Chemical Security Engagement Program Chemical Security for Industry and the Chemical Supply Chain Dubai, UAE 15-16 January 2014

Workshop Overview Welcome and Introduction Gulf Petrochemicals and Chemicals Association (GPCA) Responsible Care Program Dr Abdulwahab Al Sadoun, GPCA Secretary General Overview of U.S. Department of State Chemical Security Engagement Program (CSP) Peter Gambill, U. S. Department of State Chemical Security Engagement Program Chemical Risk Management Dual-Use-Chemicals and Precursors Chemical Distribution System and Supply Chain Chemical Management for Small to Medium Industry Principles of Security Safe Secure Transportation Security Vulnerability Analysis for Chemical Industry Aspects of IT Security

Sandia National Laboratories Albuquerque, New Mexico, USA

Sandia National Laboratories

GPCA Responsible Care Program Tahir Jamal Qadir, Director of Responsible Care GPCA Dr. Abdulwahab Al Sadoun GPCA Secretary-General

Overview of U.S. Department of State Chemical Security Engagement Program (CSP) Peter Gambill, U. S. Department of State Chemical Security Engagement Program

Take-Aways from Workshop Discussions and Activities Identify gaps between existing and ideal situation Develop plans and procedures for improvement Sustainability Networking with other facilities Mentorship with larger facilities provided through GPCA Train the trainer- deep dive in to certain topics to give the most information that they can use for future training -They become the experts to take back and train their colleagues/ students At the end of this workshop we will be going through basic lesson planning -Keep this in mind during the workshop for ideas and questions along the way that may be helpful to you for future training

Introductions Instructors Participants Dr. Christine Straut Mr. Steve Iveson Participants Name, Facility, Job tile or Specialty

Workshop Overview: Day 1 Welcome and Introduction GPCA Responsible Care Program Overview of U.S. Department of State Chemical Security Engagement Program (CSP) Peter Gambill, U. S. Department of State Chemical Security Engagement Program Chemical Risk Management for Industry and the Chemical Supply Chain Overview of Chemical Risk Management Tracking Chemicals-of-Concern, Dual-Use-Chemicals and Precursors Chemicals Dual-Use chemical tracking from the Perspective of the Organization for the Prohibition of Chemical Weapons Regulatory Options for Tracking and Controlling Chemicals of Concern The Chemical Distribution System and Its Focus on Supply Chain Overview of international Responsible Care best practices, including ACC and CCPS Chemical Management for Small to Medium Industry: Perspective/ Problems TBD, Company Discussion: Chemical Management for Small to Medium Industry Facilitated discussion groups

Chemical Risk Management for Industry and the Chemical Supply Chain

Module Overview: Chemical Management Importance of Chemical Security and Chemical Management Fundamentals of Chemical Management Benefits of Chemical Management Best Practices Cradle-To-Grave Life Cycle of Chemicals Controls Chemical Risk Management Risk Basics Chemical Security Risk Assessment Summary, Conclusions, and Evaluations

Chemical Safety and Security (CSS) Preventing and protecting against chemical laboratory accidents Chemical Security Preventing and protecting against the intentional misuse of chemicals, people, or equipment for non-peaceful purposes Goal: Safe and Peaceful use of Chemicals

Industrial Safety Incidents Catastrophic process incidents: 1947 Texas City, Texas – 578 dead 1984 Bhopal, India - 4000 dead 2001 Toulouse, France – 29 dead More recently: 2013-Fertilizer plant explosion- West, Texas 14 killed 150 buildings damaged or destroyed 2013- Petroleum train wreck- Lac Megantic, Quebec 47 killed 30 buildings destroyed

What about chemical security? Chemical theft Precursors for drugs Precursors for chemical weapons Dual-use chemicals Industrial chemicals Flammable/toxic gases Ammonium nitrate Chlorine Pesticides Plant sabotage Deaths, injuries Economic and environmental impact Abandoned Bhopal Plant Photo credit: AP/Saurabh Das

What are the threats to chemical security? Materials Unlimited access to facilities Chemical storage areas Analytical laboratories Waste storage Construction sites No controls or security checks on chemical procurement Shipping and receiving areas not protected Technical Expertise Recruit young chemists Tokyo subway Sarin attack

Threats to Cyber Security SCADA control software is widely used in industrial plants Security technology may not work on plant proprietary networks Attacks may result in: Loss of process control Loss of production Process safety incidents Examples: 2005-Zolob worm shuts down 13 Daimler Chrysler Plants SCADA systems that tie together decentralized facilities such as power, oil, and gas pipelines and water distribution and wastewater collection systems were designed to be open, robust, and easily operated and repaired, but not necessarily secure.[8] The move from proprietary technologies to more standardized and open solutions together with the increased number of connections between SCADA systems, office networks, and the Internet has made them more vulnerable to types of network attacks that are relatively common in computer security

How are chemical safety and chemical security related? Both Ensure Protection of: Workers Plant facilities Plant processes Community Environment Economy

Conflicts Between Chemical Safety and Security: Information Sharing Science generally means sharing information widely, but this may not always be advisable. Safety label everything so people recognize hazardous chemicals let community and especially emergency responders know what chemical dangers exist share knowledge about chemical hazards so people know to be alert Security labels help identify targets for theft or attack sharing locations of chemicals can publicize targets for theft or attack sharing knowledge of chemical hazards could inspire harmful behavior (copy-cat criminals) 18

Conflicts Between Chemical Safety and Security: Facility Exits Locking exit doors is secure, but not safe For safety, people need to be able to leave the facility quickly and by many routes For security, you want to control exits as well as entrances so chemicals (or equipment) are not taken. EXIT 19

Setting Priorities Facilties need to be safe, secure and productive policies and practices need to be flexible enough to allow for the uncertainties of research policies and practices need to align with local laws, regulations, practices and culture. Can’t just copy from somewhere else Use risk-based security and safety measures can’t afford to defend against every imaginable hazard identify threats, characterize facilities, identify alternatives, analyze costs vs. performance Be alert for suspicious activities or inquiries. 20

All Chemical Facilities Need to be Secured Small-scale research laboratories Many different chemicals used in small amounts Large-scale manufacturing plants Limited types of chemicals used in large amounts Security measures need to match facility and threat Can’t afford to defend against all imaginable threats. 21

Reflect and Consider What chemical safety and security practices and controls does your plant require? …Are they effective? …Could they be improved? …How?

Fundamentals of Chemical Management

Chemical Management Benefits Improves safety Employees Nearby community Improves security Theft Sabotage Facilitates plant sustainability Protects the environment

Cradle-To-Grave Life Cycle of Chemicals Control and accountability of chemicals at all times, from procurement to disposal as waste Chemical Use Waste Management Ordering/ Procurement Delivery/ Receipt Storage/ Inventory Recycling Legacy/ Waste Disposal

Key Principles: CSS Controls Involves all CSS controls Administrative Develop Chemical Safety and Security Policy and programs Implement Chemical Safety and Security Policy Procurement, Storage, Use, Disposal Procedures Operational Standard Operating Procedures Substitution (Using less dangerous chemical) Scale down (Procure and use a smaller amount of dangerous chemical) Engineering Isolate or enclose the process, hazardous material or worker

Chemical Procurement Institute a procurement approval system Written procedure Document who orders chemicals Document what chemicals require approval Who approves Link ordering to a product review system Engineering, Environmental Health & Safety, Facility & Fire Protection Staff Inventory Management Track “chemicals of concern” Product review by process engineer, ES&H SMEs, facilities staff, fire protection. Only one vendor allowed. P card system Require permission for other types of ordering Product review system document on the CD. Track chemicals of concern from ordering to disposal.

Chemical Storage Identify Hazards and Communicate Control Hazards Properties, Hazards, Reactivity Training, Employee Safety and Health Control Hazards Siting, Ignition Control, Chemical Compatibility, Natural Hazards Design and Construction Environmental Control, Fire Control, Materials of Construction Inspection, Testing, Maintenance Emergency Planning Security of tanks-Fenced or Surveillance-guards or electronic Tube trailers versus high capacity tanks Serious incidents involving vehicles impacting tanks or valve on tanks Photo credit: Bailiff Enterprises, Inc. Houston, Texas

Chemicals Storage Where are chemicals stored? Consider unusual storage sites Loading docks Outside locations Waste storage facility Chemicals contained in equipment Resource Guidelines for Safe Warehousing of Chemicals, Center for Chemical Process Safety, ISBN: 978-0-8169-0659-8

Commercial Inventory Systems Commercial systems typically include: Barcode Scanner Database Link to safety data sheets May also include: Link to chemical suppliers Report function Reportable chemicals Community Right-to-Know, air emissions, etc. Internal reports Internal reports on highly hazardous chemicals or those requiring security measures

Chemical Transportation Chemical transportation: In-plant, local, in-country, or international transport Chemical transportation is an essential element in the chemical supply chain Globalization has resulted in: Increased volume Increased speed Strain on transportation infrastructure C = Generally expressed in terms of fatality, injury, property damage, environmental damage or loss of company reputation V = Likelihood of an adversary success in causing the desired consequence T = Indication, circumstance, or event with the potential to cause loss of, or damage to, an asset at a specific location along the transportation route Also a function of Target Attractiveness

Video: Styrene Tanker Explosion in Bleve

Chemical Waste Management Understand the Law Administrative Controls Registration, certification, auditing, record keeping Operational Controls Minimization, substitution, recycling, packaging, labeling Ground and surface water controls, air controls Access control Training, safety, emergency response Recycle/reuse depends on specific process, especially scale.

Chemical Risk Management

Risk Basics Overview Hazard vs. Risk Definition of Risk Activity: Risk Perception Risk Characterization Risk Reduction

Risk Basics: Hazard vs. Risk There is a difference between hazard and risk Hazard Something that has the potential to do harm Is there a hazard in this picture? If so, what type? Is it a risk? If so, how much of a risk? Depends on the situation

Risk Basics: Hazard vs. Risk What is wrong? Overloaded circuit What are the possible scenarios? Blown fuse Electrical shock Fire What is the likelihood? Factors that lead to an event Plugged in, broken/frayed cords, near oily rags What are the consequences? Other factors and things that follow an event Voltage, fire alarms, evacuation Risk

Risk Basics: Definition Risk is a function of Probability that an incident will occur (likelihood) Severity if the event occurs (consequence) Risk = f (Likelihood, Consequence)

Activity: Risk Perception* Rank each action or technology according to your perception of its RISK A rank of 1 means riskiest • A rank of 15 means least risky Take about 10 minutes ___ Swimming ___ Traveling by commercial flight ___ X-rays ___ Nonnuclear electric power ___ Prescription antibiotics ___ Mountain climbing ___ Railroads ___ Nuclear power ___ Smoking ___ Pesticides ___ Motor vehicles ___ Alcoholic beverages ___ Police work ___ Spray cans ___ Bicycles * Adapted from Slovic et al. “Facts and Fears: Understanding Perceived Risk.” In R. C. Schwing and W. A. Albbers, Jr. (eds.) Societal Risk Assessment: How Safe is Safe Enough? New York: Plenum, 1980, 181-216.

Activity: Risk Perception College Students1 Nuclear power Smoking Pesticides Motor vehicles Alcoholic beverages Police work Spray cans Traveling by commercial flight X-rays Nonnuclear electric power Prescription antibiotics Mountain climbing Railroads Bicycles Swimming Experts2 Motor vehicles Smoking Alcoholic beverages X-rays Pesticides Nonnuclear electric power Swimming Bicycles Travelling by commercial flight Police work Railroads Nuclear power Prescription antibiotics Spray cans Mountain climbing 1 Thirty US college students participated in this study 2 A group of fifteen risk assessment professionals in the US

Risk Basics: Definition College Students Nuclear Power Smoking Motor Vehicles Experts

Activity: Risk Perception What do you think may have influenced your risk assessment besides your best guesses regarding likelihood and consequence? Emotional Risk Perception Factors (examples) Involuntary vs. Voluntary Immoral vs. Moral Unfamiliar vs. Familiar What should be the basis for your professional Risk Assessment of Chemical Safety and Security?

Risk Basics: Safety and Security Risk concept Applies to both Chemical Safety and Chemical Security Safety Incident Spill Accidental exposure Uncontrolled reaction Security Incident Theft or diversion of dual-use chemicals Intentional release Sabotage

Risk Basics: Reduction Types of Chemical Safety and Security Controls Administrative Operational Engineering PPE Decrease likelihood Decrease consequence Risk = f (Likelihood, Consequence)

Safety and Security Risk Characterization What are the benefits of characterizing risks? Can risks ever be reduced to zero? What does it take to reduce Chemical Safety and Security risk? Are resources for risk reduction limitless? Characterizing Chemical Safety and Security risks is a necessary step toward responsible and effective allocation of finite resources to reduce risk to acceptable levels Risk reduction measures should always be applied in a graded manner Large effort made to reduce high risks Smaller effort made to reduce low risks

Security Risk Characterization Low Assets are possibly targets for theft or diversion Consequences of loss or release are minimal Moderate Assets are attractive for theft or diversion due to monetary value or dual-use Consequences could threaten the public; misuse could be harmful or even lethal to a small number of people, and would certainly damage the institution, its programs, and reputation High Assets are very valuable or hard to acquire dual- use materials Consequences of misuse could result in harm or death to many people

Chemical Security Risk Assessment: Overview of the Process 1. Evaluate Threat Potential 2. Facility Characterization 3. Characterize Security Risks 4. Are Risks Acceptable? 5. Implement Additional Security Measures Yes No Proceed with work and 6. Follow up with periodic repeat of steps 1-5

Chemical Security Risk Assessment Evaluate threat potential Adversaries Motive Means Opportunity Outsiders—no authorized access Insiders—authorized access Collusion—between Outsiders and Insiders Actions Sabotage Theft

Chemical Security Risk Assessment Identify security hazards - Assets Information Equipment Expertise Dual-use materials Need a working inventory Need an understanding of dual-use materials Likelihood and Consequences of malicious use Ease or difficulty Quantity Location How they are used

Chemical Security Risk Assessment Characterize security risks Create and analyze scenarios Adversary Action Asset What are the factors affecting the likelihood of a security incident? Do you think the likelihood is low, moderate, or high? What are the factors affecting the consequences of a security incident? Do you think the consequences are low, moderate, or high?

Chemical Security Risk Assessment Characterize security risks On the basis of likelihood and consequence, are the security risks low, moderate, or high? Why?

Chemical Security Risk Assessment Characterize security risks Is it possible to analyze, protect against, or even think of every possible scenario? No So what should be done?

Chemical Security Risk Assessment Are risks acceptable? If you are accountable for the security of the assets, how do you establish an acceptable level of security risk? Are there national security standards? Are there other limits imposed by the institution? If you don’t know, how can you find out? What do you do if there are not established limits?

Chemical Security Risk Assessment Implement additional control measures where needed to reduce security risks to acceptable levels What controls are needed to reduce the security risks? Administrative Operational Engineering

Chemical Security Risk Assessment Follow up with periodic repeat of steps 1-5 Have scenarios changed? Could further improvements be made? How often should follow-up assessments be performed?

Chemical Security Risk Assessment: Overview of the Process 1. Evaluate Threat Potential 2. Facility Characterization 3. Characterize Security Risks 4. Are Risks Acceptable? Yes No Proceed with work and 6. Follow up with periodic repeat of steps 1-5 5. Implement Additional Security Measures

Conclusions Risk is a function of Likelihood and Consequence Applies to both Safety and Security Facilities need to be safe, secure, and productive Assessing and characterizing Chemical Safety and Security risks allows controls to be applied in a graded manner Larger efforts toward reducing high risks Smaller efforts toward reducing low risks

Chemicals-of-Concern, International Controls and Regulation

Module Overview: Chemicals of Concern Dual-Use-Chemicals and Precursor Chemicals Overview of International Chemical Management Efforts OPCW - Chemical Weapons Convention Australian Group REACH - Registration, Evaluation, Authorisation and Restriction of Chemicals Overview of US Chemical Security- (Chemical Facilities Anti-Terrorism Standard) CFATS Chemicals of Interest (COI)

Chemical dual-use awareness Dual use chemicals: Chemicals that can be used for both legal and illegal purposes. KMNo4 – disinfectant, H2O treatment, synthesis of saccharin (sugar), Fruit preservative (bananas) Paint Stripper – used to remove paint and cocaine purification Ammonium Nitrate – fertilizer and Bombs Pseudoephedrine – cold medication and Meth Phosgene – production of isocyanates then used to make polyurethanes and phosgene gas

Dual Use Chemicals Exist in Three Categories Drug precursors Chemical weapons and precursors (CW) Explosive precursors Category Chemical Beneficial Uses Illegal Use Drug Pseudoephedrine Medicine Methamphetamine CW Hydrogen Cyanide Mining, metal finishing Hydrogen cyanide poison Explosive Ammonium Nitrate Fertilizer, Mining Bomb

Dual-use chemicals: CW Precursors Dimethyl methyl phosphonate (DMMP) Flame retardant for: building materials, furnishings, transportation equipment, electrical industry, upholstery Nerve agent (GB and GD- CWC) precursor Thiodiglycol Dye carrier, ink solvent, lubricant, cosmetics, anti-arthritic drugs, plastics, stabilizers, antioxidants, photographic, copying, antistatic agent, epoxides, coatings, metal plating Mustard gas (Agent HD- CWC) precursor Arsenic Trichloride Catalyst in CFC manufacture, semiconductor precursor, intermediate for pharmaceuticals, insecticides Lewisite (Agent L - CWC) precursor Here are some less-obvious examples, taken from the CWC literature.

Chemical Security :Dual Use Chemicals-Cyanide Legitimate use Mining and metal plating industries Misuse Poison and precursor to HCN, a CW agent Popular with criminals and terrorists because it is relatively easy to obtain USA, 1982, cyanide added to Tylenol capsules Killed 7 people Led to tamper-proof packaging "Tylenol Crisis of 1982." Wikipedia, The Free Encyclopedia. 22 Nov 2007, 06:04 UTC. Wikimedia Foundation, Inc. 28 Nov 2007 <http://en.wikipedia.org/w/index.php?title=Tylenol_Crisis_of_1982&oldid=173056508>. Therence Koh/AFP/Getty Images

Chemical Security :Dual Use Chemicals – Ammonium Nitrate Legitimate use Agriculture ANFO ingredient (industrial explosive) Misuse ANFO ingredient (used maliciously) USA, 1995, bombing of federal building in Oklahoma City 168 killed, including 19 children, and almost 700 injured Timothy McVeigh, an antigovernment extremist Also used by other groups around the world http://www.fbi.gov/about-us/history/famous-cases/oklahoma-city-bombing

Chemical Security :Dual Use Chemicals - Chlorine Legitimate Use Manufacture of chlorine compounds 63% - organic chlorine compounds Examples: C2H4Cl2 and C2H3Cl – (PVC) 18% - inorganic chlorine compounds Examples: HCl, HOCl, AlCl3, SiCl4, PCl3 19% - bleaches and disinfection products Misuse Incidents in which chlorine gas cylinders are blown up with explosives Chlorine likely stolen/diverted from water purification plants or oil industry Civilians and non-combatants injured Chlorine first used in WWI as a chemical weapon C2H4Cl2 = 1,2-dichloromethane C2H3Cl = vinyl chloride HOCl = Hypochlorous Acid – bleach, deodorant, and disinfectant AlCl3 = Aluminium trichloride – most commonly used Lewis acid SiCl4 = Silicon tetrachloride – fused silica fibers PCl3 =Phosphorous trichloride – prcursor to herbicides, plasticisers, and flame retardants www.longwarjournal.org/archives/2007/03/al_qaedas_chlorine_w.php

Diversion of Industrial / Laboratory chemicals: Bali bombing Van bomb was made of: Potassium chlorate Aluminum powder Sulfur mixed with TNT (trinitrotoluene) 150 meters of detonating cord Electric detonators How were the chemicals obtained? Killed 202 people Bags of chemical ingredients for bombs were found in his workshop and soil samples taken from outside his home showed traces of the primary chemical used in the Sari Club bomb. Police found receipts for the purchase of chemicals used to make the bombs, as well as a list of expenses incurred in making the bombs. http://www.heraldsun.com.au/news/law-order/insight-editor-keith-moor-reconstructs-the-story-behind-the-2002-bali-bombing/story-fnat7jnn-1226489278700 He went to the Tidar Kima chemical shop of Silvester Tendean in Surabaya on September 18 and on September 23, buying chemicals weighing more than a tonne. "I went by myself to Surabaya and asked questions from shop to shop, asking for what I needed, and I ended up buying the chemicals at Tidar Kima,'' Amrozi said. He said he knew the owner of the shop as he had previously bought chemicals there in 2000 to send to the Indonesian island of Ambon to help Muslims who were battling Christians there. Although the chemicals bought by Amrozi were unrestricted, and as such did not need to be reported to police, Amrozi still insisted on his receipts being made out for chemicals other than those he bought. The meeting was told the chemicals were being mixed by hand by Sawad, Abdul Ghani Ali Imron, Umar Patek and others, and placed in the 48 drawers of 12 plastic filing cabinets. Those cabinets were to be bolted to the false floor of the L300, three wide and four deep. Another filing cabinet drawer, filled with TNT, would be placed next to them to act as a booster charge to ignite the main bomb. Photo: www.zgeek.com Chemicals were bought from a chemical supply house, but purchaser insisted on false receipt. Chemicals were not restricted at the time.

Overview of International and National Chemical Management

Overview of Global Trends In Chemical Management International Regulations and Conventions: OPCW CWC Australia Group Stockholm Convention Rotterdam Convention Basel Convention Montreal Protocol Strategic Approach to International Chemicals Management (SAICM) non-binding international agreement implemented by IOMC through WHO and UNEP GCC Common system for the Management of Hazardous Chemicals, 2002 EU Regulations: REACH and CLP (“Classification, Labelling and Packaging”) US Regulations: CFATS Toxic Substances Control Act (TSCA) China REACH and GHS India Hazardous Substances Rules (Draft 2011) South Africa Hazardous Chemical Substances Regulations (HCSR) 1995 South Korea, "K-REACH" (2015)

International Chemical Controls Chemical Weapons Convention (CWC) Governments The Australia Group Export Control UN Security Council Resolution 1540 Terrorists Seeking WMD REACH European Import Control Other agreements and standards Many are Environmental

International Chemical Controls: Chemical Weapons Convention CWC entered into force in April 1997 Today, 188 nations1 About 98% of the global population1 Bans CW Development, production, storage, and use Destroyed over 73% of existing stockpiles2 Defines CW according to the “General Purpose Criterion” All toxic chemicals and their precursors except those used for peaceful purposes Administered by the Organization for the Prohibition of Chemical Weapons (OPCW) Promote cooperation in peaceful chemistry 1 http://www.opcw.org/ 2 Refers to 52,048 of the declared 71,196 metric tonnes of chemical agent verifiably destroyed as of March 30, 2012. See http://www.opcw.org/

International Chemical Controls: Chemical Weapons Convention Reporting and Verification Schedule Description Treaty Obligations 1 Known CW agents and key precursors Few or no peaceful uses Pose high risk E.g., sarin, VX, ricin Small amounts allowed for research uses with permit Production and transfer must be declared to OPCW Routine inspections 2 Possible CW agents and precursors Small scale industrial use Declaration and inspections for amounts above threshold Transfer only to States Parties 3 Toxics, older CW agents and precursors Large scale industrial use Threshold is higher for declaration and inspections Random inspections DOC Discrete Organic Chemical Not specifically named Also subject to declaration and inspection, less strict

International Chemical Controls: The Australia Group Started in 1985 40 nations plus European Commission Supports CWC compliance Arrangement to prevent exports from being used for chem/bio weapons Harmonize export control Applies to exports of Chemical weapon agents and precursor chemicals Biological agents, pathogens Dual-use chem/bio manufacturing facilities, equipment, related technology, and software Includes a no-undercut policy Countries will not approve an export that another member country denied http://www.australiagroup.net/en/index.html

International Chemical Controls: UNSCR 1540 Passed April 2004 Binding obligation for UN member states Against proliferation of WMD, including CW Prohibit support to non-State actors seeking WMD Adopt and enforce effective laws to that end Take and enforce effective measures to control materials and funds Encourage international cooperation in nonproliferation http://www.un.org/sc/1540/

International Chemical Controls: REACH Registration, Evaluation, Authorization and Restriction of Chemicals Entered into force in June 2007 Replaces existing European regulations to create a single EU system Places greater responsibility on industry Provide documentation of chemical hazards Testing, classification, labeling, safety data sheets European Chemicals Agency (ECHA) http://ec.europa.eu/environment/chemicals/reach/reach_intro.htm

International Chemical Controls: Other Agreements and Standards Examples: Stockholm Convention Persistent Organic Pollutants (POPs) Basel Convention Hazardous waste Montreal Protocol Ozone-depleting chemicals International Organization for Standardization (ISO) American Society for Testing and Materials (ASTM) International International standards for chemical analyses, safety, etc. There are a number of treaties, regulations, agreements, and standards that apply to you and your work with chemicals

National Chemical Controls National laws enacted due to international chemical controls CWC, UNSCR 1540, etc. Other national regulations Health and safety of workers and environment Security of facilities National laws and regulations need to be accounted for in the Chemical Security Policies and Programs of a facility Which international chemical controls apply to your country? What laws or regulations concerning chemicals exist in your country?

Chemical Sector Size in the US SARA Title III Program EPA RMP CFATS ~5k ~15k The Chemical Sector-Specific Plan (SSP) covers all facilities within the Sector regardless of which, if any, regulatory program(s) to which they belong. Chemical Sector (# of Facilities) From - DHS Overview of the Chemical Sector-Specific Agency March 2011 ~550k

Chemical Facility Anti-terrorism Standard (CFATS) yes High Risk ? Security Vulnerability Analysis Top-Screen SVA no Site Security Plan Unregulated by CFATS U.S. Department of Homeland Security (DHS) Inspection

Top –Screen will give 4 Levels of Facility ---(Tier 1-4) Identifies security issues at facilities using chemicals of interest (COI) Specific security issues Release of toxic chemicals Theft or diversion-precursors to chemical weapons and improvised explosive devices, and toxic inhalation hazards Reactive chemicals and those stored in transportation containers https://ChemicalSecurityTraining.dhs.gov https://www.dhs.gov/how-appendix-chemicals-interest-was-developed

Security Vulnerability Assessment (SVA) Tier 1-3 facilities must use the Chemical Security Assessment Tool (CSAT) SVA application SVA approach has similar risk-based steps as Center for Chemical Process Safety (CCPS) Asset characterization Threat characterization Consequence analysis Vulnerability analysis Tier 4 facilities can use alternate security plans Results used for Site Security Plan (SSP) SVA letter sent http://www.aiche.org/ccps

Site Security Plan (SSP) All assets in Security Vulnerability Assessment (SVA) letter must be addressed Measures in place or planned to achieve compliance with the applicable Risk Based Performance Standards (RBPS) Site Security Plans (SSPs) will be reviewed and follow-up inspections may be conducted Facilities may use Alternative Security Plans as part of their SSPs

Risk-Based Performance Standards (RBPS) Risk-based standards which are flexible , and scalable – higher tiers require tougher standards SSP and inspectors assess how the facility meets the standards Restrict Area Perimeter Secure Site Assets Screen and Control Access Deter, Detect and Delay Shipping, Receipt & Storage Theft and Diversion Sabotage Cyber Response Monitoring Training Personnel Surety Elevated threats Specific threats, vulnerabilities, risks Reporting of significant security incidents Significant security incidents/suspicious acts Officials and organization Records Additional performance standards

CFATS Information Protection Chemical-terrorism Vulnerability Information (CVI) Information and training available on website CSAT helpdesk available for assistance CSAT disclaimer statement prior to beginning Top Screen CVI enforcement treated as classified information DHS has formally classified: Formulas, calculations, tiering thresholds Information which would help terrorist targeting May need to take CVI training in order to talk to people about chemical facility security.

Summary of Chemicals of Concern Dual Use Chemicals Overview of Global Trends In Chemical Management OPCW CWC Australian Group REACH Overview of U.S. Approaches to Chemical Security Chemical Security Control (U.S.- CFATS) Ranking Risk by Tier, Security Vulnerability Assessment, Site Security Plans Discussion

Overview of Voluntary Chemical Management Best Practices

Abbreviations for Voluntary Security Efforts American Chemistry Council ACC International Council of Chemical Associations ICCA Society of Chemical Manufacturers and Affiliates SOCMA National Association of Chemical Distributors NACD Center for Chemical Process Safety CCPS Environment, Health, Safety and Security EHS&S Voluntary Chemical Assessment Tool VCAT

Responsible Care Security Code 13 management practices Facility, cyber and transportation/value chain security. Companies must conduct security vulnerability assessments (SVAs) Implement security enhancements under a strict timeline Independent verification to prove they have made required physical site security measures from SVA http://www.icca-chem.org/en/Home/Responsible-care/ http://responsiblecare.americanchemistry.com/Responsible-Care-Program-Elements

Responsible Care Security Code 1. Leadership Commitment. 2. Analysis of Threats, Vulnerabilities and Consequences. 3. Implementation of Security Measures. 4. Information and Cyber-Security. 5. Documentation. 6. Training, Drills and Guidance. 7. Communications, Dialogue and Information Exchange. 8. Response to Security Threats. 9. Response to Security Incidents. 10. Audits. 11. Third-Party Verification. 12. Management of Change. 13. Continuous Improvement.

GPCA Management Codes Management Code Document Number Community Awareness and Emergency Response (CAER) GPCA-RC-C01 Distribution GPCA-RC-C02 Product Stewardship GPCA-RC-C03 Security GPCA-RC-C04 Health & Safety GPCA-RC-C05 Process Safety GPCA-RC-C06 Environmental Protection GPCA-RC-C07 http://gpca.org.ae/rc/

ChemStewards - Security Members must Participate in CFATS if required. If not they should perform a SOCMA Security Vulnerability Assessment or Department of Homeland Security (DHS) VCAT Identification of Counter Measures Verification of Counter Measures [Only if under EPA’s Risk Management Program (RMP)] Using Outside Local Agency Expected that the facility has a Site Security Plan [SSP] http://www.socma.com/chemstewards/

National Association of Chemical Distributors (NACD) Security Code Develop security programs that address security of the member’s facility and the transportation of chemicals. Scrutinize for-hire motor carriers using selection criteria that includes a carrier’s ability to secure chemicals in transportation, including defense against diversion, theft, or hijacking. Qualify customers purchasing chemicals as prescribed by government regulations and Verify implementation of security measures by an independent third-party verification firm. Sept 25, 2013. DMV guards, proxy test-takers arrested in New York driver’s license scam Corrupt test-takers paid $2,000 to $2,500 for the easy road to getting licensed to operate school buses, big rigs and heavy equipment. Guards in on the plot allowed wannabe license-holders to leave testing rooms and have surrogate test-takers look up exam answers. Three DMV security guards and eight associates were busted Wednesday for allegedly helping cheaters obtain commercial driver’s licenses using an elaborate scheme that included surrogate test-takers and answers etched into pencils in secret code. Authorities said the corrupt test-takers paid $2,000 to $2,500 for the easy road to getting licensed to operate school buses, big rigs and heavy equipment. The head honcho of the hoodwink appears to be Akmal Narzikulov, according to the 38-page complaint unsealed Wednesday. He identified himself as an ambulance company worker. http://www.nacd.com/

National Association of Chemical Distributors (NACD) Security Code The 13 elements of the NACD Security Code* are identical to those of the Responsible Care Security Code *NACD Responsible Distribution Code of Management Practice 5th Cycle , (January 1, 2014- December, 2016) http://www.nacd.com/rd/rdpcode.aspx

Comparison of Voluntary Systems* SOCMA RCC NACD ISO14001 Scope EHS&S Environment Basis Facility Headquarters and Facility Company Audit 3rd Party System Documentation Element Checklist Technical Specification Code of Management Practice Security Support Materials SVA Manual Technical Specifications Manual SVA Methods Not Applicable * Source : ChemStewards White Paper http://www.socma.com/chemstewards/

Other International Associations European Association of Chemical Distributors (FECC) http://www.fecc.org/fecc/ European Petrochemical Association (EPCA) http://www.epca.eu/ International Council of Chemical Trade Associations (ICCTA) http://www.iccta.org/ Canadian Association of Chemical Distributors (l'Association Canadienne des Distributeurs de Produits Chimiques) – CACD http://www.cacd.ca/ Center for Chemical Process Safety (CCPS) http://www.aiche.org/ccps

Center for Chemical Process Safety (CCPS) Not-for-profit, corporate membership organization within AIChE that identifies and addresses process safety needs within the chemical, pharmaceutical, and petroleum industries Project range from: Human factor issues Risk analysis Security vulnerability Design Safety Transportation Safety 1st CCPS Middle East regional meeting on 7th Oct. 2013 in Dubai

Break

The Chemical Distribution System -Supply Chain

Module Overview: Chemical Distribution System Overview of Supply Chain Distributor Responsibilities Distributors Network and Resources Chemical Distribution: Laws and Regulations Summary, Conclusions, and Evaluations

Supply Chain: Basics Three main Parts: Chemical Manufactures Downstream Users Chemical Distributors Company/Industry Customers End Users Can be simple or complex process (each part can have multiple steps in the supply chain)

Example: Simple Chemical Supply Chain 2) Downstream Users 1) Chemical Manufactures Chemical Distributors Industry Customers Repackaging New Product Distribution 3) End Users Distribution to End User

Example: Complex Supply Chain Multiple/varied downstream users Chemical Manufacturer http://www.fda.gov/Drugs/DrugSafety/DrugShortages/ucm277626.htm

Risk Basics: Definition Risk in the chemical supply chain are dependent upon: Incident Probability Consequences

Chemical Distribution System Definition: The system for chemical distribution to the end user Chemical distributors are a key link in the chemical supply chain Distributors Main Roles in the supply chain: Local Expertise Sales and Marketing Repackaging

Distributor Responsibilities Resell chemicals safely and securely on behalf of the manufactures Health, safety, environmental, and security information Local bulk storage Large and small containers Repackaging capabilities Continuous shipments/deliveries Large and small Specialty blending/mixtures to meet customer needs

Responsible Distribution Security Cargo/Chemical Security: Physical storage and Transportation (en route) vulnerabilities Protect again theft and diversion by selecting carriers who demonstrate ability to secure cargo Product Stewardship Security: System to qualify customers

Chemical Distribution: Security Measures Constantly evaluate security measures and enhancing security of the facility 24-hour guard service Perimeter: concrete barriers, fences, trenches, lighting Detection: surveillance cameras, security alarms, intruder detectors, tamper indicators Limited facility access Cargo GPS tracking Employee security training Security audits and inspections

Distributors Network and Resources North America and EU have local networks to help inform and train downstream users Help provide guidance for successful of the requirements of the REACH and CLP Regulations Provide guidance for a framework for health, safety, environmental, and security aspects of handling, storing, and delivering chemicals Some associations and networks are specific to industry type: Pharmaceutical/medical, Petrochemical, Agricultural

CHEMCATS – Chemical Suppliers “Chemical Catalogs Online”, produced by CAS Database containing information about commercially available chemicals and their worldwide suppliers. More than 68 million commercially-available products More than 885 suppliers Links with SciFinder for Pricing and Availability Only stock chemical available for general sale is acceptable for listing No on-demand synthesis or non-chemical items (supplies, kits, animal tissue)

http://www.chemtrec.com/ Around-the-clock communications center Immediate access to thousands of chemical product specialists and hazardous materials experts A telecommunications system for virtual emergency response team, links on-scene responders with chemical experts, transportation companies, and medical experts An electronic library of over 5 million Safety Data Sheets (SDS); Access to advice from medical experts and toxicologists for emergency medical treatment assistance. Interpretation for more than 180 languages http://www.chemtrec.com/

TRANSCAER® Voluntary effort in USA that helps communities prepare and respond to hazardous material transportation incident. Planning Training Drills Hazmat safety training along railway National conferences State coordinators http://www.transcaer.com TRANSportation Community Awareness and Emergency Response

CHEMLIST® Database “Regulated Chemicals Listing”, produced by CAS Chemical substances that are regulated in key markets across the globe Identifying-in one place-the regulatory requirements for a specific substance from many of the world's most significant regulated substances lists http://www.cas.org/content/regulated-chemicals

Chemical Distribution: Laws and Regulations International (EU, UN, and EC) and Country Specific Import/Export Transportation Chemical Safety Information (labeling/packaging) Ultimate goal: Safety and Security for people, community, government, and the environment

How GHS impacts countries without existing regulations Many challenges exist with implementation of a national GHS action plan What is the appropriate legal framework for adopting/implementing the GHS? What government agencies should be involved? Are there ministries/agencies ready to implement and maintain the GHS? How will stakeholder cooperation and support for implementing the GHS be managed? UNITAR and ILO (under the guidance of UN GHS Sub-Committee) to develop technical assistance to write new regulations using the GHS elements. pilot implementations have begun in a few countries 2.6 How will the GHS impact countries without existing regulations? Developing and maintaining a classification and labelling system is not a simple task. The GHS can be used as a tool for developing national regulations. It is expected that countries that do not have systems will adopt GHS as their basic scheme. The GHS provides the building blocks from which countries can construct chemical safety programs. Although the GHS will facilitate the process, many challenges exist in creating new regulations. For example: What is the appropriate legal framework for adopting/implementing the GHS? What government agencies should be involved? Are there ministries/agencies ready to implement and maintain the GHS? How will stakeholder cooperation and support for implementing the GHS be managed? Work has begun in international organizations (e.g, UNITAR and ILO) under the guidance of the UN GHS Sub-Committee, to develop technical assistance for developing countries to write new regulations using the GHS elements. Guidance has been developed on how to implement a national GHS action plan. Additionally, pilot implementations have begun in a few countries. The opportunities and challenges learned from the pilot programs will be documented and are expected to facilitate future implementations.

Open Discussion Who are your country or local distributors? Do you have a network for distributors? What security or quality control standards are in place for Saudi chemical distributors? How do you assess the integrity of your supply chain?

Workshop: DAY 1 Welcome, Introductions, Overview, Organization and Objectives Chemical Risk Management for Industry and the Chemical Supply Chain Overview of Chemical Risk Management Tracking Chemicals-of-Concern, Dual-Use-Chemicals and Precursors Chemicals Dual-Use chemical tracking from the Perspective of the Organization for the Prohibition of Chemical Weapons Regulatory Options for Tracking and Controlling Chemicals of Concern The Chemical Distribution System and Its Focus on Supply Chain Overview of international Responsible Care best practices, including ACC and CCPS Chemical Management for Small to Medium Industry: Perspective/ Problems TBD, Company Discussion: Chemical Management for Small to Medium Industry Facilitated discussion groups

Tahir Jamal Qadir, Director of Responsible Care GPCA Management Codes Tahir Jamal Qadir, Director of Responsible Care

GPCA Management Codes Management Code Document Number Community Awareness and Emergency Response (CAER) GPCA-RC-C01 Distribution GPCA-RC-C02 Product Stewardship GPCA-RC-C03 Security GPCA-RC-C04 Health & Safety GPCA-RC-C05 Process Safety GPCA-RC-C06 Environmental Protection GPCA-RC-C07 http://gpca.org.ae/rc/

Chemical Management for Small to Medium Industry: Perspective/ Problems Representative TBD

Small to Medium Enterprises Tend to be: excluded from regulation included gradually subject to self-regulation This creates gaps in national chemical management

Discussion

Discussion: Chemical Management for Small to Medium Industry Key difficulties Possible solution Mentorship program with successful companies Interest How to approach Next steps

Day 2

Workshop Day 2 Principles of Security Safe and Secure Transportation Overview and objective of security Importance of performance-based security Identification of Security Threat: Insider vs. Outsider Personnel Assurance and Security Safe and Secure Transportation Overview of transportation basics – packaging, international to local travel considerations, safety and security best practices Emergency Management and Response Security Vulnerability Analysis for Chemical Facilities Overview and discussion of SVA for small to medium industry CCPS guidance Introduction to ChemSAM Aspects of IT Security Overview of Cyber security, Cyber vulnerabilities, and Solutions IT Access Control SCADA – control systems

Principles of Security SAND No. 2012-1606C Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

Objective Overview and objective of security Describe the four principles of security Importance of performance- based security Identification of Security Threat: Insider vs. Outsider Personnel Assurance and Security

Security Definition and Objective Security intends to prevent intentional acts which could result in unacceptable consequences Death/Severe Injury Chemical contamination People Environment Political Instability Economic Loss Industrial capacity loss Negative public psychological effect Adverse media coverage

All Chemical Facilities Need to be Secured Small-scale research laboratories Many different chemicals used in small amounts Large-scale manufacturing plants Limited types of chemicals used in large amounts Security measures need to match facility and threat Can’t afford to defend against all imaginable threats. 127

Principles of Physical Security General Principles followed to help ensure effective, appropriate security Defense in Depth Balanced Security Integrated Security Managed Risk

Principle 1: Defense in Depth Layers Physical Administrative and Programmatic Deterrence Program Pre-Event Intelligence Personnel Reliability Physical Security Mitigation of Consequences

Principle 2: Balanced Protection Physical Layers Adversary Scenarios Adversary paths (physical) Protected Area Controlled Room Controlled Building Target Enclosure Path 1 Path 2 A security system is only as good as the least secure adversary path

Principle 2: Balanced Protection Each Path is composed on many protection elements Walls, fences, sensors, cameras, access controls, etc… Protection elements each possess delay and detection components For example: Fence delays adversaries 20 seconds, and provides 50% likelihood that adversary is detected Wall delays adversary 120 seconds and provides a 10% likelihood of detection Guard delays adversary 20 seconds and provides a 30% likelihood of detection Balanced protection objective: for every possible adversary path cumulative detection and delay encountered along path will be the similar regardless of adversary path NO WEAK PATH

Principle 3: System Integration Detection alerts Response Access Delay slows the adversary to provide time for Response Response prevents the consequence

Principle 3: System Integration Contribution to security system of each can be reduced to its contribution to: Detection of adversary or malevolent event Delay of adversary Response to adversary Integrated security evaluates composite contribution of all components to these three elements Assures that overall detection is sufficient and precedes delay Assures that adversary delay time exceeds expected response time Assures that response capability is greater than expected adversary

Principle 4: Managed Risk How much Security is enough ??? Cost of Security Benefit of Security Decision based on risk assessment and performance evaluation of security system

Principle 4: Managed Risk Benefits of Security is Reduced Risk Recall: Risk Risk = Consequence Severity * Probability of Consequence Probability of Consequence Occurrence  Frequency of attempted event X Probability of successful attempt Probability of successful attempt is 1 - Probability of security system effectiveness

Principle 4: Managed Risk Cost of Security Risk 0.0 1.0 The benefit (risk reduction) increases with increased security investment (cost) However, there is a point where the increased benefit does not justify the increased cost

Higher-integrity security measures need careful design and implementation *PIDAS: Perimeter Intrusion Detection and Assessment System PIDAS* Professional response force Technology and/or Cost On-site guards Sensors - cameras Fences - access control Staff security awareness Threat understanding

Components of Security Administrative and Operational Security Awareness Trained human resources Engineering controls Electronic Physical Administrative Operational Engineering Chemical Security

Administrative and Operational Security Examples Procurement process Deter unauthorized purchase and diversion of chemicals Inventory management Detect theft of chemicals Personnel management Trusted, trained, legitimate Security Policies, Programs, Training, and Security Awareness

Security Awareness Changes to work area Suspicious behavior Hole in fence Suspicious packages Inventory discrepancy Door unlocked Suspicious behavior Testing security – walking into, wait for discovery Mapping, loitering, staging vehicles Taking pictures of security system Looking in dumpster Asking for user name over the phone or by email Asking about facility layout, workers names, schedules Security awareness is the first step to making your facility safe from malevolent acts Source: DHS Chemical Security Awareness Training

YOU are the first responder Security Awareness Security requires attention, even to small things Missing badge Leaving workstation unsecured Fire alarm Leaving sensitive document Bypassing security Know what to do and who to call Report anything unusual YOU are the first responder Source: DHS Chemical Security Awareness Training

Trained Human Resources Can be for detection only Unarmed Can be for detection, delay, and response Armed Hiring guards increases the number of insiders

Engineering controls: Electronics Electronic Security Measures Cameras and monitoring stations Lighting Alarm systems Access control Keypads, card swipes, or biometric access controls

Engineering controls: Physical Physical Security Measures Locks Walls Doors Fences Other barriers

Types of Security Measures Which security measures work for which threats? Outsider Theft Diversion Sabotage Insider Rogue work Insiders in collusion with outside groups Outsider Physical security Administrative and operational security Insider Inventory management Control and accountability Personnel management Background checks Adequate security will only be achieved through combination and integration of security measures

Objectives Overview and objective of security Describe the four principles of security Importance of performance-based security Identification of Security Threat: Insider vs. Outsider Personnel Assurance and Security

Performance-Based Security Requirements Driven Engineering Principles used for Security What are requirements for system? What are constraints of system? Like any engineered system, security is developed following an engineering approach where constraints and requirements are optimized. Constraints might include operational conditions, cost, etc. Requirements might include loads, frequencies, lifetime, etc

Requirements-Driven Security Design Constraints Understand Operational Conditions Design Requirements Consequences to be prevented Identify Targets to be protected Define Threats against which targets will be protected

Target Identification What are possible sources of unacceptable consequences? Dispersal Identify areas to protect Theft Identify material to protect Next, we need to understand something about the assets that are being protected. Targets are usually identified based on the consequence of their loss and on the adversary goal. Certain assets may be sabotage targets, while others may be theft targets. Occasionally, a target will seem to be both (perhaps a chemical agent is stolen from a research facility and then released at a shopping mall). In this course, a theft event is considered removing the asset from the controlled area, and sabotage is doing something with the asset at the facility or somewhere lese. If looking at sabotage targets then you must identify the vital areas where sabotage may be caused by an adversary. If theft is the goal, you must identify the location of material or information. It is also important to note that once a piece of information has been identified as critical, it must be protected in all forms—paper, electronic, in the brain, etc. If all forms are not protected equally, the target is vulnerable.

Target Identification Characterize Types of Targets Form Storage manner and location Flow of chemicals Vulnerability of Chemicals Flammable Explosive Caustic Just going to give a brief overview here. There is a lot of work that has been done. Most of it is probably too complicated for an academic environment, but some of the ideas should be useful. Criticality / Effect Access / Vulnerability Recoverability / Redundancy Vulnerability

The Physical Protection System Must Have a Basis for Design Threat Assessment: An evaluation of the threats- based on available intelligence, law enforcement, and open source information that describes the motivations, intentions, and capabilities of these threats Design Basis Threat: A policy document used to establish performance criteria for a physical protection system (PPS). It is based on the results of threat assessments as well as other policy considerations

Design Basis Threat A Design Basis Threat (DBT) is a formalized approach to develop a threat-based design criteria DBT consists of the attributes and characteristics of potential adversaries. These attributes and characteristics are used as criteria to develop a customized security system design. The DBT is typically defined at a national level for a State. At the facility level, also: Consider local threats Local criminals, terrorists, protestors Consider insider threats Employees and others with access

Security and Risk How do security measures decrease risk? Decrease likelihood or consequence? Deter from happening Stop if happening Detect a potential problem And assess whether false alarm or real threat Delay the criminal activity Respond to the problem

Detect Adversary Technology Supporting elements Intrusion Detection Entry Control Contraband Detection Unauthorized Action Detection Supporting elements Alarm Assessment Alarm Communication Alarm Annunciation

Delay Adversary Delay Definition : The element of a physical protection system designed to slow an adversary after they have been detected by use of Walls, fences Activated delays-foams, smoke, entanglement Responders Delay is effective only after there is first sensing that initiates a response

Respond to Adversary Guard and Response Forces Guards: A person who is entrusted with responsibility for patrolling, monitoring, assessing, escorting individuals or transport, controlling access. Can be armed or unarmed. Response forces: Persons, on-site or off-site who are armed and appropriately equipped and trained to counter an attempted theft or an act of sabotage. Guards can sometimes perform as initial responders as well (both guards and response force) 156

Summary Security systems should attempt to prevent, but be prepared to defeat an intentional malevolent act that could result in unacceptable consequences at a chemical facility Security awareness is an essential element An effective system depends on an appropriate integration of: Detect Delay Respond Threat definition is a very important part of the process. Some say it is the most important part of the process, because if you do not know who you are protecting against, how can you design a protection system? Be sure to note that security systems are designed against malevolent human threats. Security systems do not protect against acts of God, nature, or accidents. These events fall more into abnormal conditions or the safety environment. You can imagine that perhaps the most difficult combination to defend against is Collusion between an insider and violent outsider. An insider can be passive (give information) or active (open doors) or violent (shoot plant guards), and if this is accomplished in conjunction with an outsider, the facility could be very vulnerable.

Objectives Overview and objective of security Describe the four principles of security Importance of performance-based security Identification of Security Threat: Insider vs. Outsider Personnel Assurance and Security

Define the Threats In physical security: Knowing adversary permits customizing security to maximize effectiveness As adversary not known, develop hypothetical adversary to customize security Hypothetical adversary description should be influenced by actual threat data

Introduction Companies are accustomed to protecting their valuable information assets from outside attack. In reality, insiders commit more fraud and compliance violations than anyone else. Ponemon Institute Survey, September 2011 found that an insider fraud happens once a week in the typical organization

Threat Definition Threat classes: Outsiders—no authorized access Insiders—authorized access Collusion—between Outsiders and Insiders 161

Definitions Insider Outsider Insiders might include: Any individual with authorized access to chemical facilities or transport who might attempt unauthorized removal or sabotage, or who could aid outsiders to do so Insiders might include: Management Regular employees Security personnel Service providers Visitors Inspectors Past employees Others? Outsider An unauthorized entity from outside the domain perimeter that has the potential to harm an Information System through destruction, disclosure, modification of data, and/or denial of service Outsiders might include: Hackers Organized crime groups Government entities Environmental events (weather and earthquake)

Insider Threat Profile Motivation Work quietly and steadily, often for weeks or months at a time, without detection Profile They are longtime employees. They work in nontechnical positions. They have authorized access to internal systems. They have unblemished employee records. They use legitimate computer commands to commit fraud. They commit fraud primarily during business hours. Motivation Revenge Dissatisfaction Financial gain Source: Survey conducted by the US Secret Service National Threat Assessment Center and the CERT Coordination Center of the Carnegie Mellon University's Software Engineering Institute, 2005

Best Practices for the Prevention and Detection of Insider Threats Proactive technical measures need to be instituted and maintained Implement system change controls Implement secure backup and recovery processes Good management practices Anticipate and manage negative workplace issues Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process Log, monitor, and audit employee online actions Deactivate computer access following termination Legal and contractual implications Balance trusting employees and providing access to achieve the organization’s mission, and protecting its assets from potential compromise by those same employees Enforce separation of duties and least privilege Clearly document and consistently enforce policies and controls Implement strict password and account management policies and practices Develop an insider incident response plan Consider threats from insiders and business partners in enterprise-wide risk assessments. Ref: Common Sense Guide to Prevention and Detection of Insider Threats 3rd Edition – Version 3.1, CERT January 2009

Objectives Overview and objective of security Describe the four principles of security Importance of performance-based security Identification of Security Threat: Insider vs. Outsider Personnel Assurance and Security

Personnel Reliability Part of the Chemical Security Program that provides important security against insider threats Should be appropriate for the risk level What factors affect the risk from insider threats?

Personnel Reliability New employee background checks Identity Previous employment Criminal record Mechanism for reporting suspicious or unusual behavior or circumstances Elicitation Surveillance Procurement of unnecessary or unapproved chemicals or equipment Insistence on only working alone and outside normal hours Chemicals missing from inventory Disgruntled Personnel Employees, ex-workers, students

Exclude Potential Adversary Filter potential insiders entering the system Pre-employment: Application process Background checks Financial obligations Work history Other? Detection (identification) and response (not hiring) can be achieved by the above measures Deterrence is also achieved

Remove Potential Adversary: Define Undesirable Behaviors Based on your society, you may define undesirable behaviors as: Criminal behavior Financial instability Substance abuse Psychological instability Ideology Others? Who defines these? Management State Need to be consistent across the state or complex. Insider Protection Training Course

Why Check These Things? Malevolent potential may be indicated by criminal history Financial affairs will provide some indication of stability as well as potential susceptibility to extortion Work history can reveal tendencies to anger, reliability, mental competency, honesty, etc. References may reveal information not provided on the application Don’t limit interviews to only references the applicant provides Note: established criteria will remove many potential employees before activity on-site commences, and can serve as cause to terminate employment later on

Application Process Example Make background check requirements well known to the public Include a medical examination and substance abuse testing as requirements Assure that application asks for all information needed to evaluate applicants behavior Financial instability Substance abuse Psychological instability Criminal activity

Background Checks There are several levels of checks that are used in various environments – graded approach Just the application form and an interview A search of national records Criminal Credit A cursory follow-up of the information on the application A rigorous follow-up of activity of last several years Interview references Investigate financial affairs Interview previous employers and colleagues Add some examples. Insider Protection Training Course

Personnel Reliability Conclusions People with access to chemicals, information, other assets, especially highly toxic, or dual-use materials should be limited to those that are Trusted Trained Have a legitimate need

Open Discussion Did you learn anything new from this module? Definitions or Terminology Performance-based vs. Requirements-driven What types of Security Measures do you use? What types of Personnel Reliability do you use?

Workshop Day 2 Principles of Security Safe and Secure Transportation Overview and objective of security Importance of performance-based security Identification of Security Threat: Insider vs. Outsider Personnel Assurance and Security Safe and Secure Transportation Overview of transportation basics – packaging, international to local travel considerations, safety and security best practices Emergency Management and Response Security Vulnerability Analysis for Chemical Facilities Overview and discussion of SVA for small to medium industry CCPS guidance Introduction to ChemSAM Aspects of IT Security Overview of Cyber security, Cyber vulnerabilities, and Solutions IT Access Control SCADA – control systems

Safe and Secure Transportation

Introduction What makes transportation security different? Inside facility Outside facility What are the biggest concerns? Adversary controls the environment Detection by the driver

Chemical Transportation Security Risks In-plant threat Sabotage shipments Intentional release Theft In-transit threats Hijacking Theft of materials Sabotage Attacks on pipelines http://www.phmsa.dot.gov/hazmat/security Carlsbad, New Mexico and San Bruno incident was accidental, but pipelines are vulnerable. Photo credit: NTSB Pipeline New Mexico, USA

CCPS Transportation Risk Management (TRM) The CCPS TRM process includes the following elements: Primary Management System Identification and prioritization of hazards Risk Analysis Risk Reduction Program Sustainability

Transportation Risk Management Due to the complexity of many supply chains, transportation risk management is a shared responsibility Roles and responsibilities may differ for each stakeholder Individual activities and actions can impact the risk to the overall chemical supply chain Hazardous material transportation is a comprehensive system of activities that involves numerous stakeholders. Service providers and managersTransportation managers Safety professionals Risk professionals Government regulators Insurers Industry associations Shippers Chemical manufacturing companies Chemical distributors Carriers Business managers Evaluating the chemical transportation should address the entire supply chain of a commodity: Delivery and handling of raw materials Through the offloading of finished products

Transportation Risk Management Primary Management System Primary Management Systems Management systems should adhere to regulations and accepted international transportation standards. UN Model Regulations http://www.unece.org/trans/danger/publi/unrec/12_e.h tml International Maritime Organization (IMDG Code) http://www.imdgsupport.com/ International Air Transport Association (IATA) Dangerous Goods Regulation, 52nd Ed. C = Generally expressed in terms of fatality, injury, property damage, environmental damage or loss of company reputation V = Likelihood of an adversary success in causing the desired consequence T = Indication, circumstance, or event with the potential to cause loss of, or damage to, an asset at a specific location along the transportation route Also a function of Target Attractiveness

Transportation Risk Management Primary Management System A Primary Management System Should Also Include: Management Commitment “Risk Reduction Culture” Policies, procedures & practices Emergency preparedness & response procedures Incident reporting system Management of change Periodic auditing of the system

Transportation Risk Management Model Transportation risk management follows a general risk management model Identify and prioritize the transportation safety and security hazards for your facility Risk Analysis: Estimate the level of risk for each scenario Risk = f(scenario, consequence, likelihood) Risk Evaluation: decide on the level of risk reduction Risk Reduction: Apply mitigation (controls) to reduce the risk to the appropriate level Examine the entire chemical supply chain

Transportation Risk Management Analyze Potential Risks External events Collisions, crashes, accidents Collisions-road, rail Cargo shift-road, air Derailment-rail Crash-air External impact-pipeline Internal Events Release or spill due to equipment or containment failure Example: equipment or containment failure Consider all that could go wrong, potential causes and the consequences Photos: US National Transportation Safety Board

Transportation Risk Management Analyze Potential Risks Potential “Event” Causes Human factors Equipment defects Corrosion Overpressure Overfilling Improper packaging Vehicle impact Transportation infrastructure Driver has sleep apnea. Outdated highway design-narrow shoulder on overpass. The tanker approached an overpass (bridge) to Interstate 95 (I-95), it departed from the right traffic lane and went onto the adjacent lane. Collided with and mounted these roadside barriers before falling 30 feet over the bridge rail and onto the northbound traffic lanes and median of I-95. The vehicle’s speed prior to the accident most likely did not exceed 49 mph based on physical evidence and postaccident tests. Photo: US National Transportation Safety Board

Transportation Risk Management Analyze Safety Risk Risk = f(scenario, consequence, likelihood) Fatalities/injuries Property damage Environmental damage Business impact/fines Negative media Distribution system disrupted Likelihood Expected probability and frequency CCPS Guidelines gives likelihood estimates for: Pipelines Rail Trucks Barges Ocean-going vessels Intermodal transport

Analyze Safety Risk Qualitative Methodology Chemicals Hazards Potential Impacts Risk Ranking Chlorine Toxic gas Exposure to people along route High Ethylene Oxide Toxic, flammable gas Potential toxic exposure, vapor cloud, fire Mineral Acids Corrosive Potential Environmental impact Medium Acrylonitrile Flammable liquid Potential explosion and fire CCPS (2008). Guidelines for Chemical Transportation Safety, Security, and Risk Management

Transportation Risk Management Risk Reduction Address highest priority safety hazards first Written procedures Personnel training Hazard communication Packaging Spill containment Equipment inspection Personnel protection (PPE) Emergency response and reporting Packaging Container within container On-site transport Temperature control requirements Segregate chemically incompatible substances

Transportation Risk Management Risk Reduction UN Standard Packaging Outer packaging Container within a container Closure requirements Specific requirements depend on material and other factors US Department of Transportation. http://www.dot.gov/

Transportation Risk Management Risk Reduction Emergency Response Guidebook (ERG) Interactive internet version: http://wwwapps.tc.gc.ca/saf-sec-sur/3/erg-gmu/erg/ergmenu.aspx Developed jointly by: US DOT, Transport Canada, Secretariat of Communications and Transportation Mexico For first responders to transportation incident Guide to quickly identify material classification Protect initial responders and public Copy is in your CD

Transportation Risk Management Risk Reduction Hazard Communication Safety data sheets Shipping papers Labeling Placarding Documentation Safety Data Sheets Shipping order Bill of lading Manifest Full shipper, receiver addresses Packing and labeling certification Verification of receipt

US Federal Motor Carrier Safety Regulations The US FMCSA regulates: Driver qualifications Years of service Equipment standards Driving and parking rules Alcohol and controlled substances Financial responsibility Operational requirements HAZMAT training required for: Personnel who prepare, load/unload, or transport hazardous materials.

Who requires training? Managers Packers Handlers Loaders Drivers All shipping and receiving personnel Mailroom personnel 193

Transportation Risk Management Security Risks Initiating event is a direct attack Incident magnitude is greater Release size larger Effect on larger population or greater environmental damage Security Risk = f(C, V, T) C = consequence V = vulnerability T = threat C = Generally expressed in terms of fatality, injury, property damage, environmental damage or loss of company reputation V = Likelihood of an adversary success in causing the desired consequence T = Indication, circumstance, or event with the potential to cause loss of, or damage to, an asset at a specific location along the transportation route Also a function of Target Attractiveness

Chemical Transportation Security Risks In-plant threat Sabotage shipments Intentional release Theft In-transit threats Hijacking Theft of materials Sabotage Attacks on pipelines http://www.phmsa.dot.gov/hazmat/security

Transportation risk management: Security risks Security Risk = f(consequence, vulnerability, threat) Is similar to safety risks Safety Risk = f(scenario, consequence, likelihood) C = Generally expressed in terms of fatality, injury, property damage, environmental damage or loss of company reputation V = Likelihood of an adversary success in causing the desired consequence T = Indication, circumstance, or event with the potential to cause loss of, or damage to, an asset at a specific location along the transportation route Also a function of Target Attractiveness For security risks the initiating event is a direct attack. The magnitude of the incident could be greater. Larger releases of hazardous material are possible, Populations would be most likely the target.

Transportation Security Vulnerability Analysis CCPS (2008). Guidelines for Chemical Transportation Safety, Security, and Risk Management

Transportation Security Risk Management Risk Reduction Plant Security Include internal transfers in plant security plan Limit access to facilities and shipping information Secure transportation equipment Keep an inventory of hazardous materials Use tamper resistant seals Personnel Security Background checks Identification cards or badges

Transportation Security Risk Management Risk Reduction In transit security threats Vehicle travels on unprotected public roads, rail or sea Surroundings are constantly changing Sabotage or theft is not detected until in progress One person responsible for transport Typically there are no security personnel accompanying shipment Photo: U. S. Transportation Security Administration

Transportation Security Risk Management Risk Reduction Highway Security Sensitive Materials Depends on quantity and packaging ~ > 3000 liters in single container Explosives Flammable Gases Anhydrous Ammonia Toxic Gases Flammable Liquids & Solids Oxidizers Water reactive Corrosives Radioactive, infectious substances 5.2 is organic peroxide Credit: US TSA Highway Security Sensitive Materials

Transportation Security Risk Management Risk Reduction High risk shipments require high-level controls: Increase possibility of detecting an attack Provide for additional security personnel Alarm the shipment Use communication systems Photo: http://www.securityguardcompanies.us/

Transportation Security Risk Management Risk Reduction Increase the possibility of delaying an attack Cargo secured to vehicle Immobilize vehicle Hazardous material in vault Locks, barriers, entanglements Drum Cage Photo credit: DOE NNSA Presentation, October 17-November 5, 2010

Transportation Security Risk Management Risk Reduction Photos: TSA User’s Guide on Security Seals for Domestic Cargo

Transportation Risk Management Selection of Transportation Contractor Evaluation of accident history and transportation safety plans Safety training of personnel Certifications/licensing Condition of equipment Confirm the following: Secure packaging Shipping documentation/bill of lading Labeling/placarding Safety data sheets Appropriate PPE for spill response Spill containment kits on board Emergency Contact Information on board

Transportation Security Risk Management: Risk Reduction Plant Security Include internal transfers in plant security plan Limit access to facilities and shipping information Secure transportation equipment Keep an inventory of hazardous materials Use tamper resistant seals Personnel Security Background checks Identification cards or badges

Transportation Security Risk Management: Risk Reduction High risk shipments require high-level controls: Increase possibility of detecting an attack Provide for additional security personnel Alarm the shipment Use communication systems For example in New Mexico some construction companies will place global positioning satellite (GPS) devices in construction equipment in order to track them in case they are stolen.

Balancing Transportation Security with Safety Issue Safety Security Placards Commodity information needed by emergency responders to react appropriately to an accident and minimize any impact. Commodity information could be used by terrorists to target specific chemicals. Rerouting May result in more accidents if there are longer transits or the infrastructure along an alternate route may be less well maintained or contain undesirable features (uncontrolled intersections, no shoulders, etc.). Eliminating a shipment near a specific location (most likely a highly populated or critical area) may inadvertently transfer the risk from one community to another. CCPS (2008). Guidelines for Chemical Transportation Safety, Security, and Risk Management

Balancing Transportation Security with Safety Issue Safety Security Working with supply chain partners (implementing security countermeasures) Technology can be used for both safety and security (e.g., GPS to indicate location en route, emergency response to accident, and monitoring time-sensitive chemicals/materials). Technologies focused on security should not distract the main function of the carriers (e.g., the safe transport of chemicals from point A to B). Risk Analysis Methods Rational and structured results lead to recommendations Participation and engagement by individuals with different perspectives, roles, and backgrounds/skill sets for safety, security, and transportation Similar methodology Same decision metrics (guidelines) CCPS (2008). Guidelines for Chemical Transportation Safety, Security, and Risk Management

Transportation Risk Management: Evaluate risk Example - A company ships a hazardous chemical from Factory A to Factory B. There are two different roads that connect Factory A and B. One road (Route 1) is in very poor condition and goes through a heavily populated part of City, but the distance to Factory B is shorter. The other road (Route 2) is in better condition, does not go through any populated areas, but the distance to Factory B is longer and takes more time. Photo: US National Transportation Safety Board

Transportation Risk Management: Evaluate risk Example…. A review of the transport logs shows that trucks traveling along Route 1 experience a breakdown or minor accident one time in about every 20 trips. However, no major chemical spill has resulted yet. The company has done a analysis and has concluded that 1 in every 50 accidents a truck will overturn and its hazardous cargo could spill. The company has decided that this is an unacceptable risk based on their evaluation criteria.

Transportation Risk Management: Risk reduction Example…. The company has decided that Route 1 is an unacceptable risk to the local population and will begin using Route 2 even though the distance is longer and takes more time. Of course one could argue that longer distances increase the risk of an accident; however, the company did the risk analysis on that scenario and found the longer route over the better roadway and less populated density was still the best alternative.

Open Discussion What controls are there over transport security? What control do you have for transport security at you facility?

Workshop Day 2 Principles of Security Safe and Secure Transportation Overview and objective of security Importance of performance-based security Identification of Security Threat: Insider vs. Outsider Personnel Assurance and Security Safe and Secure Transportation Overview of transportation basics – packaging, international to local travel considerations, safety and security best practices Emergency Management and Response Security Vulnerability Analysis for Chemical Facilities Overview and discussion of SVA for small to medium industry CCPS guidance Introduction to ChemSAM Aspects of IT Security Overview of Cyber security, Cyber vulnerabilities, and Solutions IT Access Control SCADA – control systems

Security Vulnerability Analysis for Chemical Facilities **MOI HCIS has an established process for conducting SVAs at Saudi chemical facilities, and we are providing information on how SVA is done in other countries.**

Key acronyms Security Vulnerability Assessment SVA Physical Protection System PPS Center for Chemical Process Safety CCPS American Petroleum Institute API

SVA resources CCPS 2003. Safety, Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites. NY: American Institute of Chemical Engineers. M.L. Garcia 2003. Vulnerability Assessment of Physical Protection Systems. Amsterdam: Elsevier. T.L. Norman 2010. Risk Analysis and Security Countermeasure Selection. Boca Raton, Florida: CRC Press.

Security Vulnerability Assessments SVA objectives and overview Identify targets and critical assets Identify and assess likelihood of threats Assess severity of consequences Evaluate effectiveness of safeguards Determine adequacy of safeguards Identify and implement improvements

Definition Security Vulnerability Assessment (SVA): A systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a security system to protect specific targets from specific adversaries and their acts. Garcia 2008

SVA Objectives and Goals Detect vulnerabilities (weaknesses) in a facility’s ability to protect critical assets against adversaries Design security systems to achieve a desired level of effectiveness Physical protection systems Cyber security protection systems Can also extend to mitigation systems Emergency response Fire protection etc. Goal: Protect specific targets from specific adversaries and their acts

SVA Protects the Most Sensitive Areas Site Characterization - Target Evaluation Evaluate location , potential energy Look for single point of failure Look at replacement times for critical equipment Where are soft targets – personnel Design Physical Security System Detection - Delay – Response Risk reduction by protecting critical assets Apply layers of protection Cost / Benefit analysis essential

SVA Process – from API Asset Characterization Threat Characterization Vulnerability Analysis Risk Assessment Countermeasures Analysis Project Planning- Define SVA Scope Facility Characterization Identify critical assets/hazards Consequence analysis Evaluate target attractiveness Review layers of protection Threat Assessment- Identify/Characterize Adversary Vulnerability Analysis Asset based Scenario based Identify Countermeasures - asset based or scenario based Assign performance standard Identify recommended upgrades Reassess risk Prioritize Countermeasures

SVA Process – from CCPS Project Planning Facility Characterization Threat Assessment Vulnerability Analysis Identify Countermeasures Project Planning- Define SVA Scope Facility Characterization Identify critical assets/hazards Consequence analysis Evaluate target attractiveness Review layers of protection Threat Assessment- Identify/Characterize Adversary Vulnerability Analysis Asset based Scenario based Identify Countermeasures - asset based or scenario based Assign performance standard Identify recommended upgrades Reassess risk Prioritize Countermeasures

SVA Process: Alternative Flowchart Facility Characterization Mission, objectives; prioritize facilities Threat Assessment Probability of adversary attack (PA) Consequence Assessment Potential consequence severity (C) System Effectiveness Existing protection against adversary scenarios (PE) Risk Calculation PA * (1-PE) * C Risk acceptable? N Y Proposed Upgrades End

SVA planning and getting started Requires management commitment of resources Generally performed by a knowledgeable team May require specialized resources or experts Will involve data and information collection May require months to fully complete Should have a means of updating See Garcia 2003 for getting started, collecting data

Define the SVA Scope Carefully define what is included and excluded from the SVA. For example, for a wastewater system, the scope may include either or both of: Collection system (e.g., sewer mains to plant inlet) Treatment plant

System characterization: Mission An example mission statement for a wastewater treatment plant might be: The Wastewater Treatment Plant is committed to treating wastewater from the City so that the treated water and bio-solid residual is safe for the environment and meets permit limits.

System characterization: Perfromance Specific performance can define successful achievement of the plant’s mission, such as: These performance measurements can be prioritized.

Security Vulnerability Assessments SVA objectives and overview Identify targets and critical assets Identify and assess likelihood of threats Assess severity of consequences Evaluate effectiveness of safeguards Determine adequacy of safeguards Identify and implement improvements

Facility Characterization Consequence Assessment SVA Process Facility Characterization Mission, objectives; prioritize facilities Threat Assessment Probability of adversary attack (PA) Consequence Assessment Potential consequence severity (C) System Effectiveness Existing protection against adversary scenarios (PE) Risk Calculation PA * (1-PE) * C Risk acceptable? N Y Proposed Upgrades End

Categories of possible targets Property – Laptop or desktop computer, jump drive, personal digital assistant, television, etc. Vehicles – Facility vehicle, access to areas, passes removed Information – Computer control access, stored data, intellectual property Personnel – Identification, access codes Original list from DHS Chemical Security Awareness Training

Examples of possible targets Wastewater system key vulnerabilities: Collection systems Treatment chemicals Key components of treatment plant Control systems Pumping/lift stations Other possible targets: Key personnel Valuable assets (e.g. catalysts, copper) Vehicles Personal computers U.S. GAO report GAO-05-165 Keep in mind the plant’s mission statement and success criteria when brainstorming targets and critical assets

SVA EXERCISE Consider a typical process facility in your industry. 1 4 Write down at least 6 possible targets of malevolent human actions at the facility. 1 4 2 5 3 5

Security Vulnerability Assessments SVA objectives and overview Identify targets and critical assets Identify and assess likelihood of threats Assess severity of consequences Evaluate effectiveness of safeguards Determine adequacy of safeguards Identify and implement improvements

Facility Characterization Consequence Assessment SVA Process Facility Characterization Mission, objectives; prioritize facilities Threat Assessment Probability of adversary attack (PA) Consequence Assessment Potential consequence severity (C) System Effectiveness Existing protection against adversary scenarios (PE) Risk Calculation PA * (1-PE) * C Risk acceptable? N Y Proposed Upgrades End

“Swiss cheese model” The “Swiss cheese model” can be applied to security risks as well as process safety risks. The threat assessment identifies what security threats are present and how likely they are to initiate attacks on specific targets. Threat Security Incident

A PPS design is based on threat Threat Assessment: An evaluation of the threats, based on available intelligence, law enforcement, and open source information, that describes the motivations, intentions, and capabilities of these threats. Design Basis Threat: A policy document used to establish performance criteria for a physical protection system (PPS). It is based on the results of threat assessments as well as other policy considerations. 236 236

Threat assessment Motivation Intention Capabilities Political, ideological, financial, personal Willingness to get caught or die Intention Theft, sabotage Other: stop operations, social disruption, political instability, economic harm Capabilities Numbers Weapons, equipment, tools Explosives Knowledge, skills, training Tactics Transportation methods Insider assistance

Threat assessment (continued) Some methods define “Design Basis Threats” for each identified potential adversary Helpful in later analysis and determining security upgrades Not feasible to protect every critical asset against every possible threat Example:

Assess likelihood of attack Probability (likelihood) of an attack* can be assessed using frequency categories. Options: Purely qualitative, such as High / Medium / Low Qualitative with descriptors Order of magnitude Fully quantitative *Initiation of an attempt to penetrate the facility’s physical or virtual boundary

Example of qualitative-with-descriptors likelihood categories Frequent B Probable C Occasional D Remote E Improbable From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care® Toolkit, http://www.americanchemistry.com/s_rctoolkit

Example of order-of-magnitude likelihood categories

Assess likelihood of attack Likelihood assessment: Consensus of plant personnel, fire department, local law enforcement, etc. Assess the likelihood of attack by each potential adversary using the selected frequency scale Example:

Assess likelihood of attack Key considerations affecting likelihood: Presence in the area of the facility Access to the facility Stated/assessed intent to conduct attack History of attacks/threats Credible information indicating adversary has actually targeted facility Capability to achieve successful attack

Security Vulnerability Assessments SVA objectives and overview Identify targets and critical assets Identify and assess likelihood of threats Assess severity of consequences Evaluate effectiveness of safeguards Determine adequacy of safeguards Identify and implement improvements

Facility Characterization Consequence Assessment SVA Process Facility Characterization Mission, objectives; prioritize facilities Threat Assessment Probability of adversary attack (PA) Consequence Assessment Potential consequence severity (C) System Effectiveness Existing protection against adversary scenarios (PE) Risk Calculation PA * (1-PE) * C Risk acceptable? N Y Proposed Upgrades End

Consequence severity Potential consequence severity (C) is assessed as the potential impact if an attack is successful. Must consider intent and capabilities of each specific threat Can be evaluated as a matrix of threats vs targets or as a listing of scenarios Consider screening out those with lesser severity

assessment Threat The consequence determines how severe the impacts can be if an attack on a target is successful. Security Incident

Assess severity of consequences Chemical release scenarios: Essentially the same as for unintentional releases Fires Explosions Toxic gas releases Also, theft of chemicals for release or use elsewhere (e.g., precursor chemicals) Some loss events can be assessed monetarily Business interruption Property damage Other scenarios: Severity can be difficult to assess for other loss events Trade secret information loss Fear / panic impact etc.

Assess severity of consequences Loss event impact is generally assessed using severity categories. Options: Purely qualitative, such as High / Medium / Low Qualitative with descriptors Order of magnitude Fully quantitative

descriptors severity categories II Serious Critical Example of qualitative-with- descriptors severity categories II Serious III Moderate From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care® Toolkit, http://www.americanchemistry.com/s_rctoolkit IV Minor

Example of order-of-magnitude likelihood categories

Example consequence categories for a wastewater treatment plant

SVA Exercise Identify key consequence categories for a typical plant in your industry Choose one of the consequence categories Develop an impact scale for the category

Security Vulnerability Assessments SVA objectives and overview Identify targets and critical assets Identify and assess likelihood of threats Assess severity of consequences Evaluate effectiveness of safeguards Determine adequacy of safeguards Identify and implement improvements

Facility Characterization Consequence Assessment SVA Process Facility Characterization Mission, objectives; prioritize facilities Threat Assessment Probability of adversary attack (PA) Consequence Assessment Potential consequence severity (C) System Effectiveness Existing protection against adversary scenarios (PE) Risk Calculation PA * (1-PE) * C Risk acceptable? N Y Proposed Upgrades End

effectiveness assessment Threat The system determines how good the barriers are to keep an attack from being successful. Security Incident

Physical Protection System has Three Purposes Physical Protection Systems (PPS) Detection Delay Response

Attack detection Assessment - Video display triggered by sensor alarm to determine if an intruder has penetrated a sensored area. Slide Purpose: Slide gives overview of difference between surveillance and assessment. Instructor Notes: Often the terms assessment and surveillance are used to mean the same thing. Technically, they are different; however, they both employ the use of cameras and video monitors to observe locations of interest. Assessment (used after alarm) is the display of video on alarm station video monitors showing the current state of the location where an alarm occurred and, if digital video recording is available, a looping display of the alarm location scene at the time of an alarm. It is the detection sensor alarm inputs that cause video from the alarming location to automatically display on alarm station monitors. Surveillance (used as detection) is the continuous monitoring of an area that does not have detection sensors to cause an alarm. The detection sensor is essentially the security operator. There are no sensors to alert the security operator of an alarm event. Graphics depict an intruder near a fence line crawling, intruder climbing a sensored fence, an alarm operator at a central alarm station console, surveillance camera in a facility hallway, surveillance camera observing an entry portal location and another central alarm station monitoring console showing alarm displays and camera views of locations of interest. Surveillance- Continuous video monitoring of an area that that does NOT have sensors. 258 258

Attack delay barriers Access delay Vehicle barriers Traverse time Around perimeter Around key assets “Serpentine” arrangement to limit approach speed Pop-up barriers Traverse time Examples: Fences, barbed wire Doors, windows Walls Locks Strong passwords Biometrics Target task time

Attack response Communications Weaponry, tactics Internal or external Backup forces Training Night-fighting capability Cyber response capability

Protection performance objective Security-protective barriers must (1) detect an attack soon enough and (2) put sufficient time delays in the path of the attacker(s) (3) for a sufficiently potent response force to arrive and interrupt the attack before the attack succeeds in stealing, releasing, destroying or otherwise compromising the facility’s critical asset(s).

Scenario and path analysis

Scenario and path analysis

Role of Access Delay Interrupted Detection Time Response Force Time Adversary Begins Task Adversary Completes Task Time Adversary Task Time C T First Sensing Adversary Detected D Response Force Time Interrupted I Physical Protection System Response Time Adversary Task Time Remaining After First Sensing Sensing Opportunities Time Remaining After Interruption Slide Purpose: Describes the role and importance of access delay by using an adversary timeline. Instructor Notes: Access delay is measured in time. For a physical protection system to have a high probability of success, the detection with assessment time plus the response force time must be less than the adversary task time. There are four methods listed to increase the probability of system success. Note first that it is hard to detect an intruder before they cross a boundary. If a site perimeter has an effective perimeter intrusion detection and assessment system (typically listed as Pd with a certain confidence level), it is often very difficult and very expensive to detect an intrusion earlier. Faster assessment is typically done by video assessment. If the assessment system is a modern system with CCTV, effective perimeter lighting, automatic display of alarm events, recording and rapid playback of alarm events a few seconds before the sensor alarms to a few seconds after the alarm, then it is likely that the assessment time can only be marginally reduced at best. If multiple communication systems are available between the Central Alarm Station and the response force and the response force is located near or at the target area, it is likely that response times can only be reduced marginally. Increasing adversary task time after detection may be completed by installing additional fixed barriers or by installing dispensable barriers that will work synergistically with existing physical barriers. The most capable barriers should be installed directly at the targets to be cost effective. Discussion Questions: Supporting Information: References: System detection and response time must be less than adversary task time after the first alarm To increase system success probability Detect intrusion earlier Reduce assessment time Reduce response time Increase adversary task time

Security Vulnerability Assessments SVA objectives and overview Identify targets and critical assets Identify and assess likelihood of threats Assess severity of consequences Evaluate effectiveness of safeguards Determine adequacy of safeguards Identify and implement improvements

Safeguards effectiveness The effectiveness of safeguards is maintained by performance testing. If any safeguard is not tested, do not count on it working!

DISCUSSION How can the performance of these physical protection system components be ensured? CCTV camera system Security guards visual detection Perimeter fence Access-control door locks Response force

Facility Characterization Consequence Assessment SVA Process Facility Characterization Mission, objectives; prioritize facilities Threat Assessment Likelihood of adversary attack (PA) Consequence Assessment Potential consequence severity (C) System Effectiveness Existing protection against adversary scenarios (PE) Risk Calculation PA * (1-PE) * C Risk acceptable? N Y Proposed Upgrades End

Security risk equation Risk = PA * (1 - PE) * C where PA = Frequency of attack1 PE = Protection system effectiveness C = Consequence severity 1or probability of attack for a given timeframe or mission

Example risk calculation (continued) Risk = 1/yr * (1 - 0.9) * $50K = $5,000 / year annualized loss rate

Example risk calculation Risk = PA * (1 - PE) * C Assume PA = One attack per year attempted PE = 0.90 effective protection C = $50,000 loss

Risk = PA * (1 - PE) * C Another example Assume PA = 0.1 attack per year attempted PE = 0.99 effective protection C = Fire/explosion with 10 fatalities What is Risk equal to?

  Make risk decision Options: Determining whether existing or proposed safeguards are adequate can be done in various ways. Options: Purely qualitative, team-based judgment Risk matrix Risk magnitude Fully quantitative  

Determining where the risk boundaries are set is a risk Example of risk matrix with qualitative-with-descriptors likelihood and severity categories NOTE: Determining where the risk boundaries are set is a risk management function From ExxonMobil “Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care® Toolkit, http://www.americanchemistry.com/s_rctoolkit

Security Vulnerability Assessments SVA objectives and overview Identify targets and critical assets Identify and assess likelihood of threats Assess severity of consequences Evaluate effectiveness of safeguards Determine adequacy of safeguards Identify and implement improvements

Facility Characterization Consequence Assessment SVA Process Facility Characterization Mission, objectives; prioritize facilities Threat Assessment Likelihood of adversary attack (PA) Consequence Assessment Potential consequence severity (C) System Effectiveness Existing protection against adversary scenarios (PE) Risk Calculation PA * (1-PE) * C Risk acceptable? N Y Proposed Upgrades End

Develop and implement improvements Address specific vulnerabilities identified in the SVA Address scenarios assessed to pose the highest security risk

Possible improvements Tendency: Add more physical safeguards (fences, cameras, locks, etc.). First priority: Make sure what you have will work. Performance testing Drills, tabletop exercises Also a priority: Make the facility inherently safer. Minimize Substitute Attenuate Simplify, limit effects, etc.

Example strategies Some wastewater security-enhancing activities: Replacing gaseous chemicals with less hazardous alternatives Improving local/state/regional collaboration efforts Completing SVAs for individual wastewater systems Expanding training for wastewater utility operators, administrators Improving national communication efforts Installing early warning in collection systems Hardening plants and collection facilities against attack Strengthening procedures Increasing R&D to improve detection, assessment and response

SVA report The SVA is generally captured in a report and/or management presentation. Objectives Team Approach Data and Analysis Results and Conclusions Recommended improvements See Garcia 2003 and Normal 2010 for suggested presentation formats

Updating the SVA Keep in mind: “The search for static security, in the law and elsewhere, is misguided. The fact is, security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts.” - William O. Douglas, as quoted in Garcia 2003

Workshop Day 2 Principles of Security Safe and Secure Transportation Overview and objective of security Importance of performance-based security Identification of Security Threat: Insider vs. Outsider Personnel Assurance and Security Safe and Secure Transportation Overview of transportation basics – packaging, international to local travel considerations, safety and security best practices Emergency Management and Response Security Vulnerability Analysis for Chemical Facilities Overview and discussion of SVA for small to medium industry CCPS guidance Introduction to ChemSAM Aspects of IT Security Overview of Cyber security, Cyber vulnerabilities, and Solutions IT Access Control SCADA – control systems

Chemical Security Self-Assessment Model

Chem-SAM The Chem-SAM software tool is designed to support conducting a technical assessment of chemical security risks

RECALL: Process of Chemical Security Risk Assessment 1. Evaluate Threat Potential 2. Identify Security Threats 3. Characterize Security Risks 4. Are Risks Acceptable? 5. Implement Additional Security Measures Yes No Proceed with work and 6. Follow up with periodic repeat of steps 1-5

RECALL: Process of Chemical Security Risk Assessment 1. Evaluate Threat Potential 2. Identify Security Threats Chem-SAM supports these steps 3. Characterize Security Risks 4. Are Risks Acceptable? 5. Implement Additional Security Measures Yes No Proceed with work and 6. Follow up with periodic repeat of steps 1-5

Identify Security Threats (Chem-SAM ) Insider Outsider Theft Near populated or industrial areas Sabotage

Characterize Security Risks Risk is a function of Probability that an incident will occur (likelihood) Severity if the event occurs (consequence) Risk = f (Likelihood, Consequence)

Characterize Security Risks (Chem-SAM) Chem-SAM risk is a function of: Likelihood Attractiveness of the chemical for misuse Potential for successful theft/diversion of the chemical based upon facility characteristics Consequences Impact to human health and/or facility of misuse of the chemical

How does it work? Based on a Multi-Objective Decision Analysis (MODA) framework Objectives defined and weighted by chemical and security subject matter experts User provides ‘scores’ for each objective based upon their unique situation Software has built in mathematical operations to characterize the risk based upon likelihood and consequences The user: Defines the chemical assets Characterizes facility security management

Data Collected Through a Comprehensive Set of Questions

Results presented graphically

The Software Windows or OS x supported Captures management documentation for proper record keeping as advocated by Responsible Care©

Chemical Assets Over 100 chemicals have been pre-loaded into the system

Chemical Assets Provide the quantity of any of the provided chemicals pre-loaded at your facility OR Enter a new chemical for assessing additional chemicals Save your updated answers

Facility Security Management Answer the questions regarding your facility’s security management Save the answers for your facility

View Results Select your chemicals Select your facility/laboratory View the risks

Saving the assessment Save your responses Save in an assessment folder

Are Risks Acceptable? Working with management and other key stakeholders determine if the risks are acceptable or unacceptable For unacceptable implement risk mitigation measures

Another assessment Load the assessment responses to update or review Create a new assessment

Software and resources http://csp-state.net/ Resources tab Tools Chemical Risk Management Self- Assessment Model (Chem- SAM)

Chem-SAM A tool for chemical security risk assessment Easy to use Small-to-medium enterprises Technical risk assessment Well characterized factors Objective and rational Prioritize risks Facilities Chemicals Communicate risks

Workshop Day 2 Principles of Security Safe and Secure Transportation Overview and objective of security Importance of performance-based security Identification of Security Threat: Insider vs. Outsider Personnel Assurance and Security Safe and Secure Transportation Overview of transportation basics – packaging, international to local travel considerations, safety and security best practices Emergency Management and Response Security Vulnerability Analysis for Chemical Facilities Overview and discussion of SVA for small to medium industry CCPS guidance Introduction to ChemSAM Aspects of IT Security Overview of Cyber security, Cyber vulnerabilities, and Solutions IT Access Control SCADA – control systems

Aspects of IT Security (Information Management and Security)

Overview Information Risk Assessment Information Processes IT Infrastructure and components Threats to IT infrastructure Information Assurance Information Risk Assessment Information Security Resources

Information Processes Data Generation Data Storage Data Reviewed/Used Information Processes The generalized information process starts with the generation of data. This data can be generated from technical devices such as SCADA systems, Process systems, Physical security system, as well as, being generated directly from individuals (process reports, research, etc.). This data is typically transmitted to a data storage system, including file servers, databases, web-portals, etc. From the data storage, data could then be transmitted to a data recipient (the recipient may be a person or may be another system) where the data is analyzed to create information.

IT Infrastructure (The Information Technology Assets) The technical components required to support information processes Hardware Software Communication lines Power infrastructure Human support Information technology infrastructure includes all the technical components required to generate data, transmit the data, storage of data, and may include technologies to support data analysis. These technical components include the hardware, software, communication lines (wired or wireless), power infrastructure, and the human support infrastructure. These are often referred to as information technology assets.

Examples of IT components Data Generators Process Control Systems SCADA (supervisory control and data acquisition) Systems Physical Security Systems Researchers/Engineers Communication Lines Digital / Analog Wired / Wireless Tunneled Information Storage Systems Databases File Systems Websites/portals Examples of IT components

Threats to IT infrastructure Data Generators Altering control data to make a system preform the wrong function (Cracking) Altering the reporting data so system provides false data (Hijacking) Blocking data to inhibit control or reporting (Denial of Service) Communication Lines Hijacking information Detecting system reporting pattern Inserting false information Denial of Service Information Storage Systems Loss of data (Denial of Service, direct deletion, or equipment failure) Alteration or release of information (Cracking and/or Hacking) Hacking is the gaining of access(wanted or unwanted) to a computer or networked system, copying, or creating data(leaving a trace) without the intention of destroying data or maliciously harm. This represents the Good Guys most of the time for they are the ones who search for these exploits to prevent crackers use a method called cracking(opposite of hacking). Hacking and hackers are commonly mistaken to be the bad guys most of the time. Crackers are the ones who create virus, cracks, spyware, and destroy data. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the network. Cracker - Person who gains unauthorized access to a computer with the intention of causing damage. Cracking - Method by which a person who gains unauthorized access to a computer with the intention of causing damage. Hacker - Person who gains authorized/unauthorized access to a computer WITHOUT the intention of causing damage. Spyware - A Program that was created by a person(most frequently a cracker) to watch the computer and it's actions and report the details to the origional maker. Virus - A maliciously made program that is used to destroy data, or hurt the performance of the computer. Makes copies of itself and sends it to more people.

Threats Types and Definitions Hacker Person who gains authorized/unauthorized access to a computer WITHOUT the intention of causing damage Cracker Person who gains unauthorized access to a computer WITH the intention of causing damage Method Type Method Definition Hacking Gaining of access (wanted or unwanted) to a computer or networked system, copying, or creating data WITHOUT the intention of destroying data or maliciously harm Cracking Method by which a person who gains unauthorized access to a computer WITH the intention of causing damage Hacking and hackers are commonly mistaken to be the bad guys most of the time. Crackers are the ones who create virus, cracks, spyware, and destroy data.

Information Assurance (Defines the processes needed to protect and defend the information) (What IT infrastructure do I have?) Define the situation Define the information risks (What could go wrong?) (How could it happen? What are the consequences if it does?) Assess the risks Determine if these risks are acceptable (Is this okay?) Implement security measures to reduce risk (Information Security)

Information Risk Assessment (What could go wrong?) (How could it happen?) Likelihood Means of access to system Physical Access Network Access Local Remote (Internet) (What would the impact be?) Consequences Direct loss of information (loss of Availability) Alteration of information (loss of Integrity) Release of information (loss of Confidentiality) Risk is a function of likelihood and consequences. Likelihood is defined by those components that lead up to an incident or attack, consequences are the impact following the incident or attack. Likelihood is based upon the means an attacker could gain access to a system. Confidentially is defined as “preserving authority restrictions on information access and disclosure, including means for protection personal privacy and proprietary information…” This also includes the protection from access and disclosure of information that affects national security. Typically, disclosure is thought of as theft of information, which can be achieved via physical theft, network theft, or discovering the information via human-to-human discussions. Integrity is defined by the “guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity…” Data can be modified or replaced if the integrity is not protected. Availability “ensures timely and reliable access to and use of information…” by those individuals with a need for access. In assessing the risks associated with information, both the potential (likelihood) and the consequences should be reviewed for each of the three security objectives. Understanding the relative risk independently for each objective will help to define the overall information security measures needed. For example, if the relative risk is notably higher for a loss of integrity than that for confidentiality or availability, the mitigation measures should be focused on authentication mechanisms rather than encryption during data transmission. If the relative risks are similar for confidentiality and integrity, than both encryption and authentication should be used. Using a risk based approach will allow for better understanding of the trade offs and limitations of mitigation measures. In some mission areas, there must be a higher risk tolerance due to the benefit of the information process out weighing the potential new threats posed by the system. However, in other missions, the risk tolerance may be considerably low. In using a risk-based approach these considerations can be discussed and managed.

Information Security Physical security of the components Access control Barrier security Secured conduit Personnel security of those individuals with access to the components Vetting Cyber security of each component and the entire system Firmware Operating System Communication protocol Applications

Information Technology Infrastructure Information Assurance Information Management Information Technology Infrastructure Data Generators Communication Lines Data Storage Systems Information Assurance Risk Assessment Information Security Physical Security Personnel Security Cyber Security Information management includes all the elements of the information technology infrastructure and layers information assurance onto this infrastructure. Information technology infrastructure includes all the technical components required to generate data, transmit the data, storage of data, and may include technologies to support data analysis. These technical components include the hardware, software, communication lines (wired or wireless), power infrastructure, and the human support infrastructure. These are often referred to as information technology assets.

Resources http://ics-cert.us-cert.gov/Standards-and- References http://csrc.nist.gov/publications/PubsFIPS.ht ml http://www.iso27001security.com/

Summary and Next Steps

Discussion Next Steps SVA Transportation Security IT Security Mentorship

Dr. Christine Straut and Mr. Steve Iveson THANK YOU Dr. Christine Straut and Mr. Steve Iveson