1 / 44

Presented at the 2007 CUPA Conference by SRM Associates, Inc. PO Box 891993

Presented at the 2007 CUPA Conference by SRM Associates, Inc. PO Box 891993 Temecula, CA 92589-1993 (951) 764-3626. Chemical Site Security and Chemical Facility Vulnerability Assessments. Introduction. Bios New DHS Regulations Who has to Comply? What do they have to do?

huy
Download Presentation

Presented at the 2007 CUPA Conference by SRM Associates, Inc. PO Box 891993

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Presented at the 2007 CUPA Conference by SRM Associates, Inc. PO Box 891993 Temecula, CA 92589-1993 (951) 764-3626 Chemical Site Security and Chemical Facility Vulnerability Assessments

  2. Introduction • Bios • New DHS Regulations • Who has to Comply? • What do they have to do? • Vulnerability Assessment • Updates/Reviews • Penalties • Information Protection • RAMCAP Methodology • Site Security Plans

  3. Bios • Who are we? • What have we done? • What are we trying to do?

  4. New DHS regulations • Federal only • No State Counterpart • Watch for it • Interim Final Regulations • DHS intends to modify later or clarify using guidance

  5. Who has to comply? • We don't know but DHS will tell us • Top Screen Process • Multiple tiers • Facilities will be required by DHS to submit information • DHS will determine based on information whether the facility is required to complete VA and Security Plan • Voo Doo?

  6. Who has to comply? (cont) • DHS is considering “grouping” facilities into like categories for determining requirements for compliance • e.g. NH3 Refrigeration, Petroleum Refineries • Pro: • Only facilities told by DHS they are required to comply will have to submit • Cons: • Manpower Intensive for DHS • No timeframe provided

  7. What will facilities have to do? • First, perform a Vulnerability Assessment • Second, develop a Site Security Plan

  8. Vulnerability Assessment • RAMCAP Methodology called out, but others may be approved • Presumptive deadline will be 60 days from DHS telling facility they need to complete VA (120 days for Site Security Plan)

  9. Updates/Reviews • Update schedule is not stipulated yet • Reviews done by DHS, but no deadline provided

  10. Penalties • Up to $25k/day/violation • Cease Operations • Appeals are allowed

  11. Information Protection • Penalties are provided for release to unauthorized individuals • Facility can release if they wish

  12. RAMCAP Methodology • Asset Based or Scenario Based • Leans heavily toward Asset Based • Likelihood of attack assumed to be 1 • Risk Matrix provided but not in line with most safety assessments • e.g. 0-100 deaths is “low” on the severity scale (1 of 10) • Recommended Team personnel includes: • Person familiar with RAMCAP • Operations • Engineering • Security

  13. RAMCAP Methodology (cont) • 1. Asset Characterization (note bias) • Figure out which assets are critical to: operation, could be used to impact public, or could be stolen • Includes physical assets, critical personnel, information, chemicals, support processes, etc. • 2. Threat Assessment • DHS will provide list of threats • Doesn't matter because DHS recommends assuming: “...international terrorism is possible at every facility.”

  14. RAMCAP Methodology (cont) • 3. Vulnerability Analysis • States “...define scenarios...” but then states “...each asset must be reviewed...” • Scenario based Similar to PHA: • What can go wrong? (cause) • How bad is it? (consequence/severity) • What is in place to prevent it? (safeguards) • What is likelihood of event being completed? (likelihood) – does not include probability of attack • Note: Worksheets are written to use Assets AND scenarios (i.e. it is assumed that your scenario will be based around an asset)

  15. RAMCAP Methodology (cont) • 4. Risk Analysis/Ranking • Risk Matrix provided • Not like Safety Matrices in either likelihood or severity • 5. Identify Countermeasures • PHA would call “recommendations” • Deter • Detect • Delay • Respond • (Note: Mitigate is not included)

  16. Site Security Plan • Risk Based Standards • Standards appear to be: complete a VA and Site Security Plan • Regs state that you need to protect perimeter, but don't state what you need to protect against. • Regs state that you need to protect critical assets, but don't state what you need to protect against.

  17. 20 Items in Site Security Plan • Secure/Monitor Perimeter • Secure/Monitor Restricted Areas • Control access to facility/Restricted Areas • Deter vehicles from penetrating perimeter • Secure/Monitor shipping/receipt of HAZMATs • Deter theft of HAZMATs • Deter sabotage • Deter cyber sabotage • Develop/exercise Emergency Plan to respond to security events

  18. 20 Items in Site Security Plan (cont) • Ensure proper security training, exercises and drills • Background checks (does not call out contractors) • Increase measures as threat goes up • Address specific threats provided by DHS • Report security issues to DHS • Maintain records of security issues • Establish person/group responsible for compliance • Maintain appropriate records

  19. 20 Items in Site Security Plan (cont) • Address specific threats provided by DHS (again) • Address additional performance standards provided by DHS in future

  20. DHS Involvement • DHS will provide assistance • When? • How? • DHS can audit facilities or authorize 3rd party audits

  21. Questions? ?

  22. Contact Information Stephen R. Melvin, PE CSP Jeffrey M. Lane SRM Associates, Inc. PO Box 891993 Temecula, CA 92589-1993 (951) 764-3626

  23. RAMCAP: Figure 1

  24. RAMCAP: Figure 2a

  25. RAMCAP: Figure 2b

  26. RAMCAP: Figures 3 & 4

  27. RAMCAP: Figure 5

  28. RAMCAP: Figure 6

  29. RAMCAP: Figure 7

  30. RAMCAP: Figure 8

  31. RAMCAP: Figure 9

  32. RAMCAP: Figure 10

  33. RAMCAP: Figure 11

  34. RAMCAP: Figure 12

  35. RAMCAP: Figure 12B

  36. RAMCAP: Figure 13

  37. RAMCAP: Figure 14

  38. RAMCAP: Figure 15

  39. RAMCAP: Figure 16

  40. RAMCAP: Figure 17

  41. RAMCAP: Figure 18

  42. RAMCAP: Figure 19

  43. RAMCAP: Figure 20

  44. RAMCAP: Figure 20B

More Related