Maritime Security Risk Analysis Model USCG Presentation to Area Maritime Security Committee This brief is intended to provide a top-level risk management view the Maritime Security Risk Analysis Model and how the (MSRAM) is used by the FMSC and AMSC members to identify and prioritize critical infrastructure and key resources. Understanding the value provided by state and local law enforcement as well as first responders and industry members, the CG encourages the participation of the AMSC members in the evaluation of the MSRAM.
History of USCG Risk Tools Port Security Risk Assessment Tool (PSRAT) V1 – November 2001 – supports COTP level risk planning Port Security Risk Assessment Tool (PSRAT) V2 – November 2002 - supports COTP/HQ risk planning Maritime Security Risk Analysis Model (MSRAM) V1 – December 2005 - supports local, regional and national risk planning MSRAM V2 – March 2007 an integrated methodology to support DHS wide security risk analysis Developed and implemented shortly after 9/11 by ADM Allen in November 2001, the Port Security Risk Assessment Tool (PS-RAT) assisted COTPs identify critical infrastructure & key assets within their ports. Modeled after the COMDTs PSRAT tool and after studying all other known risk assessment models the CG developed a risk calculator to evaluate security risk. The MSRAM is the 3rd in a series of Coast Guard port security risk assessment tools. =======================================================================================
Critical Infrastructure Protection Homeland Security Presidential Directive - 7 identify, prioritize, and protect “critical infrastructure” and “key resources” IAW Homeland Security Presidential Directive - 7 Federal departments and agencies will identify, prioritize, and coordinate the protection of “critical infrastructure” and “key resources” in order to prevent, deter, and mitigate the effects of deliberate efforts to destroy, incapacitate, or exploit them.
“Critical Infrastructure” Systems and assets, so vital that the destruction of which would have a debilitating impact on: security, national economic security, national public health or safety “Key Resources” Resources essential to the minimum operations of the economy and government The term "critical infrastructure" (as defined in the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)), section 1016(e)) means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. The term "key resources" (as defined in the Homeland Security Act of 2002 (6 U.S.C. 101(9)), section 2(9)) means publicly or privately controlled resources essential to the minimal operations of the economy and government. Example is a nuclear power plant or chemical facility
Maritime Security Risk Analysis Model (MSRAM) MSRAM was designed to identify and prioritize critical infrastructure, key resources and high consequence scenario’s across sectors using a common risk methodology, taxonomy and metrics to measure security risk from terrorism at the local, regional and national levels Therefore, the MSRAM was designed to identify and prioritize critical infrastructure, key resources and high consequence scenario’s across sectors using a common risk methodology, taxonomy and metrics to measure security risk from terrorism at the local, regional, and national levels. Thereby providing leadership with the appropriate information to coordinate the protection of our critical infrastructure, enhance security and reduce the risk of terrorism as required by HSPD-7.
Threat * Vulnerability * Consequence Risk = Threat * Vulnerability * Consequence “What should drive our intelligence, policies, operations, and preparedness plans and the way we are organized is the strategic matrix of threat, vulnerability and consequence. And so, we'll be looking at everything through that prism and adjusting structure, operations and policies to execute this strategy.” Secretary Chertoff 4/20/05 Our Secretary has stated that risk is made from the components of threat, vulnerability and consequence Risk = Threat * Vulnerability * Consequence “What should drive our intelligence, policies, operations, and preparedness plans and the way we are organized is the strategic matrix of threat, vulnerability and consequence. And so, we'll be looking at everything through that prism and adjusting structure, operations and policies to execute this strategy.” Secretary Chertoff 4/20/05 Secretary Chertoff, statement for the Record, April 20, 2005 before the U.S. Senate subcommittee on Appropriations.
Attack Modes address the full range of DHS Attack Modes (WMD) For Official Use Only MSRAM Elements Scenario Target / Asset Attack Mode MSRAM Design is Based on Terrorist Attack Modes against Types of Targets Attack Modes address the full range of DHS Attack Modes (WMD) These same elements make up the MSRAM risk equation (Threat x consequence x vulnerability). USCG & AMSC members should ensure that all MSTA regulated facilities and vessels, high consequence scenarios and hazardous material vessel transits through our high population density port areas are added to the target list. NOTE: this is the AMSC opportunity to ensure all potential critical infrastructure and key assets are include for risk evaluation. Attack modes include air, surface (land and sea) and sub-service attack modes to include cyber-attacks. For Official Use Only
Risk = Threat * Consequence *Vulnerability For Official Use Only MSRAM Elements Scenario Target / Asset Attack Mode Risk = Threat * Consequence *Vulnerability MSRAM Design begins with threat input from USCG Intel Coordination Center AMSC mbrs in the field capture their best evaluation of scenario consequences and vulnerability for each required scenario (attack mode – target type) The Threat component is supplied top down from ICC USCG & AMSC members evaluate the consequence and vulnerability ratings. NOTE: this is the greatest area where AMSC members & the port community have to ensure the evaluations are as accurate as possible. ===================PRESENTER INFORMATION ONLY====================== The MSRAM threat input is provided top down from the USCG Intel Coordination Center which provides the Intent & Capability of the adversary. The Consequence elements include: Death and injury, primary and secondary economic impact taking into account recoverability and redundancy Symbolic effect, national security and environmental impact. Field users also assess the mitigation impact of the Owner/Operator, First Responders and USCG to reduce the devastation of the consequence. Vulnerability elements include: Field users assess achievability of a specific attack mode against the specific target (level of difficulty) Field users assess the interdiction capability of the Owner/Operator, Law Enforcement and USCG Field users also assess the target capability to withstand the attack For Official Use Only
Risk Plot / Base line risk Risk Group 1 Risk Group 2 Risk Group 3 High Target/Attack Mode Risk LIKELIHOOD F V T Low Once an accurate evaluation as to the risk in the AOR is determined (based on Coast Guard & AMSC inputs) Your baseline risk can be plotted as represented here. Once base line risk is established, a security counter measure or grant application can be evaluated for risk reduction capability Low High CONSEQUENCE
MSRAM Review Process Security Sensitive Information 1 COTP/Sector Assessment with AMSC Input - Identifies risk profile for individual targets Review and Direction District Review Provide consistency/normalization between Sectors SECRET SIPRNET 2 Area Review Provide consistency/normalization between Districts 3 To help ensure consistent assessment of risk, the MSRAM team has established a hierarchical review process. The initial risk assessment will be performed at the local Captain of the Port/Sector/AMSC level. This assessment is performed at the SSI level to enable input from other local maritime stakeholders such as area maritime security committee members and local first responders and law enforcement personnel. Once the local assessment has been performed, the data will be consolidated into the HQ SIPRNET database where the data can be reviewed to ensure consistency from port to port. The first level overview will be performed by district representatives. They will identify inconsistencies between ports and work with the local field assessor’s to make updates to their data. Once all of these updates have been made, the assessments will then be reviewed by the Areas to ensure consistency across districts. Any updates requested by the area will be worked through the districts and subsequently, the sector field assessor to ensure that the sector level assessment is always up to date. Finally, the MSRAM headquarters team will review the national profile to ensure consistency. HQ Assessment, Review & Analysis Provide consistency/normalization between Areas 4
MSRAM Change Case Base Case/MARSEC 1 Potential Change Cases: MARSEC level changes Seasonal changes (Summer, Winter) Changes to threat, consequence or vulnerability profiles Reallocation of USCG/LEA resources Changes in response capability Changes in system security capability/capacity/strategy Changes in technology (RAD detection) Changes in scenarios (e.g., (NSSE, LPG vessels transits in AOR, new targets) For AMSC mbrs to evaluate grant proposals for risk reduction potential - Field users re-evaluate risk categories based upon any combination of changes to the base case scenario NOTE: this is your opportunity to ensure the Coast Guard port security specialist has the most accurate information for your facilities in regards to seasonal changes, technology changes & updates, previous years grant implementations for security enhancements, etc.
Target/Attack Mode Risk Risk Reduction Strategies! RESPONSE Risk Group 1 Risk Group 2 Risk Group 3 High Target/Attack Mode Risk PREVENTION SYSTEM SECURITY LIKLIEHOOD F V T Low The risk reduction potential for Grant proposals can be represented as depicted here. ================Presenter information only ======================= The red lines Response, Prevention & System Security represent the next step - Risk Management. In other words now that I understand the MSRAM baseline Risk - what do I do with the data to mitigate unacceptable risk to an acceptable level. These lines also represent ways the Coast Guard can impact Risk MSRAM is a Risk Assessment Tool that feeds the Risk Assessment Process. G-3PCP-4 is responsible for coordinating the Port Security Assessment Process & G-5 is responsible for the Port Security Risk Management Process. All Risk Group 1 Targets should be considered highest priority for Risk Management Action & options evaluated. Group 2 risks should be considered second priority for risk management action & options identified for later evaluation. Group 3 risks may be considered for risk management action or acceptance. Generally speaking Group 4 should be considered the ‘acceptable risk group’. However, other factors outside of the Risk Assessment may drive a manager to consider action for this group. Based on the location of the data points on the scatter plot a manager can decide what drives the risk TV or C and decide on actions to transfer, reduce, or mitigate risk. Generally speaking Response/Preparedness/Recovery Capabilities ‘Mitigate’ Consequence. And Protection Measures i.e. Physical Security (System Security) Measures ‘Reduce’ the Vulnerability & Attractiveness of a Target thereby reducing the Likelihood that a target will be attacked. Prevention Measures ‘Mitigate/Reduce’ Threat, Vulnerability, & Consequence. The results of MSRAM will be used to directly feed risk reduction strategy development. Then a cost benefit analyses should be conducted to determine the cost associated with each strategy followed by a return on investment analyses which will determine our best ROI. Low High CONSEQUENCE
Target/Attack Mode Risk Security Risk Reduction counter measures / grant proposals Risk Group 1 Risk Group 2 Risk Group 3 High Target/Attack Mode Risk LIKLIEHOOD F V T Low This graph represents the potential reduced risk after employing a risk reduction strategy as expressed in your grant proposal. Low High CONSEQUENCE
MSRAM Contacts Policy Questions Port Security Evaluation Division MSRAM HELP DESK – MSRAMHelp@uscg.mil MSRAM Contacts Policy Questions Port Security Evaluation Division LCDR Brady Downs, USCG LCDR Mark Shepard, USCG Any questions can be directed to the Coast Guard SME’s at the MSRAM Help desk
MSRAM Questions Questions Questions