1 / 12

Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM )

Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM ). 3 March 2003 Cal Jaeger, PhD Security Systems and Technology Center Sandia National Laboratories 505-844-4986 cdjaege@sandia.gov

vienna
Download Presentation

Overview of the Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF SM )

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Overview of the Vulnerability AssessmentMethodology for Chemical Facilities (VAM-CFSM) 3 March 2003 Cal Jaeger, PhD Security Systems and Technology Center Sandia National Laboratories 505-844-4986 cdjaege@sandia.gov Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for United States Department of Energy under Contract DE-AC-04-94AL85000.

  2. Background • Chemical Facility Vulnerability Assessment (CFVA) Project • Conducted by the Center for Civil Force Protection (CCFP) at Sandia National Laboratories (SNL) • Support from DOJ-NIJ, EPA-CEPPO • Coordination with Chemical Industry Associations, key individuals at Chemical Facilities, other stakeholders • ACC, SOCMA, Chlorine Institute, API, other associations: • Guidelines for both site and transport security • Numerous conferences and workshops • ACC facility security prioritization process • ACC Responsible Care Security Code • Security Vulnerability Assessment (VA) Tools • Assessment Methodologies (www.ResponsibleCareToolKit.com) • Most are risk-based tools, some are guides, use checklists, use forms • Team or multi-people efforts

  3. Interactions with Other Activities The VAM-CF leverages many other required activities. OSHA PSM, Process safety info, process diagrams, PHAs, emergency planning & response, list of chemicals compliance audits EPA RMPs, OCAs - off-site impacts, worst-case scenarios, alternative scenarios Process safety info, PHAs, list of chemicals compliance audits Other Fed Agencies CWC Treaty, Drug Enforcement VAM-CFSM Protection against a release of hazardous chemicals due to malevolent attack State/Local Directions on Safety and emergency release, LEPC/SERCs, Corporate/Groups Guidelines, checklists Security, safety, hazards assessment DOT Specific guidelines for transport of chemicals Specifications on containers, markings etc. list of chemicals

  4. Characteristics of the VAM-CFSM • A systematic, risk-based, security assessment tool • S - Severity of consequences of an event • LA - Adversary attack potential • LAS - Likelihood of adversary success in causing an • undesired event • Incorporates security measures that could help prevent an • attack, appropriate safetyandemergency response measures • that could mitigate the consequences, and chemical attributes • that may affect consequences • Provides capability to screen and prioritize chemical facilities • and focus on critical areas for further analysis • Provides meaningful vulnerability information so additional • measures can be implemented which effectively reduce risk • Not a quantitative tool but provides for a rigorous comparison • of relative risks

  5. VAM-CFSM Organization/Structure • 13 basic steps: • Screening • Project Definition • Facility Characterization • Define Severity Levels • Threat Assessment • Identify Priority Cases • Currently paper-based using worksheets to support above steps • Can consider different potential undesired events and adversaries • Can consider both physical or cyber attacks • Uses a facilitator/team lead and supporting VA team • Supports a continuous approach to evaluating risk • Analysis Preparation • Site Survey • Likelihood of Adversary Success • Risk Analysis • Risk Reduction • Evaluate Impacts • Final Report

  6. Screening • Purpose of the screening process • identify/prioritize CFs for further vulnerability analysis • Identify undesired event • off-site release, loss of production, cost, environmental • Evaluate relative potential severity of malevolent events • significant national impact • consider RMP worst-case scenarios • (# of people potentially affected by an off-site release) • accessibility • recognizability and importance • history and symbolism • Other screening tools could be used

  7. Identify Most Important Areas for Analysis All Chemical Facilities • Helps the user to identify • areas for analysis • starts with total possible • locations of hazardous • chemicals • considers areas for each • hazardous chemical & process • identifies/prioritizes critical • areas using severity levels or • characterization matrix • identifies priority areas based • on consequence and threat • also allows the user to select • specific areas for analysis 1A Screening Facilities to be Analyzed for Risk 3A Facility Characterization Processes/Chemicals Critical Areas 3B Severity Levels 3C Threat Assessment 3D Priority Cases Priority Cases

  8. Define Severity Levels • Looks at specific areas within identified chemical processes • Define criteria for undesired event • off-site release, loss of production ….. • Criteria for off-site release • # of people potentially affected by a release • Determine potential severity level for critical areas • end-point distance, population potentially affected

  9. Threat Assessment • Who it is and What is the level of threat? • Collect Information • Industry, corporation, site specific threat • Coordinate with chemical industry, state/local law enforcement, and FBI, ISAC • Threat Definition: • Threat type [start with one outsider group, one insider] • Tactics (explosives, forced entry, cyber) • Threat capabilities (#s, weapons, tools, transportation) • Threat Levels: • Estimate attack potential, LA, for each undesired event and adversary group • Consider existence, capability, history/intent, motivation, targeting • Consider target attractiveness: Recognizability, Importance, Symbolism, Accessibility

  10. Determine Adversary Success • Determine likelihood of adversary success for a physical attack • for an identified undesired event (e.g. off-site release, on-site damage) • for an identified adversary scenario(s) • effectiveness of physical security system • detection/assessment, delay, response • identify protection elements • effectiveness of safety, mitigation and emergency response • detection/assessment, safety/mitigation • identify protection elements • consider inherent chemical properties in the adversary scenario • toxicity, flammability, reactivity • identifies vulnerabilities/weaknesses for the total protection system • Determine protection system effectiveness for cyber attack • based on preliminary assessment • to be considered in future versions of the VAM-CF

  11. Risk Reduction and Impact Analysis • Make recommendations to reduce risk considered too high • threat • severity of consequences • protection system effectiveness • Develop possible upgrade packages • identified vulnerabilities • protection for common vulnerabilities • protection-in-depth • balanced protection • consider physical protection functions • Estimate new risk values and compare with baseline • Consider cost and other impacts • cost • operations and schedule • safety and health • public response

  12. Role of State/Local Groups to Assist CFs • Know what potential targets are in your area • Support CFs in their vulnerability assessment & risk reduction efforts • Understand the potential consequences of an adversary attack • Information exchange with CF “owners” and other stakeholders • Identify what actions can be done by the State/local groups • Conduct exercises to test contingency plans (security, emergency • response). • CFs need State/local support to protect their facilities • CFs must rely on more that just security measures to protect their facilities • need effective safety, mitigation and emergency response measures

More Related