API SECURITY-ed.2004

Annotation of standard text API SECURITY-ed.2004 :

API SECURITY, 2004 Edition, October 2004 - Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries

INTRODUCTION TO SECURITY VULNERABILITY ASSESSMENT

The first step in the process of managing security risks is to identify and analyze the threats and the vulnerabilities facing a facility by conducting a Security Vulnerability Assessment (SVA). The SVA is a systematic process that evaluates the likelihood that a threat against a facility will be successful. It considers the potential severity of consequences to the facility itself, to the surrounding community and on the energy supply chain.

The SVA process is a team-based approach that combines the multiple skills and knowledge of the various participants to provide a complete security analysis of the facility and its operations. Depending on the type and size of the facility, the SVA team may include individuals with knowledge of physical and cyber security, process safety, facility and process design and operations, emergency response, management and other disciplines as necessary.

The objective of conducting a SVA is to identify security hazards, threats, and vulnerabilities facing a facility, and to evaluate the countermeasures to provide for the protection of the public, workers, national interests, the environment, and the company. With this information security risks can be assessed and strategies can be formed to reduce vulnerabilities as required. SVA is a tool to assist management in making decisions on the need for countermeasures to address the threats and vulnerabilities.

OBJECTIVES, INTENDED AUDIENCE AND SCOPE OF THE GUIDANCE

This document was prepared by the American Petroleum Institute (API) and the National Petrochemical& Refiners Association (NPRA) Security Committees to assist the petroleum and petrochemical industries in understanding security vulnerability assessment and in conducting SVAs. The guidelines describe an approach for assessing security vulnerabilities that is widely applicable to the types of facilities operated by the industry and the security issues they face. During the development process it was field tested at two refineries, two tank farms, and a lube plant, which included typical process equipment, storage tanks, marine operations, infrastructure, pipelines, and distribution terminals for truck and rail. Since then, it has been used extensively at a wide variety of facilities involving all aspects of the petroleum and petrochemical industry.

This methodology constitutes one approach for assessing security vulnerabilities at petroleum and petrochemical industry facilities. However, there are several other vulnerability assessment techniques and methods available to industry, all of which share common risk assessment elements. Many companies, moreover, have already assessed their own security needs and have implemented security measures they deem appropriate. This document is not intended to supplant measures previously implemented or to offer commentary regarding the effectiveness of any individual company efforts.

Ultimately, it is the responsibility of the owner/operator to choose the SVA method and depth of analysis that best meets the needs of the specific location. Differences in geographic location, type of operations, and on-site quantities of hazardous substances all play a role in determining the level of SVA and the approach taken. Independent of the SVA method used, all techniques include the following activities:

• Characterize the facility to understand what critical assets need to be secured, their importance and their interdependencies and supporting infrastructure;

• Identify and characterize threats against those assets and evaluate the assets in terms of attractiveness of the targets to each adversary and the consequences if they are damaged or stolen;

• Identify potential security vulnerabilities that threaten the assets service or integrity;

• Determine the risk represented by these events or conditions by determining the likelihood of a successful event and the consequences of an event if it were to occur;

• Rank the risk of the event occurring and, if high risk, make recommendations for lowering the risk;

• Identify and evaluate risk mitigation options (both net risk reduction and benefit/cost analyses) and re-assess risk to ensure adequate countermeasures are being applied.

This guidance was developed for the industry as an adjunct to other available references which includes:

• American Petroleum Institute, "Security Guidelines for the Petroleum Industry", May, 2003;

• API RP 70, "Security for Offshore Oil and Natural Gas Operations", First Edition, April, 2003;

• "Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites", American Institute of Chemical Engineers (AIChE) Center for Chemical Process Safety (CCPS"), August, 2002;

• "Vulnerability Analysis Methodology for Chemical Facilities (VAM-CF)", Sandia National Laboratories, 2002.

API and NPRA would like to acknowledge the contribution of the Center for Chemical Process Safety (CCPS) compiled in their "Guidelines for Analyzing and Managing the Security of Fixed Chemical Sites." It was this initial body of work that was used as a basis for developing the first edition of the API NPRA SVA methodology. Although similar in nature, the SVA Method was developed for the petroleum and petrochemical industry, at