Industrial Security E-Book

CONTENTS

Cover

Title page

Chapter 1:

Introduction to Security Risk Assessment and Management

Introduction

Business Definition

Security Versus Risk

Framework for Risk Management

Value at Risk

Calculation of Risk

Risk Assessment Versus Risk Management

Risk Management Plans

Threat Scenarios

Statistics and Mathematics

Pairing Vulnerability and Threat Data

Setting Priorities

Other Definitions of Risk Assessment

Business Definition for Risk Assessment

Broad Definition for Risk Assessment

Quantitative Risk Assessment

Qualitative Risk Assessment

Countermeasures for Vulnerabilities

Sample Threat Scenario NO. 1 (Fig. 1.6)

Sample Threat Scenario No. 2

Chapter 2:

Risk Assessment Basics

Street Calculus and Perceived Risk

Security Risk Assessment Structure

Value at Risk

Sandia Laboratory’s Risk Assessment Analysis

Annualized Cost Analysis of Risk

Scenario-driven Cost Risk Analysis

Model-Based Risk Analysis

Risk Management by Fault Tree Methods and Risk-informed Decision management

Chapter 3:

Assessing Types of Attacks and Threats with Data Sources

Weapons

Muzzle Energies for Various Cartridges

Rifle Grenades

Rocket-Propelled Grenades and Mortars

Explosive Energies

Other Types of Incidents and Accidents

Chapter 4:

Evaluating a Company’s Protective Systems

Surveys and Assessments

Site Security Assessments

Lighting

Perimeter Barriers: Design Notes and Comments

CCTV

Windows and Doors

Chapter 5:

Port Security

Ranking Threats

Levels of Port Security

Identification Procedures for Personnel Screening

Vessel Arrival and Security Procedures While Moored

Internal Security

Perimeter Security and Restricted Areas

Lighting

Security Alarms/Video Surveillance/Communications Systems

Training and Security Awareness

Floating Barriers

Chapter 6:

Basics of Cyber security

Communications Life Cycle

Some Solutions to the Problem of Cyber crime

Communications Security

Communications as Transactions

Telephone System Security

Radio Communications

Digital Communications

Cyber security

How to Perform the Vulnerability Assessment

Communications Procedure Design: Hints and Helps

Benefits: Identified

Cyber Threat Matrix: Categories of Loss and Frequency

Setting up Internet Security

Cyber security Tools

Chapter 7:

Scenario Planning and Analyses

Introduction

FTA, Markov Chains, and Monte Carlo Methods

Other Complimentary Techniques

Sample of Initial Analysis

Failure Modes and Effects Analysis

DHS Analysis and Plans

Bow-tie Analysis

HAZOPS and Process Safety Management

ALOHA, CAMEO, and Security Planning Tools

The Colored Books

Chapter 8:

Security System Design and Implementation: Practical Notes

Security Threat-Level Factors

Considered Factors

Security System Design

Electronic Security Systems Design

Review and Assessment of Engineering Design and Implementation

Conclusion

Appendix

I

:

Physical Security Checklist

Building

Lock and key, alarm systems, and guards

Employee security

Trash removal and shipments from the facility

Planning

Mail handling

Fire plans

Appendix

II

Cyber Security Threat/Vulnerability Assessment

Cyber Security Threat/Vulnerability Assessment Scoring

Index

End User License Agreement

List of Tables

Chapter 01

Table 1.1 Cost analysis for replacement of a chemical plant

Table 1.2 Subasset analysis for the plant in Table 1.1

Table 1.3 Vulnerability analysis for Unit A

Table 1.4 Example of risk analysis by table

Chapter 02

Table 2.1 Common Daily Risks

Table 2.2 Relative ranking of perceived risks

Table 2.3 SANDIA National Laboratory risk assessment table

Table 2.4 Probability of occurrence

Table 2.5 Part 1 of two-part data table for MBRA analysis

Table 2.6 Part 2 of two-part data table for MBRA analysis

Table 2.7 CARVER + Shock criticality table

Table 2.8 CARVER + Shock accessibility criteria

Table 2.9 CARVER + Shock recognizability criteria

Table 2.10 CARVER + Shock vulnerability criteria and effect criteria

Table 2.11 CARVER + Shock shock value

Chapter 03

Table 3.1 Muzzle energies for various types of projectile weapons

Table 3.2 Energies of various explosive compounds

Table 3.3 Damage rates from a 3 to 5 m/s explosion

Table 3.4 Explosive pressures from a 1500 kg ANFO explosion

Chapter 04

Table 4.1 US army field table for lighting security

Table 4.2 Pressure coefficients for nonporous fencing

Chapter 07

Table 7.1 Plant shutdown risk analysis table of likely causes

Table 7.2 Plant shutdown risk analysis table: Additional detail

Table 7.3 FMEA worksheet (more extensive forms are available for free download from ASQ.org)

Table 7.4 Process hazard analysis and security’s role

Table 7.5 Outline of emergency response plan for a typical facility

Chapter 08

Table 8.1 US Department of Homeland Security color code: security threat levels

Table 8.2 Severity of impact and risk levels

Table 8.3 Steps for the use of SQUARE

List of Illustrations

Chapter 01

Figure 1.1 Outline of risk management actions.

Figure 1.2 A second view of the risk analysis process. The risk analysis matrix is usually in color. Red indicates high risk, yellow indicates moderate risk, and green indicates lower levels of risk, but we have chosen to use stripes, dots, and white spaces to highlight the risk levels, respectively.

Figure 1.3 Probability of number of deaths from selected incidents, after Lewis.

Figure 1.4 Graphic of the functioning of controls.

Figure 1.5 The D’s of security.

Figure 1.6 Ammonia plant complex in Ohio, United States (40-year-old picture).

Figure 1.7 Chlorine plant complex in New York, United States (40-year-old picture).

Chapter 02

Figure 2.1 Classical risk assessment form. The risk analysis matrix is usually in color. Red indicates high risk, yellow indicates moderate risk, and green indicates lower levels of risk, but we have chosen to use stripes, dots, and white spaces to highlight the risk levels, respectively.

Figure 2.2 Cost-based risk assessment for annual loss expectancy.

Figure 2.3 Cost versus probability of occurrence.

Figure 2.4 Diagram of product flow in an ammonia plant.

Figure 2.5 Diagram to prioritize the important links and nodes for reduction of risk.

Figure 2.6 NASA’s risk-informed decision management process.

Figure 2.7 Factors that go into a risk-informed decision management process.

Figure 2.8 Steps in the RIDM process.

Figure 2.9 The IAEA’s adaptation of the RIDM process.

Figure 2.10 Common fault tree analysis symbols in current usage.

Figure 2.11 Fault free analysis example after Lewis.

Figure 2.12 Fault tree analysis example for different pathways of entry for a bomb in the plant.

Chapter 03

Figure 3.1 Power and forces for the explosive shockwave.

Figure 3.2 Pressure and distance for a 1500 kg ANFO explosion.

Chapter 04

Figure 4.1 Detail for top of protective fencing.

Figure 4.2 Security fence detail—elevation. .

Figure 4.3 Additional details on security fencing.

Figure 4.4 Wind speed versus pressure on nonporous fencing.

Chapter 06

Figure 6.1 The security life cycle.

Figure 6.2 Risk assessment team assignments for a chemical company.

Figure 6.3 Threat matrix for cyber security occurrences.

Chapter 07

Figure 7.1 Fishbone diagram of a successful attack on the XYZ chemical company.

Figure 7.2 Pareto chart on security failures.

Figure 7.3 Example of bow-tie analysis.

Chapter 08

Figure 8.1 One view of Khobar Towers bombing (Riyadh, Saudi Arabia) in 1996.

Figure 8.2 Damage at Khobar Towers, note size and depth of bomb crater.

Figure 8.3 Minimum standoff zone. Note distance is a minimum depending on type of weapon attack anticipated.

Figure 8.4 Standoff zone for medium-to-large facilities.

Figure 8.5 Exclusion zone for larger facilities.

Figure 8.6 One type of perimeter barrier.

Figure 8.7 Active vehicle barriers.

Figure 8.8 Design of the electronic security system.

Figure 8.9 Security staff and committees to be trained and instituted as a risk assessment team.

Figure 8.10 Security management.

Figure 8.11 Blank sheet approach to auditing and evaluation from inception through implementation. A continuous and cyclic process.

Figure 8.12 Business approach to auditing and assessments.

Figure 8.13 Risk assessment process flow.

Figure 8.14 Risk assessment project.

Figure 8.15 SQUARE: method for implementing and prioritizing security requirements.

Guide

Cover

Table of Contents

Begin Reading

Pages

iii

iv

v

1

2

3

4

5

6

7

8

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

125

126

127

128

130

131

132

133

134

135

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

INDUSTRIAL SECURITY

Managing Security in the 21st Century

Copyright © 2015 by John Wiley & Sons, Inc. All rights reserved

Published by John Wiley & Sons, Inc., Hoboken, New JerseyPublished simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Russell, David L., 1942–    Industrial security : managing security in the 21st century / David L. Russell, Pieter Arlow.       pages cm    Includes bibliographical references and index.

    ISBN 978-1-118-19463-8 (hardback)1. Industries–Security measures. 2. Industrial safety. 3. Risk management. 4. Security systems. 5. Terrorism–Prevention. I. Arlow, Pieter. II. Title.    HD61.5.R87 2015    658.4′73–dc23

    2014043896

For my girls and their girls:

Laura, Jennifer

Edda, Zola, and Miriam

You are all special ladies, and this is for you.

Thanks for being yourselves.

Dave Russell

“In humble submission to my Lord and Savior God,

and dedicated to my children,

Jean-Pierre, Andrich, and Landi,

who are my all here on earth”

Pieter Arlow

Chapter 1Introduction to Security Risk Assessment and Management

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!