Dow Security Vulnerability Assessment Overview (April, 2005)


GMK - 3/4/05 Pg. 1
Dow Security Vulnerability Assessment Overview
April, 2005

This document and any technical information contained herein was prepared for use by Dow employees at Dow facilities. Dow has provided for the compilation of the information in this document as a part of an effort by its employees and contractors to collect and share their experience and expertise in the areas of security. The contributors to this document believe the information provided is accurate, and they have provided this information in good faith. However, no warranty, express or implied, is given by Dow. When used by other than Dow employees, or other than in Dow facilities, those who use this document should use their independent judgment in evaluating information contained herein, and assume the risk for using the information provided in this document. Dow assumes no responsibility for damages resulting from the use of the information herein including the accuracy or reasonableness of the factual or statistical assumptions, studies or conclusions, ownership or copyright or other intellectual property rights, or personal rights of others. The user is solely responsible for compliance with applicable governmental requirements. References to "Dow" mean The Dow Chemical Company and its consolidated subsidiaries unless otherwise expressly noted.

SVA Overview WBP- 4/25/05 Pg. 2
Outline
Dow
  – Background of the SVA process
  – Overview of Dow SVA process steps
  – Review the type of recommendations that are generated by Dow SVAs
  – Expectations about Dow site vulnerability
  – Key issues identified during implementation
General
  – General items, public and private
  – Responsibilities of companies

SVA Background
After the 9/11/2001 attack on the WTC:
  – Focus of US authorities on Process Industry
  – Draft legislation (elimination of highly toxic materials, additional layers of protection)
  – ACC proposal: Assessment first
  – Mandatory in US
  – Additional requirements will depend upon outcome

SVA Background (continued)
Dow decided to use the Sandia SVA methodology
  – Sandia National Labs under contract by the Department of Justice developed a Vulnerability Assessment Methodology for Chemical Facilities (VAM-CF)
  – Purpose: to identify vulnerabilities to attacks and recommend upgrades to reduce risk (Scenario Based)
  – Other assessment tools: CCPS, others
Dow supplements the Sandia methodology with our Emergency Services & Security audit. (Site Based)
Combination of scenario and site based assessments provides Dow with a comprehensive SVA process.

SVA Process Steps
Screening of all manufacturing sites into 4 tiers
  – based upon perceived consequences of an attack
  – used to prioritize the assessment work
Established standard scope for SVAs
  – undesired release of a hazardous (flammable or toxic) chemical with significant off-site consequences
  – caused by either a potential outside (terrorist or extremist) or an inside (disgruntled employee) adversary
Planning
  – Gather data from site process plants, local law enforcement and site leadership
  – Preliminary scenario consequence severity & threat level used to identify high priority attack scenarios

SVA Process Steps
Perform Site Visit
  – ES&S audit: evaluates existing perimeter security and meets Security portion of EH&S Audits
  – SVA using Sandia Methodology confirms high priority scenarios (~ 2 hours per process plant)
  – Interviews of site employees from process plants & ES&S
  – Provide implementation support to site personnel
Analysis of Findings & Recommendations
  – Consensus development of recommendations by SVA team
  – Includes consideration for removal or reduction of the hazardous material as well as mitigation to deter, detect or delay an adversary
  – Impact of the recommendations is documented

SVA Process Steps
Final Report & Communications
  – SVA report written and agreed upon by site & business
  – Legal review of the SVA report document
  – General communication to site employees that SVA was conducted
  – Security awareness training for site personnel
  – A plan is immediately developed to implement action items from the report
  – Third party verification of action items being completed in the US

SVA Process Steps
Sensitivity & Confidentiality of the SVA documentation
  – Information in the SVA is security sensitive because it provides details on the scenarios and potential consequences. (Roadmap for a terrorist)
  – Internal SVA related documents are Dow confidential and not shared externally except as necessary to advance security or as required by law.
  – Documents required by US federal, state or local law are protected by law from public disclosure and safeguarded as sensitive information.
  – Dow internal SVA related documents are only shared within Dow on an as needed basis. Secure server used for storage.

SVA and ES&S Audits – Typical Recommendations
[Slide graphic labels: Frequently, Less Frequently]
Personnel Training
  – security awareness training
Perimeter security:
  – additional patrols
  – upgrade pipeline & utilities main junctions
  – reduce gates
Priority Areas:
  – plant perimeter security
      – fencing upgrades
      – access control
  – Control room & key area security
      – access control to control rooms & computer rooms (ID cards, video, alarms)
      – target hardening (barricades, etc.)
Process Modifications:
  – Inventory Reductions:
      – Fewer, smaller storage vessels
      – Fewer filled railcars on site
  – Protection of easily accessible nozzles & valves
  – When practical, Inherently Safer Materials (e.g., replacement of Cl2 refrigerant)
  – Acceleration of implementation of Safety Instrumented System installations which will also address Security Vulnerabilities.
      – Automation of protective functions
      – Installation of SIS with protected code to prevent insider overrides.

SVA and ES&S Audits – SVA Expectations
The SVA Recommended Action items alone WILL NOT:
  – assure that we will or can stop a group of determined armed terrorists by these actions alone.
Reducing the vulnerability and improving our site security and ability to stop or respond to an adversary before they accomplish a successful attack will require a combination of implementing the SVA action items with:
  – advanced intelligence combined with escalation of site security (as per our site security contingency plan) and/or
  – an armed response team provided by local law enforcement
Working with local law enforcement and government security agencies is an essential element of our strategy.

SVA and ES&S Audits – Other Key Issues
Dow Goals for Security Vulnerability reduction
  – Provide increased level of perimeter security
  – Implement action items to reduce all Category 1 & Category 2 (highest risk) scenarios to Category 3.
  – Unmitigated Category 1 or 2 scenarios must be reviewed & approved by EH&S Management Board.
Responding to government regulations may require sites to review SVAs and Action Items with government agencies.
  – Control of sensitive information is critical
  – Some SVAs may be required to be redone using agency methodology
[Slide graphic: Risk, with labels LS = Likelihood & Severity and LAS = Likelihood of Adversary Success]

General items, public and private
From UNICE (*) position paper on Security
  – Cooperation between public authorities (authority and information) and business (owners of the risk) is essential.
  – Integrated EU strategy against terrorism and reduction of impact.
  – Priority to reinforcing existing structures.
  – Cooperation with the US.
  – Mutual recognition of each other's implementing measures.
(*) Union of Industrial and Employers Confederations of Europe

General items, public and private (continued)
Initiatives to fight terrorism should be followed by relevant information to the companies. They need to be able to reduce vulnerability.
Joint work should lead to effective and cost-efficient security initiatives.
Common implementation in the EU member states.
The list of accepted standards and methodologies across the EU should include the US methodologies that are already implemented.

Responsibilities of Companies
Risk Management System
  – Identification
  – Evaluation
  – Measures
Emergency Preparedness (within the existing framework of cooperation with the Authorities)
Measures need to be proportional to the (semi) quantified risks
Training and Emergency Drills for Terrorist and Sabotage scenarios

General items, public and private (continued)

QUESTIONS?