Chemical Site Security and Chemical Facility Vulnerability Assessments. Presented at the 2007 CUPA Conference by SRM Associates, Inc., PO Box 891993, Temecula, CA 92589-1993, (951) 764-3626.
Introduction
• Bios
• New DHS Regulations
• Who has to Comply?
• What do they have to do?
• Vulnerability Assessment
• Updates/Reviews
• Penalties
• Information Protection
• RAMCAP Methodology
• Site Security Plans
Bios
• Who are we?
• What have we done?
• What are we trying to do?
New DHS regulations
• Federal only
• No State Counterpart
• Watch for it
• Interim Final Regulations
• DHS intends to modify later or clarify using guidance
Who has to comply?
• We don't know but DHS will tell us
• Top Screen Process
• Multiple tiers
• Facilities will be required by DHS to submit information
• DHS will determine based on information whether the facility is required to complete VA and Security Plan
• Voo Doo?
Who has to comply? (cont)
• DHS is considering “grouping” facilities into like categories for determining requirements for compliance
  • e.g. NH3 Refrigeration, Petroleum Refineries
• Pro:
  • Only facilities told by DHS they are required to comply will have to submit
• Cons:
  • Manpower Intensive for DHS
  • No timeframe provided
What will facilities have to do?
• First, perform a Vulnerability Assessment
• Second, develop a Site Security Plan
Vulnerability Assessment
• RAMCAP Methodology called out, but others may be approved
• Presumptive deadline will be 60 days from DHS telling facility they need to complete VA (120 days for Site Security Plan)
Updates/Reviews
• Update schedule is not stipulated yet
• Reviews done by DHS, but no deadline provided
Penalties
• Up to $25k/day/violation
• Cease Operations
• Appeals are allowed
Information Protection
• Penalties are provided for release to unauthorized individuals
• Facility can release if they wish
RAMCAP Methodology
• Asset Based or Scenario Based
• Leans heavily toward Asset Based
• Likelihood of attack assumed to be 1
• Risk Matrix provided but not in line with most safety assessments
  • e.g. 0-100 deaths is “low” on the severity scale (1 of 10)
• Recommended Team personnel includes:
  • Person familiar with RAMCAP
  • Operations
  • Engineering
  • Security
RAMCAP Methodology (cont)
• 1. Asset Characterization (note bias)
  • Figure out which assets are critical to operation, could be used to impact the public, or could be stolen
  • Includes physical assets, critical personnel, information, chemicals, support processes, etc.
• 2. Threat Assessment
  • DHS will provide list of threats
  • Doesn't matter because DHS recommends assuming: “...international terrorism is possible at every facility.”
RAMCAP Methodology (cont)
• 3. Vulnerability Analysis
  • States “...define scenarios...” but then states “...each asset must be reviewed...”
  • Scenario based, similar to PHA:
    • What can go wrong? (cause)
    • How bad is it? (consequence/severity)
    • What is in place to prevent it? (safeguards)
    • What is likelihood of event being completed? (likelihood) – does not include probability of attack
  • Note: Worksheets are written to use Assets AND scenarios (i.e. it is assumed that your scenario will be based around an asset)
RAMCAP Methodology (cont)
• 4. Risk Analysis/Ranking
  • Risk Matrix provided
  • Not like Safety Matrices in either likelihood or severity
• 5. Identify Countermeasures
  • PHA would call “recommendations”
  • Deter
  • Detect
  • Delay
  • Respond
  • (Note: Mitigate is not included)
Site Security Plan
• Risk Based Standards
• Standards appear to be: complete a VA and Site Security Plan
• Regs state that you need to protect perimeter, but don't state what you need to protect against.
• Regs state that you need to protect critical assets, but don't state what you need to protect against.
20 Items in Site Security Plan
• Secure/Monitor Perimeter
• Secure/Monitor Restricted Areas
• Control access to facility/Restricted Areas
• Deter vehicles from penetrating perimeter
• Secure/Monitor shipping/receipt of HAZMATs
• Deter theft of HAZMATs
• Deter sabotage
• Deter cyber sabotage
• Develop/exercise Emergency Plan to respond to security events
20 Items in Site Security Plan (cont)
• Ensure proper security training, exercises and drills
• Background checks (does not call out contractors)
• Increase measures as threat goes up
• Address specific threats provided by DHS
• Report security issues to DHS
• Maintain records of security issues
• Establish person/group responsible for compliance
• Maintain appropriate records
20 Items in Site Security Plan (cont)
• Address specific threats provided by DHS (again)
• Address additional performance standards provided by DHS in future
DHS Involvement
• DHS will provide assistance
  • When?
  • How?
• DHS can audit facilities or authorize 3rd party audits
Contact Information
Stephen R. Melvin, PE CSP
Jeffrey M. Lane
SRM Associates, Inc.
PO Box 891993
Temecula, CA 92589-1993
(951) 764-3626