Critical Infrastructure Risk Assessment, by Ernie Hayden MIPM CISSP CEH GICSP(Gold) PSP


Introduction

When eating an elephant, take one bite at a time.

- General Creighton Abrams, US Army

or,

A journey of a thousand miles must begin with a single step.

- Lao Tzu

“Oh, Crap!”

Your bosses are worried about the state of your facility. They heard of a major accident at one of your competitor’s plants and there is worry your facility could suffer the same fate. During the daily Skype call with headquarters your boss, the Vice President of Operations, gives you the order. “Tell me if we are at risk for this same issue!!” he exclaims. “I want a report emailed to me in two weeks or less. Be sure to let me know if you have any questions or need any help.”

The call ends and you begin to ponder — worry, actually. How am I going to “assess” my plant? You vaguely heard about your competitor’s event but don’t know any of the details. Also, your plant is huge. It covers a square mile including the fence-line, roads, etc. How am I going to “eat the elephant?”

Frankly, this story is not that unusual. There are many instances where seasoned managers are tasked with conducting major inspections and assessments of their operations. But even new engineers, insurance adjusters, and quality assurance staff are confronted with this same dilemma. How do I start? Where do I start? Exactly what do I do?

Besides, even if I start with such an “assessment or inspection” what do I focus on? Why? What do I do with all the data I accumulate? How do I collect it? How do I organize it?

This book is written after 40+ years of conducting such inspections and assessments. I have performed inspections on power plants, factories, refineries, oil and gas pipelines, warships, major sports arenas, 30+ story business buildings, and even my own house. Drawing on this experience, this book offers you a methodology along with a collection of tools and techniques to use when conducting risk and vulnerability assessments of large and small industrial facilities and critical infrastructure.

In this chapter you will discover:

• The value of a Risk Assessment.

• Ideas on “where to begin” to perform a Risk Assessment.

• An overall view of the Risk Assessment Process.

Your journey in reading this book will offer you guidance on these key topics:

• What constitutes Critical Infrastructure.

• The fundamentals of risk and the risk equation.

• Overall risk assessment process and methodology.

• Ideas on how to prepare for the assessment.

• Guidance on performing the onsite assessment.

• Entry and exit meetings.

• Interviewing site personnel.

• Reviewing client documentation.

• Conducting physical plant inspections.

• Performing and documenting observations.

• Developing the final report and findings.

• Details on identifying risk and risk severity ratings.

• Preparation of the initial draft.

• Issuing the report and follow-up.

The advice and suggestions in this book are intended to provide guidance and training for new as well as seasoned staff.

With this book I hope to offer some interesting stories of my own and from experienced assessors and inspectors you can use to become better at your job. You will learn new techniques for attacking the targeted facility, you’ll have access to some new checklists and guidelines, and I hope you’ll learn what the better “knives and forks” are to use when Eating the Elephant.

Who Should Read This Book?

So, who should read and study this book? Who should include this book on their reference shelf and among their well-worn handbooks? Some candidates include:

• Facility/Plant Maintenance/Operations Managers. Benefit: A new way to “look” at the plant; learn new techniques and approaches.

• Corporate and site quality assurance inspectors/auditors. Benefit: Learn techniques to make the inspections valuable and worthwhile.

• Corporate and site training staff. Benefit: Learn a new way to teach people how to “inspect” and “assess.”

• Corporate Risk Managers. Benefit: Have a technique at their fingertips to use for risk assessment and management.

• Consultants. Benefit: Learn new techniques and approaches to site visits, inspections, etc.

• Staffs at the Institute of Nuclear Power Operations (INPO), insurance companies, forensic investigators, etc. Benefit: Learn a formal and consistent approach to inspecting/assessing large, complex facilities.

I trust you will find this book beneficial and will offer you many ideas to apply to your current and future jobs. I look forward to your feedback and comments on the book and encourage you to pass along your ideas, suggested changes, etc. to me.

What Risk?

Risk is a situation exposing an individual, machine, or building to danger. A simple definition of risk is:


Figure 0-1 Classic Risk Equation

The three components of risk are threats, vulnerabilities, and impact or consequences.

You need to understand what constitutes risk before you can effectively perform a risk assessment.

Let’s think about some experiences in our lives where we can frame the risk equation.

For example, imagine you are entering an intersection in your new pickup truck. You entered on a green light but to your right a large truck is rapidly driving into the intersection right at your pretty red crew cab!

What is the risk — besides messing up your trousers? The threat is the truck barreling at your truck. The vulnerability is your truck wasn’t designed to be hit at 35 miles per hour by a large vehicle — even with side and front air bags. The consequence could range from death or serious injury to you, death/injury to adjacent cars and pedestrians, death/injury to the truck driver, citations from the police, years of lawsuits, etc.

That is a pretty obvious example. What about something more subtle?

I was recently driving by a refinery near my home. I noted a perimeter fence around the facility, but the top barbed wire array was facing towards the plant and not towards the threat (i.e., the terrorist/attacker) as it should. The risk is not particularly profound; however, there is a vulnerability with the barbed wire topper facing the wrong direction which would more readily allow an intruder to enter the refinery perimeter. The consequences could range from sabotage to simple vandalism; but, there are consequences to consider.

Risk is all around us, and you really should have an innate sense of what risk includes so you can recognize it during an assessment and fix it later.
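To show how the three components combine into a rating you can act on, here is an added example (not code from the book or its author). It assumes the common multiplicative form Risk = Threat × Vulnerability × Consequence, since the figure itself is not reproduced on this page, and uses a hypothetical five-point scale plus "none", with severity bands that are likewise an assumption to be tuned per organisation. The two findings from the text are scored alongside one constructed gate finding so that ranking has something to do; the `Finding`, `rate`, `risk_score`, `severity` and `rank_findings` names are this example's own.

```python
"""Score and rank findings with the three-component risk equation.

Added illustration, not code from the book. Assumes (hypothetically) the
multiplicative form Risk = Threat x Vulnerability x Consequence with each
factor rated on a five-point scale plus "none" = 0; the severity bands are
likewise an assumption to be tuned per organisation.
"""
from dataclasses import dataclass

# Qualitative scale -> numeric rating. "none" lets a factor zero out the
# product: a vulnerability with no credible threat (or no consequence) is
# still recorded, but carries no risk in this model (assumption).
SCALE = {"none": 0, "very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
MAX_SCORE = max(SCALE.values()) ** 3  # 125


@dataclass(frozen=True)
class Finding:
    title: str
    threat: str         # who or what could cause harm
    vulnerability: str  # weakness the threat can exploit
    consequence: str    # impact if it happens


def rate(level: str) -> int:
    """Map a qualitative rating to its number; reject unknown ratings loudly."""
    key = level.strip().lower()
    if key not in SCALE:
        raise ValueError(f"unknown rating {level!r}; expected one of {list(SCALE)}")
    return SCALE[key]


def risk_score(f: Finding) -> int:
    """Risk = Threat x Vulnerability x Consequence (assumed multiplicative form)."""
    return rate(f.threat) * rate(f.vulnerability) * rate(f.consequence)


def severity(score: int) -> str:
    """Band a 0..125 score into a report rating (hypothetical thresholds)."""
    if score >= 64:
        return "Critical"
    if score >= 27:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_findings(findings):
    """Return (title, score, severity) tuples, highest risk first, ties by title."""
    ordered = sorted(findings, key=lambda f: (-risk_score(f), f.title))
    return [(f.title, risk_score(f), severity(risk_score(f))) for f in ordered]


# Constructed sample: the two scenarios from the text plus one made-up gate finding.
SAMPLE_FINDINGS = [
    Finding("Truck running the red light into your intersection",
            threat="high", vulnerability="high", consequence="very high"),
    Finding("Refinery barbed-wire topper angled toward the plant",
            threat="low", vulnerability="medium", consequence="medium"),
    Finding("Unlocked, unmonitored vehicle gate on the access road (constructed)",
            threat="medium", vulnerability="very high", consequence="high"),
]

if __name__ == "__main__":
    for title, score, band in rank_findings(SAMPLE_FINDINGS):
        print(f"{band:<8} {score:>3}/{MAX_SCORE}  {title}")
```

Run it and the truck scenario lands at 80/125 (Critical), the constructed gate at 60 (High) and the barbed-wire topper at 18 (Medium), which matches the text's intuition that the refinery case is a real vulnerability but not a profound risk. Two points worth keeping when you adapt this: unknown ratings are rejected rather than silently treated as zero, so a typo in a spreadsheet export cannot hide a finding, and the "none" rating makes explicit that a vulnerability with no credible threat still gets written up even though it scores zero.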

What is a Risk Assessment?

A comprehensive risk, threat, and vulnerability assessment offers an organized and systematic approach to assessing and documenting risks to the organization. The risk assessment provides an informed list of risks and recommended corrective actions to help the enterprise attack and correct the most serious risks identified. A risk assessment is generally a holistic view of the facility and is intended to view all activities and look for “all hazards” that can constitute risks to the company.

In the US Interagency Security Committee Standard, a risk assessment is the process of evaluating credible threats, identifying vulnerabilities, and assessing consequences. In the National Institute of Standards and Technology (NIST) Special Publication 800-30, Guide for Conducting Risk Assessments, the authors define a Risk Assessment as:

The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation...

As mentioned in his Newcastle Consulting Blog, “The Value of Security Risk Assessments,” Mr. J. Kelly Stewart recognizes that properly performed risk assessments can offer the following:

 Reduce long-term costs to the enterprise.

 Improve future operations and aid the organization in achieving strategic objectives.

 Break down organizational barriers.

 Provide important self-analysis.

 Facilitate internal and external communications.

 Help the enterprise avoid major accidents and events.

The Risk Assessment Flow Chart

As we delve into the risk assessment process, it is easy to separate it into three primary phases:

Phase 1: Pre-Assessment Planning

Phase 2: Site Assessment, and

Phase 3: Reporting.

Figure 0-2 provides a map of the risk assessment process:


Figure 0-2 Hybrid Facility Risk Analysis Flow Chart

As we proceed with this book, and especially in Chapters 5 through 8, this map will help you understand where in the process we are and which subprocesses are in play for each phase.

Your Job

Your job is to jump in and use this handbook to guide you and your teams when you perform risk assessments and other facility analyses. There’s a lot going on and I think you’ll find this a worthwhile guide. Good Luck! Enjoy your journey as we try to eat the elephant!

REFERENCES

Biss, E. (2020). Eula Biss — Some of the most interesting research that I... Retrieved April 14, 2020, from https://www.brainyquote.com/quotes/eula_biss_724462

Interagency Security Committee. (2013). The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard. Retrieved from https://www.dhs.gov/publication/isc-risk-management-process-aug-2013

Joint Task Force Transformation Initiative. (2012). Guide for Conducting Risk Assessments (SP 800-30, Rev 1). Retrieved from https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Stewart, J. K. (2019). The Value of Security Risk Assessments. Retrieved from https://www.nccllc.net/journal-shift//the-value-of-security-risk-assessments

Tzu, L. (2020). Lao Tzu — Do the difficult things while they are easy and... Retrieved April 14, 2020, from https://www.brainyquote.com/quotes/lao_tzu_398196?src=t_journey
