A PROVEN SECURITY ASSESSMENT METHODOLOGY
Subtask 1B-Investigation Preplanning
Once the security-assessment team is formed and roles and responsibilities are delineated, preplanning activity is formulated, and parameters are set for data collection, planning interviews, and developing questions. As a minimum, this task should encompass the following:
• Develop questionnaires
• Coordinate with the enterprise on the distribution of questionnaires to designated individuals
• Evaluate completed questionnaires returned by the enterprise staff
• Categorize/prioritize responses
• Develop and deliver a listing of enterprise data to be reviewed
• Develop and deliver a listing of enterprise management and staff candidates to be interviewed
Development of Questionnaires
Before the project kickoff meeting, the security-assessment team prepares a set of questionnaires for distribution and completion by designated enterprise staff. Whenever practical, the security-assessment team should review and evaluate the responses to these questionnaires before the project kickoff meeting. They provide valuable feedback to the team and help organize the review of documents, the interview process, and the field investigation effort. Reviewing and evaluating questionnaires before the project kickoff meeting is not always possible. Staff members may be on travel status, on vacation, or unavailable. Questionnaires are often returned at the meeting or during the interview phase. They are an important part of the process, however, and the security-assessment team should use patience and flexibility in filling any gaps at this point in project activity.
Subtask 1C-Plan, Organize, Coordinate Project Kickoff Meeting
Establishing Contact and Maintaining Open Communications
All security projects, regardless of size and complexity, require continuous, effective communications between the security-assessment team and the enterprise. The basic steps to begin this open dialogue include:
• Develop and deliver detailed project kickoff meeting agenda to enterprise management
• Develop a listing of recommended attendees and their participation roles
TASK 1-PROJECT PLANNING: UNDERSTANDING REQUIREMENTS 89
• Provide enterprise management with a listing of support actions for the project kickoff meeting
• Develop listing of materials needed for the project kickoff meeting
• Establish jointly with the enterprise the vision and direction that will guide the project
Working Hand-in-Hand with the Enterprise Staff
Preparing for and coordinating the project kickoff meeting with enterprise management offers the security consultant and the security-assessment team the first formal opportunity to demonstrate excellence and competence in leadership, program management, and organization skills as well as presentation of expertise and strategic vision. The process is the beginning of team building between the enterprise staff and the security-assessment team and of accepting joint ownership of project success.
Developing the Project-Kickoff-Meeting Agenda
The project kickoff agenda is typically the first official notice to the enterprise’s staff that the project is underway. The agenda is formalized by the security consultant and approved in writing by the enterprise. When published and distributed, the agenda becomes a guide to conducting and controlling the meeting and gives attendees a preview of topics to be discussed and who the participants are. To give the staff sufficient time to organize their schedules and prepare for the meeting, the agenda should be distributed at least ten working days prior to the meeting.
Subtask 1D-Co-Chair Project Kickoff Meeting
The project kickoff meeting brings all key stakeholders together in a formal face-to-face setting and sets the stage for project activity. The security-assessment team meets with designated stakeholders to exchange introductions, establish project parameters and communications, discuss the overall security-assessment methodology, review the initial project schedule, and establish rapport. During this initial meeting, the enterprise management briefs the team on project expectations; presents an orientation to the general system configuration, processes, distribution, critical customers, and future growth plans; describes the general business culture of the organization; and answers questions. A well-organized project kickoff meeting should address the following topics:
• Enterprise management and security consultant to introduce respective members:
90 STRATEGIES FOR PROTECTING CRITICAL INFRASTRUCTURE ASSETS
  ◦ Enterprise management to introduce staff with Homeland Security responsibility
  ◦ Enterprise to introduce state/local authorities with Homeland Security responsibility
  ◦ Security consultant to introduce security-assessment-team members present
• Enterprise to:
  ◦ Describe business culture, mission, service area, customer base, and future growth plans
  ◦ Describe security objectives and goals and overview issues and assets to be surveyed
  ◦ Identify current initiatives that have strategic security implications and may impact the study
  ◦ Discuss protocol of project norms and governance aspects
• Enterprise to present contact information as applicable for:
  ◦ Steering committee, executive management, safety board, and security committee
  ◦ A corporate single point of contact for direct interface and coordination of project activity
  ◦ A site single point of contact for direct interface and coordination of each site to be studied
  ◦ Individuals and agencies to receive deliverables and in what quantities
• Enterprise to provide protocols for access to:
  ◦ Facilities as mutually agreed in the program implementation plan [PIP] or schedule
  ◦ Site engineers and operations, maintenance, and security personnel for follow-up interviews
• Enterprise to discuss protocols for:
  ◦ Protecting project sensitive information
  ◦ Granting security-consultant and security-assessment-team members and teaming partners access to facilities and personnel, including permission to take photographs, calculations, and measures to perform contract obligations
  ◦ Introduction to external dependency agencies announcing the security consultant, security-assessment-team members, and teaming partners as its security-consultant group authorized to contact and meet with the agencies with respect to security-related inquiries
• Enterprise representatives or others in attendance to offer brief comments concerning vulnerability with regard to public health and welfare, risk management, operations continuity, security capabilities, and expectations, including expectations of the security-assessment team
• Enterprise to identify key personnel for security-assessment team to interview
• Security consultant to:
  ◦ Introduce the assessment methodology to be used to execute project requirements
  ◦ Discuss the systematic performance-based measurement criteria to be used to identify risk, consequences of loss, asset criticality, and program effectiveness
  ◦ Identify key milestones and present initial PIP or schedule
• Security consultant to provide:
  ◦ A project-team contact list
  ◦ Schedule of proposed project workshops and future workshops and meetings
  ◦ List of proposed internal interviews including follow-up meetings with each division chief
  ◦ List of proposed external interviews with federal or state agency Homeland Security representatives
  ◦ List of documents requested for review
  ◦ Need to take photographs, calculations, and measures noting relevant security concerns
• Security consultant to define enterprise staff involvement for the various tasks and expectations
• Security consultant to discuss project procedures for safeguarding sensitive security information
• Enterprise staff and security consultant to jointly review and adjust requirements and costs:
  ◦ Identify and resolve scheduling conflicts
  ◦ Coordinate the integrated strategic implications of ongoing initiatives and site work with project activity
  ◦ Identify security implications and interject security considerations into performing the work
  ◦ Timely update and distribution of schedule
  ◦ Identify and resolve project staffing conflicts
• Security consultant staff member to take attendance and minutes of proceedings
Subtask 1E-Review Available Project-Management Information and Identify a Vision of Security Requirements and the Road Map to Achieve Project Goals and Objectives
Following the project kickoff meeting, the security-assessment team reviews available data and the enterprise culture to baseline the evaluation process. The team analyzes the data for completeness and functionality and compares this information against the enterprise’s goals and objectives for the security assessment in order to further solidify the project direction and the security organization’s capability to perform its mission.
Research tasks include but are not necessarily limited to the following:
• Review and become familiar with security-related reports, procedures, and operation plans for completeness, accuracy, and clarity of detail with respect to performing mission statement, including:
  ◦ Late submissions of questionnaires
  ◦ Previous security surveys, threat assessments, audits, and inspection reports
  ◦ Enterprise annual business/financial reports and mission statement
  ◦ Capital-improvement plan to identify ongoing or recent programs and projects that may be impacted or may have an impact on this study and proposed program enhancements
  ◦ Fire and safety plans
  ◦ Disaster and/or emergency-preparedness plans to identify comprehensiveness of emergency-preparedness planning
  ◦ Emergency-response and recovery procedures to identify event-driven planning and capabilities
  ◦ Business-continuity plan to determine security integration and participation
  ◦ Parking and lighting plans to identify completeness and flow-through
  ◦ Security plan to identify comprehensiveness of security planning
  ◦ Security procedures and post orders to identify arcane regulations or unnecessary and unworkable measures
  ◦ Security force training records to identify types and frequency of training and certification
  ◦ Current security contract services to determine if expected services meet emerging enterprise requirements
  ◦ Security organization chart, staffing levels, and job descriptions to ensure the operating model meets enterprise’s expectations and mandates for security performance
  ◦ Other security-related documents identified during the kickoff meeting or at other times
• Compare documents against previous security work undertaken by enterprise and identify standards, requirements, and considerations that may apply to this survey:
  ◦ Compare information reviewed to enterprise security program goals and objectives
  ◦ Identify and document information gaps
  ◦ Summarize the status of information reviewed from all documents and/or persons within the final project report
  ◦ Identify and report to enterprise management the nature and amount of research additionally required by the project team
This review of enterprise data, assessments, and studies is critical. It benchmarks the status of the existing security program and helps the security-assessment team determine the scope needed for the security project and their approach to developing an overall corporate security strategy when one has been requested by the enterprise. It is important to note that not all information requested for review may be available at this time and some data may have to be reviewed concurrent with the performance of other tasks, typically in concert with Task 2 [site characterization], Task 3 [threat characterization], and Task 4 [program effectiveness].
In the preceding chapter, six critical and inseparable corporate performance strategies were introduced. Two of these strategies, the entity mission and business operations, are initially examined here and further evaluated under Task 4 and Task 5 [program analysis]:
• Enterprise goals, objectives, and the security culture are looked at in terms of their contribution to the business world, standing within the community, and acceptance by employees
• Business operations, processes, techniques, and best practices come under review to expose vulnerabilities that impact the security integrity of the enterprise
A major first step in reviewing the data is to define the enterprise’s functional or operational requirements for providing services contrasted
with a series of collective risks and vulnerabilities. Otherwise, no relationship exists between identified problems and recommended solutions, and the solutions in and of themselves become opinions rather than professional judgments. Likewise, in performing Task 3 we will see that the relationships between threats and their consequences, functional requirements, and recommended solutions are equally inseparable.
Subtask 1F-Conduct Workshop Sessions and Review Available Technical Project Information and Document Critical Information
Armed with the information reviewed under Task 1E, the team then holds a workshop or a series of workshops with enterprise representatives. The purpose of these sessions is to examine available site-layout drawings, to preliminarily identify critical security interfaces among system components, to baseline the operational system components and configuration, and to develop a prioritization plan for field investigation strategy. Tasks include:
• Review and become familiar with related construction plans, record drawings, diagrams, and sketches, including:
  ◦ Master expansion plan
  ◦ Facility drawings, water-system maps, hydraulic profiles
  ◦ Site layout drawings and other plans
• Develop system tree to baseline system configuration and document:
  ◦ Flow process, location and quantities of major system components, and facilities
  ◦ Critical production and delivery operations, redundancy and backup systems
  ◦ Supervisory Control and Data Acquisition [SCADA] System, distributed-control systems, and security systems
  ◦ Critical technical and security interfaces among program/system components
• Identify internal and external protocols for dependency services and delivery of materials
• Identify operational constraints
• Identify status of proposed or new construction work
• Identify status of proposed or new security-upgrade work
• Discuss significant security problem areas
• Develop prioritized plan for field-investigation strategy
• Conduct open discussion with workshop representatives
• Summarize contact information and discussion contents within the final project report
• Assist enterprise in developing site-visitation schedule
• Assist enterprise in developing follow-up stakeholder interviews at site level
• Identify and report to enterprise the nature of research additionally required by the security-assessment team
Working-Group Sessions
For best results, workshop attendees should be comprised of enterprise representatives from the electrical, maintenance, operations, and security branches and be knowledgeable about the operations and the physical configuration of the facilities to be visited and assessed. The work sessions and the security-assessment team capture critical thoughts and factual data. At times it may be necessary to hold more than one session, for example, when representatives are not available or if the security consultant determines that it is best to conduct separate or sequential workshops with each discipline. One option is to stagger the timeline for attendance. For example, electrical and maintenance personnel could meet with the consultant at the same time, but operations personnel, who have different concerns, might best meet separately. The security division also has unique requirements, and so on. This is an efficient approach to use when focus on specific issues is desired. Based on the magnitude and complexity of the project, the security-assessment team can also hold multiple concurrent workshops, then regroup to compare and consolidate team observations and notes. Enterprise representatives should bring to these sessions a facility and system layout for each site to be visited that contains sufficient information to identify flow processes; location and quantities of major components such as intake sources, production facilities, storage facilities, distribution points, and redundancy and backup systems; SCADA network components; morphologies and communication pathways; network diagrams with connection details; networking address information; and other critical information that will help identify the characteristics of each facility or site.
Conducting Workshop Interviews
Two types of interviews are conducted during workshop sessions. The first is an open forum, but this approach only provides limited insight into key issues. Further individual interviews are almost always necessary to gain further knowledge of the technical, operational, and security issues. These
workshops enable the security-assessment team to complete much of the field-interview process, thereby reducing time on site, including that needed for site-management interviews. Conducting site interviews with designated staff representatives rounds out the information-exchange process.
Candidate-interview representatives as applicable include:
• Plant superintendents or operations managers
• Electrical, maintenance, and facility managers
• Warehouse managers
• Administrative managers and purchasing chiefs or agents
• Business-continuity or emergency-preparedness-planning managers
• Security and safety managers
• Plant-control-room operators [on all shifts]
• Guard shift supervisors and security guards [on all shifts]
• Security monitoring-station operators [on all shifts]
In addition to the above, interviewing other employees is critical in obtaining a different perspective on the work environment than that of senior or middle management. However, some employees tend to have personal agendas and may not give answers based on objective facts.
A seasoned consultant can detect this attitude and adjust accordingly. To ensure that no one person’s perspective taints the findings, several employees from more than one work center should be sought out to corroborate information gathered by the team before the information is recognized as valid and included in the report.
Conducting Follow-on Site Interviews
Internal and external stakeholder interviews are critical to obtaining independent views from the staff and others and providing invaluable insight to the assessment team. An informal interview/discussion process is recommended to make personnel comfortable in relating individual perceptions, values, and experiences. This eliminates potential bias and pressure associated with group discussions. Predispositions include leadership influence, the dominance of individuals, and group pressure toward conformity. This approach enables the capture of a broad range of honest opinions, practical experiences, and the “actual” as opposed to “official” enterprise-culture mindset. Internal site interviews help the security-assessment team to understand the enterprise culture, gain insight into the strengths and weaknesses of existing practices, identify specific security
functional needs, and address individual security concerns. External interviews provide invaluable information about the social order of the community, law-enforcement capabilities, relationships with the enterprise, and involvement with national, state, and local Homeland Security initiatives. Information collected during these interviews is used in the Task 2 [critical assessment], Task 3 [threat characterization], and Task 4 [program evaluation] analyses.
Developing Site-Visitation Schedules
At the completion of the workshop sessions, the assessment team works with the representatives in attendance to formulate the sequence of facility visits based on management’s predetermined criteria. A facility-visitation schedule is developed including dates and times for selected site interviews with designated individuals. Not setting a schedule, even one with flexibility, can lead to major time delays on the enterprise end and hold up the entire process. When the enterprise approves the visitation schedule, the security-assessment team can then mobilize site investigations using the appropriate team configuration suited for the specific task. During this process responsibilities under Tasks 1 through 5 are executed on a site-by-site basis. As mutually agreed between enterprise management and the security consultant, the security-assessment team may remain in the field to complete all site surveys or return to its base of operations between each site or grouping of sites. There begins the formal analysis process, a discussion of preliminary strategies to mitigate observed vulnerabilities, and the formulation of status reports for presentation to enterprise executive management.
DOCUMENTING THE SECURITY-ASSESSMENT PROCESS
Much has been written about available software programs that can document the security-assessment analysis and generic checklists that can be customized to meet specific needs. Both instruments are worthy of discussion.
Using Proprietary Software Programs to Document Security-Assessment Results
There are many off-the-shelf software programs on the market today that proclaim to have the answer to security problem-solving. These programs range in capabilities from identifying and prioritizing assets to
quantifying the effects of recommended protective measures. Most programs are based on a series of drop-down menus and checklists to build a profile of a site or facility. Some programs calculate vulnerabilities in place and levels of acceptable risk, while others report residual vulnerabilities resulting from proposed protective measures. These programs are attractive because they emphasize advantages such as “save time, money, and resources,” “special analytical skills not required,” or “be your own security expert.”
All of these programs have design constraints and limitations that may not meet the needs of the end user. They include a lock-step approach that prevents the user from navigating to other screens before “filling in all the blanks,” even if such information is unknown, unavailable, or irrelevant. This prevents the user[s] from moving forward to screens particular to the task assignment. In other instances, steps cannot be retraced to update or change information until all screens in the lock-step sequence have been completed, at which time a prompt appears to validate and save all data entered. Some programs alert the user that information in certain screens is not correct or incomplete, forcing one to focus on “manufacturing a reply” to close the program. As such, many security practitioners shy away from using such programs. Nonuse also results from software programming that doesn’t allow users to alter program parameters or report design criteria to meet their needs. Such programs may take a lot of time to maneuver, only to prove useless in the end.
Many enterprises and security consultants use these programs to conduct assessments without fully understanding their limitations or how they work. While these users may have created a “physical security program on paper,” it is doubtful that such “cookie-cutter” replies are capable of producing accurate, realistic, effective, and efficient solutions. Equally misleading would be any cost data generated, as it would be such an extremely rough estimate that it may not be useful to the user. Missing variables including site-specific conditions, circumstances, and aspects such as dimensions, measurements, calculations, environments, and other considerations make such cost estimates suspect. Generic software programs cannot adequately and completely respond to such variables and conditions, and cost data and their respective cost-benefit analyses should best be left to the industry security construction and installation experts. A qualified security professional with extensive experience in security assessments may find such programs useful, but they would only be beneficial if they complement the security-assessment process, not replace human judgment. Used correctly and within their limitations, good software programs can aid the security-assessment process, but it is important