a w w a presentation regional paper david mc cann
TRANSCRIPT
Wivenhoe Management Group
SECURITY VULNERABILITY SECURITY VULNERABILITY ASSESSMENT (SVA) & ASSESSMENT (SVA) &
LIABILITYLIABILITY
Wivenhoe Management Group
TODAY’S PRESENTATION WILL TODAY’S PRESENTATION WILL ENCOMPASS THE FOLLOWING:ENCOMPASS THE FOLLOWING:
• The Basics of an SVA
• Why an SVA is Important
• SVA History
• Federal & State Legislation
• Liability Arising from an SVA
• Solutions
Wivenhoe Management Group
THE BASICS OF AN SVATHE BASICS OF AN SVA
• What is the Threat Level?
• Who and/or What Should be Protected?
• What Can or Should Be Done?
• What Will It Cost?
Wivenhoe Management Group
THE BASICS OF AN SVATHE BASICS OF AN SVA
• Threat Levels
– Outsider
– Insider
– Cyber
Wivenhoe Management Group
AS A NATION THE US REMAINS AT AS A NATION THE US REMAINS AT ELEVATED THREAT LEVELSELEVATED THREAT LEVELS
Current Prevailing Nationwide Threat Level:
It was Raised to HighHigh around the Anniversary of Sept. 11
Wivenhoe Management Group
CURRENT STATE OF SECURITY…CURRENT STATE OF SECURITY…OUTSIDER - PHYSICAL ATTACKSOUTSIDER - PHYSICAL ATTACKS
Type of Adversary
Cri
min
al
Fore
ign
Sta
te-S
pon
sore
d
Terr
ori
st
Dom
esti
c
Terr
ori
st
En
vir
on
men
tal
Extr
em
ist
Van
dal
s
Th
reat
Level
Many users have
historically protected at
this level.
Wivenhoe Management Group
VANDAL (LOWEST RISK)VANDAL (LOWEST RISK)
1. Intentions: Minor Damage/Petty Mischief
2. Motivations:Boredom, Drug Related’ gang?
3. Capabilities: Minimum Tools (1 to 4 individuals)
4. Police Response: Assessment?, Time?, Deployment?
5. Threat Level: Low (Depending on past history)
6. Impacts: Minimal (unless intent remains a mystery)
Vandal: Usually between the ages of 7 – 19
Wivenhoe Management Group
FOREIGN STATE-SPONSORED FOREIGN STATE-SPONSORED TERRORIST (HIGHEST RISK)TERRORIST (HIGHEST RISK)
1. Intentions: Total Destruction/Panic/Casualties
2. Motivations: Ideological/Terrorism3. Capabilities: Major – Worst Case (3 to 6
Individuals)4. Police Response: Assessment?, Time?,
Deployment?5. Threat Level: Very High6. Impacts: Very High
International Terrorist: Adult, Male or Female, Ideology Driven
Wivenhoe Management Group
LET’S EXAMINE INSIDER LET’S EXAMINE INSIDER THREAT SPECTRUMTHREAT SPECTRUM
Type of Adversary
Dis
gru
ntl
ed
(S
en
din
g a
M
essag
e)
Su
per-
Insid
er
(coerc
ion
)
Dis
gru
ntl
ed
(R
even
ge)T
hre
at
Level
Cri
min
al A
cts
(Pers
on
al
Gain
)
Dis
gru
ntl
ed
(C
ollu
sio
n)
1. Employee
2. Contractor
3. Vendor
Increased Access, Motivation, & Skill Level increases threat
Wivenhoe Management Group
CYBER DBT IS AMATEUR HACKER & INSIDER CYBER DBT IS AMATEUR HACKER & INSIDER WITH OPERATIONAL PRIVILEGESWITH OPERATIONAL PRIVILEGES
Novice
Amateur Hacker
Organized Crime
Government Sponsored
Type of Cyber Terrorist
Kn
ow
led
ge
Wivenhoe Management Group
THE BASICS OF AN SVATHE BASICS OF AN SVA
Critical Assets– People– Infrastructure– Equipment– Data– Inventory– Processes– Other
Wivenhoe Management Group
THE BASICS OF AN SVATHE BASICS OF AN SVA
• Recommendations
– Security Improvements
– Mitigation
– IST
– Other
Wivenhoe Management Group
THE BASICS OF AN SVATHE BASICS OF AN SVA
• Cost– Security Versus Mitigation
– Implementation Period
– Electronic Versus Physical Security
– Threat Event CostThreat Event Cost
Wivenhoe Management Group
Client XXXClient XXXSecurity Improvement Cost EstimateSecurity Improvement Cost Estimate
Sandia Methodology ApproachSandia Methodology Approach
RISK REDUCTION SOLUTION
CRITICAL ASSET
DESCRIPTIONESTIMATE
D COST
(1A) Control # X Relocate with New Housing $TBD
(1B) Control # XPerimeter Security Improvements & Upgrades
$600,000
(2A)Control # Y & I-XX/C-XX Culverts
Perimeter Security Improvements $200,000
(2B) As Above Hardening Measures $190,000
(3A)WTP Facility
Perimeter Security Improvements & Upgrade
1,240,000
(3B) As AbovePerimeter Security Improvements & Upgrade
300,000
(3C) As Above Hardening Measures 1,060,000
TOTAL$3,590,000
Summary of Risk Reduction Solutions for Client XXX
Wivenhoe Management Group
Client XXXClient XXXSecurity Improvement Cost EstimateSecurity Improvement Cost Estimate
Deterrent Methodology ApproachDeterrent Methodology Approach
RISK REDUCTION SOLUTION
CRITICAL ASSET
DESCRIPTIONESTIMATE
D COST
(1A) Control # X Relocate with New Housing $TBD
(1B) Control # XPerimeter Security Improvements & Upgrades
$276,000
(2A)Control # Y & I-XX/C-XX Culverts
Perimeter Security Improvements $105,400
(2B) As Above Hardening Measures N/A
(3A)WTP Facility
Perimeter Security Improvements & Upgrade
$560,500
(3B) As AbovePerimeter Security Improvements & Upgrade
$192,000
(3C) As Above Hardening Measures $1,060,000
TOTAL REDUCTION OF 68.42%
$1,133,900
Summary of Risk Reduction Solutions for Client XXX
Wivenhoe Management Group
WHY IS AN SVA SO WHY IS AN SVA SO IMPORTANT?IMPORTANT?
Wivenhoe Management Group
A PROPERLY EXECUTED SVA A PROPERLY EXECUTED SVA PROVIDES:PROVIDES:
• Identification of Appropriate Threat Level
• Identification of Critical Assets• Measurement of Consequences• Sound Recommendations
― Security Improvements― Mitigation & Inherently Safer Technology
(IST)― Orderly Steps― Cost Effectiveness
Wivenhoe Management Group
WITHOUT PERFORMING A VAWITHOUT PERFORMING A VA
• What is Threat Level?
• What are the Critical Assets?
• What is Likely to Happen?
• What will be the Response?
• What are the Likely Consequences?
• Who will be Who will be held held Responsible?Responsible?
Wivenhoe Management Group
HISTORY OF SVA LEGISLATIONHISTORY OF SVA LEGISLATION
• Nuclear Power Plants
• Sandia National Laboratory
• 1998 Directive
Wivenhoe Management Group
CRITICAL INFRASTRUCTURES CRITICAL INFRASTRUCTURES SUPPORT COMMAND AND SUPPORT COMMAND AND
CONTROLCONTROL
Wivenhoe Management Group
HISTORY OF SVAHISTORY OF SVAWater and Waste WaterWater and Waste Water
US EPA required SVA of public water systems:
• Serving more than 100,000 by March, 2003• Serving 50,000 to 100,00 by December, 2003• Serving 3,300 to 50,000 by June, 2004
Funding was available for the largest water systems to cover cost of SVA, but no funding yet for smaller water systems.
Wivenhoe Management Group
HISTORY OF SVAHISTORY OF SVAOil and GasOil and GasSince1998 the National Petroleum Council has been
reviewing the vulnerabilities of oil & gas industry to attack (both physical and cyber).
Post 9/11, oil and gas has been monitoring the security of its oil and gas transportation network, its refineries and its distribution facilities
The American Petroleum Institute is coordinating information sharing among members.
ISAC (Information Sharing and Analysis Center) has been promoting collection, assessment, and sharing of oil & gas member information on physical and electronic threats, vulnerabilities, incidents, and solutions/best practices.
Wivenhoe Management Group
HISTORY OF SVAHISTORY OF SVAChemicalChemical
Early in 2002, the American Chemical Council asked its members to complete a SVA of their facilities.
• Highest risk by 12/31/02
• Lesser risk by 6/30/03
• Low risk by 12/31/03
• No off-site risk by 12/31/03
Enhancements to be completed one year later. Third party verification three months later.
Wivenhoe Management Group
NEW INITIATIVES BY STATENEW INITIATIVES BY STATE
• New Jersey• Maryland• Illinois• Florida• New York• California
Wivenhoe Management Group
NEW JERSEYNEW JERSEY
• New Legislation Enacted November 2005
• Requires SVA Plus Response Plan Plus Schedule
• Emphasis on Security and IST• Monitored by NJDEP• Possible Further Legislation
Stressing IST
Wivenhoe Management Group
MARYLANDMARYLAND
• New Legislation
• Similar Requirements to New Jersey
• SVA
• Monitoring?
Wivenhoe Management Group
ILLINOISILLINOIS
• Bill Introduced May 2006 by State Senator
• Will Require All Chemical Companies to Declare all Hazardous Chemicals Manufactured or Stored On Site
• Will Require SVA Based on Terrorist Attack
Wivenhoe Management Group
HISTORY OF SVAHISTORY OF SVAPharmaceuticalPharmaceutical
• Although no current regulatory or statutory regulations, some FDA requirements in place for quality control.
• HIPPA regulations creating great changes in information and IT security.
• Comprehensive SVA may identify vulnerabilities to counterfeit drugs and drug reimportation, and opportunities for competitive intelligence.
• SVA may identify weaknesses in supply chain security
Wivenhoe Management Group
HISTORY OF SVAHISTORY OF SVAManufacturingManufacturing
EPA has not yet required a SVA of non-chemical manufacturing facilities. However, performing an SVA at a manufacturing facility will reduce the risk of:• Attacks on Employees• Theft of Company and Personal Property• Loss of Confidential Information• Accidents involving Non-Employees• Accidents involving Workers
Wivenhoe Management Group
NEW LEGISLATIONNEW LEGISLATION
• Gas Storage New Jersey
• Food Manufacturing Federal & State
• Chemical Additions Federal & NJ
• Transportation Federal & States
• Healthcare Federal & States
• Education New Jersey
Wivenhoe Management Group
CLEAR PATTERNCLEAR PATTERN
• Legislation Not Going Away
• Legislation Activity is on the Increase
• SVA is the Common Denominator
Wivenhoe Management Group
LIABILITYLIABILITY
Wivenhoe Management Group
LIABILITY ISSUESLIABILITY ISSUES
• In simple terms, a properly executed security vulnerability assessment will identify the vulnerabilities or weaknesses of a facility or organization to specific threats
• In identifying those vulnerabilities or weaknesses, the facility or organization has been placed on notice that something has to be done with respect to such issues
Wivenhoe Management Group
LIABILITY ISSUESLIABILITY ISSUES
• In the event that there is an incident, and it turns out that it was related to one of those vulnerabilities, and nothing had been done to address that particular vulnerability the facility or organization is not only facing a clear liability but possible negligence as well.
Wivenhoe Management Group
LIABILITY ISSUESLIABILITY ISSUES
• Definition of LiabilityDefinition of Liability
• Liability as it pertains to security: relates to an obligation one is bound or have a responsibility to do; it is the condition of being actually or potentially subject to an obligation; the obligation required is based on the comparison of what others in an industry would do in the same circumstances – that is, they are held to an industry standard. if that obligation or standard is not met then there is a liability exposure
Wivenhoe Management Group
LIABILITY ISSUESLIABILITY ISSUES
• Definition of LiabilityDefinition of Liability
• As an example, if tenants in a building are exposed to unauthorized intrusion it becomes the responsibility for the landlord to provide a reasonable level of security to prevent the intrusions. There is sufficient case law supporting the obligation of the landlord to provide for the protection of the tenant when it is clearly recognized that the tenant is vulnerable due to unauthorized intrusions and insufficient security in the building.
Wivenhoe Management Group
NEGLIGENCE ISSUESNEGLIGENCE ISSUES
• Definition of NegligenceDefinition of Negligence
• The legal definition of negligence is: the omission to do something which a reasonable person, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which A reasonable and prudent person would not do.
Wivenhoe Management Group
NEGLIGENCE ISSUESNEGLIGENCE ISSUES
• Definition of Gross NegligenceDefinition of Gross Negligence
• The legal definition of gross negligence is: the intentional failure to perform a manifest duty in reckless disregard of the consequences as affecting the life or property of another; such a gross want of care and regard for the rights of others as to Justify The Presumption Of
Willingness And Wantoness.
Wivenhoe Management Group
NEGLIGENCE ISSUESNEGLIGENCE ISSUES
• Definition of Punitive DamagesDefinition of Punitive Damages (also known as exemplary or vindictive damages)
• Damages awarded by a court against a defendant as a deterrent or punishment to redress An Egregious Wrong Perpetrated By The Defendant; damages on an increased scale, awarded to the plaintiff over and above what will barely compensate him for his property loss, Where the Wrong Done to Him Was Aggravated by Circumstances of Violence, Oppression, Malice, Fraud, or Wanton and Wicked Conduct on the part of the defendant.
Wivenhoe Management Group
FURTHER LIABILITY ISSUESFURTHER LIABILITY ISSUES
• Implementation of Security Recommendation including new systems
• Are the new security systems based on good Design Criteria that is consistent with Security Industry standards?
Wivenhoe Management Group
STATEMENTSTATEMENT
Many Security Systems Are Installed Many Security Systems Are Installed Without Being Designed, And More Without Being Designed, And More Importantly, Without Proper Design Importantly, Without Proper Design CriteriaCriteria
Wivenhoe Management Group
FURTHER LIABILITY ISSUESFURTHER LIABILITY ISSUES
• Without good design criteria consistent with Security Industry, and even having installed new security systems, it is possible that a facility or organization could be liable, and possibly negligent
Wivenhoe Management Group
Wivenhoe Management Group
LACK OF DESIGN CRITERIALACK OF DESIGN CRITERIA
Leads to Four Major Problems:
1) Inadequate Counter Measures to Meet Threat Level
2) Faulty Security System Design
3) Inability to Support Installed Security System
4) Possible Legal Consequences
Wivenhoe Management Group
INADEQUATE SECURITYINADEQUATE SECURITY
• Failure To Detect
• Failure To Surveil
• Inadequate Perimeter Security
• Inadequate Security At All Critical Assets
• Inappropriate Equipment
• Does Not Provide Adequate Protection To Meet Threat Level
Wivenhoe Management Group
QUESTIONS THAT CAN BE QUESTIONS THAT CAN BE ANSWERED BY PROPER ANSWERED BY PROPER
SECURITY DESIGN CRITERIASECURITY DESIGN CRITERIA
Wivenhoe Management Group
LIKELY QUESTIONS….LIKELY QUESTIONS….
1) Why did you use this equipment– Cameras– Motion Detectors– Type of DVR– Intrusion Detection Equipment– Type of Fence
Wivenhoe Management Group
LIKELY QUESTIONS…LIKELY QUESTIONS…
2) Explain the reasons for installing this type of security system?
3) Why did the security only attempt to cover the outer perimeter?
4) Why were Insider threats ignored?
5) The following people had clearance for all access points……. Why?
6) What was the Design Criteria for the security system?
Wivenhoe Management Group
FURTHER LIABILITY ISSUESFURTHER LIABILITY ISSUES
• Monitoring and Operation of Security Systems
―Expectation of Public
―Third Form of Possible Liability
Wivenhoe Management Group
FURTHER LIABILITY ISSUESFURTHER LIABILITY ISSUES
• TRAININGTRAINING – Has Adequate Training Been Given to All Staff– Security Awareness– Specialty System Training– Crisis Response– Procedures
Wivenhoe Management Group
SOLUTIONSSOLUTIONS
Wivenhoe Management Group
SECURITY VULNERABILITY SECURITY VULNERABILITY ASSESSMENT (SVA)ASSESSMENT (SVA)
• If you have not performed an SVA, do it soon
• Use experienced, certified professionals who understand existing and future Legislation
Wivenhoe Management Group
SECURITY VULNERABILITY SECURITY VULNERABILITY ASSESSMENT (SVA)ASSESSMENT (SVA)
• If an SVA has already been done, have experienced professionals review the results
• Prepare Sound Design Criteria
• Implement, Modify, Add as Appropriate
Wivenhoe Management Group
SECURITY VULNERABILITY SECURITY VULNERABILITY ASSESSMENT (SVA)ASSESSMENT (SVA)
• If you are not sure where you currently stand, initiate an SVA Screening Evaluation
• Provides an Outline of where you currently stand with respect to SVA Requirements, Legislation, and more importantly, options on what to do next
Wivenhoe Management Group
SOLUTIONSSOLUTIONS• Consider new security measures
properly designed with design criteria that meets or exceeds current legislation
• Implement over phased period that reduces initial costs
• Incorporate as part of Business Plan
Wivenhoe Management Group
SOLUTIONSSOLUTIONS
• Consider Deterrent Approach together with Detect, Delay, and Respond
• Consider Security Audit
• Invest in Professional Training
Wivenhoe Management Group
SOLUTIONSSOLUTIONS
• Work with Local and Federal Law Enforcement
• Work with Emergency Management
• Stay Up To Date
Wivenhoe Management Group
QUESTIONSQUESTIONS
www.wivenhoegroup.comwww.wivenhoegroup.comPhone: 609-208-0112Phone: 609-208-0112
E-mail: [email protected]: [email protected]