Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM )


Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM ). 3 March 2003 Cal Jaeger, PhD Security Systems and Technology Center Sandia National Laboratories 505-844-4986 [email protected]



Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy under Contract DE-AC-04-94AL85000.



  • Chemical Facility Vulnerability Assessment (CFVA) Project
    • Conducted by the Center for Civil Force Protection (CCFP) at Sandia National Laboratories (SNL)
    • Support from DOJ-NIJ, EPA-CEPPO
    • Coordination with Chemical Industry Associations, key individuals at Chemical Facilities, other stakeholders
  • ACC, SOCMA, Chlorine Institute, API, other associations:
    • Guidelines for both site and transport security
    • Numerous conferences and workshops
    • ACC facility security prioritization process
    • ACC Responsible Care Security Code
  • Security Vulnerability Assessment (VA) Tools
    • Assessment Methodologies (www.ResponsibleCareToolKit.com)
    • Most are risk-based tools, some are guides, use checklists, use forms
    • Team or multi-people efforts
Interactions with Other Activities

The VAM-CF leverages many other required activities.


[Diagram: related activities that the VAM-CF draws on. Some box labels did not survive extraction; the remaining text is grouped below.]

  • PSM, process safety info, process diagrams, PHAs, emergency planning & response, list of chemicals, compliance audits
  • RMPs, OCAs - off-site impacts, worst-case scenarios, alternative scenarios, process safety info, PHAs, list of chemicals, compliance audits
  • Other Fed: CWC Treaty, Drug Enforcement
  • against a release of hazardous chemicals due to malevolent
  • Directions on safety and emergency release,
  • Guidelines, checklists; security, safety, hazards assessment
  • Specific guidelines for transport of chemicals; specifications on containers, markings etc.; list of chemicals


Characteristics of the VAM-CF SM

  • A systematic, risk-based, security assessment tool
    • S - Severity of consequences of an event
    • LA - Adversary attack potential
    • LAS - Likelihood of adversary success in causing an undesired event
  • Incorporates security measures that could help prevent an attack, appropriate safety and emergency response measures that could mitigate the consequences, and chemical attributes that may affect consequences
  • Provides capability to screen and prioritize chemical facilities and focus on critical areas for further analysis
  • Provides meaningful vulnerability information so additional measures can be implemented which effectively reduce risk
  • Not a quantitative tool but provides for a rigorous comparison of relative risks

VAM-CF SM Organization/Structure

  • 13 basic steps:
    • Screening
    • Project Definition
    • Facility Characterization
    • Define Severity Levels
    • Threat Assessment
    • Identify Priority Cases
    • Analysis Preparation
    • Site Survey
    • Likelihood of Adversary Success
    • Risk Analysis
    • Risk Reduction
    • Evaluate Impacts
    • Final Report
  • Currently paper-based using worksheets to support above steps
  • Can consider different potential undesired events and adversaries
  • Can consider both physical or cyber attacks
  • Uses a facilitator/team lead and supporting VA team
  • Supports a continuous approach to evaluating risk


  • Purpose of the screening process
    • identify/prioritize CFs for further vulnerability analysis
  • Identify undesired event
    • off-site release, loss of production, cost, environmental
  • Evaluate relative potential severity of malevolent events
    • significant national impact
    • consider RMP worst-case scenarios (# of people potentially affected by an off-site release)
    • accessibility
    • recognizability and importance
    • history and symbolism
  • Other screening tools could be used

Identify Most Important Areas for Analysis

  • Helps the user to identify areas for analysis
    • starts with total possible locations of hazardous chemicals
    • considers areas for each hazardous chemical & process
    • identifies/prioritizes critical areas using severity levels or characterization matrix
    • identifies priority areas based on consequence and threat
    • also allows the user to select specific areas for analysis

[Diagram labels, in order: All Chemical Facilities; 1A Screening; Facilities to be Analyzed for Risk; 3A Facility Characterization; Critical Areas; 3B Severity Levels; 3C Threat Assessment; 3D Priority Cases]




Define Severity Levels

  • Looks at specific areas within identified chemical processes
  • Define criteria for undesired event
    • off-site release, loss of production ...
  • Criteria for off-site release
    • # of people potentially affected by a release
  • Determine potential severity level for critical areas
    • end-point distance, population potentially affected
Threat Assessment
  • Who is it, and what is the level of threat?
  • Collect Information
    • Industry, corporation, site specific threat
    • Coordinate with chemical industry, state/local law enforcement, and FBI, ISAC
  • Threat Definition:
    • Threat type [start with one outsider group, one insider]
    • Tactics (explosives, forced entry, cyber)
    • Threat capabilities (#s, weapons, tools, transportation)
  • Threat Levels:
    • Estimate attack potential, LA, for each undesired event and adversary group
    • Consider existence, capability, history/intent, motivation, targeting
    • Consider target attractiveness: Recognizability, Importance, Symbolism, Accessibility


Determine Adversary Success

  • Determine likelihood of adversary success for a physical attack
    • for an identified undesired event (e.g. off-site release, on-site damage)
    • for an identified adversary scenario(s)
    • effectiveness of physical security system
      • detection/assessment, delay, response
      • identify protection elements
    • effectiveness of safety, mitigation and emergency response
      • detection/assessment, safety/mitigation
      • identify protection elements
    • consider inherent chemical properties in the adversary scenario
      • toxicity, flammability, reactivity
    • identifies vulnerabilities/weaknesses for the total protection system
  • Determine protection system effectiveness for cyber attack
    • based on preliminary assessment
    • to be considered in future versions of the VAM-CF

Risk Reduction and Impact Analysis

  • Make recommendations to reduce risk considered too high
    • threat
    • severity of consequences
    • protection system effectiveness
  • Develop possible upgrade packages
    • identified vulnerabilities
    • protection for common vulnerabilities
    • protection-in-depth
    • balanced protection
    • consider physical protection functions
  • Estimate new risk values and compare with baseline
  • Consider cost and other impacts
    • cost
    • operations and schedule
    • safety and health
    • public response

Role of State/Local Groups to Assist CFs

  • Know what potential targets are in your area
  • Support CFs in their vulnerability assessment & risk reduction efforts
  • Understand the potential consequences of an adversary attack
  • Information exchange with CF “owners” and other stakeholders
  • Identify what actions can be done by the State/local groups
  • Conduct exercises to test contingency plans (security, emergency response).
  • CFs need State/local support to protect their facilities
  • CFs must rely on more than just security measures to protect their facilities
    • need effective safety, mitigation and emergency response measures