A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Vulnerability assessments can be conducted on information technology systems, environmental systems, water supply systems, transportation systems, and of course quality systems. Assessments can be performed by small businesses up to large regional infrastructures.
The following generic steps are followed when conducting a vulnerability assessment:
Catalog assets and capabilities in a system.
Rank the assets/capabilities and their importance
Identify vulnerabilities or potential threats
Mitigate or eliminate the most serious vulnerabilities for the most valuable assets/capabilities
1. Determining the need for a vulnerability assessment.
2. Defining the project.
3. Characterizing the facility.
4. Deriving severity levels.
5. Assessing threats.
6. Prioritizing threats.
7. Preparing for the site analysis.
8. Surveying the site.
9. Analyzing the system’s effectiveness.
10. Analyzing risks.
11. Making recommendations for risk reduction.
12. Preparing the final report
An explanation has been provided for each step:
Determine if a Vulnerability Assessment should be done, identify and evaluate possible undesired events in a system to determine system priorities from level 1 (highest) to level 4 (lowest).
Assign a VAM facilitator to lead the project. Review the scope, purpose, and tasks to be completed and the resources needed. Create a project schedule for activities to be completed and assemble a team. The project definition should be documented in a written statement.
Specify the facility, including boundaries, building locations, floor plans, access points, physical protection features, and system processes, including operational procedures, procedural information, and critical activities that can result in an undesired event. Location of equipment, safety features, and chemical inventories must be documented to ensure understanding of the facilities operations.
Information sources include hazard analysis severity tables, or creating a severity table specific to the system. The resulting severity value will be used in the risk analysis.
A general description of the threat is required to determine the likelihood of occurrence. The threat must be defined for each system, including the number of adversaries, mode of operation, tools/ weapons, and type of acts that could be committed. It is important to keep this section current and relevant.
Rank the Likelihood of Attack and Severity values for each undesired event in a table to determine the Likelihood of Severity values. Priority cases are based on their proximity to a value of 1 and should be further analyzed for system protection effectiveness.
Determining the effectiveness of a facility’s protection system requires collection of background information; including site drawings, hazard analyses, physical protection system features, and process data control.
The team should review system information, drawings and worksheets put together by the facilitator to ensure accuracy and validation in preparation for a system effectiveness analysis. A walk-through survey of the facility should be conducted with attention paid to critical activities and target information.
Judge whether the protection features are effective in preventing an undesired event from occurring. Estimating the effectiveness of the physical protection system include identifying the most vulnerable scenario, listing the security features, and determining the likelihood of adversary success for the scenario. Estimating the effectiveness of the protection systems process control include identifying the most vulnerable scenario, listing the features of the process control system, and determining the likelihood of adversary success for the scenario.
Likelihood and severity values are combined with Likelihood of Adversary Success values to estimate the level of risk for each undesired event using a risk level summary table. If there are risk values of 1, 2, or 3, these risks should be decreased and recommendations to reduce the risks should address specific vulnerabilities identified in step 9.
Risk values of 1, 2, or 3 should be reduced through recommendations including detection, delay, response, and mitigation/ safety features that eliminate or mitigate the identified vulnerabilities. Low-cost, high return upgrades are the goal. After recommendations are made, the new system effectiveness level and risk level should be estimated, until acceptable risk levels of 3 and 4 are reached for each undesired event.
The final report should include several elements such as: all analysis results and values, definition tables, tables created to identify values, prioritization of undesired events, most vulnerable adversary scenarios for physical protection and process control paths, including risk levels, and recommendations made to reduce risk levels.