Developing Effective Contractor Identity Lifecycle Management for Refineries
In the wake of ever-present terrorist threats and potentially large-scale disasters, security and safety have become major concerns that also pose greater challenges for refineries. One main challenge is managing the identity of the independent contractors who have become increasingly important for refineries, which routinely undertake turnarounds (TARs) or scheduled shutdowns or outages.
During a TAR, for example, the entire process unit of a refinery is taken offline for inspection and testing, de-bottlenecking projects, revamps, catalyst regeneration or other necessary projects. In terms of lost production and direct costs such as labor, tools, equipment and materials, these projects are very expensive. Because they can be hired for a specific project or period of time and are paid only for the work they do within those parameters, contractors are a more flexible, budget-friendly alternative to full-time employees. Therefore, refineries bring in contractors – sometimes numbering in the thousands – to assist with the execution of a TAR.
However, these contractors also introduce potential risks that could create a breach in physical security that compromises other elements of a security program as well as overall operations. A contractor is by definition an outsider, but access to people, locations and assets can quickly transform an outsider into an insider. Simply by providing access to a facility, refineries may be exposed to property loss, vandalism, damage to equipment (intentional and unintentional) and more.
Effective identity management ensures that each ID is associated with a specific person, which prevents it from being loaned to or stolen by another person. Physical access entitlements tied to an individual’s ID must correspond with the specific areas of a refinery to which he or she requires access. Finally, contractors must be removed from security and access control systems as soon as their contract expires or when they are terminated. The sheer size of refineries, the amount of traffic entering and exiting, and the number of dangerous or sensitive materials handled within refinery facilities certainly compound the potential risk and make contractor identity management even more critical.
Unfortunately, many refineries lack an adequate mechanism for vetting individuals prior to issuing temporary identities that enable access to the necessary critical areas for only the required amount of time. Just as critical is the need to off-board identities immediately at the completion of their temporary employment.
Without effective vetting, onboarding and off-boarding processes, refineries face the significant risks of providing access to temporary identities before they can be authenticated and potentially allowing access beyond the required timeframe, both of which violate strict compliance regulations governing refineries. The manual, paper-based processes and in-house technologies many organizations currently employ are disjointed, inefficient, error-prone and incapable of performing these critical tasks effectively.
End-to-end identity management software brings together identity vetting, smart card technology and automation to solve the challenges of managing contractor identities and ensuring compliance with Chemical Facility Anti-Terrorism Standards (CFATS) and other regulations that govern refineries’ security and identity management policies and processes. These solutions provide an automated, policy-based approach that accurately captures and verifies identities within physical security, human resources and other appropriate systems. With an end-to-end management system, access to a refinery or specific areas within will not be provisioned unless contractors have met all prerequisite criteria.
The centralized data, identity and access authority management capabilities of these solutions ensure contractors can access only the areas that are necessary to their specific job function and that they have been approved to enter. Automated identity management software also segregates data across multiple contract companies to provide refineries with clear, concise audit reports for each contractor.
The greatest benefit of these solutions may be their ability to automatically activate, deactivate, upgrade, renew and reactivate identities. For example, a number of refineries currently employ inefficient identity proofing and vetting processes and rely on paper-based manual sign-in sheets for visitor management, limited-functionality systems developed in-house and/or limited lobby-based systems. These pose significant difficulties for enforcing global and local policies and provide limited insight into visitor lifecycles. Undoubtedly, refineries that deploy identity management solutions benefit from far greater efficiency and effectiveness in addressing security risks associated with managing the contractor identity lifecycle.
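The policy-based lifecycle described above (no provisioning until prerequisites are met, access limited to approved areas, deactivation at contract end, per-company audit reports) can be sketched as follows. This is an added example, not code from any identity management product; the prerequisite names, record fields, badge IDs and area names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical prerequisite names; each site defines its own list.
PREREQUISITES = {"identity_verified", "background_check", "safety_training"}

@dataclass
class Contractor:
    badge_id: str
    company: str
    contract_end: date
    terminated: bool = False
    completed: set = field(default_factory=set)
    approved_areas: set = field(default_factory=set)

def is_active(c, today):
    return not c.terminated and today <= c.contract_end

def provision(c, requested_areas, today):
    """Return the areas to grant; raise if a prerequisite gate fails."""
    missing = PREREQUISITES - c.completed
    if missing:
        raise PermissionError(f"{c.badge_id}: missing {sorted(missing)}")
    if not is_active(c, today):
        raise PermissionError(f"{c.badge_id}: contract not active")
    # Grant only areas that are both requested and approved for the job.
    return set(requested_areas) & c.approved_areas

def reconcile(contractors, grants, today):
    """Audit live grants (badge_id -> areas) against contract records.

    Returns {company: [(badge_id, action), ...]} so each contract
    company gets its own report.
    """
    by_id = {c.badge_id: c for c in contractors}
    report = {}
    for badge_id, areas in sorted(grants.items()):
        c = by_id.get(badge_id)
        if c is None:
            report.setdefault("UNKNOWN", []).append((badge_id, "no identity record"))
        elif not is_active(c, today):
            report.setdefault(c.company, []).append((badge_id, "deactivate"))
        elif areas - c.approved_areas:
            extra = sorted(areas - c.approved_areas)
            report.setdefault(c.company, []).append((badge_id, f"revoke {extra}"))
    return report

# Constructed sample record (not real data): contract ended 2024-05-31.
SAMPLE = [Contractor("B1", "AcmeWeld", date(2024, 5, 31), False,
                     set(PREREQUISITES), {"unit-3"})]
```

Running reconcile on a schedule against an export of the access control system surfaces badges that outlived their contract, as well as grants that were never approved.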
While contractors represent a cost-effective alternative to full-time employees, there is no question that refineries’ increased reliance on them as part of their operational strategy also increases these organizations’ potential risk, underscoring the critical need for effective and efficient identity lifecycle management. Because manual, paper-based systems are highly inefficient and error-prone, they simply cannot adequately address these risks. If departments are segregated and operate autonomously, the significant amount of time and energy required for identity management makes it impossible for security teams to properly perform their job, exposing refineries to even greater risk. The best tool for increasing efficiency and effectiveness of these processes is an automated end-to-end identity management solution that brings together multiple systems to centrally manage information. A number of refineries and other critical infrastructure organizations have successfully implemented this solution to provide contractors with the proper level of access for only the proper amount of time – reducing contractor risks to ensure a higher level of both security and compliance.