The All-hazards Approach to Conducting Audits of Supporting Energy Systems
By Doug Haines
A couple of months ago, you enjoyed the title, Hey Boss, it’s Time for your Security Colonoscopy.
This is the second part of the argument for an annual security check-up, or security physical, if you will.
Just like regularly scheduled eye exams or visits to the dentist are a good thing, so is a check-up of your facility’s energy systems.
Unless, there’s a significant change in status and you would need to do it soon after the change, usually an annual audit is sufficient.
In order to accomplish its primary function or reason for being, every organization must protect personnel and critical assets from all hazards, both natural and man-made.
Spending limited funds to protect personnel and not spending funds on the buildings they occupy or the infrastructure that supports those buildings and vice versa is unacceptable.
Not only must organizational leaders make every effort to ensure that organizational resources are adequately protected but they also must ensure that in the unlikely event a catastrophic scenario occurs, they reduce injury to personnel and mass casualties and the continuity of operations.
This can be an extremely delicate balancing act in risk management for those in leadership positions.
Without a quantitative method for risk assessment and analysis, this question cannot be truthfully answered.
By responding, “I think I’m protecting everyone and everything”, simply won’t cut it.
Risk Management
The first thing to understand about risk management is that it does not mean risk avoidance.
You must first accept the fact that not all risks can be avoided and some level of risk remains no matter how many countermeasures are in place.
You could spend every day at the hospital and some people do. Or at least it seems like it.
And yet, people have been known to have a heart attack right there in the parking lot. Some risk is unavoidable.
Smart and confident organizational leaders understand this principle and accept it.
Now some folks will argue that if enough countermeasures are put in place then total risk can be avoided. This is simply not true.
That’s like saying, “If I take enough pills, I’ll be okay.
While you may be able to reduce to a level that a successful manmade threat is highly improbable, you will never be able to eliminate the threat or all hazards completely.
Natural events occur on a frequency all their own.
Some events occur every year; i.e., snowstorms, hurricanes, tornadoes while others occur every thousand years, flooding, earthquakes, volcanic eruptions.
So the question is, “Why is it that, even after I’ve spent all this money and I dealt with every conceivable hazard scenario, the event still occurred”.
Well, think of it this way, you get routine maintenance done on your car; you change the oil, rotate the tire, etc., yet sometimes things just break and the car sits on the side of the road waiting for the repair truck.
By getting your car serviced regularly you are lowering your risk from the hazards of over-heating, uneven tire wear, parts breaking and so on.
Same thing with your health, you watch what you eat, you exercise, you take your meds, don’t drink in excess, so in essence, you lowered the risk but you didn’t eliminate it.
The same holds true for security.
Some hazards may be mitigated to the point where it is very improbable that they will occur and others may not be completely prevented no matter how much you spend.
Risk can be reduced to a level that is acceptable but not completely avoided.
The keys principles in risk management are:
-
Lowering the likelihood that the event will occur and accepting some level of risk, and
-
Minimizing its affects in the unlikely event it does happen.
The best way to calculate risk is by conducting a risk assessment.
There are two types of assessments – Qualitative and Quantitative.
Qualitative analysis uses subjective judgment based on non-quantifiable information.
Quantitative assessment however, resolves the disadvantages of lack of consistency overtime, lack of subject matter expertise, lack of standardization and outside stimuli impact, commonly found in most qualitative methodologies.
During the quantitative analysis, each item that is evaluated is given a number value; therefore, it provides standardization.
Since those values don’t change regardless of who’s doing the assessing, it fixes the other three problems of qualitative analysis.
It provides consistency over time, is not dependent on a person’s level of experience nor can it be manipulated to achieve a specific result.
That’s what lab tests are all about. They measure certain things and the results fall within or outside of certain parameters.
Because of this standardization, quantitative numbers can be trusted.
A quantitative risk analysis and vulnerability assessment methodology called CAIRA (Critical Asset and Infrastructure Risk Analysis, pronounced Sear-Ra) has been developed by Haines Security Solutions (HSS) in identifying and measuring risks and determining the most cost-effective countermeasures for mitigating those risks.
A typical assessment team is made up of subject matter experts specializing in physical and technical security, law enforcement, forced-entry tactics, electronic security systems, antiterrorism, force protection, engineering, criminal and terrorist intelligence, logistics, and quantitative analysis.
The CAIRA Approach
A holistic approach is taken to analyzing natural and manmade hazards.
The process looks at the most common naturally occurring hazards; such as, heavy rain/flooding, tornados, earthquakes, etc.
It also takes into consideration an asset’s location.
For example, is the asset and its supporting energy infrastructure (electric, fossil fuels, steam or water) located in an area prone to volcanic eruption or heavy snow storms?
It calculates risk based on probability of occurrence.
Generally speaking, the higher the likelihood of the event the higher the risk is to the asset from that particular type of hazard.
CAIRA also analyzes manmade hazards; ranging from a disgruntled employee bringing a gun to work to acts of vandalism to a bombing due to a terrorist act.
CAIRA is a quantitative assessment that differs from a qualitative assessment because it uses fixed numerical values, which have been field tested for accuracy, to evaluate the hazards, target criticality, vulnerabilities and risks.
Because risk is quantifiable, the results of the analysis can be used as the basis for making informed decisions by organizational leaders for allocating resources – facilities, funding, property and personnel.
In CAIRA, security countermeasures are selected based on their likelihood of lowering the risk to the asset, as well as, their cost effectiveness.
In many cases, risk analysis and risk management become an optimization analysis that examines risk reduction values (due to implementing countermeasures) and the associated costs to implement the identified remedies through a simple cost–benefit study.
Although performing a detailed risk assessment is complicated, following the CAIRA methodology makes it manageable.
The results are tailored to an organization’s needs and can be used to make informed decisions in the allocation of resources to mitigate risks.
CAIRA Methodology
The primary purpose of CAIRA is to quantitatively measure hazards or threats, asset criticality, vulnerabilities, and risks to energy systems associated with large compounds or stand-alone facilities, government or private.
It establishes a security baseline, explores upgrades, recalculates vulnerabilities and risks, and recommends optimized features or improvements for facilities.
In essence, CAIRA identifies current levels of vulnerability and risk and then identifies improved levels with the implementation of specified countermeasures – basically a snapshot of where the organization is today and where it could be after countermeasures are implemented.
In addition, CAIRA identifies the associated cost and impact of the improvements.
CAIRA includes the performance of six sub-analyses: hazards (38 natural & 22 man-made, target (from the aggressor and owner views), vulnerability (today and tomorrow), optimization (reduction based on proven effective solutions), risk and cost–benefit (to the greatest number of people).
In Summary
To summarize, CAIRA quantifiably measures vulnerability and risk, prioritizes recommended countermeasures, prioritizes facilities, and compares cost and countermeasure effectiveness.
Most importantly, CAIRA lets the customer know how vulnerable the asset is, what to do to reduce the vulnerability, how effective the recommendations will be in reducing the vulnerability, and at what cost.
Regardless of the type of analysis or study, the resulting recommendations need to be based on a given hazards.
The performance of CAIRA is not driven by regulation or design standards; therefore, the Design Basis Threats (DBT) must be identified before cost- effective recommendations can be generated.
HSS works with the customer to identify Single-Point Failures and other critical assets or processes within the organization.
Unlike standard vulnerability assessments, CAIRA quantifies risks and vulnerabilities, determines the cost effectiveness of specific improvements, and helps prioritize countermeasures.
This in turn allows decision makers to plan for and seek hard-to-get funding.
Further they can go to bed at night knowing that countermeasures they have implemented will effectively reduce the risks to personnel and facilities.
Both of which translate directly to organizational productivity and cost savings.
CAIRA was selected as the Best Risk Analysis Methodology in Homeland Security for 2018, by industry experts, and received a Platinum ‘ASTORS’ Award from American Security Today.
While CAIRA concentrates on assessing supporting energy systems (electricity, fossil fuels, steam and non-drinking water), another assessment tool developed by HSS, called Asset Based Risk Analysis or ABRA (pronounced ah-Bra) focuses on the asset itself.
Most often both the ABRA and CAIRA are used in tandem.
And in this case, the assets and energy systems would not be governed by regulatory government statute or part of Homeland Security’s strategic critical infrastructure protection program.
The ABRA methodology was selected as Best Risk Analysis Methodology in Government Security by a panel of experts at Security Today and was presented a Platinum GOVIE in 2017.
About the Author
Doug Haines, owner of Haines Security Solutions, LLC (HSS), is a United States Air Force veteran with over 45 years of law enforcement and security related experience, which includes teaching building design principles to architects, engineers, facility managers, planners, and security professionals.
HSS is recognized as a center of expertise within the security community for risk assessment, providing services for many federal; State, local government agencies and private companies around the globe, and is a founding member of International Centers of Security Training Excellence (ICSTE).
Each ICSTE member company offers courses in one of several security verticals yet provides a location for other members to present their courses upon request.
At its River Park facility in Oxnard, CA architects, engineers, facility managers, planners and security professionals learn about antiterrorism countermeasures in building design, the integration of security technologies in the built environment, and risk analysis strategies.
The CPK-United BV (also an ICSTE founding member) training facility in Hilversum, The Netherlands gears its curriculum towards fashion retail, hospitality (hotel and nightclubs) and port security guard activities and executive protection.
Tactics for patrolman and SWAT are taught by former police officers at the Greenville, NY training center, where a firing range and urban mock-up are on site.
In 2017, HSS’s Physical Security Engineering Training and Certification (PSET&C) program was recognized as the Best Homeland Security Education Program, by American Security Today and received a coveted Platinum ‘ASTORS’ Award.
More information about ABRA, CAIRA, ICSTE or other services can be found on the company’s website at www.hainessecuritysolutions.com.
Learn More…
Haines Security Solutions a Double Winner in the 2018 ‘ASTORS’ Homeland Security Awards Program
Haines Security Solutions
-
Most Innovative New Solution of the Year
-
Student & Faculty Emergency Response Training [SaFERST]
-
Best Risk Analysis Methodology
-
Critical Asset & Infrastructure Risk Analysis (CAIR Methodology)
-
*Doug Haines and Haines Security Solutions were also recognized in the 2017 ‘ASTORS’ Awards Program with Double Platinum Wins.
The Annual ‘ASTORS’ Awards Program is specifically designed to honor distinguished government and vendor solutions that deliver enhanced value, benefit and intelligence to end users in a variety of government, homeland security and public safety vertical markets.
The 2018 ‘ASTORS’ Awards Program drew an overwhelming response from industry leaders with a record high number of corporate and government nominations received, as well as record breaking ‘ASTORS’ Presentation Luncheon Attendees, with top firms trying to register for the exclusive high – end luncheon and networking opportunity – right up to the event kickoff on Wednesday afternoon, at the ISC East registration!
Over 130 distinguished guests representing National, State and Local Governments, and Industry Leading Corporate Firms, gathered from across North America, Europe and the Middle East to be honored among their peers in their respective fields which included:
- The Department of Homeland Security
- The Federal Protective Service (FPS)
- Argonne National Laboratory
- The Department of Homeland Security
- The Department of Justice
- The Security Exchange Commission Office of Personnel Management
- U.S. Customs and Border Protection
- Viasat, Hanwha Techwin, Lenel, Konica Minolta Business Solutions, Verint, Canon U.S.A., BriefCam, Pivot3, Milestone Systems, Allied Universal, Ameristar Perimeter Security and More!
The Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program highlighting the most cutting-edge and forward-thinking security solutions coming onto the market today, to ensure our readers have the information they need to stay ahead of the competition, and keep our Nation safe – one facility, street, and city at a time.
The 2019 ‘ASTORS’ Homeland Security Awards Program is Proudly Sponsored by ATI Systems, Attivo Networks, Automatic Systems, and Desktop Alert.
Nominations are now being accepted for the 2019 ‘ASTORS’ Homeland SecurityAwards at https://americansecuritytoday.com/ast-awards/.
Comprehensive List of Categories Include:
| Access Control/ Identification | Personal/Protective Equipment | Law Enforcement Counter Terrorism |
| Perimeter Barrier/ Deterrent System | Interagency Interdiction Operation | Cloud Computing/Storage Solution |
| Facial/IRIS Recognition | Body Worn Video Product | Cyber Security |
| Video Surveillance/VMS | Mobile Technology | Anti-Malware |
| Audio Analytics | Disaster Preparedness | ID Management |
| Thermal/Infrared Camera | Mass Notification System | Fire & Safety |
| Metal/Weapon Detection | Rescue Operations | Critical Infrastructure |
| License Plate Recognition | Detection Products | And Many Others! |
Don’t see a Direct Hit for your Product, Agency or Organization?
Submit your category recommendation for consideration to Michael Madsen, AST Publisher at: mmadsen@americansecuritytoday.com.
2018 Champions Edition
See the 2018 ‘ASTORS’ Champions Edition – ‘Best Products of 2018 ‘ Year in Review’ for in-depth coverage of the outstanding products and services of firms receiving American Security Today’s 2018‘ASTORS’ Homeland Security Awards.’
Enter Early to Maximize Media Coverage of your Products and Services at Kickoff, and Get the Recognition Your Organization Deserves!
And be sure to Register Early for the 2019 ‘ASTORS’ Awards Presentation Luncheon at ISC East 2019 to ensure your place at this limited- space event.
Why the 2019 ‘ASTORS’ Homeland Security Awards Program?
American Security Today’s comprehensive Annual Homeland Security Awards Program is organized to recognize the most distinguished vendors of physical, IT, port security, law enforcement, and first responders, in acknowledgment of their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’
Why American Security Today?
American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 70,000 readers at the Federal, State and local levels of government as well as firms allied to government.
The old traditional security marketplace has been covered by a host of security publications that have changed little over many years.
American Security Today brings forward a fresh compelling look and read with our customized digital publications that provides our readers with solutions to their challenges.
Our Editorial staff provides a full plate of topics for our AST monthly digital editions, AST Website and AST Daily News Alerts.
The editorial calendar and AST’s high drawing website features 23 different Technology and Marketing Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Border Security, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities and Emergency Response among others.
These sectors are part of the new integration, where these major applications communicate with one another in a variety of solutions to protect our cities and critical infrastructure.
AST has Expanded readership into vital Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other Potential targets of terrorism.
Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – enticing targets for extremist or lone wolf attacks due to the large number of persons and resources clustered together.
About the Author
Doug Haines, owner of Haines Security Solutions, LLC (HSS), is a United States Air Force veteran with over 45 years of law enforcement and security related experience, which includes teaching building design principles to architects, engineers, facility managers, planners, and security professionals.
HSS specializes in conducting quantitative risk and vulnerability assessments of federal, state and local facilities worldwide and other security related consulting services.
HSS also develops security criteria, conducts entry control point and security forces manpower studies, drinking water systems and critical energy infrastructure risk/vulnerability assessments, and develops, plans and conducts table-top and full scale antiterrorism, force-on-force, emergency response and disaster preparedness exercises.
(Learn More about Haines Security Solutions capabilities. Courtesy of Haines Security and YouTube)
