Time filter

Source Type

Vienna, United States

Moore D.A.,AcuTech. Consulting Group Inc.
Journal of Loss Prevention in the Process Industries | Year: 2013

The American National Standards Institute (ANSI)/American Petroleum Institute (API) Standard 780 Security Risk Assessment (SRA) Methodology was published in June 2013 as a U. S. standard for security risk assessments on petroleum and petrochemical facilities. The standard represents a model standard for evaluating all security risks of petroleum and petrochemical infrastructure and operations and assists industries in more thoroughly and consistently conducting SRAs. The 2013 Standard is an update from the previous API/NPRA SRA Methodology (2004) and focuses on expanding functional utility without changing the basic methodology. The methodology can be applied to a wide range of assets even beyond the typical operating facilities of the industry. This includes refining and petrochemical manufacturing operations, pipelines, and transportation operations including truck, marine, and rail, as well as worker and executive security, housing compounds, and remote operational sites. The new standard describes the most efficient and thorough approach for assessing security risks widely applicable to the types of facilities operated by the industry and the security issues they face. It is voluntary but has been adopted by the Kingdom of Saudi Arabia Ministry of Interior High Commission for Industrial Security as the mandatory security risk assessment methodology for industrial facilities. This paper examines the key elements of the ANSI/API SRA process and discusses how forward thinking organizations may use risk-based performance metrics to systematically analyze facility security postures and identify appropriately scaled and fiscally responsible countermeasures based on current and projected threats. The AcuTech Consulting Group developed the methodology under contract to the API, and the author was the project manager for the project. © 2013 Elsevier Ltd.

Moore D.A.,AcuTech. Consulting Group Inc.
10th Process Plant Safety Symposium, Topical Conference at the 2008 AIChE Spring National Meeting | Year: 2014

Section 550 of the Homeland Security Appropriations Act of 2007 ("Section 550"), enacted on October 4, 2006, provided the Department of Homeland Security (DHS) with authority to promulgate "interim final regulations" for the security of certain high risk chemical facilities in the United States. The Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR Part 27) is risk-based and performance-based, which makes it both particularly progressive and flexible and yet challenging due to the nature of the rule. The asset owners of high risk chemical facilities must interpret regulatory requirements and DHS guidance, and then stand up a set of security measures that achieve risk-based performance standards depending on their Tier level. Congress prohibited the DHS from requiring specific security measures while giving them the authority to approve site security plans. DHS must then interpret the security posture established by the asset owner and evaluate the proposed measures against the risk-based performance standards to judge the level of compliance. Two key issues emerge - the need to define adequate security and compliance in a completely performancebased regulation. Copyright © (2008) by the American Institute of Chemical Engineers.

Moore D.A.,AcuTech. Consulting Group Inc.
Global Congress on Process Safety 2012 - Topical Conference at the 2012 AIChE Spring Meeting and 8th Global Congress on Process Safety | Year: 2012

This paper explains several recent experiences in inherent safety where, despite substantial progress in the reduction of risk, the public or regulators were not satisfied with the outcome. The key reason for this is believed to be due to the lack of any accepted methodology, set of criteria, and requirement for 'tolerable risk' decision-making. This, combined with public outrage on the issue if there is an extreme aversion to risk or possibly a threat or perceived threat, such as from a past accident or the fear of terrorism, results in an environment where irrational decisions are possible. The author believes this will occur more frequently in the future as the degree of the public's risk tolerance is diminishing. Inherent safety as a regulatory concept has known complicating issues, such as the lack of metrics to judge the adequacy of the efforts employed. More so, experience has shown that the public and regulators may not be satisfied with inherent safety improvements even if they are substantial reductions in risk. The key expectation with most persons exposed to a potential release of hazardous materials is that the reduction of risk results in zero exposure to them. The final expectation is the reduction of consequences v. the reduction of risk. Inherent safety (substitution or minimization) becomes the preferred mechanism in the eyes of the public for achieving that reduction. The paper will show how these decisions are both challenging technically as well as emotionally and go beyond technical 'precision'. The current system lacks incentives for industry to use IST if the investments will not be fairly judged on a clear and transparent basis. Given the lack of specific guidance on decision-making in this situation, the benefits and impacts of intended changes, and the lack of specific guidance on how regulatory burdens may be reduced and safety and security risks improved, industry may be uncertain on the value of IST investments. ©2012 AcuTech Group, Inc.

Hazzan M.J.,Eastern Business Unit | Rose M.R.,AcuTech. Consulting Group Inc.
Chemical Processing | Year: 2010

The US Occupational Safety and Health Administration (OSHA) has issued petroleum refinery process safety management national emphasis program (NEP) in response of a high rate of fatalities and serious injuries in the chemical refining industry. The Refinery NEP features a publicly available static list of inspection questions and a dynamic list of questions restricted to OSHA personnel, to audit the facilities. The Chemical NEP will focus on the elements such as mechanical integrity, operating procedures, management of change (MOC), pre-startup safety review, and contractor safety. OSHA also will examine the interrelationship between process safety elements and will audit the flow of information among these elements. The Refinery NEP will allow inspectors to generate citations for alleged violations of general OSHA standards, such as lockout/tagout, hazard communication, and confined space.

Leith H.M.,AcuTech. Consulting Group Inc. | Piper J.W.,AcuTech. Consulting Group Inc.
Journal of Loss Prevention in the Process Industries | Year: 2013

The financial success of the chemical and petrochemical industry will increasingly depend upon the security of process control systems. This paper presents recommendations and insights gleaned from over 100 security risk assessment (SRA) and process control analyses, using requirements baselines extracted from the National Institute of Standards and Technology (NIST) special publication 800-53 (and Appendix A), the Recommended Security Controls for Federal Information Systems and Organizations, in conjunction with NIST special publication 800-82, Guide to Industrial Control Systems(ICS) Security, to provide the bridge in application of 800-53 controls to IC/SCADA. The paper identifies how current and projected malevolent threats posed by insiders, outsiders, collusion, and system-induced threats can erode system performance in terms of shut downs, sabotage, production disruption, and contamination. The issue is not whether there are clear and present cyber threats, nor whether there are business prudent practices that can be implemented to counter those threats; but rather that there is such a diverse compendium, at times conflicting and often technically obtuse guidance, that clarity is needed to narrow the focus of this guidance to assist those responsible for implementing effective process control security. The paper focuses on application of business-prudent controls and discusses how disparities in implementation of controls can exacerbate system vulnerabilities. Topics include issues of processes control system management, systems documentation, use of contractors and remote contractor access, system authorities that exceed user needs, misalignment of staff perception of information asset values, exposures related to use of USB ports, lack of encryption, and background surety gaps for individuals and contractor companies with access to process control systems. The paper examines the dynamics of communicating information from process control systems to business IT systems and the pressure from business operations to capture process data and make it available in near real-time through administrative networks. Such pressures may influence systems administrators to overlook or ignore firewall and systems engineering architecture, increasing potentials for two-way interface between business and process control that significantly increases exploit exposures. Despite the availability of excellent guidelines for physical and technical security of IT related assets, these practices are too often unheeded in favor of expediency or expanded access. The paper includes a discussion of Risk Management Framework models that should be considered to enhance the correspondences and relationships between multiple organizational domains, thereby promoting more effective cyber security for current and future process control systems. The paper summarizes the process for establishing security for industrial control systems (ICS), and addresses cyber security baseline requirements and expectations, within a risk management framework that provides a decision basis, threat dynamics, common vulnerabilities, and prudent mitigation measures. Much of this summary has been derived from The Information Technology Laboratory at the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. NIST has also published Applying NIST SP 800-53 to Industrial Control Systems which demonstrates the relationship of 800-53 to ICS security and the application of more than 20 control families and over 625 control elements to ICS security. Although originally designed for Federal systems, portions of these publications also provide a solid foundation for critical commercial and industrial information control systems in terms of addressing the basic questions that companies in the process industry should consider when selecting security controls, including: • What controls are actually needed to protect process systems, while supporting operations and safeguarding critical assets? • Can the selected controls suggested for Federal systems effectively be implemented for systems in the process industry? • Once selected and implemented, will these controls really be effective in protecting the processes? NIST SP 800-53, Recommended Security Controls for Federal Information Systems, helps answer questions to strengthen commercial processes information security programs. The security controls articulated in NIST SP 800-53 provide guidance and recommend practices applicable to security systems in process industries, to provide a foundation for understanding the fundamental concepts of security controls. The introductory material presents the concept of security controls and their use within well-defined information security programs. Some of the issues discussed include the structural components of controls, how the controls are organized into families, and the use of controls to support information security programs. The guide outlines the essential steps that should be followed to determine needed controls, to assure the effectiveness of controls, and to maintain the effectiveness of installed controls. The appendices in NIST SP 800-53 provide additional resources including general references, definitions, explanation of acronyms, a breakdown of security controls for graduated levels of security requirements, a catalog of security controls, and information relating security controls to other standards and control sets. The controls are organized into classes of operational, management, and technical controls, and then into families within each class. To maintain parity and applicability with advances in technology, NIST also plans to review and to update the controls in the catalog as technology changes and new safeguards and new information security countermeasures are identified. NIST SP 800-53 and related documents are available at http://csrc.nist.gov/publications/nistpubs/index.html. The extensive reference list in SP 800-53 includes standards, guidelines, and recommendations that process industry companies can use as the foundation for comprehensive security planning and lifecycle management processes. Additionally, a significant effort of broad commercial and government cooperation, the Consensus Audit Guideline (CAG) provides a 20-element cyber security controls roster supporting a common commercial framework for cyber security, correlating to the NIST 800-53 Control Library. © 2013 Elsevier Ltd.

Discover hidden collaborations