Скачать презентацию National Response Team Presentation Security Risk Assessment Methodologies Скачать презентацию National Response Team Presentation Security Risk Assessment Methodologies

2dee25b0e9904071bb1c506cd7fcd35a.ppt

  • Количество слайдов: 32

National Response Team Presentation: “Security Risk Assessment Methodologies: Community VAM 3/3/3 Presented By: Gloria National Response Team Presentation: “Security Risk Assessment Methodologies: Community VAM 3/3/3 Presented By: Gloria E Chavez Sandia National Laboratories

Community Vulnerability TM Assessment Methodology (CVAM ) Community Vulnerability TM Assessment Methodology (CVAM )

“Snapshot” of Community Process: today's message n n n Community Vulnerability Assessment Methodology (CVAMTM) “Snapshot” of Community Process: today's message n n n Community Vulnerability Assessment Methodology (CVAMTM) process Process is copyrighted / licensed to ensure appropriate use of training materials by qualified trainers and so resulting information is protected Part of the “family” of center processes for infrastructure Part of Center for Civil Force Protection Focus is on “planning” to allow appropriate response and to mitigate consequences by identifying weaknesses in systems

Vulnerability Assessment (VA)…What Is It Vulnerability assessment is • A systematic approach • Used Vulnerability Assessment (VA)…What Is It Vulnerability assessment is • A systematic approach • Used to determine relative risk • Based upon the effectiveness of a protection system • Considering the consequences • Resulting from a likely threat

Community Vulnerability Assessment Methodology • Builds on prior VAM / RAM development – nuclear Community Vulnerability Assessment Methodology • Builds on prior VAM / RAM development – nuclear sites, dams, water, chemical facilities, prisons/jails • Goals • Useable by public safety personnel, emergency planners, private industry employees – don't need to be a "techie" • Useful -provides information which significantly contributes to making security risk management decisions

Reasons for a Community VA include: n n n n Identify vulnerabilities in a Reasons for a Community VA include: n n n n Identify vulnerabilities in a systematic way (minimize gaps) For important vulnerabilities, communities may be able to request additional resources For significant identified vulnerabilities, community may consider ways to mitigate – such as provide a backup for a vulnerable mission with no existing backup Can use identified vulnerabilities to better plan future projects i. e. , two communication routes (backup) Can help prepare, in event of attack, to mitigate consequences Helps communities make security decisions based on a process including risk assessment Community may decide to improve response or an aspect of physical security

Scope of Analysis n n n Screening Analysis Characterize a Community, critical Facilities & Scope of Analysis n n n Screening Analysis Characterize a Community, critical Facilities & Consequences Define the Threat and Likelihood of Attack Review Physical Protection Systems Make Observations and Recommendations

Community Vulnerability Assessment Process Screening, Team, Decisions/ Risks Planning Characterize Assets Facility Characterization, ID Community Vulnerability Assessment Process Screening, Team, Decisions/ Risks Planning Characterize Assets Facility Characterization, ID Targets Determine Consequences Site Specific Consequence Table, Prioritize Targets Community Protection Goals: Defined Threat (DT) Define Threats Other Action Cost ? Benefit Analysis R=PA*(1 -PE)*C Define Safeguards Analyze System Understand PPS: Detect, Delay, Response System Effectiveness, Scenario Analysis Risks Acceptable ? Risks Upgrade PPS, Mitigate Consequences Proposed Upgrades/ Actions N Y End

CVAM TM process consists of Community Screening workshop (optional) n Training Course on VA CVAM TM process consists of Community Screening workshop (optional) n Training Course on VA Process -including VA on selected facilities n Follow-up visit/assist on reporting (optional) n

Who is Involved in the Process? n n n Players for a community include Who is Involved in the Process? n n n Players for a community include decision makers in the community working with emergency management, police, risk management, fire departments, civic leaders, financial leadership, chamber of commerce, others Process takes time and requires information about the community Process requires difficult decisions (…what is an acceptable risk? )

CVAMTM Course n n We teach a Vulnerability Assessment Course, not a Security Assessment CVAMTM Course n n We teach a Vulnerability Assessment Course, not a Security Assessment Course The course, for a community, is an intense week of: n n n class material describing process Exercises, based on facilities in community, to demonstrate the process We also teach a “trainer course” for qualified trainers with backgrounds in training and community policing, or risk management

Community Screening n n Definition: Selecting facilities of most concern, using a documented process Community Screening n n Definition: Selecting facilities of most concern, using a documented process Requires participation by decision makers in a community Uses Consequence Analysis, determination of acceptable risk First Step in Process

CVAMTM Screening: Consequence and Target Identification Severity of Undesirable Consequences • Loss of human CVAMTM Screening: Consequence and Target Identification Severity of Undesirable Consequences • Loss of human life • Loss of revenue • Loss of vital equipment • Loss of vital capabilities

CVAMTM Community Characterization: Many elements n Communications n Government n Power/Electric n Transportation n CVAMTM Community Characterization: Many elements n Communications n Government n Power/Electric n Transportation n Gas/Oil n Emergency n Industry n n Water n Banking/Financial n Education Foreign Represented Governments n Recreational Venues n Special Classification

Development of Defined Threat (DT) for a Community List, collect and organize information for Development of Defined Threat (DT) for a Community List, collect and organize information for DT 1. Use historical and current intelligence data 2. Threat policy may be specified by community leaders or others 3. Consider developing a range of potential threats 4. Use a combination of above

Collect Threat Information n National and international sources n n Intelligence organizations Literature search, Collect Threat Information n National and international sources n n Intelligence organizations Literature search, crime studies, analysis Professional organizations Local sources n n Local police agencies Local professional organizations ü ü n Industry Security City, county, state agencies

Lots of Weapon Options: Bushmaster (used in Virginia -$750)…web site Lots of Weapon Options: Bushmaster (used in Virginia -$750)…web site

Discuss Adversaries: Adversary Types Overlap (collusion is possible), Insiders… Insiders ? ? ? Discuss Adversaries: Adversary Types Overlap (collusion is possible), Insiders… Insiders ? ? ?

Potential Agents n n Biological Chemical Radiological Explosive Potential Agents n n Biological Chemical Radiological Explosive

Want to Buy something Radioactive? ? …Go to the web… • Reactor Fuel Pellets Want to Buy something Radioactive? ? …Go to the web… • Reactor Fuel Pellets Uranium Oxide Reactor Fuel Pellet ( 10 mm X 15 mm ) 16, 000 cpm Reactor Fuel Pellet: $100. 00 These are Uranium Oxide Fuel Pellets made of highly compressed Uranium Oxide. They are from a "Slow-Poke" Ammonia-Cycle Nuclear Reactor and are slightly out of spec. Each is 10 mm in diameter and 15 mm long. • Uranium Ore - Super High Radiation Level

Physical Protection Systems (PPS) n Potential PPS objectives are: n n n PPS and Physical Protection Systems (PPS) n Potential PPS objectives are: n n n PPS and their objectives will vary n n Protect lives Protect property Prevent loss of services Other Consequence mitigation may be option PPS includes detection, delay, response

Risk Equation: R=PA*(1 -PE)*C • Equation is discussed and estimated values obtained for parameters, Risk Equation: R=PA*(1 -PE)*C • Equation is discussed and estimated values obtained for parameters, given existing community PPS • What happens with upgrades? • Data is often poor or missing for communities • Now What? …

Security is a Continuum Approach: “Buy Cameras” rity No u Sec p rt O Security is a Continuum Approach: “Buy Cameras” rity No u Sec p rt O ion in e Exp “Manuals” ds dar ia n Sta riter &C “Performance Tests, Analysis, Computer Models i Eng s em h t Sys roac p Ap i eer n ng Typical Application: homes new construction nuclear facilities low risk low - moderate – high consequence risk facilities profile government

How Much Is Enough? *Consequences *Military Action What to protect against? What’s important? Mission How Much Is Enough? *Consequences *Military Action What to protect against? What’s important? Mission *Liabilities *Crime How well are you protected? *Terrorism *Is risk acceptable *Operational trade-off Decisions *Cost options

Goal in Performing a Community VA: Identify Where Vulnerabilities Are, And Then Decide How Goal in Performing a Community VA: Identify Where Vulnerabilities Are, And Then Decide How to Allocate Resources… High Resources = $$$$ $ to Fix Likelihood Of Occurrence $$ to Fix $$$$ to Fix Low Terrorist Acts Violence by criminals THREAT Theft or vandalism

Community Vulnerability Assessment Methodology • Focus is on physical protection. • Considers physical protection Community Vulnerability Assessment Methodology • Focus is on physical protection. • Considers physical protection systems (PPSs) • Need to understand how to evaluate PPSs • But, probably not likely to implement effective PPSs at community facilities due to cost. • More likely to use adverse consequence reduction and mitigation measures (e. g. insurance, redundant capabilities, improved response) • or acceptance of risk.

CVAM n n n n TM Application To Date Miami-Dade, Florida Sterling Heights, Michigan CVAM n n n n TM Application To Date Miami-Dade, Florida Sterling Heights, Michigan Bismarck, ND Hennepin County, MN Norfolk, VA Rochester, NY Albuquerque, NM (Trainer Class) We learned something new every time and incorporated improvements

What Have We Learned? n n n Communities are surprised at identified vulnerabilities Communities What Have We Learned? n n n Communities are surprised at identified vulnerabilities Communities learn who in their own community is a resource May choose to get redundancy (back-up 911 center or incident command center, or communications equipment, good blueprints) Need to test procedures and response in many situations (off-hours, various scenarios) Lots of requests for help from communities!

Caution for Communities!!!! n n n Illegal intelligence gathering Operations Security Protect information. . Caution for Communities!!!! n n n Illegal intelligence gathering Operations Security Protect information. . . may have a ”blueprint for attack” Need to know Control release of information Document

What are our plans? n n n Future community VA training… VA training program What are our plans? n n n Future community VA training… VA training program for law enforcement academies More Trainer classes

Summary Community Vulnerability Assessments come from applying nuclear security approaches n The CVAM process Summary Community Vulnerability Assessments come from applying nuclear security approaches n The CVAM process is a systematic way to assess vulnerabilities and make decisions based on risk n We have a community tested process n Call me for more information and help Gloria Chavez Phone: 505 -845 -8737 Email: gechave@sandia. gov n

What is the appropriate response to a situation? Depends… What is the appropriate response to a situation? Depends…