The RBA is a documented analysis that is a REQUIRED part of the FSA and forces us to look critically at potential attack scenarios for our facility, and identify possible mitigation actions. Finally, we attempt to rate these items to identify those scenarios that have a high impact and vulnerability and the mitigation actions that we believe would be most effective.
Coast Guard NVIC 11-05 provides a good, basic framework for conducting an RBA. It’s important to involve key personnel and stakeholders at your facility when you conduct the RBA. When Seebald and Associates conducts an RBA, we use a slightly more involved process and have developed a spreadsheet to help us thoroughly analyze the data. We also like to have all of important players at the facility sitting around the table (senior/corporate leadership, FSO, AFSO, terminal manager, shipping manager, IT manager, production manager, security supervisor, etc.). A more inclusive and thoughtful process will yield a more realistic and effective RBA especially identifying vulnerable systems, processes or protocols.
Remember to check your FSP approval date, 2019 is right around the corner!!!