 |
| Purchase Information |
| Use this form to request purchase information on API online subscriptions. |
|
|
Document API SECURITY is offered by IHS as part of an online subscription. This subscription contains many documents on the same topic.
You may also purchase this document alone from the IHS Standards Store.
API SECURITY Document Information:
Title
Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries
American Petroleum Institute
Publication Date:
Oct 1, 2004
Scope:
INTRODUCTION TO SECURITY VULNERABILITY ASSESSMENT
The first step in the process of managing security risks is to
identify and analyze the threats and
the vulnerabilities facing a facility by conducting a Security
Vulnerability Assessment (SVA). The
SVA is a systematic process that evaluates the likelihood that a
threat against a facility will be
successful. It considers the potential severity of consequences to the
facility itself, to the
surrounding community and on the energy supply chain.
The SVA process is a team-based approach that combines the multiple
skills and knowledge of the
various participants to provide a complete security analysis of the
facility and its operations.
Depending on the type and size of the facility, the SVA team may
include individuals with knowledge
of physical and cyber security, process safety, facility and process
design and operations,
emergency response, management and other disciplines as necessary.
The objective of conducting a SVA is to identify security hazards,
threats, and vulnerabilities
facing a facility, and to evaluate the countermeasures to provide for
the protection of the public,
workers, national interests, the environment, and the company. With
this information security risks
can be assessed and strategies can be formed to reduce vulnerabilities
as required. SVA is a tool
to assist management in making decisions on the need for
countermeasures to address the threats and
vulnerabilities.
OBJECTIVES, INTENDED AUDIENCE AND SCOPE OF THE GUIDANCE
This document was prepared by the American Petroleum Institute (API)
and the National Petrochemical
& Refiners Association (NPRA) Security Committees to assist the
petroleum and petrochemical
industries in understanding security vulnerability assessment and in
conducting SVAs. The
guidelines describe an approach for assessing security vulnerabilities
that is widely applicable to
the types of facilities operated by the industry and the security
issues they face. During the
development process it was field tested at two refineries, two tank
farms, and a lube plant, which
included typical process equipment, storage tanks, marine operations,
infrastructure, pipelines,
and distribution terminals for truck and rail. Since then, it has been
used extensively at a wide
variety of facilities involving all aspects of the petroleum and
petrochemical industry.
This methodology constitutes one approach for assessing security
vulnerabilities at petroleum and
petrochemical industry facilities. However, there are several other
vulnerability assessment
techniques and methods available to industry, all of which share
common risk assessment elements.
Many companies, moreover, have already assessed their own security
needs and have implemented
security measures they deem appropriate. This document is not intended
to supplant measures
previously implemented or to offer commentary regarding the
effectiveness of any individual company
efforts.
Ultimately, it is the responsibility of the owner/operator to choose
the SVA method and depth of
analysis that best meets the needs of the specific location.
Differences in geographic location,
type of operations, and on-site quantities of hazardous substances all
play a role in determining
the level of SVA and the approach taken. Independent of the SVA method
used, all techniques include
the following activities:
• Characterize the facility to understand what critical assets
need to be secured, their
importance and their interdependencies and supporting infrastructure;
• Identify and characterize threats against those assets and
evaluate the assets in terms of
attractiveness of the targets to each adversary and the consequences
if they are damaged or stolen;
• Identify potential security vulnerabilities that threaten the
asset's service or integrity;
• Determine the risk represented by these events or conditions by
determining the likelihood
of a successful event and the consequences of an event if it were to
occur;
• Rank the risk of the event occurring and, if high risk, make
recommendations for lowering
the risk;
• Identify and evaluate risk mitigation options (both net risk
reduction and benefit/cost
analyses) and re-assess risk to ensure adequate countermeasures are
being applied.
This guidance was developed for the industry as an adjunct to other
available references which
includes:
• American Petroleum Institute, "Security Guidelines for the
Petroleum Industry", May, 2003;
• API RP 70, "Security for Offshore Oil and Natural Gas
Operations", First Edition, April,
2003;
• "Guidelines for Analyzing and Managing the Security
Vulnerabilities of Fixed Chemical
Sites", American Institute of Chemical Engineers (AIChE) Center for
Chemical Process Safety
(CCPS"), August, 2002;
• "Vulnerability Analysis Methodology for Chemical Facilities
(VAM-CF)", Sandia National
Laboratories, 2002.
API and NPRA would like to acknowledge the contribution of the Center
for Chemical Process Safety
(CCPS) compiled in their "Guidelines for Analyzing and Managing the
Security of Fixed Chemical
Sites." It was this initial body of work that was used as a basis for
developing the first edition
of the API NPRA SVA methodology. Although similar in nature, the SVA
Method was developed for the
petroleum and petrochemical industry, at both fixed and mobile
systems. Examples have been added
that demonstrate applicability at various operating segments of the
industry. Owner/Operators may
want to use any of the methods above, or another equivalent and
appropriate methodology in
conducting their SVAs. These guidelines should also be considered in
light of any applicable
federal, state and local laws and regulations.
The guidance is intended for site managers, security managers, process
safety managers, and others
responsible for conducting security vulnerability analyses and
managing security at petroleum and
petrochemical facilities.
The method described in this guidance may be widely applicable to a
full spectrum of security
issues, but the key hazards of concern are malevolent acts, such as
terrorism, that have the
potential for widespread casualties or damage.
These guidelines provide additional industry segment specific guidance
to the overall security plan
and SVA method presented in Part I of the API Security Guidelines for
the Petroleum Industry.
SECURITY VULNERABILITY ASSESSMENT AND SECURITY MANAGEMENT PRINCIPLES
Owner/Operators should ensure the security of facilities and the
protection of the public, the
environment, workers, and the continuity of the business through the
management of security risks.
The premise of the guidelines is that security risks should be managed
in a risk-based,
performance-oriented management process.
The foundation of the security management approach is the need to
identify and analyze security
threats and vulnerabilities, and to evaluate the adequacy of the
countermeasures provided to
mitigate the threats. Security Vulnerability Assessment is a
management tool that can be used to
assist in accomplishing this task, and to help the owner/operator in
making decisions on the need
for and value of enhancements.
The need for security enhancements will be determined partly by
factors such as the degree of the
threat, the degree of vulnerability, the possible consequences of an
incident, and the
attractiveness of the asset to adversaries. In the case of terrorist
threats, higher risk sites are
those that have critical importance, are attractive targets to the
adversary, have a high level of
consequences, and where the level of vulnerability and threat is high.
SVAs are not necessarily a quantitative risk assessment, but are
usually performed qualitatively
using the best judgment of the SVA Team. The expected outcome is a
qualitative determination of
risk to provide a sound basis for rank ordering of the
security-related risks and thus establishing
priorities for the application of countermeasures.
A basic premise is that all security risks cannot be completely
prevented. The security objectives
are to employ four basic strategies to help minimize the risk:
1. Deter
2. Detect
3. Delay
4. Respond
Appropriate strategies for managing security can vary widely depending
on the individual
circumstances of the facility, including the type of facility and the
threats facing the facility.
As a result, this guideline does not prescribe security measures but
instead suggests means of
identifying, analyzing, and reducing vulnerabilities. The specific
situations must be evaluated
individually by local management using best judgment of applicable
practices. Appropriate security
risk management decisions must be made commensurate with the risks.
This flexible approach
recognizes that there isn't a uniform approach to security in the
petroleum industry, and that
resources are best applied to mitigate high-risk situations primarily.
All Owner/Operators are encouraged to seek out assistance and
coordinate efforts with federal,
state, and local law enforcement agencies, and with the local
emergency services and Local
Emergency Planning Committee. Owner/Operators can also obtain and
share intelligence, coordinate
training, and tap other resources to help deter attacks and to manage
emergencies.
About IHS
IHS (NYSE: IHS) is a leading global provider of critical technical information, decision-support tools and related services in a number of industries including aerospace and defense, automotive, construction, electronics, and energy. IHS serves customers ranging from large governments and multinational corporations to smaller companies and technical professionals in more than 100 countries. IHS been in business for more than 45 years and employ more than 2,300 people around the world.
