1. SAND No. 2011-0786C Sandia is a multi-program laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

2. SVA SVA = security vulnerability assessment PPS PPS = physical protection system

3. CCPS 2003. Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites CCPS 2003. Center for Chemical Process Safety, Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites. New York: AIChE.

4. M.L. Garcia 2003.Vulnerability Assessment of Physical Protection Systems M.L. Garcia 2003. Vulnerability Assessment of Physical Protection Systems. Amsterdam: Elsevier. The Design and Evaluation of Physical Protection Systems, Second Edition Also: M.L. Garcia 2008. The Design and Evaluation of Physical Protection Systems, Second Edition. Amsterdam: Butterworth Heinemann.

5. T.L. Norman 2010. Risk Analysis and Security Countermeasure Selection T.L. Norman 2010. Risk Analysis and Security Countermeasure Selection. Boca Raton, Florida: CRC Press.

6. SVA Security Vulnerability Assessment: A systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a security system to protect specific targets from specific adversaries and their acts. Garcia 2008

7. 1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences 5. Evaluate effectiveness of safeguards 6. Determine adequacy of safeguards 7. Identify and implement improvements 8. Compare with process safety

8. 1. SVA objectives and overview

9. SVA Security Vulnerability Assessment: A systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a security system to protect specific targets from specific adversaries and their acts.

10. SVA Security Vulnerability Assessment: A systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a security system to protect specific targets from specific adversaries and their acts.

11. (continued on next slide)

13. Staff security awareness Fences - access control PIDAS* On-site guards Sensors - cameras Technology and/or Cost * PIDAS : Perimeter Intrusion Detection and Assessment System Threat understanding Professional response force 13

14.  Detect vulnerabilities (weaknesses) in a facility’s ability to protect critical assets against adversaries  Design security systems to achieve a desired level of effectiveness  Physical protection systems  Cyber security protection systems  Can also extend to mitigation systems  Emergency response  Fire protection etc.

15. Plan Identify Targets and Critical Assets Develop, Implement Improvements Calculate Risks; Compare to Critera Identify and Assess Likelihood of Threats Identify and Assess Likelihood of Threats Assess Severity of Consequences Assess Severity of Consequences Evaluate Effectiveness of Safeguards Screen Characterize Facility

16. Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C ALTERNATIVE FLOWCHART End 16

17.  Requires management commitment of resources  Generally performed by a knowledgeable team  May require specialized resources or experts  Will involve data and information collection  May require months to fully complete  Should have a means of updating See Garcia 2003 for getting started, collecting data

18.  Carefully define what is included and excluded from the SVA.  For example, for a wastewater system, the scope may include either or both of: ◦ Collection system (e.g., sewer mains to plant inlet) ◦ Treatment plant

19.  An example mission statement for a wastewater treatment plant might be: The Wastewater Treatment Plant is committed to treating wastewater from the City in such a way that the treatment plant effluent and bio- solid residual is safe for the environment, meets permit limits, and is aesthetically pleasing to the community.

20.  Specific criteria can define successful achievement of the plant’s mission, such as: These criteria can also be prioritized.

21. 1. SVA objectives and overview 2. Identify targets and critical assets

22. Property – Laptop or desktop computer, jump drive, personal digital assistant, television, etc. Vehicles – Facility vehicle, access to areas, passes removed Information – Computer control access, stored data, intellectual property Personnel – Identification, access codes Original list from DHS Chemical Security Awareness Training

23. Wastewater system key vulnerabilities:  Collection systems  Treatment chemicals  Key components of treatment plant  Control systems  Pumping/lift stations U.S. GAO report GAO-05-165

24. Liquid Chlorine Sulfur Dioxide 24

25. Other possible targets:  Key personnel  Valuable assets (e.g. catalysts, copper)  Vehicles  Personal computers Keep in mind the plant’s mission statement and success criteria when brainstorming targets and critical assets.

26. Write down at least 6 possible targets of malevolent human actions at a chemical plant.123 456

27. 1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats

28. Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C End 28

29. Image credit: CCPS, “Process Safety Leading and Lagging Indicators,” New York: American Institute of Chemical Engineers, January 2011, www.aiche.org/ccps. Do you remember this graphic?

30. The “Swiss cheese model” can be applied to security risks as well security risks as well as process safety risks. Threat Security Incident

31. threat The threatassessment identifies what security threats are present and how likely they are to initiate attacks on specific targets. Threat Security Incident

32. 32 Design Basis Threat: Design Basis Threat: A policy document used to establish performance criteria for a physical protection system (PPS). It is based on the results of threat assessments as well as other policy considerations. Threat Assessment: Threat Assessment: An evaluation of the threats, based on available intelligence, law enforcement, and open source information, that describes the motivations, intentions, and capabilities of these threats. 32

33.  Motivation  Political, ideological, financial, personal  Willingness to get caught or die  Intention  Theft, sabotage  Other: Stop operations, social disruption, political instability, economic harm

34.  Capabilities  Numbers  Weapons, equipment, tools  Explosives  Knowledge, skills, training  Tactics  Transportation methods  Insider assistance

35. E.g.: Vandals Gangs, thieves Computer hackers Militia / Paramilitary Environmental terrorists Rogue international terrorists Insider threats; disgruntled employee Identify all potential threats (intentional, malevolent human actions)

36.  What are some examples of insider threats ?  What makes the insider threat particularly difficult to analyze and protect against?  What are some things that can be done to protect against insider threats ?

37.  Some methods define “ Design Basis Threats ” for each identified potential adversary.  Helpful in later analysis and determining security upgrades  Not feasible to protect every critical asset against every possible threat  Example:

38. Likelihood of an attack* can be assessed using frequency categories. Options:  Purely qualitative, such as High / Medium / Low  Qualitative with descriptors  Order of magnitude  Fully quantitative * Initiation of an attempt to penetrate the facility’s physical or virtual boundary

39. Example of qualitative-with-descriptors likelihood categories From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care ® Toolkit, http://www.americanchemistry.com/s_rctoolkit Frequent A Probable Occasional Remote Improbable B C D E

40. Example of order-of-magnitude likelihood categories

41. Likelihood assessment:  Consensus of plant personnel, fire department, local law enforcement, etc.  Assess the likelihood of attack by each potential adversary using the selected frequency scale  Example: FAFAFAFA

42. Key considerations affecting likelihood:  Presence  Presence in the area of the facility  Access  Access to the facility intent  Stated/assessed intent to conduct attack  History  History of attacks/threats  Credible information indicating adversary targeted has actually targeted facility  Capability  Capability to achieve successful attack

43. 1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences

44. Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C End 44

45. Potential consequence severity (C) is assessed as the potential impact if an attack is successful.  Must consider intent and capabilities of each specific threat  Can be evaluated as a matrix of threats vs targets or as a listing of scenarios  Consider screening out those with lesser severity

46. Threat SecurityIncident The consequence assessment determines how severe the impacts can be if an attack on a target is successful.

47. Chemical release impacts:  Essentially the same as for unintentional releases (see “Identification of Hazards”)  Fires  Explosions  Toxic gas releases  Also, theft of chemicals for release or use elsewhere (e.g., precursor chemicals)

48. Other impacts:  Some loss events can be assessed monetarily  Business interruption  Property damage  Severity can be difficult to assess for other loss events  Trade secret information loss  Fear / panic impact  etc.

49. Loss event impact is generally assessed using severity categories. Options:  Purely qualitative, e.g. High / Medium / Low  Qualitative with descriptors  Order of magnitude  Fully quantitative

50. Example of qualitative- with- descriptors severity categories From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care ® Toolkit, http://www.americanchemistry.com/s_rctoolkit ICritical IISerious IIIModerate IVMinor

51. Example of order-of-magnitude severity categories

52. Example consequence categories for a wastewater treatment plant

53.  Identify key consequence categories for a typical plant in your industry  Choose one of the consequence categories  Develop an impact scale for the category

54. 1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences 5. Evaluate effectiveness of safeguards

55. Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C End 55

56. Threat SecurityIncident The system effectiveness assessment determines how good the barriers are to keep an attack from being successful.

57. Physical Protection Systems (PPS) Detection Delay Response

58.  Intrusion detection systems  Detectors (sensors, cameras, guard patrols)  Detection signal processing and alarming  Alarm assessment  Alarm communication and display  Entry control  Contraband and explosives detection  Cyber attack detection; system monitoring  Security-aware employees

59. Vibration, Heat, or Sound Passive Active Transmitter and Receiver Receiver 59

60. Covert or visible  Sensors hidden from view  More difficult for intruder to detect  Sensors in plain view of intruder  Simpler to install and repair VisibleCovert 60

61. Volumetric or line detection  Detection in a volume of space  Detection volume is not visible  Detection along a line or plane  Detection zone easily identified VolumetricLine detection 61

62. Line-of-sight or terrain- following  No obstacles in the detection space  Requires flat ground surface  Sensors detect over flat or irregular terrain Line-of-sightTerrain-following 62

63. Pictures of line (vibration) and volumetric (microwave) 63

64. Assessment Assessment - Video display triggered by sensor alarm to determine if an intruder has penetrated a sensored area. Surveillance Surveillance - Continuous video monitoring of an area that that does NOT have sensors. 64

65. Fixed and PTZ cameras  Fixed camera  Non-motorized mount  Fixed-focal-length lens  Pan-tilt-zoom (PTZ) camera  Motorized mount  Motorized zoom lens 65

66.  Access delay  Vehicle barriers  Around perimeter  Around key assets  “Serpentine” arrangement to limit approach speed  Pop-up barriers

67. 67

68.  Access delay  Vehicle barriers  Fences, barbed wire  Traverse time  Doors, windows  Walls  Locks  Strong passwords  Biometrics  Target task time

69.  Communications  Weaponry, tactics  Internal or external  Backup forces  Training  Night-fighting capability  Cyber response capability

70. Security-protective barriers must detect (1) detect an attack soon enough and delays (2) put sufficient time delays in the path of the attacker(s) response (3) for a sufficiently potent response force to arrive and interrupt the attack before the attack succeeds in stealing, releasing, destroying or otherwise compromising the facility’s critical asset(s).

71. Security-protective barriers must detect (1) detect an attack soon enough and delays (2) put sufficient time delays in the path of the attacker(s) response (3) for a sufficiently potent response force to arrive and interrupt the attack before the attack succeeds in stealing, releasing, destroying or otherwise compromising the facility’s critical asset(s). How would this to apply to cyber security ?

75. performance testing  The effectiveness of safeguards is maintained by performance testing.  If any safeguard is not tested and maintained, do not count on it working!

76. How can the performance of these physical protection system components be ensured?  CCTV camera system  Security guards’ visual detection  Perimeter fence  Access-control door locks  Response force

77. 1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences 5. Evaluate effectiveness of safeguards 6. Determine adequacy of safeguards

78. Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C End 78

79. Risk = F A * (1 – P E ) * C where F A = Frequency of attack 1 P E = Protection system effectiveness C = Consequence severity 1 or probability of attack for a given timeframe or mission

80. Assume F A = One attack per year attempted P E = 0.90 effective protection C = US$50,000 loss Risk = F A * (1 – P E ) * C

81. Risk = 1/yr * (1 - 0.9) * $50K = $5,000 / year annualized loss rate annualized loss rate

82. Assume F A = 0.1 attack per year attempted P E = 0.99 effective protection C = Fire/explosion with 10 fatalities Risk = F A * (1 – P E ) * C What is Risk equal to?

83. Risk = 0.1/yr * (1 - 0.99) * 10 = 0.01 fatality / year point risk estimate point risk estimate

84. Determining whether existing or proposed safeguards are adequate can be done in various ways. Options:  Purely qualitative, team-based judgment  Risk matrix  Risk magnitude  Fully quantitative     

85. risk matrix Example of risk matrix with qualitative-with-descriptors likelihood and severity categories From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care ® Toolkit, http://www.americanchemistry.com/s_rctoolkit

86. risk matrix Example of risk matrix with qualitative-with-descriptors likelihood and severity categories From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care ® Toolkit, http://www.americanchemistry.com/s_rctoolkit NOTE: Determining where the risk risk boundaries are set is a risk management management function

87. Unacceptable region ALARP The ALARP or Tolerability Region Broadly acceptable region (No need for detailed working to demonstrate ALARP) Necessary to maintain assurance that risk remains at this level Tolerable if cost of reduction would exceed the improvement gained Tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained Risk cannot be justified save in extraordinary circumstances NEGLIGIBLE RISK Credit: UK HSE

88. Unacceptable region ALARP The ALARP or Tolerability Region Broadly acceptable +3 or higher NEGLIGIBLE RISK Risk magnitude +2 +1 0 or lower

89. Unacceptable region ALARP The ALARP or Tolerability Region Broadly acceptable +1 or higher NEGLIGIBLE RISK Risk magnitude 0 -2 or lower

90. Describe one complete security scenario Describe one complete security scenario involving  a particular threat and its likelihood,  a particular consequence and its severity, and  a reasonable set of safeguards and their effectiveness. Using any one risk evaluation approach, calculate the scenario risk and determine its acceptability. Be prepared to present your results and findings, including important assumptions.

91. 1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences 5. Evaluate effectiveness of safeguards 6. Determine adequacy of safeguards 7. Identify and implement improvements

92. Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? End Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C 92

93.  Address specific vulnerabilities identified in the SVA  Address scenarios assessed to pose the highest security risk

94.  Tendency:  Tendency: Add more physical safeguards (fences, cameras, locks, etc.).  First priority:  First priority: Make sure what you have will work.  Performance testing  Drills, tabletop exercises  Also a priority:  Also a priority: Make the facility inherently safer.  Minimize  Substitute  Attenuate  Simplify, limit effects, etc.

95. Wastewater system security-enhancing activities:  Replace gaseous chemicals with less hazardous alternatives  Improve local/state/regional collaboration efforts  Complete SVAs for individual wastewater systems  Expand training for wastewater utility operators, administrators  Improve national communication efforts  Install early warning in collection systems  Harden plants and collection facilities against attack  Strengthen procedures  Increase R&D to improve detection, assessment and response

96. The SVA is generally captured in a report and/or management presentation containing:  Objectives  Team  Approach  Data and Analysis  Results and Conclusions  Recommended improvements See Garcia 2003 and Norman 2010 for suggested presentation formats

97. Keep in mind: “The search for static security, in the law and elsewhere, is misguided. The fact is, security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts.” - William O. Douglas, as quoted in Garcia 2003

98. 1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences 5. Evaluate effectiveness of safeguards 6. Determine adequacy of safeguards 7. Identify and implement improvements 8. Compare with process safety

99. Continued on next slide

100. Source: CCPS 2008a, p. 207

101. Hazards 101

102. 102

103. Hazards Threat 103

104. 104

105. Threat of:  Release of hazardous material  Destruction of critical assets  Harm to key personnel  Vandalism  Theft  etc.

106. Threat of:  Release of hazardous material  Destruction of critical assets  Harm to key personnel  Vandalism  Theft  etc. By: Vandal Gang, thief Militia / paramilitary Environmental terrorist Rogue international terrorist Insider threat; disgruntled employee

107. Impacts Loss Event Mitigated Unmitigated

108. 108

109. Hazards Impacts Attack InterveneDeterMitigate Loss Event Regain control or shut down Mitigated Unmitigated 109

110. Deter  Make target less attractive  Maintain visible defenses  Lower perceived likelihood of success Attempt Deter No attempt Threat At each branch: Success Failure 110

111. 111

112. Intervene  Detect AND  Delay AND  Respond Attempt InterveneDeter Loss Event Successful intervention No attempt Threat

113.  Detect ◦ Identify threat ◦ Communi- cate to response force Attempt InterveneDeter Successful intervention No attempt Loss Event Threat 113

114. 114

115. Attempt InterveneDeter Successful intervention No attempt  Detect  Delay ◦ Slow down attack with barriers ◦ Give response force time to interrupt attack Loss Event Threat

116. Attempt InterveneDeter Loss Event Successful intervention No attempt  Detect  Delay  Respond ◦ Receive alarm ◦ Arrive in time with sufficient force to interrupt attack Threat

117. 117

118. Impacts Attempt InterveneDeterMitigate Loss Event Successful intervention Mitigated Unmitigated No attempt Threat 118

119. 119

120. Impacts Attempt InterveneDeterMitigate Loss Event Successful intervention Mitigated Unmitigated No attempt Threat At each branch: Success Failure

121. 1. Listed objectives of performing a Security Vulnerability Assessment (SVA) 2. Described evaluating potential targets and critical assets 3. Described the process of identifying and assessing the likelihood of threats 4. Described the process of assessing the severity of consequences 5. Described how to evaluate the effectiveness of security safeguards 7. Discussed the importance of identifying and implementing improvements 8. Compared SVA with process safety