Thursday, July 3, 2008

SVA – Attack Scenarios – Getting Started

This is the next in a series of blogs concerning the Security Vulnerability Assessment (SVA) instructions recently published by DHS. This blog deals the actual analysis of the facilities vulnerability to a variety of modes of terrorist attack. The previous blogs in this series are listed below.

The SVA will use the Attack Scenario Technique to analyze the facility vulnerability. The facility will work through a number of attack scenarios, providing information about the asset, current response capabilities, and mitigation measures. Attack scenarios will be run for the primary COI for each of the assets identified earlier in the SVA. Exactly which of the eight scenarios will be done for each asset will depend on the security issue involved.

Details of the Attack Scenarios are CVI

DHS is not publicly releasing the operational details of the various attack scenarios. While there will inevitably be some that decry the ‘lack of transparency’ associated with this decision, I believe that DHS has made an appropriate decision. Allowing the attack details used to evaluate facility security measures to become public knowledge will ensure that they will provide an invaluable guide for any terrorist attack-planning effort

Some of the details will never be known outside of the inner workings of DHS and the programming for the SVA Tool. Facilities will need to have access to large parts of this sensitive data to complete their SVA analysis. DHS has provided for this. Once a facility has started their SVA, and the Preparer and Submitter have been certified for access to CVI, the Preparer/Submitter should download the "DHS CFATS Attack Scenario Descriptions" available at

The document provided by DHS will have to be protected as CVI. Provisions for protecting CVI should already be in place at the facility. The facility should already be protecting CVI documents from the Top Screen and, of course, the DHS initial notification letter is CVI. Further information for protecting CVI can be found in the CVI Procedure Manual or in my article "What Chemical Facilities Need to Do to Protect CVI".

Locating Asset on CSAT Map

DHS has provided a map of the facility area produced from overhead imagery (I am working on getting the development details for a future blog). DHS recommends that users ‘familiarize themselves with the map navigation features prior to locating the asset’ (I would have said ‘play with the controls for a while’). The navigation controls are fairly straight forward (see the list below), but it may take some practice to become proficient.

  • Zoom In
  • Zoom Out
  • Pan
  • Full Extent
  • Locate Asset

Once the map has been zoomed and moved to allow for identification of the location of the asset (near the center of the display), all the Preparer has to do is click on the ‘Locate Asset’ button and click on the location of the asset on the map. The tool will then mark the location of the asset with a ‘pink star’.

This map tool will also be used to place damage circles on the facility map. The same controls will be used to locate the ‘point of attack’ on the map. The tool will then superimpose two concentric damage circles on the map to describe the areas damaged by explosive overpressure (3-psi and 9-psi) in the attack. The rules for the placement of the ‘point of attack’ are explained in detail in each attack scenario. The radius of the damage circles are also determined by the scenario being mapped.

Attack Scenarios

There are a total of eight general attack scenarios with two or three variations of each one available. The facility will pick the variation that best suits their situation. Provisions are also made for the facility to provide their own variation for their specific situation. I would probably not recommend this option unless the facility has someone available (probably a contractor) that has been trained in attack scenario development.

The eight attack scenarios are listed below. There is a table on pages 68 and 69 of the CSAT Security Vulnerability Assessment Questions manual that describes which scenarios are associated with which security issue. That table can be simply summarized; the first five are for release COI, the 6th and 7th for Theft/Diversion COI, and the last for Sabotage COI. Even that explanation was probably unnecessary.

  • Maritime
  • Vehicle Borne Improvised Explosive Device (VBIED)
  • Assault Team
  • Standoff
  • Aircraft
  • Theft
  • Diversion
  • Sabotage

The Maritime scenarios can only be used if the facility is located directly adjacent to a navigable water way or has such a water way entering the facility boundary. These scenarios will be most applicable to those facilities that ship/receive chemicals via barges.

Adequacy of the Scenarios

The question that will come up now is whether these eight scenarios are adequate to the task of evaluating the vulnerability of the facility to attack. The simplistic answer is that these scenarios are adequate for evaluating the vulnerability for these modes of attack. Anyone with military training could certainly imagine other modes of attack. The longer they thought about it the more modes they could identify.

None of these modes deals with the threat of cyber attack. With the number of news stories that have been printed in the last six months about the vulnerability of cyber systems this appears to be a surprising oversight. DHS did not miss this potential vulnerability; they just chose a different mode of evaluating that threat. That will be covered in a later blog.

Insider attacks are not directly addressed for Release COI. Without reading or discussing the detailed information on the scenarios ‘classified’ as CVI we cannot tell if there are provisions for dealing with insider assisted attacks. Insider threats to cyber systems are addressed to some extent in the vulnerability analysis of those areas.

A pet scenario of mine (sabotaged incoming raw materials) has been overlooked. Substitution of raw materials or adulteration of raw materials being shipped into the plant could result in some nasty reactions in storage tanks or process equipment. This type of attack could result in the release of byproduct chemicals that are not even addressed in facility Top Screen, much less the SVA. Admittedly, this would have to be a very sophisticated attack and the defenses against it are more quality related than security related. I guess that I have to give DHS a pass on my scenario.

Another scenario that I was surprised not to see was the off-site attack on key utilities. The simultaneous loss of process water and power could prove to be embarrassing to many process industries. Cooling is an important tool to controlling many energetic reactions. Usually there are redundant systems available for cooling control, but none of them work if both water and power are knocked out at the same time. To be fair, this is at least partially addressed in some earlier questions (see: "SVA – Facility Security Information").

On the whole I would have to say that it looks like DHS did a pretty good job in selecting their scenarios. It is certainly not an exhaustive list, but an exhaustive list would not be practical even if it were possible.

I would like to see DHS develop provisions for adding attack scenarios as additional intelligence or actual attack information is developed. This would be a good tool for DHS to update intelligence information within the community while requiring the appropriate facilities to update their planning for the new information.

No comments:

/* Use this with templates/template-twocol.html */