781 e1 pp2 fm Facility Security Plan Methodology for the Oil and Natural Gas Industries API RECOMMENDED PRACTICE 781 FIRST EDITION, SEPTEMBER 2016 Special Notes API publications necessarily address pr[.]
General
A facility security plan (FSP) is essential for creating a secure workplace by outlining potential threats and detailing the security measures and procedures in place This plan aims to mitigate risks and safeguard individuals, assets, operations, and the company's reputation.
The API Security Committee developed this standard to aid the petroleum and petrochemical industries in creating a Facility Security Plan (FSP) It outlines the necessary requirements for FSP preparation and discusses the typical elements that should be included in such plans.
Applicability
This standard offers flexibility and adaptability to meet user needs, recognizing that the content of a Facility Security Plan (FSP) can differ based on factors like facility size, location, and operations It presents one methodology for developing an FSP specifically for petroleum and petrochemical facilities, while acknowledging the existence of other security plan formats within the industry Users are responsible for selecting the FSP format and content that best suits their facility's requirements, with some plans needing to comply with government regulations Importantly, this standard does not replace any existing regulatory requirements for covered facilities but serves as a useful reference document.
The Facility Security Plan (FSP) is a crucial component of a comprehensive Security Management System (SMS) and should be developed following a Security Risk Assessment (SRA) The SRA identifies and evaluates the threats, vulnerabilities, and potential consequences that a facility may face Understanding these risks is essential for creating an effective FSP, which must include procedural, physical, and cyber security measures to ensure a holistic approach to security.
In today's fast-paced technological landscape, it is essential for Financial Service Providers (FSPs) to integrate Information Technology and Operational Technology Security measures The interconnectedness of physical and logical security, highlighted by the rise of the Internet of Things (IoT), emphasizes the need for a unified security strategy This approach is crucial for mitigating risks and ensuring organizational resilience against evolving threats.
The latest versions of the standards, codes, and publications mentioned in this RP serve as valuable resources for further information Additional details can also be found on the referenced websites and in the Bibliography.
API Manual of Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries
6 CFR §27.230 1 , Chemical Facilities Anti-Terrorism Standards, Risk-Based Performance Standards
33 CFR §105.100–415 2 , Maritime Transportation Security Act of 2002
National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity 3
1 Department of Homeland Security-ISCD, 1421 Jefferson Davis Highway, Arlington, VA 22202.
2 U S Coast Guard, 2699 Firth Sterling Ave SE, Washington, D.C., www.gocoastguard.com.
3 National Institute of Standards and Technology, 100 Bureau Drive, Stop 3460, Gaithersburg, Maryland 20899, www.nist.gov.
3 Terms, Definitions, Abbreviations, and Acronyms
Terms and Definitions
For the purposes of this document, the following definitions apply.
Effective governance strategies that integrate both physical and cyber elements are essential for protecting an organization's assets These strategies encompass principles, policies, and controls aimed at safeguarding the workforce, facilities, operations, equipment, technology, systems, communications, and information Additionally, they ensure compliance with relevant regulatory frameworks while mitigating threats and potential security events.
An asset is defined as anything that holds positive value for an owner, including individuals, environments, facilities, materials, information, business reputation, or activities While these assets are beneficial to their owners, they may also possess value to potential threats, although the significance and nature of that value can vary.
Assets may be categorized in many ways such as: a) people, b) hazardous materials (used or produced), c) information, d) environment, e) equipment, f) facilities, g) activities/operations, and h) company reputation.
When assessing the value of a target in relation to a threat, it is crucial to consider several key factors These include the potential for mass casualties and fatalities, the extent of possible property damage, and the target's proximity to national assets or landmarks Additionally, the risk of disruption to critical infrastructure and the local, regional, or national economy must be evaluated The ease of access to the target, the likelihood of media attention, and the impact on the company's reputation and brand exposure are also important considerations Finally, the presence of on-site materials that could be utilized as chemical or biological weapons, or their precursors, should not be overlooked.
A security assessment or plan, conducted by the owner, their designee, or an approved third-party, aims to identify deficiencies, non-conformities, and inadequacies that may compromise its effectiveness.
The normal operating condition level of risk that takes into account existing risk mitigation measures.
An incident that has not resulted in security incident, in which security measures have been circumvented, eluded, or violated.
The potential to accomplish a mission, function, or objective.
The potential outcome of an event can be assessed through various consequences, which are typically measured in four key areas: human, economic, mission, and psychological Additionally, consequences may encompass other important factors, including the impact on the environment.
Actions, measures, or devices intended to reduce an identified risk.
Importance to a mission or function, or continuity of operations.
The process of protecting information by preventing, detecting, and responding to attacks.
Any material, substance, or item that reasonably has the potential to cause a security incident.
To slow the progression of an intentional act.
The strategy involves detecting potential threats that may lead to security incidents or criminal activities, enabling real-time monitoring and subsequent analysis of the threat's actions and identity.
A countermeasure strategy that is intended to prevent or discourage the occurrence of a breach of security or a security incident
An employer may face legal issues if they implement a criminal background check that consistently excludes individuals based on race, national origin, or other protected characteristics, unless the check is directly related to the job and necessary for business operations.
Intentional discrimination in employment if a covered employer uses criminal history information differently based on an applicant's or employee's race, national origin, or other protected trait
Ensuring the continuous monitoring through accompaniment or technical means, such as CCTV, in a manner sufficient to observe if the individual is engaged in unauthorized activities.
The person designated as responsible for the development, implementation, revision and maintenance of the facility security plan
The document developed to ensure the application of security measures
Information to characterize specific or general threats when considering a threat's motivation, capabilities, and activities.
A state of mind or desire to achieve an objective
The Internet of Things (IoT) refers to a peer-to-peer network of interconnected objects and devices that can be sensed, controlled, and programmed, enabling seamless communication among them.
3.1.25 layers of protection concentric “rings of protection”
The concept of layered security involves implementing multiple independent and overlapping protective measures to enhance safety This approach encompasses various forms of protection, including counter surveillance, counterintelligence, physical security, and cyber security Additionally, it is crucial to maintain a balance among these security measures to ensure that equivalent risks are present, regardless of the threat's pathway or method.
The chance of something happening, whether defined, measured, or estimated objectively or subjectively or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies, or probabilities.
The ongoing and sustained action to reduce the probability of, or lessen the impact of, an adverse incident.
Means any person or entity that owns or maintains operational control over any facility.
A site's resilience relies on its capacity to implement effective service and restoration plans for affected assets, utilizing a combination of individual, private sector, nongovernmental, and public assistance programs These programs are essential for identifying needs, defining resources, providing housing, and promoting restoration efforts Additionally, they address the long-term care and treatment of impacted individuals, implement community restoration measures, and incorporate feasible mitigation techniques Evaluating incidents to extract lessons learned is crucial for developing initiatives aimed at reducing the impact of future occurrences.
The ability to adapt to changing conditions and prepare for, withstand and rapidly recover from disruption.
The act of reacting to detected or actual security incidents either immediately following detection or post incident.
Certain locations necessitate restricted access and enhanced security measures as outlined in the security plan The entire facility can be classified as a restricted area, provided it receives the necessary level of security.
The potential for damage to or loss of an asset.
The systematic examination of the components and characteristics of risk.
Risk assessment involves evaluating the probability of a threat exploiting a vulnerability and the potential consequences (C) for an asset This process is essential for prioritizing risks and determining the appropriate countermeasures to implement.
The process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.
Device, system, or action that either would likely interrupt the chain of events following an initiating event or that would mitigate the consequences.
A reasonable examination of persons, cargo, vehicles, or personal effects
The area over which the owner/operator has implemented security measures for access control in accordance with the security plan
A security event which may compromise an asset and require action.
An assessment for the purposes of determining security risk.
A walkthrough to visually inspect the facility to identify unattended packages, briefcases, luggage, unauthorized persons, or other security breaches and determine that all restricted areas are secure.
A device or multiple devices designed, installed and operated to monitor, detect, observe, or communicate about activity that may pose a security threat
An asset, network, system, or geographic area chosen by a threat to be impacted by an attack.
Technical systems encompass a variety of electronic solutions designed to enhance security and protection These systems include access control mechanisms such as card readers and keypads, electric locks, and remote control openers Additionally, they feature alarm systems, intrusion detection devices, and monitoring solutions from central stations Video surveillance equipment, voice communication systems, and listening devices are also integral components Furthermore, computer security measures like encryption, data auditing, and scanners play a crucial role in safeguarding information.
The illegal application of force or violence aimed at individuals or property seeks to intimidate or coerce governments or civilian groups to achieve political or social goals.
A threat refers to any indication, circumstance, or event that could lead to the loss or damage of an asset It encompasses both the capability and intent of an adversary to engage in actions that may harm critical assets.
A product or process of identifying or evaluating entities, actions, or occurrences that has or has indicated the potential to harm life, information, operations, or property.
Consist of three general areas from which threats or adversaries can be categorized such as: a) internal threats, b) external threat, and c) Internal threats working in collusion with external threats.
An event that results in a loss of an asset, whether it is a loss of capability, life, property, or equipment.
Having the authority to enter and move about a secure area without escort
A weakness that can be exploited by a threat to gain access to an asset.
A product or process of identifying physical features or operational attributes that renders an entity, asset, system, network, or geographic area susceptible or exposed to hazards.
Abbreviations and Acronyms
AFSO Alternate Facility Security Officer
AIChE American Institute of Chemical Engineers
CERT Corporate Emergency Response Team
CCPS Center for Chemical Process Safety of the American Institute of Chemical Engineers (AIChE) CCTV Closed Circuit Television
CFATS Chemical Facility Anti-Terrorism Security 6 CFR Part 27
DHS Department of Homeland Security
FBI U S Federal Bureau of Investigation
HSAS Homeland Security Advisory System
MTSA Maritime Transportation Security Act
NIPP National Infrastructure Protection Plan
USCG United States Coast Guard
The Safety Management System (SMS) serves as the strategic framework for risk management within an organization, enabling the development of policies and security objectives while identifying processes to mitigate the impact of security incidents A crucial element of the SMS is a security policy that reflects management's commitment to security, which must be endorsed by top executive leadership It is essential for management's dedication to the SMS to be effectively communicated across the organization.
The Security Management System (SMS) is tailored to meet the organization's security requirements, with two essential components being the Security Risk Assessment (SRA) and the formulation of a robust Facility Security Plan (FSP) The FSP must be adaptable to the organization, as threats and countermeasures differ based on the facility's location, size, vulnerabilities, and characteristics This flexibility enables each facility to customize its FSP to effectively address specific risks while ensuring consistency across the corporation by adhering to the overarching elements of the corporate SMS.
Risk assessment plays a crucial role in the Safety Management System (SMS) and the formulation of a Facility Security Plan (FSP) To create an effective security strategy, it is essential for a facility to identify its critical assets at risk, comprehend the threats affecting these assets, evaluate their vulnerabilities, and assess the potential consequences of a successful attack.
Understanding the distinction between threat and risk is crucial, as they are often used interchangeably Risk refers to the potential for damage or loss of an asset, with its severity determined by the likelihood of occurrence and the extent of consequences In contrast, a threat signifies any indication or event that could lead to asset loss or damage, including the capacity and intent of adversaries to harm critical assets Threats can originate from individuals, groups, organizations, or governments, encompassing a wide range of actors such as intelligence services, political and terrorist groups, criminals, disgruntled employees, activists, and cyber criminals These threats can be categorized as internal, external, or a combination of both working together.
The SRA aims to evaluate threats, vulnerabilities, and potential consequences to assist management in making informed decisions regarding cost-effective countermeasures Facilities can focus the SRA on specific threats like terrorism and security incidents, including criminal activities and disgruntled employees, or adopt a comprehensive approach that encompasses natural disasters such as hurricanes and floods This choice should be made after thorough consideration of the specific threats the facility may face.
The SRA serves as a decision-making tool that helps facilities identify vulnerabilities, assess the likelihood and consequences of potential incidents By analyzing various factors such as adversaries' capabilities, intentions, and the impact of successful attacks, this analysis enables facilities to prioritize threats effectively and allocate limited security resources efficiently.
The SRA should be viewed as a dynamic process that requires ongoing evaluation of threats for any changes Management should establish a regular review frequency to ensure the SRA remains current through continuous monitoring For an in-depth exploration of the SRA process, please refer to ANSI/API.
780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, 2013.
6 Introduction to Facility Security Plan Concepts (FSP)
Introduction
Security encompasses essential aspects of an organization's policies, practices, and procedures, focusing on both physical and cyber security measures to safeguard the facility The elements of the Facility Security Plan (FSP) should be tailored to address the specific threats and vulnerabilities identified in the Security Risk Assessment (SRA) This standard is designed to align with the framework established by the Chemical Facility Anti-Terrorism Standards (CFATS) and the Maritime Transportation Security Act (MTSA) regulations, aiming to enhance security without replacing regulatory requirements, while offering guidance for facilities that are not subject to these regulations.
The Facility Security Plan is essential for guiding personnel in safeguarding employees, neighboring areas, the facility itself, and the company's reputation It is crucial to regularly evaluate and update the security plan to reflect changes in operations, the surrounding environment, and emerging security data This ongoing review process allows organizations to leverage new information, adopt advanced technologies, and adjust to operational shifts For instance, updated threat intelligence may necessitate a revised access control strategy A robust security plan must remain adaptable to effectively respond to changes in the operating environment and align with the organization's management objectives.
The plan and its concepts must adhere to federal, state, and local regulations, with regular reviews and updates conducted by the company's legal advisor The facility security officer, alongside legal counsel, is responsible for ensuring the plan is periodically assessed to maintain compliance with regulatory standards During daily operations, legal counsel should be consulted on sensitive matters, including search and seizure issues, and should also be involved during any government inspections or visits.
Access to the Facility Security Plan (FSP) will be limited to personnel who require the information to implement or evaluate the facility's security measures Security training sessions will address the facility's information protection policy Additionally, the FSP will include a warning indicating that the information is sensitive and must be safeguarded.
Common elements included in an FSP
A security plan must be tailored to meet the specific needs of each facility owner/operator Key elements to consider for a security plan are outlined in Table 1, though this list is not exhaustive, and additional components may be included to address specific concerns Not every item in Table 1 will be necessary for every location; it is essential for the facility to assess its security requirements through a thorough risk assessment Should a facility choose to incorporate any element, compliance with the relevant requirements is mandatory.
Some facilities, subject to government regulation, may use this Standard as a reference document but shall follow the form and format in the regulation, if specified.
Record of Change
The FSP must maintain a record of change to track any updates or modifications to the plan This record should detail the revision number, date, affected pages or sections, document owner, and the individual responsible for the changes Ensuring this record is accurate confirms that the FSP remains current and up to date For an illustrative example, refer to Table 2.
A comprehensive security plan should include essential elements such as a record of changes, a distribution list, and a clear outline of security administration and organization It is crucial to incorporate site maps, security training, and regular drills and exercises Maintaining thorough records and documentation, along with a structured response to changes in alert levels, is vital for effective communication Additionally, network segmentation and the maintenance of security systems and equipment are key components Physical security measures, personnel surety, and specific protocols for protected, controlled, or restricted areas must also be addressed Monitoring security measures, key control, and established procedures for security incidents are necessary, alongside regular audits and amendments to the security plan.
Initial Issue 6/4/14 Initial Issue John Wayne Initial Issue
The document owner must ensure that all necessary changes and updates to the FSP are completed and documented to confirm that the plan remains current.
Distribution List
The security plan is classified as "Business Confidential" and contains sensitive information, adhering to the company's information security policies Access to the FSP is limited to individuals on the distribution list who have a "need to know," with the master list managed by the FSO To ensure its security, the FSP must be stored in locked file cabinets or secure containers, and each copy should be numbered and assigned to the recipient for better tracking.
Security Administration and Organization of the Facility
This section of the security plan outlines the management of security at the facility, detailing the personnel and groups assigned security roles along with their specific responsibilities Each individual mentioned will be identified by name, title, and 24-hour contact information.
In this context, "Facility Management" refers to the facility manager or their designated representative Additionally, the facility security officer (FSO) may be authorized to act on behalf of the facility manager for security-related matters.
The composition and scale of a security group can differ based on the facility's size and complexity At a minimum, the facility should include the roles specified in section 6.5.3 While some facilities may require these roles to be full-time, less complex facilities might only need part-time responsibilities.
The Facility Security Plan (FSP) must include site maps that provide detailed schematics of the facility's layout These schematics should clearly identify public areas, secure areas, and restricted zones, as well as the locations of guard posts, perimeter fencing, vehicle and pedestrian gates, cameras, parking areas, muster points, and operating units, buildings, and other assets.
The Facility Security Plan (FSP) must clearly identify the personnel and groups responsible for security at the facility, including their names, titles, 24-hour contact information, and a summary of their duties The owner/operator is responsible for defining the security organization in writing and may delegate roles and responsibilities, ensuring that all individuals tasked with security duties receive the necessary support to fulfill their obligations Additionally, the facility manager holds the primary responsibility for the security of the facility, making it a key aspect of their role.
1) The facility manager should ensure the cooperation of facility personnel with the FSP.
The facility manager must guarantee that all personnel assigned security duties are equipped with the necessary support and resources to effectively perform their roles The Facility Security Officer (FSO) holds the primary responsibility for overseeing the daily security operations of the facility, which encompasses a range of critical tasks.
1) ensures that security risk assessments are conducted at regular intervals and recommendations are addressed and resolved in as appropriate;
2) prepares and updates the FSP;
3) conducts and documents internal security audits on a regular basis;
4) develops security training for all employees based on their security responsibilities and documents the training;
5) develops and conducts drills and exercise and documents the results;
6) maintains liaison and develops relationships with local law enforcement and first responders;
7) is cognizant of current security threats and ensures that security measures in place are adequate to address the risk;
8) documents and communicates changes in threat level or security procedures to all employees;
9) responds to and documents security incidents;
10) ensures that security equipment is properly maintained, calibrated, tested and the results are documented;
11) develops and maintains a system of records as outlined above. d) Alternate Facility Security Officer—The facility should designate at least one alternate facility security officer
The AFSO manages facility security in the absence of the primary FSO The legal advisor ensures compliance with federal, state, and local security regulations, providing guidance on sensitive matters like search and seizure, and should be informed of any government inspections Additionally, the legal advisor may review security training to ensure legal sufficiency, particularly in regulated environments The cyber security officer oversees cyber security issues, collaborating with the FSO to integrate physical and cyber security measures, thereby protecting the facility's assets, including cyber assets.
Cyber events can affect multiple physical locations, as external attacks often exploit Internet egress points found in corporate data centers rather than in specific facilities Since these facilities lack the ability to terminate such access, it is essential to coordinate with corporate information technology (IT) to effectively manage a cyber event Additionally, if applicable, the Facility Security Plan (FSP) should identify the contract guard force.
The FSP must include details on the number, location, and type of guard posts, such as fixed or mobile patrols Additionally, it should provide the telephone numbers for each equipped guard post.
2) Document security roles, also known as post orders, performed by contract security guards.
3) The name, title and, 24 hour contact information of the site supervisor for the contract security force.
The facility must evaluate the involvement of corporate office personnel in security incidents, detailing their names, titles, 24-hour contact information, and specific duties This includes appointing a Corporate Security Representative to assist the Facility Security Officer (FSO) and ensure compliance with regulatory requirements while guiding security implementation across the organization Additionally, a Corporate Cybersecurity Representative is essential for managing cyber events that may necessitate a coordinated corporate response beyond the local site Furthermore, it is important to identify other corporate personnel with security responsibilities, outlining their titles and functional oversight roles.
In the event of releases, fires, or injuries due to a security-related incident, it may be necessary to notify or involve external agencies Consult the relevant facility emergency plan for detailed instructions The Facility Security Plan (FSP) should include a list of essential agencies, along with their emergency and non-emergency contact numbers, such as national, federal, and local police departments, the fire department, and any other required government and regulatory agencies.
Security Training
All personnel must undergo safety and security training before entering the facility, with the training level and frequency tailored to their specific security responsibilities and the facility's risk profile This training can range from a brief security awareness overview for casual visitors to a comprehensive program for employees with security duties Additionally, legal advisors should review the training to ensure compliance with legal standards, particularly in regulated environments.
Security awareness training is essential and should be conducted during initial briefings for new hires or upon arrival at the facility Additionally, the facility should implement annual refresher training for all staff, along with interim briefings or security advisories as they become available.
Effective training enhances security awareness, equipping personnel to recognize and report suspicious behavior and unauthorized access attempts Well-prepared staff are more adept at identifying potential security breaches, thereby increasing deterrence against unauthorized activities.
The training program is essential for validating security plans, policies, and procedures, while also identifying weaknesses and areas for improvement It ensures that personnel are well-acquainted with alert notifications, response requirements, and other critical security procedures to be followed during an incident.
To enhance cyber security, the facility should implement a comprehensive training program that educates all personnel on the vulnerabilities of cyber systems and their critical role in maintaining security This training should cover essential topics, including a review of the company's cyber policy, clarification of individual roles and responsibilities, password management procedures, acceptable practices, and guidance on reporting any suspicious or inappropriate behavior.
6.6.2 Facility Security Officer, the Assistant Facility Security Officer, and Other Security Personnel
The Facility Security Officer (FSO) and Assistant Facility Security Officer (AFSO) are responsible for the comprehensive security of the facility and must undergo extensive training This training encompasses the facility's security plan, objectives, procedures, and employee responsibilities, as well as actions to take during a security breach Key areas of knowledge include the prevention and detection of criminal activities, reporting threats, communication system operations, and procedures for notifying personnel of heightened security levels Additionally, they must be familiar with security laws, current threats, recognition of dangerous substances, and behaviors indicative of potential threats Training also covers techniques to circumvent security measures, crowd management, emergency procedures, operation and maintenance of security equipment, and methods for screening individuals and vehicles The training is tailored to the facility's unique security characteristics and evolving threats, emphasizing the importance of vigilance and prompt reporting of suspicious activities.
6.6.3 Security Training for All Other Facility Personnel
All facility personnel, including contractors, whether part-time, full-time, or temporary, must be trained or possess equivalent job experience in key areas These include understanding the facility security plan, recognizing and detecting dangerous substances and devices, identifying behavioral patterns of individuals who may pose security threats, and knowing techniques that could be used to bypass security measures.
Employees and contractors at the facility must regularly demonstrate their proficiency in operating all relevant equipment, procedures, processes, and systems This practice ensures their competence in effectively responding to security incidents.
Visitors should be provided with a concise overview of current security issues to help them recognize and report suspicious activities This briefing must cover the current threat level and relevant security concerns.
The facility will provide regular security training, with employees and contractors in security-related roles receiving more frequent and comprehensive training compared to those without such responsibilities The training intensity will align with the security duties and clearance levels of each employee.
Facilities can opt to deliver initial classroom-based security training for personnel assigned security responsibilities, along with annual refresher training through computer-based modules Additionally, an annual general security awareness module may be offered to all employees via computer-based training.
Drills and Exercises
Drills and exercises must be developed and executed to assess the effectiveness of the security plan and its supporting procedures, ensuring that facility personnel are proficient in implementing its elements These activities should evaluate personnel responsibilities across all security condition levels The evaluation process will help the Facility Security Officer (FSO) identify any security deficiencies, weaknesses, and vulnerabilities that require attention.
Drills and exercises must evaluate both physical and cyber security measures at the facility, necessitating collaboration with the IT security team for effective cyber drills.
Security drills can be integrated with other facility exercises related to environmental, health, or safety events, such as spill or release response drills These activities often include a security aspect and may align in objectives, involving both on-site personnel and off-site responders.
Facilities should document the number and frequency of drills and exercises based on their security risk analysis and risk profile It is recommended to conduct one drill each quarter and one exercise annually to ensure preparedness.
The FSO must conduct regular drills as specified in the FSP or mandated by regulations These drills should focus on testing individual elements of the FSP, adapting scenarios to reflect the facility's operations, personnel changes, new equipment, and other pertinent factors Over time, it is essential that these drills evaluate every major component of the FSP.
The facility can utilize a real-world event, such as a security breach, as a drill to document deficiencies and gather recommendations or lessons learned for enhancing security performance However, this approach should not replace the scheduled drills during the designated period.
The FSO is responsible for conducting regular exercises as outlined in the FSP or mandated by regulations These exercises serve as a thorough evaluation of the emergency response plan, often involving multiple groups and off-site responders Realistic emergency scenarios are essential to assess the readiness of individuals and organizations, aiming to enhance response capabilities and validate plans, policies, and procedures Additionally, these scenarios are crucial for determining the effectiveness of command, control, and communication functions.
Joint training initiatives require collaboration with external agencies, including law enforcement and first responders, who actively engage in exercises or drills It is essential for the Facility Security Officer (FSO) to foster relationships with these organizations and promote their regular involvement in security drills or exercises.
Record Keeping and Documentation
This section outlines the necessary security-related records that must be created and stored, either in written or electronic form All documentation pertaining to the facility's security, including the FSP, must be classified and safeguarded against unauthorized access, in line with the facility's information protection policy To minimize redundancy, existing record-keeping systems may be employed, provided that the system administrator confirms to the FSO that access can be limited to authorized personnel Records will be retained according to the facility's record retention policy, unless overridden by regulatory requirements.
The facility is required to maintain comprehensive records, including security training details such as session dates, topics, instructor qualifications, and evaluation results Documentation for drills and exercises must include descriptions, dates, deficiencies, and lessons learned, with updates to the security plan as needed All suspicious activities and security breaches must be investigated and recorded, noting the incident's date, time, location, and response actions Security equipment maintenance, testing, and calibration records should detail malfunctions, repairs, and technician qualifications, along with equipment identification Records of threats to personnel and operations must include occurrence details, communication methods, and responses, with necessary reports to governmental agencies documented Finally, security audits should be recorded, capturing audit types, results, and auditor names, with findings tracked until resolved.
Response to Change in Alert Level
This section outlines the security alert system implemented at the facility, acknowledging that threats can fluctuate unexpectedly due to global conditions These variations may not always be apparent to the public, complicating the assessment of risk levels Typically, adjustments to security measures are prompted by alerts from government agencies indicating heightened threats to the nation, industry, or specific facility.
To effectively manage potential changes in threat levels, the facility must first establish baseline security measures for normal operations After defining these baseline measures, the facility will outline elevated alert levels and implement a tiered approach to apply suitable security measures during periods of heightened threats.
The security risk assessment results help the facility identify threats, recognize risks, and select suitable countermeasures for baseline security The facility must establish at least two additional alert levels: an elevated threat alert for credible terrorist threats and an imminent threat alert for specific, impending threats Additional threat levels can be introduced between the baseline and imminent threat alerts to allow for a gradual increase in security These threat levels follow a preplanned layered approach, where each increase in threat level builds upon the security measures already in place from the previous level.
The facility has the capability to independently detect threats and raise its alert level without government communication The threat level is dynamic, adjusting as risks fluctuate In response to escalating threats, temporary security enhancements will be implemented, and a documented plan will be developed to increase security measures accordingly This preplanned response enables swift action, allowing for incremental adjustments and effective countermeasures The plan will specify the process for raising the alert level and identify the authority responsible for initiating these changes.
Enhanced security measures will significantly lower the chances of successful attacks The facility will implement a scalable range of security protocols to strengthen its security posture in response to increased threat levels.
Upon recognizing an elevated threat level, the facility must promptly implement enhanced security measures It is essential to document the date and time of awareness, the method of communication regarding the threat, the individual who communicated it, the recipients of the information, and the timing of the security measures' implementation Additionally, if notification to a regulatory authority is necessary, the facility should also record the date, time, and recipient of that report.
Appendix C in Annex A outlines the security countermeasures to be implemented during heightened threat levels The choice of specific countermeasures will be influenced by the type of threat, such as physical or cyber, as well as the intelligence gathered and the operational circumstances at the facility.
Communications
This section outlines the facility's communication capabilities essential for executing the security plan and managing emergencies It emphasizes the importance of regularly testing communication systems and procedures to ensure effective and continuous interaction among facility staff, security personnel, operations teams, vessels (if applicable), and local and national authorities Any identified deficiencies must be documented and addressed promptly.
The facility must ensure reliable backup options for internal and external communications, including cell phones, landlines, fax, and email Additionally, the plan should include regular testing of communication equipment to promptly address any deficiencies.
In emergencies where telephone landlines are disrupted, the cell phone network may become overloaded, leading to sporadic and unreliable service.
The facility will establish and document a communication plan detailing how to inform employees and contractors about elevated threat levels, communicate with potentially docked vessels, and provide instructions to off-duty personnel Additionally, the plan will outline the communication methods available among employees, such as radio and telephone.
The plan must focus on the communication and security of data by pinpointing critical computer systems and networks essential for security, such as process control and electronic access control systems It should include a general overview of the cybersecurity measures in place for these systems, along with details on any redundancies or backup capabilities.
This section outlines the communication strategy between the facility and external entities, such as local fire and police departments, that are crucial for security responses Additionally, the facility should engage with nearby businesses and residents to promote vigilance and encourage them to report any suspicious activities, providing them with the necessary contact information for reporting.
Not all elements are suitable for every location; for instance, a small, low-risk, unmanned remote facility may only need periodic checks on a weekly or monthly basis.
To ensure continuous and effective operation, security systems and equipment must be maintained in optimal condition Qualified technicians should inspect, test, calibrate, and maintain these systems according to the manufacturers' guidelines Any malfunctions must be promptly documented, and necessary repairs or replacements should be carried out by qualified professionals without unnecessary delays.
Site Maps
This section of the plan will include comprehensive schematics that illustrate the facility's layout, clearly designating public areas, secure zones, and restricted sections It will also pinpoint the locations of guard posts, perimeter fencing, vehicle and pedestrian gates, camera placements, parking areas, and muster points.
Network Segmentation
To effectively manage risks associated with diverse user and system communities, the FSO should collaborate with IT personnel to segment computer networks This segmentation enables the implementation of targeted controls, such as disabling unnecessary services like email on process control networks By minimizing the number of available services, the attack surface is reduced, which enhances system availability and mitigates potential health, safety, and environmental impacts.
Segmentation is essential for isolating networked physical security and monitoring devices, such as CCTV and electronic sensors, from the business or operational networks they oversee While these physical security devices may appear harmless, they serve distinct functions that differ from the networks they are connected to.
Integrating physical security devices into business networks heightens risk and expands the attack surface Documented incidents, such as the 2008 Baku-Tbilisi-Ceyhan pipeline explosion, illustrate how attackers exploited vulnerabilities in surveillance cameras to infiltrate networks and subsequently manipulate connected SCADA systems.
In cybersecurity, a Demilitarized Zone (DMZ) enhances the security of an internal network by isolating publicly accessible servers, thereby preventing external access and potential compromises While ultimate segmentation, or "air-gapping," is ideal, it is often impractical due to the need for external access, such as maintenance, or the value of information shared between networks To facilitate secure connections between different networks, DMZs should be implemented, along with additional controls like one-way data transmission, to minimize the risk of security breaches.
Security Systems and Equipment Maintenance
This section outlines the inspection, testing, and preventive maintenance program for the site's security systems and equipment All systems must be inspected and maintained by qualified technicians per the manufacturer's recommendations to ensure optimal functionality Any malfunctions should be promptly addressed with necessary repairs or replacements In the event of equipment failure, the Facility Security Officer (FSO) will assess the situation to implement alternative security measures, such as portable lighting, additional personnel, or access gate closures, to mitigate any security lapses.
Cybersecurity measures, including hardware and software like firewalls, intrusion detection systems, and antivirus programs, must be validated, and alternative controls should be put in place if any security devices are defective Additionally, the testing, maintenance, and repair of these cyber systems should only be conducted by qualified technicians.
Physical Security
The facility will implement a comprehensive layered security approach utilizing various systems, including perimeter fencing, restricted areas, barriers, CCTV, intrusion detection sensors, and controlled access points These countermeasures will be tailored to the specific needs of the facility, taking into account its size, layout, type, operations, and perceived value as a target for potential threats.
Physical security differs from cyber or network security, yet it can integrate cyber measures in access control, perimeter protection, intrusion detection, and CCTV These physical and cyber systems work in tandem, bolstered by the facility's policies, plans, and procedures, to create a comprehensive security framework A strategic approach is essential for effective security management.
“Defense in Depth” by placing layers of increased protection between access points and critical assets.
The facility will implement a comprehensive security system that combines both physical and cyber measures to effectively protect individuals, the facility itself, and its assets This layered approach aims to deter, detect, delay, and respond to potential incidents, ensuring that adversaries are discouraged from attempting to breach security.
4 Jordan Robertson Michael Riley, “Mysterious '08 Turkey Pipeline Blast Opened New Cyberwar” [Webpage], (December 10,
The article discusses the importance of security measures at a facility, emphasizing the need to control access, prevent unauthorized introduction of dangerous substances, secure authorized materials, and protect critical information from unauthorized disclosure.
6.14.2 Fencing/Clear Zones/Visual Observations
Fencing, clear zones, and visual observations serve as the initial defense layers for a facility by clearly marking its boundaries, creating a psychological deterrent against unauthorized access, and offering a temporary delay for intruders.
The facility must implement permanent perimeter fencing that adheres to either company or applicable industry standards Any existing fencing that fails to meet these standards should be upgraded during replacement due to damage or wear.
The facility must establish written programs for the regular inspection, repair, and upgrading of fences Effective fencing requires consistent checks, as issues such as improperly attached fabric to support poles and unsecured bottom wires are common Additionally, ground erosion beneath the fence can create gaps, allowing unauthorized access Furthermore, unchecked vegetation near the fence can provide cover for potential intruders or serve as a climbing aid.
Facilities must establish written programs for inspecting and maintaining perimeter clear zones It is recommended to have a clear zone of at least 10 to 15 feet beyond the fence line to enhance intruder detection, especially if the facility owns the property Furthermore, additional clear zones may be necessary along perimeters that border rivers, streams, and wooded areas.
Well-designed gates, along with perimeter fencing, direct vehicles and pedestrians to a few access control points for identity verification before granting facility access All gates must be secured or monitored through manpower or CCTV The facility should minimize the number of gates to those essential for safe operations, removing any unnecessary gates and replacing them with perimeter fencing.
Vehicle barriers are essential for managing vehicular access and safeguarding critical assets by delaying or preventing unauthorized entry Strategically positioned around the perimeter, these barriers help mitigate the risk of vehicles gaining speed to breach fences Additionally, they can be installed on roadways leading to access points to slow down approaching vehicles The necessity for vehicle barriers should be established through a thorough security risk assessment.
When implementing vehicle barriers, facilities have a variety of options available It is essential that the ratings of crash barriers are based on verified crash data Barriers that lack crash testing should not be utilized.
Natural barriers such as excavations, ditches, and berms can also be effective passive barriers
Effective perimeter security lighting deters unauthorized access and enhances monitoring capabilities It plays a crucial role in detecting potential breaches of the fence To ensure optimal illumination, all security lighting must comply with company or industry standards.
Lighting at guard posts must facilitate visual inspection of credentials, with full spectrum (white light) being the preferred choice The placement of lighting should effectively illuminate areas outside the guardhouse while ensuring that visitors cannot see inside.
Effective lighting in intruder detection and assessment areas is crucial for enabling security personnel and CCTV systems to observe potential threats It is essential to ensure that no light fixtures are positioned within the field of view of CCTV cameras to maintain optimal surveillance conditions.
Facilities must regularly assess lighting levels with a light meter and document the findings Additionally, a systematic approach for the inspection and maintenance of security lighting should be established and followed Any defective lights must be reported and recorded, with a work order created and monitored until completion.
General
This section outlines the facility's process for vetting employees, contractors, and visitors before granting access In compliance with legal regulations, the facility will conduct thorough background checks on all personnel to assess their eligibility for entry.
Personnel surety is essential for confirming the identity and credentials of applicants, forming the basis of a trust-based access control system It instills confidence that individuals possess the skills and experience they claim A robust personnel surety program enables hiring managers to better assess candidates and enhances the facility's ability to deter and detect insider threats Key components of an effective personnel surety program include verifying identity, checking criminal history, validating legal work authorization, confirming education and prior work experience, reviewing motor vehicle records for driving positions, and obtaining professional references.
Background Check
Background checks must include a search of publicly or commercially available databases for the past seven years of an individual's employment or residency These checks should focus on criminal history, specifically convictions, outstanding warrants, pending indictments, sentencing, and disposition dates Privacy concerns arise from the collection of sensitive personal information, which should only be used for employment decisions as permitted by law Most jurisdictions regulate the permissible use of information gathered during background investigations Only trained individuals familiar with these regulations should conduct background checks, and hiring managers must also understand the restrictions and permissible uses of the information.
Employment decisions that disqualify candidates must involve consultation with human resources or the legal department, ensuring compliance with the facility's background check policy and applicable laws regarding criminal history To mitigate risks of disparate treatment or impact, it is advisable for the facility to implement a two-step evaluation process for applicants with a criminal record.
The facility implements a "targeted" screening process for criminal records, which evaluates the nature of the crime, the time since the offense, and the specific job requirements It is essential for the facility to ensure that this targeted screening is relevant to the job and aligns with business necessity.
After administering the targeted screen, facilities should offer individualized assessments for those screened out This approach helps employers avoid mistakenly excluding qualified applicants or employees due to inaccurate or irrelevant information, while also allowing individuals to rectify any errors in their records.
Employees
All personnel with unescorted access to the facility must undergo a background check to assess their suitability The Company is responsible for conducting these checks on employees and applicants who have received job offers contingent upon the successful completion of the background verification process.
The company may consider hiring a third party, who specializes in background investigations, to conduct the investigation and report the results for evaluation.
Contractors
All full-time and long-term contractors with unescorted access to the facility must undergo a background check equivalent to that of facility employees Contractors can perform these checks internally or hire a third-party service They are required to certify the completion of background checks and ensure their employees meet the facility's standards Additionally, the contractors' background check program will be audited annually by the facility.
Audit of Personnel Surety Program
The personal surety program shall be audited annually to verify compliance with both the FSP and all related regulations
9 Security Measures for Access Control, Including Designated Public, Controlled, and Restricted Access Areas
General
Access control is essential for managing entry and movement within a facility The Facility Security Officer (FSO) must assess the site to identify and categorize areas into public, secure, and restricted zones, with public areas having minimal restrictions and restricted areas having the highest Each zone should implement increasing security measures and require additional authorizations A crucial aspect of an effective access control program is the ability to identify authorized personnel, enabling the facility to swiftly verify whether individuals are permitted access.
This section outlines the measures implemented to control access to the facility, ensuring the prevention of unauthorized entry and the introduction of hazardous substances or devices that could harm individuals or the facility itself It emphasizes the importance of identifying, screening, and inspecting both individuals and vehicles as they enter and exit the facility or its restricted areas.
External service providers, business partners, and vendors pose risks to a facility's systems, information, and intellectual property when granted access to cyber assets To mitigate these risks, the facility must conduct background checks before allowing access to its IT infrastructure Additionally, it is advisable for the facility to have these parties sign memoranda of agreements, nondisclosure agreements, confidentiality agreements, and conflict of interest agreements.
The facility must implement a robust identification system for personnel and visitors seeking access, ensuring only authorized individuals enter Acceptable forms of identification include government-issued photo IDs, with specific protocols for motorcycle riders The facility may issue its own photo identification badges, which require identity verification before issuance, and a background check is recommended for enhanced security Additionally, these badges can be integrated with an electronic access control system that detects invalid badges and logs access times and locations Badges should be visibly worn, and any lost or stolen badges must be reported immediately Vehicle occupants must display or swipe their badges when entering controlled areas, and the facility should consider Vehicle Control Points to manage traffic and screen vehicles before entry This may include features like speed bumps and barriers, along with a clear plan detailing access control measures such as fencing, gates, and signage to deter unauthorized access.