Chapter 3.0 describes a process for a threat assessment including the use of security intelligence and threat-based countermeasures systems such as the Department of Homeland Security Al
Introduction
In order to assist petroleum companies evaluate and respond to security threats, the American Petroleum Institute has:
• Assessed the general types of security risks to the public and to petroleum supplies that each sector may face due to terrorism;
• Identified existing standards, recommended practices, guidance and other operational practices, as well as ongoing initiatives that may mitigate these risks;
• Developed guidance on conducting Security Vulnerability Assessments (SVA) a in the petroleum and petrochemical industries;
• Developed Recommended Practices for security for offshore oil and gas operations b
• Worked with the Federal Government, other industry associations and petroleum companies to prepare appropriate guidance.
Scope and Objective
This document aims to offer essential guidance for U.S domestic petroleum asset owners and operators on effectively managing security risks, while also serving as a reference for relevant Federal security laws and regulations that may influence petroleum operations.
The domestic petroleum sector comprises over 300,000 production sites, 4,000 offshore platforms, and 600 natural gas processing plants, alongside extensive infrastructure including 160,000 miles of liquid pipelines and 144 refineries While most of these assets are small and located in remote areas, posing minimal security risks to the economy and public safety, the petroleum industry advocates for proactive measures to mitigate potential threats from terrorism.
The Maritime Transportation Security Act of 2002 (MTSA), enacted on November 25, 2002, mandates that specific petroleum facilities adhere to federal security regulations The U.S Coast Guard has established rules under 33 CFR Subchapter H, Parts 101 – 106, which address security for ports, offshore continental shelf (OCS) operations, and vessels These regulations require certain vessels and port facilities that may be involved in transportation security incidents to develop and submit a security plan to the USCG For a comprehensive overview, refer to Appendix A, which lists the federal security regulations impacting the U.S.
Organization of the Document
This document comprises seven chapters and three appendices for reference Chapter 1 outlines the objectives, target audience, and scope of the guidance, along with references to other security regulations Chapter 2 provides an overview of terrorism in relation to the petroleum industry Chapter 3 details a threat assessment process that incorporates security intelligence and threat-based countermeasures, including the Department of Homeland Security Alert System (HSAS) and USCG Maritime Security (MARSEC) levels Chapter 4 discusses the elements of the American Petroleum Institute/National Petrochemical and Refiner’s Association Guidance on "Security Vulnerability Assessment Methodology" from October 2004, as well as API RP 70 on Security for Offshore Oil and Natural Gas Operations, First Edition, March 2003.
International Oil and Natural Gas Operations, First Edition, May 2004
Reproduced by IHS under license with API
This article outlines a comprehensive security plan, beginning with an overview of security vulnerability assessment in Chapter 5 Chapter 6 discusses security conditions and potential response measures, while Chapter 7 focuses on information (cyber) security Additionally, the Appendix includes valuable reference materials, such as a matrix of relevant Federal laws and regulations on security, along with a glossary of terms and references utilized in the development of this document.
Underlying Basis of this Guidance
Effective management of security risks is crucial for petroleum industry owners and operators to enhance asset security and ensure business continuity By adopting a risk-based, performance-oriented management systems approach tailored to site-specific circumstances, security threats and vulnerabilities can be systematically identified and analyzed This process includes evaluating the adequacy of existing countermeasures to mitigate these threats A Security Vulnerability Assessment (SVA) serves as a flexible management tool that aids in identifying and prioritizing security risks, enabling management to determine the necessary protection levels for local assets.
Security enhancements should be tailored to specific site factors, including threat level, vulnerability, potential consequences of security events, and asset attractiveness to adversaries High-risk sites, particularly those of critical importance and significant potential consequences, require careful consideration of security measures In such scenarios, implementing countermeasures that mitigate vulnerabilities and threats is essential to achieve an acceptable level of security.
Effective security risk management strategies must be tailored to specific site factors, including facility type, operations, stored substances, and potential threats This guidance emphasizes the importance of identifying and analyzing vulnerabilities rather than prescribing specific measures Each facility should be assessed individually, allowing management to make informed security decisions based on applicable practices Recognizing the lack of a one-size-fits-all approach in the petroleum industry, resources should be allocated to prioritize high-risk situations While it is impossible to eliminate all security risks, they can be significantly mitigated through a robust security risk management program The primary security objectives involve four key strategies: Deter, Detect, Delay, and Respond.
Owner/operators are urged to collaborate with federal, state, and local law enforcement, as well as local emergency services and the Local Emergency Planning Committee By seeking assistance, they can share intelligence, coordinate training, and access resources to effectively deter attacks and manage emergencies.
Other Guidelines and Security References
API has created this guidance for the petroleum industry to serve as a reference alongside other available resources This document aims to provide a foundational framework for evaluating and implementing security measures, rather than an exhaustive list of security considerations It is also acknowledged that some information within a security program must remain confidential, prompting petroleum companies to prioritize confidentiality in their security strategies.
`,,`,`,-`-`,,`,,`,`,,` - program to understand what information can be shared and what should remain confidential Other available resources on security include:
• American Petroleum Institute RP 70, Security for Offshore Oil and Natural Gas Operations,
• American Petroleum Institute RP 70I, Security for Worldwide Offshore Oil and Natural Gas
• American Petroleum Institute Std 1164, SCADA Security, 1 st Ed., September 2004
• American Petroleum Institute / National Petrochemical and Refiners Association, “Security Vulnerability Assessment Methodology,” October 2004
• American Chemistry Council, “Site Security Guidelines for the U S Chemical Industry,”
• American Chemistry Council, “Implementation Resource Guide for Responsible Care Security Code ® of Management Practices: Value Chain Activities,” 2003
• American Chemistry Council, “Transportation Security Guidelines for the U.S Chemical Industry,” 2001
• American Institute of Chemical Engineers (AIChE) Center for Chemical Process Safety (CCPS ® ), “Guidelines for Managing and Analyzing the Security Vulnerabilities of Fixed Chemical Sites,” August 2002 1
• DOT, Office of Pipeline Safety, “Pipeline Security Information Circular, Information of Concern to Pipeline Security Personnel, Security Guidance for Natural Gas, and Hazardous
Liquid Pipelines and Liquefied Natural Gas Facilities,” September 5, 2002.
• Sandia National Laboratories, “Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF)”
• U.S Coast Guard NVIC 11-02 (and other NVICs)
Owners and operators must also consider relevant local and national laws and regulations For a comprehensive list of final security regulations affecting the petroleum industry that were established before this document's release, please refer to the reference table in Appendix A.
Background on Terrorism and Security
The FBI characterizes terrorism as the unlawful use of force or violence aimed at intimidating or coercing governments or civilians to achieve political or social goals In recent years, there has been a notable rise in international terrorist incidents, heightening the potential threat posed by such groups Consequently, all sectors of the U.S economy are vulnerable to these illicit activities.
Threat to the Petroleum Industry
Reports from the Department of Homeland Security (DHS), the U.S Department of State, and the Federal Bureau of Investigation (FBI) suggest that the petroleum industry is a potential target for terrorism This vulnerability arises from the critical role of petroleum products in national infrastructure and their inherent characteristics.
Reproduced by IHS under license with API
• The physical and chemical properties of the products handled at petroleum sites
• The importance of petroleum to the national economy
• The importance of petroleum to national security
• The symbolism of the industry as a cornerstone of capitalism and western culture
While the U.S has limited experience with actual terrorism, this presents challenges for domestic petroleum owners and operators To enhance national security and protect infrastructure, collaboration between government and industry is essential Facility owners should foster strong relationships with local and national intelligence sources, including law enforcement, regional FBI offices, emergency response organizations, the USCG Office of Intelligence and Investigations, and the Energy ISAC By implementing basic awareness training, employees and the public can serve as vigilant observers, reporting any suspicious activities around facilities Additionally, as many domestic petroleum companies operate internationally in regions with significant security concerns, leveraging that global experience can further bolster domestic security programs.
The Value of Threat Assessment
Threat assessment plays a crucial role in a security management system This chapter outlines a comprehensive approach to threat assessment within the security management process For a more in-depth understanding of its application in the Security Vulnerability Assessment (SVA), refer to Chapter 5.0.
A threat assessment evaluates the likelihood of an attack on specific assets, serving as a crucial decision support tool for prioritizing security program needs, planning, and resource allocation It systematically identifies and assesses threats based on factors such as capability, intent, and potential impact.
Threat assessment is a crucial, ongoing process that helps identify vulnerabilities and evaluate necessary countermeasures against various adversaries By understanding specific threats, companies can create an effective and cost-efficient security management system.
Threat Assessment Process
To assess the threat to a facility or specific asset, companies analyze historical security incidents and adversary behavior while gathering relevant threat intelligence from government agencies and other sources This information is then evaluated to identify which company assets are more likely to be targeted, focusing on those that represent higher potential payouts for adversaries.
Certain threats are categorized as continuous, while others are variable, leading to guidance that aligns with the Department of Homeland Security’s Homeland Security Advisory System (HSAS) for managing fluctuating threat levels in the industry Other agencies, such as the USCG, have their own threat level systems, like MARSEC Levels, which, despite differences in number and description, convey similar information and can be correlated The threat assessment establishes a general threat level that serves as a baseline for further analysis.
`,,`,`,-`-`,,`,,`,`,,` - intelligence and threat assessment helps to evaluate situations as they develop Depending on the increased threat level, different security measures above baseline may be necessary
Threat assessments are essential for decision-making; however, they may not fully address emerging threats from certain terrorist groups, even with regular updates Therefore, it is crucial to pair threat assessments with vulnerability assessments to enhance preparedness and ensure comprehensive security measures.
U.S intelligence and law enforcement agencies evaluate both foreign and domestic threats to national security The intelligence community, including the CIA, DIA, and the State Department's Bureau of Intelligence and Research, actively monitors terrorist threats originating from abroad Additionally, the Terrorist Threat Integration Center was created to consolidate information and assess risks associated with domestic terrorism.
Threat information from intelligence and law enforcement can help create a tailored threat assessment for companies, though much of this data is classified and requires security clearance for access Identifying potential threats is crucial for companies to effectively manage risks in a cost-efficient way, as they face various dangers, including terrorism and other significant threats.
A threat assessment can take different forms, but the key components include:
1 the identification of known and potential adversaries, where such information is available and accurate;
2 the recognition and analysis of their intent, motivation, operating history, methods, weapons, strengths, weaknesses, and intelligence capabilities;
3 the assessment of the threat posed by the adversary factors mentioned above against each asset, and the assignment of an overall criticality ranking for each adversary
Threats to security arise from both internal and external sources, including potential collusion between the two External adversaries may gain unauthorized access to facilities and systems to steal or damage valuable assets In contrast, insiders—individuals with legitimate access—present a unique challenge due to their potential for deceit, familiarity with the environment, and unsupervised access to sensitive information and resources.
When assessing security vulnerabilities, it is crucial to consider threat categories that possess both the intent and capability to inflict significant harm on facilities, the public, or the environment Key threats to include in a Security Vulnerability Assessment (SVA) are international terrorists, domestic terrorists such as disgruntled individuals or 'lone wolf' sympathizers, disgruntled employees, and extreme activists Additionally, other potential adversaries should be evaluated as necessary.
Companies should engage in discussions about threats with local and federal law enforcement and foster connections with national, regional, and local industrial groups to enhance the quality of information they use Specifically, owner/operators are advised to collaborate with the Joint Terrorism Task Force offices.
Threat assessments often rely on vague or nonspecific information rather than precise data, making it challenging to analyze potential risks This is especially true for facilities lacking site-specific details about threats, particularly in light of growing concerns over international terrorism A recommended strategy is to assume that international terrorism could be a risk for any facility deemed attractive to such threats.
Reproduced by IHS under license with API
Effective threat assessment is a dynamic process that requires continuous evaluation of potential threats During a Security Vulnerability Assessment (SVA) exercise, it is essential to consult the threat assessment for guidance on both general and specific threats to assets Additionally, the threat assessment should be updated as necessary, incorporating new information and insights regarding vulnerabilities.
Security Alert Level Systems
Introduction
Flexibility is essential for operational security in a dynamic threat environment, necessitating the application of variable security measures Alert levels indicate the likelihood of terrorist actions, ranging from normal to imminent risk, based on intelligence from government or company sources Three key alert level systems have been established by government and international entities to signal potential acts of terrorism.
1 Homeland Security Advisory System (HSAS)—This five-level alert system is based on the
National Threat Advisory System developed by the Department of Homeland Security
2 Maritime Security Levels (MARSEC)—This three-level alert system was developed by the
U.S Coast Guard for use by marine vessels, ports and port facilities
3 International Ship and Port Facility Security (ISPS) Code—This three-level alert system is similar to the MARSEC system and applies to foreign flagged vessels and ports
These systems aim to deliver clear information to both private and public sectors regarding the potential for terrorist actions, facilitating the implementation of appropriate response measures during crisis situations.
Department of Homeland Security Alert System (HSAS)
The Homeland Security Advisory System (HSAS), established on July 27, 2002, is a five-level color-coded threat advisory system aimed at enhancing coordination and communication among government levels and the American public in combating terrorism HSAS offers a framework for assigning threat conditions that can be applied nationally, regionally, by sector, or to specific targets, utilizing various factors for threat assessment.
• Is the threat specific and/or imminent?
• What are the potential consequences of the threat?
Threat conditions indicate the risk of a terrorist attack, while protective measures are essential steps taken by potential targets to minimize vulnerabilities The Homeland Security Advisory System (HSAS) outlines five threat conditions, each linked to general protective measures It is crucial for facilities to develop tailored protective strategies based on their unique characteristics and findings from a site-specific Security Vulnerability Assessment (SVA) Section 6 of this publication offers a detailed discussion on specific protective measures that owners and operators of petroleum facilities should implement in response to changes in the national alert level.
Following is the HSAS five level alert system and their general protective measures
The Homeland Security Alert System indicates a Severe Condition (Red) when there is a significant risk of terrorist attacks In such cases, additional protective measures may include the assignment of emergency response personnel, the pre-positioning of specially trained teams, monitoring and redirecting transportation systems, closing facilities, and reallocating personnel to meet critical emergency needs.
During a high condition alert (Orange), indicating a significant risk of terrorist attacks, it is crucial to enhance security measures This includes coordinating security efforts with armed forces or local law enforcement, implementing additional precautions at public events, preparing for operations at alternate sites or with a dispersed workforce, and restricting access to essential personnel only.
In an Elevated Condition—Yellow, there is a significant risk of terrorist attacks, prompting the implementation of additional protective measures These include increasing surveillance at critical locations, coordinating emergency plans with local jurisdictions, refining protective measures based on current threat information, and executing contingency and emergency response plans as necessary.
In a Guarded Condition—Blue, there is a general risk of terrorist attacks, prompting the implementation of additional protective measures These include checking communications with designated emergency response locations, reviewing and updating emergency response procedures, and providing essential information to the surrounding community.
In a low condition, indicated by green, there is a minimal risk of terrorist attacks It is essential to refine and practice preplanned protective measures, provide personnel with training on the Homeland Security Advisory System (HSAS) as well as corporate and facility-specific protocols, and conduct regular assessments of facility vulnerabilities to implement necessary reductions.
The National Infrastructure Protection Center, U.S Coast Guard and other agencies publish guidance on protective measures that are recommended for the different threat levels 6
U.S Coast Guard Maritime Security Levels
The U.S Coast Guard has developed a three-level Maritime Security (MARSEC) alert system for use by marine vessels, certain energy facilities and ports The MARSEC alert levels are:
• MARSEC I: Low or Moderate Threat—this alert is defined as the “new normalcy”
• MARSEC II: Heightened Alert—this alert is used when there is credible intelligence suggesting a high threat, but no specific target or delivery method is known
Reproduced by IHS under license with API
• MARSEC III: Maximum Alert—this alert is issued when there is credible intelligence coupled with a specific threat
The U.S Coast Guard utilizes Maritime Security levels (MARSEC) 1, 2, and 3 to indicate varying levels of alert, which correspond to the color-coded threat conditions established by the Homeland Security Advisory System (HSAS) MARSEC serves as a vital communication tool for the maritime sector to convey risk levels, directly linking maritime security to national threat assessments.
MARSEC Level I aligns with the lowest three levels of the Homeland Security Advisory System (HSAS), which are Green (Low), Blue (Guarded), and Yellow (Elevated) In contrast, MARSEC Level 2 is equivalent to HSAS Orange (High), while MARSEC Level 3 corresponds to HSAS Red (Incident Imminent).
Facilities must establish and execute protective measures within their security plans to mitigate the risk of transportation security incidents, particularly as MARSEC levels rise These levels can be designated for the entire nation or specific geographic areas, industrial sectors, or operational activities Importantly, a transition from MARSEC 1 to MARSEC 3 can occur without passing through MARSEC 2.
Section 6.0 provides in-depth discussion of specific protective measures that owners/operators of petroleum assets may consider when the national alert level changes.
International Ship and Port Facility Security (ISPS) Alert Levels
The ISPS code is a three-level alert system similar to the MARSEC system
Security Level 1, also known as Normal, represents the standard operational security level for ships and port facilities At this level, minimum appropriate protective security measures are required to be maintained consistently.
Security Level 2, also known as Heightened Security, is implemented during periods of increased risk for security incidents This level necessitates the maintenance of additional protective security measures to address the elevated threat.
Security Level 3 (Exceptional) is implemented during periods of probable or imminent security threats This level necessitates the maintenance of enhanced protective security measures for a limited duration, even when specific targets cannot be identified.
Setting security level 3 is an exceptional measure that should only be implemented when credible intelligence suggests a probable or imminent security incident This heightened security level must be maintained only for the duration of the identified threat or actual incident It is important to note that while security levels can progress from level 1 to level 2 and then to level 3, a direct transition from level 1 to level 3 is also possible.
The Security Management System Process
Different SVA methods vary significantly in detail and complexity Companies lacking formal SVA processes can benefit from an initial screening level SVA, which helps prioritize resources on critical areas A screening approach often proves to be the most practical way to prioritize facilities for SVA Depending on the location and operations, not all facilities may need a formal SVA and security plan.
To effectively manage security risks, each owner or office must implement a flexible security management system tailored to the unique characteristics of petroleum operations This system should prioritize continuous improvement to adapt to changing conditions while incorporating several essential elements to ensure its effectiveness.
Figure 4.1 presents a security management system that outlines a decision flow for creating and maintaining a site-specific security plan Owner/operators must evaluate their unique security risks and prioritize addressing the highest risks Various methods exist for implementing the elements shown in Figure 4.1, ranging from simple to complex, with no single "best" approach suitable for all petroleum operations This guideline emphasizes the need for flexibility in designing security plans and offers appropriate guidance to meet this requirement.
Figure 4.1—Security Management System Process
Initial Screening
Before initiating a formal Security Vulnerability Assessment (SVA), it is essential to conduct an initial evaluation of petroleum facilities at a systems level This screening should assess potential economic impacts, public safety and health concerns, national security implications, and the effects on the value chain due to significant events At the corporate level, this process aids in prioritizing facilities for further analysis and evaluating regional impacts For facilities identified for deeper evaluation, a formal SVA should focus on individual assets to identify and prioritize vulnerabilities that need to be addressed.
Reproduced by IHS under license with API
Data Gathering
The first step in a Security Vulnerability Assessment (SVA) involves gathering crucial information about the location, its assets, and potential threats This process includes the initial collection, review, and integration of data necessary to identify location-specific security risks Relevant data may encompass operational details, surveillance practices, existing security measures, and unique security concerns For those developing a security plan, initial data collection may concentrate on a limited number of assets to effectively identify the most significant security risks.
Table 4.1—Examples of petroleum facility assets subject to potential security risk
Administration offices, corporate offices, control rooms
Process units and associated control systems; product storage tanks; surge vessels, boilers, turbines, process heaters, sewer systems
Utilities such as natural gas lines, electrical power grid and facilities (including back-up power systems), water-supply systems, wastewater treatment facilities
Railroad lines and railcars, product loading racks and vehicles, pipelines entering and leaving facility, marine vessels and dock area, off site storage areas
Cyber systems and information technology:
Computer systems, networks, all devices with remote maintenance ports, SCADA systems, laptops, PDAs and cell phones.
Initial SVA
The Security Vulnerability Assessment (SVA) utilizes data gathered from prior steps to systematically identify potential security risks at the facility By integrating and evaluating this information, the SVA process pinpoints specific security-related events or conditions that may compromise safety, while also assessing the likelihood and potential consequences of these risks.
Different SVA methods exhibit considerable variation in detail and complexity Companies lacking formal SVA processes may benefit from an initial screening level SVA, which helps concentrate resources on critical areas Adopting a screening approach can be the most practical way for companies to prioritize facilities for SVA.
Table 4.2—Examples of security risks or threats in the petroleum industry
• Intentional release (loss of containment) from a process unit or storage tank
• Loss of a critical management team or member
• Destruction or disruption of support systems, such as: o Electrical power; water supply, sewer systems o Communications systems, computer systems o Raw material (crude oil) supply, finished product distribution
• Contamination of raw material or finished product
• Bomb threat or discovery of an Improvised Explosive Device (IEDs) or Vehicle Borne Explosive Devices (VBED)
• Bio-terrorism or eco-terrorism
After identifying the key risks, it is essential to establish countermeasures to mitigate or eliminate these risks Additionally, employing further assessment techniques can help identify potential future risk issues The process of risk control and mitigation may include various strategies and actions.
• Identification of risk control options that lower the likelihood of an incident, reduce the consequences, or both;
• A systematic evaluation and comparison of those options;
• Selection and implementation of a strategy for risk control
A Security Vulnerability Assessment (SVA) is essential for identifying and prioritizing potential targets, ensuring resources are allocated efficiently by avoiding low-risk areas Implementing a tiered, risk-based strategy proves to be the most effective method for evaluating and prioritizing these targets Various techniques can be utilized to perform an SVA and determine appropriate risk control measures.
To establish a Baseline Security Plan, it is essential to utilize the findings from the Security Vulnerability Assessment (SVA) to tackle the most critical risks and evaluate the security of the facility or asset This comprehensive plan must incorporate risk mitigation strategies and outline security assessment activities, such as inspections and the management of traffic and personnel control.
Implement security measures by executing baseline security plan activities, evaluating the outcomes, and making necessary adjustments to manage risks that could result in system failures Additionally, a Security Vulnerability Assessment (SVA) may uncover other risks that need to be addressed.
Examples of physical security elements may include, but are not limited to:
• Controlling access into, within and out of a facility or critical asset areas;
• Perimeter protection including immediately beyond the perimeter;
• Redundant systems (electrical, water, computing, communications, sewer, gas);
• Mail and package screening system
Update, Integrate, and Review Data After the initial security assessments have been performed, the facility will have improved and updated information about the security of the facility This
Reproduced by IHS under license with API
`,,`,`,-`-`,,`,,`,`,,` - information should be retained and added to the database of information used to support future SVAs and security evaluations
Regularly reassessing risks through Security Vulnerability Assessments (SVAs) is essential to incorporate recent operational data, facility design changes, and external factors like nearby facilities and traffic flow alterations Additionally, findings from security inspections and drills should be integrated into future SVAs to maintain an up-to-date understanding of security challenges.
The baseline security management plan must evolve into a continuous security assessment plan, regularly updated to incorporate new information and current security risk understanding As new risks or variations of known risks emerge, appropriate mitigation actions should be implemented Additionally, the revised Security Vulnerability Assessment (SVA) results should inform the scheduling of future security assessments.
Audit Plan Companies should collect information and periodically evaluate the success of their security assessment techniques and other mitigation risk control activities
To effectively manage change within a facility, it is essential to implement a systematic process that evaluates potential risk impacts before any modifications are made Additionally, changes in the operational environment must also be assessed Once changes are implemented, they should be integrated into future Security Vulnerability Assessments (SVAs) to ensure that the assessment process accurately reflects the facility's current configuration This highlights that security management is an ongoing process, characterized by a continuous cycle of monitoring, risk identification, assessment, and action to mitigate significant risks Regular reviews and updates of SVAs are crucial to align with the latest conditions.
A security plan must be an integrated and iterative process, where the steps, although presented sequentially for clarity, involve significant information flow and interaction The choice of a Security Vulnerability Assessment (SVA) approach is influenced by the availability of risk-related data, and during the SVA process, additional data needs often emerge to effectively tackle potential vulnerability issues.
Example Elements of a Security Plan
Personnel Training
This section of the security plan outlines the security training provided to the Security Officer(s) and individuals responsible for managing the security program at the location It also identifies training for other personnel with security duties and highlights additional security awareness training offered to all employees at the site.
Many EHS training topics are closely related to security, especially in petroleum handling and processing facilities, where emergency response is crucial It is important to appropriately describe these topics, particularly for MTSA facilities, as outlined by the USCG.
Regulations outlined in 33 CFR 105.205 specify the qualifications required for Facility Security Officers (FSOs), individuals with security responsibilities, and all other employees It is important to note that the extensive lists of skills do not necessarily need to be covered as formal training topics, as they can be acquired through various means.
Reproduced by IHS under license with API
All employees at the site undergo orientation and security awareness training, which emphasizes the importance of developing a healthy level of skepticism regarding information encountered during their normal duties.
Drills and Exercises
The security plan should outline the planned activities for rehearsing its components and supporting procedures Each location must assess the necessary extent and frequency of security drills and exercises based on a security risk assessment Some sites may determine that no drills are needed, while others might conduct short, focused activities to test specific aspects of the security program, such as vehicle searches by main gate guards Conversely, higher-risk locations may necessitate comprehensive exercises, including full-scale roll-outs or table-top scenarios involving multiple groups and offsite responders.
Many activities often align in their objectives, utilizing the same onsite personnel and offsite responders as those needed for environmental, health, or safety (EHS) events To enhance efficiency, it is essential to minimize duplication and take advantage of existing programs and activities.
MTSA facilities must adhere to USCG regulations that mandate specific drills and exercises at defined intervals, similar to requirements found in various EHS laws For instance, a petroleum processing facility may be subject to the Oil Pollution Act, SARA Title III regulations, and OSHA and EPA standards It is essential for EHS and security teams at both site and corporate levels to align these regulations and create a comprehensive drill and exercise plan that fulfills all requirements, including necessary documentation This plan should be integrated into the security plan, which must outline the follow-up process for addressing critique action items from drills and exercises If this process aligns with resolving EHS-related recommendations, it can be linked to the relevant procedures, databases, or documents.
The security plan should detail the company's crisis management plan (CMP) as it relates to facility drills and exercises, highlighting its role in the site's security program It is essential to outline the information and support provided by individual sites in relation to the CMP Additionally, the site emergency response plans and the CMP must be referenced in the security incident procedures section of the security plan.
This section of the security plan outlines the types of security-related records to be maintained and the measures to protect them from unauthorized access It emphasizes the importance of leveraging existing Environmental Health and Safety (EHS), quality, and other recordkeeping systems to minimize redundancy Many petroleum facilities already have robust recordkeeping systems for EHS and ISO compliance, so this plan should detail how these systems will be adapted to incorporate security-related information Additionally, it specifies the individuals responsible for managing security records and establishes policies for the retention of these records Notably, MTSA facilities are required to maintain eight specific categories of records.
4.4.5 Response to Change in Alert Level
This section of the security plan outlines the security alert system implemented at the site or company, specifically referencing the Department of Homeland Security (DHS) Homeland Security Advisory System.
The security plan must outline the actions to be taken at each level of the alert system, such as the U.S Coast Guard's MARSEC levels or the ISPS Code Security Levels For instance, if the site follows DHS HSAS alerts, it should specify the additional security measures implemented when the alert level rises from Yellow to Orange As most alert systems are governed by external agencies, the plan should detail how changes in alert levels are documented and the time required to reach the declared level Even without direct regulatory mandates, companies may need to report this time interval to external organizations For more information on alert levels, refer to section 3.4, and for example response measures related to alert level changes, see section 6.0.
This section of the security plan should describe the necessary communications capabilities of the facility with respect to implementing the security plan Certain elements to consider are:
• Communications capabilities between employees (e.g., radio, telephone, etc.)
• Communications between the facility and offsite responders or support (e.g., 911)
• Communications between vessels and the facility, if applicable
Effective data communication is essential for identifying critical computer systems and networks that are vital to security, such as process control and electronic access control systems It is important to provide a general overview of the cybersecurity measures implemented to protect these systems.
Not all elements are suitable for every location; for instance, a small, low-risk, unmanned remote facility may only need periodic checks on a weekly or monthly basis.
4.4.7 Security Systems and Equipment Maintenance
This section of the security plan should describe the inspection, test, and preventive maintenance program for security equipment (e.g., camera systems, lighting fencing, etc.)
4.4.8 Security Measures for Access Control, Including Designated Public Access Areas
This section of the security plan outlines essential policies, practices, and procedures necessary for effective implementation It is important to consider the following items, while noting that not all elements may be suitable for every specific location.
• Identification requirements for employees, visitors, contractors, truck drivers, railroad crews, government employees/law enforcement and other who may seek access
• Sign-in or documentation of access procedures
• Escorting policies for visitors, contractors, and government employees (Circumstances when escorts are required and the procedures to be followed under each situation.)
• Screening and searching procedures for vehicles, baggage (accompanied and unaccompanied), hard-carried articles
• Physical security measures applicable to access control (Fencing/barriers, locks, lighting, intrusion detection, etc.)
• Physical barriers that prevent vehicles from being used as weapons
• The escalation in the implementation of access control procedures as alert levels escalate (How vehicle search procedures change as alert levels rise)
Reproduced by IHS under license with API
If the location designates certain areas as protected, controlled or restricted, then the physical security measures pertinent to those areas should be described this section of the plan
This section of the plan should describe how the facility is monitored for unauthorized access
Effective monitoring can be achieved through various methods tailored to specific locations For less attractive remote facilities, operational checks may suffice, while more advanced facilities require a blend of personnel monitoring, such as guards and dogs, alongside technology like intrusion detection systems The security plan must outline how monitoring equipment, personnel, and procedures adapt as alert levels rise For instance, if off-duty law enforcement officers are utilized during an "Orange" alert, this should be clearly detailed in the security plan.
This section of the plan outlines the definition of security breaches, the notification process, and the sequence of notifications It details the procedures for investigating security breaches and incidents, emphasizing the need for potential modifications to encompass security-related incidents and their specific requirements Additionally, it references the site emergency response plan and the company crisis management plan, if relevant.
4.4.12 Audits and Security Plan Amendments
This section of the security plan should describe how the plan should be audited, including periodicity, audit team leadership/membership, documentation, and follow-up of findings For
MTSA facilities, the USCG regulations contain specific provisions for security plan audits Non- MTSA facilities may wish to develop their own or use existing HES auditing
After an audit or for other reasons, it may be necessary to amend the security plan The procedure for generating and approving these amendments, both internally and potentially by external organizations, should be clearly outlined The USCG regulations specify a defined interface process for amending a security plan between the Coast Guard and the facility For facilities that are not regulated by the USCG but are ISO-9000 certified, the ISO process for maintaining controlled documents or an equivalent method may be utilized.
4.4.13 Security Vulnerability Analysis (SVA) Report
The security plan may include the SVA report as an attachment, a summary, or a reference to the SVA, which serves as the foundation for various elements within the plan It is essential to keep the SVA and the security plan up to date For Coast Guard-regulated facilities, the SVA is known as the Facility Security Assessment (FSA), fulfilling the same role Additionally, the Facility Vulnerability and Security Measures Summary (Form CG-6025) must be included in the security plan for these facilities For more details on security vulnerability assessments, refer to Chapter 5.0.
Response to Change in Alert Level
This section of the security plan outlines the security alert system implemented at the site or company, including the use of the Department of Homeland Security (DHS) Homeland Security Advisory System.
The security plan must outline the actions to be taken at each level of the alert system, such as the U.S Coast Guard's MARSEC levels or the ISPS Code Security Levels For instance, if using the DHS HSAS alerts, the plan should specify the additional security measures implemented when the alert level rises from Yellow to Orange It is essential to document how changes in alert levels are recorded and the time required to reach the declared level, even if there are no direct regulatory mandates Companies may still need to report this time interval to external organizations For more details on alert levels, refer to section 3.4, and for example response measures related to alert level changes, see section 6.0.
Communications
This section of the security plan should describe the necessary communications capabilities of the facility with respect to implementing the security plan Certain elements to consider are:
• Communications capabilities between employees (e.g., radio, telephone, etc.)
• Communications between the facility and offsite responders or support (e.g., 911)
• Communications between vessels and the facility, if applicable
Effective data communication is essential for identifying critical computer systems and networks that are vital to security, such as process control and electronic access control systems It is important to provide a general overview of the cybersecurity measures implemented to protect these systems.
Not all elements are suitable for every location; for instance, a small, low-risk, unmanned remote facility may only need periodic checks weekly or monthly.
Security Systems and Equipment Maintenance
This section of the security plan should describe the inspection, test, and preventive maintenance program for security equipment (e.g., camera systems, lighting fencing, etc.).
Security Measures for Access Control, Including Designated Public Access Areas
This section of the security plan outlines essential policies, practices, and procedures necessary for effective implementation It is important to consider the following items, while noting that not all elements may be suitable for every specific location.
• Identification requirements for employees, visitors, contractors, truck drivers, railroad crews, government employees/law enforcement and other who may seek access
• Sign-in or documentation of access procedures
• Escorting policies for visitors, contractors, and government employees (Circumstances when escorts are required and the procedures to be followed under each situation.)
• Screening and searching procedures for vehicles, baggage (accompanied and unaccompanied), hard-carried articles
• Physical security measures applicable to access control (Fencing/barriers, locks, lighting, intrusion detection, etc.)
• Physical barriers that prevent vehicles from being used as weapons
• The escalation in the implementation of access control procedures as alert levels escalate (How vehicle search procedures change as alert levels rise)
Reproduced by IHS under license with API
Protected/Controlled/Restricted Areas
If the location designates certain areas as protected, controlled or restricted, then the physical security measures pertinent to those areas should be described this section of the plan.
Security Measures for Monitoring
This section of the plan should describe how the facility is monitored for unauthorized access
Effective monitoring methods should be tailored to the specific needs of each location For less attractive remote facilities, regular operational checks may suffice, while more advanced facilities require a blend of personnel monitoring, such as guards and dogs, alongside technological solutions like intrusion detection systems The security plan must outline how monitoring equipment, personnel, and procedures adapt in response to escalating alert levels For instance, if off-duty law enforcement officers are deployed during an "Orange" alert, this should be clearly detailed in the security plan.
Security Incident Procedures
This section of the plan outlines the definition of security breaches, specifies the notification process and order, and details the investigation procedures for security incidents It may require adjustments to encompass security-related incidents and establish specific investigation criteria Additionally, it should reference the site emergency response plan and the company crisis management plan, if relevant.
Audits and Security Plan Amendments
This section of the security plan should describe how the plan should be audited, including periodicity, audit team leadership/membership, documentation, and follow-up of findings For
MTSA facilities, the USCG regulations contain specific provisions for security plan audits Non- MTSA facilities may wish to develop their own or use existing HES auditing
After an audit or for other reasons, it may be necessary to amend the security plan The procedure for generating and approving these amendments, both internally and potentially by external organizations, should be clearly outlined The USCG regulations specify a defined interface process for amending security plans between the Coast Guard and the facility For facilities that are not regulated by the USCG but are ISO-9000 certified, the ISO process for maintaining controlled documents or an equivalent method may be utilized.
Security Vulnerability Analysis (SVA) Report
The security plan may include the SVA report as an attachment, a summary, or a reference to the SVA, which serves as the foundation for various elements within the plan It is essential to keep the SVA and the security plan up to date For Coast Guard-regulated facilities, the SVA is known as the Facility Security Assessment (FSA), fulfilling the same role Additionally, the Facility Vulnerability and Security Measures Summary (Form CG-6025) must be included in the security plan for these facilities For more details on security vulnerability assessments, refer to Chapter 5.0.
Security Vulnerability Assessment Overview
A Security Vulnerability Assessment (SVA) systematically evaluates the likelihood of successful threats against a facility or asset, while also considering the potential severity of consequences for the facility, surrounding community, and energy supply chain One key objective of an SVA is to identify countermeasures that can mitigate the risk of attacks and their potential impacts.
Various SVA techniques and methods exist, each with shared elements The owner/operator must select the SVA method and analysis depth that align with the facility's specific needs Factors such as geographic location, operational type, and the presence of hazardous substances influence the SVA level and approach adopted.
1 Characterize the facility to understand what critical assets need to be secured, their importance and their interdependencies and supporting infrastructure, and the consequences if they are damaged or stolen
2 Identify and characterize threats against those assets and evaluate the assets in terms of attractiveness of the targets
3 Identify potential security vulnerabilities that threaten the system’s service or integrity
4 Determine the risk represented by these events or conditions by determining the likelihood of a successful event and the consequences of an event if it were to occur
5 Rank the risk of the event occurring and, if high risk, make recommendations for lowering the risk
6 Identify and evaluate risk mitigation options and re-assess risk
The purpose of a Security Vulnerability Assessment (SVA) is to pinpoint security hazards, threats, and vulnerabilities, as well as to identify effective countermeasures This process is essential for safeguarding the public, protecting workers, preserving national interests, ensuring environmental safety, and securing the company's assets.
Owner/operators may use any appropriate security vulnerability assessment methodology that effectively achieves this objective Following are a few published methodologies that are currently available for this use:
• API RP 70 Security for Offshore Oil & Natural Gas Operations, 1 st Ed., March, 2003
• API RP 70I Security for International Oil and Natural Gas Operations, 1 st Ed., April 2004
• API/NPRA Security Vulnerability Assessment Methodology, September 2004
• American Institute of Chemical Engineers (AIChE) Center for Chemical Process Safety (CCPS ® ) “Guidelines for Managing and Analyzing the Security Vulnerabilities of Fixed Chemical Sites, August 2002” 8
• Sandia National Laboratories Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF)
This guidance should also be considered in light of any applicable governmental security regulations and other guidance as outlined in Appendix A, Regulatory Matrix
The SVA process may be used to assess a wide range of security issues such as those listed in Figure 5.1
Reproduced by IHS under license with API
Figure 5.1—Security Events Evaluated During the API SVA Process
The intentional damage to equipment or malicious release of toxic substances and flammable hydrocarbons at the facility can lead to significant consequences, including multiple casualties, extensive damage, and detrimental effects on public safety and the environment.
2 Theft of toxic substance or flammable hydrocarbons with the intent to cause severe harm at the facility or offsite
3 Contamination or spoilage of products to cause workers or public harm on or offsite
4 Degradation of assets or infrastructure or the business function or value of the facility or the entire company through destructive malevolent acts
Facilities governed by USCG regulations 33 CFR 101 through 106 must assess specific security events as part of their Security Vulnerability Assessment (SVA) For detailed information on these events, it is essential to consult the relevant sections of the regulations and U.S Coast Guard NVIC 11-02, as they pertain to the specific type of vessel, facility, or operation involved.
Steps in the SVA Process
Figure 5.2 illustrates the SVA process flow diagram from the API/NPRA Security Vulnerability Assessment Methodology, which is tailored for the petroleum and petrochemical industries Additionally, other effective methods, such as those described in API RP 70 and RP 70I, are also successfully utilized within the petroleum sector, as referenced in Section 5.1 For a copy of the "API/NPRA SVA Methodology," please reach out for further information.
National Petrochemical and Refiners Association
Figure 5.2—API/NPRA Security Vulnerability Assessment Methodology
1.1 Identify critical assets and infrastructure
2.4 Select targets for further analysis.
3.1 Define scenarios and evaluate specific consequences 3.2 Evaluate effectiveness of existing security measures 3.3 Identify vulnerabilities and estimate degree of vulnerability
4.2 Evaluate risk and need for additional countermeasures
4.1 Estimate likelihood of attack by vulnerability, threat, and attractiveness
5.1 Identify and evaluate countermeasures options
5.2 Prioritize potential enhancements by cost, effectiveness, and other factors
Estimating Risk Using SVA Methods
Risk management principles acknowledge that while risks cannot be entirely eliminated, they can be mitigated by strengthening defenses against known or potential threats It is crucial to approach risk-related decisions systematically SVA methods serve as valuable tools for management, offering risk insights derived from a comprehensive and defensible process The effectiveness of these methods relies heavily on the quality of the inputs and the robustness of the logical relationships within the SVA framework Additionally, much of the threat information held by the Government is classified and not publicly accessible.
Definition of SVA Terms
Risk Definition for SVA
Security risks differ from safety risks, as threats arise from a combination of an adversary's capability and intent Without both elements, a true threat does not exist.
The petroleum industry excels in risk management, particularly in safety, where risk is defined as the product of probability and consequences Traditionally, risk management has concentrated on the likelihood of accidental events However, this conventional approach falters in the security domain, as the lack of specific intelligence makes it challenging to assess risks effectively.
Reproduced by IHS under license with API
`,,`,`,-`-`,,`,,`,`,,` - specific about the likelihood of an attack One conclusion of this reasoning is that there is no risk – a potentially misleading and incorrect conclusion
To effectively assess the likelihood of an attack, it is essential to utilize surrogates due to the inherent uncertainty in estimating risks for specific locations It is advisable to incorporate multiple variables that reflect an assumed threat, such as terrorism In the context of a Security Vulnerability Assessment (SVA), risk is defined as follows:
“Risk is an expression of the likelihood that a defined threat will target and successfully exploit a specific vulnerability of an asset and cause a given set of consequences ” 9
Figure 5.3 provides a simple depiction of risk, and Figure 5.4 defines risk for the SVA process
Security risk is a function of the consequences of an attack and the likelihood of the attack
The likelihood of damage or loss of an asset is a function of the target’s attractiveness, the degree of threat, and the degree of vulnerability to the attack
The risk variables are defined as shown in Figure 5.5
Consequences Consequences are the potential impacts of the event
The likelihood of being targeted for an attack involves both the probability of being chosen as a target and the conditional probability of successfully planning and executing the attack, taking into account the existing security measures This likelihood is influenced by three key variables.
Threat Threat is a function of the adversary intent, motivation, capabilities, and known patterns of potential adversaries Different adversaries may pose different threats to various assets within a given facility
Vulnerability refers to a weakness that can be exploited by an adversary to access, damage, or steal an asset, or to disrupt a critical function It serves as a variable that indicates the likelihood of a successful attack when there is intent to target an asset.
Target Attractiveness Target Attractiveness is a surrogate measure for likelihood of attack
This factor is a composite estimate of the perceived value of a target to the adversary and their degree of interest in attacking the target
A high-risk event indicates a significant chance of a successful attack on a critical target asset, influenced by the asset's appeal to adversaries, the level of threat, and its vulnerability The criticality of the asset is assessed based on its value and the potential repercussions of an attack When the likelihood of a successful attack is elevated, the associated risk is deemed high, necessitating the implementation of suitable countermeasures for the asset in question.
In the SVA, security event risks are assessed qualitatively, relying on the consensus of knowledgeable individuals to evaluate the likelihood and consequences of potential undesired scenarios This assessment utilizes the best available information, drawing on experience and expertise to inform effective risk management decisions A risk matrix may be employed as a graphical tool to aid in these risk assessment decisions.
Consequences (C)
The impact of a security incident at a facility is typically measured by the potential injury or damage from a successful attack, which can exceed the anticipated effects of accidental risks Notable examples of significant consequences in a Security Vulnerability Assessment (SVA) include various forms of harm and disruption.
• Injuries to the public or to workers
• Severe environmental damage (such as contamination of drinking water)
• Direct and indirect significant financial losses to the company
• Disruption to the national, regional, or local operations and economy
The potential consequences of accidental releases can vary significantly from what is typically expected In contrast, during security incidents, adversaries aim to inflict maximum damage, necessitating the definition of a worst-case credible security scenario Additionally, it is essential to carefully consider the dependencies and interdependencies of critical infrastructure.
Reproduced by IHS under license with API
The inclusion of hazardous materials theft in Security Vulnerability Assessments (SVAs) is crucial, as terrorists may seek to acquire these materials to inflict harm or to manufacture chemical weapons.
Consequences play a crucial role in assessing asset criticality and determining the necessary security measures In the initial evaluation process, both consequences and attractiveness are utilized to filter out low-value assets from further analysis.
Threat (T)
A threat refers to any indication, circumstance, or event that has the potential to cause loss or damage to an asset It also encompasses the intention and capability of an adversary to take actions harmful to valued assets Threat sources can be categorized in various ways.
• Activists, pressure groups, single-issue zealots,
• Criminals (e.g., white collar, cyber hacker, organized, opportunists)
Adversaries may be categorized as occurring from three general groups:
• Insiders working as colluders with external threats
During the SVA process, threat information serves as a crucial reference for evaluating an adversary's capabilities and intentions Understanding the motivations behind potential threats allows a company to assess various risks and identify vulnerabilities within its systems This assessment is essential for pinpointing areas where the company may require further assistance and information from federal, state, and local authorities.
Vulnerability (V)
Vulnerabilities refer to weaknesses that adversaries can exploit to gain unauthorized access, leading to potential destruction or theft of assets These vulnerabilities may arise from deficiencies in management practices, physical security, or operational security In a Security Vulnerability Assessment (SVA), vulnerabilities are assessed by examining the threats and hazards to the assets or through a scenario-based approach that analyzes various potential sequences of events.
Target Attractiveness (A T )
Not all targets hold the same value for adversaries, as the Security Vulnerability Assessment (SVA) process assumes that target attractiveness significantly impacts the probability of a security event This attractiveness is determined by the estimated real or perceived value of a target to an adversary, influenced by various factors.
In the Security Vulnerability Assessment (SVA), it is crucial to assess the appeal of each asset by considering the adversary's intentions or their expected interest in the target This evaluation allows for the formulation of security strategies tailored to the identified targets and potential threats.
Figure 5.6—Target Attractiveness Factors Type of effect:
• Potential for causing maximum casualties
• Potential for causing maximum damage and economic loss to the facility and company
• Potential for causing maximum damage and economic loss to the geographic region
• Potential for causing maximum damage and economic loss to the national infrastructure
• Usefulness of the process material as a weapon to cause collateral damage
• Proximity to a national asset or landmark
• Difficulty of attack including ease of access and degree of existing security measures
• High company reputation and brand exposure
• Chemical or biological weapons precursor chemical
Characteristics of a Sound SVA Approach
Distinguishing between security risk management and SVA methods is crucial Security risk management encompasses the entire process, including SVA, the development and implementation of a security plan, and the reintegration of data into future SVAs SVA serves as a risk estimation tool for decision-making, providing powerful analytical capabilities to understand system risks However, relying solely on SVA methods to establish risk or make decisions is inadequate Instead, these methods should be integrated into a comprehensive process involving knowledgeable personnel who review inputs, assumptions, and results This collaborative review should consider SVA outputs alongside other factors, the impact of key assumptions, and uncertainties due to data absence or variability before making informed decisions on risk and mitigation actions.