ACC Tier 4 SVA Methodology - American Chemistry Council


Tier 4 Modified SVA Guidance –American Chemistry Council Page 1

Tier 4 Modified SVA Guidance

December 2002


TABLE OF CONTENTS

I. PURPOSE

II. BACKGROUND

A. Definition of Tier 4 Facility

B. Concept of a Modified SVA for Tier 4 Facilities

C. ACC Facility Security Prioritization Process

III. CONFIRMATION OF TIER 4 LEVEL

IV. SCOPE

V. OBJECTIVES

VI. REQUIREMENTS

A. SVA Planning

B. Facility Characterization

C. Threat Assessment

D. Vulnerability Analysis

E. Countermeasures

F. Documentation

VII. REFERENCES

VIII. DEFINITIONS


I. PURPOSE

This document is intended to assist American Chemistry Council (ACC) members in performing a Modified Security Vulnerability Analysis (SVA-4) at facilities that were ranked as Tier 4 during the ACC Initial Prioritization Screening [1] as required by the ACC Security Code of Management Practices [2]. These facilities represent sites where chemicals are handled but they represent the lowest risk of the four prioritization levels since they do not pose a significant security risk to the public or the environment.

SVAs are an important component of a security management program at a chemical manufacturing facility, and are a key element of the ACC Security Code of Management Practices. SVA-4 is provided to assist ACC members in evaluating the adequacy of security at these Tier 4 facilities; e.g., that the policies, practices, procedures and security elements are appropriate for the conditions at facilities presenting low probable security risks.

SVA-4 has two parts: (1) a confirmation that the facility qualifies for Tier 4 status and (2) a streamlined methodology and sample checklists of security issues and typical countermeasures that may be considered by management at these low security risk facilities. The document also references other checklists that a member company may use.

II. BACKGROUND

A. Definition of Tier 4 Facility

For the purpose of the Modified SVA, “facility” means domestic (US) sites at which operations occur that involve chemicals, e.g., manufacturing, storage, processing, handling, laboratories, or pilot plants. This definition does not necessarily apply to non-chemical activity sites such as administrative or sales offices, nor does it apply to transportation sites outside operating facilities [3]. Depending on specific situations, companies may also want to consider evaluating security at sites other than chemical operations, e.g., corporate headquarters.

B. Concept of a Modified SVA for Tier 4 Facilities

A Tier 4 facility is one (1) that does not pose a reasonable expectation of off-site impacts from release, theft, contamination of chemical assets, or other factors and (2) for which physical security, access control, and administrative policies and procedures would be the primary strategies for addressing security issues. For such sites, it is prudent to conduct a modified SVA that better addresses the lower level of security risk posed by these facilities.

[1] ACC Prioritization Tool for Chemical Facility Security, American Chemistry Council, February 28, 2002; http://www.responsiblecaretoolkit.com/security_guidance_siteSec.asp#priority.

[2] Responsible Care Security Code Of Management Practices, American Chemistry Council, June 2002.

[3] Transportation is addressed through the “Distribution/Value Chain” portion of the Responsible Care® Security Code and in the Transportation Security Guidelines for the U.S. Chemical Industry, American Chemistry Council, December 2002; http://www.responsiblecaretoolkit.com/security_guidance_value.asp.


C. ACC Facility Security Prioritization Process

Tier 4 facilities are identified using the ACC Prioritization Process, which evaluates facilities based on the (1) difficulty of attack, (2) severity of attack, and (3) attractiveness of target. Based on this evaluation, a facility is placed into one of 4 “tiers.” Facilities in Tiers 1, 2, & 3 pose potential risks of off-site impacts. Such facilities must conduct full SVAs using methodologies published by Sandia National Laboratories [4], the American Institute of Chemical Engineers, Center for Chemical Process Safety (CCPS) [5], or a methodology found to be equivalent [6]. Tier 4 facilities -- those not expected to pose potential risks of off-site impacts -- may use this SVA-4 methodology for assessing their potential security vulnerabilities. Depending on the results of the prioritization, each ACC-member facility must conduct an SVA based on the following schedule:

Table 1: ACC Prioritization Process for SVAs, Enhancements, and Verification

| Activity | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Complete Facility Security Vulnerability Analysis | 12/31/02 | 6/30/03 | 12/31/03 | 12/31/03 |
| Complete Implementation of Facility Security Enhancements | 12/31/03 | 6/30/04 | 12/31/04 | 12/31/04 |
| Have Verification of Enhancements Completed | 3/31/04 | 9/30/04 | 3/31/05 | * |

* Because Tier 4 facilities do not have potential offsite consequences, they do not require third party verification.

[4] Chemical Facility Vulnerability Assessment Methodology, U.S. Department of Justice, NCJ 195171, July 2002.

[5] Guidelines For Analyzing And Managing The Security Vulnerabilities Of Fixed Chemical Sites, Center for Chemical Process Safety, American Institute of Chemical Engineers, August 2002.

[6] Information on these methodologies is available at www.ResponsibleCareToolKit.com.

III. CONFIRMATION OF TIER 4 LEVEL

The purpose of this step is to verify that the facility meets the definition of a Tier 4 facility, e.g., it is not reasonably expected to pose a risk of off-site consequences from an uncontrolled release, theft, product contamination, or other reasons. Before applying the Modified Tier 4 SVA, a facility should review its prioritization to assure that it is, in fact, a Tier 4 facility using the decision tree in Figure 1.

Application of the flow diagram is based on good engineering judgment and consideration of factors such as: (1) the three factors used in the ACC Prioritization Screening (threat, consequences, difficulty), (2) materials at the site (e.g., chemical weapon potential for materials present at the site), (3) potential impact on offsite receptors from non-RMP chemicals or RMP chemicals in a process in less than the threshold quantities, and (4) potential for contamination of chemicals with public impact. Application of the decision tree requires good engineering judgment, particularly in regard to the potential for impacts to the public. It does not, however, require use of air dispersion modeling or similar tools for this evaluation. ACC members were to have completed such an evaluation by September 2002, but it is repeated here for completeness.

If, based on application of the decision tree, the company decides to elevate the facility to Tier 1, 2, or 3, a full vulnerability analysis would be performed within the time frame specified in the schedule (above). Facilities remaining in Tier 4 may use this modified vulnerability analysis.

IV. SCOPE

Tier 4 SVAs conducted by ACC facilities will examine, at a minimum, the security issues and steps outlined in Attachment 2:

All steps of the SVA process: Planning, Facility Characterization, Threat Assessment, Vulnerability Analysis, Countermeasures, Documentation

Management Issues

Physical Security

Employee & Contractor Security

Information, Computer, & Network Security

Other security events are to be included at the discretion of the member company.

V. OBJECTIVES

The objective of an SVA is to conduct an analysis to identify security hazards, threats, and vulnerabilities facing a fixed facility handling hazardous materials from malicious acts, and to evaluate the countermeasures to protect the public, workers, the environment, national interests, and the company.

VI. REQUIREMENTS

The ACC Modified SVA methodology is shown diagrammatically in Attachment 1. The application of the ACC Modified SVA methodology at ACC member sites and the general requirements for ACC Modified SVAs are as follows:

A. SVA Planning

Conducting ACC Tier 4 SVAs will require knowledge and experience with the following:

Process safety (if the facility has process safety hazards)

Security principles and practices

Operations of the facility under study

The management of the company or facility should identify appropriate expertise and resources to conduct the study. This may include determination of which expertise is necessary for which steps of the analysis. At least one participant in the analysis should be familiar with the facility being evaluated.


[Figure 1: ACC Tier 4 Verification Process. Flow diagram; box text follows.]

Start: Review ACC Prioritization Security Risk Index (SRI) for each facility.

Decision boxes (each with YES/NO branches):

Is the facility's SRI > 3?

Does the facility handle, process, or store any chemicals in appreciable quantities that are recognized as having the potential for theft or misuse in terrorism or the production of weapons of mass destruction or illegal drugs?

Does the facility handle, process, or store any chemicals in appreciable quantities that could be contaminated causing impacts on the public?

Is it likely to cause a significant offsite impact to the public?

Would a security event involving non-RMP materials or RMP substances below the regulatory threshold amount be likely to cause an offsite "injury" as defined in the RMP regulations (40 CFR 68.3): "any effect on a human that results either from direct exposure to toxic concentrations; radiant heat; or overpressures from releases or from the direct consequences of a vapor cloud explosion (such as flying glass, debris, and other projectiles) from a release and that requires medical treatment or hospitalization."

Are there any other factors that you are aware of that would justify that the facility security be evaluated by a Full SVA?

Outcome boxes:

Reassign Appropriate Tier Designation (1, 2, 3)

Conduct Full SVA

Conduct Modified Tier 4 SVA


Where possible, the site's raw materials, intermediate materials, and final products may be grouped in families where the properties, processing conditions, and the consequences of the malicious events defined in section 4.0 are similar. This is particularly useful, and will save time in identifying target assets, if there are a large number of materials used, manufactured, or stored onsite.

B. Facility Characterization

The purpose of facility characterization is to determine an annotated list of targets for which a vulnerability analysis will be performed. The annotations to the target list are a severity ranking should the asset be abused, and a relative target attractiveness factor. To perform a SVA facility characterization, the SVA team will review all materials handled on site to determine the potential for significant impact in the event of a malicious act. Resource information that the team may find useful in reviewing assets as potential targets is listed below:

SARA Title III/Right-To-Know inventory records

Inventory records submitted in support of other regulatory programs (e.g., Texas Air Permit inventory records of finished products and raw materials).

Material Safety Data Sheet (MSDS) index

Logistical (shipping/receiving) records that show which materials are used, stored, or manufactured at the site and their inventories

Radiation safety program inventories of licensed radioactive materials onsite

Department of Commerce reports of chemical weapons precursor materials onsite required by 15 CFR 710 (Chemical Weapons Convention Treaty listed materials as supplemented by 15 CFR 710)

FBI published list of chemical weapons precursors

Australia Group published list of chemical weapons precursors

Lists of materials produced onsite that are used in food products, pharmaceutical products, or personal care/cosmetic products

Lists of materials regulated by the U.S. Drug Enforcement Agency

PHA results that describe the loss of key infrastructure systems (e.g., power, cooling water, nitrogen, etc.)

Documents or verbal descriptions that explain how software programs manage raw materials and product inventories, orders, shipments, etc. (i.e., onsite access, remote access, password/user ID, firewalls, and other IT protection methods, periodicity of reconciling amounts or records, management of variances when reconciliation occurs)

Documents (i.e., Process Hazard Analyses) or verbal descriptions that explain how process control systems operate and can be compromised (i.e., onsite access, remote access, password/user identification, firewalls, and other Information Technology protection methods, effects of loss of control, effects of malicious commands entered into system)

The security survey contained in the ACC facility characterization step can be completed by a combination of personnel interviews, records reviews, and a thorough inspection of onsite security provisions.

C. Threat Assessment

The purpose of the threat assessment is to determine which threats are credible at the site under consideration, given the targets and the location/region of the site. To perform a SVA threat assessment, ACC member facilities should consider the types of individuals/groups and types of acts possible to be a threat at the site. At a minimum, the following threats should be considered during ACC Tier 4 SVAs:

Terrorism (although this is not likely at a Tier 4 facility due to the unattractiveness of the targets)

Theft

Manipulation of computer systems to cause chemical-related asset impacts

Sabotage (damage, contamination) of chemical-related assets

Other more common crimes against property or people as applicable.

Threats may be grouped for the purposes of advancing them to the vulnerability analysis. Threats with the same overall assessment ranking and also where the same layers of security must be breached to reach the targets may be grouped if desired. For example, any threats that would evolve as a determined armed attack on the site (e.g., terrorists), or threats where target materials are stolen and removed from the site may be able to be grouped. Both specific and general threats should be considered, as applicable.

D. Vulnerability Analysis

To perform a SVA vulnerability analysis, threats are evaluated against assets as appropriate to identify and analyze vulnerabilities. A company may use one or more of the referenced checklists found in Attachment 2 or 3 as appropriate, or another similar approach that satisfies the vulnerability step.

Attachment 2 contains 30 questions and is adapted from a checklist that was previously published in the ACC's Site Security Guidelines for the U.S. Chemical Industry published in October 2001. Attachment 3 contains 124 questions and is also based on guidelines previously published in the ACC's Site Security Guidelines for the U.S. Chemical Industry published in October 2001. The 30 question checklist provides a "strategic analysis" while the 124 question checklist provides a more "detailed analysis" of a facility's security programs against the ACC Site Security Guidelines. The strategic analysis (30 questions) and the detailed analysis (124 questions) complement each other since they are both based upon the same guidelines.

Other checklists that may be used for reference include 'Countermeasures Checklist' (Checklist published in CCPS SVA Guidelines, Attachment 17, August, 2002), 'Association of Metropolitan Sewerage Association Security Checklist', and 'ARA, Crop Life and Fertilizer Institute Vulnerability Checklist'.

E. Countermeasures

For the Tier 4 Modified SVAs, the improved countermeasures will be recommended by comparing the existing countermeasures to those required in the checklist to identify gaps as deemed appropriate by the management of the facility. The purpose of security countermeasures is to deter, detect, and/or delay adversaries from reaching the targets. For example, in the case of determined armed attacks on a site by a large number of well-trained and heavily armed adversaries (e.g., a large group of international terrorists), the goal is not to be able to defeat such an attack, but to detect the presence of the adversaries before they reach the targets and to be able to call quickly for help from police or other qualified offsite responders. For less capable adversaries, for example a small group of terrorist sympathizers, a local gang, or individuals attempting to gain access to the site, the goal should be to not only detect such an adversary, but to place barriers between the adversary and the asset that would significantly delay these adversaries.

Improved countermeasures should appropriately reflect ACC Security Guidelines or current industry guidance (e.g., American Society of Industrial Security (ASIS) 'Protection of Assets Manual' for physical security countermeasures), other industry or government publications (e.g., U.S. Drug Enforcement Agency 'Chemical Handler's Manual for Counter-diversion Countermeasures').

Recommendations for improved countermeasures made during SVA study sessions should be considered preliminary ideas that may be modified post-SVA upon further review by qualified personnel.

F. Documentation

ACC Tier 4 SVAs will be documented in a written report. The report should include:

Purpose, Scope, and Objectives: A summary description of the purpose, scope, and objectives of the Security Vulnerability Analysis

SVA Methodology: A brief description of each step in the ACC Modified Tier 4 SVA methodology used and a summary of relevant assumptions made in each step of the study

Results: A summary of the findings of the SVA and the recommendations offered for consideration to improve site security

SVA Checklist: Where a checklist is used as part of the Vulnerability Analysis, the completed ACC Tier 5 SVA checklist worksheets (or modified equivalent worksheets) shall be attached as an appendix to the report


ACC SVA reports should be retained until superseded by a revision. These reports shall be maintained as a confidential document and should not be divulged to any party outside of the company, in whole or in part, without the concurrence of a person responsible for this information.

VII. REFERENCES

Guidelines For Analyzing And Managing The Security Vulnerabilities Of Fixed Chemical Sites, Center for Chemical Process Safety, American Institute of Chemical Engineers, 2002.

ACC Facility Security Prioritization Process, American Chemistry Council, January 2002.

OSHA standard, Process Safety Management of Highly Hazardous Chemicals, 29 CFR 1910.119, May 26, 1992.

EPA Rule Risk Management Program, 40 CFR 68, May 24, 1996.

OSHA Instruction CPL 2-2.45A CH-1, Process Safety Management of Highly Hazardous Chemicals - Compliance Guidelines and Enforcement Procedures, September 28, 1994.

Layer of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical Process Safety, American Institute of Chemical Engineers, 2001.

Counter-terrorism and Contingency Planning Guide. Special publication from Security Management magazine and American Society for Industrial Security, 2001.

Dalton, Dennis. Security Management: Business Strategies for Success. Newton, MA: Butterworth-Heinemann Publishing, 1995.

Walsh, Timothy J., and Richard J. Healy, eds., Protection of Assets Manual (Santa Monica, CA: Merritt Co.). Four-volume loose-leaf reference manual, updated monthly.

Drug Enforcement Agency, Chemical Handler's Manual.

Guidelines for Chemical Process Quantitative Risk Analysis, Second Ed., Center for Chemical Process Safety, American Institute of Chemical Engineers, 2000.

Security Code Of Management Practices, American Chemistry Council, June 2002.

Site Security Guidelines for the U.S. Chemical Industry, American Chemistry Council, October 2001.

Inherently Safer Chemical Processes – A Life Cycle Approach, Center for Chemical Process Safety, American Institute of Chemical Engineers, 1996.

Guidelines for Technical Management of Chemical Process Safety, Center for Chemical Process Safety

Guidelines for Technical Planning for On-Site Emergencies, Center for Chemical Process Safety, American Institute of Chemical Engineers, 1996.

Bowers, Dan M., Security Fundamentals for the Safety Engineer, Professional Safety, American Society of Safety Engineers, December, 2001, pgs. 31-33.

Ragan, Patrick T., et. al., Chemical Plant Safety, Chemical Engineering Progress, February 2002, pgs. 62-68.

VIII. DEFINITIONS The following definitions apply to ACC Tier 4 Modified SVAs: Adversary: Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to critical assets. An adversary could include intelligence services of host nations, or third party nations, political and terrorist groups, criminals, rogue employees, and private interests. Adversaries can include site insiders, site outsiders, or the two acting in collusion. Alert levels: Describes a progressive, qualitative measure of the likelihood of terrorist actions, from negligible to imminent, based on government or company intelligence information. Different security measures may be implemented at each alert level based on the level of threat to the facility. Asset: An asset is any person, facility, material, information, business reputation, or activity that has a positive value to an owner. The asset may have value to an adversary, as well as an owner, although the nature and magnitude of those values may differ. Asset category: Assets may be categorized in many ways. Among these are: People Chemicals (used or produced) Information Equipment Facilities Activities/Operations Benefit: Amount of expected risk reduction based on the overall effectiveness of countermeasures with respect to the assessed vulnerabilities. Capability: When assessing the capability of an adversary, two distinct categories need to be considered. The first is the capability to obtain, damage, or destroy the asset. The second is the adversary‟s capability to use the asset to achieve their objectives once the asset is obtained, damaged, or destroyed. Checklist: A list of items developed on the basis of past experience that is intended as a guide to assist in applying a standard level of care for the subject activity and to assist in completing the activity in as thorough a manner as possible.

Page 12: ACC Tier 4 SVA Methodology - American Chemistry Council · Process Safety (CCPS)5, or a methodology found to equivalent6. Tier 4 facilities -- those not expected to pose potential

Tier 4 Modified SVA Guidance –American Chemistry Council Page 12

Consequences: The amount of loss or damage that can be expected, or may be expected from a successful attack against an asset. Cost: Includes tangible items such as money and equipment as well as the operational costs associated with the implementation of countermeasures. There are also intangible costs such as lost productivity, morale considerations, political embarrassment, and a variety of others. Costs may be borne by the individuals who are affected, the corporations they work for, or they may involve macroeconomic costs to society. Countermeasures: An action taken or a physical capability provided whose principal purpose is to reduce or eliminate one or more vulnerabilities. The countermeasure may also affect the threat(s) (intent and/or capability) as well as the asset‟s value. The cost of a countermeasure may be monetary, but may also include non-monetary costs such as reduced operational effectiveness, adverse publicity, unfavorable working conditions, and political consequences. Countermeasures analysis: A comparison of the expected effectiveness of the existing countermeasures for a given threat against the level of effectiveness judged to be required in order to determine the need for enhanced security measures. Cyber security: Protection of critical information systems including hardware, software, infrastructure, and data from loss, corruption, theft, or damage. Delay: A countermeasures strategy that is intended to provide various barriers to slow the progress of an adversary in penetrating a site to prevent an attack or theft, or in leaving a restricted area to assist in apprehension and prevention of theft. Detection: A countermeasures strategy to that is intended to identify an adversary attempting to commit a chemical security event or other criminal activity in order to provide real-time observation as well as post-incident analysis of the activities and identity of the adversary. 
Deterrence: A countermeasures strategy that is intended to prevent or discourage the occurrence of a breach of security by means of fear or doubt. Physical security systems such as warning signs, lights, uniformed guards, cameras, bars are examples of countermeasures that provide deterrence. Enterprise level screening: An activity whereby a business defines the relative security exposure of multiple facilities at the business enterprise level (i.e., site), and then uses this information to establish priorities for its sites and determines the need to study security vulnerabilities in more detail at the site level. The ACC SVA Prioritization Process is an example of an enterprise level screening process. Hazard: A situation with the potential for harm. Intelligence: Information to characterize specific or general threats including the motivation, capabilities, and activities of adversaries. Intent: A course of action that an adversary intends to follow. When assessing threats, security professionals need to evaluate intent as well as capabilities. To

Page 13: ACC Tier 4 SVA Methodology - American Chemistry Council · Process Safety (CCPS)5, or a methodology found to equivalent6. Tier 4 facilities -- those not expected to pose potential

Tier 4 Modified SVA Guidance –American Chemistry Council Page 13

determine the intent and what motivates an adversary, an adversary's goals and objectives must be closely examined, as well as specific events that might trigger the adversary to act. The questions that should be asked about intent are: “Does the adversary have a current or projected need for this asset? Do they seek to deny or destroy the use of the asset?”

Layers of protection: A concept whereby several independent devices, systems, or actions are provided to reduce the likelihood and severity of an undesirable event.

Likelihood of adversary success (LAS): The potential for causing a catastrophic event by defeating the countermeasures. LAS is an estimate that the security countermeasures will thwart or withstand the attempted attack, or if the attack will circumvent or exceed the existing security measures. This measure represents a surrogate for the conditional probability of success of the event.

Likelihood of adverse event: The likelihood that a specific vulnerability will be exploited by a particular threat.

Mitigation: The act of causing a consequence to be less severe.

Physical security: Security systems and architectural features that are intended to improve protection. Examples include fencing, lighting, doors, gates, walls, turnstiles, locks, motion detectors, vehicle barriers, and hardened glass.

Response: The act of reacting to detected criminal activity either immediately following detection or post-incident via surveillance tapes or logs.

Risk: The potential for damage to or loss of an asset. Risk, in the context of chemical process security, is the potential for a catastrophic outcome to be realized. Examples of the catastrophic outcomes that are typically of interest include an intentional release of hazardous materials to the atmosphere, or the theft of chemicals that could later be used as weapons, or the contamination of chemicals that may later harm the public, or the economic costs of the damage or disruption of a chemical process.

Risk management: The process of selecting and implementing appropriate security countermeasures to achieve a recognized tolerable level of risk.

Risk Matrix: A matrix that relates the likelihood of security events with the severity of each event for purposes of evaluating risk and setting priorities in addressing risk (Appendix C of the CCPS Guidelines for SVA describes use of a Risk Matrix).

Risk analysis: Risk analysis is the process of determining the likelihood of an adversary successfully exploiting vulnerability and the resulting degree of consequences on an asset. A risk assessment provides the basis for rank ordering of risks and thus establishing priorities for the application of countermeasures.

Safeguard: Any device, system or action that either would likely interrupt the chain of events following an initiating event or that would mitigate the consequences.

Security layers of protection: Also known as concentric 'rings of protection', a concept of providing multiple independent and overlapping layers of protection in depth. For security purposes, this may include various layers of protection such as counter-surveillance, counterintelligence, physical security, and cyber security.

Security management system checklist: A checklist of desired features used by a facility to protect its assets.

Security plan: A document that describes an operator's plan to address security issues and related events, including security analysis and mitigation options. This includes security alert levels and response measures to security threats.

Security Vulnerability Analysis (SVA): A SVA is the process of determining the likelihood of an adversary successfully exploiting vulnerability, and the resulting degree of damage or impact. SVAs are qualitative risk analyses that use the best judgment of security and safety professionals. The determination of risk (qualitatively) is the desired outcome of the SVA, so that it provides the basis for rank ordering of the security-related risks and thus establishing priorities for the application of countermeasures.

SVA criteria: The design basis of the SVA that explains the rationale for and forms the basis for why the specific steps of the SVA have been included. This information will allow the comparison of a site-specific SVA program policy/procedure with the CCPS criteria.

Target attractiveness: An estimate of the value of a target to an adversary based on the factors shown below. Experience has shown that, particularly for terrorist attacks, certain targets better accomplish the objectives of the adversaries than do others. Since the SVA is a risk-based analytical approach, consideration must be given to these factors in defining the threat and in determining the need for any enhanced countermeasures.

Potential for mass casualties/fatalities

Extensive property damage

Proximity to national assets or landmarks

Possible disruption or damage to critical infrastructure

Disruption of the national, regional or local economy

Ease of access to target

Media attention or possible interest of the media

Company reputation and brand exposure

Technical Security: Electronic systems for increased protection or for other security purposes including access control systems, card readers, keypads, electric locks, remote control openers, alarm systems, intrusion detection equipment, annunciating and reporting systems, central stations monitoring, video surveillance equipment, voice communications systems, listening devices, computer security, encryption, data auditing, and scanners.

Terrorism: There is no single definition of terrorism. The FBI defines terrorism as, "the unlawful use of force or violence against persons or property to intimidate or coerce a Government, the civilian population, or any segment thereof, in furtherance of political or social objectives."


Threat: Any indication, circumstance, or event with the potential to cause the loss of, or damage to an asset. Threat can also be defined as the intention and capability of an adversary to undertake actions that would be detrimental to critical assets.

Threat categories: Adversaries may be categorized as occurring from three general areas:

Insiders

Outsiders

Insiders working in collusion with outsiders

Undesirable events: An event which results in a loss of an asset, whether it is a loss of capability, life, property, or equipment.

Vulnerabilities: Any weakness that can be exploited by an adversary to gain access to an asset. Vulnerabilities can include but are not limited to building characteristics, equipment properties, personnel behavior, locations of people, equipment and buildings, or operational and personnel practices.


Attachment 1 – ACC Tier 4 Modified SVA Process

[Flowchart: ACC Tier 4 Modified SVA Process. Boxes recovered from the figure:]

Step 1. Project Planning: 1.1 Form SVA Team; 1.2 Objectives; 1.3 Scope

Step 2. Facility Characterization: 2.1 Critical Assets Identification and Characterization; 2.5 Site Security Review

Step 3. Threat Assessment: 3. Adversary Identification and Analysis

Step 4. Vulnerability Analysis: 4. Checklist Review

5. Identify Countermeasures: 5. Identify Deficiencies and Make Recommendations Based on Checklist Analysis and Site Security Review; 5.2 Prepare Report


Attachment 2 – ACC Tier 4 Modified SVA Strategic Checklist

The checklist is adapted from ACC's 'Site Security Guidelines', October 2001. This sample follows the topical order in the preceding sections of this guide. This worksheet is a guide and not intended to be all-inclusive.

Question Response Recommendations

A. Security Vulnerability Analysis

1. Have we identified all key facility assets?

2. Have we performed a chemical hazards evaluation?

3. Have we performed a threat assessment?

4. Have we performed a consequence assessment?

5. Have we performed a physical factors assessment?

6. Have we performed a mitigation assessment?

7. Have we performed a security assessment/gap analysis?

8. Have we developed rings of protection?

B. Management Issues

9. Does the company's top management visibly support security efforts?

10. Have clear security policies been developed and promulgated?

11. Have we established partnerships with local, state, and federal law enforcement agencies, other public safety agencies, and surrounding communities?


12. Have we clarified relationships and procedures with other management functions to provide a more coordinated response to security incidents?

13. Do we have a well-understood system for employees to report security incidents?

14. Do we have a system for collecting and analyzing reports of security incidents?

15. Have we developed security awareness programs for employees and contractors?

16. Have we developed a procedure for referring suspicious incidents and breaches of company policy to corporate counsel or corporate security management?

17. Have we developed a policy of referring all suspected illegal activity to law enforcement?

18. Have we developed procedures for emergency response and crisis management?

19. Do we periodically reassess the site's security posture (threats, vulnerabilities, risks, and countermeasures)?

C. Physical Security


20. Have we implemented appropriate access control measures, such as signs, secure doors and windows, locks, card-based access control systems, parcel inspection, and control of gates and docks?

21. Do we have appropriate perimeter protection, using, for example, fences, bollards, trenches, turnstiles, and security lighting?

22. Do we need security officers, on patrol or at fixed locations? If so, do they have written post orders to direct their activity?

23. Have we appropriately protected crucial communications equipment and utilities?

D. Employee & Contractor Security

24. Have we developed appropriate security practices for voluntary and involuntary terminations of employment?

25. Have we adopted policies and established procedures to prevent and respond to workplace violence?

E. Information, Computer, & Network Security

26. Have we taken steps (through the Operations Security, or OPSEC, process) to protect information that could be of use to our adversaries?


27. Do we follow procedures to reduce the likelihood that spoken information (in face-to-face conversations, phone calls, and radio communications) could be picked up by adversaries?

28. Do we follow appropriate procedures for protecting and destroying sensitive documents?

29. Are we using appropriate hardware, software, and procedural techniques for protecting our computers and networks?

30. Do we periodically analyze computer transaction histories to look for irregularities that might indicate security breaches?


Attachment 3 – Detailed Analysis Checklist for Site Security Analysis (Checklist Based on ACC Site Security Guidelines, October, 2001)

Section 1: Introduction

The attached Security Analysis Checklist (detailed) has been developed against ACC's “Site Security Guidelines for the U.S. Chemical Industry”, published October, 2001. Sites may use this checklist to assist in assessing the adequacy of their security programs and procedures. The checklist is organized into five major sections. The recommended approach for utilizing the checklist is to review each question and check those security provisions that are in place. For those not in place, the site should make a determination whether a recommendation for an upgrade is appropriate commensurate with the risk associated with the particular facility being assessed. If a determination is made that a recommendation is not needed, a dash should be placed in the right hand column. If a recommendation for an upgrade is made, an asterisk should be placed in the right hand column referencing an attached recommendation. When the checklist is completed, the site will have documented its analysis of its Security programs and provisions, complete with a listing of recommendations for upgrades.

Section 2: Risk Assessment and Prevention Strategies

The facility has reviewed its Risk Assessment and Prevention Strategies, and with recommendations so indicated, has deemed them to be appropriate. Risk Management and Prevention Strategy provisions which are in place are indicated below: Recommendations for upgrade are attached.

Risk Assessment and Prevention Strategies In Place

A. Assets

In security terms, assets are broadly defined as people, information, and property. At a chemical facility, these people include employees, visitors, contractors, haulers, nearby community members, and others. Information includes trade secrets (such as recipes, formulas, prices, and processes), other confidential business information, employee information, computer passwords and other proprietary information. The range of property that a security effort might wish to protect includes the following:

Buildings; Vehicles; Production equipment; Storage tanks and process vessels; Control systems; Telephone & data lines; Raw materials; Finished product; Electrical power lines; Backup power systems; Automated production equipment such as digital control systems & programmable logic controllers; Hazardous materials; Boilers; Water supply; Sewer lines; Waste treatment facilities and equipment; Natural gas lines; Rail lines; Office equipment; Supplies; Tools; Personal possessions

--

1. Has the site identified all key assets to be protected?

B. Threats, Vulnerabilities, Consequences: --

2. Evaluation of Chemical Hazards

3. Analysis of Process Hazards

4. Assessment of Consequences (adversarial attack)

5. Assessment of Physical factors, (e.g. vessel &/or container size, location, distance to personnel)

6. Assessment of mitigation systems (e.g. water sprays, etc)

7. Countermeasures Assessment/Gap Analysis

C. Prevention Strategies --

8. Rings of protection analysis

9. Cooperation with local law enforcement, security staff in other companies and trade associations – sharing threat info.

Section 3: Management Issues: (System, Policies, & Procedures)

The facility has reviewed its Management Systems, Policies, and Procedures, and with recommendations so indicated, has deemed them to be appropriate. Management Systems, Policies and Procedures which are in place are indicated below. Recommendations for upgrade are attached:

Management Issues: (System, Policies, & Procedures) In place

A. Management Leadership --

10. Top company management visibly supports security effort

11. Security manager (or equivalent) assigned at site level.

B. Policy (Clear Policies & Procedures Established): Some examples include:

--

12. Access Control

13. Drug & alcohol use

14. Workplace violence, threats, intimidation, and other misconduct

15. Locker searches

16. Reporting of incidents and threats

17. Response to bomb threats and suspicious packages

18. Response to civil disturbance

19. Weapons carrying by employees

20. Pre-employment screening

21. Information Protection

22. Protest demonstrations

23. Ethics

C. Collaboration --

24. External: Establishment of partnerships &/or enhancing relationships with local, state, and federal law enforcement and other public safety agencies.

25. Internal: Clarification of relationships and procedures with other management functions to provide a more coordinated response to security incidents

D. Incident Reporting & Analysis --

26. Reporting, recording, analyzing security incidents

27. Anonymous employee hot line to enable employees to report security and ethics problems

E. Employee & Contractor Training & Security Awareness --

28. Training &/or Security Awareness measures established to transform employees and contractors into a natural surveillance system

29. Training &/or Security Awareness measures established to reinforce existing security practices such as:

30. Locking doors

31. Looking for and reporting suspicious packages

32. Challenging people without proper identification

33. Not writing computer passwords on computers

34. Not taping exterior doors open to facilitate outdoor smoking breaks

F. Investigations --

35. Suspicious incidents and security breaches are investigated by trained professionals.

36. Policy established for referral of any suspected illegal activity to local law enforcement.

G. Emergency Response & Crisis Management

Emergency Response plan developed commensurate with the facility's needs/resources. Plan addresses:

--

37. Personnel accounting during emergencies

38. Crisis Management plan/system developed

H. Periodic Reassessment --

39. Site Security Measures periodically reassessed

40. Other provisions recommended (see attached)

Section 4: Physical Security

The facility has reviewed its physical security provisions, and with recommendations so indicated, has deemed them to be appropriate. Physical security systems which are in place are indicated below. Recommendations for upgrade are attached:

Physical Security In place

A. Access Control

The following are just a few of the measures that managers may wish to consider for the purpose of controlling access into, within, and out of a chemical facility:

--

41. Posting of signs (e.g. "No Trespassing" or "Authorized Access Only")

42. To extent feasible, natural surveillance is employed by arranging reception, production, and office space so unescorted visitors are

43. Publicly accessible restroom doors are locked with key control system.

44. Visitor sign-in logs & escorts

45. Close attention to access control at loading/unloading areas


46. Install appropriate penetration-resistant doors and security hinges

47. Install secure windows and doors with appropriate locks, perhaps using unbreakable plastics instead of glass and employing window bars.

48. Institute a system of employee and contractor photo ID badges

49. Establish system for determining which cars, trucks, rail cars, marine vessels, and other vehicles may enter the site through which gates, docks, or other entrances, and under what conditions.

50. Install an electronic access control system that requires the use of key cards at main entrances and on other appropriate doors and that provides an audit trail of ingress and egress.

51. Install a CCTV system to monitor key areas of the facility

52. Institute a system of parcel inspection (using magnetometers, x-ray screening, or explosives detectors).

53. Require the use of property passes for removal of property from the site.

B. Perimeter Protection

Perimeter protection includes such measures as these, which managers can consider and implement as appropriate:

--

54. Fences and exterior walls that make it difficult for intruders to enter the site

55. Bollards and trenches that prevent vehicles from driving into the site at points other than official entrances.

56. Vehicle gates with retractable barriers

57. Personnel gates with turnstiles

58. Setbacks and clear zones that eliminate hiding places near the site's perimeter, making it difficult for intruders to approach the site unnoticed.

59. Lighting that makes it easier for employees and even passersby to observe and possibly identify intruders.

C. Security Officers

Security officers can provide a range of useful security services. Once deemed appropriate for a site to have security officers, some of the services they can supply include:

--

60. Patrolling the site to look for intruders or irregularities

61. Staffing site entrances to check IDs

62. Maintaining entry and exit logs

63. Handing out trucker safety lists

64. Reminding employees and contractors of security policies

65. Assisting in emergencies

66. If security officers are provided, has site established written post orders to direct their activity?

D. Backup Systems

From a security standpoint as well as safety and operations standpoint, it may be appropriate for chemical facilities to secure and/or provide back-up systems for key utilities and other services, such as:

--

67. Electricity

68. Communications (telephone & computer)

69. Water, sewer, and gas


70. Control centers

71. Rack rooms

72. Computer servers

E. Other considerations

Other miscellaneous considerations which can contribute to the overall security/safety of the organization include:

--

73. Physical security hardware is designed to be safe for use; e.g., CCTV systems and access control card readers may need to be specially selected so they are safe and effective in corrosive or flammable areas.

74. Offices are maintained neat and orderly to identify strange objects or unauthorized people more easily

75. Packages and large envelopes in executive offices are opened only if the source or sender is positively identified

76. Closets, service openings and telephone and electrical closets are maintained in a locked position.

77. Other provisions recommended (see attached)

Section 5: Employee and Contractor Security Issues

The facility has reviewed its employee and contractor security provisions and, with recommendations so indicated, has deemed them to be appropriate. Employee and contractor systems which are in place are indicated below. Recommendations for upgrade are attached:

Note: Security threats to chemical facilities can come from within as well as outside. Disgruntled employees and former employees sometimes pose a risk. Workplace violence can erupt from disgruntled customers. Pre-employment background screening may help companies weed out job candidates who seem likely to cause trouble, and workplace violence policies, awareness, and response plans may help forestall other threats.

Employee and Contractor Security Issues In place

A. Hiring and Employment Termination Practices

Managers should consider using hiring and employment termination policies/practices that contribute to the security of their facilities. Some policies/practices that may be considered include:

--

78. Pre-employment screening to identify history of conviction for theft or violent crimes, of workplace violence or threatening behavior, or of interests inimical to the company

79. Treatment of workers with respect when employment ends

80. Retrieval of worker's keys, access control card, and company ID

81. Change combination locks and even some keyed locks

82. Change computer passwords

83. Practices regarding involuntary terminations, where appropriate:

84. Direct worker to the company's employee assistance program and out-placement services

85. Escort departing worker out of the building to make sure he or she does not harm data, property, or people on the way out.

B. Workplace Violence Prevention and Response

Policies/practices regarding workplace violence prevention, where appropriate:

--

86. Prohibiting (and responding to all reports of) physical violence, verbal abuse, willful destruction of company property, and intimidation. Consider suspension of suspects from work while the reports are investigated. Respond to confirmed reports with counseling, reprimands, or termination of employment.

87. Teach employees how to recognize the early warning signs of a troubled or potentially violent person and how to respond.

88. Require employees who have obtained court-issued restraining orders to notify management immediately. Managers can then take steps to protect all employees and can notify law enforcement of any violations.

89. Limit former employees' access to the workplace, as appropriate.

90. Forbid the use and possession of drugs at any time and forbid the use of alcohol and weapons at work.

91. Train managers on appropriate ways to handle difficult employee termination, layoffs, and discipline.

92. After a violent incident, evaluate the potential for further violence at the facility

93. Help employees with the psychological consequences of workplace violence.

94. Support prosecution of offenders by accommodating employees who are needed for court appearances and cooperation with the prosecution

95. To avoid a defamation suit by accused employees who turn out to be innocent, managers should investigate allegations quickly and quietly.

96. Other provisions recommended (see attached)

Section 6: Information, Computer, and Network Security

The facility has reviewed its Information, Computer, and Network Security provisions, and with recommendations so indicated, has deemed them to be appropriate. Information, computer, and network security provisions which are in place are indicated below: Recommendations for upgrade are attached.

Information, Computer, and Network Security In place

A. Operations Security

The chemical industry well understands the importance of protecting its trade secrets. However, it is also vital to protect information that could be useful to criminals, demonstrators, and terrorists who wish to plan attacks on a chemical site or obtain hazardous materials for weapons-building. Examples of such information include:

Process flow diagrams; Piping and instrument design diagrams; Formulation, recipes; Client & supplier lists; Site maps; Other information that describes the workings of a chemical facility

One approach to denying adversaries the information they seek is called Operations Security or OPSEC. Practices which managers may utilize, as part of OPSEC, include:

--


97. Identify critical information

98. Conduct a threat assessment

99. Perform a vulnerability analysis

100. Assess the risk

101. Apply countermeasures

B. Spoken-Information Security

The following are policies and practices which managers may utilize to address spoken information security:

--

102. Prohibit radio conversations about sensitive topics

103. Alternatively use voice encryption for radio conversations.

104. Conduct the most sensitive conversations in person.

105. Prohibit employees from giving out potentially risky information over the phone, as one may not be sure to whom one is speaking.

C. Document Security: The following are practices which may be utilized to address document security:

--

106. Shredding of old, outdated, or unnecessary copies of critical documents

107. Lock file cabinets and trash bins

108. Institute a clean desk policy

109. Mark sensitive documents as “confidential”.

110. Provide employee training on document security practices

D. Computer and Network Security

The following are practices which may be utilized to address computer and network security:

--

111. Physically secure computer rooms, motor control centers, rack rooms, server rooms, telecommunications rooms, and control rooms, ideally with electronic or biometric access control systems that record ingress and egress.

112. Employ firewalls, virus protection, encryption, user identification, and message and user authentication to protect both the main computer network and any subsidiary networks, such as access control systems, that are connected to it or to the outside.

113. Training of employees to beware of ruses to obtain their computer passwords

114. Require systems administrator to disable all Internet connection software that may be prepackaged in operating systems.

115. Allow the principles of “least access”, “need to know,” and “separation of functions” to guide the determination of user authorizations, rather than position or precedent.

116. If possible, place computer room above the first floor of the building to reduce the likelihood of theft and water damage (from broken water lines, floods, or fire fighting). The computer room should not be adjacent to an exterior building wall.

117. Do not post signs indicating the location of the computing facility

118. Equip the computer room with adequate communications capabilities to facilitate prompt reporting of emergencies

119. Allow only authorized personnel to have physical access to central computer rooms. Supervise any visitors.


120. Do not give keys or lock combinations to visitors.

121. Require employees to notify management in advance if they wish to gain entry to the computing facility during hours when they are not scheduled to be working.

E. Audits and Investigations

To help detect computer intrusions, managers can make sure that computer systems maintain an audit trail of access to system resources. With that in place, the following practice(s) may be utilized to detect computer intrusion:

--

122. Periodic analysis of transaction histories, looking for variances from the norm

123. Periodic analysis of user authorizations, (unusual) timing, frequency, and length of access.

124. Other provisions recommended (see attached)
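
The periodic review in items 122 and 123, as an added Python example that is not part of the ACC guidance: it builds each user's norm from an earlier audit-trail window, then flags variances in timing, frequency and length of access, plus users with no history to check against current authorizations. The record layout, user names, the 3x ratio and the one-hour slack are assumptions, and the log entries are constructed sample data.

```python
"""Periodic review of an access audit trail for variances from each user's norm."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

FMT = "%Y-%m-%d %H:%M"

# Constructed sample records (user, login, logout); not real data.
BASELINE_LOG = [
    ("alice", "2024-03-04 08:05", "2024-03-04 08:35"),
    ("alice", "2024-03-05 08:10", "2024-03-05 08:45"),
    ("alice", "2024-03-06 09:00", "2024-03-06 09:25"),
    ("alice", "2024-03-07 08:20", "2024-03-07 08:50"),
    ("bob", "2024-03-04 13:00", "2024-03-04 13:20"),
    ("bob", "2024-03-04 15:30", "2024-03-04 15:45"),
    ("bob", "2024-03-05 13:10", "2024-03-05 13:30"),
    ("bob", "2024-03-05 16:00", "2024-03-05 16:20"),
]
REVIEW_LOG = [
    ("alice", "2024-03-11 08:15", "2024-03-11 08:40"),  # within norm
    ("alice", "2024-03-12 02:30", "2024-03-12 02:55"),  # unusual timing
    ("alice", "2024-03-13 08:30", "2024-03-13 12:30"),  # unusual length
    ("bob", "2024-03-11 13:05", "2024-03-11 13:25"),    # within norm
    ("carol", "2024-03-14 10:00", "2024-03-14 10:10"),  # no history on file
] + [
    # Seven short sessions in one hour: unusual frequency for bob.
    ("bob", f"2024-03-12 13:{m:02d}", f"2024-03-12 13:{m + 5:02d}")
    for m in range(0, 56, 8)
]


def parse(log):
    """Turn raw tuples into records with a start time and a length in minutes."""
    sessions = []
    for user, login, logout in log:
        start = datetime.strptime(login, FMT)
        end = datetime.strptime(logout, FMT)
        sessions.append({"user": user, "start": start,
                         "minutes": (end - start).total_seconds() / 60})
    return sessions


def build_baseline(sessions):
    """Per user: hours of day seen, median sessions per day, median length."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    profile = {}
    for user, items in by_user.items():
        per_day = Counter(s["start"].date() for s in items)
        profile[user] = {
            "hours": {s["start"].hour for s in items},
            "daily": median(per_day.values()),
            "minutes": median(s["minutes"] for s in items),
        }
    return profile


def hour_gap(hour, known_hours):
    """Smallest distance on a 24-hour clock between hour and any known hour."""
    return min(min(abs(hour - k), 24 - abs(hour - k)) for k in known_hours)


def review(sessions, profile, ratio=3.0, hour_slack=1):
    """Return (user, day, kind) findings for the review window."""
    findings = []
    per_day = Counter()
    for s in sessions:
        user, day = s["user"], s["start"].date().isoformat()
        base = profile.get(user)
        if base is None:
            # No norm to compare with: verify the account is still authorized.
            findings.append((user, day, "no-baseline"))
            continue
        per_day[(user, day)] += 1
        if hour_gap(s["start"].hour, base["hours"]) > hour_slack:
            findings.append((user, day, "timing"))
        if s["minutes"] > ratio * base["minutes"]:
            findings.append((user, day, "length"))
    for (user, day), count in per_day.items():
        if count > ratio * profile[user]["daily"]:
            findings.append((user, day, "frequency"))
    return findings


def run_example():
    profile = build_baseline(parse(BASELINE_LOG))
    return review(parse(REVIEW_LOG), profile)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

Each finding is a prompt for follow-up by the reviewer, not proof of intrusion; the thresholds should be tuned to the site's own access patterns.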