Presented at the 2007 CUPA Conference by SRM Associates, Inc.
PO Box 891993, Temecula, CA 92589-1993, (951) 764-3626
Chemical Site Security and Chemical Facility Vulnerability Assessments

Introduction
- Bios
- New DHS Regulations
- Who has to Comply?
- What do they have to do?
- Vulnerability Assessment
- Updates/Reviews
- Penalties
- Information Protection
- RAMCAP Methodology
- Site Security Plans

Bios
- Who are we?
- What have we done?
- What are we trying to do?

New DHS regulations
- Federal only
- No State Counterpart
- Watch for it
- Interim Final Regulations
- DHS intends to modify later or clarify using guidance

Who has to comply?
- We don't know but DHS will tell us
- Top Screen Process
- Multiple tiers
- Facilities will be required by DHS to submit information
- DHS will determine based on information whether the facility is required to complete VA and Security Plan
- Voo Doo?

Who has to comply? (cont)
- DHS is considering “grouping” facilities into like categories for determining requirements for compliance
  - e.g. NH3 Refrigeration, Petroleum Refineries
- Pro: Only facilities told by DHS they are required to comply will have to submit
- Cons: Manpower Intensive for DHS
- No timeframe provided

What will facilities have to do?
- First, perform a Vulnerability Assessment
- Second, develop a Site Security Plan

Vulnerability Assessment
- RAMCAP Methodology called out, but others may be approved
- Presumptive deadline will be 60 days from DHS telling facility they need to complete VA (120 days for Site Security Plan)

Updates/Reviews
- Update schedule is not stipulated yet
- Reviews done by DHS, but no deadline provided

Penalties
- Up to $25k/day/violation
- Cease Operations
- Appeals are allowed

Information Protection
- Penalties are provided for release to unauthorized individuals
- Facility can release if they wish

RAMCAP Methodology
- Asset Based or Scenario Based
- Leans heavily toward Asset Based
- Likelihood of attack assumed to be 1
- Risk Matrix provided but not in line with most safety assessments
  - e.g. 0-100 deaths is “low” on the severity scale (1 of 10)
- Recommended Team personnel includes:
  - Person familiar with RAMCAP
  - Operations
  - Engineering
  - Security

RAMCAP Methodology (cont)
1. Asset Characterization (note bias)
  - Figure out which assets are critical to: operation, could be used to impact public, or could be stolen
  - Includes physical assets, critical personnel, information, chemicals, support processes, etc.
2. Threat Assessment
  - DHS will provide list of threats
  - Doesn't matter because DHS recommends assuming: “...international terrorism is possible at every facility.”

RAMCAP Methodology (cont)
3. Vulnerability Analysis
  - States “...define scenarios...” but then states “...each asset must be reviewed...”
  - Scenario based
  - Similar to PHA:
    - What can go wrong? (cause)
    - How bad is it? (consequence/severity)
    - What is in place to prevent it? (safeguards)
    - What is likelihood of event being completed? (likelihood); does not include probability of attack
  - Note: Worksheets are written to use Assets AND scenarios (i.e. it is assumed that your scenario will be based around an asset)

RAMCAP Methodology (cont)
4. Risk Analysis/Ranking
  - Risk Matrix provided
  - Not like Safety Matrices in either likelihood or severity
5. Identify Countermeasures
  - PHA would call “recommendations”
  - Deter
  - Detect
  - Delay
  - Respond
  - (Note: Mitigate is not included)

Site Security Plan
- Risk Based Standards
- Standards appear to be: complete a VA and Site Security Plan
- Regs state that you need to protect perimeter, but don't state what you need to protect against.
- Regs state that you need to protect critical assets, but don't state what you need to protect against.

20 Items in Site Security Plan
- Secure/Monitor Perimeter
- Secure/Monitor Restricted Areas
- Control access to facility/Restricted Areas
- Deter vehicles from penetrating perimeter
- Secure/Monitor shipping/receipt of HAZMATs
- Deter theft of HAZMATs
- Deter sabotage
- Deter cyber sabotage
- Develop/exercise Emergency Plan to respond to security events

20 Items in Site Security Plan (cont)
- Ensure proper security training, exercises and drills
- Background checks (does not call out contractors)
- Increase measures as threat goes up
- Address specific threats provided by DHS
- Report security issues to DHS
- Maintain records of security issues
- Establish person/group responsible for compliance
- Maintain appropriate records

20 Items in Site Security Plan (cont)
- Address specific threats provided by DHS (again)
- Address additional performance standards provided by DHS in future

DHS Involvement
- DHS will provide assistance
  - When?
  - How?
- DHS can audit facilities or authorize 3rd party audits