Intentional, Foul: The Evolution of Security and Vulnerability Analysis
Unfortunately, security and vulnerability are important parts of risk management.
There have been 80 attacks to nuclear plants across the world since 1961, and there are thousands of chemical plants, manufacturers and water utilities around the world that store hazardous chemicals.
Any intentional incidents, especially related to energy and utilities, food and water supply, etc., could put hundreds of thousands of people in harm’s way from a potential toxic release.
Consequence analysis modeling shows that, compared to the worst credible scenarios of accidental loss of containment of hazardous materials at a chemicals site, intentional releases from the same containment would result in a potentially much higher severity impact and extent in terms of casualties and financial losses.
The concept of inherent safety in Process Safety Management (PSM) is directly applicable to security risk management. For example, after the 9/11 terrorist attack in the United States, many facilities substituted chlorine, ammonia and sulfur dioxide with less hazardous chemicals and drastically reduced the potential of threat of toxic exposure to their neighboring communities.
However, there are still thousands of chemical facilities across the globe that are either unable to switch to safer alternatives or have not done so, which continues to present a dangerous situation to their communities from both accidental and intentional release scenarios.
Process safety data from Process Hazard Analyses (PHAs), emergency response preparedness and training can be used as indicators to assess the integrity existing controls and employee readiness, and it can help gauge the vulnerability of the plant to security risks as well. Therein lies the basis of facility security risk assessment standards and guidelines that have been available for many years now, such as the API 780 SRA (2013) from the American Petroleum Institute, CCPS SVA (2003) from the Center for Chemical Process Safety, and vulnerability assessment methodology (VAM) (2002) from Sandia National Laboratories.
The U.S. Department of Homeland Security (DHS) requires high-risk chemical facilities, as determined by the Chemical Facility Anti-Terrorism Standards (CFATS) process, to complete security vulnerability assessments (SVAs), develop site security plans and implement protective measures necessary to meet DHS-defined risk-based performance standards (RBPS). Facilities in the following industries may qualify for conformance to CFATS:
- Agriculture and food
- Chemical manufacturing, storage and distribution
- Energy and utilities
- Healthcare and pharmaceuticals
- Paints and coatings
- Universities and research institutions
Risk-based decision-making has become essential across all industries and applications, including occupational health, process safety, environmental protection, quality risk and security risk. DHS provides a Risk-Based Performance Standards guidance document with 18 elements for security risk management, and having an active SVA process is integral to its success in an organization.
Over time, as companies’ risk management processes matures, not only do they need to improve the efficiency of their security risk management practices, but also they must adopt a robust risk management solution that incorporates all three elements of risk management: identification and assessment of hazardous situations, controlling and mitigating the corrective and preventive actions, and properly reviewing and monitoring the risks. A mature security risk management program allows companies to shift from compliance to risk-based decision-making enabling them to have a proactive stance.
Indeed, risk management is complex, however, this process can be managed easier through automation and which can improve the bottom line. Rather than paper-based or spreadsheet-based risk assessments, organizations must be able to standardize, centralize and automate complex risk assessment business processes and workflows. By improving the way security risks are identified and handled in, organizations can dramatically reduce potential risk from exposure to hazardous chemicals—including when those releases are intentional.
Sphera offers preformatted security risk assessment solutions as point-based desktop or web-based enterprise applications. The configurability of these platforms enables each organization, small or large, to tailor the solutions to their own specific security risk management processes.