Geoscience Reference
In-Depth Information
−
Does each specific adversary know enough about the asset to plan an attack?
−
What are the possible modes of attack (e.g., explosives or incendiary
devices delivered by car, truck, boat, rail, mail, individuals, or standoff
weapons; aircraft impacts; sabotage of equipment or operations; assaults
by a lightly or heavily armed individual attacker or team of attackers;
theft, alteration, or release of information, materials, or equipment; con-
tamination by chemical agents, biological agents, or radioactive material;
and cyber attacks) each adversary might use?
−
Are there other, less risky means for a specific adversary to attain his or
her goals?
−
What is the probability that an adversary will choose one method of
attack over another?
− What specific events might provoke a specific adversary to act?
Information concerning potential threats and adversaries can be gathered about
potential threats and adversaries by
◾
Joining a threat analysis working group that includes local, county, state, and
federal agencies, the military, and other industry partners.
◾
Obtaining access to the National Infrastructure Protection Center (NIPC),
Analytical Services, Inc. (ANSER), FBI-sponsored InfraGuard, Carnegie
Mellon University's CERT
®
, or other information system security warning
notices.
◾
Initiating processes to obtain real-time information from the field (e.g.,
on-duty offices, civilian neighborhood watch programs, local businesses,
other working groups in the area).
◾
Arranging for threat briefings by local, state, and federal agencies.
◾
Performing trend analyses of historical security events (both planned and
actual).
◾
Creating possible threat scenarios based on input from the threat analysis
working group and conducting related security exercises.
Step 4: Identify and Analyze Vulnerabilities
In addition to identifying the critical assets of the energy facility, the impact of
their disruption, the present protection provided, and the potential threats against
them, the vulnerability of those assets to the potential threats must be quantified,
at least to some extent, to determine the overall risk to the assets.
There are various types of vulnerabilities, such as physical, technical/cyber, and
operational. An energy facility, including perimeter barriers (fences, walls, gates, land-
scape, sewers, tunnels, parking areas, alarms), compound area surveillance (CCTV,
motion detectors, lighting), building perimeters (walls, roofs, windows, doors, shipping
docks, locks, shielded enclosures, access control, alarms), and building interiors (doors,
