Oil & Gas Industry Towards Global Security
A Holistic Security Risk Management Approach
www.thalesgroup.com/security-services
This white paper discusses current security issues in the oil and gas industry and suggests a holistic security risk management approach to manage security risks to an acceptable level whilst optimizing financial investment.

Threats In The Oil And Gas Field

Safe and reliable energy is a vital link in the nation's critical infrastructure. Oil and gas products play an important role in the national economy and national security and are integral to the way of life. As such, security has always been and continues to be a priority across the oil and gas industry.

Reports from many international government agencies confirm that various terrorist groups target the oil and gas industry. The petroleum industry is in all probability generally subject to these threats due to several factors:

- The physical and chemical properties of the materials processed, stored and handled at these facilities may create attractive targets for an adversary to cause malicious release with the intent to harm a neighboring population.
- The critical importance of the products produced by companies, to the domestic and international infrastructures and to other businesses and individuals, may make disruption of operations of the petroleum industry an attractive option.

The risks from terrorist attacks to the energy supply vary by segment of the industry, which is broadly defined as exploration and production, refining, pipeline transportation (liquids), marine transportation, products distribution and marketing.

Nowadays, with the emergence of new kinds of conflict, asymmetric threats using unconventional warfare tactics are the primary threats to critical infrastructures. This is especially true for the oil and gas industry, which is now involved in asymmetric conflicts.
Oil and gas private security forces are now facing new unconventional opponents such as terrorists (international and national), activists, pressure groups, single issue zealots, disgruntled employees, or criminals, whether white collar, cyber hackers, organized or opportunists. These threats may come from insider activity, external action, or insiders colluding with external adversaries.

These opponents use different attacks including car suicide bombing, mortar rain, rocket propelled grenade, improvised explosive devices (IED), ambushes, hostages, hijacking, kidnapping, computer hacking, information warfare, and so on. The attacks can be complex and coordinated and can exploit a combination of physical, logical (information technology), environmental, organizational and human weaknesses.
Oil And Gas Critical Infrastructures

The potential threats are directed against the whole oil and gas infrastructure but could target its critical and strategic assets such as:

- Oil and gas specific segments: Reservoirs, wells, offshore production facilities, pipeline systems, mass storage facilities and oil refineries.
- Buildings: Administration offices, corporate offices, command and control rooms.
- Equipment: Process units and associated control systems, product storage tanks, surge vessels, boilers, turbines, process heaters, sewer systems.
- Support systems: Utilities such as natural gas lines, electrical power grid and facilities (including back-up power systems), water-supply systems, wastewater treatment facilities.
- Transportation interface: Railroad lines and railcars, product loading racks and vehicles, pipelines entering and leaving facility, marine vessels and dock area, off site storage areas.
- Cyber systems and information technology: SCADA systems, computer systems, networks, devices with remote maintenance ports, laptops, PDAs.

Therefore, to protect those assets, the security measures should be in line with the threat level and adapted to the security risk level.

Security Risks

To address this issue, security needs to be evaluated in order to fully analyze the major security risks: a risk is a combination of the probability of the threat and the potential impact on a critical asset. This is a complex task, and therefore a holistic security risk management methodology is required that enables all security risk levels to be identified, whilst also evaluating the existing technology (which should cover logical, physical and environmental issues), organization and human factors security solutions.

The evaluation of the security risks starts with the identification of the threats, the critical assets and the vulnerabilities. Then, for each security risk that needs to be mitigated, security objectives are defined.
Security solutions are then implemented.

- Loss of human life (killed, injured)
- Economic impact of destruction or disruption
- Business impact
- Political consequences on public confidence
- Potential for loss of energy supply to civilian areas
- Potential impacts for environment
- Extended time needed to repair
- Potential for interdependency effects
Security Risk Management

The objective is to define a security program based on a collective effort that seeks to reduce the likelihood that industry personnel, their families, facilities and materials shall be subject to any kind of attack, and to prepare to respond to the consequences of such attacks should they occur. This section describes the security management process to mitigate the risks and to develop a security program.

Based on interviews, site surveys and documentation, the following areas have to be addressed:

- Threat Assessment: define alert levels, identify the threats and evaluate probability.
- Criticality Assessment: identify critical assets and define asset criticality levels.
- Vulnerability Assessment: identify vulnerabilities and evaluate criticality. This includes manpower and security force protection assessments.
- Risk Assessment: identify and evaluate the risks based on the conclusions of the previous assessments.

Consequently, for each risk identified, the management decides whether the risk should be controlled, ignored, insured or accepted.

The first step is to set up the internal organization to pilot the risk management process and to define the scope and objectives of the Security Committee and the Security Working Groups. The organization should be based on:

- Security Committee (SC): includes top management that develops security strategy, provides guidance, direction and cooperation.
- Security Working Groups (SWG): take actions, provide inputs and feedback. They develop and recommend policy, prepare planning documents, conduct risk assessments. One of the SWG is the Threat WG, which consists of a Counterintelligence representative, a Law Enforcement representative, an Information Operations representative and the Chemical, Biological, Radiological, Nuclear and High Yield Explosive (CBRNE) representative. Larger installations may include additional personnel as assigned by the SC.
If the decision is to control the risk, security objectives are defined. Security solutions (based on technology, organization or human factors) should then be provided according to risk priority and objectives. Those solutions are categorized as prevention, detection, response and recovery. As a result, conclusions are formalized in the Security Master Plan (SMP).
Implement Solutions

Appropriate security solutions defined in the Security Master Plan should be implemented through a series of actions including:

- Prioritization of recommended security solutions.
- Planning implementation and funding of security solutions.

The quality of this security management process is maintained using the PDCA model:

- Plan: Establish or update the Security Master Plan to improve security.
- Do: Implement and operate the actions defined in the SMP.
- Check: Monitor, review the actions and report the results to decision makers.
- Act: Maintain and improve the actions.

The management of security risks includes evaluating risks, developing solutions, making decisions, implementing solutions, supervising, reviewing and improving security level. These are essential follow-through actions of the risk management process. After identifying and implementing additional countermeasures or mitigation efforts, it is essential to recalculate the risks. A risk management scorecard is useful. A complete yearly risk assessment is recommended.

Best Practices In Security Management

With decades of experience in the oil and gas industry and significant depth of knowledge of security systems from its core competencies in defense and civil businesses, Thales has identified some best practices of security management:

- Risk management: Integrate holistic security risk management into the corporate risk management process.
- Security organization: Create senior level security committee, Security Working Groups, corporate security risk manager and local security officers (IT, safety, facility, etc.).
- Coordination: Develop coordination with government and stakeholders (customers, suppliers, infrastructure providers).
- Security Master Plan: Define the security doctrine, the operational concept and the means to achieve an efficient level of security.
- Resilience management: As global security is impossible to achieve, resilient system designs and procedures should be adaptable to the unpredictable. Contingency plans (business continuity and emergency response and disaster plans) should be formalized, tested and updated for rapid recovery from disruptions.
- Interdependencies: Evaluate contingency plans from an infrastructure interdependencies perspective and enhance coordination with other infrastructure providers (e.g. electric power, telecommunications, water, transportation).
- Human resource: Background investigations for new hires and periodic updates for current employees, define a hiring policy, implement structured security requirements for critical suppliers and partners. Formalized security policies and procedures. Raise employee awareness and education to be proactive on security matters.
- Physical security: Identify and restrict access to sensitive areas, implement access control list and badge program. Increase security checkpoints, manned facilities, video surveillance, badge identification, tracking of people and vehicles, escorted visitors and flyovers.
- Information System and Network architecture: Define LAN/WAN network perimeter, minimize external connections, keep up to date mapping of network, enhance security of mission critical systems, write and communicate an IT security policy. Enhance traffic filtering, authentication controls, encryption, and access controls, minimize or disable all unnecessary services and software, filter emails, control viruses.

The Scope of Work that is proposed in this white paper details the development of a security strategy, which includes those best practices.
Typical Thales Scope Of Work

Thales can assist organizations in setting up a program to develop an efficient security risk management process. This program is scheduled in five steps, as described in the figure below:

The first step is to define the scope of the Risk Management Program. Thales considers the following actions:

- Meet senior management.
- Understand the business objectives.
- Set up a Security Working Group.
- Define the scope of the System that will be concerned by the security risk management program, i.e. one or more infrastructures.

Outputs:

- Definition of the Security Working Group.
- Formalization of the scope of the System.
- Formalization of the planning of the security risk management program.

The next step is to understand the organization and the System concerned by the scope. Thales considers the following actions:

- Understand the organization.
- Understand the relations with government agencies.
- Understand the System.
- Identify constraints such as business, industry, national and international regulations.

Output:

- Understanding of the context.

The next step is to analyze the security risks existing in the System. Thales considers the following actions:

- Visit the System.
- Undertake the threat assessment, the criticality assessment and the vulnerability assessment.
- Do the risk assessment.
- Select risks to accept, to ignore, to control or to insure.
- Propose security objectives.
- Recommend mitigation security solutions.

Outputs:

- Security risk analysis results report.

Based on the decisions of the Security Committee, a strategy is decided and a Security Master Plan is formalized to define the security doctrine and the operational concept. Thales considers the following actions:

- Define a security doctrine and an operational concept.
- Formalize the Security Master Plan.
- Plan implementation of security solutions.
- Calculate the return on security investment (ROSI).
- Propose a plan to implement the security solutions.
Outputs:

- Security Risk Management Methodology document (adapted to the organization).
- Security Master Plan document.
- Security doctrine and operational concept document.
- Implementation plan report.
- Return on security investment report.

The last step is the design and the implementation of the actions described in the Security Master Plan. Thales considers the following actions:

- Define a new security organization including the Security Committee and one or more Security Working Groups.
- Develop operational security procedures including crisis management, incident and antiterrorism responses.
- Design security control rooms.
- Define a training policy and develop a training program, i.e. operational and technical.
- Implement physical security, i.e. barriers, video surveillance, intrusion detection systems, access controls, etc.
- Implement information technology security, i.e. LAN and WAN network, information system architecture, server hardening, etc.
- Implement communications security, i.e. confidentiality, anti-jamming, resilience, etc.
- Implement individual protective measures including personal protection for personnel and family members.
- Develop specific software to produce daily scorecard of the risk situation (option: with geographic information system support).
- Develop resilience solutions based on technology and organization.
- Maintain the solutions participating in the Do-Check-Act process.

Outputs:

- Implementation and maintenance of the security solutions.

To support this SOW, Thales has developed a specific software tool, CASRIM (Critical Asset Security RIsk Management). CASRIM helps Thales engineers to analyze the situation and produces graphical outputs of the risk analysis.
Benefits

Determining the risk is essential since the management must understand the threats, what assets are most important to protect, and which of those important assets are most vulnerable. Assessing security risk provides the value of an asset in relation to the threats and the vulnerabilities associated with it. This aids the management in balancing threats to vulnerabilities and the degree of risk that the management is willing to accept by not correcting, or perhaps being unable to correct, a vulnerability. For any vulnerability, the management shall manage risk by developing a strategy to deter incidents, employ countermeasures, mitigate the effects of an incident, and recover from an incident.

Using a holistic methodology of this type ensures that minimum appropriate investments are directed into security solutions to reduce identified risks. In addition, as there is integration between the security technology and the organization's objectives and processes, efficiencies can be gained whilst still remaining secure.

Security features that have been factored into initial infrastructure facility design are more likely to be cost-effective, better integrated and more operationally useful than those superimposed on existing structures through add-ons or change orders. Likewise, security features which have been coordinated early in the planning and design process with the architects and other concerned regulatory bodies, as well as with end-users (employees, clients, law enforcement, public safety and regulatory agencies, and operations and maintenance personnel) are more likely to be well received and accepted, and thus more widely used and successful.
Conclusion

By implementing a holistic security risk management methodology, security solutions can be adapted to the changes in threats and security risks, and the levels of investment can be adjusted in accordance with the protection required.

The oil and gas cycle from initial field exploration through production, transport and consumer retail operations is highly complex, with countless potential weak links that are subject to security breakdowns. The security should reflect the risk status and financial resources of the infrastructure. Smaller infrastructures have limited funding and have to plan their security projects with an eye toward simplicity and manageable cost.

The methodology developed in this white paper is scalable and can cover from a single infrastructure to the entire oil and gas chain starting with exploration, development and production, then on through pipeline transport to refineries and processing plants to storage facilities and then on to distribution of refined products by land or sea, finishing at the retail outlets.

Philippe Bouvier
Security Consulting
Thales - Security Solutions & Services Division

Organizations from around the world are already benefiting from the use of this methodology including military organizations, national airport authorities, energy and water companies, financial institutions and transportation companies.

Thales brings together decades of experience in the oil and gas industry and significant depth of knowledge of security systems from its core competencies in defense and civil businesses. Thales is an unrivalled systems integrator of physical and IT security solutions for the oil and gas industry.

If your organization would also like to reduce overall security costs, improve the efficiency of security investment and measurably reduce security risks then please contact your local THALES representative for more information.
Thales Security Solutions & Services Division Security Systems 20-22 rue Grange Dame Rose CS 80518 78141 Vélizy Cedex - France Tel: +33 (0)1 73 32 00 00 November 2007 - Photos: Thales, GettyImages