Page 224 - Pipeline Risk Management Manual Ideas, Techniques, and Resources
P. 224
Sabotage module 9/201
It would be naive to rule out the possibility of attack com- that, eventually, a pipeline failure will occur as long as the
pletely in any part of the world. However, this module is attacks continue. It is recommended that the sabotage threat be
designed to be used when the threat is more than merely a tbeo- included as a stand-alone assessment. It represents a unique
retical potential. Inclusion of this module should be prompted type of threat that is independent and additive to other threats.
by any of the following conditions in the geographical area To be consistent with other failure threat assessments (dis-
being evaluated: cussed in Chapters 3 through 6), a 100-point scale, with
increasing points representing increasing safety, can be used in
Previous acts directed against an owned facility have evaluations. Specific point values are not always suggested
occurred here because a sabotage threat can be so situation specific.
Random acts impacting owned or similar facilities are occur- The evaluator should review all of the variables suggested,
ring add others as needed, and determine the initial weightings
The company has knowledge of individuals or groups that based on an appropriate balance between all variables.
have targeted it. Variables with a higher potential impact on risk should have
higher weightings.
Because the kinds of conditions that promote sabotage can The overall potential to a sabotage event can first be assessed
change quickly, the potential for future episodes is difficult to based on the current sociopolitical environment, where lower
predict. For some applications, the evaluator may wish to points reflect lower safety-greater threat levels. A score of
always include the sabotage module for consistency reasons. 100 points indicates no threat of sabotage.
An important first step in sabotage assessment is to under-
stand the target opportunities from the attackers’ point of view. Attack Potential . . . . . . . . . . . . . . . . .O-100 pts
It is useful to develop “what-if” scenarios of possible sabotage Then points can be added to the “attack potential” score
and terrorist attacks. A team of knowledgeable personnel can based on the presence of mitigating measures. In the sample list
be assembled to develop sabotage strategies that they would of considerations below, seven mitigating measures are
use. should they wish to cause maximum damage. The scenar- assessed as are portions of the previously discussed Incorrect
ios should be as specific as possible, noting all ofthe following Operations index:
aspects:
A. Community Partnering
What pipeline would be targeted? B. Intelligence
Where on the pipeline should the failure occur? C. Security Forces
What time of year, day of week, time of day? D. Resolve
How would the failure be initiated? E. Threat of Punishment
How would ignition be ensured, if ignition was part of the F. Industry Cooperation
scenario? G. Facility Accessibility (barrier preventions, detection pre-
What would be the expected damages? Best case? Worst ventions)
case‘?
What would be the probability of each scenario? Incorrect Operations Index:
As seen in the leak impact,factor development discussion, A. Design
the most damaging scenarios could involve unconfined vapor B. Construction
cloud explosions, toxic gases, or rapidly dispersed flammable C. Operations
liquids (via roadways, sewer systems, etc), all in “target-rich” D. Maintenance
environments. Fortunately, these are also very rare scenarios.
Even if a careful orchestration of such an event were attempted, Finally, some modifications to the Leak Impact Factor
the practical difficulties in optimizing the scenario for maxi- detailed in Chapter 7 might also be appropriate, as is discussed.
mum impact would be challenging even for knowledgeable
individuals. Attack potential
The threat assessment team should use these scenarios as
part of a vulnerability assessment. Existing countermeasures Anticipation of attacks is the first line of defense. Indications
and sequence-interruption opportunities should be identified. that the potential for attack is significant include (in roughly
Additional prevention measures should be proposed and dis- priority order)
cussed. Naturally, care should be exercised in documenting
these exercises and protecting such documentation. 0 A history of such attacks on this facility
The nature of the sabotage threat is quite different than all 0 A history of attacks on similar facilities
threats previously considered. A focused human effort to cause 0 Presence of a group historically responsible for attacks
a failure weighs more on the risk picture than the basically ran- High tension situations involving conflict between the oper-
dom or slower acting forces of nature. Because any aspect of ating (or owner) company and other groups such as
the pipeline operation is a potential target, all failure modes can 0 Activists (political, environmental, labor, religious
theoretically be used to precipitate a failure but the fast-acting extremists, etc.)
failure mechanisms will logically be the saboteur’s first choice. Former employees
It must be conservatively assumed that a dedicated intruder will Hostile labor unions
eventually find a way to cause harm to a facility. This implies 0 Local residents.
