Critical Infrastructure Risk Assessment. Ernie Hayden, MIPM, CISSP, CEH, GICSP(Gold), PSP
book on their reference shelf and among their well-worn handbooks? Some candidates include:
Facility/Plant Maintenance/Operations Managers. Benefit: A new way to “look” at the plant, and new techniques and approaches to learn.
Corporate and site quality assurance inspectors/auditors. Benefit: Learn techniques that make inspections valuable and worthwhile.
Corporate and site training staff. Benefit: Learn a new way to teach people how to “inspect” and “assess.”
Corporate Risk Managers. Benefit: Have a technique at their fingertips to use for risk assessment and management.
Consultants. Benefit: Learn new techniques and approaches to site visits, inspections, etc.
Staffs at the Institute of Nuclear Power Operations (INPO), insurance companies, forensic investigators, etc. Benefit: Learn a formal and consistent approach to inspecting/assessing large, complex facilities.
I trust you will find this book beneficial and will offer you many ideas to apply to your current and future jobs. I look forward to your feedback and comments on the book and encourage you to pass along your ideas, suggested changes, etc. to me.
What Risk?
Risk is a situation exposing an individual, machine, or building to danger. A simple definition of risk is:
Figure 0-1 Classic Risk Equation
The three components of risk are threats, vulnerabilities, and impact or consequences.
You need to understand what constitutes risk before you can effectively perform a risk assessment.
Let’s think about some experiences in our lives where we can frame the risk equation.
For example, imagine you are entering an intersection in your new pickup truck. You entered on a green light but to your right a large truck is rapidly driving into the intersection right at your pretty red crew cab!
What is the risk — besides messing up your trousers? The threat is the truck barreling at your truck. The vulnerability is your truck wasn’t designed to be hit at 35 miles per hour by a large vehicle — even with side and front air bags. The consequence could range from death or serious injury to you, death/injury to adjacent cars and pedestrians, death/injury to the truck driver, citations from the police, years of lawsuits, etc.
That is a pretty obvious example. What about something more subtle?
I was recently driving by a refinery near my home. I noted a perimeter fence around the facility, but the top barbed wire array was facing towards the plant and not towards the threat (i.e., the terrorist/attacker) as it should. The risk is not particularly profound; however, there is a vulnerability with the barbed wire topper facing the wrong direction, which would more readily allow an intruder to enter the refinery perimeter. The consequences could range from sabotage to simple vandalism, but there are consequences to consider.
Risk is all around us, and you really should have an innate sense of what risk includes so you can recognize it and fix it later.
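To make the three-component view concrete, here is a small risk register that scores the two scenarios above. This is an added illustration, not the book's method: the 1-5 ordinal scales, the multiplicative scoring (threat × vulnerability × consequence) and the sample ratings are assumptions chosen for the example.

```python
"""Tiny risk register illustrating the three-component risk model.
Added example; the 1-5 scales, the multiplicative score and the sample
ratings are assumptions, not the book's prescribed method."""
from __future__ import annotations
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed ordinal scale: 1 = negligible ... 5 = severe


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int         # likelihood/capability of the threat acting
    vulnerability: int  # how easily the weakness can be exploited
    consequence: int    # severity of the impact if it happens
    corrective_action: str

    def __post_init__(self) -> None:
        # Reject ratings outside the assumed scale so bad inputs fail loudly.
        for field in ("threat", "vulnerability", "consequence"):
            value = getattr(self, field)
            if value not in SCALE:
                raise ValueError(f"{field} must be in 1..5, got {value}")

    def score(self) -> int:
        # Assumed multiplicative form: risk = T x V x C (range 1..125).
        return self.threat * self.vulnerability * self.consequence


def prioritize(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Return (name, score, corrective action), highest risk first: the
    'informed list of risks and recommended corrective actions' that an
    assessment report is meant to deliver."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.name, r.score(), r.corrective_action) for r in ranked]


# Constructed sample entries based on the two scenarios in the text.
SAMPLE_REGISTER = [
    Risk("Truck entering the intersection against your green light",
         threat=4, vulnerability=5, consequence=5,
         corrective_action="Check cross traffic before entering the intersection"),
    Risk("Refinery fence barbed-wire topper angled toward the plant",
         threat=2, vulnerability=4, consequence=3,
         corrective_action="Re-hang the barbed-wire outriggers to face outward"),
]

if __name__ == "__main__":
    for name, score, action in prioritize(SAMPLE_REGISTER):
        print(f"{score:3d}  {name}: {action}")
```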
What is a Risk Assessment?
A comprehensive risk, threat, and vulnerability assessment offers an organized and systematic approach to assessing and documenting risks to the organization. The risk assessment provides an informed list of risks and recommended corrective actions to help the enterprise attack and correct the most serious risks identified. A risk assessment is generally a holistic view of the facility and is intended to view all activities and look for “all hazards” that can constitute risks to the company.
In the US Interagency Security Committee Standard, a risk assessment is the process of evaluating credible threats, identifying vulnerabilities, and assessing consequences. In the National Institute of Standards and Technology (NIST) Special Publication 800-30, Guide for Conducting Risk Assessments, the authors define a Risk Assessment as:
The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation...
As mentioned in his Newcastle Consulting Blog, “The Value of Security Risk Assessments,” Mr. J. Kelly Stewart recognizes that properly performed risk assessments can offer the following:
Reduce long-term costs to the enterprise.
Improve future operations and aid the organization in achieving strategic objectives.
Break down organizational barriers.
Provide important self-analysis.
Facilitate internal and external communications.
Help the enterprise avoid major accidents and events.
The Risk Assessment Flow Chart
As we delve into the risk assessment process, it is easy to separate it into three primary phases:
Phase 1: Pre-Assessment Planning
Phase 2: Site Assessment, and
Phase 3: Reporting.
Figure 0-2 provides a map of the risk assessment process:
Figure 0-2 Hybrid Facility Risk Analysis Flow Chart
As we proceed with this book, and especially in Chapters 5 through 8, this map will help you understand where in the process we are, and what are the subprocesses in play for each phase.
Your Job
Your job is to jump in and use this handbook to guide you and your teams when you perform risk assessments and other facility analyses. There’s a lot going on and I think you’ll find this a worthwhile guide. Good Luck! Enjoy your journey as we try to eat the elephant!
REFERENCES
Biss, E. (2020). Eula Biss — Some of the most interesting research that I... Retrieved April 14, 2020, from https://www.brainyquote.com/quotes/eula_biss_724462
Interagency Security Committee. (2013). The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard. Retrieved from https://www.dhs.gov/publication/isc-risk-management-process-aug-2013
Joint Task Force Transformation Initiative. (2012). Guide for Conducting Risk Assessments (SP 800-30, Rev 1). Retrieved from https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Stewart, J. K. (2019). The Value of Security Risk Assessments. Retrieved from https://www.nccllc.net/journal-shift//the-value-of-security-risk-assessments
Tzu, L. (2020). Lao Tzu — Do the difficult things while they are easy and... Retrieved April 14, 2020, from https://www.brainyquote.com/quotes/lao_tzu_398196?src=t_journey
PART