This is the last in a series of blogs concerning the Security Vulnerability Assessment (SVA) instructions recently published by DHS. This blog deals the final operations needed to complete the SVA. It also contains a commentary on the SVA procedure developed by DHS. The previous blogs in this series are listed below.
- SVA for Tier 4 Facilities
- Getting Started with SVA Submissions
- SVA – Facility Security Issues
- SVA – Facility Security Information
- SVA – Identification of COI Assets
- SVA – Characterization of COI Assets
- SVA – Attack Scenarios – Getting Started
- SVA – Attack Scenarios – Scenario Development
- SVA – Attack Scenarios – Vulnerability Factors
- SVA – Computer Systems Analysis
Once all of the questions have been completed for the SVA, finishing up the document it is very similar to the procedures used in completing the Top Screen. The Preparer will validate the data, print and check the data for accuracy and then electronically forward it to the Submitter. The Submitter will also review the SVA for completion and accuracy before printing a copy for the facility files (the completed SVA is CVI). The Submitter will then submit the SVA to DHS. The facility will no longer be able to access the SVA once it is submitted to DHS.
DHS will review the SVA. If they approve the document they will notify the facility of their final tier ranking. In some cases (probably a very small number of cases) DHS will notify the facility that they are no longer considered a high-risk facility. They will identify the date by which the facility will have to submit their Site Security Plan. They will also list the security issues that must be dealt with in that plan.
If the plan is not approved, the Department will notify the facility what deficiencies have to be corrected and provide a deadline for those corrections. The procedures for correcting those deficiencies have not been included in these CSAT Security Vulnerability Assessment Instructions.
DHS has done a very good job in converting a complex process into a fairly straightforward data entry process. This does not make the process any simpler, but it does make the job of evaluating the data much easier. With 7,009 SVA’s to process over the next six months, DHS has used their time wisely in developing this tool. Presumably they have spent an equivalent amount of time developing the processing protocol to allow for an impartial tier assignment process.
This tool does not help facilities much in easing the complexity of the vulnerability assessment process. That cannot really be helped. Security at most high-risk chemical facilities is not going to be easy. The facilities were not designed with more than a modicum of security in mind. Trying to find all of the security holes that a determined terrorist might use is certainly a Herculean task.
Security professionals will certainly be able to find fault with this process. No one size fits all document can hope to identify all of the potential vulnerabilities. Even a trained security team will not be able to develop an exhaustive list of vulnerabilities. No sooner do you plug all of the holes that you can find, when an intelligent adversary looking for an unsecured way in finds the unsuspected Achilles’ heel.
What one can say is that the most common attack modes have been addressed. They are the most common because they are the easiest to plan and execute. They can all be executed with a relatively small team and a small team size makes it easier to avoid detection before the attack starts.
The one exception to this appears to be the inclusion of the Aircraft Attack Mode. For most facilities this attack mode is overkill on a scale unimaginable before September 11th, 2001. I am certain that DHS does not really consider this a viable attack option for most chemical facilities. There are a limited number of facilities, however, where this is the true nightmare scenario (e.g. a large LPG/LNG storage facility). DHS included this mode for those facilities and will probably discount this attack mode for facilities with smaller amounts of COI on site.
The only real complaint that I have about this SVA is the lack of questions dealing with the facility perimeter. For almost all facilities the fence line will be the first line of defense against a terrorist attack. For many facilities it will be the only line of defense. An analysis of that defense should be a valuable part of the vulnerability assessment. The questions for this hypothetical section could include:
- What type of fence is used for the perimeter?
- How many guarded gates in the perimeter?
- How many unguarded gates in the perimeter?
- What type of perimeter monitoring is used?
- What percentage of the fence perimeter is lighted?
- What percentage of the fence perimeter is under continuous observation?
I am watching the DHS FAQ page closely for indications of what types of problems facilities are having with their SVA’s. This will be a good way tracking problems with the SVA process.