Presented at the 2007 CUPA Conference by SRM Associates, Inc. PO Box 891993 Temecula, CA 92589-1993 (951) 764-3626 Chemical Site Security and Chemical.


Chemical Site Security and Chemical Facility Vulnerability Assessments
Presented at the 2007 CUPA Conference by SRM Associates, Inc.

Introduction
- Bios
- New DHS Regulations
- Who has to comply?
- What do they have to do?
- Vulnerability Assessment
- Updates/Reviews
- Penalties
- Information Protection
- RAMCAP Methodology
- Site Security Plans

Bios
- Who are we?
- What have we done?
- What are we trying to do?

New DHS Regulations
- Federal only
- No state counterpart
  - Watch for it
- Interim Final Regulations
  - DHS intends to modify later or clarify using guidance

Who has to comply?
- We don't know, but DHS will tell us
- Top Screen process
  - Multiple tiers
  - Facilities will be required by DHS to submit information
  - DHS will determine, based on that information, whether the facility is required to complete a VA and Security Plan
- Voodoo?

Who has to comply? (cont.)
- DHS is considering "grouping" facilities into like categories for determining compliance requirements
  - e.g. NH3 refrigeration, petroleum refineries
- Pro:
  - Only facilities told by DHS that they are required to comply will have to submit
- Cons:
  - Manpower intensive for DHS
  - No timeframe provided

What will facilities have to do?
- First, perform a Vulnerability Assessment
- Second, develop a Site Security Plan

Vulnerability Assessment
- RAMCAP methodology called out, but others may be approved
- Presumptive deadline will be 60 days from DHS telling the facility it needs to complete a VA (120 days for the Site Security Plan)

Updates/Reviews
- Update schedule is not stipulated yet
- Reviews done by DHS, but no deadline provided

Penalties
- Up to $25k/day/violation
- Cease operations
- Appeals are allowed

Information Protection
- Penalties are provided for release to unauthorized individuals
- Facility can release if they wish

RAMCAP Methodology
- Asset based or scenario based
  - Leans heavily toward asset based
- Likelihood of attack assumed to be 1
- Risk matrix provided, but not in line with most safety assessments
  - e.g. deaths is "low" on the severity scale (1 of 10)
- Recommended team personnel includes:
  - Person familiar with RAMCAP
  - Operations
  - Engineering
  - Security

RAMCAP Methodology (cont.)
1. Asset Characterization (note bias)
   - Figure out which assets are critical to operation, could be used to impact the public, or could be stolen
   - Includes physical assets, critical personnel, information, chemicals, support processes, etc.
2. Threat Assessment
   - DHS will provide a list of threats
   - Doesn't matter, because DHS recommends assuming: "...international terrorism is possible at every facility."

RAMCAP Methodology (cont.)
3. Vulnerability Analysis
   - States "...define scenarios..." but then states "...each asset must be reviewed..."
   - Scenario based, similar to a PHA:
     - What can go wrong? (cause)
     - How bad is it? (consequence/severity)
     - What is in place to prevent it? (safeguards)
     - What is the likelihood of the event being completed? (likelihood); does not include the probability of attack
   - Note: worksheets are written to use assets AND scenarios (i.e. it is assumed that your scenario will be based around an asset)

RAMCAP Methodology (cont.)
4. Risk Analysis/Ranking
   - Risk matrix provided
   - Not like safety matrices in either likelihood or severity
5. Identify Countermeasures
   - A PHA would call these "recommendations"
   - Deter
   - Detect
   - Delay
   - Respond
   - (Note: Mitigate is not included)
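As an added illustration (not from the slides and not RAMCAP's own worksheets), the scenario-based ranking of steps 3 to 5 above can be modelled in a few lines of Python: each scenario hangs off an asset, answers the four PHA-style questions, has the attack likelihood fixed at 1, and is re-ranked once deter/detect/delay/respond countermeasures are proposed. The 1-10 severity scale, the 1-5 completion-likelihood scale, the additive countermeasure reductions and the sample scenarios are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Slide: likelihood of attack is assumed to be 1, so the ranking depends only on severity and completion likelihood.
ATTACK_LIKELIHOOD = 1.0
# Slide: countermeasures are classed as deter/detect/delay/respond (mitigate is not a class).
COUNTERMEASURE_CLASSES = ("deter", "detect", "delay", "respond")


@dataclass
class Scenario:
    """One PHA-style scenario, built around an asset as the RAMCAP worksheets assume."""
    asset: str
    cause: str                    # what can go wrong?
    severity: int                 # how bad is it? (assumed 1..10 scale)
    likelihood: int               # chance the event is completed given current safeguards (assumed 1..5)
    safeguards: list[str] = field(default_factory=list)            # what is in place to prevent it?
    countermeasures: dict[str, int] = field(default_factory=dict)  # class -> assumed likelihood reduction


def residual_likelihood(s: Scenario) -> int:
    """Completion likelihood once proposed countermeasures are applied; never below 1."""
    for cls in s.countermeasures:
        if cls not in COUNTERMEASURE_CLASSES:
            raise ValueError(f"unknown countermeasure class: {cls}")
    return max(1, s.likelihood - sum(s.countermeasures.values()))


def risk(s: Scenario, with_countermeasures: bool = False) -> float:
    """Risk = attack likelihood (1) x severity x likelihood of completion."""
    like = residual_likelihood(s) if with_countermeasures else s.likelihood
    return ATTACK_LIKELIHOOD * s.severity * like


def rank(scenarios: list[Scenario], with_countermeasures: bool = False) -> list[tuple[str, str, float]]:
    """(asset, cause, risk) tuples, highest risk first, for the risk-ranking step."""
    scored = [(s.asset, s.cause, risk(s, with_countermeasures)) for s in scenarios]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed sample scenarios; not taken from the slides.
SCENARIOS = [
    Scenario("anhydrous ammonia tank", "intentional release", severity=9, likelihood=3,
             safeguards=["perimeter fence", "locked valves"], countermeasures={"detect": 1, "delay": 1}),
    Scenario("chlorine cylinders", "theft at receiving dock", severity=6, likelihood=4,
             safeguards=["escorted deliveries"], countermeasures={"deter": 2}),
    Scenario("process control system", "cyber sabotage of interlocks", severity=7, likelihood=2,
             countermeasures={"detect": 1}),
]
```

Comparing rank(SCENARIOS) with rank(SCENARIOS, with_countermeasures=True) shows the ordering change that the risk-ranking step is meant to surface once recommendations are costed in.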

Site Security Plan
- Risk-based standards
- Standards appear to be: complete a VA and a Site Security Plan
- Regs state that you need to protect the perimeter, but don't state what you need to protect against
- Regs state that you need to protect critical assets, but don't state what you need to protect against

20 Items in Site Security Plan
- Secure/monitor perimeter
- Secure/monitor restricted areas
- Control access to facility/restricted areas
- Deter vehicles from penetrating perimeter
- Secure/monitor shipping/receipt of HAZMATs
- Deter theft of HAZMATs
- Deter sabotage
- Deter cyber sabotage
- Develop/exercise Emergency Plan to respond to security events

20 Items in Site Security Plan (cont.)
- Ensure proper security training, exercises and drills
- Background checks (does not call out contractors)
- Increase measures as threat goes up
- Address specific threats provided by DHS
- Report security issues to DHS
- Maintain records of security issues
- Establish person/group responsible for compliance
- Maintain appropriate records

20 Items in Site Security Plan (cont.)
- Address specific threats provided by DHS (again)
- Address additional performance standards provided by DHS in future

DHS Involvement
- DHS will provide assistance
  - When?
  - How?
- DHS can audit facilities or authorize 3rd-party audits

Questions?

Contact Information
Stephen R. Melvin, PE CSP
Jeffrey M. Lane
SRM Associates, Inc. PO Box Temecula, CA (951)

RAMCAP: Figures 1, 2a, 2b, 3 & 4, 5 through 20 and 20B (image-only slides; no text in the transcript)