Wednesday, November 12, 2008

RBPS Guidance – RBPS Metrics

This is another in a series of blog posts that looks at the recently released draft DHS guidance document for implementing the Risk-Based Performance Standards (RBPS) in site security plans (SSP) for high-risk chemical facilities. The RBPS are a key component of the Chemical Facility Anti-Terrorism Standards (CFATS). This post deals with the RBPS Metrics provided for each RBPS. Earlier blogs in this series include:
RBPS Guidance – Introduction
RBPS Guidance Shortcomings
RBPS Guidance – 18 Risk Based Performance Standards
Each discussion of the eighteen Risk Based Performance Standards listed in the Guidance document ends with a table listing the ‘metrics’ that might be used to evaluate how a facility’s site security plan (SSP) addresses that standard. The table is laid out so that there is a column for each of the four tiers of high-risk facilities. There is a summary level listing for each RBPS and a separate listing for each of the security measures discussed for that RBPS.

Metrics are Only Guidelines

The use of the term “metrics” is misleading in this draft Guidance document. They do not actually provide a measure of security. DHS describes the information in these tables this way at the start of every RBPS Metrics table in the Guidance:
“The following table provides a narrative summary of the security posture of a hypothetical facility at each tier in relation to this RBPS and some example measures, activities, and/or targets a facility may seek to achieve that could be considered compliant with the RBPS. However, a facility may choose to demonstrate compliance through other measures, activities, and/or targets, provided DHS is satisfied that the measures demonstrated meet the level of performance specified in the RBPS.”
The fact that the ‘metrics’ provided in the tables are defined in qualitative rather than quantitative terms adds another level of difficulty for facilities trying to decide whether their site security plan provisions adequately address the RBPS. What is clear from reading these guidelines is that facilities are going to have to work closely with the DHS inspectors during the SSP approval process.

Levels of Protection

In their SVA approval letter DHS will tell each facility their final assigned Tier level and the security issues that must be addressed in the SSP. Both of these pieces of information are important for determining the level of protection each facility must strive to achieve in addressing each of the RBPS in their SSP.

Level of Protection Based on Tier Ranking

To understand how this might work, let’s look at the metrics for RBPS #1, Restrict Area Perimeter. First let’s look at an extract from the summary metric (page 27) for each of the four Tiers (#1 is the highest risk tier):
Tier #1: “The facility has an extremely vigorous perimeter security and monitoring system that enables the facility to thwart most adversary penetrations and channel personnel and vehicles to access control points…”
Tier #2: “The facility has a vigorous perimeter security and monitoring system that enables the facility to thwart or delay most adversary penetrations and channel personnel and vehicles to access control points…”
Tier #3: “The facility has a perimeter security and monitoring system that enables the facility to delay a significant portion of attempted adversary penetrations and channel personnel and vehicles to access control points…”
Tier #4: “The facility has a perimeter security and monitoring system that enables the facility to delay a portion of attempted adversary penetrations and channel personnel and vehicles to access control points…”
We can see the change from an “extremely vigorous perimeter” to a “vigorous perimeter” to just a “perimeter” from Tier 1 through Tier 3, but there is no further decrease at Tier 4, reflecting that there must be some sort of ‘perimeter security and monitoring’ system at all high-risk chemical facilities. We can see a similar change in the required proficiency of that system (from “thwart most” to “thwart or delay most” to “delay a significant portion” to “delay a portion” of adversary penetrations).

Level of Protection Based on Security Issue

Again, we can look at RBPS #1 to see how the level of security required for different facilities also depends on the security issues identified for that facility. For this we can look at Metric 1.3, Standoff Distance:
Tiers #1 and #2: “Sufficient vehicle standoff distance or alternative protective means are provided to ensure that vehicle-borne improvised explosive devices will not cause a breach of containment resulting in an uncontrolled release of a release chemical of interest from the nearest point of attack.”
Tiers #3 and #4: “N/A”
From the wording we can see that this metric would only apply to facilities that have a security issue related to release COI. Facilities with theft/diversion or sabotage COI would not have to use this security measure to address the Restrict Area Perimeter RBPS. Additionally, we can deduce that facilities with a release COI security issue are not assigned to a Tier 3 or Tier 4 ranking, since there are no metrics associated with those levels.

RBPS that Transcend Security Issue or Tier Ranking

Similarly, we can see that some RBPS will have metrics that will not vary because of either security issue or tier ranking. We can think of these as transcendent RBPS. A good example of this can be found in RBPS #10, Cyber. The summary metric (page 81) is the same for all four tiers and carries no reference to any security issue:
Tiers #1, #2, #3, and #4: “The facility should have in place cyber security policies, procedures, and measures that result in a low risk of a successful attack on the facility’s critical cyber systems or using a facility’s critical cyber systems to carry out or facilitate an attack.”
There are some security measure metrics that vary somewhat by tier level for this RBPS. The following security measures have two levels of metrics, those for Tiers #1 and #2 and those for Tiers #3 and #4:
Metric 8.3.2 – Separation of Duties
Metric 8.3.3 – Access Control Lists
Metric 8.4.1 – Cyber Security Training
Metric 8.5.2 – Network Monitoring
Metric 8.5.3 – Incident Response
Metric 8.8.3 – Network/System Architecture
Metric 8.9 – Audits
Metrics as an Evaluation Tool

While DHS currently believes that the Section 550 language prohibiting the requiring of any specific security measure also requires the disclaimer discussed above, the metrics provided in this Guidance document will, for most facilities, provide a useful tool in evaluating their SSP. They won’t provide an absolute measure of compliance, but a facility that can provide an adequate justification to the DHS inspector of how their SSP addresses the listed metrics has a very good chance of having their SSP approved.
