overview of the vulnerability assessment methodology for chemical facilities vam cf sm
Download
Skip this Video
Download Presentation
Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM )

Loading in 2 Seconds...

play fullscreen
1 / 12

Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM ) - PowerPoint PPT Presentation


  • 76 Views
  • Uploaded on

Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM ). 3 March 2003 Cal Jaeger, PhD Security Systems and Technology Center Sandia National Laboratories 505-844-4986 [email protected]

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM ) ' - vienna


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
overview of the vulnerability assessment methodology for chemical facilities vam cf sm

Overview of the Vulnerability AssessmentMethodology for Chemical Facilities (VAM-CFSM)

3 March 2003

Cal Jaeger, PhD

Security Systems and Technology Center

Sandia National Laboratories

505-844-4986 [email protected]

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,

for United States Department of Energy under Contract DE-AC-04-94AL85000.

slide2

Background

  • Chemical Facility Vulnerability Assessment (CFVA) Project
    • Conducted by the Center for Civil Force Protection (CCFP) at Sandia National Laboratories (SNL)
    • Support from DOJ-NIJ, EPA-CEPPO
    • Coordination with Chemical Industry Associations, key individuals at Chemical Facilities, other stakeholders
  • ACC, SOCMA, Chlorine Institute, API, other associations:
    • Guidelines for both site and transport security
    • Numerous conferences and workshops
    • ACC facility security prioritization process
    • ACC Responsible Care Security Code
  • Security Vulnerability Assessment (VA) Tools
    • Assessment Methodologies (www.ResponsibleCareToolKit.com)
    • Most are risk-based tools, some are guides, use checklists, use forms
    • Team or multi-people efforts
interactions with other activities
Interactions with Other Activities

The VAM-CF leverages many other required activities.

OSHA

PSM, Process safety info,

process diagrams, PHAs,

emergency planning & response,

list of chemicals

compliance audits

EPA

RMPs, OCAs - off-site impacts,

worst-case scenarios,

alternative scenarios

Process safety info, PHAs,

list of chemicals

compliance audits

Other Fed

Agencies

CWC Treaty,

Drug Enforcement

VAM-CFSM

Protection

against a release of

hazardous chemicals

due to malevolent

attack

State/Local

Directions on

Safety and

emergency release,

LEPC/SERCs,

Corporate/Groups

Guidelines, checklists

Security, safety,

hazards assessment

DOT

Specific guidelines for transport of chemicals

Specifications on containers, markings etc.

list of chemicals

slide4

Characteristics of the VAM-CFSM

  • A systematic, risk-based, security assessment tool
    • S - Severity of consequences of an event
    • LA - Adversary attack potential
    • LAS - Likelihood of adversary success in causing an
    • undesired event
  • Incorporates security measures that could help prevent an
  • attack, appropriate safetyandemergency response measures
  • that could mitigate the consequences, and chemical attributes
  • that may affect consequences
  • Provides capability to screen and prioritize chemical facilities
  • and focus on critical areas for further analysis
  • Provides meaningful vulnerability information so additional
  • measures can be implemented which effectively reduce risk
  • Not a quantitative tool but provides for a rigorous comparison
  • of relative risks
slide5

VAM-CFSM Organization/Structure

  • 13 basic steps:
    • Screening
    • Project Definition
    • Facility Characterization
    • Define Severity Levels
    • Threat Assessment
    • Identify Priority Cases
  • Currently paper-based using worksheets to support above steps
  • Can consider different potential undesired events and adversaries
  • Can consider both physical or cyber attacks
  • Uses a facilitator/team lead and supporting VA team
  • Supports a continuous approach to evaluating risk
  • Analysis Preparation
  • Site Survey
  • Likelihood of Adversary Success
  • Risk Analysis
  • Risk Reduction
  • Evaluate Impacts
  • Final Report
slide6

Screening

  • Purpose of the screening process
    • identify/prioritize CFs for further vulnerability analysis
  • Identify undesired event
    • off-site release, loss of production, cost, environmental
  • Evaluate relative potential severity of malevolent events
    • significant national impact
    • consider RMP worst-case scenarios
    • (# of people potentially affected by an off-site release)
    • accessibility
    • recognizability and importance
    • history and symbolism
  • Other screening tools could be used
slide7

Identify Most Important Areas for Analysis

All Chemical Facilities

  • Helps the user to identify
  • areas for analysis
    • starts with total possible
    • locations of hazardous
    • chemicals
    • considers areas for each
    • hazardous chemical & process
    • identifies/prioritizes critical
    • areas using severity levels or
    • characterization matrix
    • identifies priority areas based
    • on consequence and threat
    • also allows the user to select
    • specific areas for analysis

1A Screening

Facilities to be Analyzed for Risk

3A Facility Characterization

Processes/Chemicals

Critical Areas

3B Severity Levels

3C Threat Assessment

3D Priority Cases

Priority

Cases

slide8

Define Severity Levels

  • Looks at specific areas within identified chemical processes
  • Define criteria for undesired event
    • off-site release, loss of production …..
  • Criteria for off-site release
    • # of people potentially affected by a release
  • Determine potential severity level for critical areas
    • end-point distance, population potentially affected
threat assessment
Threat Assessment
  • Who it is and What is the level of threat?
  • Collect Information
    • Industry, corporation, site specific threat
    • Coordinate with chemical industry, state/local law enforcement, and FBI, ISAC
  • Threat Definition:
    • Threat type [start with one outsider group, one insider]
    • Tactics (explosives, forced entry, cyber)
    • Threat capabilities (#s, weapons, tools, transportation)
  • Threat Levels:
    • Estimate attack potential, LA, for each undesired event and

adversary group

    • Consider existence, capability, history/intent, motivation, targeting
    • Consider target attractiveness:

Recognizability, Importance, Symbolism, Accessibility

slide10

Determine Adversary Success

  • Determine likelihood of adversary success for a physical attack
    • for an identified undesired event (e.g. off-site release, on-site damage)
    • for an identified adversary scenario(s)
    • effectiveness of physical security system
      • detection/assessment, delay, response
      • identify protection elements
    • effectiveness of safety, mitigation and emergency response
      • detection/assessment, safety/mitigation
      • identify protection elements
    • consider inherent chemical properties in the adversary scenario
      • toxicity, flammability, reactivity
    • identifies vulnerabilities/weaknesses for the total protection system
  • Determine protection system effectiveness for cyber attack
    • based on preliminary assessment
    • to be considered in future versions of the VAM-CF
slide11

Risk Reduction and Impact Analysis

  • Make recommendations to reduce risk considered too high
    • threat
    • severity of consequences
    • protection system effectiveness
  • Develop possible upgrade packages
    • identified vulnerabilities
    • protection for common vulnerabilities
    • protection-in-depth
    • balanced protection
    • consider physical protection functions
  • Estimate new risk values and compare with baseline
  • Consider cost and other impacts
    • cost
    • operations and schedule
    • safety and health
    • public response
slide12

Role of State/Local Groups to Assist CFs

  • Know what potential targets are in your area
  • Support CFs in their vulnerability assessment & risk reduction efforts
  • Understand the potential consequences of an adversary attack
  • Information exchange with CF “owners” and other stakeholders
  • Identify what actions can be done by the State/local groups
  • Conduct exercises to test contingency plans (security, emergency
  • response).
  • CFs need State/local support to protect their facilities
  • CFs must rely on more that just security measures to protect their facilities
    • need effective safety, mitigation and emergency response measures
ad