Wednesday, July 9, 2008

SVA – Attack Scenarios – Vulnerability Factors

This is the next in a series of blogs concerning the Security Vulnerability Assessment (SVA) instructions recently published by DHS. This blog deals with developing the vulnerability factors for the attack scenarios used in the SVA. The previous blogs in this series are listed below.

Arguably the most difficult part of the attack scenario analysis is determining the relative vulnerability of the facility to each of the attack scenarios. Instead of asking empirical questions, this portion of the analysis uses qualitative questions to develop numerical factors that assess the facility’s vulnerability to each of the attack scenarios. The range of possible answers is usually worded as "extremely unlikely to achieve" to "almost certain to achieve", with the exact wording depending on the question asked. Because these questions are qualitative, the Preparer is also asked to document the assumptions used in answering them.

Probability of Asset Identification

A successful attack on the asset requires that the attacker successfully identify the asset to be attacked. To determine this probability of asset identification, the Preparer will answer the question:

  • "How likely is the adversary, in the course of planning and/or executing this attack scenario against this asset, to identify the specific asset(s) that must be attacked or stolen to achieve significant consequences?"

The answer is given by selecting one of five statements ranging from ‘extremely unlikely to identify’ to ‘almost certain to identify’ the asset in question. In answering the question the facility will take into account things like markings and labels. These factors and the uniqueness of the asset will play a role in how easy it is to identify.

Probability of Gaining Access to the Asset

To successfully attack an asset, the terrorist must first gain access to the targeted asset. Different attack modes will require different types of access. A VBIED attack requires getting the vehicle within 170 feet of the asset while an assault requires direct access to the asset. To determine this probability of access the facility takes into account existing security measures other than security response forces (either on-site or off-site). The question to be answered is:

  • "How likely do you think it is that the adversary would be successful in breaching existing security measures and accessing a location from which they can attack the asset?"

Security measures could include such items as vehicle barriers, blast walls, or security doors. It would all depend on the attack mode and the asset involved. Vehicle barriers would be effective against a VBIED, but next to useless to stop an assault. A sheet-metal wall screening a storage tank from the road would be effective against a stand-off attack, but would not be effective against a VBIED.

Probability of Security Response Force Interdiction

The intent of a security response force, if one is present, is to prevent the terrorist from successfully completing the attack. This analysis assumes that the facility’s other security measures will delay an attack long enough to allow the security forces to respond. The following question seeks to determine how likely such a force is to stop the current attack scenario.

  • "How likely is the facility security response force to successfully interdict the adversary before they are successful in executing their attack (assuming that other security measures alone are not successful in stopping the attack)?"

In answering this question the facility should assume a reasonable delaying effect from the other security measures currently in place. Again, the ‘reasonable delay’ would depend on the type of attack. Security fencing would provide some delay to an assault force, but would do nothing to delay a standoff attack.

Again, the Preparer will answer the question by selecting the appropriate response from a range of responses provided. A separate question deals with the same issues for an off-site security response force.

Probability of an Attack Achieving Success

This question is an attempt to address the general potential effectiveness of the attack scenario. It does not allow for taking into account any of the security measures present at the facility. The question asked is:

  • "How likely is the adversary to succeed in accomplishing this attack (giving no credit for any facility or asset security measure)?"

This will be the hardest question for many facilities to accurately assess. It takes a good understanding of the tactics and operational capabilities of a potential adversary. Few engineers or chemists will have the necessary training or experience to answer this question effectively.

Probability of Target Hardness Affecting Attack Success

Some targets are easier than others to attack because of the nature of the target. This is described as target hardness. For example, an underground storage tank is less likely to be affected by a VBIED a hundred feet away than is an above-ground tank. Frequently this is a simple engineering calculation of the effect of a 9 psi overpressure event on the asset.

The actual question is:

  • "What is the probability that the asset would withstand the attack (i.e., suffers less than a catastrophic release/explosion or loss of COI to theft/diversion), assuming that the adversary is successful at accessing the target and executing the specific type of attack?"

Probability of COI Availability

An attack on an empty storage tank would not be very successful. This question focuses on the likelihood of a significant amount of the COI being present when the attack takes place. The facility will have to take into account not only the amount of time that the COI is present, but also the ability of the terrorist to know when the COI is present.

  • "How likely is the specific asset attack to contain the relevant COI, assuming that the adversary identifies and attacks the correct target asset?"

Probability of Successful Diversions

There are three separate questions dealing with the ability of a terrorist to divert a shipment of Theft/Diversion COI. Each question is based on the ability of the terrorist to subvert facility procedures to obtain a shipment of the COI. The CSAT Security Vulnerability Assessment Instructions (page 74) specifically suggest considering insider involvement when looking at these questions.

The questions are:

  • "How likely is the adversary to be able to register as a new customer that is approved to purchase theft/diversion COI?"
  • "How likely is the adversary to be able to place an order for this COI for an authorized customer that would allow shipment to a location where the adversary could accept the shipment?"
  • "How likely is the adversary to be able to pick up an order for an authorized customer for this COI?"

The facility will need to look at their internal rules and procedures to determine how to answer these questions. Once again, there will be a range of responses for each question and an area for the Preparer to record the assumptions that were made in preparing the response.
