Beruflich Dokumente
Kultur Dokumente
This article describes a security risk assessment and protection methodology that was developed for use in the chemical and process industries in Belgium. The method employs a
risk-based approach according to design principles for objectoriented protection, using so-called Typicals. The approach is
beneficial for workers in the chemical industry because of
the familiarity with safety models and concepts in this particular industry. The model combines the rings-of-protection
approach with generic security practices including management and procedures, security technology (e.g., CCTV, fences,
and access control), and human interactions (proactive as
well as reactive). The method is illustrated in a case-study
where a practical protection plan was developed for an existing chemical company. This article demonstrates that the
method is useful for similar chemical and process industrial
activities far beyond the Belgian borders, as well as for crossindustrial security protection. In summary, this article offers
an insight into how the chemical sector might protect itself
on the one hand and an insight into how security risk manC 2014 American
agement may be practiced on the other hand. V
Institute of Chemical Engineers Process Saf Prog 34: 7283, 2015
72
similarities in safety and security that prompt experts to indicate that, for achieving an optimal result, an integrated
approach is required [7,8]. It is thus important to integrate
the responses to a security threat with the needed security
responses to a safety threat. This topic is explored in ecurity
Risk Assessment Approach Section. The basic theoretical
concepts that form the basis of such an integrated approach
are dealt with in General Design Principles for Building Up a
Protection Strategy Inside a Chemical Plant Section. The
translation to practical cases is explained in Security Measures and Protection: Practice in the Chemical Industry Section, which is based on an existing chemical plant.
SECURITY RISK ASSESSMENT APPROACH
DOI 10.1002/prs
March 2015
73
the Defense in Depth principle [1719]. An effective countermeasure deploys multiple defense mechanisms between
the adversary and the target. Each of these mechanisms
should present an independent obstacle to the adversary.
Note that the rings of protection in security may not necessarily be independent of each other. However, the Layers of
Protection are intended to be independent of each other. Figure 2 (based on [9]) illustrates the rings-of-protection concept
and its component countermeasures (listed non-exhaustively).
When the security management team has decided which
security risks require protection measures, a company security concept can be designed. In this regard, a complete
view of the chemical plant and its surroundings, geographical, as well as sociotechnical, is the starting point.
The rings-of-protection concept illustrated in Figure 2,
and based on the Defense in Depth approach, is the backbone of security systems [4,9,11,1619]. Most commonly, the
terminology of perimeters and zones is used.
Every ring in Figure 2 is defined and constructed according to the risk sensitivity of the objects inside that zone (e.g.,
storage of flammable liquids; a reactor that is prone to
explode during process disturbances, etc.). The question of
occupancy will be important for building the rings-ofprotection for the chemical plant. The barriers that protect a
specific ring are designed with a certain resistance against
intrusion. The target in the center is the asset that is deemed
attractive for a potential adversary and, therefore, requires
protection. The resistance of a barrier and the time it takes
an adversary to get to the target are important factors in the
probability of interruption when setting up a path analysis.
An adversary will choose a specific path (usually one of
several options), also called an adversary path [1,20,21] to
get to a target. The path can be seen as an ordered series of
actions taken against a facility, which, if/when completed,
results in a successful attack. As an example, to destroy a
water pump, the series of actions may be: penetrate fence,
walk to outside door O of building B, penetrate outside door
O of building B, walk to inner door D of target room R, pen-
74
DOI 10.1002/prs
March 2015
Organizational Requirements
Adequate security starts with the genuine commitment of
an organizations top management. In the safety domain, top
management commitment has been identified as an essential
contributing factor for adequate safety performance [24,25].
Due to the similarity between operational safety and security
management, it can be assumed that the same conclusion on
management commitment holds for security. However, in the
security field, there are only a few scholarly publications that
prove this claim. As an example, qualitative research indicates that success will depend to a large extent on senior
management showing meaningful support for security [5].
Security within a chemical plant, as also in other industrial
sectors, needs to be clearly defined and set up according to
the security risks present, and considering the balance
between the threats and the level of concern of a company
(see before). If the approach to security is not written down
in a security manual, there is a danger that ad hoc decisions
will be made in dealing with threats, possibly leading to
inadequate responses. The development of a credible security manual should be based on the following domains of
consideration [4]:
a security policy
security procedures
an employees screening process
a security awareness program
security training
an emergency response facility
incident reporting
Physical Security
In a previous section, the concept of the rings-ofprotection (i.e., defenses in depth or plant perimeters of protection), was explained. Since the rings will be the basis of
the complete security plan, there will be security breaches if
they are not well researched.
Prior to determining the rings-of-protection, an inventory
of each part of the plant (building, building level,
DOI 10.1002/prs
March 2015
75
76
DOI 10.1002/prs
March 2015
protection system. The URB as well as the URS are a combination of all possible security requirements (people, procedures, and technical issues).
The way an URB is written down is given in the procedure displayed in Figure 4. This URB reporting structure is
actually based on the OPER principle.
The generic procedure of Figure 4 gives for the first URB
the syntax as displayed in Figure 5.
Once the complete set of URBs has been defined, the
URSs can be drafted. An URS describes the technical specifications of the URB. It is, however, neither a technical
descriptive of the solution, nor is it a set of procedures. In
the case of an existing plant, it is often common that several
URSs are present but that some of them differ with respect
to one or more specific parts. As an example, for the URB 1,
six URSs can be identified, namely:
URS 1 5 the fence itself
URS 2 5 the access-points for pedestrians and cars
URS 3 5 the access-points for the trucks
URS 4 5 the access-points for the trains
URS 5 5 the access-points for the boats
URS 6 5 the access-points to the utilities such as water
and electricity
It is worth noting that places where energy is produced
or where cooling water or water needed for production is
being stored are often forgotten as targets for adversaries.
DOI 10.1002/prs
March 2015
77
78
March 2015
Access Control
Access control methods combine physical and electronic
OPER measures in a single security system. The company
security manual needs to guide the choice of an appropriate
access system. It will indicate whether one-by-one access
(i.e., access only allowing one person entering or leaving at
one time) is required on the perimeter or just protection
against unauthorized access. Otherwise, it will indicate
whether people have to identify themselves by means of a
second verification system. Maybe, there is also a need for
installing an antipass back (i.e., a way to prevent people
from accessing a site twice without leaving the site, e.g.,
handing over of badges to other people). Installing such an
antipass back system can be interesting, for example, if the
number of people in a certain location has to be counted, or
if a person cannot access the plant if he or she does not possess the right certification, or if a person is not authorized to
enter this specific zone.
All these parameters must be carefully defined before
decisions can be made about the type of cards, doors, a system with pin-codes, biometrics, and what have you. These
parameters will indicate whether employees need to access
the site by means of a man-height turnstile or a simple gatedoor or no barrier. The number of users and the timeframe
will indicate the type of door as well as the number of
access points. If one-by-one access for every employee at
Perimeter 1 is needed (e.g., having 500 people entering
between 8 am and 8:15 am), then several turnstiles to let
these people in in a correct manner during this timeframe,
DOI 10.1002/prs
1
1
1
1
1
1
DOI 10.1002/prs
March 2015
79
80
March 2015
DOI 10.1002/prs
what can prevent the camera from viewing the correct images
(plants, construction site, changes on the perimeter, . . .)
Cameras are part of the overall security measures and by
themselves they will of course not prevent incidents occurring. In Figure 13, some definitions of camera surveillance
for a chemical plant are presented. Nevertheless every chemical plant has its own peculiarities and, therefore, definitions
must be fitted to the result of the chemical plants security
assessment and security manual.
As can be seen in Figure 13, the camera surveillance system will mostly be used as a verification of the act. A camera
will, in the best case scenario, deter an adversary from committing an unwanted act. On the other hand, if the adversary
can see the camera, he may destroy or disable the camera
before committing the unwanted act. The integration of cameras with other security technologies is thus needed, especially in chemical plants where premises can be large and
not always well illuminated at all locations. The absence of
light can indeed be a problem for camera surveillance and it
must be resolved using the correct techniques.
The visualization of the images and the contents of these
images can have a better level of performance using intelligent VCA-techniques. However, in contrast with the military
sector, industrial security VCA-techniques are used that have
to cope with very small pixel objects. If combined with thermal cameras instead of standard cameras, even day/night, a
better result is often obtained in chemical plants. However,
thermal cameras are good for large open spaces, but have
vulnerabilities and their measure of performance, user
expectations, etc. also bring unique problems. Hence, the
optimal solution is site dependent.
Intrusion can be detected quickly, even sometimes before
the actual intrusion takes place, when combined with the
newest 4D/3D techniques called video image understanding.
Video image understanding is a technique that uses sensors
and telemetry in 2D-images together with human behavior
analysis. It is even arranged so that the combination of thermal cameras and VCA can be used for fire detection or gas
detection. In this case, thermal cameras will have a double
effect and a reduced cost as they have a double functionality,
especially in the chemical and process industry. Moreover,
such thermal cameras are a nice example of the need for integration of safety and security in a chemical industrial area.
DOI 10.1002/prs
March 2015
81
System Integration
The necessity of integration of procedures, people, and
systems was already mentioned as the OPER principle. All
the previous sections follow this principle. But there is also a
need for integration between systems. Not only between two
security systems, such as camera surveillance and access control, but between all security systems installed and used
within a chemical plant, and between security and safety
needs.
Most often the security manager will use integration for
an interaction between fire detection and access control. It is
compulsory that some doors, in the event of a fire, need to
be unlocked or locked, to prevent the fire from expanding
or to enable people to escape to fire-free areas. This successful safety practice can be opposed to access control, which
is a purely security-based solution. Access control is set up
to prevent unauthorized people from entering the plant,
whereas fire detection is set up to evacuate the plant in the
event of a fire. Hence access control demands fail-secure
locks where fire detection demands fail-safe locks. In this
case, the appropriate lock and access point must be installed
so that everyone, in the event of fire, has a free exit, but that
the entrance is still secured and only available for those who
have access.
This practice is of course only one part of the integration,
even though it is still a very difficult one. For example, after
a flash fire alarm, an intrusion was seen but was not detected
due to the integration of the two systems not being set up
properly. In most cases, the fire alarm will cause the power
to be cut off from the access points and doors will be left
unsecured. Hence, integration is more than setting up some
hardware links: it is also about the interaction between systems that sometimes are not regulated. For example, consider the use of thermal cameras to ensure gas detection or
the help of camera surveillance to have an overview of the
location of a fire and the additional escape routes. In a
chemical plant, it is very important that security people as
well as firemen have a complete overview of the fire, its
location, its extension region, the escape routes for people
and also the possible routes for the fire brigade. For chemical plants, it is important that part of the integration includes
the activity inside the control rooms, not only between systems but also between people.
DISCUSSION
March 2015
CONCLUSIONS
LITERATURE CITED
17. J. Ellis and C.A. Hertig, The Professional Protection Officer, Butterworth-Heinemann, Burlington, 2010.
18. IAEA (International Atomic Energy Agency), Defence in
Depth in Nuclear Safety, IAEA, Vienna, 1996.
19. ASIS, Protection of Assets, Physical Security, ASIS International, Alexandria, VA, 2012.
20. M.J. Arata Jr., Perimeter Security, McGraw-Hill, San Francisco, 2006.
21. T.L. Norman, Risk Analysis and Security Countermeasure
Selection, CRC Press, Boca Raton, 2010.
22. Institute of Security Belgium, Handbook Basisopleiding
bestemd voor Leidend Personeel van beveiligingsondernemingen (in Dutch), Ministry of Home Affairs,
Brussels, 2013.
23. Belgian Official Gazette, Wet tot regeling van de private
en bijzondere veiligheid (in Dutch), (1990), p. 10963.
24. T. Wu, C. Chen, and C. Li, A correlation among safety
leadership, safety climate and safety performance, J Loss
Prev Process Ind 21 (2008), 307318.
25. E.A. Kapp, The influence of supervisor leadership practices and perceived group safety climate on employee
safety performance, Saf Sci 50 (2012), 11191124.
26. H.A. Gabbar and K. Suzuki, The Design of a Practical
Enterprise Safety Management System, Kluwer Academic
Publishing, Dordrecht, 2004.
DOI 10.1002/prs
March 2015
83