A Systems Engineering Approach to Physical Security of Oil & Gas Installations

Author

Brunel University, UK

Abstract

A fundamental challenge facing security professionals is preventing loss, be that asset, production, or third-party losses. This is not dissimilar to what safety professionals face, and techniques and methodologies used by safety professionals could potentially benefit security experts. Physical security is about taking physical measures to protect personnel and prevent unauthorized access to installations, material, and documents, including protection against sabotage, willful damage, and theft. The characteristics of physical security controls include measures for deterrence, detection, delay, and response aimed at risk mitigation and enhanced operational effectiveness.
This paper outlines a systems engineering framework for implementing security goals that is suitable for meeting the challenge of providing physical security for complex systems, including oil and gas facilities. The proposed framework builds security requirements into the system requirements and carries them in parallel with system development across the entire system life cycle, particularly during the concept and design phases. It is a top-down process for use by a multidisciplinary team of security, operations, and industry experts to identify the vulnerable states that could lead to losses and to prevent the system from entering them. The framework shifts the focus of security analysis away from threats, the immediate cause of losses, and onto barriers, i.e. the safeguards that prevent the system from entering vulnerable states in which an unfolding event could disrupt it and lead to losses.
The need for such a method comes from recent experience of securing complex systems that combine large amounts of hardware, software, hazardous materials, and control elements. The method takes advantage of systems engineering and encourages the use of goal-based security requirements instead of the strictly prescriptive approach that is common among security professionals. Using this framework helps to identify both the threats associated with the system and the weak points within it. It also encourages communication between security professionals, safety engineers, and system designers. This paper draws from the existing literature listed in the references.
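The deterrence, detection, delay and response measures named in the abstract only prevent a loss when they are balanced against each other: a detection that fires after the remaining barriers can no longer hold the intruder until responders arrive is exactly the "vulnerable state" the framework tries to design out. The following Python is an added illustration, not code from the paper, of the timely-detection check used in Garcia's physical protection system evaluation method (reference 15). The layer names, detection probabilities, delay times and response time are constructed sample values, and the cumulative form of the interruption probability is a deliberate simplification (independent detection per layer, assessment and communication delays folded into the response time).

```python
"""Timely-detection check for a layered physical protection system (PPS).

Added example, not code from the paper. It models the detect/delay/response
structure described in the abstract using the adversary-path timeline from
Garcia's PPS evaluation method (reference 15): a protection layout is only
effective if the delay still ahead of an intruder at the moment of first
reliable detection exceeds the response force's arrival time. Layer names,
probabilities and timings below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Layer:
    """One protection layer, ordered from the site perimeter inward."""
    name: str
    p_detect: float   # probability this layer detects an intruder crossing it
    delay_s: float    # seconds the layer delays an intruder who is defeating it


def remaining_delay(layers: List[Layer], index: int) -> float:
    """Delay still ahead of an intruder detected while defeating layers[index].

    Assumption: detection occurs as the intruder starts on a layer, so that
    layer's own delay still counts toward the remaining delay.
    """
    return sum(layer.delay_s for layer in layers[index:])


def critical_detection_point(layers: List[Layer], response_s: float) -> Optional[int]:
    """Index of the innermost layer at which detection is still timely.

    Timely means remaining delay >= response time. Returns None when even
    detection at the perimeter leaves too little delay for the responders.
    """
    cdp = None
    for i in range(len(layers)):
        if remaining_delay(layers, i) >= response_s:
            cdp = i
    return cdp


def probability_of_interruption(layers: List[Layer], response_s: float) -> float:
    """P(I): probability the intruder is detected at or before the CDP.

    Simplified cumulative form: layers detect independently, and
    assessment/communication delays are folded into response_s.
    """
    cdp = critical_detection_point(layers, response_s)
    if cdp is None:
        return 0.0
    p_miss_all = 1.0
    for layer in layers[: cdp + 1]:
        p_miss_all *= 1.0 - layer.p_detect
    return 1.0 - p_miss_all


def timeline(layers: List[Layer], response_s: float) -> List[dict]:
    """Per-layer view of the design: which detections are timely, which are late.

    A row with timely=False is a detection that arrives after the system has
    already entered the vulnerable state the abstract describes.
    """
    rows = []
    for i, layer in enumerate(layers):
        rem = remaining_delay(layers, i)
        rows.append({"layer": layer.name, "remaining_delay_s": rem,
                     "timely": rem >= response_s})
    return rows


# Constructed sample site, perimeter first. RESPONSE_S is the assumed time
# for the guard force to arrive and interrupt the intruder.
RESPONSE_S = 180.0
BASELINE = [
    Layer("perimeter fence with intrusion detection", 0.90, 30.0),
    Layer("clear zone under CCTV", 0.80, 20.0),
    Layer("process-area wall", 0.50, 60.0),
    Layer("control-room door", 0.95, 90.0),
]
# Same site after the process-area wall is hardened, adding delay *after* the
# detection layers (the usual remedy when only perimeter detection is timely).
HARDENED = [
    BASELINE[0],
    BASELINE[1],
    Layer("hardened process-area wall", 0.50, 240.0),
    BASELINE[3],
]

if __name__ == "__main__":
    for label, site in (("baseline", BASELINE), ("hardened", HARDENED)):
        cdp = critical_detection_point(site, RESPONSE_S)
        p_i = probability_of_interruption(site, RESPONSE_S)
        print(f"{label}: CDP at layer {cdp}, P(I) = {p_i:.2f}")
        for row in timeline(site, RESPONSE_S):
            print("   ", row)
```

In the constructed baseline only the perimeter detection is timely, so the whole design rests on one sensor line and P(I) equals that layer's detection probability. Adding delay behind the detection layers, rather than adding more sensors, moves the critical detection point inward so that three independent detections count, which is the barrier-centred reasoning the abstract argues for.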

Keywords


References

1. American Petroleum Institute (2005). Security Guidelines for the Petroleum Industry, 58 pp. https://www.nj.gov/dep/enforcement/security/downloads/API%20Security%20Guidance%203rd%20Edition.pdf
2. American Petroleum Institute and National Petrochemical & Refiners Association (2018). Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, 168 pp. https://www.nrc.gov/docs/ML0502/ML050260624.pdf (last accessed 29/02/2020).
3. Idaho National Engineering and Environmental Laboratory (2004). A Comparison of Oil and Gas Segment Cyber Security Standards. Prepared for the U.S. Department of Homeland Security under DOE Idaho Operations Office Contract DE-AC07-99ID13727. https://www.hsdl.org/?view&did=13247 (last accessed 10/03/2020).
4. Anderson, R.J. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Ed. New York, NY, USA: John Wiley & Sons. http://www.cl.cam.ac.uk/~rja14/book.html (accessed October 24, 2019).
5. Asllani, A., Lari, A. and Lari, N. (2018). Strengthening information technology security through the failure modes and effects analysis approach. International Journal of Quality Innovation 4:5, 14 pp. DOI:10.1186/s40887-018-0025-1
6. Baldwin, D.A. (1997). The concept of security. Review of International Studies 23, 5-26, British International Studies Association. DOI:10.1017/S0260210597000053
7. Baldwin, K., Miller, J., Popick, P. and Goodnight, J. (2012). The United States Department of Defense revitalization of system security engineering through Program Protection. Proceedings of the 2012 IEEE Systems Conference, pp. 19-22, Vancouver, BC, Canada. http://www.acq.osd.mil/se/docs/IEEE-SSE-Paper-02152012-Bkmarks.pdf (last accessed 29/03/2019). DOI:10.1109/SysCon.2012.6189463
8. Center for Chemical Process Safety (2002). Guidelines for Managing and Analysing the Security Vulnerabilities of Fixed Chemical Sites. American Institute of Chemical Engineers (AIChE), Center for Chemical Process Safety (CCPS).
9. Coole, M., Corkill, J. and Woodward, A. (2012). Defence in depth, protection in depth and security in depth: a comparative analysis towards a common usage language. Proceedings of the 5th Australian Security and Intelligence Conference, pp. 27-35, Perth, Western Australia.
10. Cordner, L. (2013). Offshore Oil and Gas Safety and Security in the Asia Pacific: The Need for Regional Approaches to Managing Risks. RSIS Monograph No. 26, S. Rajaratnam School of International Studies, 104 pp.
11. DAU (2012). Defense Acquisition Guidebook (DAG): Chapter 13 -- Program Protection. Ft. Belvoir, VA, USA: Defense Acquisition University (DAU)/U.S. Department of Defense (DoD), November 8, 2012. https://dag.dau.mil/ (accessed October 24, 2014).
12. DoDI 5200.44 (2012). Protection of Mission Critical Functions to Achieve Trusted Systems and Networks. United States Department of Defense, Department of Defense Instruction Number 5200.44, November 2012. http://www.dtic.mil/whs/directives/corres/pdf/520044p.pdf (accessed 3 November 2014 at the Defense Technical Information Center).
13. DHS (2010). Build Security In. Washington, DC, USA: US Department of Homeland Security (DHS). https://buildsecurityin.us-cert.gov (last accessed 29/03/2019).
14. Dzida, W. and Freitag, R. (1998). Making Use of Scenarios for Validating Analysis and Design. IEEE Transactions on Software Engineering 24(12):1182-1196. DOI:10.1109/32.738346
15. Garcia, M.L. (2008). The Design and Evaluation of Physical Protection Systems, Second Edition. Boston: Butterworth-Heinemann. DOI:10.1016/B978-0-08-055428-0.50009-9
16. Federal Aviation Administration (2008). Requirements Engineering Management Handbook, DOT/FAA/AR-08/32. http://www.faa.gov/aircraft/air_cert/design_approvals/air_software/media/AR-08-32.pdf (last accessed 23/12/2017).
17. Hauge, S. and Øien, K. (2016). Guidance for barrier management in the petroleum industry. SINTEF report A27623, SINTEF Technology and Society.
18. Hollnagel, E. (2004). Barriers and Accident Prevention. Ashgate.
19. IEC 60812 (2006). Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA). International standard, 95 pp.
20. IAEA (1999). The Physical Protection of Nuclear Materials and Nuclear Facilities. IAEA INFCIRC/225/Rev. 4 (Corrected), International Atomic Energy Agency, Vienna.
21. IAEA (2005). Assessment of Defence in Depth for Nuclear Power Plants. Safety Reports Series No. 46, International Atomic Energy Agency, Vienna, 130 pp.
22. INCOSE (2015). Systems Engineering Handbook - A Guide for System Life Cycle Processes and Activities, version 4.0. Hoboken, NJ, USA: John Wiley and Sons, Inc. ISBN 978-1-118-99940-0.
23. ISO/IEC 21827 (2008). Information technology - Systems security engineering - Capability maturity model. International Organization for Standardization and International Electrotechnical Commission.
24. ISO/IEC 15288. Systems and software engineering - System life cycle processes.
25. Königs, S.F., Beier, G., Figge, A. and Stark, R. (2012). Traceability in Systems Engineering - Review of industrial practices, state-of-the-art technologies and new research solutions. Advanced Engineering Informatics 26(4), pp. 924-94. DOI:10.1016/j.aei.2012.08.002
26. ISO/IEC 27001 (2005). Information security management. See also "BS EN ISO/IEC 27001:2017 - what has changed?", BSI Group (retrieved 02 March 2020).
27. Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J. and Gulick, J. (2008). Security Considerations in the System Development Life Cycle, Revision 2. NIST Special Publication 800-64 Revision 2, National Institute of Standards and Technology (NIST), Gaithersburg, MD. http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf (last accessed 30/03/2019). DOI:10.6028/NIST.SP.800-64r2
28. Kiszelewska, A. and Coole, M. (2013). Physical Security Barrier Selection: A Decision Support Analysis. Proceedings of the 6th Australian Security and Intelligence Conference, Edith Cowan University, Perth, Western Australia, 2nd-4th December 2013, 13 pp. https://ro.ecu.edu.au/asi/30/
29. Merge-Safety & Security (2016). Recommendations for security and safety co-engineering. Project No. 10011, Release No. 3, 166 pp.
30. MITRE (2012). Systems Engineering for Mission Assurance. In: Systems Engineering Guide. http://www.mitre.org/work/systems_engineering/guide/enterprise_engineering/se_for_mission_assurance/ (accessed 19 June 2012).
31. NASA (2007). Systems Engineering Handbook. NASA Technical Report NASA/SP-2007-6105 Rev1, ISBN 978-0-16-079747-7, Washington, DC, USA.
32. National Defense Industrial Association (NDIA) System Assurance Committee (2008). Engineering for System Assurance. Arlington, VA: NDIA. www.acq.osd.mil/sse/pg/guidance.html
33. NATO (2010). Engineering for System Assurance in NATO Programs. Washington, DC, USA: NATO Standardization Agency. DoD 5220.22M-NISPOM-NATO-AEP-67.
34. NIST SP 800-160. Systems Security Engineering - An Integrated Approach to Building Trustworthy Resilient Systems. National Institute of Standards and Technology, U.S. Department of Commerce, Special Publication 800-160. http://csrc.nist.gov/publications/drafts/800-160/sp800_160_draft.pdf (accessed October 24, 2014).
35. Nityanand, K. (2015). Standards for physical security management in industry: A research paper on behalf of National Police Academy, Hyderabad, 240 pp. http://www.svpnpa.gov.in/images/npa/pdfs/CompletedResearchProject/35_standardizationofphysicalsecurity.pdf
36. Norwegian Petroleum Safety Authority (PSA) (2013). Principles for barrier management in the petroleum industry, 34 pp.
37. OGP (2016). Standardization of barrier definitions. Report 544, Supplement to Report 415, International Association of Oil & Gas Producers.
38. Plant, R. and Gamble, R. (2003). Methodologies for the Development of Knowledge-based Systems.
39. Ross, R., Oren, J.C. and McEvilley, M. (2014). Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. Gaithersburg, MD.
40. Ross, R., McEvilley, M. and Carrier, J. (2014). Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. NIST Special Publication 800-160, Vol. 1.
41. Royal Canadian Mounted Police (2004). Protection, detection and response. Physical Security Guide, Technical Security Branch, pp. 1-20.
42. Schmittner, C., Gruber, T., Puschner, P. and Schoitsch, E. (2014). Security Application of Failure Mode and Effect Analysis (FMEA). In: Bondavalli (ed.). DOI:10.1007/978-3-319-10506-2_21
43. Snell, M.K., Jaeger, C.D., Jordan, S.E., Scharmer, C., Tanuma, K., Ochiai, K. and Iida, T. (2013). Security-by-Design Handbook. Report SAND2013-0038, Sandia National Laboratories, Albuquerque, New Mexico, USA, 141 pp.
44. Sklet, S. (2006). Safety barriers: Definition, classification, and performance. Journal of Loss Prevention in the Process Industries 19(5), pp. 494-506. DOI:10.1016/j.jlp.2005.12.004
45. US Department of Energy (1996). Hazard and Barrier Analysis Guidance. EH-33, Office of Operating.
46. Transportation Security Administration of the United States (2018). Pipeline Security Guidelines, March 2018, 30 pp. https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf
47. US Department of Homeland Security (2003). The National Strategy for The Physical Protection of Critical Infrastructures and Key Assets, 96 pp. https://www.dhs.gov/xlibrary/assets/Physical_Strategy.pdf
48. United Nations Office of Counter-Terrorism and United Nations Security Council (2008). The protection of critical infrastructures against terrorist attacks: a compendium of good practices, 170 pp. https://www.un.org/sc/ctc/wp-content/uploads/2019/01/Compendium_of_Good_Practices_Compressed.pdf
49. Vanderhaegen, F. (2018). Human-error-based design of barriers and analysis of their uses. Cogn Tech Work 12, 133-142 (2010). DOI:10.1007/s10111-010-0146-3
50. Yasseri, S. (2014). Physical Security for Petroleum Facilities. Journal of Petroleum Safety, 4 pp. https://www.researchgate.net/publication/278405680_Physical_Security_for_Petroleum_Facilities
51. Yasseri, S., Bahai, H. and Yasseri, R. (2018). A Systems Engineering Framework for Delivering Reliable Subsea Equipment. 2018-TPC-.
52. Yasseri, S., Bahai, H. and Yasseri, R. (2018). Reliability Assurance of Subsea Production Systems: A Systems Engineering Framework. International Journal of Coastal & Offshore Engineering 2(1), pp. 1-19. DOI:10.29252/ijcoe.2.1.1
53. Young, W. and Leveson, N. (2013). Systems thinking for safety and security. In: Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC '13), New Orleans, Louisiana, USA, December 09-13, 2013, pp. 1-8. ACM, New York, NY, USA. DOI:10.1145/2523649.2530277