Download presentation
Presentation is loading. Please wait.
Published byLondon Belcourt Modified over 3 years ago
1
SAND No. 2011-0786C Sandia is a multi-program laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.
2
SVA SVA = security vulnerability assessment PPS PPS = physical protection system
3
CCPS 2003. Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites CCPS 2003. Center for Chemical Process Safety, Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites. New York: AIChE.
4
M.L. Garcia 2003.Vulnerability Assessment of Physical Protection Systems M.L. Garcia 2003. Vulnerability Assessment of Physical Protection Systems. Amsterdam: Elsevier. The Design and Evaluation of Physical Protection Systems, Second Edition Also: M.L. Garcia 2008. The Design and Evaluation of Physical Protection Systems, Second Edition. Amsterdam: Butterworth Heinemann.
5
T.L. Norman 2010. Risk Analysis and Security Countermeasure Selection T.L. Norman 2010. Risk Analysis and Security Countermeasure Selection. Boca Raton, Florida: CRC Press.
6
SVA Security Vulnerability Assessment: A systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a security system to protect specific targets from specific adversaries and their acts. Garcia 2008
7
1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences 5. Evaluate effectiveness of safeguards 6. Determine adequacy of safeguards 7. Identify and implement improvements 8. Compare with process safety
8
1. SVA objectives and overview
9
SVA Security Vulnerability Assessment: A systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a security system to protect specific targets from specific adversaries and their acts.
10
SVA Security Vulnerability Assessment: A systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a security system to protect specific targets from specific adversaries and their acts.
11
(continued on next slide)
13
Staff security awareness Fences - access control PIDAS* On-site guards Sensors - cameras Technology and/or Cost * PIDAS : Perimeter Intrusion Detection and Assessment System Threat understanding Professional response force 13
14
Detect vulnerabilities (weaknesses) in a facility’s ability to protect critical assets against adversaries Design security systems to achieve a desired level of effectiveness Physical protection systems Cyber security protection systems Can also extend to mitigation systems Emergency response Fire protection etc.
15
Plan Identify Targets and Critical Assets Develop, Implement Improvements Calculate Risks; Compare to Critera Identify and Assess Likelihood of Threats Identify and Assess Likelihood of Threats Assess Severity of Consequences Assess Severity of Consequences Evaluate Effectiveness of Safeguards Screen Characterize Facility
16
Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C ALTERNATIVE FLOWCHART End 16
17
Requires management commitment of resources Generally performed by a knowledgeable team May require specialized resources or experts Will involve data and information collection May require months to fully complete Should have a means of updating See Garcia 2003 for getting started, collecting data
18
Carefully define what is included and excluded from the SVA. For example, for a wastewater system, the scope may include either or both of: ◦ Collection system (e.g., sewer mains to plant inlet) ◦ Treatment plant
19
An example mission statement for a wastewater treatment plant might be: The Wastewater Treatment Plant is committed to treating wastewater from the City in such a way that the treatment plant effluent and bio- solid residual is safe for the environment, meets permit limits, and is aesthetically pleasing to the community.
20
Specific criteria can define successful achievement of the plant’s mission, such as: These criteria can also be prioritized.
21
1. SVA objectives and overview 2. Identify targets and critical assets
22
Property – Laptop or desktop computer, jump drive, personal digital assistant, television, etc. Vehicles – Facility vehicle, access to areas, passes removed Information – Computer control access, stored data, intellectual property Personnel – Identification, access codes Original list from DHS Chemical Security Awareness Training
23
Wastewater system key vulnerabilities: Collection systems Treatment chemicals Key components of treatment plant Control systems Pumping/lift stations U.S. GAO report GAO-05-165
24
Liquid Chlorine Sulfur Dioxide 24
25
Other possible targets: Key personnel Valuable assets (e.g. catalysts, copper) Vehicles Personal computers Keep in mind the plant’s mission statement and success criteria when brainstorming targets and critical assets.
26
Write down at least 6 possible targets of malevolent human actions at a chemical plant.123 456
27
1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats
28
Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C End 28
29
Image credit: CCPS, “Process Safety Leading and Lagging Indicators,” New York: American Institute of Chemical Engineers, January 2011, www.aiche.org/ccps. Do you remember this graphic?
30
The “Swiss cheese model” can be applied to security risks as well security risks as well as process safety risks. Threat Security Incident
31
threat The threatassessment identifies what security threats are present and how likely they are to initiate attacks on specific targets. Threat Security Incident
32
32 Design Basis Threat: Design Basis Threat: A policy document used to establish performance criteria for a physical protection system (PPS). It is based on the results of threat assessments as well as other policy considerations. Threat Assessment: Threat Assessment: An evaluation of the threats, based on available intelligence, law enforcement, and open source information, that describes the motivations, intentions, and capabilities of these threats. 32
33
Motivation Political, ideological, financial, personal Willingness to get caught or die Intention Theft, sabotage Other: Stop operations, social disruption, political instability, economic harm
34
Capabilities Numbers Weapons, equipment, tools Explosives Knowledge, skills, training Tactics Transportation methods Insider assistance
35
E.g.: Vandals Gangs, thieves Computer hackers Militia / Paramilitary Environmental terrorists Rogue international terrorists Insider threats; disgruntled employee Identify all potential threats (intentional, malevolent human actions)
36
What are some examples of insider threats ? What makes the insider threat particularly difficult to analyze and protect against? What are some things that can be done to protect against insider threats ?
37
Some methods define “ Design Basis Threats ” for each identified potential adversary. Helpful in later analysis and determining security upgrades Not feasible to protect every critical asset against every possible threat Example:
38
Likelihood of an attack* can be assessed using frequency categories. Options: Purely qualitative, such as High / Medium / Low Qualitative with descriptors Order of magnitude Fully quantitative * Initiation of an attempt to penetrate the facility’s physical or virtual boundary
39
Example of qualitative-with-descriptors likelihood categories From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care ® Toolkit, http://www.americanchemistry.com/s_rctoolkit Frequent A Probable Occasional Remote Improbable B C D E
40
Example of order-of-magnitude likelihood categories
41
Likelihood assessment: Consensus of plant personnel, fire department, local law enforcement, etc. Assess the likelihood of attack by each potential adversary using the selected frequency scale Example: FAFAFAFA
42
Key considerations affecting likelihood: Presence Presence in the area of the facility Access Access to the facility intent Stated/assessed intent to conduct attack History History of attacks/threats Credible information indicating adversary targeted has actually targeted facility Capability Capability to achieve successful attack
43
1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences
44
Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C End 44
45
Potential consequence severity (C) is assessed as the potential impact if an attack is successful. Must consider intent and capabilities of each specific threat Can be evaluated as a matrix of threats vs targets or as a listing of scenarios Consider screening out those with lesser severity
46
Threat SecurityIncident The consequence assessment determines how severe the impacts can be if an attack on a target is successful.
47
Chemical release impacts: Essentially the same as for unintentional releases (see “Identification of Hazards”) Fires Explosions Toxic gas releases Also, theft of chemicals for release or use elsewhere (e.g., precursor chemicals)
48
Other impacts: Some loss events can be assessed monetarily Business interruption Property damage Severity can be difficult to assess for other loss events Trade secret information loss Fear / panic impact etc.
49
Loss event impact is generally assessed using severity categories. Options: Purely qualitative, e.g. High / Medium / Low Qualitative with descriptors Order of magnitude Fully quantitative
50
Example of qualitative- with- descriptors severity categories From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care ® Toolkit, http://www.americanchemistry.com/s_rctoolkit ICritical IISerious IIIModerate IVMinor
51
Example of order-of-magnitude severity categories
52
Example consequence categories for a wastewater treatment plant
53
Identify key consequence categories for a typical plant in your industry Choose one of the consequence categories Develop an impact scale for the category
54
1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences 5. Evaluate effectiveness of safeguards
55
Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C End 55
56
Threat SecurityIncident The system effectiveness assessment determines how good the barriers are to keep an attack from being successful.
57
Physical Protection Systems (PPS) Detection Delay Response
58
Intrusion detection systems Detectors (sensors, cameras, guard patrols) Detection signal processing and alarming Alarm assessment Alarm communication and display Entry control Contraband and explosives detection Cyber attack detection; system monitoring Security-aware employees
59
Vibration, Heat, or Sound Passive Active Transmitter and Receiver Receiver 59
60
Covert or visible Sensors hidden from view More difficult for intruder to detect Sensors in plain view of intruder Simpler to install and repair VisibleCovert 60
61
Volumetric or line detection Detection in a volume of space Detection volume is not visible Detection along a line or plane Detection zone easily identified VolumetricLine detection 61
62
Line-of-sight or terrain- following No obstacles in the detection space Requires flat ground surface Sensors detect over flat or irregular terrain Line-of-sightTerrain-following 62
63
Pictures of line (vibration) and volumetric (microwave) 63
64
Assessment Assessment - Video display triggered by sensor alarm to determine if an intruder has penetrated a sensored area. Surveillance Surveillance - Continuous video monitoring of an area that that does NOT have sensors. 64
65
Fixed and PTZ cameras Fixed camera Non-motorized mount Fixed-focal-length lens Pan-tilt-zoom (PTZ) camera Motorized mount Motorized zoom lens 65
66
Access delay Vehicle barriers Around perimeter Around key assets “Serpentine” arrangement to limit approach speed Pop-up barriers
67
67
68
Access delay Vehicle barriers Fences, barbed wire Traverse time Doors, windows Walls Locks Strong passwords Biometrics Target task time
69
Communications Weaponry, tactics Internal or external Backup forces Training Night-fighting capability Cyber response capability
70
Security-protective barriers must detect (1) detect an attack soon enough and delays (2) put sufficient time delays in the path of the attacker(s) response (3) for a sufficiently potent response force to arrive and interrupt the attack before the attack succeeds in stealing, releasing, destroying or otherwise compromising the facility’s critical asset(s).
71
Security-protective barriers must detect (1) detect an attack soon enough and delays (2) put sufficient time delays in the path of the attacker(s) response (3) for a sufficiently potent response force to arrive and interrupt the attack before the attack succeeds in stealing, releasing, destroying or otherwise compromising the facility’s critical asset(s). How would this to apply to cyber security ?
75
performance testing The effectiveness of safeguards is maintained by performance testing. If any safeguard is not tested and maintained, do not count on it working!
76
How can the performance of these physical protection system components be ensured? CCTV camera system Security guards’ visual detection Perimeter fence Access-control door locks Response force
77
1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences 5. Evaluate effectiveness of safeguards 6. Determine adequacy of safeguards
78
Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C End 78
79
Risk = F A * (1 – P E ) * C where F A = Frequency of attack 1 P E = Protection system effectiveness C = Consequence severity 1 or probability of attack for a given timeframe or mission
80
Assume F A = One attack per year attempted P E = 0.90 effective protection C = US$50,000 loss Risk = F A * (1 – P E ) * C
81
Risk = 1/yr * (1 - 0.9) * $50K = $5,000 / year annualized loss rate annualized loss rate
82
Assume F A = 0.1 attack per year attempted P E = 0.99 effective protection C = Fire/explosion with 10 fatalities Risk = F A * (1 – P E ) * C What is Risk equal to?
83
Risk = 0.1/yr * (1 - 0.99) * 10 = 0.01 fatality / year point risk estimate point risk estimate
84
Determining whether existing or proposed safeguards are adequate can be done in various ways. Options: Purely qualitative, team-based judgment Risk matrix Risk magnitude Fully quantitative
85
risk matrix Example of risk matrix with qualitative-with-descriptors likelihood and severity categories From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care ® Toolkit, http://www.americanchemistry.com/s_rctoolkit
86
risk matrix Example of risk matrix with qualitative-with-descriptors likelihood and severity categories From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care ® Toolkit, http://www.americanchemistry.com/s_rctoolkit NOTE: Determining where the risk risk boundaries are set is a risk management management function
87
Unacceptable region ALARP The ALARP or Tolerability Region Broadly acceptable region (No need for detailed working to demonstrate ALARP) Necessary to maintain assurance that risk remains at this level Tolerable if cost of reduction would exceed the improvement gained Tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained Risk cannot be justified save in extraordinary circumstances NEGLIGIBLE RISK Credit: UK HSE
88
Unacceptable region ALARP The ALARP or Tolerability Region Broadly acceptable +3 or higher NEGLIGIBLE RISK Risk magnitude +2 +1 0 or lower
89
Unacceptable region ALARP The ALARP or Tolerability Region Broadly acceptable +1 or higher NEGLIGIBLE RISK Risk magnitude 0 -2 or lower
90
Describe one complete security scenario Describe one complete security scenario involving a particular threat and its likelihood, a particular consequence and its severity, and a reasonable set of safeguards and their effectiveness. Using any one risk evaluation approach, calculate the scenario risk and determine its acceptability. Be prepared to present your results and findings, including important assumptions.
91
1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences 5. Evaluate effectiveness of safeguards 6. Determine adequacy of safeguards 7. Identify and implement improvements
92
Facility Characterization Facility Characterization Facility Characterization Facility Characterization Threat Assessment Consequence Assessment SystemEffectivenessSystemEffectiveness Risk Calculation Riskacceptable? End Y N Mission, objectives; prioritize facilities Proposed Upgrades Likelihood of adversary attack (F A ) Existing protection against adversary scenarios (P E ) Potential consequence severity (C) F A * (1-P E ) * C 92
93
Address specific vulnerabilities identified in the SVA Address scenarios assessed to pose the highest security risk
94
Tendency: Tendency: Add more physical safeguards (fences, cameras, locks, etc.). First priority: First priority: Make sure what you have will work. Performance testing Drills, tabletop exercises Also a priority: Also a priority: Make the facility inherently safer. Minimize Substitute Attenuate Simplify, limit effects, etc.
95
Wastewater system security-enhancing activities: Replace gaseous chemicals with less hazardous alternatives Improve local/state/regional collaboration efforts Complete SVAs for individual wastewater systems Expand training for wastewater utility operators, administrators Improve national communication efforts Install early warning in collection systems Harden plants and collection facilities against attack Strengthen procedures Increase R&D to improve detection, assessment and response
96
The SVA is generally captured in a report and/or management presentation containing: Objectives Team Approach Data and Analysis Results and Conclusions Recommended improvements See Garcia 2003 and Norman 2010 for suggested presentation formats
97
Keep in mind: “The search for static security, in the law and elsewhere, is misguided. The fact is, security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts.” - William O. Douglas, as quoted in Garcia 2003
98
1. SVA objectives and overview 2. Identify targets and critical assets 3. Identify and assess likelihood of threats 4. Assess severity of consequences 5. Evaluate effectiveness of safeguards 6. Determine adequacy of safeguards 7. Identify and implement improvements 8. Compare with process safety
99
Continued on next slide
100
Source: CCPS 2008a, p. 207
101
Hazards 101
102
102
103
Hazards Threat 103
104
104
105
Threat of: Release of hazardous material Destruction of critical assets Harm to key personnel Vandalism Theft etc.
106
Threat of: Release of hazardous material Destruction of critical assets Harm to key personnel Vandalism Theft etc. By: Vandal Gang, thief Militia / paramilitary Environmental terrorist Rogue international terrorist Insider threat; disgruntled employee
107
Impacts Loss Event Mitigated Unmitigated
108
108
109
Hazards Impacts Attack InterveneDeterMitigate Loss Event Regain control or shut down Mitigated Unmitigated 109
110
Deter Make target less attractive Maintain visible defenses Lower perceived likelihood of success Attempt Deter No attempt Threat At each branch: Success Failure 110
111
111
112
Intervene Detect AND Delay AND Respond Attempt InterveneDeter Loss Event Successful intervention No attempt Threat
113
Detect ◦ Identify threat ◦ Communi- cate to response force Attempt InterveneDeter Successful intervention No attempt Loss Event Threat 113
114
114
115
Attempt InterveneDeter Successful intervention No attempt Detect Delay ◦ Slow down attack with barriers ◦ Give response force time to interrupt attack Loss Event Threat
116
Attempt InterveneDeter Loss Event Successful intervention No attempt Detect Delay Respond ◦ Receive alarm ◦ Arrive in time with sufficient force to interrupt attack Threat
117
117
118
Impacts Attempt InterveneDeterMitigate Loss Event Successful intervention Mitigated Unmitigated No attempt Threat 118
119
119
120
Impacts Attempt InterveneDeterMitigate Loss Event Successful intervention Mitigated Unmitigated No attempt Threat At each branch: Success Failure
121
1. Listed objectives of performing a Security Vulnerability Assessment (SVA) 2. Described evaluating potential targets and critical assets 3. Described the process of identifying and assessing the likelihood of threats 4. Described the process of assessing the severity of consequences 5. Described how to evaluate the effectiveness of security safeguards 7. Discussed the importance of identifying and implementing improvements 8. Compared SVA with process safety
Similar presentations
© 2018 SlidePlayer.com Inc.
All rights reserved.
Ppt on p&g products coupon Ppt on new york times Ppt on resistance temperature detector probe Ppt on world photography day Ppt on three equations of motion Ppt on power electronics in ieee format Ppt on different types of computer softwares for resume Ppt on noun for class 2 Ppt on transportation in plants and animals for class 10 Ppt on importance of sports and games in students life