This is the next in a series of blogs concerning the Security Vulnerability Assessment (SVA) instructions recently published by DHS. This blog deals with the characterization assets associated with each chemical of interest (COI) listed on the initial notification letter received from DHS. The previous blogs in this series are listed below.
- Getting Started with SVA Submissions
- SVA for Tier 4 Facilities
- SVA – Facility Security Issues
- SVA – Facility Security Information
- SVA – Identification of COI Assets
Once the Preparer has developed the list of COI assets discussed in the previous blog, he will enter each asset into the SVA Tool. For assets that serve more than one COI there will have to be a unique asset name entered for that asset for each COI (e.g.: ST 100a, ST 100b, etc). Once the asset list is entered in the SVA Tool, the Preparer will answer a set of questions for each asset on the list that will help to characterize that asset.
The Preparer will first enter a description of the asset into a data entry box. This description will include:
- The primary function of the asset
- The number and type of vessels included in the asset
- Additional identifying information
Next the Preparer will select a single security issue from a provided list; this will be the Primary Security Issue for this asset. Again, if the same physical equipment is an asset for more than one security issue/COI, it will have to be listed multiple times with unique names for each combination.
For assets that have one of the release (toxic, flammable or explosive) COI security issues listed as the primary security issue there will be a listing of different types of containment. The Preparer will select all of the items on that list that pertain to the asset in question.
COI Associated with Asset
The Preparer will then indicate which COI are associated with this asset. For each security issue identified earlier in the SVA Tool (see: "SVA – Facility Security Issues") there will be a separate list of chemicals. These lists should be pre-populated with the chemicals listed on the initial notification letter from DHS.
The chemicals associated with this asset should be marked whether or not that chemical is the primary COI for the asset or not. There is no requirement for the chemicals to be present at/in the asset at the same time.
Detailed COI Information for Asset
The Preparer will be required to enter (into a data entry box) the amount of each COI associated with the asset. The SVA Tool also asks if this is the facility’s largest inventory of this COI? The Preparer will select either Yes or No for each COI. For theft/diversion COI there will be an additional Yes/No question; is this COI shipped off site?
A slightly different set of questions will be asked for each security issue. Only the questions for the security issues associated with this asset will be shown. The security issue that had been marked as the primary security issue for this asset will ask the question about which COI is the Primary COI for the asset.
At the end of each asset section there will be a question asking if there is a cyber control system associated with the asset. For Theft/Diversion COI section there is a question asking if there is a cyber business system associated with the asset. Both question require the selection of either Yes or No.
Toxic Release COI
For Toxic Release COI the SVA Tool will also ask about:
- Process/Storage Condition (gas, liquid, etc)
- Temperature (F) (for liquids only)
- Pressure (psig) (for liquids only)
- Liquid Height (ft) (for liquids only)
- Concentration (wt%) (for COI in aqueous solution only)
If the Primary COI for the asset is a toxic release COI, the SVA Tool will also ask about the following mitigation measures in place for that asset:
- Containment systems
- Leak detection systems
- Fixed vapor suppression systems
- Off site notification systems
- Other Measures
If the Primary COI for the asset is a Theft/Diversion COI, the SVA Tool will also ask about:
- COI concentration range
- Packaging type
- Transportation packaging type
- Total Quantity of COI in this packaging type
These security issues get even more complicated because all four questions must be answered for each concentration range associated with the asset and with each transportation packaging type associated with the asset.
If in any of the COI sections, the Preparer checked "YES" for the question about the presence of a Cyber Control System, then a set of questions will appear about Cyber Control Systems. The Preparer will be asked to identify and describe each cyber control system in the facility that affects any of the identified assets. For each system identified the Preparer will be asked to check off on all of the COI controlled by that system.
In the Theft/Diversion COI sections, if the Preparer checked "YES" for the question about Cyber Business Systems, a similar set of questions will appear about those systems. Again, the Preparer will be asked to identify and describe the systems and what COI are controlled by them.