UNDERTAKING AN OFFSHORE OIL AND GAS

1
UNDERTAKING AN OFFSHORE OIL AND GAS SECURITY
ASSESSMENT
A Guide
2
AIM To provide you with an understanding of
the DOTARS Offshore Security Assessments Guidance
material and how to use it to assist with the
production of your Offshore Security Plans.
3
Note

• This presentation is provided to assist
  organisations who may not be familiar with the
  requirements for providing a security
  assessments.
• It is acknowledged that a number of attendees are
  leaders in the field of offshore security. This
  presentation is aimed at assisting other industry
  participants who may not be as conversant of
  security issues or aware of the requirements.
• Not intended to cover all parts of the RA, rather
  amplify specific areas.

4

• PURPOSE OF SECURITY ASSESSMENTS
• To provide a sound risk based approach to the
  implementation of preventive security planning to
  prevent unlawful interference with offshore
  facilities.
• Ensures a systematic and analytical process is
  conducted with the aim of identifying outcomes
  focused security measures and / or procedures
  that reduce the vulnerabilities of assets,
  individuals and operations to acceptable levels.

5

• Maritime Transport and Offshore Facilities
  Security Act 2003
• Requires Offshore Security Plan to include
• A security assessment for the participants
  operations
• Set out security measures for MARSEC 1, 2 3
• Provisions for use of Declaration of Security
• Demonstrate implementation of Security Plan
  that contributes to maritime security
  outcomes
• Complements Federal and State OH S
  legislation

6

• Maritime Transport and Offshore Facilities
  Security Regulations 2003
• Security Assessment must include
• statement outlining risk context or threat
  situation
• identification and evaluation of important
  assets, infrastructure and operations
• identification of possible risks or threats and
  the likelihood and consequences of occurrence

7

• Maritime Transport and Offshore Facilities
  Security Regulations 2003 (cont)
• identification of existing security measures
• identification of weaknesses
• identification, selection and prioritisation of
  possible risk treatments

8

• GENERAL GUIDANCE
• AS/NZS 4360 Risk Assessment
• HB 4362004 Risk Management
• DOTARS Offshore Security
• Assessments Guidance Paper
• http//www.dotars.gov.au/transsec/oilandgas/docs/
  Offshore_Security_Risk_Assessment_Guidance_Paper.d
  oc
• Use simple plain English
• Protected from unauthorised access

9
AS 4360 - 2004
10

• REQUIREMENTS OF SECURITY
• ASSESSMENTS
• Date assessment completed
• Scope - people, assets, infrastructure,
  facility or
• facilities and operations
• Summary of how the assessment was conducted
• ID and evaluation of strategically important
  assets,
• infrastructure and operations

11

• Requirements for Security Assessments (cont)
• ID and assessment of possible security
• risks and likelihood and consequences of
• their occurrence
• ID of existing security measures,
• procedures and operations
• ID, selection and prioritisation of possible
• risk treatments

12
Template 8.1 Offshore Industry Participants Name
and Contact Details-example
13
Template 8.5 Assets at Risk (Asset Appreciation
and Criticality Analysis)-example
A useful and simple rating system is Low, Medium
or High with relation to the criticality of the
asset in the continued productive operation of
the offshore facility.
14
TYPES OF ASSESSMENTS PLANS

• Network - a security assessment covering more
  than one individual facility for which they are
  legally responsible.
• Covering used for several facilities and/or
  offshore service providers within a single area.

15

• The Current Security Environment
• Sources
• DOTARS Offshore Oil and Gas Risk Context
  Statement - Apr 2005
• http//www.dotars.gov.au/transsec/oilandgas/i
  ndex.aspx.
• Other Threat of Risk Assessments for Critical
  Infrastructure
• Law enforcement and security agencies
• Professional and Industry bodies
• Company personnel and expert advisers

16
Establishing the Context- External

• Environmental and Geographical
• Business and Operational
• Statutory and Regulatory
• Social and Cultural
• Competitive
• Political
• Financial
• Others you may deem appropriate

17
Template 8.2 External Business Context- examples
18
Establishing the Context - Internal

• The organisational culture
• Internal stakeholders
• Organisational structure
• Capabilities in terms of resources such as
  people, systems, processes and capital
• Goals and objectives and the strategies that are
  in place to achieve them.

19
Establishing the Context Internal (cont)

• Consideration of
• Critical Assets and Resources
• Critical functions and business activities
• Operational capabilities
• Risk management capabilities
• Activities and Programs
• Existing risk controls
• Risk tolerance level
• Limitations on risk treatments

20
Template 8.3 Internal Business Context-example
21
The Risk Management Context The goals,
objectives, strategies, scope and parameters of
the activity, or part of the organisation to
which the risk management process is being
applied, should be established. Consideration
of need to balance costs, benefits and
opportunities, resources required and the records
to be kept should also be specified.
22

• Defining the risk management context
• Determining resources and expertise
• needed
• Defining the risk reporting criteria
• Defining the Likelihood (Probability or
• Frequency) criteria
• Defining the Impact (Consequence) criteria
• Defining the Risk Rating criteria
• Outlining the local security risk context

23
Specific issues to consider Roles and
responsibilities of various parts of the
organisation participating in the risk management
process and Relationships between the project
or activity and other projects or parts of the
organisation.
24
Template 8.4. Risk Management Context-examples
25

• Consideration of risks resulting in
• Unlawful interference with offshore oil and gas
  
• operations
• Death or injury
• Adverse social impact
• Adverse economic impact
• Adverse environmental impact
• Symbolic effect
• Business disruption and losses
• Damage to offshore oil and gas business /
• reputation
• Significantly reducing public confidence in
• offshore oil and gas production and supply.

26
Table 8. 11 Consequence Assessment Criteria -
example
27
Advanced version of consequence table p.33
28
Table 8.9 Likelihood Assessment Criteria
-example
29

• The Current Security Environment
• Sources
• DOTARS Offshore Oil and Gas Risk Context
  Statement - Apr 2005
• http//www.dotars.gov.au/transsec/oilandgas/i
  ndex.aspx.
• Other Threat of Risk Assessments for Critical
  Infrastructure
• Law enforcement and security agencies
• Professional and Industry bodies
• Company personnel and expert advisers

30

• IDENTIFYING SECURITY RISKS
• OIPs should consider the following terrorist
  related risk areas
• Bomb or explosive device, including suicide
  bombings
• Hijacking and hostage siege
• Deliberate infringement of exclusion zones
• Sabotage
• Arson
• Hoax calls and scare tactics
• Blockage of transport routes

31
IDENTIFYING SECURITY RISKS - cont

• Tampering with supplies, essential equipment or
  systems
• Unauthorised access or use of various equipment,
  including cyber attack
• Unauthorised access to secure areas
• Use of industry transport to carry those
  intending to cause a security incident and their
  equipment
• Use of a mode of industry transport or industry
  facility infrastructure as a weapon or a means to
  cause damage or destruction
• Use of a ship, helicopter or aircraft to
  transport explosives, hazardous goods or weapons.

32

• RISK CATEGORIES AND SOURCES OF HARM
• Vandalism vandals
• Misappropriation and sabotage - disgruntled
  insiders
• Interference - violence prone individuals or
  groups (politically motivated or otherwise)
• Crime - criminals
• Terrorism terrorists

33

• Table 8.6 RISKS, HAZARDS AND ASSOCIATED RISK
  EVENTS- examples

34
Table 8.6 RISKS, HAZARDS AND ASSOCIATED RISK
EVENTS- examples Cont..
35

• RISK SCENARIOS - one method
• Used to determine how the various risks might be
  realised and unfold
• Use previous security incidents (security
  history)
• Security history must be viewed in the context
• Operators must consider own unique risk scenarios
  
• Consider possible risk scenarios to determine how
  the risk may be initiated and realised
• It is important that significant risk causes and
  scenarios are identified.

36

• Table 8.7 RISK SCENARIOS- example

37
Table 8.10 ESTIMATED LIKELIHOOD OF RISKS BEING
REALISED- example
38
Table 8.18.RISK TREATMENTS FOR HEIGHTENED ALERT
LEVELS- example
39

• RISK SCENARIOS
• Used to determine how the various risks might be
  realised and unfold
• Use previous security incidents (security
  history)
• Security history must be viewed in the context
• Operators must consider own unique risk scenarios
  
• Consider possible risk scenarios to determine how
  the risk may be initiated and realised
• It is important that significant risk causes and
  scenarios are identified.

40

• Table 8.7 RISK SCENARIOS- example

41
Table 8.8 EXISTING SECURITY CONTROLS Summary
for Assets - example
42
Table 8.10 ESTIMATED LIKELIHOOD OF RISKS BEING
REALISED- example
43
Table 8.12 ESTIMATED CONSEQUENCE OF RISKS IF
REALISED- example
44

• Table 8.14 RISK RATING TABLE -example

Note only general information is required for
risk treatment options. However, details of
proposed security measures/procedures and desired
outcomes should be outlined in table 8.16 Risk
Treatment Implementation Schedule.
45
Table 8. 16 RISK TREATMENT IMPLEMENTATION
SCHEDULE - example
This Implementation Schedule must be included
with assessment and plan
46
Table 8.16.RISK TREATMENTS FOR HEIGHTENED ALERT
LEVELS- example
47

• SUMMARY
• Please be aware of the DOTARS Offshore Security
  Assessments Guidance Paper.
• This is the minimum requirement. If your
  assessment process exceeds this requirement
  please ensure that there is a clear explanation
  of the methodology, acronyms and relevant data
  and sources used.

48
SUMMARY cont

• Ensure there is linkage with the outcomes of the
  Risk Assessment with the Security Plan.
• Complete your plan in accordance with the Guide
  on preparing an Offshore Security Plan for
  Offshore Facility Operators.
• Please liaise with the local DOTARS office or
  Veena Rampal on 02 6274 7648

49

• QUESTIONS?