Security Vulnerability Assessment Methodology for the Petroleum , 2ed

Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition
byAmerican Petroleum Institute

October 2004
Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition American Petroleum Institute 1220 L Street, NW Washington, DC 20005-4070 National Petrochemical %26amp; Refiners Association 1899 L Street, NW Suite 1000 Washington, DC 20036-3896
CONTENTS

CHAPTER 1 INTRODUCTION ............................................................................................................11.1 INTRODUCTION TO SECURITY VULNERABILITY ASSESSMENT............................................11.2 OBJECTIVES, INTE NDED AUDIENCE AND SCOPE OF THE GUIDANCE .................................11.3 SECURITY VULNERABILITY ASSESSMENT AND SECURITY MANAGEMENT PRINCIPLES.....2CHAPTER 2 SECURITY VULNERABILITY ASSESSMENT CONCEPTS ...............................................32.1 INTRODUCTION TO SVA TERMS ............................................................................................32.2 RISK DEFINITION FOR SVA ....................................................................................................32.3 CONSEQUENCES ...................................................................................................................42.4 ASSET ATTRACTIVENESS......................................................................................................42.5 THREAT..................................................................................................................................52.6 VULNERABILITY .....................................................................................................................52.7 SVA APPROACH.....................................................................................................................52.8 CHARACTERISTICS OF A SOUND SVA APPROACH ...............................................................72.9 SVA STRENGTHS AND LIMITATIONS .....................................................................................82.10 RECOMMENDED TIMES FOR CONDUCTING AND REVIEWING THE SVA.............................82.11 VALIDATION AND PRIORITIZATION OF RISKS......................................................................82.12 RISK SCREENING.................................................................................................................9CHAPTER 3 SECURITY VULNERABILITY ASSESSMENT METHODOLOGY .......................................93.1 OVERVIEW OF THE SVA METHODOLOGY .............................................................................93.2 SVA METHODOLOGY ........................................................................................................... 153.3 STEP 1: ASSETS CHARACTERIZATION................................................................................ 183.4 STEP 2: THREAT ASSESSMENT........................................................................................... 233.5 SVA STEP 3: VULNERABILITY ANALYSIS ............................................................................. 253.6 STEP 4: RISK ANALYSIS/RANKING ....................................................................................... 283.7 STEP 5: IDENTIFY COUNTERMEASURES:............................................................................ 283.8 FOLLOW-UP TO THE SVA..................................................................................................... 29ATTACHMENT 1 – EXAMPLE SVA METHODOLOGY FORMS ........................................................ 31ABBREVIATIONS AND ACRONYMS .............................................................................................. 41 APPENDIX A—SVA SUPPORTING DATA REQUIREMENTS ........................................................... 43APPENDIX B—SVA COUNTERMEASURES CHECKLIST ............................................................... 45APPENDIX C—SVA INTERDEPENDENCIES AND INFRASTRUCTURE CHECKLIS T....................... 67APPENDIX C1—REFINERY SVA EXAMPLE ................................................................................. 115APPENDIX C2—PIPELINE SVA EXAMPLE .................................................................................. 123APPENDIX C3—TRUCK TRANSPORTATION SVA EXA MPLE ...................................................... 135APPENDIX C4—RAIL TRANSPORTATION SVA EXAMPLE .......................................................... 145 References .................................................................................................................................. 155 Figures 2.1 Risk Definition ..................................................................................................................3 2.2 SVA Risk Variables ...........................................................................................................3 2.3 Asset Attractiveness Factors .............................................................................................4 2.4 Overall Asset Screening Approach.....................................................................................6 2.5 Recommended Times for Conducting and Reviewing the SVA ............................................9

3.1 Security Vulnerability Assessment Methodology Steps ...................................................... 11

3.1a Security Vulnerability Assessment Methodology—Step 1 .................................................. 12 3.1b Security Vulnerability Assessment Methodology—Step 2.................................................. 13 3.1c Security Vulnerability Assessment Methodology—Steps 3 – 5 .......................................... 14 3.2 SVA Methodology Timeline ............................................................................................. 15 3.3 SVA Team Members ....................................................................................................... 16 3.4 Sample Objectives Statement .......................................................................................... 16 3.5 Security Events of Concern ............................................................................................. 17 3.6 Description of Step 1 and Substeps ................................................................................. 19 3.7 Example Candidate Critical Assets .................................................................................. 20 3.8 Possible Consequences of Security Events ...................................................................... 21 3.9 Example Definitions of Consequences of the Event........................................................... 22 3.10 Description of Step 2 and Substeps ................................................................................. 23 3.11 Threat Rating Criteria...................................................................................................... 25 3.12 Target Attractiveness Factors (for Terrorism) .................................................................... 25 3.13 Attractiveness Factors Ranking Definitions (A).................................................................. 26 3.14 Description of Step 3 and Substeps ................................................................................. 26 3.15 Vulnerability Rating Criteria ............................................................................................. 27 3.16 Description of Step 4 and Substeps ................................................................................. 28 3.17 Risk Ranking Matrix ........................................................................................................ 29 3.18 Description of Step 5 and Substeps ................................................................................. 29

A SVA Methodology Flow Diagram ................................................................................... 124

http://rapidshare.com/files/110942853/API_-_Security_Vulnerability_Assessment_Methodology_for_the_Petroleum_and_Petrochemical_Industries__