    • Define Severity Levels

    • Threat Assessment

    • Identify Priority Cases

  • Currently paper-based using worksheets to support above steps

  • Can consider different potential undesired events and adversaries

  • Can consider both physical or cyber attacks

  • Uses a facilitator/team lead and supporting VA team

  • Supports a continuous approach to evaluating risk

  • Analysis Preparation

  • Site Survey

  • Likelihood of Adversary Success

  • Risk Analysis

  • Risk Reduction

  • Evaluate Impacts

  • Final Report


Screening

  • Purpose of the screening process

    • identify/prioritize CFs for further vulnerability analysis

  • Identify undesired event

    • off-site release, loss of production, cost, environmental

  • Evaluate relative potential severity of malevolent events

    • significant national impact

    • consider RMP worst-case scenarios

    • (# of people potentially affected by an off-site release)

    • accessibility

    • recognizability and importance

    • history and symbolism

  • Other screening tools could be used


Identify Most Important Areas for Analysis

All Chemical Facilities

  • Helps the user to identify

  • areas for analysis

    • starts with total possible

    • locations of hazardous

    • chemicals

    • considers areas for each

    • hazardous chemical & process

    • identifies/prioritizes critical

    • areas using severity levels or

    • characterization matrix

    • identifies priority areas based

    • on consequence and threat

    • also allows the user to select

    • specific areas for analysis

1A Screening

Facilities to be Analyzed for Risk

3A Facility Characterization

Processes/Chemicals

Critical Areas

3B Severity Levels

3C Threat Assessment

3D Priority Cases

Priority

Cases


Define Severity Levels

  • Looks at specific areas within identified chemical processes

  • Define criteria for undesired event

    • off-site release, loss of production …..

  • Criteria for off-site release

    • # of people potentially affected by a release

  • Determine potential severity level for critical areas

    • end-point distance, population potentially affected


Threat Assessment

  • Who it is and What is the level of threat?

  • Collect Information

    • Industry, corporation, site specific threat

    • Coordinate with chemical industry, state/local law enforcement, and FBI, ISAC

  • Threat Definition:

    • Threat type [start with one outsider group, one insider]

    • Tactics (explosives, forced entry, cyber)

    • Threat capabilities (#s, weapons, tools, transportation)

  • Threat Levels:

    • Estimate attack potential, LA, for each undesired event and

      adversary group

    • Consider existence, capability, history/intent, motivation, targeting

    • Consider target attractiveness:

      Recognizability, Importance, Symbolism, Accessibility


Determine Adversary Success

  • Determine likelihood of adversary success for a physical attack

    • for an identified undesired event (e.g. off-site release, on-site damage)

    • for an identified adversary scenario(s)

    • effectiveness of physical security system

      • detection/assessment, delay, response

      • identify protection elements

    • effectiveness of safety, mitigation and emergency response

      • detection/assessment, safety/mitigation

      • identify protection elements

    • consider inherent chemical properties in the adversary scenario

      • toxicity, flammability, reactivity

    • identifies vulnerabilities/weaknesses for the total protection system

  • Determine protection system effectiveness for cyber attack

    • based on preliminary assessment

    • to be considered in future versions of the VAM-CF


Risk Reduction and Impact Analysis

  • Make recommendations to reduce risk considered too high

    • threat

    • severity of consequences

    • protection system effectiveness

  • Develop possible upgrade packages

    • identified vulnerabilities

    • protection for common vulnerabilities

    • protection-in-depth

    • balanced protection

    • consider physical protection functions

  • Estimate new risk values and compare with baseline

  • Consider cost and other impacts

    • cost

    • operations and schedule

    • safety and health

    • public response


Role of State/Local Groups to Assist CFs

  • Know what potential targets are in your area

  • Support CFs in their vulnerability assessment & risk reduction efforts

  • Understand the potential consequences of an adversary attack

  • Information exchange with CF “owners” and other stakeholders

  • Identify what actions can be done by the State/local groups

  • Conduct exercises to test contingency plans (security, emergency

  • response).

  • CFs need State/local support to protect their facilities

  • CFs must rely on more that just security measures to protect their facilities

    • need effective safety, mitigation and emergency response measures


  • Login