
Oil & Gas Industry

Towards Global Security

A Holistic Security Risk Management Approach

www.thalesgroup.com/security-services
This white paper discusses current security issues in the oil and gas industry and suggests a holistic security risk management approach to manage security risks to an acceptable level whilst optimizing financial investment.

Threats In The Oil And Gas Field

Safe and reliable energy is a vital link in the nation's critical infrastructure. Oil and gas products play an important role in the national economy and national security, and are integral to the way of life. As such, security has always been and continues to be a priority across the oil and gas industry.
Reports from many international government agencies confirm that various terrorist groups target the oil and gas industry. The petroleum industry is in all probability subject to these threats due to several factors:
- The physical and chemical properties of the materials processed, stored and handled at these facilities may create attractive targets for an adversary to cause a malicious release with the intent to harm a neighboring population.
- The critical importance of the products produced by companies, to the domestic and international infrastructures and to other businesses and individuals, may make disruption of the petroleum industry's operations an attractive option.
The risks from terrorist attacks to the energy supply vary by segment of the industry, which is broadly defined as exploration and production, refining, pipeline transportation (liquids), marine transportation, products distribution and marketing.
Nowadays, with the emergence of new kinds of conflicts, asymmetric threats using unconventional warfare tactics are the primary threats to critical infrastructures. This is especially true for the oil and gas industry, which is now involved in asymmetric conflicts.
Oil and gas private security forces are now facing new unconventional opponents such as terrorists (international and national), activists, pressure groups, single-issue zealots, disgruntled employees, or criminals, whether white collar, cyber hackers, organized or opportunists. These threats may come from insider activity, external action, or insiders colluding with external adversaries. These opponents use different attacks including car suicide bombing, mortar fire, rocket-propelled grenades, improvised explosive devices (IED), ambushes, hostage-taking, hijacking, kidnapping, computer hacking, information warfare, and so on. The attacks can be complex and coordinated and can exploit a combination of physical, logical (information technology), environmental, organizational and human weaknesses.

Security Risks
To address this issue, security needs to be evaluated in order to fully analyze the major security risks: a risk is a combination of the probability of the threat and the potential impact on a critical asset. This is a complex task and therefore a holistic security risk management methodology is required that enables all security risk levels to be identified, whilst also evaluating the existing security solutions in technology (which should cover logical, physical and environmental issues), organization and human factors.
Oil And Gas Critical Infrastructures
The potential threats are directed against the whole oil and gas infrastructure but could target its critical and strategic assets such as:
- Oil and gas specific segments: Reservoirs, wells, offshore production facilities, pipeline systems, mass storage facilities and oil refineries.
- Buildings: Administration offices, corporate offices, command and control rooms.
- Equipment: Process units and associated control systems, product storage tanks, surge vessels, boilers, turbines, process heaters, sewer systems.
- Support systems: Utilities such as natural gas lines, electrical power grid and facilities (including back-up power systems), water-supply systems, wastewater treatment facilities.
- Transportation interface: Railroad lines and railcars, product loading racks and vehicles, pipelines entering and leaving the facility, marine vessels and dock area, off-site storage areas.
- Cyber systems and information technology: SCADA systems, computer systems, networks, devices with remote maintenance ports, laptops, PDAs.
Therefore, to protect those assets, the security measures should be in line with the threat level and adapted to the security risk level.
The evaluation of the security risks starts with the identification of the threats, the critical assets and the vulnerabilities. Then, for each security risk that needs to be mitigated, security objectives are defined. Security solutions are then implemented.

- Loss of human life (killed, injured)
- Economic impact of destruction or disruption
- Business impact
- Political consequences on public confidence
- Potential for loss of energy supply to civilian areas
- Potential impacts for environment
- Extended time needed to repair
- Potential for interdependency effects

Security Risk Management
The objective is to define a security program based on a collective effort that seeks to reduce the likelihood that industry personnel, their families, facilities and materials shall be subject to any kind of attack, and to prepare to respond to the consequences of such attacks should they occur.
This section describes the security management process to mitigate the risks and to develop a security program.

The first step is to set up the internal organization to pilot the risk management process and to define the scope and objectives of the Security Committee and the Security Working Groups.
The organization should be based on:
- Security Committee: the SC includes top management that develops security strategy, provides guidance, direction and cooperation.
- Security Working Groups: the SWG take actions, provide inputs and feedback. They develop and recommend policy, prepare planning documents, conduct risk assessments.
One of the SWGs is the Threat WG, which consists of a Counterintelligence representative, a Law Enforcement representative, an Information Operations representative and the Chemical, Biological, Radiological, Nuclear and High Yield Explosive (CBRNE) representative. Larger installations may include additional personnel as assigned by the SC.

Based on interviews, site surveys and documentation, the following areas have to be addressed:
- Threat Assessment, i.e. define alert levels, identify the threats and evaluate probability.
- Criticality Assessment, i.e. identify critical assets and define asset criticality levels.
- Vulnerability Assessment, i.e. identify vulnerabilities and evaluate criticality. This includes manpower and security force protection assessments.
- Risk Assessment, i.e. identify and evaluate the risks based on the conclusions of the previous assessments.
Consequently, for each risk identified, the management decides whether the risk should be controlled, ignored, insured or accepted.
If the decision is to control the risk, security objectives are defined. Then the security solutions (based on technology, organization or human factors) should be provided, based on risk priority and objectives. Those solutions are categorized as prevention, detection, response and recovery.

As a result, conclusions are formalized in the Security Master Plan (SMP).

Implement Solutions
Appropriate security solutions defined in the Security Master Plan should be implemented through a series of actions including:
- Prioritization of recommended security solutions.
- Planning implementation and funding of security solutions.
The quality of this security management process is maintained using the PDCA model:
- Plan: Establish or update the Security Master Plan to improve security.
- Do: Implement and operate the actions defined in the SMP.
- Check: Monitor, review the actions and report the results to decision makers.
- Act: Maintain and improve the actions.

The management of security risks includes evaluating risks, developing solutions, making decisions, implementing solutions, supervising, reviewing and improving the security level. These are essential follow-through actions of the risk management process.
After identifying and implementing additional countermeasures or mitigation efforts, it is essential to recalculate the risks. A risk management scorecard is useful here.
A complete yearly risk assessment is recommended.

Best Practices In Security Management
With decades of experience in the oil and gas industry and significant depth of knowledge of security systems from its core competencies in defense and civil businesses, Thales has identified some best practices of security management:
- Risk management: Integrate holistic security risk management into the corporate risk management process.
- Security organization: Create a senior level security committee, Security Working Groups, a corporate security risk manager and local security officers (IT, safety, facility, etc.).
- Coordination: Develop coordination with government and stakeholders (customers, suppliers, infrastructure providers).
- Security Master Plan: Define the security doctrine, the operational concept and the means to achieve an efficient level of security.
- Resilience management: As global security is impossible to achieve, resilient system designs and procedures should be adaptable to the unpredictable. Contingency plans (business continuity and emergency response and disaster plans) should be formalized, tested and updated for rapid recovery from disruptions.
- Interdependencies: Evaluate contingency plans from an infrastructure interdependencies perspective and enhance coordination with other infrastructure providers (e.g. electric power, telecommunications, water, transportation).
- Human resources: Background investigations for new hires and periodic updates for current employees, define a hiring policy, implement structured security requirements for critical suppliers and partners. Formalize security policies and procedures. Raise employee awareness and education to be proactive on security matters.
- Physical security: Identify and restrict access to sensitive areas, implement an access control list and badge program. Increase security checkpoints, manned facilities, video surveillance, badge identification, tracking of people and vehicles, escorted visitors and flyovers.
- Information System and Network architecture: Define the LAN/WAN network perimeter, minimize external connections, keep an up-to-date mapping of the network, enhance security of mission critical systems, write and communicate an IT security policy. Enhance traffic filtering, authentication controls, encryption and access controls, minimize or disable all unnecessary services and software, filter emails, control viruses.
The Scope of Work that is proposed in this white paper details the development of a security strategy, which includes those best practices.

Typical Thales Scope Of Work
Thales can assist organizations in setting up a program to develop an efficient security risk management process. This program is scheduled in five steps, as described in the figure below:

The first step is to define the scope of the Risk Management Program.
Thales considers the following actions:
- Meet senior management.
- Understand the business objectives.
- Set up a Security Working Group.
- Define the scope of the System that will be concerned by the security risk management program, i.e. one or more infrastructures.
Outputs:
- Definition of the Security Working Group.
- Formalization of the scope of the System.
- Formalization of the planning of the security risk management program.

The next step is to understand the organization and the System concerned by the scope.
Thales considers the following actions:
- Understand the organization.
- Understand the relations with government agencies.
- Understand the System.
- Identify constraints such as business, industry, national and international regulations.
Output:
- Understanding of the context.

The next step is to analyze the security risks existing in the System.
Thales considers the following actions:
- Visit the System.
- Undertake the threat assessment, the criticality assessment and the vulnerability assessment.
- Do the risk assessment.
- Select risks to accept, to ignore, to control or to insure.
- Propose security objectives.
- Recommend mitigating security solutions.
Outputs:
- Security risk analysis results report.

Based on the decisions of the Security Committee, a strategy is decided and a Security Master Plan is formalized to define the security doctrine and the operational concept.
Thales considers the following actions:
- Define a security doctrine and an operational concept.
- Formalize the Security Master Plan.
- Plan implementation of security solutions.
- Calculate the return on security investment (ROSI).
- Propose a planning to implement the security solutions.
Outputs:
- Security Risk Management Methodology document (adapted to the organization).
- Security Master Plan document.
- Security doctrine and operational concept document.
- Implementation plan report.
- Return on security investment report.

The last step is the design and the implementation of the actions described in the Security Master Plan.
Thales considers the following actions:
- Define a new security organization including the Security Committee and one or more Security Working Groups.
- Develop operational security procedures including crisis management, incident and antiterrorism responses.
- Design security control rooms.
- Define a training policy and develop a training program, i.e. operational and technical.
- Implement physical security, i.e. barriers, video surveillance, intrusion detection systems, access controls, etc.
- Implement information technology security, i.e. LAN and WAN network, information system architecture, server hardening, etc.
- Implement communications security, i.e. confidentiality, anti-jamming, resilience, etc.
- Implement individual protective measures including personal protection for personnel and family members.
- Develop specific software to produce a daily scorecard of the risk situation (option: with geographic information system support).
- Develop resilience solutions based on technology and organization.
- Maintain the solutions participating in the Do-Check-Act process.
Outputs:
- Implementation and maintenance of the security solutions.

To support this SOW, Thales has developed a specific software, CASRIM, i.e. Critical Asset Security RIsk Management. CASRIM helps Thales engineers to analyze the situation and produces graphical outputs of the risk analysis.


Benefits
Determining the risk is essential since the management must understand the threats, what assets are most important to protect, and which of those important assets are most vulnerable. Assessing security risk relates the value of an asset to the threats and the vulnerabilities associated with it. This aids the management in balancing threats against vulnerabilities and the degree of risk that the management is willing to accept by not correcting, or perhaps being unable to correct, a vulnerability. For any vulnerability, the management shall manage risk by developing a strategy to deter incidents, employ countermeasures, mitigate the effects of an incident, and recover from an incident.
The result of using a holistic methodology of this type is that minimum appropriate investments are directed into security solutions to reduce identified risks. In addition, as there is integration between the security technology, the organization's objectives and its processes, efficiencies can be gained whilst still remaining secure.
Security features that have been factored into the initial infrastructure facility design are more likely to be cost-effective, better integrated and more operationally useful than those superimposed on existing structures through add-ons or change orders. Likewise, security features which have been coordinated early in the planning and design process with the architects and other concerned regulatory bodies, as well as with end-users (employees, clients, law enforcement, public safety and regulatory agencies, and operations and maintenance personnel) are more likely to be well received and accepted, and thus more widely used and successful.


Conclusion
By implementing a holistic security risk management methodology, security solutions can be adapted to the changes in threats and security risks, and the levels of investment can be adjusted in accordance with the protection required.
The oil and gas cycle from initial field exploration through production, transport and consumer retail operations is highly complex, with countless potential weak links that are subject to security breakdowns. The security should reflect the risk status and financial resources of the infrastructure. Smaller infrastructures have limited funding and have to plan their security projects with an eye toward simplicity and manageable cost.
The methodology developed in this white paper is scalable and can cover anything from a single infrastructure to the entire oil and gas chain, starting with exploration, development and production, then on through pipeline transport to refineries and processing plants, to storage facilities, and then on to distribution of refined products by land or sea, finishing at the retail outlets.

Philippe Bouvier
Security Consulting
Thales - Security Solutions & Services Division

Organizations from around the world are already benefiting from the use of this methodology, including military organizations, national airport authorities, energy and water companies, financial institutions and transportation companies.
Thales brings together decades of experience in the oil and gas industry and significant depth of knowledge of security systems from its core competencies in defense and civil businesses.
Thales is an unrivalled systems integrator of physical and IT security solutions for the oil and gas industry.
If your organization would also like to reduce overall security costs, improve the efficiency of security investment and measurably reduce security risks, then please contact your local THALES representative for more information.

November 2007 - Photos: Thales, GettyImages

Thales
Security Solutions & Services Division
Security Systems
20-22 rue Grange Dame Rose
CS 80518
78141 Vélizy Cedex - France
Tel: +33 (0)1 73 32 00 00
