SAND No. 2011-0786C Sandia is a multi-program laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of


Slide 1: SAND No. 2011-0786C. Sandia is a multi-program laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

Slide 2 (abbreviations): SVA = security vulnerability assessment; PPS = physical protection system.

Slide 3: CCPS 2003. Center for Chemical Process Safety, Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites. New York: AIChE.

Slide 4: M.L. Garcia 2003. Vulnerability Assessment of Physical Protection Systems. Amsterdam: Elsevier. Also: M.L. Garcia 2008. The Design and Evaluation of Physical Protection Systems, Second Edition. Amsterdam: Butterworth Heinemann.

Slide 5: T.L. Norman 2010. Risk Analysis and Security Countermeasure Selection. Boca Raton, Florida: CRC Press.

Slide 6: Security Vulnerability Assessment (SVA): A systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a security system to protect specific targets from specific adversaries and their acts. (Garcia 2008)

Slide 7 (outline):
1. SVA objectives and overview
2. Identify targets and critical assets
3. Identify and assess likelihood of threats
4. Assess severity of consequences
5. Evaluate effectiveness of safeguards
6. Determine adequacy of safeguards
7. Identify and implement improvements
8. Compare with process safety

Slide 8 (section): 1. SVA objectives and overview

Slides 9-10: SVA definition from slide 6, repeated.

Slide 11: (continued on next slide)

Slide 12: (no text extracted)

Slide 13 (graphic; axes: technology and/or cost vs. threat understanding): Staff security awareness; Fences, access control; PIDAS (Perimeter Intrusion Detection and Assessment System); On-site guards; Sensors, cameras; Professional response force.

Slide 14 (SVA objectives):
- Detect vulnerabilities (weaknesses) in a facility's ability to protect critical assets against adversaries
- Design security systems to achieve a desired level of effectiveness: physical protection systems; cyber security protection systems
- Can also extend to mitigation systems: emergency response, fire protection, etc.

Slide 15 (SVA process flowchart; boxes, following the outline steps): Plan; Characterize Facility; Identify Targets and Critical Assets; Screen; Identify and Assess Likelihood of Threats; Assess Severity of Consequences; Evaluate Effectiveness of Safeguards; Calculate Risks, Compare to Criteria; Develop, Implement Improvements.

Slide 16 (labelled "ALTERNATIVE FLOWCHART"): Mission, objectives; prioritize facilities -> Facility Characterization -> Threat Assessment (likelihood of adversary attack, F_A), Consequence Assessment (potential consequence severity, C), System Effectiveness (existing protection against adversary scenarios, P_E) -> Risk Calculation: F_A * (1 - P_E) * C -> Risk acceptable? N: Proposed Upgrades, then re-evaluate; Y: End.

Slide 17 (an SVA):
- Requires management commitment of resources
- Generally performed by a knowledgeable team
- May require specialized resources or experts
- Will involve data and information collection
- May require months to fully complete
- Should have a means of updating
See Garcia 2003 for getting started and collecting data.

Slide 18 (scope): Carefully define what is included in and excluded from the SVA. For example, for a wastewater system, the scope may include either or both of: Collection system (e.g., sewer mains to plant inlet); Treatment plant.

Slide 19: An example mission statement for a wastewater treatment plant might be: "The Wastewater Treatment Plant is committed to treating wastewater from the City in such a way that the treatment plant effluent and bio-solid residual is safe for the environment, meets permit limits, and is aesthetically pleasing to the community."

Slide 20: Specific criteria can define successful achievement of the plant's mission, such as: (criteria not extracted). These criteria can also be prioritized.

Slide 21 (section): 2. Identify targets and critical assets

Slide 22 (asset categories; original list from DHS Chemical Security Awareness Training):
- Property: laptop or desktop computer, jump drive, personal digital assistant, television, etc.
- Vehicles: facility vehicle, access to areas, passes removed
- Information: computer control access, stored data, intellectual property
- Personnel: identification, access codes

Slide 23: Wastewater system key vulnerabilities (U.S. GAO report GAO-05-165): Collection systems; Treatment chemicals; Key components of treatment plant; Control systems; Pumping/lift stations.

Slide 24 (photos): Liquid chlorine; Sulfur dioxide.

Slide 25: Other possible targets: Key personnel; Valuable assets (e.g. catalysts, copper); Vehicles; Personal computers. Keep in mind the plant's mission statement and success criteria when brainstorming targets and critical assets.

Slide 26 (exercise): Write down at least 6 possible targets of malevolent human actions at a chemical plant. (Blanks 1 to 6.)

Slide 27 (section): 3. Identify and assess likelihood of threats

Slide 28: SVA process flowchart from slide 16, repeated.

Slide 29: Image credit: CCPS, Process Safety Leading and Lagging Indicators, New York: American Institute of Chemical Engineers, January 2011, www.aiche.org/ccps. Do you remember this graphic?

Slide 30: The Swiss cheese model can be applied to security risks as well as process safety risks. (Diagram: Threat -> barriers -> Security Incident.)

Slide 31: The threat assessment identifies what security threats are present and how likely they are to initiate attacks on specific targets. (Diagram: Threat -> Security Incident.)

Slide 32: Design Basis Threat: A policy document used to establish performance criteria for a physical protection system (PPS). It is based on the results of threat assessments as well as other policy considerations. Threat Assessment: An evaluation of the threats, based on available intelligence, law enforcement, and open source information, that describes the motivations, intentions, and capabilities of these threats.
Slide 33: Motivation: political, ideological, financial, personal; willingness to get caught or die. Intention: theft, sabotage; other: stop operations, social disruption, political instability, economic harm.

Slide 34: Capabilities: numbers; weapons, equipment, tools; explosives; knowledge, skills, training; tactics; transportation methods; insider assistance.

Slide 35: Identify all potential threats (intentional, malevolent human actions). E.g.: vandals; gangs, thieves; computer hackers; militia / paramilitary; environmental terrorists; rogue international terrorists; insider threats, disgruntled employee.

Slide 36 (discussion): What are some examples of insider threats? What makes the insider threat particularly difficult to analyze and protect against? What are some things that can be done to protect against insider threats?

Slide 37: Some methods define Design Basis Threats for each identified potential adversary. Helpful in later analysis and in determining security upgrades. Not feasible to protect every critical asset against every possible threat. Example: (table not extracted).

Slide 38: Likelihood of an attack* can be assessed using frequency categories. Options: purely qualitative, such as High / Medium / Low; qualitative with descriptors; order of magnitude; fully quantitative. (* Initiation of an attempt to penetrate the facility's physical or virtual boundary.)

Slide 39: Example of qualitative-with-descriptors likelihood categories: A Frequent; B Probable; C Occasional; D Remote; E Improbable. From ExxonMobil Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care Toolkit, http://www.americanchemistry.com/s_rctoolkit

Slide 40: Example of order-of-magnitude likelihood categories (table not extracted).

Slide 41: Likelihood assessment: consensus of plant personnel, fire department, local law enforcement, etc. Assess the likelihood of attack by each potential adversary using the selected frequency scale. Example: (table of F_A per adversary not extracted).

Slide 42: Key considerations affecting likelihood:
- Presence in the area of the facility
- Access to the facility
- Stated/assessed intent to conduct attack
- History of attacks/threats
- Credible information indicating adversary has actually targeted facility
- Capability to achieve successful attack

Slide 43 (section): 4. Assess severity of consequences

Slide 44: SVA process flowchart from slide 16, repeated.

Slide 45: Potential consequence severity (C) is assessed as the potential impact if an attack is successful. Must consider intent and capabilities of each specific threat. Can be evaluated as a matrix of threats vs targets or as a listing of scenarios. Consider screening out those with lesser severity.

Slide 46: The consequence assessment determines how severe the impacts can be if an attack on a target is successful. (Diagram: Threat -> Security Incident.)

Slide 47: Chemical release impacts: essentially the same as for unintentional releases (see Identification of Hazards): fires; explosions; toxic gas releases. Also, theft of chemicals for release or use elsewhere (e.g., precursor chemicals).

Slide 48: Other impacts: Some loss events can be assessed monetarily: business interruption; property damage. Severity can be difficult to assess for other loss events: trade secret information loss; fear / panic impact; etc.

Slide 49: Loss event impact is generally assessed using severity categories. Options: purely qualitative, e.g. High / Medium / Low; qualitative with descriptors; order of magnitude; fully quantitative.

Slide 50: Example of qualitative-with-descriptors severity categories: I Critical; II Serious; III Moderate; IV Minor. From ExxonMobil Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care Toolkit, http://www.americanchemistry.com/s_rctoolkit

Slide 51: Example of order-of-magnitude severity categories (table not extracted).

Slide 52: Example consequence categories for a wastewater treatment plant (table not extracted).

Slide 53 (exercise): Identify key consequence categories for a typical plant in your industry. Choose one of the consequence categories. Develop an impact scale for the category.

Slide 54 (section): 5. Evaluate effectiveness of safeguards

Slide 55: SVA process flowchart from slide 16, repeated.

Slide 56: The system effectiveness assessment determines how good the barriers are at keeping an attack from being successful. (Diagram: Threat -> Security Incident.)

Slide 57: Physical Protection Systems (PPS): Detection; Delay; Response.

Slide 58 (detection):
- Intrusion detection systems: detectors (sensors, cameras, guard patrols); detection signal processing and alarming; alarm assessment; alarm communication and display
- Entry control
- Contraband and explosives detection
- Cyber attack detection; system monitoring
- Security-aware employees

Slide 59 (sensor types diagram): Passive sensor: receiver only, responding to vibration, heat, or sound. Active sensor: transmitter and receiver.

Slide 60: Covert or visible. Covert: sensors hidden from view; more difficult for intruder to detect. Visible: sensors in plain view of intruder; simpler to install and repair.

Slide 61: Volumetric or line detection. Volumetric: detection in a volume of space; detection volume is not visible. Line detection: detection along a line or plane; detection zone easily identified.

Slide 62: Line-of-sight or terrain-following. Line-of-sight: no obstacles in the detection space; requires flat ground surface. Terrain-following: sensors detect over flat or irregular terrain.

Slide 63: Pictures of line (vibration) and volumetric (microwave) sensors.

Slide 64: Assessment: video display triggered by sensor alarm to determine if an intruder has penetrated a sensored area. Surveillance: continuous video monitoring of an area that does NOT have sensors.
Slide 65: Fixed and PTZ cameras. Fixed camera: non-motorized mount; fixed-focal-length lens. Pan-tilt-zoom (PTZ) camera: motorized mount; motorized zoom lens.

Slide 66 (access delay): Vehicle barriers: around perimeter; around key assets; serpentine arrangement to limit approach speed; pop-up barriers.

Slide 67: (photo)

Slide 68 (access delay): Vehicle barriers; fences, barbed wire (traverse time); doors, windows; walls; locks; strong passwords; biometrics; target task time.

Slide 69 (response): Communications; weaponry, tactics; internal or external; backup forces; training; night-fighting capability; cyber response capability.

Slide 70: Security-protective barriers must (1) detect an attack soon enough and (2) put sufficient time delays in the path of the attacker(s) (3) for a sufficiently potent response force to arrive and interrupt the attack before the attack succeeds in stealing, releasing, destroying or otherwise compromising the facility's critical asset(s).

Slide 71: (Same statement as slide 70.) How would this apply to cyber security?

Slides 72-74: (no text extracted)

Slide 75: The effectiveness of safeguards is maintained by performance testing. If any safeguard is not tested and maintained, do not count on it working!

Slide 76 (discussion): How can the performance of these physical protection system components be ensured? CCTV camera system; security guards' visual detection; perimeter fence; access-control door locks; response force.

Slide 77 (section): 6. Determine adequacy of safeguards
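The requirement on slides 70-71 (detect soon enough, delay long enough, respond in time) can be checked on a timeline. The following is an added illustration, not code from the Sandia course or from the Garcia texts; the protected path, its numbers, the response time and the assumption that the layers detect independently are all constructed for the example, and per slide 75 an untested layer is credited with neither detection nor delay.

```python
"""Detect / delay / respond timeline check for one protected path (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    p_detect: float      # probability an intruder crossing this layer is detected here
    delay_s: float       # seconds the layer holds up an intruder (task time for the last one)
    tested: bool = True  # slide 75: a safeguard that is not tested is not counted on

    def credited_detection(self) -> float:
        return self.p_detect if self.tested else 0.0

    def credited_delay(self) -> float:
        return self.delay_s if self.tested else 0.0


def remaining_delay(path: list[Layer], index: int) -> float:
    """Delay still ahead of an intruder detected at the start of layer `index`."""
    return sum(layer.credited_delay() for layer in path[index:])


def critical_detection_point(path: list[Layer], response_s: float) -> int | None:
    """Index of the last layer at which detection still leaves at least the response
    time worth of delay; None if the response force can never arrive in time."""
    last = None
    for index in range(len(path)):
        if remaining_delay(path, index) >= response_s:
            last = index
    return last


def probability_of_interruption(path: list[Layer], response_s: float) -> float:
    """P_I: probability that the first detection happens early enough for the
    remaining delay to cover the response time (independent layers assumed)."""
    p_undetected_so_far = 1.0
    p_interrupt = 0.0
    for index, layer in enumerate(path):
        p_first_detection_here = p_undetected_so_far * layer.credited_detection()
        if remaining_delay(path, index) >= response_s:
            p_interrupt += p_first_detection_here
        p_undetected_so_far *= 1.0 - layer.credited_detection()
    return p_interrupt


# Constructed sample path; the values are illustrative, not measured data.
SAMPLE_PATH = [
    Layer("perimeter fence with sensor", p_detect=0.9, delay_s=30),
    Layer("yard under camera assessment", p_detect=0.5, delay_s=60),
    Layer("building door with alarm", p_detect=0.8, delay_s=120),
    Layer("target task inside", p_detect=0.3, delay_s=300),
]
RESPONSE_S = 450.0  # constructed response-force arrival time in seconds


def untested_door(path: list[Layer]) -> list[Layer]:
    """Same path, but the door alarm and lock have never been performance-tested."""
    return [Layer(l.name, l.p_detect, l.delay_s, tested=False) if "door" in l.name else l
            for l in path]


if __name__ == "__main__":
    for label, path in (("all tested", SAMPLE_PATH), ("door untested", untested_door(SAMPLE_PATH))):
        cdp = critical_detection_point(path, RESPONSE_S)
        where = path[cdp].name if cdp is not None else "nowhere"
        print(f"{label}: P_I = {probability_of_interruption(path, RESPONSE_S):.3f}, "
              f"critical detection point = {where}")
```

With the constructed numbers, detection must happen no later than the yard for the response force to matter, and leaving the door untested drops the total credited delay below the response time, so no detection point works at all.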
Slide 78: SVA process flowchart from slide 16, repeated.

Slide 79: Risk = F_A * (1 - P_E) * C, where F_A = frequency of attack (1); P_E = protection system effectiveness; C = consequence severity. (1) Or probability of attack for a given timeframe or mission.

Slide 80: Assume F_A = one attack per year attempted; P_E = 0.90 effective protection; C = US$50,000 loss. Risk = F_A * (1 - P_E) * C.

Slide 81: Risk = 1/yr * (1 - 0.9) * $50K = $5,000 / year (annualized loss rate).

Slide 82: Assume F_A = 0.1 attack per year attempted; P_E = 0.99 effective protection; C = fire/explosion with 10 fatalities. Risk = F_A * (1 - P_E) * C. What is Risk equal to?

Slide 83: Risk = 0.1/yr * (1 - 0.99) * 10 = 0.01 fatality / year (point risk estimate).

Slide 84: Determining whether existing or proposed safeguards are adequate can be done in various ways. Options: purely qualitative, team-based judgment; risk matrix; risk magnitude; fully quantitative.

Slide 85: Example of risk matrix with qualitative-with-descriptors likelihood and severity categories (matrix not extracted). From ExxonMobil Chemical Facilities Safeguards and Security Risk Assessment Methodology, June 2002, adapted from the risk assessment matrix of MIL-STD-882B. Part of ACC Responsible Care Toolkit, http://www.americanchemistry.com/s_rctoolkit

Slide 86: Same risk matrix as slide 85. NOTE: Determining where the risk boundaries are set is a risk management function.

Slide 87 (ALARP diagram; credit: UK HSE):
- Unacceptable region: risk cannot be justified save in extraordinary circumstances.
- The ALARP or tolerability region: tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained; tolerable if cost of reduction would exceed the improvement gained.
- Broadly acceptable region: no need for detailed working to demonstrate ALARP; necessary to maintain assurance that risk remains at this level.
- Negligible risk.

Slide 88 (ALARP regions on a risk magnitude scale): Unacceptable region: +3 or higher. ALARP region: +2, +1. Broadly acceptable region: 0 or lower. Negligible risk below that.

Slide 89 (a stricter setting of the same regions): Unacceptable region: +1 or higher. ALARP region: 0. Broadly acceptable region: -2 or lower. Negligible risk below that.

Slide 90 (exercise): Describe one complete security scenario involving a particular threat and its likelihood, a particular consequence and its severity, and a reasonable set of safeguards and their effectiveness. Using any one risk evaluation approach, calculate the scenario risk and determine its acceptability. Be prepared to present your results and findings, including important assumptions.

Slide 91 (section): 7. Identify and implement improvements

Slide 92: SVA process flowchart from slide 16, repeated.
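The risk formula of slide 79 with the two worked scenarios of slides 80-83, screened against the ALARP regions drawn on slides 88-89, as an added example (not code from the course). Two things are assumptions rather than definitions from the slides: risk magnitude is taken as floor(log10(annualized risk)) in the scenario's own unit, and the P_E needed to reach a target risk is read back from the formula.

```python
"""Risk = F_A * (1 - P_E) * C with ALARP screening (added example)."""
from __future__ import annotations
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    f_a: float   # attacks attempted per year (or probability of attack per mission)
    p_e: float   # protection system effectiveness, 0..1
    c: float     # consequence severity, expressed in `unit`
    unit: str


def risk(s: Scenario) -> float:
    """Annualized risk from slide 79: F_A * (1 - P_E) * C."""
    if not 0.0 <= s.p_e <= 1.0:
        raise ValueError("P_E must be a probability")
    if s.f_a < 0 or s.c < 0:
        raise ValueError("F_A and C cannot be negative")
    return s.f_a * (1.0 - s.p_e) * s.c


def risk_magnitude(value: float) -> int:
    """Assumed order-of-magnitude index: floor(log10(value)) in the scenario's unit."""
    if value <= 0:
        return -99  # no residual risk: far below any broadly acceptable line
    return math.floor(math.log10(value))


def alarp_region(magnitude: int, unacceptable_from: int, acceptable_to: int) -> str:
    """Place a magnitude in the three regions of slides 87-89. Where the lines sit is
    a risk management decision (slide 86), so the boundaries are parameters."""
    if magnitude >= unacceptable_from:
        return "unacceptable"
    if magnitude <= acceptable_to:
        return "broadly acceptable"
    return "ALARP"


def p_e_needed(s: Scenario, target_risk: float) -> float:
    """Smallest P_E that holds the scenario at or below target_risk (assumed inverse)."""
    exposure = s.f_a * s.c          # risk with no protection at all
    if exposure <= target_risk:
        return 0.0
    return min(1.0, 1.0 - target_risk / exposure)


# Worked scenarios from slides 80-83.
THEFT = Scenario("property loss", f_a=1.0, p_e=0.90, c=50_000, unit="USD")
FIRE = Scenario("fire/explosion", f_a=0.1, p_e=0.99, c=10, unit="fatalities")

# Region boundaries as drawn on slide 88 (+3 / 0) and slide 89 (+1 / -2).
SLIDE_88 = dict(unacceptable_from=3, acceptable_to=0)
SLIDE_89 = dict(unacceptable_from=1, acceptable_to=-2)


def screen(s: Scenario, bounds: dict) -> tuple[float, int, str]:
    """Risk value, its assumed magnitude, and the ALARP region it falls in."""
    r = risk(s)
    m = risk_magnitude(r)
    return r, m, alarp_region(m, **bounds)


if __name__ == "__main__":
    for s, bounds in ((THEFT, SLIDE_88), (FIRE, SLIDE_89)):
        r, m, region = screen(s, bounds)
        print(f"{s.name}: {r:g} {s.unit}/yr, magnitude {m:+d}, {region}")
    print(f"P_E needed to hold property loss to 500 USD/yr: {p_e_needed(THEFT, 500):.2f}")
```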
Slide 93: Address specific vulnerabilities identified in the SVA. Address scenarios assessed to pose the highest security risk.

Slide 94: Tendency: add more physical safeguards (fences, cameras, locks, etc.). First priority: make sure what you have will work: performance testing; drills, tabletop exercises. Also a priority: make the facility inherently safer: minimize; substitute; attenuate; simplify, limit effects, etc.

Slide 95: Wastewater system security-enhancing activities:
- Replace gaseous chemicals with less hazardous alternatives
- Improve local/state/regional collaboration efforts
- Complete SVAs for individual wastewater systems
- Expand training for wastewater utility operators, administrators
- Improve national communication efforts
- Install early warning in collection systems
- Harden plants and collection facilities against attack
- Strengthen procedures
- Increase R&D to improve detection, assessment and response

Slide 96: The SVA is generally captured in a report and/or management presentation containing: objectives; team; approach; data and analysis; results and conclusions; recommended improvements. See Garcia 2003 and Norman 2010 for suggested presentation formats.

Slide 97: Keep in mind: "The search for static security, in the law and elsewhere, is misguided. The fact is, security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts." - William O. Douglas, as quoted in Garcia 2003.

Slide 98 (section): 8. Compare with process safety

Slide 99: (Continued on next slide.)

Slide 100: Source: CCPS 2008a, p. 207 (diagram).

Slides 101-104 (diagram build-up): Hazards; Hazards / Threat.

Slide 105: Threat of: release of hazardous material; destruction of critical assets; harm to key personnel; vandalism; theft; etc.

Slide 106: (Same threats as slide 105.) By: vandal; gang, thief; militia / paramilitary; environmental terrorist; rogue international terrorist; insider threat, disgruntled employee.

Slide 107: Loss Event -> Impacts: mitigated / unmitigated.

Slide 108: (no text extracted)

Slide 109 (diagram): Hazards -> Attack -> Deter -> Intervene -> Loss Event -> Mitigate (regain control or shut down) -> Impacts: mitigated / unmitigated.

Slide 110: Deter: make target less attractive; maintain visible defenses; lower perceived likelihood of success. Branch: Threat -> Deter -> no attempt / attempt. At each branch: success / failure.

Slide 111: (no text extracted)

Slide 112: Intervene = Detect AND Delay AND Respond. Branch: attempt -> Intervene -> successful intervention / loss event.

Slide 113: Detect: identify threat; communicate to response force.

Slide 114: (no text extracted)

Slide 115: Delay: slow down attack with barriers; give response force time to interrupt attack.

Slide 116: Respond: receive alarm; arrive in time with sufficient force to interrupt attack.

Slide 117: (no text extracted)

Slide 118: Mitigate: loss event -> mitigated / unmitigated impacts.

Slide 119: (no text extracted)

Slide 120 (full event tree): Threat -> Deter (no attempt / attempt) -> Intervene (successful intervention / loss event) -> Mitigate (mitigated / unmitigated impacts). At each branch: success / failure.

Slides 121-122 (summary):
1. Listed objectives of performing a Security Vulnerability Assessment (SVA)
2. Described evaluating potential targets and critical assets
3. Described the process of identifying and assessing the likelihood of threats
4. Described the process of assessing the severity of consequences
5. Described how to evaluate the effectiveness of security safeguards
7. Discussed the importance of identifying and implementing improvements
8. Compared SVA with process safety
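The event tree of slides 110-120 (Deter, then Intervene = Detect AND Delay AND Respond, then Mitigate) worked through in code, as an added example rather than course material. The branch probabilities are constructed, the three Intervene sub-branches are multiplied as if independent (an assumption), and the last function asks which single branch is worth improving first, the "make sure what you have will work" question of slide 94.

```python
"""Security event tree: Threat -> Deter -> Intervene -> Mitigate (added example)."""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Branches:
    deter: float     # P(no attempt | threat present)
    detect: float    # P(threat identified and communicated to the response force)
    delay: float     # P(barriers hold long enough for the response force)
    respond: float   # P(response force arrives in time with sufficient force)
    mitigate: float  # P(loss event is mitigated, e.g. regain control or shut down)

    def intervene(self) -> float:
        """Slide 112: intervention needs detect AND delay AND respond."""
        return self.detect * self.delay * self.respond


def outcomes(b: Branches) -> dict[str, float]:
    """Probability of each end state of the slide 120 tree for one threat."""
    attempt = 1.0 - b.deter
    loss_event = attempt * (1.0 - b.intervene())
    return {
        "no attempt": b.deter,
        "successful intervention": attempt * b.intervene(),
        "mitigated impact": loss_event * b.mitigate,
        "unmitigated impact": loss_event * (1.0 - b.mitigate),
    }


def improve(b: Branches, branch: str, step: float = 0.1) -> Branches:
    """Raise one branch's success probability by `step`, capped at 1."""
    return replace(b, **{branch: min(1.0, getattr(b, branch) + step)})


def best_improvement(b: Branches, step: float = 0.1) -> tuple[str, float]:
    """Which single branch, improved by `step`, most reduces unmitigated impact."""
    base = outcomes(b)["unmitigated impact"]
    best, best_gain = "", 0.0
    for branch in ("deter", "detect", "delay", "respond", "mitigate"):
        gain = base - outcomes(improve(b, branch, step))["unmitigated impact"]
        if gain > best_gain:
            best, best_gain = branch, gain
    return best, best_gain


# Constructed sample values for one scenario; not data from the slides.
SAMPLE = Branches(deter=0.3, detect=0.9, delay=0.8, respond=0.7, mitigate=0.6)

if __name__ == "__main__":
    for state, p in outcomes(SAMPLE).items():
        print(f"{state:>24}: {p:.4f}")
    print("best +0.1 improvement:", best_improvement(SAMPLE))
```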