Monday, June 8, 2009

RBPS Guidance – RBPS #2 Secure Site Assets

This is another in a series of blog postings that will provide a close-up look at the RBPS Guidance document. DHS recently released this document to assist high-risk chemical facilities in meeting the risk-based performance standards required for site security plans under 6 CFR §27.230. The other blogs in the series were:

Risk-Based Performance Standards Guidance Document
RBPS Guidance – Getting Started
RBPS Guidance – RBPS #1 Restrict Area Perimeter

In this posting we will look at the second Risk-Based Performance Standard (RBPS) as it is outlined in the RBPS Guidance document. While many of the techniques discussed in this section were also discussed in RBPS #1, the focus here is on individual ‘critical assets’. Those assets may include COI storage or process units, bulk loading or unloading areas, process or security control rooms, or computer servers.

Security Objectives

With the change in focus comes a slightly different set of security objectives for this RBPS. The first RBPS was directed at “limiting the accessibility of the facility such that there is a low likelihood of an adversary successfully breaching the facility perimeter” (pg 22). The objective for this standard is “physically limiting the accessibility of the asset to reduce the likelihood of unauthorized release, theft, or sabotage” (pg 32).

Another new objective of this RBPS is to prevent insider attacks. In the overview discussion the standard notes that RBPS #2 “addresses malevolent acts perpetrated by insiders or insiders in collusion with outsiders” (pg 32). These objectives will change how the facility plans its particular combination of securing and monitoring techniques to fulfill the requirement to address this standard.

Perimeter Security

Even if the facility has a perimeter barrier around the entire facility perimeter, security managers might want to consider installing additional barriers around certain critical assets. While these barriers typically restrict personnel access to those assets, they may also be aimed at “physically protecting the asset from the effects of explosives” (pg 32). This means that these barriers may include blast walls or blast curtains to protect particularly sensitive assets like release COI storage tanks.

Current DHS thinking does not envision every critical asset having the additional protection of asset perimeter barriers where facility perimeter security already exists. The metric for critical asset perimeter barriers only includes a description of a measure for Tier 1 assets. That metric (Metric 2.1) states:
“Where feasible and consistent with critical operational and safety considerations [emphasis added], the facility has an internal perimeter barrier (e.g., a security fence or equivalent barrier that meets industrial consensus standards) that severely restricts or delays any attempts by unauthorized persons to gain access to a Tier 1 restricted area or critical asset” (pg 38).
Even for Tier 1 assets this metric acknowledges that there are considerations other than security which may affect the facility decision to provide internal perimeter barriers. While acknowledging this, it provides for alternative measures including a “well-secured facility perimeter, combined with high-performance asset monitoring and strict administrative controls on asset access”.

Controlling Vehicle Access

While controlling general access to Tier 1 critical assets may be relatively optional, two different Metrics address the question of vehicular access to both Tier 1 and 2 critical assets. Metric 2.2 deals with general vehicle access and Metric 2.3 deals with preventing ‘access’ of VBIEDs (vehicular borne improvised explosive device) to these high risk critical assets.

Metric 2.2 expects Tier 1 and 2 facilities to have security measures that would ensure that vehicles “would have a very low likelihood [Tier 2: a low likelihood] of accessing a critical asset’s restricted area by force” (pg 39). These measures would be designed to prevent vehicles from crashing into the asset and could include “bollards, berms, landscaping, ditches, drainage swales, or buried concrete anchors retaining anti-vehicle cable”.

Such measures should not be necessary if a vehicle could not reach the critical asset because the asset is surrounded by process equipment or buildings, or is contained within a building. Essentially these items would be the barrier preventing vehicular access.

VBIED Access

Metric 2.3 addresses the use of a VBIED to attack the critical asset. The same types of security measures could be used to prevent VBIED access. The difference would be the distance that the vehicle would have to be kept from the asset. For a VBIED the vehicle would have to be kept far enough away “to ensure that a VBIED is extremely unlikely to be able to compromise a critical asset” (pg 39). The same standard would be applied to both Tier 1 and 2 facilities.

Unfortunately, there is nothing in the Guidance document that describes how to determine that distance. Typically there will have to be an assumption made as to the size of the VBIED, which will vary according to the size and explosive used. Then the facility would have to know what level of blast overpressure the asset could reasonably be expected to survive. Then it becomes a relatively simple calculation as to the distance the VBIED would have to be from the asset for the overpressure effects to be less than the asset could withstand. Provisions might also be made to deal with projectiles from a VBIED enhanced with nails, ball bearings, or other embedded metal.

If it is not physically or practically possible to keep vehicles far enough away from the critical asset to prevent overpressure effects from significantly damaging the asset, alternative measures would be required. This could include blast walls to prevent the overpressure effects from reaching the asset. Blast curtains can be employed to prevent projectiles (and to a lesser extent the overpressure) from reaching the asset.

Monitoring Site Assets

Metric 2.4 is the only metric (other than the summary metric) in securing site assets that DHS considers should apply to all four tiers of high risk facilities. Even in the summary metric, the only security action that applies to all four tiers is monitoring the assets to detect “unauthorized adversary actions toward restricted areas or critical assets” (pg 38).

Metric 2.4 calls for the use of (electronic or personnel) monitoring systems to “monitor restricted areas or critical assets (e.g., COI loading and unloading areas, critical valves, pipelines, manifolds, control rooms, storage facilities) to detect attempts to gain unauthorized access to, tamper with, sabotage, steal, or remove without authorization critical assets” (pg 38).
The only difference across the Tiers is the frequency of monitoring (Tier 1 and 2 – ‘continuously monitor’; Tier 3 and 4 – ‘monitor’) and the ‘critical assets’ to be monitored (Tier 4 only mentions monitoring ‘loading and unloading areas’). This reflects the fact that Tier 4 facilities do not typically have release COI.
