UNDERTAKING AN OFFSHORE OIL AND GAS SECURITY ASSESSMENT A Guide
AIM To provide you with an understanding of the DOTARS Offshore Security Assessments Guidance material and how to use it to assist with the production of your Offshore Security Plans.
Note • This presentation is provided to assist organisations who may not be familiar with the requirements for providing a security assessment. • It is acknowledged that a number of attendees are leaders in the field of offshore security. This presentation is aimed at assisting other industry participants who may not be as conversant with security issues or aware of the requirements. • Not intended to cover all parts of the RA, rather amplify specific areas.
PURPOSE OF SECURITY ASSESSMENTS • To provide a sound risk based approach to the implementation of preventive security planning to prevent unlawful interference with offshore facilities. • Ensures a systematic and analytical process is conducted with the aim of identifying outcomes focused security measures and / or procedures that reduce the vulnerabilities of assets, individuals and operations to acceptable levels.
Maritime Transport and Offshore Facilities Security Act 2003 • Requires Offshore Security Plan to include: • A security assessment for the participant's operations • Set out security measures for MARSEC 1, 2 & 3 • Provisions for use of Declaration of Security; • Demonstrate implementation of Security Plan that contributes to maritime security outcomes • Complements Federal and State OH&S legislation
Maritime Transport and Offshore Facilities Security Regulations 2003 • Security Assessment must include: • statement outlining risk context or threat situation • identification and evaluation of important assets, infrastructure and operations • identification of possible risks or threats and the likelihood and consequences of occurrence
Maritime Transport and Offshore Facilities Security Regulations 2003 (cont) • identification of existing security measures • identification of weaknesses • identification, selection and prioritisation of possible risk treatments
GENERAL GUIDANCE • AS/NZS 4360 Risk Assessment • HB 436:2004 Risk Management • DOTARS Offshore Security Assessments Guidance Paper • http://www.dotars.gov.au/transsec/oilandgas/docs/Offshore_Security_Risk_Assessment_Guidance_Paper.doc • Use simple plain English • Protected from unauthorised access
REQUIREMENTS OF SECURITY ASSESSMENTS • Date assessment completed • Scope - people, assets, infrastructure, facility or facilities and operations • Summary of how the assessment was conducted • ID and evaluation of strategically important assets, infrastructure and operations
Requirements for Security Assessments (cont) • ID and assessment of possible security risks and likelihood and consequences of their occurrence • ID of existing security measures, procedures and operations • ID, selection and prioritisation of possible risk treatments
Template 8.1 Offshore Industry Participants Name and Contact Details-example
Template 8.5 Assets at Risk (Asset Appreciation and Criticality Analysis)-example A useful and simple rating system is Low, Medium or High with relation to the criticality of the asset in the continued productive operation of the offshore facility.
TYPES OF ASSESSMENTS & PLANS Network - a security assessment covering more than one individual facility for which they are legally responsible. Covering – used for several facilities and/or offshore service providers within a single area.
The Current Security Environment • Sources: • DOTARS Offshore Oil and Gas Risk Context Statement - Apr 2005 • http://www.dotars.gov.au/transsec/oilandgas/index.aspx. • Other Threat of Risk Assessments for Critical Infrastructure • Law enforcement and security agencies • Professional and Industry bodies • Company personnel and expert advisers
Establishing the Context- External • Environmental and Geographical • Business and Operational • Statutory and Regulatory • Social and Cultural • Competitive • Political • Financial • Others you may deem appropriate
Establishing the Context - Internal • The organisational culture • Internal stakeholders • Organisational structure • Capabilities in terms of resources such as people, systems, processes and capital • Goals and objectives and the strategies that are in place to achieve them.
Establishing the Context – Internal (cont) Consideration of : • Critical Assets and Resources • Critical functions and business activities • Operational capabilities • Risk management capabilities • Activities and Programs • Existing risk controls • Risk tolerance level • Limitations on risk treatments
The Risk Management Context • The goals, objectives, strategies, scope and parameters of the activity, or part of the organisation to which the risk management process is being applied, should be established. • Consideration of need to balance costs, benefits and opportunities, resources required and the records to be kept should also be specified.
Defining the risk management context: • Determining resources and expertise needed • Defining the risk reporting criteria • Defining the Likelihood (Probability or Frequency) criteria • Defining the Impact (Consequence) criteria • Defining the Risk Rating criteria • Outlining the local security risk context
Specific issues to consider: Roles and responsibilities of various parts of the organisation participating in the risk management process; and Relationships between the project or activity and other projects or parts of the organisation.
Consideration of risks resulting in: • Unlawful interference with offshore oil and gas operations • Death or injury • Adverse social impact • Adverse economic impact • Adverse environmental impact • Symbolic effect • Business disruption and losses • Damage to offshore oil and gas business / reputation • Significantly reducing public confidence in offshore oil and gas production and supply.
IDENTIFYING SECURITY RISKS OIPs should consider the following terrorist related risk areas: • Bomb or explosive device, including suicide bombings • Hijacking and hostage siege • Deliberate infringement of exclusion zones • Sabotage • Arson • Hoax calls and scare tactics • Blockage of transport routes
IDENTIFYING SECURITY RISKS - cont… • Tampering with supplies, essential equipment or systems • Unauthorised access or use of various equipment, including cyber attack • Unauthorised access to secure areas • Use of industry transport to carry those intending to cause a security incident and their equipment • Use of a mode of industry transport or industry facility infrastructure as a weapon or a means to cause damage or destruction • Use of a ship, helicopter or aircraft to transport explosives, hazardous goods or weapons.
RISK CATEGORIES AND SOURCES OF HARM • Vandalism – vandals • Misappropriation and sabotage - disgruntled insiders • Interference - violence prone individuals or groups (politically motivated or otherwise) • Crime - criminals • Terrorism – terrorists
Table 8.6 RISKS, HAZARDS AND ASSOCIATED RISK EVENTS- examples
Table 8.6 RISKS, HAZARDS AND ASSOCIATED RISK EVENTS- examples Cont..
RISK SCENARIOS - one method • Used to determine how the various risks might be realised and unfold • Use previous security incidents (security history) • Security history must be viewed in the context • Operators must consider own unique risk scenarios • Consider possible risk scenarios to determine how the risk may be initiated and realised • It is important that significant risk causes and scenarios are identified.
Table 8.10 ESTIMATED LIKELIHOOD OF RISKS BEING REALISED- example
Table 8.18.RISK TREATMENTS FOR HEIGHTENED ALERT LEVELS- example
Table 8.8 EXISTING SECURITY CONTROLS – Summary for Assets - example
Table 8.12 ESTIMATED CONSEQUENCE OF RISKS IF REALISED- example
Table 8.14 RISK RATING TABLE -example * Note – only general information is required for risk treatment options. However, details of proposed security measures/procedures and desired outcomes should be outlined in table 8.16 Risk Treatment Implementation Schedule.
Table 8.16 RISK TREATMENT IMPLEMENTATION SCHEDULE - example This Implementation Schedule must be included with assessment and plan
Table 8.16.RISK TREATMENTS FOR HEIGHTENED ALERT LEVELS- example
SUMMARY • Please be aware of the DOTARS Offshore Security Assessments Guidance Paper. • This is the minimum requirement. If your assessment process exceeds this requirement please ensure that there is a clear explanation of the methodology, acronyms and relevant data and sources used.
SUMMARY cont • Ensure the outcomes of the Risk Assessment are linked to the Security Plan. • Complete your plan in accordance with the Guide on preparing an Offshore Security Plan for Offshore Facility Operators. • Please liaise with the local DOTARS office or Veena Rampal on 02 6274 7648