|
Port security
assessment (PSA)
The port security assessment should be carried out by
persons with the appropriate skills and should include
the following:
-
Identification and evaluation of
critical assets and infrastructure that it is important
to protect.
-
Identification of threats to assets
and infrastructure in order to establish and prioritize
security measures.
-
Identification, selection and prioritization
of measures and procedural changes and their level of
acceptance in reducing vulnerability.
-
Identification of weaknesses, including
human factors, in the infrastructure, policies and procedures.
-
Identification of perimeter protection,
access control and personnel clearance requirements
for access to restricted areas of the port.
-
Identification of the port perimeter
and, where appropriate, the identification of measures
to control access to the port at various security levels.
-
Identification of the nature of
the expected traffic into or out of the port (e.g. passengers,
crew, ship/cargo type).
************
Sample Port
Security Assessment (PSA)
-
The “Threat and Risk Analysis Matrix”
(TRAM) is a simplified risk-based method and tool to
assist in carrying out a PSA. It is but one of a number
of tools and is given here by way of example.
- Its purpose is to identify threats with a view to initiating
and recommending countermeasures to deter, detect and
reduce the consequence of any potential incident should
it occur. Such an analysis may be a valuable aid to allocating
resources, forward planning, contingency planning and
budgeting.
-
The TRAM should be updated as often
as changing circumstances may dictate to maintain its
effectiveness. This task would, normally, fall under
the remit of the designated authority who should establish
and maintain close links with security committees, and
key commercial and industrial service partners and customers.
-
In addition to the more obvious
threats, the list of potential targets should be as
comprehensive as possible with due regard to the function(s)
of the port, legal, political, social, geographic and
economic environment of the country and the security
environment specific to the port.
Assessment process
-
Table
1 is a blank version of the TRAM. The object is to compare/evaluate
security measures that will reduce, independently, the
vulnerability or impact and collectively reduce the
overall risk score. It should be borne in mind that
introducing a security measure for one threat may increase
the risk of another.
-
Potential targets (PT).
(There should be a separate table for each potential
target.) Identify PT through assessment of functions
and operations, vulnerable areas, key points or persons
in the port and in the immediate environs that may,
if subject to an unlawful act, detrimentally impact
on the security, safety of personnel or function of
the port.
6.1. Establish “ownership” of the identified
PT. For example:
6.1.1. directly owned and controlled
by the port operator or member State;
6.1.2. directly owned by the port operator
or member State but rented, leased, occupied and controlled
by other parties;
6.1.3. owned, controlled and operated
by other parties;
6.1.3.1. represented on the PSAC;
6.1.3.2. not represented on the PSAC
(consider whether membership would be appropriate and/or
beneficial to the port community).
-
Establish if there are any existing
security measures, such as a perimeter fence, access
control and/or security patrol or monitoring of the
PT. If so, are they effective, can improvements be made?
-
Threat scenario
(columns A and B of table 1). Consider threat scenarios
from both internal and external sources to which the
identified PT may be vulnerable (input from police,
security and intelligence services is essential).
8.1. Threat scenarios (amongst many)
that it may be appropriate to consider:
8.1.1. direct attack to cause injury and loss
of life or destroy functions and infrastructure of the
port. To take over vehicles/vessels as means to inflict
damage by ramming. Release of noxious or hazardous material
either from vehicles/vessels or storage areas and so
on;
8.1.2. sabotage;
8.1.3. kidnap and ransom (for reward,
extortion or coercion).
-
Threat (column
C of table 1). The probability of an incident occurring
should be assessed on the following scale:
3 = high;
2 = medium;
1 = low.
The allocation of a particular threat score may be based
on specific information received or the known characteristics
of the potential target.
-
Vulnerability (column
D of table 1). The vulnerability of the PT to each threat
may be assessed as follows:
4 = No existing security measures/existing
security measures are not effective (e.g. unrestricted
access to target, target not monitored; personnel untrained;
target easily damaged);
3 = Minimal security measures (e.g.
restricted areas not clearly identified; inadequate
access control procedures; sporadic monitoring; no formal
security training programme; target susceptible to certain
types of damage);
2 = Satisfactory security measures
(e.g. restricted areas clearly identified and access
is controlled; formal security training programme; adequate
monitoring and threat awareness; target not easily damaged);
1 = Fully effective security measures
(e.g. all of “2” plus, capable of promptly scaling to
higher security level as needed; target difficult to
damage or has sufficient redundancy to prevent disruption
if certain functions are damaged).
-
Impact. Assess
the impact (consequence) of each potential incident
on the PT and port should it occur. Specific “impacts”
and priorities for a particular port may be substituted
by the designated authority to meet the national security
profile and requirements.
5 = Detrimental to security and safety
(likely to cause loss of life, serious injuries and/or
create widespread danger to public health and safety).
4 = Detrimental to public safety and/or
national prestige (likely to cause significant environmental
damage and/or localized public health and safety).
3 = Detrimental to the environment
and/or economic function of the port (likely to cause
sustained port-wide disruption and/or significant economic
loss and/or damage to national prestige).
2 = Detrimental to assets, infrastructure,
utility and cargo security (likely to cause limited
disruption to an individual asset, infrastructure or
organization).
1 = Detrimental to customer/port community
confidence.
-
Risk score. Score
is the product of threat x vulnerability x impact.
12.1. The highest score scenario will be:
Threat – High ………………………………….……… 3
Vulnerability – No existing countermeasure………….
4
Impact – Potential loss of life/injury
………..………... 5
Risk score …………..……………………………….… 60
12.2. The lowest score scenario will be:
Threat – Low ………..……………………………….. 1
Vulnerability – Fully compliant ………………….…..
1
Impact – Little ……………………………………….. 1
Risk score …………...…………………………….…. 1
-
Action priority
(column G of table 1). Tabulating and listing the scores
for each threat against each PT will assist in assessing
the priority in which to deal with each potential incident.
The process should lead to indications of actions required
to deter, detect and mitigate the consequences of potential
incidents, resources available or required and appropriate
security measures.
-
In assessing likely scenarios the
history and modus operandi of illegal groups most likely
to operate in the area should be considered when identifying
the PT and determining and assessing the most appropriate
security measures.
-
This is an assessed reduction of
the score for each scenario based on the perceived effectiveness
of the security measures when they have been put into
effect. The result should give some guidance as to which
actions and resources will have the greatest benefit
in deterring attack of the PT. It may also indicate
that some targets or threats do not need to be considered
or that the security measure is not achievable because
of resource or other constraints.
-
The TRAM for every potential target
should be collated into one master matrix of similar
threat scenarios and common security measures identified
to give the maximum benefit. It may also be that some
PT may be grouped together under one security measure.
For example one or more PT close together may be contained
within one perimeter fence with one gate controller.
It may be that a vulnerable operation in a remote part
of the port can be moved into a more secure area. Every
possible realistic action should be considered.
-
The completed TRAM together with
a consolidated summary of all security measures that
have been devised and are able to be implemented should
form the basis from which the port security plan can
be developed.
Assessment example
The following ten-step example is used to illustrate the
possible working of a security assessment using the TRAM
for a specific threat scenario – destroy port authority’s
communication tower by explosives.
Potential target: Person/place/location
(identify each PT in the port area not covered by the
PFSP or other official subordinate plan)
Scenario
No. |
Threat scenario |
Threat |
Vulnerability |
Impact |
Risk score |
Action priority |
A |
B |
C |
D |
E |
F |
G |
1 |
|
|
|
|
|
|
2 |
|
|
|
|
|
|
3 |
|
|
|
|
|
|
4 |
|
|
|
|
|
|
5 |
|
|
|
|
|
|
6 |
|
|
|
|
|
|
7 |
|
|
|
|
|
|
8 |
|
|
|
|
|
|
9 |
|
|
|
|
|
|
(1) Threat scenario – destroy port authority's communication tower by explosives.
Initial assessment:
Scenario
No.
|
Threat scenario |
Threat |
Vulnerability |
Impact |
Risk score |
Action priority
|
A |
B |
C |
D |
E |
F |
G |
1 |
Destroy port authority's communication
tower by explosives |
2 |
2 |
3 |
12
(2 x 2 x 3) |
|
Implementing measures to reduce vulnerability (2 --> 1):
Scenario
No.
|
Threat scenario |
Threat |
Vulnerability |
Impact |
Risk score |
Action priority
|
A |
B |
C |
D |
E |
F |
G |
1 |
Destroy port authority's communication
tower by explosives |
2 |
1 |
3 |
6
(2 x 1 x 3) |
|
The tower is protected from casual access or interference by a 2-metre high razor wire fence of 15 metre diameter and is located in a non-restricted area approximately 200 metres from the Harbour Master's Office. The facility is positioned on flat ground approachable from all sides, and a service road, that is accessible from the public area roads, passes within 20 metres of the perimeter fence. Access to the compound is limited to maintenance and servicing of the tower components as required and seasonal ground maintenance including grass cutting by regular port approved contractors. There is a mobile security patrol that visits and checks for signs of damage or intrusion once by day and once by night. With these measures, vulnerability was scored as “2”. However, if additional vulnerability reduction measures, such as a full-time on-site security force, or, changing the non-restricted area to a restricted area, the vulnerability score may be reduced from “2” to “1” fully effective security measures. Thus, with vulnerability in column D reduced from “2” to “1”, as shown below, a new risk score of “6” is produced.
Implementing measures to reduce impact (3 ® 2):
Scenario
No.
|
Threat scenario |
Threat |
Vulnerability |
Impact |
Risk score |
Action priority
|
A |
B |
C |
D |
E |
F |
G |
1 |
Destroy port authority's communication
tower by explosives |
2 |
2 |
2 |
8
(2 x 2 x 2) |
|
Reducing the impact will alter the figure in column E and reduce the overall risk score. Recall that the tower is a critical component of port operational and commercial communications. It also supports booster stations for local police and emergency service communications. In addition the mast supports mobile telephone repeater services for the area. Assuming that there is no back-up communications tower, the impact of losing this tower was initially calculated as “3” in column E. However, if a back-up facility was available, it would create some redundancy, thereby reducing the impact of a loss. Thus, with impact reduced from “3” to “2” limited disruption to port organization due to communications redundancy, as shown below, produces a new risk score of “8”. While this is an improvement from “12”, the persons responsible for port security could then decide whether additional measures were needed.
Implementing measures to reduce vulnerability (2 ® 1) and impact (3 ® 2):
Scenario
No.
|
Threat scenario |
Threat |
Vulnerability |
Impact |
Risk score |
Action priority
|
A |
B |
C |
D |
E |
F |
G |
1 |
Destroy port authority's communication
tower by explosives |
2 |
1 |
2 |
4
(2 x 1 x 2) |
|
If both the vulnerability reduction measures and impact reduction measures discussed in this example were taken together, the total risk score would be reduced to “4”, well below the initial score of “6”.
The persons doing the security assessment and persons charged with implementing security measures must determine the effectiveness of various vulnerability or impact reduction measures for their ports.
Source :
IMO/ILO
Code of practice on security in ports
Tripartite Meeting of Experts on Security, Safety and Health in Ports
Geneva, 2003
|
|