Offshore installation security

Offshore installation security is the protection of maritime installations from intentional harm. As part of general maritime security, offshore installation security is defined as the installation's ability to combat unauthorized acts designed to cause intentional harm to the installation. The security of offshore installations is vital as not only may a threat result in personal, economic, and financial losses, but it also concerns the strategic aspects of the petroleum market and geopolitics.

Offshore installations refer to offshore platforms, oil platforms, and various types of offshore drilling rigs. It also is a general term for mobile and fixed maritime structures which includes facilities that are intended for exploration; drilling; the production, processing, or storage of hydrocarbons, and other related activities regarding the processing of fluids lying beneath the seabed. Offshore installations are most commonly engaged in drilling actions located in the continental shelf of a country and form a major part of the petroleum industry's upstream sector.

Whilst records of security incidents date to the 1960s, the matter did not appear in academic writings until the early 1980s. A milestone is the 1988 SUA Act & Protocol which criminalized crime or violence against ships or fixed platforms. After the September 11 attacks in 2001, there was increased awareness of possible threats in the offshore energy sector. Threats  stem from sources such as pirates, environmental extremists, and other criminals, and they may vary in gravity and frequency. There are a variety of protective mechanisms in place, and these range from international legal frameworks to specific industry planning and responses.

1960s - 2000s
Record keeping of security incidents of offshore installations dates back to the 1960s, but it was not until the early 1980s that possible threats were first addressed within academic literature. This lack of protection left the assets vulnerable to attacks;  however, with the Achille Lauro attack in 1985, the awareness for the protection of maritime targets, including offshore installations, increased. The attack is seen as a major driver for the 1988 adoption of the Convention For The Suppression Of Unlawful Acts Against The Safety Of Maritime Navigation (SUA Act) criminalizes behavior of crime or violence against ships including attacks of terrorism and piracy. The signing of the accompanying SUA Protocol, the Protocol for the Suppression of Unlawful Acts against the Safety of Fixed Platforms Located on the Continental Shelf, which prohibits and punishes behavior that may threaten the security of offshore fixed platforms is seen to present a milestone in offshore installation security. In the same year Brian Michael Jenkins published a paper under the RAND Corporation and was the first to comprehensively list a record of historical attacks on offshore installations and identify the main methods of attack. By the late 1980s the awareness of installation security had increased, and the first international legal regulation was in place. Nevertheless, industry standards with regards to the protection of offshore installations were still low.

September 11 attacks as turning point
The 9/11 attacks marked a turning point in the international awareness and policy towards the comprehensive protection of offshore energy sector as political engagement with the topic increased. Moreover, since 2004, the international community experienced an increase in the attacks on offshore installation due to reasons such as the increased capabilities of adversaries, political instability within certain nations, and armed conflicts in oil producing countries. For example, since 2006 the conflict in the Niger Delta has resulted in increased attacks in the Gulf of Guinea and raised security level.

According to the International Energy Agency, the security of offshore oil and gas industry is currently of economic and strategic importance as about one quarter of the global energy supply stems from offshore sources. The resulting overall development towards heightened awareness and recognition of the issue has affected the organization of the offshore oil and gas sector within their installations. For example, some companies include a security division within their Health, Safety & Environment departments. This overall development has brought changes to the international regulatory framework; namely, the passing of the ISPS Codes and the 2005 amendments to the 1988 SUA Convention and Protocol. Additionally, national laws have been enacted to include critical infrastructure protection policies (for further information see below 'Protection Mechanisms').

Security threats
While a security threat is seen as "any unlawful interference with offshore oil and gas operations or an act of violence directed towards offshore installations", there are several ways of how to classify the various threats facing offshore installations. The most comprehensive and encyclopedic compilation is Dr. Mikhail Kashubsky in his 2016 book. Offshore Oil and Gas Installations Security: An International Perspective. The book includes a comprehensive dataset of past attacks and security incidents involving offshore oil and gas installations entitled the Offshore Installations Attack Dataset (OIAD). In his writing, Kashubsky established an offshore security threat nexus in which he classifies the different threats. This classification identifies the people and organizations behind the threats as an analysis to learn more about their motivation, intent and tactics, to develop an effective response.

Specifically, there are three factors taken into account by Kashubsky when assessing the offshore security threats: geography and other enabling factors, motivations and objectives, and capabilities and tactics. With regards to geography, the location of the offshore installation is identified for possible vulnerability. Other enabling factors refer to how events such as civil wars or political unrest in the region might effect offshore security. Motivations and objectives highlight the difference in intentions by the respective threats and how this relates to a differing methods in which they might deploy threats methods. Capabilities and tactics, address how to adapt defensive operations depending on the type of type and aim of a threat. These can range from piratical kidnapping tactics to external sabotage. Since threats are seen as being motivated by a range of objectives, the threats are also seen as being interlinked and overlapping. Lastly, Kashubsky ranks the different threats according to the API Security Risk Assessment methodology. This consists of a 5-level threat ranking system that define threat rankings for the petroleum and petrochemical industry, where 1 is very low, 2 is low, 3 is medium, 4 is high, and 5 is very high. This ranking is based on these three factors as well as the frequency of past incidents.

The offshore security threat nexus identifies and ranks the following threats:


 * Civil protest: These are interferences caused by non-violent environmental activists, indigenous activists, labour activists, striking workers, anti-government protesters or the like, usually employing non-violent and non-destructive measures. API-SRA Ranking: High
 * Cyber threats: These present a broad spectrum of motivations and capabilities; however, there is a trend of cyber-attacks to target critical infrastructure targets, attacks that can be executed from any location worldwide. API-SRA Ranking: High
 * Inter-state hostilities: These are certain actions of nation-states that take the form of interstate armed conflict and wars, maritime boundary disputes, or state terrorism. API-SRA Ranking: High
 * Piracy: Piracy activities are those acts that seek financial gain and it describes the act of piracy. API-SRA Ranking: Medium
 * Insurgency: These include regular or guerrilla combat against the armed forces of an established authority and the government or administration which act in opposition to civil authority. These may also relate to piracy as a financial tactic. API-SRA Ranking: Medium
 * Organised crime: This addresses criminal activities with illegal ventures for financial purpose, specifically those which are non-ideological. API-SRA Ranking: Medium
 * Internal sabotage: This addresses the deliberate destruction, disruption, or damage of equipment by dissatisfied employees, current or former. It also includes the intentional disclosure of sensitive and confidential information to third parties. API-SRA Ranking: Medium
 * Terrorism: This concerns activities organised for terrorist purposes with a political aim or a tactic to realise certain sub-goals. In this classification, violence is deliberately used. API-SRA Ranking: Low
 * Vandalism: The concerns acts that damage cargo, support equipment, infrastructure, systems, or facilities. They can include violent actions of radical environmental and animal rights groups that intend to cause damage to company property. API-SRA Ranking: Very Low

With this classification system, the highest threats are seen to stem from civil protest, interstate hostilities, and cyber threats. On the other hand, terrorism threat is low, and vandalism even lower. The other categories provide a medium threat level.

Geographical considerations
The security of an offshore installation stands in close relation to its geographical location. Even though attacks have taken place in all regions of the world, most occurred in political and economically unstable countries. The majority of these, more than 60%, took place off the coast of Nigeria. This raised the notion that there are national and regional dimensions that must be considered. Regions of heightened concern include the following:


 * Gulf of Guinea with more than 60% of the attacks taking place there
 * Bay of Benegal and the Asia Pacific region due to civil unrest onshore
 * Persian Gulf which is in an oil rich region
 * Indian Ocean specifically around the Horn of Africa

Possible consequences of security incidents
There is a variety of consideration when analyzing the consequences of a possible threat materializing. Within this, offshore installations security threats are considered hybrid-threats as the consequences may be felt by various organizations and sectors around the globe.

Personal security concerns
Possible injury or death of offshore workers need to be considered. Attacks may result in grave injuries or other medical consequences, or loss of life in the worst case.

Operational security concerns
A materialized security threat may result in the disruption of the functioning of the offshore installation due to the damage or harm on the operational site.

Environmental security concerns
The consequences of oil spills, especially in the high seas, may be grave. A possible oil spill may cause long-lasting damage to the immediate environment, but may have wider implications too. For example, the food security of a region may be compromised due to water contamination. Not only may water offshore and in coastal waters be affected, but it also may cause toxic effects on shorelines and shallow inshore waters. This could have a negative effect on the population living in the region.

Economic Security Concerns
A successful attack may result in economic concerns for a variety of people who are involved. First, for the operating company may suffer damage and also a loss of income when production is stalled. Additionally, a disruption of oil and gas supply to the market may result in volatile oil prices, which would carry an effect on global economy and the stock exchange. An oil spill may also have significant effects on other sectors such as local fisheries and tourism which could experience losses.

Energy security concerns
With the offshore oil and gas sector being one fourth of the global energy production, offshore oil and gas extraction has become increasingly important in the evolving world energy scene. Petroleum, as one of the most important energy resources of the earth, will remain an essential part of the global energy demand also in the future, as demands are not projected to curtail. Thus, an uninterrupted petroleum supply is essential in light of the global energy security as a sustained disruption in oil supply may cause national emergencies.

Strategic security concerns
A sustained disruption in oil and gas supply may also cause geopolitical concerns. It could present a weakened position of a nation within global politics as it loses power within those factors that govern international relations.

Protection mechanisms
Offshore installations enjoy a number of protection mechanisms that are international, regional, and industry specific.

UNCLOS Art. 60
The 1982 United Nations Convention on the Law of the Sea (UNCLOS) provides a basic legal basis for protecting offshore installations. Typically, offshore installations are deployed either in the territorial sea, the contiguous zone, or the exclusive economic zone (EEZ) of a coastal state. Whilst the coastal state has full enforcement jurisdiction over all security matters in the territorial sea, in the contiguous zone it has also has powers over law enforcement issues which affect its domestic stability. This allows the coastal state to secure its offshore assets broadly through jurisdiction in these two zones. In the EEZ the rights are more limited, as the coastal state cannot restrict others' right to innocently transit the waters. 'Art. 60 of UNCLOS' gives coastal states the right to create a 500-meter safety zone around offshore installations which designates it as an area of restricted navigation where any passing vessel or boat may be considered a potential security concern. Within this zone, personnel may take appropriate measures to stop those who pose the threat.

SUA Convention + protocol
The Convention for the Suppression of Unlawful Acts Against the Safety of Maritime Navigation (SUA Convention) and its accompanying Protocol for the Suppression of Unlawful Acts Against the Safety of Fixed Platforms Located on the Continental Shelf (SUA Protocol) criminalized behavior of crime, violence, or behavior that may threaten the security of ships and fixed platforms. The main purpose of the Convention was to ensure that appropriate action is taken against those who have committed unlawful acts against vessels and offshore oil and gas infrastructure as it obliges contracting Governments either to extradite or prosecute alleged offenders. The 2005 amendments, moreover, addressed vulnerable elements of the maritime-based oil and gas industry and drew attention to potential acts of terrorism. These actions establish that consideration should be also given also to the oil and gas industry. With this the SUA Convention and Protocol provided the first international treaty and framework for combating and prosecuting criminals and terrorists who have attacked or used a tanker or a fixed oil or gas installation as part of a terrorist operation.

ISPS Code
The International Ship and Port Facility Security Code (ISPS) prescribed responsibilities to governments, companies and personnel to detect security threats and take preventive measures against security incidents affecting ships or port facilities used in international trade. It additionally introduced maritime security levels for quick crisis communication which provides industry members with a framework for crisis response. The ISPS Code is enacted in national law in the EU and the US.

International Association of Oil and Gas Producers (OGP documents)
The International Association of Oil and Gas Producers is asserted as the "voice of the global upstream oil and gas industry" and has published several documents in the form of reports that recommend best practices to be introduced in the oil and gas industry including enhanced security of energy installations. The pertinent documents are:


 * OGP Report No. 494 on integrating security in major projects - principles & guidelines
 * OGP Report No. 512 on security management system
 * IOGP Report No. 555 on conducting security risk assessments (SRA) in dynamic threat environments

ISO Standards ISO 31000:2009
The voluntary international ISO Standards introduced recommendations and best practices for industry actors. The ISO 31000:2009 Risk Management: Principles and Guidelines is a standard presenting internationally accepted best practice frameworks and guidelines for action on risk management. It presents a systematized protocol to identify, analyse, evaluate, and treat possible risks to support strategies for major safety and security incident prevention, response, and recovery. Implementation of these standards is designed to both prepare for and react to an security emergency.

RAMCAP
RAMCAP or Risk Analysis and Management for Critical Asset Protection is a framework for analyzing and managing the risks associated with attacks against the United States national critical infrastructure assets. It provides an overarching 7-step methodology for assessment and management of risks and their impact. It has been developed by the American Society of Mechanical Engineers to be used by the staff and management of infrastructure facilities and is also used by the American industry to report to the US Department of Homeland Security

CRISRRAM
CRISRRAM, or critical infrastructures and systems risk and resilience assessment methodology, is a security methodology developed by the European Commission. It addresses risks and vulnerabilities of critical infrastructure at asset, system, and societal levels which takes into account environmental and man-made security hazards. It provides industry professionals with a framework to analyse, act, and a security emergency.

SVA Methodology for the Petroleum and Petrochemical Industries
The Security Vulnerability Assessment (SVA) Methodology for the Petroleum and Petrochemical Industries from the American Petroleum Institute and the National Petrochemical & Refiners Association aims at maintaining and increasing the security of energy facilities in the petroleum sector. The document establishes a security vulnerability assessment methodology to identify and analyse the threats and vulnerabilities those energy installations face.

Moreover, general security risk management practices, such as enterprise risk management are employed throughout the sector.