Page 50: of Maritime Logistics Professional Magazine (Q3 2011)

50 Maritime Professional 3Q 2011Once these critical steps are per-formed the next challenge facing multi- national energy companies is integrat- ing the information developed in the analysis of the threats, vulnerabilities,and risks into consolidated, enterprise-wide risk mitigation programs that willenable the company to deter, detect, respond, and recover effectively from incidents or attacks. But how is this done, and where does one start?REGULATORY ENVIRONMENT Subsequent to the events of 9/11, the UN?s International MaritimeOrganization (IMO) developed the International Ship and Port Facility Security (ISPS) Code to provide securi- ty standards and performance objec-tives for the international maritime community, which applies to commer- cial maritime port facilities, vessels, and offshore platforms. Subsequent tar- geting of maritime energy carriers, transmission pipelines, and energy plat- form service vessels by criminal and terrorist organizations led to the devel- opment of additional regulatory instru- ments whose application may befocused on the energy products, or the mechanisms by which they are trans- ported through the supply chain. Inaddition to the ISPS Code, some of thesecurity regulations and industry ?best practices? that have emerged and may be applied to the energy industry include:US Maritime Transportation Security Act (MTSA);Counterterrorism Chemical Facility Anti-Terrorism Standards (CFATS); Customs-Trade Partnership Against Terrorism (C-TPAT); UNSCR 1540 ? WMD Non- Proliferation; Pipeline Hazardous Materials Security Act (PHMSA); andISO 28000 - Security for the Supply Chain.All of these instruments outline secu-rity standards and performance objec-tives that provide a framework for the development and enterprise-wide implementation of effective security policies and procedures. Of course, theadoption of security policies and proce-dures by energy companies will not by itself deter or mitigate the risk of secu-rity incidents, or lessen the company?s obligation to execute due diligence in the execution of those policies and pro- cedures. Due diligence is defined and demonstrated by adapting the compa-ny?s enterprise-wide security policy and procedures into security plans thatreflect the threats, vulnerabilities, andrecommended risk remediation meas-ures specific to their individual enter- prise facilities and operations. The ability of those company facili- ties to execute the procedures in their security plan is reflected in their pro-gram for conducting security training,drills, and exercises for their personnel at a local level. Non-compliance by an individual energy industry facility may compromise the integrity of the entire supply chain, and expose the company to an increased risk of legal or financial liability in the event of a security inci- dent resulting from deficiencies in their energy transportation system?s protec- tive measures. Since the capabilities and intent of the threats against theenergy industry are dynamic and con- stantly evolving, there is no one solu- tion that can effectively address them across any one company?s operational spectrum. Therefore, it is critical that the company have security profession- als at each enterprise level and at each facility that has a thorough understand- ing of the applicable security regula- tions, and is practiced in the implemen-tation and oversight of the company?s security policies and programs. A com- prehensive risk mitigation program will include the key elements: A consolidated spreadsheet of securi- ty regulations applicable to the ener- gy companies facilities and opera- tions;Security threat, vulnerability, and risks assessments conducted for eachenterprise facility and its operations conducted on a recurring basis, the frequency of which is dependent upon the facility?s evolving threat profile; A security plan that addresses the compliance requirements associated with the applicable security regula- tions, as outlined in the policies andprocedures captured in company?s enterprise security manual;A training plan that provides security awareness and compliance training, drills, and exercises for company per- sonnel at all enterprise levels; A program for communication with industry and government organiza- tions to obtain threat information necessary to support an effective company?s security risk mitigation program; and The commitment, at the highest level of corporate leadership, for invest- ment in security programs, systems and personnel necessary to effective- ly address the ongoing threats facing the energy industry worldwide. The energy industry has an obligation to its employees and shareholders to apply appropriate and effective preven- tive security, incident recovery, and continuity of operations programs thatare tailored to the credible threats ateach enterprise location. Individual enterprise investment in comprehensive risk mitigation programs is the best way to address weaknesses in their respec-tive segments of the energy supply chain, where their vulnerabilities canexpose the entire industry to the risk of interruption, and reduce the triggermechanism for escalating prices at thepump.The AuthorRonald Thomasonis President of Infrastructure Security Solutions LLC, a provider of security consulting serv- ices for the maritime trade and trans-portation communities worldwide. Mr. Thomason also serves as the VP of Strategic Programs for the Maritime Security Council.ENERGY SECURITYMP #3 (50-64):MP Layouts 8/17/2011 4:36 PM Page 50