a w w a presentation regional paper david mc cann

Wivenhoe Management Group

SECURITY VULNERABILITY SECURITY VULNERABILITY ASSESSMENT (SVA) & ASSESSMENT (SVA) &

LIABILITYLIABILITY


TODAY’S PRESENTATION WILL TODAY’S PRESENTATION WILL ENCOMPASS THE FOLLOWING:ENCOMPASS THE FOLLOWING:

• The Basics of an SVA

• Why an SVA is Important

• SVA History

• Federal & State Legislation

• Liability Arising from an SVA

• Solutions


THE BASICS OF AN SVATHE BASICS OF AN SVA

• What is the Threat Level?

• Who and/or What Should be Protected?

• What Can or Should Be Done?

• What Will It Cost?



• Threat Levels

– Outsider

– Insider

– Cyber


AS A NATION THE US REMAINS AT AS A NATION THE US REMAINS AT ELEVATED THREAT LEVELSELEVATED THREAT LEVELS

Current Prevailing Nationwide Threat Level:

It was Raised to HighHigh around the Anniversary of Sept. 11


CURRENT STATE OF SECURITY…CURRENT STATE OF SECURITY…OUTSIDER - PHYSICAL ATTACKSOUTSIDER - PHYSICAL ATTACKS

Type of Adversary

Cri

min

al

Fore

ign

Sta

te-S

pon

sore

d

Terr

ori

st

Dom

esti

c

Terr

ori

st

En

vir

on

men

tal

Extr

em

ist

Van

dal

s

Th

reat

Level

Many users have

historically protected at

this level.


VANDAL (LOWEST RISK)VANDAL (LOWEST RISK)

1. Intentions: Minor Damage/Petty Mischief

2. Motivations:Boredom, Drug Related’ gang?

3. Capabilities: Minimum Tools (1 to 4 individuals)

4. Police Response: Assessment?, Time?, Deployment?

5. Threat Level: Low (Depending on past history)

6. Impacts: Minimal (unless intent remains a mystery)

Vandal: Usually between the ages of 7 – 19


FOREIGN STATE-SPONSORED FOREIGN STATE-SPONSORED TERRORIST (HIGHEST RISK)TERRORIST (HIGHEST RISK)

1. Intentions: Total Destruction/Panic/Casualties

2. Motivations: Ideological/Terrorism3. Capabilities: Major – Worst Case (3 to 6

Individuals)4. Police Response: Assessment?, Time?,

Deployment?5. Threat Level: Very High6. Impacts: Very High

International Terrorist: Adult, Male or Female, Ideology Driven


LET’S EXAMINE INSIDER LET’S EXAMINE INSIDER THREAT SPECTRUMTHREAT SPECTRUM

Type of Adversary

Dis

gru

ntl

ed

(S

en

din

g a

M

essag

e)

Su

per-

Insid

er

(coerc

ion

)

Dis

gru

ntl

ed

(R

even

ge)T

hre

at

Level

Cri

min

al A

cts

(Pers

on

al

Gain

)

Dis

gru

ntl

ed

(C

ollu

sio

n)

1. Employee

2. Contractor

3. Vendor

Increased Access, Motivation, & Skill Level increases threat


CYBER DBT IS AMATEUR HACKER & INSIDER CYBER DBT IS AMATEUR HACKER & INSIDER WITH OPERATIONAL PRIVILEGESWITH OPERATIONAL PRIVILEGES

Novice

Amateur Hacker

Organized Crime

Government Sponsored

Type of Cyber Terrorist

Kn

ow

led

ge



Critical Assets– People– Infrastructure– Equipment– Data– Inventory– Processes– Other



• Recommendations

– Security Improvements

– Mitigation

– IST

– Other



• Cost– Security Versus Mitigation

– Implementation Period

– Electronic Versus Physical Security

– Threat Event CostThreat Event Cost


Client XXXClient XXXSecurity Improvement Cost EstimateSecurity Improvement Cost Estimate

Sandia Methodology ApproachSandia Methodology Approach

RISK REDUCTION SOLUTION

CRITICAL ASSET

DESCRIPTIONESTIMATE

D COST

(1A) Control # X Relocate with New Housing $TBD

(1B) Control # XPerimeter Security Improvements & Upgrades

$600,000

(2A)Control # Y & I-XX/C-XX Culverts

Perimeter Security Improvements $200,000

(2B) As Above Hardening Measures $190,000

(3A)WTP Facility

Perimeter Security Improvements & Upgrade

1,240,000

(3B) As AbovePerimeter Security Improvements & Upgrade

300,000

(3C) As Above Hardening Measures 1,060,000

TOTAL$3,590,000

Summary of Risk Reduction Solutions for Client XXX


Client XXXClient XXXSecurity Improvement Cost EstimateSecurity Improvement Cost Estimate

Deterrent Methodology ApproachDeterrent Methodology Approach

RISK REDUCTION SOLUTION

CRITICAL ASSET

DESCRIPTIONESTIMATE

D COST

(1A) Control # X Relocate with New Housing $TBD

(1B) Control # XPerimeter Security Improvements & Upgrades

$276,000

(2A)Control # Y & I-XX/C-XX Culverts

Perimeter Security Improvements $105,400

(2B) As Above Hardening Measures N/A

(3A)WTP Facility

Perimeter Security Improvements & Upgrade

$560,500

(3B) As AbovePerimeter Security Improvements & Upgrade

$192,000

(3C) As Above Hardening Measures $1,060,000

TOTAL REDUCTION OF 68.42%

$1,133,900

Summary of Risk Reduction Solutions for Client XXX


WHY IS AN SVA SO WHY IS AN SVA SO IMPORTANT?IMPORTANT?


A PROPERLY EXECUTED SVA A PROPERLY EXECUTED SVA PROVIDES:PROVIDES:

• Identification of Appropriate Threat Level

• Identification of Critical Assets• Measurement of Consequences• Sound Recommendations

― Security Improvements― Mitigation & Inherently Safer Technology

(IST)― Orderly Steps― Cost Effectiveness


WITHOUT PERFORMING A VAWITHOUT PERFORMING A VA

• What is Threat Level?

• What are the Critical Assets?

• What is Likely to Happen?

• What will be the Response?

• What are the Likely Consequences?

• Who will be Who will be held held Responsible?Responsible?


HISTORY OF SVA LEGISLATIONHISTORY OF SVA LEGISLATION

• Nuclear Power Plants

• Sandia National Laboratory

• 1998 Directive


CRITICAL INFRASTRUCTURES CRITICAL INFRASTRUCTURES SUPPORT COMMAND AND SUPPORT COMMAND AND

CONTROLCONTROL


HISTORY OF SVAHISTORY OF SVAWater and Waste WaterWater and Waste Water

US EPA required SVA of public water systems:

• Serving more than 100,000 by March, 2003• Serving 50,000 to 100,00 by December, 2003• Serving 3,300 to 50,000 by June, 2004

Funding was available for the largest water systems to cover cost of SVA, but no funding yet for smaller water systems.


HISTORY OF SVAHISTORY OF SVAOil and GasOil and GasSince1998 the National Petroleum Council has been

reviewing the vulnerabilities of oil & gas industry to attack (both physical and cyber).

Post 9/11, oil and gas has been monitoring the security of its oil and gas transportation network, its refineries and its distribution facilities

The American Petroleum Institute is coordinating information sharing among members.

ISAC (Information Sharing and Analysis Center) has been promoting collection, assessment, and sharing of oil & gas member information on physical and electronic threats, vulnerabilities, incidents, and solutions/best practices.


HISTORY OF SVAHISTORY OF SVAChemicalChemical

Early in 2002, the American Chemical Council asked its members to complete a SVA of their facilities.

• Highest risk by 12/31/02

• Lesser risk by 6/30/03

• Low risk by 12/31/03

• No off-site risk by 12/31/03

Enhancements to be completed one year later. Third party verification three months later.


NEW INITIATIVES BY STATENEW INITIATIVES BY STATE

• New Jersey• Maryland• Illinois• Florida• New York• California


NEW JERSEYNEW JERSEY

• New Legislation Enacted November 2005

• Requires SVA Plus Response Plan Plus Schedule

• Emphasis on Security and IST• Monitored by NJDEP• Possible Further Legislation

Stressing IST


MARYLANDMARYLAND

• New Legislation

• Similar Requirements to New Jersey

• SVA

• Monitoring?


ILLINOISILLINOIS

• Bill Introduced May 2006 by State Senator

• Will Require All Chemical Companies to Declare all Hazardous Chemicals Manufactured or Stored On Site

• Will Require SVA Based on Terrorist Attack


HISTORY OF SVAHISTORY OF SVAPharmaceuticalPharmaceutical

• Although no current regulatory or statutory regulations, some FDA requirements in place for quality control.

• HIPPA regulations creating great changes in information and IT security.

• Comprehensive SVA may identify vulnerabilities to counterfeit drugs and drug reimportation, and opportunities for competitive intelligence.

• SVA may identify weaknesses in supply chain security


HISTORY OF SVAHISTORY OF SVAManufacturingManufacturing

EPA has not yet required a SVA of non-chemical manufacturing facilities. However, performing an SVA at a manufacturing facility will reduce the risk of:• Attacks on Employees• Theft of Company and Personal Property• Loss of Confidential Information• Accidents involving Non-Employees• Accidents involving Workers


NEW LEGISLATIONNEW LEGISLATION

• Gas Storage New Jersey

• Food Manufacturing Federal & State

• Chemical Additions Federal & NJ

• Transportation Federal & States

• Healthcare Federal & States

• Education New Jersey


CLEAR PATTERNCLEAR PATTERN

• Legislation Not Going Away

• Legislation Activity is on the Increase

• SVA is the Common Denominator


LIABILITYLIABILITY


LIABILITY ISSUESLIABILITY ISSUES

• In simple terms, a properly executed security vulnerability assessment will identify the vulnerabilities or weaknesses of a facility or organization to specific threats

• In identifying those vulnerabilities or weaknesses, the facility or organization has been placed on notice that something has to be done with respect to such issues



• In the event that there is an incident, and it turns out that it was related to one of those vulnerabilities, and nothing had been done to address that particular vulnerability the facility or organization is not only facing a clear liability but possible negligence as well.



• Definition of LiabilityDefinition of Liability

• Liability as it pertains to security: relates to an obligation one is bound or have a responsibility to do; it is the condition of being actually or potentially subject to an obligation; the obligation required is based on the comparison of what others in an industry would do in the same circumstances – that is, they are held to an industry standard. if that obligation or standard is not met then there is a liability exposure



• Definition of LiabilityDefinition of Liability

• As an example, if tenants in a building are exposed to unauthorized intrusion it becomes the responsibility for the landlord to provide a reasonable level of security to prevent the intrusions. There is sufficient case law supporting the obligation of the landlord to provide for the protection of the tenant when it is clearly recognized that the tenant is vulnerable due to unauthorized intrusions and insufficient security in the building.


NEGLIGENCE ISSUESNEGLIGENCE ISSUES

• Definition of NegligenceDefinition of Negligence

• The legal definition of negligence is: the omission to do something which a reasonable person, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which A reasonable and prudent person would not do.



• Definition of Gross NegligenceDefinition of Gross Negligence

• The legal definition of gross negligence is: the intentional failure to perform a manifest duty in reckless disregard of the consequences as affecting the life or property of another; such a gross want of care and regard for the rights of others as to Justify The Presumption Of

Willingness And Wantoness.



• Definition of Punitive DamagesDefinition of Punitive Damages (also known as exemplary or vindictive damages)

• Damages awarded by a court against a defendant as a deterrent or punishment to redress An Egregious Wrong Perpetrated By The Defendant; damages on an increased scale, awarded to the plaintiff over and above what will barely compensate him for his property loss, Where the Wrong Done to Him Was Aggravated by Circumstances of Violence, Oppression, Malice, Fraud, or Wanton and Wicked Conduct on the part of the defendant.


FURTHER LIABILITY ISSUESFURTHER LIABILITY ISSUES

• Implementation of Security Recommendation including new systems

• Are the new security systems based on good Design Criteria that is consistent with Security Industry standards?


STATEMENTSTATEMENT

Many Security Systems Are Installed Many Security Systems Are Installed Without Being Designed, And More Without Being Designed, And More Importantly, Without Proper Design Importantly, Without Proper Design CriteriaCriteria



• Without good design criteria consistent with Security Industry, and even having installed new security systems, it is possible that a facility or organization could be liable, and possibly negligent


LACK OF DESIGN CRITERIALACK OF DESIGN CRITERIA

Leads to Four Major Problems:

1) Inadequate Counter Measures to Meet Threat Level

2) Faulty Security System Design

3) Inability to Support Installed Security System

4) Possible Legal Consequences


INADEQUATE SECURITYINADEQUATE SECURITY

• Failure To Detect

• Failure To Surveil

• Inadequate Perimeter Security

• Inadequate Security At All Critical Assets

• Inappropriate Equipment

• Does Not Provide Adequate Protection To Meet Threat Level


QUESTIONS THAT CAN BE QUESTIONS THAT CAN BE ANSWERED BY PROPER ANSWERED BY PROPER

SECURITY DESIGN CRITERIASECURITY DESIGN CRITERIA


LIKELY QUESTIONS….LIKELY QUESTIONS….

1) Why did you use this equipment– Cameras– Motion Detectors– Type of DVR– Intrusion Detection Equipment– Type of Fence


LIKELY QUESTIONS…LIKELY QUESTIONS…

2) Explain the reasons for installing this type of security system?

3) Why did the security only attempt to cover the outer perimeter?

4) Why were Insider threats ignored?

5) The following people had clearance for all access points……. Why?

6) What was the Design Criteria for the security system?



• Monitoring and Operation of Security Systems

―Expectation of Public

―Third Form of Possible Liability



• TRAININGTRAINING – Has Adequate Training Been Given to All Staff– Security Awareness– Specialty System Training– Crisis Response– Procedures


SOLUTIONSSOLUTIONS


SECURITY VULNERABILITY SECURITY VULNERABILITY ASSESSMENT (SVA)ASSESSMENT (SVA)

• If you have not performed an SVA, do it soon

• Use experienced, certified professionals who understand existing and future Legislation



• If an SVA has already been done, have experienced professionals review the results

• Prepare Sound Design Criteria

• Implement, Modify, Add as Appropriate



• If you are not sure where you currently stand, initiate an SVA Screening Evaluation

• Provides an Outline of where you currently stand with respect to SVA Requirements, Legislation, and more importantly, options on what to do next


SOLUTIONSSOLUTIONS• Consider new security measures

properly designed with design criteria that meets or exceeds current legislation

• Implement over phased period that reduces initial costs

• Incorporate as part of Business Plan


SOLUTIONSSOLUTIONS

• Consider Deterrent Approach together with Detect, Delay, and Respond

• Consider Security Audit

• Invest in Professional Training


SOLUTIONSSOLUTIONS

• Work with Local and Federal Law Enforcement

• Work with Emergency Management

• Stay Up To Date


QUESTIONSQUESTIONS

www.wivenhoegroup.comwww.wivenhoegroup.comPhone: 609-208-0112Phone: 609-208-0112

E-mail: [email protected]: [email protected]

a w w a presentation regional paper david mc cann

Technology

sva cost security

cost of sva

sva solutions

history of sva water

history of sva oil

executed sva

sva of public water

history of sva chemical