Facility Security Plan Methodology for the Oil and Natural Gas Industries

API RECOMMENDED PRACTICE 781 FIRST EDITION, SEPTEMBER 2016

Special Notes

API publications necessarily address problems of a general nature. With respect to particular circumstances, local, state, and federal laws and regulations should be reviewed.

Neither API nor any of API’s employees, subcontractors, consultants, committees, or other assignees make any warranty or representation, either express or implied, with respect to the accuracy, completeness, or usefulness of the information contained herein, or assume any liability or responsibility for any use, or the results of such use, of any information or process disclosed in this publication. Neither API nor any of API's employees, subcontractors, consultants, or other assignees represent that use of this publication would not infringe upon privately owned rights.

API publications may be used by anyone desiring to do so. Every effort has been made by the Institute to assure the accuracy and reliability of the data contained in them; however, the Institute makes no representation, warranty, or guarantee in connection with this publication and hereby expressly disclaims any liability or responsibility for loss or damage resulting from its use or for the violation of any authorities having jurisdiction with which this publication may conflict.

API publications are published to facilitate the broad availability of proven, sound engineering and operating practices. These publications are not intended to obviate the need for applying sound engineering judgment regarding when and where these publications should be utilized. The formulation and publication of API publications is not intended in any way to inhibit anyone from using any other practices.

Any manufacturer marking equipment or materials in conformance with the marking requirements of an API standard is solely responsible for complying with all the applicable requirements of that standard. API does not represent, warrant, or guarantee that such products do in fact conform to the applicable API standard.

All rights reserved. No part of this work may be reproduced, translated, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission from the publisher. Contact the Publisher, API Publishing Services, 1220 L Street, NW, Washington, DC 20005.

Copyright © 2016 American Petroleum Institute

Foreword

Nothing contained in any API publication is to be construed as granting any right, by implication or otherwise, for the manufacture, sale, or use of any method, apparatus, or product covered by letters patent. Neither should anything contained in the publication be construed as insuring anyone against liability for infringement of letters patent.

This document was produced under API standardization procedures that ensure appropriate notification and participation in the developmental process and is designated as an API standard. Questions concerning the interpretation of the content of this publication or comments and questions concerning the procedures under which this publication was developed should be directed in writing to the Director of Standards, American Petroleum Institute, 1220 L Street, NW, Washington, DC 20005. Requests for permission to reproduce or translate all or any part of the material published herein should also be addressed to the director.

Generally, API standards are reviewed and revised, reaffirmed, or withdrawn at least every five years. A one-time extension of up to two years may be added to this review cycle. Status of the publication can be ascertained from the API Standards Department, telephone (202) 682-8000. A catalog of API publications and materials is published annually by API, 1220 L Street, NW, Washington, DC 20005.

Suggested revisions are invited and should be submitted to the Standards Department, API, 1220 L Street, NW, Washington, DC 20005, standards@api.org.

iii

1. Scope 1

   1. General 1

   2. Applicability 1

2. Normative References 1

3. Terms, Definitions, Abbreviations, and Acronyms 2

   1. Terms and Definitions 2

   2. Abbreviations and Acronyms 7

4. Security Management System (SMS) 8

5. Security Risk Assessment (SRA) 8

6. Introduction to Facility Security Plan Concepts (FSP) 9

   1. Introduction 9

   2. Common elements included in an FSP 9

   3. Record of Change 9

   4. Distribution List 10

   5. Security Administration and Organization of the Facility 11

   6. Security Training 13

   7. Drills and Exercises 15

   8. Record Keeping and Documentation 16

   9. Response to Change in Alert Level 17

   10. Communications 18

   11. Site Maps 19

   12. Network Segmentation 19

   13. Security Systems and Equipment Maintenance 20

   14. Physical Security 20

7. Futures—Additional Integration of Cyber and Physical Systems 22

8. Personnel Surety 22

   1. General 22

   2. Background Check 23

   3. Employees 23

   4. Contractors 23

   5. Audit of Personnel Surety Program 24

9. Security Measures for Access Control, Including Designated Public, Controlled, and Restricted Access Areas24

   1. General 24

   2. Visitors 25

   3. Deliveries 25

   4. Government Employees 25

   5. Screening, Searches, and Inspection 26

   6. Restricted Areas 27

   7. Security Countermeasures for Restricted Areas 27

10. Security Measures for Monitoring 28

11. Key Control 29

12. Security Incident Procedures 29

    v

    
    

13. Audits and Security Plan Amendments 30

    1. Audits 30

    2. Audit Amendments 30

    3. Findings 30

Annex A (informative) Example Security Plan 31

Bibliography 70

Tables

1. Example Elements of a Security Plan 10

2. Record of Change 10

Facility Security Plan Methodology for the Oil and Natural Gas Industries

1. Scope

   1. General

      
      

      The purpose of a facility security plan (FSP) is to provide the framework to establish a secure workplace. The plan provides an overview of the threats facing the facility and describes the security measures and procedures designed to mitigate risk and protect people, assets, operations, and company reputation.

      
      

      This standard was prepared with guidance and direction from the API Security Committee, to assist the petroleum and petrochemical industries in the preparation of a Facility Security Plan. This standard specifies the requirements for preparing an FSP as well as a discussion of the typical elements included in an FSP.

      
      

   2. Applicability

      
      

      This standard is intended to be flexible and adaptable to the needs of the user. It is noted that the content of an FSP can vary depending on circumstances such as facility size, location, and operations. This methodology is one approach for preparing an FSP at petroleum and petrochemical facilities. There are other security plan formats available for the industry. It is the responsibility of the user to choose the format and content of the FSP that best meets the needs of a specific facility. The format and content of some FSPs should be dictated by government regulations for covered facilities. This Standard is not intended to supersede the requirements of any regulated facility but may be used as a reference document.

      
      

      This standard should be limited to the preparation of the FSP. It is recognized that the FSP is only one part of a comprehensive security management system (SMS). The FSP should be prepared after a security risk assessment (SRA) is conducted. The SRA is a process to identify and assess the threats, vulnerabilities and consequences facing a facility. It is important to understand the risks facing the facility before a comprehensive and effective FSP can be developed. The FSP should incorporate procedural, physical and cyber security measures for a holistic and comprehensive plan.

      
      

      In an era of rapidly advancing technology, no FSP would be complete without inclusion of Information Technology and Operational Technology Security considerations and reference to security measures developed and maintained by these organizations. The interdependence of physical and logical security, as evidenced by the “Internet of Things” (IoT) underscores the criticality of preparing a single, common security strategy to mitigate risk and assure an organization’s resilience in the face of dynamic threats.

      
      

2. Normative References

The most recent editions of each of the following standards, codes, and publications are referenced in this RP as useful sources of additional information. Further information may be available from the cited Internet World Wide Web sites or references included in the Bibliography.

API Manual of Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries 6 CFR §27.230 1, Chemical Facilities Anti-Terrorism Standards, Risk-Based Performance Standards 33 CFR §105.100–415 2, Maritime Transportation Security Act of 2002

National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity 3

1. Department of Homeland Security-ISCD, 1421 Jefferson Davis Highway, Arlington, VA 22202.

2. U. S. Coast Guard, 2699 Firth Sterling Ave SE, Washington, D.C., www.gocoastguard.com.

3. National Institute of Standards and Technology, 100 Bureau Drive, Stop 3460, Gaithersburg, Maryland 20899, www.nist.gov.

1