Geoscience Reference
In-Depth Information
◾
Operation security experts who evaluate human resources security proce-
dures, facility engineering, facility operations, administrative support organi-
zations, telecommunications and information technologies, publicly released
information, and trash and waste handling.
◾
Intelligence operations experts who interact with local law enforcement and
intelligence/security personnel to determine if there are potential terrorist or
criminal elements in the region that may have an interest in the facility.
Outline of Risk Management Steps
This section presents an outline of the risk management process that has been
applied by the Department of Energy, the DHS, and the private sector. Table 8.2
provides an overview of representative steps in a comprehensive, asset-based vul-
nerability assessment methodology. This includes countermeasure (actions taken
to reduce or eliminate vulnerabilities) and risk management considerations. The
methodologies included in this survey address, to a greater or lesser degree, some
or all of these steps.
The following sections describe the steps of the risk management process in
more detail. Where appropriate, the steps contain checklists of questions that could
be used to guide the implementation of a risk management program.
Step 1: Identify Critical Assets and the Impacts of Their Loss
Estimates of the potential consequences, including economic implications, of not
mitigating identified vulnerabilities or addressing security concerns are necessary
to effectively apply risk management approaches to evaluate mitigation option and
security recommendations. Outages because of security failures could degrade an
energy facility's reputation and place the community served at risk to economic
losses or even losses of property and life.
In addition, the modern energy facility's telecommunication and computer net-
work has many external connections to public and private networks. Such connec-
tions are used to communicate with customers and offer new electronic services,
such as online billing and payment. Cyber security should be a primary concern,
especially for utilities that operate in this interconnected environment. An IT secu-
rity architecture may need to be developed.
Possible critical assets include people, equipment, material, information, instal-
lations, and activities that have a positive value to an organization or facility. People
include energy facility executives and managers, security personnel, contractors and
vendors, and field personnel. Equipment includes vehicles and other transportation
equipment, maintenance equipment, operational equipment, security equipment,
and IT equipment (computers and servers). Material includes tools, spare parts, and
specialized supplies. Information includes employee records; security plans; asset
