"INTRODUCTION TO SECURITY VULNERABILITY ASSESSMENT The first step in the process of managing security risks is to identify and analyze the threats and the vulnerabilities facing a facility by conducting a Security Vulnerability Assessment (SVA). The SVA is a systematic process that evaluates the likelihood that a threat against a facility will be successful. It considers the potential severity of consequences to the facility itself@ to the surrounding community and on the energy supply chain. The SVA process is a team-based approach that combines the multiple skills and knowledge of the various participants to provide a complete security analysis of the facility and its operations. Depending on the type and size of the facility@ the SVA team may include individuals with knowledge of physical and cyber security@ process safety@ facility and process design and operations@ emergency response@ management and other disciplines as necessary. The objective of conducting a SVA is to identify security hazards@ threats@ and vulnerabilities facing a facility@ and to evaluate the countermeasures to provide for the protection of the public@ workers@ national interests@ the environment@ and the company. With this information security risks can be assessed and strategies can be formed to reduce vulnerabilities as required. SVA is a tool to assist management in making decisions on the need for countermeasures to address the threats and vulnerabilities. OBJECTIVES@ INTENDED AUDIENCE AND SCOPE OF THE GUIDANCE This document was prepared by the American Petroleum Institute (API) and the National Petrochemical Refiners Association (NPRA) Security Committees to assist the petroleum and petrochemical industries in understanding security vulnerability assessment and in conducting SVAs. The guidelines describe an approach for assessing security vulnerabilities that is widely applicable to the types of facilities operated by the industry and the security issues they face. During the development process it was field tested at two refineries@ two tank farms@ and a lube plant@ which included typical process equipment@ storage tanks@ marine operations@ infrastructure@ pipelines@ and distribution terminals for truck and rail. Since then@ it has been used extensively at a wide variety of facilities involving all aspects of the petroleum and petrochemical industry. This methodology constitutes one approach for assessing security vulnerabilities at petroleum and petrochemical industry facilities. However@ there are several other vulnerability assessment techniques and methods available to industry@ all of which share common risk assessment elements. Many companies@ moreover@ have already assessed their own security needs and have implemented security measures they deem appropriate. This document is not intended to supplant measures previously implemented or to offer commentary regarding the effectiveness of any individual company efforts. Ultimately@ it is the responsibility of the owner/operator to choose the SVA method and depth of analysis that best meets the needs of the specific location. Differences in geographic location@ type of operations@ and on-site quantities of hazardous substances all play a role in determining the level of SVA and the approach taken. Independent of the SVA method used@ all techniques include the following activities: ? Characterize the facility to understand what critical assets need to be secured@ their importance and their interdependencies and supporting infrastructure; ? Identify and characterize threats against those assets and evaluate the assets in terms of attractiveness of the targets to each adversary and the consequences if they are damaged or stolen; ? Identify potential security vulnerabilities that threaten the asset's service or integrity; ? Determine the risk represented by these events or conditions by determining the likelihood of a successful event and the consequences of an event if it were to occur; ? Rank the risk of the event occurring and@ if high risk@ make recommendations for lowering the risk; ? Identify and evaluate risk mitigation options (both net risk reduction and benefit/cost analyses) and re-assess risk to ensure adequate countermeasures are being applied. This guidance was developed for the industry as an adjunct to other available references which includes: ? American Petroleum Institute@ ""Security Guidelines for the Petroleum Industry""@ May@ 2003; ? API RP 70@ ""Security for Offshore Oil and Natural Gas Operations""@ First Edition@ April@ 2003; ? ""Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites""@ American Institute of Chemical Engineers (AIChE) Center for Chemical Process Safety (CCPS"")@ August@ 2002; ? ""Vulnerability Analysis Methodology for Chemical Facilities (VAM-CF)""@ Sandia National Laboratories@ 2002. API and NPRA would like to acknowledge the contribution of the Center for Chemical Process Safety (CCPS) compiled in their ""Guidelines for Analyzing and Managing the Security of Fixed Chemical Sites."" It was this initial body of work that was used as a basis for developing the first edition of the API NPRA SVA methodology. Although similar in nature@ the SVA Method was developed for the petroleum and petrochemical industry@ at both fixed and mobile systems. Examples have been added that demonstrate applicability at various operating segments of the industry. Owner/Operators may want to use any of the methods above@ or another equivalent and appropriate methodology in conducting their SVAs. These guidelines should also be considered in light of any applicable federal@ state and local laws and regulations. The guidance is intended for site managers@ security managers@ process safety managers@ and others responsible for conducting security vulnerability analyses and managing security at petroleum and petrochemical facilities. The method described in this guidance may be widely applicable to a full spectrum of security issues@ but the key hazards of concern are malevolent acts@ such as terrorism@ that have the potential for widespread casualties or damage. These guidelines provide additional industry segment specific guidance to the overall security plan and SVA method presented in Part I of the API Security Guidelines for the Petroleum Industry. SECURITY VULNERABILITY ASSESSMENT AND SECURITY MANAGEMENT PRINCIPLES Owner/Operators should ensure the security of facilities and the protection of the public@ the environment@ workers@ and the continuity of the business through the management of security risks. The premise of the guidelines is that security risks should be managed in a risk-based@ performance-oriented management process. The foundation of the security management approach is the need to identify and analyze security threats and vulnerabilities@ and to evaluate the adequacy of the countermeasures provided to mitigate the threats. Security Vulnerability Assessment is a management tool that can be used to assist in accomplishing this task@ and to help the owner/operator in making decisions on the need for and value of enhancements. The need for security enhancements will be determined partly by factors such as the degree of the threat@ the degree of vulnerability@ the possible consequences of an incident@ and the attractiveness of the asset to adversaries. In the case of terrorist threats@ higher risk sites are those that have critical importance@ are attractive targets to the adversary@ have a high level of consequences@ and where the level of vulnerability and threat is high. SVAs are not necessarily a quantitative risk assessment@ but are usually performed qualitatively using the best judgment of the SVA Team. The expected outcome is a qualitative determination of risk to provide a sound basis for rank ordering of the security-related risks and thus establishing priorities for the application of countermeasures. A basic premise is that all security risks cannot be completely prevented. The security objectives are to employ four basic strategies to help minimize the risk: 1. Deter 2. Detect 3. Delay 4. Respond Appropriate strategies for managing security can vary widely depending on the individual circumstances of the facility@ including the type of facility and the threats facing the facility. As a result@ this guideline does not prescribe security measures but instead suggests means of identifying@ analyzing@ and reducing vulnerabilities. The specific situations must be evaluated individually by local management using best judgment of applicable practices. Appropriate security risk management decisions must be made commensurate with the risks. This flexible approach recognizes that there isn't a uniform approach to security in the petroleum industry@ and that resources are best applied to mitigate high-risk situations primarily. All Owner/Operators are encouraged to seek out assistance and coordinate efforts with federal@ state@ and local law enforcement agencies@ and with the local emergency services and Local Emergency Planning Committee. Owner/Operators can also obtain and share intelligence@ coordinate training@ and tap other resources to help deter attacks and to manage emergencies."