Monday, June 15, 2009

Reader Comment - 06-14-09 - Discussion on Assets

The following response from a reader in DHS explains how they came up with the way they are dealing with assets in the SSP. This is a very thoughtful response and I am happy to include it in its entirety and unedited (though I did add a link to the referenced posting). Obviously without knowing who the writer is, the readers of this blog will have to make their own decisions as to how authoritative this is. I am completely satisfied that this explanation is a good description of how at least a significant portion of DHS looks at the issue. Without further introduction:

I read the reader comment and your comment on the comment having to do with Identification of Assets. Let me try to clarify a bit…

The SVA did ask owner/operators to identify assets and to provide some basic information on them. In the context of the SVA, we were looking for information that would contribute to a more detailed understanding of Consequence – in other words, where and in what are your COIs? The questions about assets were spun that way, and for the most part, respondents got that we were looking for “asset” information that would allow us to refine our understanding of consequentiality. Hence, in most cases, the “assets” submitted were tanks, tank farms, warehouses, and in many cases, actual COIs themselves, especially when all a facility’s COI was in a single cylinder or small group of cylinders. The bottom line is that the “asset” information collected under SVA is of little utility (in most cases) for understanding vulnerability – it was intended to give us a much fuller understanding of consequence.

In context of the SSP, we are looking for information that informs our understanding of vulnerability. Therefore, we are looking for “asset” in a different sense. (We are well aware that we could have worded things a little better, but what is done is done.)

In the SSP process, we are looking for a facility to provide security (and safety, mitigation, response, if those things affect either vulnerability or consequence) information on each component, area or capability on the facility (or elsewhere, in some cases) that affects the consequences and/or vulnerability of a COI or other potentially hazardous chemical.

That is a mouthful. Let’s break it down. An asset in the SSP context is anything – a system, structure, even a capability. In identifying assets, a facility should ask itself these questions:

Where are my COIs located? The physical structures that are holding and processing COIs are assets that should be included. The decision as to how far down to break a system into constituent assets belongs to the site; however, it is in their interest to break it down enough so that assets with different measures being applied to them are separated. For example, if a caustic and chlorine unloading unit has cameras on the unloading station and in the storage tank area but not on the rail siding where cars are parked, they may want to break the CCL unit down into three “assets” – rail siding (no credit for CCTV) and unloading stations (yes credit for CCTV) and storage tank farm (yes credit for CCTV + yes credit for secondary containment). If there is one big dike around the whole unit, and it is all covered by CCTV, then the “asset” might just be the CCL Unit.

What Assets affect my COI especially in terms of vulnerability and consequence? The physical security measures not DIRECTLY associated with COI also matter – the gates, perimeter, cameras, lights, etc. that make up the macro security for the facility. Again, systems should only be broken down to the extent that they must be to differentiate between the impact the different components have on vulnerability and consequence. So a facility may declare its perimeter as an asset, or conversely, it may break it down into the barrier, active gates, and inactive gates if the structure and measures in place are varied for these different elements. The same goes for power substations, utility feeds, computer systems, personnel departments, and so on.

There are a few things that a facility really needs to do in order to get an SSP right or close to right on the first try. These are –

Plan – including reading all the instructions and guidance docs, and assembling the right team.

Identify the right assets – figure out what you have that affects either the vulnerability or the consequentiality of your COIs, number them, and circle them on your site diagram. These are your “assets” for the SSP.

Be detailed. Think of this from our perspective. Anything we are not told – well, we will have to make assumptions, and they will almost always be unfavorable. So, if someone says “Fence – yes” but gives us no other information, we will have to assume it is one of those silt fences that you see around construction sites, and may be falling down at that. If someone says “Fence – yes” and then puts in the text box – “11 gauge chain link meeting current milspec – 6’ on metal posts set in concrete, with 1’ foot triple strand barbed wire top guard on outriggers. Fence encircles 100% of active facility. 3’ clear zone inside (100%) and 4’ clear zone outside (100%). Full stone ballast, top rail and bottom wire. Complete maintenance contract with installer in place. Fence is broken by 5 gates, 1 active vehicle (guarded 24x7) 1 active rail (not guarded, controlled by site personnel) 2 active pedestrian with card controlled turnstiles, 1 inactive fire gate (joint control site personnel and local FD)” – This fence is going to get the facility lots of credit for vulnerability reduction. We can see how the fence impacts vulnerability, and we can therefore give full credit.

I know that’s a little much – sorry. I was trying to put the context around the issue of “asset”.

One other tidbit that might help – Remember our basic equation, right?

C x V x T = R

C is consequence
V is vulnerability
T is Threat
R is Risk

We get a rough “C” from the top screen. Based on that, we either ask for more info or determine a facility is not at all likely to be “high risk” and we screen them out. We ask for more info in the form of an SVA. From the SVA, we get a much more refined “C” and we also get a rough, opinion of the operator, “V”. Based on this info, we may (and often do) change the preliminary tier ranking and then ask for detailed security and security risk management info. That is the SSP. The SSP gives us a refined “V”. We add the “T” based on an internal process, and there you have it – a risk rating for each plant.

The key of course is the veracity of the inputs. Virtually ALL the input data comes from the facilities themselves. Like all such systems, the better the info going in, the better the result coming out. The key for respondents is this – when we are not told something, we are forced to make assumptions, and we will make very conservative assumptions, as we must.
