Saturday, November 29, 2008

CSAT Privacy Act Information

Earlier this week, DHS updated the Chemical Security portion of their Laws and Regulations web page. They added a link to the updated CSAT Privacy Impact Assessment required under the Privacy Act. The new Impact Assessment was needed because changes made in October to the CSAT web site allowed users to see the names and positions of other users registered with CSAT for the same facility. The Help Desk also has access to this information as well as the CVI training status of users. This aids them in dealing with users having problems with the CSAT system. CSAT registered users should review the Impact Assessment document to ensure that they know how their personal information is being used and shared. Or maybe they ought to do it just to help justify the government’s cost of maintaining these documents.

Reader Comment 11-24-08

I’m late getting to this reader comment posted earlier this week about my October 20th blog “Escort Procedures for Rail Crews”. I apologize for the delay, but I’ve been sick this week and haven’t read or written anything until Thursday afternoon. In any case, Anonymous made the following comments:
“This is an excellent discussion of rail crews and TWIC. It also illustrates the severe problems that smaller faciities (sic) run into with trains and TWIC. Or rather, with escorting and TWIC. Economic hard times have pared many smaller facilities down to the bare minimum number of people needed to perform the business operation. No extras for escort. No extras to post at the gate to monitor that non-TWIC crew member because the facility doesn't have a CCTV system. However, the regulations apply across the board no matter the size of the employee workforce, and escort has to be performed.”
While the TWIC rules only apply to maritime facilities, the same comments could be made about the ‘attendance’ requirements for facilities under the Rail Transportation Security rule recently published by TSA. There will be other less obvious personnel requirements as facilities begin work on their site security plans. Security costs money. Security takes people. Take those two things together and the security guard companies are going to learn quickly to have ‘rail gate guards’ available cheap. They will be paid the same type of minimum wages that most unarmed guards are paid. They will have to have a little more training because of the federal rules, but not enough to make them highly paid positions.

Only Minor Changes to Hazmat Routing Appeal Rule

As I noted in Friday’s blog (see: “FRA Publishes Rail Hazmat Routing Appeal Rule”), the Federal Railroad Administration (FRA) published their final rule on how railroads may appeal an adverse decision of their hazmat rail shipment route selection. Since this was the shorter and less complicated of the two route selection rules published on Wednesday, November 26th, this was the first that I read through completely.

Background

Back on April 16th the FRA issued the NPRM for this rule. I did a very basic analysis of the NPRM in an earlier blog (see: “Appeal Procedures for Route Security Finding”) and looked at the limited number of comments (only 3) received in yet another blog (see: “Comments on Rail Security and Safety Rules – 6-16-08”). Finally, this rule is very dependent on a companion rule published on the same day by the Pipeline and Hazardous Material Safety Administration (see: “PHMSA Publishes Rail Routing Final Rule”).

Only Minor Changes in Rule

In the entire preamble to the final rule the FRA has identified only two editorial changes and no substantive changes in the rule. One of the editorial changes is the correction of an apparent typographical error (page 72197) in § 209.501(e)(2). This change removes a small amount of confusion in the wording of the regulation. The other change involves the description of the standard used in evaluating the hazmat rail routes (page 72195). The NPRM used the phrase “safest and most secure route”, but the interim final rule issued by the PHMSA for the actual route analysis process used the phrase “poses the least overall safety and security risk”. The FRA changed the wording in § 209.501(a), and elsewhere, to that used by PHMSA. This change is probably of interest only to potential litigants.

More Important Discussions in Preamble

More important than these editorial changes is the FRA discussion of the status of hazmat shippers and local jurisdictions in the appeal process. Comments made by Dow Chemical and the Mayo Clinic argued that shippers and local jurisdictions should be allowed to take part in the appeal process to protect their respective interests. The FRA maintains that they have no standing under the authorizing legislation (§1551 of the Implementing Recommendations of the 9/11 Commission Act of 2007 – PL 110-53), so they cannot be included in the regulations. The FRA also points out that any final actions under these regulations will take place only after the Assistant Administrator consults with the Surface Transportation Board (STB), which would have access to the information that would be provided by hazmat shippers or local jurisdictions. This would protect whatever limited interests those entities might have in the proceedings. For example, in the discussion of §201.509(c) on page 72197 the preamble states that:
“As stated above, FRA believes the detailed information that will be in the railroad carriers' analyses and input from the STB will be sufficient to protect shippers' interests, and that no separate provision for securing shippers' input is necessary.”
If the PHMSA takes a similar view in their final rule, which is quite likely, there are going to be a number of groups that will find these two rules unacceptable. Whether or not those groups will have the political clout to see these rules overturned by either the Obama administration or the 111th Congress remains to be seen. If not overturned politically, they will certainly be challenged in court.

Friday, November 28, 2008

FRA Publishes Rail Hazmat Routing Appeal Rule

On Wednesday the Federal Railroad Administration (FRA) published the final rule for procedures for appealing hazmat rail routing decisions by PHMSA. This rule goes into effect December 26th, 2008. I have not yet had a chance to read this rule, but if there are any significant changes between this final rule and the proposed rule issued earlier this year, I’ll address those changes in a future blog.

PHMSA Publishes Rail Routing Final Rule

On Wednesday the Pipeline and Hazardous Material Safety Administration (PHMSA) published the final rule on routing hazmat railroad shipments. This rule goes into effect December 26th, 2008. In upcoming blogs I will be taking a look at the differences, if any (I haven’t had a chance to read the rule yet), between this final rule and the interim final rule published earlier this summer.

TSA Rail Security Rule Published in Federal Register

Wednesday the TSA Rail Transportation Security Final Rule was finally published in the Federal Register. It becomes effective December 26th, 2008. I have been discussing some of the provisions of this rule in an on-going blog. The latest installment was published last week.

RBPS Guidance – Cyber Security Measures

This is another in a series of blog posts that looks at the recently released draft DHS guidance document for implementing the Risk-Based Performance Standards (RBPS) in site security plans (SSP) for high-risk chemical facilities. The RBPS are a key component of the Chemical Facility Anti-Terrorism Standards (CFATS). This post deals with the discussion of cyber security procedures in RBPS #8. Earlier blogs in this series include:

RBPS Guidance – Introduction
RBPS Guidance Shortcomings
RBPS Guidance – 18 Risk Based Performance Standards
RBPS Guidance – RBPS Metrics
RBPS Guidance – Physical Security Measures
RBPS Guidance – Security Procedures, Policies and Plans

A wide variety of cyber systems are used throughout the modern chemical facility. They may be used to control critical processes, provide access to critical areas or enable business systems to control shipments of chemicals of interest. The introduction to RBPS #8 maintains that protecting “against cyber sabotage of these systems is an essential component in managing overall risk for a facility” (page 74).

Security Measures

This performance standard identifies nine categories of policies and practices that may help a facility address the cyber security issue. Additional details about these security measures can be found in Appendix C to the Guidance. These categories are:
Security policy, Access control, Personnel security, Awareness and training, Monitoring and incident response, Disaster recovery and business continuity, System development and acquisition, Configuration management, and Audits

Security Policy

This security measure includes policies, plans and procedures that address how the facility will address cyber security concerns. It will include high-level corporate policy statements outlining the importance of cyber security. Plans and processes that lay out how the facility will achieve those policy goals form the intermediate level of documents in this area. It also encompasses those step-by-step procedures that employees will use in implementing those policy goals. Finally, it includes the designation of a ‘cyber security officer’ that will have responsibility for implementing the cyber security program for the facility.

A change management process for cyber systems is one of the most important parts of computer security. This process will outline “the steps an organization will take to request, evaluate, plan, implement, and measure the impact of a change to a system” (page 146). This will include a testing process that ensures that a change to one of the many components of the system does not adversely impact other components.

Access Control

This section of the RBPS leads security managers through the most complicated part of cyber security, controlling access to the critical cyber systems. This section discusses:
Defining System Boundaries
Managing External Connections
Controlling Remote Access and Rules of Behavior
Limiting Access via Least Privilege Rule
Password Management

The discussion of external connections in both RBPS #8 (pages 76-7) and Appendix C (page 147) is very important. Both point out that these connections include obvious connections like those to corporate cyber systems and the Internet. It is also noted that many systems are designed to automatically connect with outside servers for maintenance or system updates. Finally, the discussion looks at temporary physical connections to portable devices as well as wireless connections with cameras, sensors and controllers.

The discussion of Remote Access is limited to connections to outside systems initiated by users within the facility; accessing a wide variety of internet sites, for instance. While this is important, the discussion totally ignores the remote access situation where communication is initiated from outside of the facility boundaries. Many facilities allow managers and technical personnel to access the cyber system via laptop or other internet connected device. Additionally, many vendors include remote access in their system to allow updates to be fed to the system or allow remote maintenance. This portion of the remote access problem is completely ignored.

Personnel Security

Since personnel are a key component of any cyber system, managing personnel access to that system is an important part of cyber security. While this was briefly discussed in Access Control, there is a much more detailed discussion provided under this heading in both RBPS #8 and Appendix C. These discussions include:
Separating Role Based Access Rights
Providing Individual User Accounts
Managing Changing Roles
Managing External Service Providers
Maintaining Access Control Lists
Managing Physical Access

Managing ‘Changing Roles’ is the changing of access controls for individuals undergoing adverse personnel actions. The discussion in Appendix C (pages 149-50) notes that for “all employees who have departed under adverse circumstances, however, it is recommended that all access rights (both physical and electronic) be revoked by close of business the same day”. Just as important is reviewing and adjusting the access rights for employees that have undergone adverse personnel actions short of dismissal. These personnel may harbor grudges just as strong as those being dismissed, but they still retain physical access to critical systems. This requires close coordination between Human Resources, IT security and all supervisory personnel.

Monitoring and incident response

This section includes a brief discussion of cyber intrusion detection systems as a tool for monitoring networks. Since these are automated systems it is important that the cyber security plan includes a requirement for review of the logged events. There is a brief discussion of the need for reporting ‘security events’ to management and the DHS United States Computer Emergency Readiness Team (US-CERT), though there is no discussion of what constitutes a security event.

There is a brief discussion, both in RBPS #3 (page 79) and in Appendix C (page 151), about watchdog systems or Safety Instrumented Systems. They both note that these systems had been mostly stand-alone systems with no connections to other cyber systems; this made them relatively safe from cyber attack. The Guidance document notes that there has been a move lately in the control system community to link these systems with facility control systems. When this is done a special effort must be taken to protect these safety critical systems.

Configuration management

The discussion of configuration management in RBPS #8 (pg 80) is rather light. The discussion in Appendix C (pages 152-3) is more detailed. It covers the need for maintaining an inventory of cyber assets and requiring a business justification for each of the assets and applications. There is also a brief discussion of the need for maintaining the system with regular patches and updates. This is also recommended in the earlier section dealing with anti-virus software.

There is, unfortunately, only a single sentence of discussion of how the updates to one system might interfere with other systems on the network. Appendix C (page 153) notes that the “complex nature of systems and networks occasionally introduces secondary vulnerabilities in an attempt to remedy another”. There is no accompanying discussion of testing updates and patches before implementing them on the system.

Remaining Areas

None of the remaining discussions of security measures are likely to provide useful information to a cyber security novice or provide much guidance to a professional. The resources listing provided at the end of the discussion in Appendix C (pages 155-6) provides a number of interesting sources, but none of them deal specifically with control systems. At the very least the North American Electric Reliability Corp (NERC) Critical Infrastructure Protection (CIP) standards for cyber systems (CIP-002-1 thru CIP-009-1) should be included in this reference section.

Monday, November 24, 2008

Waxman v. Dingell Aftermath

The replacement of Chairman Dingell with Congressman Waxman (D, Cal) at the head of the House Energy and Commerce Committee puts a certain amount of uncertainty in the minds of other members of that committee. In particular, many of the sub-committee chairs that were allied with the Chairman are beginning to wonder if they will retain their positions. One such chair is Mr. Gene Green (D, Tx), who chairs the subcommittee on Environment and Hazardous Materials.

Congressman Green has been proactive in his attempt to retain his chairmanship, which he received just this year. He took over when Chairman Wynn resigned to become a lobbyist. Green has been talking with Chairman Waxman, Speaker Pelosi and all of the Democratic members of the committee about his continued chairmanship. According to reports he has been telling people that he has an aggressive agenda that he wants to pursue in the 111th Congress.

One of the items on his agenda is to ‘strengthen security for chemical plants’. His subcommittee did hold one hearing in the last session on chemical facility security. That hearing, on June 12th, was supposed to look at HR 5533 and HR 5577, the two competing bills to extend the authorization of the current CFATS regulations (see: “House Subcommittee Hearing on HR 5533 and HR 5577”). It will be interesting to see how aggressive he is on chemical facility security, especially since there are a number of large chemical facilities in his district.

PHMSA HAZMAT Security Rule Comments – 11-21-08

While the comment period was closed last week on this rule, a number of new comments were posted to the Regulations.gov web site this week. Of the eleven comments received this week only two were from the special effects community and one of those was from a manufacturer. The commenters were:

Utility Solid Waste Activities Group
National Association of Chemical Distributors
William Dawson (special effects operator)
Association of Hazmat Shippers
National Paint & Coatings Association
Council on Safe Transportation of Hazardous Articles
The Cotton Warehouse Association of America
Brent Bell
Dangerous Goods Advisory Council
Air Lines Pilots Association, International
Nuclear Energy Institute

Association of Hazmat Shippers Comments

The AHS generally supports the proposed rule. They would like to see the wording of ‘3000 liters or more’ changed to the more common UN wording of ‘greater than 3000 liters’. They believe the current wording unintentionally brings IBCs (intermediate bulk containers) under the regulation. They would also like to see the wording of §172.802 changed to include words like ‘pertinent’, ‘appropriate’, or ‘significant’ in the description of ‘site-specific’ or ‘location-specific’ elements of the security plan.

National Association of Chemical Distributors Comments

The NACD generally supports the proposed rule. They would like to see PHMSA and TSA use identical lists of security sensitive hazardous materials (SSHM). This would make it less confusing for the regulated community to comply with both sets of HAZMAT shipping regulations. The NACD has ‘grave concerns’ about the requirement to include route specific assessments. They note that many of the carriers do not have set routes for their deliveries and this would be an unreasonable burden to place on those carriers.

Dangerous Goods Advisory Council Comments

The DGAC does not think that small quantities of Division 1.4 explosives, Division 2.2 gasses that are oxidizers (except oxygen) or Class 3 desensitized explosives should be regulated under this rule. Further, it objects to the coverage of Division 4.3 PG II or PG III, Division 5.1 PG II liquids, Organic peroxides Type B, Division 6.1 PG 1 other than TIH, and small quantities of Division 6.1 TIH materials. DGAC objects to the requirement for risk assessments for specific routes as being impractical due to the daily route variations of most carriers. DGAC would also like to see a separate document used for the risk assessment and believes that a generic risk assessment “similar to the generic plan PHMSA provided on its website for farmers” would be appropriate in many instances.

Brent Bell Comments

Mr. Bell is the vice-president of BellFX, LLC, a company that provides Class 1.4 and 4.1 product to the special effects market. His company self-ships some of their products but as much as 70% ships next day delivery via common carrier in less than placardable quantities. He expects that those shipments would not be accepted if the proposed rule is passed and that would drive his company out of business.

National Paint & Coatings Association Comments

The NPCA objects to the inclusion of Class 3 and Class 8 paint materials (PG III) in the list of regulated items due to their low risk as potential terrorist targets. They would also like clarification that Class 3 combustible materials and high temperature materials are exempted from coverage. They would also like to see TSA and PHMSA harmonize their approach to security requirements. They would also like to see the requirement for position specific requirements in the security plan changed to just department specific listing of requirements.

The Cotton Warehouse Association of America Comments

The CWAA supports the decision of PHMSA to remove all Class 9 materials from the list of materials requiring security planning.

Air Lines Pilots Association, International Comments

The ALPA supports the provisions of the rule. They particularly support the increased specificity of the training requirements.

Utility Solid Waste Activities Group Comments

The USWAG objects to the annual review requirements for security plans, noting that reviewing the plans only when there are significant changes that affect those plans is more reasonable. They also object to the 90 day requirement to retrain all employees after a change in the security plan; they believe that the re-training requirement should be limited to employees directly affected by the change. The USWAG requests clarification about anhydrous ammonia shipments. Since this material is typically shipped as a Division 2.2 material it does not appear to be covered, though this is clearly not the intent of the rule. They would also like clarification of how facilities are affected that come under this regulation because of an unplanned or unexpected requirement to ship listed HAZMAT, particularly one-time shipments.

Council on Safe Transportation of Hazardous Articles Comments

The COSTHA agrees with the ATA’s and IME’s submitted comments that PHMSA needs to define a quantity “that could be reasonably used in a mass-casualty terrorist activity” instead of using an ‘any quantity’ provision. The COSTHA objects specifically to the ‘any quantity’ provisions for Division 4.3 and 6.1, PG I materials when “materials meeting both these classifications are readily available through commercial distributors or retail outlets in non-bulk packagings”. The COSTHA notes the confusion expressed by IME about the term ‘desensitized explosives’ and suggests that PHMSA include a UN number listing of materials that it intends to be covered by that term. The COSTHA suggests that PHMSA include provisions in this rule that exempt a carrier from provisions of the rule when the shipper does not notify the carrier that the material is covered.

Nuclear Energy Institute Comments

The NEI notes that there is one minor difference between the NRC rules and the proposed rule; PHMSA includes coverage of ‘the 3000 A2 in a single package of Class 7 material’. NEI notes that this is not a significant difference except that the industry will have different requirements for the two agencies and this may lead to some confusion. NEI would like to see a single agency setting the shipping security requirements to avoid such confusion.

My Comments on Comments

As I noted in last week’s blog on this rule (see: “PHMSA HAZMAT Security Rule Comments – 11-14-08”), it is disappointing to see such a large number of last minute comments from industry. I continue to be disappointed in the lack of comments from a variety of public interest groups. While I do not always agree with some of their agendas or specific ideas, I do think that it is important that as wide a variety of opinions and ideas as possible should be included in the rule making process.

I would like to applaud two commenters among those listed in today’s blog: ALPA and CWAA. Both of these organizations took the time to prepare and send positive comments without suggestions for changes. The hard working bureaucrats (not a contradiction in terms despite popular opinion) that prepare these rules need to be told when they get things right.

HAZMAT Enhanced Enforcement Rule Comments – 11-21-08

As I noted in early October, PHMSA issued a notice of proposed rule making (NPRM) for Enhanced Enforcement Rules for HAZMAT Shipments. While there was one comment posted early in the comment period, it wasn’t until this last week that a significant number of comments were received. Comments were received from:

Ameriflight, LLC
National Association of Retail Ship Centers
UPS

In addition to these corporate comments there were a number of form letter comments from operators of retail ship centers, supporting the comments made by their national association. Those comments were submitted by:

Jim Brown
Michael Thompson
Chuck Stegman
Bruno Sartini
Juan J. Medel
Seth Essenfeld
Ron Hodges
Charles F. McEntee
Rajan L. Dorasami
Andrew Lange
Brad Mochel
Ira Jacobson
Charles V. Costa
William F. Schweiss
Pat O’Sullivan
Paul T. Newport
Carolyn C. Bream

Ameriflight, LLC Comments

Ameriflight provides cargo feeder flights for companies such as UPS, DHL and Federal Express. They expressed concerns with delays to their tightly scheduled flights while waiting for an inspector to open, inspect and re-close packages for shipment; this is especially critical for shipments containing Class 7 radioactive samples for medical use. They also note that they would not be able to accept packages for shipment that had been incorrectly closed or that lacked security seals. Finally, they want to be assured that the FAA will accept financial responsibility for claims for high value items ‘missing’ from opened shipments.

National Association of Retail Ship Centers

The NARSC represents thousands of retail shipment centers that serve as drop off locations for carriers such as UPS, DHL and FedEx. They note that these independently operated businesses would be adversely impacted by provisions of this rule. First, they note that they would be financially responsible for delays due to the federal regulator opening packages. Second, they note that they are prohibited by contract from shipping hazmat, so they would be unable to comply with directions to do so made by federal regulators finding hazmat materials in packages at their facility. In most cases they would be prohibited by lease or zoning regulations from holding any such hazmat material at their locations.

UPS Comments

UPS would like to see some of the definitions in the rule modified to make them clearer and more specific. For example, they would like the definition of ‘agent’ modified to explicitly state that it applies only to Federal officers, not state officers. UPS pointed out that the proposed wording of §109.3(b)(4)(ii) restricting the agent’s authority to open just outer packagings makes the unwarranted assumption that there will be inner packaging. They proposed wording that would provide legal authority to open packagings that turned out not to have inner packagings.

UPS is concerned about the wording of §109.3(b)(5) about preparing the package for re-entry into transportation. UPS believes that the Federal agent that opened the package should be solely responsible for re-closing the package and preparing it for re-entry into transportation. This will relieve the carrier of any financial responsibility for claims of loss or damage related to the opening of the package.

My Comments on Comments

The comments from all three of the corporate responses seem to raise legitimate issues that need to be addressed in the final rule. What is interesting is the level of assistance each of the comments provides to PHMSA in modifying the rule. The Ameriflight comments only point out problems with the proposed rule. The NARSC comments point out problems and provide general direction on how some of those problems might be addressed. UPS identifies specific problems and provides specific solutions, including proposed wording changes.

Now I am sure that PHMSA will give each of the comments the attention required. However, the comments that suggest specific changes are more likely to get adopted in a manner that addresses commenter’s concerns. Even if PHMSA agrees with the commenter’s concerns, they may not ‘adequately’ address those concerns in a manner that will solve the commenter’s actual problem with the proposed rule.

Letter Writing Campaigns

It is not unusual for organizations to conduct letter writing campaigns in support of a particular stance on legislation or rule making. These can be as simple as providing a post card for members to sign and send to the responsible entity, or as sophisticated as outlining the issues involved and suggesting that members write letters explaining how those issues will affect them.

I have seen no studies done on the effectiveness of these campaigns, but it would seem to me that the more sophisticated the campaign, the more effective it should be. This would be especially true when the campaign is addressed to a regulatory agency rather than a legislative body. Post card campaigns, for instance, are seldom read; they are just tallied. Numbers of comments are really only important to people that run for election. Even then the numbers must be very large to be effective.

The letter writing campaign being conducted by the NARSC seems to be a little more sophisticated than the post card effort, but not much. The wording of most of the letters is practically identical. I am sure that PHMSA will deal with them in much the same way as I have. They will glance at them, determine that they are part of the campaign, and put them in an appropriate file.

Campaigns like the one conducted by the special effects industry on the hazmat security procedure rule are more effective since each letter is different and must be read to be categorized. A number of the letter writers identified new issues with the rule that would need to be addressed in the rule making process.

The effectiveness of any letter writing campaign is enhanced if a legislator or two can be brought into the process. The best example of this is the campaign that was conducted by the propane industry in response to the draft version of Appendix A to the CFATS regulations. The combination of individual letters and political pressure resulted in a significant revision of the proposed rule.

Reader Comments 11-21-08

Last Friday the ever present Anonymous left a comment about my blog (see: "New IST Report from Center for American Progress") concerning the recently released report from the Center for American Progress. Among other things, he took exception to one of the ‘goals’ of the CAP report, the one about utilizing the ‘experience and knowledge of facility employees’ in conducting SVAs and formulating SSPs.

Employee Involvement

His comment was that: “Many of the employees of these facilities have limited knowledge and experience with regards to REAL security.” I’ll go one better and state that, in my experience, almost no employees, hourly or salaried, had any significant knowledge or experience with security. The rare exception came to the job with security experience from the military. Does that mean that they should be excluded from the assessment and planning process? Absolutely not!

At the facilities where I worked, we always had one of the hourly workers sit in on all of the safety reviews. It wasn’t because of their superior knowledge of process safety; it was because of their superior knowledge of plant processes. The chemists and engineers certainly knew more about the safe limits of the process, but the workers knew more about how the operators actually did things and reacted to things. This knowledge was important to designing the process and writing the instructions that the operators would be required to execute. This is why safety reviews and process hazard analyses are always conducted by a team.

The problem will be worse, of course, for security assessments and security planning. Since essentially no one from the facility will have an adequate security background, the facility will have to rely on security professionals, either consultants or hired to staff. Those security professionals will not have anywhere near an adequate understanding of the process safety concerns that will play into the security plan. Worse, they will not talk the same language as the facility operational personnel.

As facility employees receive the necessary training and get hands-on experience with security processes this problem will ease. Facilities that use consultants for their security professionals will continue to have a language translation problem unless they establish a long-term relationship with their consultant to provide for an adequate learning curve. Facilities that hire staff security professionals will have a shorter learning curve and a better working relationship.

Robust Security Forces

Anonymous made another comment, almost in passing, which I think is very important and practically ignored in the recently released Draft Risk Based Performance Standard guidance document. He said that: “While the various companies might hire Wackenhut or similar security guard companies for onsite ‘security,’ what is needed for some of these Tier 1 facilities are real response and security forces similar to Nuclear Power Plant facilities.”

Tier 1 facilities, those that pose the highest risk of terrorist attack, are going to require more than a gate guard and security system monitors. There will have to be someone on site that is capable of intercepting and detaining armed intruders. This is going to require an armed security force, with all of the problems attendant to that situation. See my discussion at “Security Forces at Chemical Facilities – Sourcing Security”. Someone is going to have to take a hard look at what types of weapons can safely be used in an environment packed with flammable, toxic and/or explosive chemical compounds.

Anonymous

One personal note: I really like to hear from my readers. I want to see their comments and I enjoy hearing their points of view and ideas. Hopefully, so do my other readers. Having said that, I have to say that I really do not like names like ‘Anonymous’. I do understand that there are people that, for a variety of political or legal reasons, cannot make public comments about security matters. I would prefer that they contact me by email (PJCoyle@aol.com) rather than using a nom de guerre (I hope my French spelling is correct), but I realize that even that may not provide adequate deniability. Be forewarned, though, that I will be much more likely to delete an anonymous comment that is even borderline discourteous or malicious.

Friday, November 21, 2008

Lieberman Continues to Lead Senate Homeland Defense

With the political news yesterday about Mr. Waxman becoming Chairman Waxman and Gov. Napolitano becoming Secretary Napolitano, I kind of lost sight of the lack of change over at the Senate; Chairman Lieberman remains Chairman Lieberman. An interesting comment about that continuity was made by Rich Cooper over at SecurityDebrief.Adfero.com. He said:
“His ‘partnership’ with former Committee Chair and now Ranking Member Sen. Susan Collins of Maine in working these issues has also been a model of civility and cooperation that is rarely seen anywhere in Congress. I’m glad it will be around as we go through the beginning of the new Administration and its stewardship of the homeland.”
I might add that it is also a model for the cooperation and bipartisanship that has been promised by President-elect Obama. That the Senate Democrats agreed, at least on this issue, is a good sign for the potential of fulfilling that promise in the coming year.

Probable Head of Obama DHS Identified

A number of news sources yesterday identified Arizona Gov. Janet Napolitano as the probable appointee for Secretary of DHS in the new administration. Gov. Napolitano has experience dealing with border security issues as well as illegal immigration issues because of the problems along the Mexican border. Some commentators acknowledged her experience in that area, but questioned her experience dealing with a terrorist threat.

I’ll jump into that game, and complain that without a chemical engineering background she can’t understand chemical security issues. Or, being from a landlocked state, she can’t possibly deal with the variety of issues that face the Coast Guard. All of those are bogus concerns.

Let’s face it. DHS is an agency with such a wide mandate that there is no one that will have experience in dealing with all of the issues facing the agency. What is necessary for a successful Secretary is executive experience over a wide variety of agencies and departments. Say, someone like a governor. Experience with dealing with one of the major issues confronting the Department is a plus.

I might as well play another transition guessing game. Let’s look at the first picks that have been made for Cabinet level appointments, Attorney General, Health and Human Services and now DHS, not State, Defense, and Treasury as so many had predicted. Does this mean that the country is going to turn inwards and isolationist? Or does it mean that these were easy choices, being of little consequence? Or does it mean that these three picks are insiders with close ties to the campaign and/or Obama? Or does it mean that the spin jockeys in the transition team are first looking to get the ‘firsts’, first black AG, first woman DHS Secretary, out of the way so serious decisions can be made?

On the other hand, maybe we just ought to give the President-Elect a break and let him put his team together in peace. That would be a significant change.

Another IST Implementation – UV for Chlorine

The Center for American Progress report that I discussed in yesterday’s blog (see: “New IST Report from Center for American Progress”) brought out another story of IST implementation. This time it was the Central Valley Wastewater Treatment Facility in Salt Lake City, UT, one of the facilities that made the 101 Most Dangerous List. The facility made the list because it uses chlorine and anhydrous sulfur dioxide, both PIH chemicals.

Impetus for Change 

According to the Deseret News article, the general manager of the facility has always been aware of the dangers associated with chlorine. After the 2001 terrorist attacks he upped the security at the facility because of concerns about the stored chlorine being used as a weapon.

Cost of a UV Treatment System 

The utility first looked at substituting a UV treatment system for the chlorine gas treatment in 2003 when the facility made a similar ‘most dangerous list’ put out by “Environmental Defense” (sic). It wasn’t considered practical then because the new system would have cost $19 Million. Since then the cost of the system has come down to $3 Million. Installation and infrastructure is expected to add $5 Million to those costs, but they won’t know for sure until the project is put out for bidding early next year.

Time for Implementation 

The article does not make clear when the design work on the new UV system started, but it was just recently completed. The design has to be approved by the Utah Department of Health and the US EPA. Then, in January 2009 or so, it will be placed out for bid. All in all the utility expects to have the new system in operation by early 2010.

Complexities of IST Implementation

This is another example of how complicated it can be to implement a relatively straightforward IST project. I say ‘straightforward’ because the technology is available and most of the problems have been worked out in previous installations. Design and installation problems still have to be overcome, since each treatment facility is slightly different in layout and equipment. The other installation challenge is the fact that water and wastewater treatment plants cannot simply shut down for the installation of new equipment.

The new equipment has to be installed in parallel with the existing equipment. Frequently this is not practical or even possible in some cases due to space limitations at the current facility. In those cases it may require the construction of a completely new installation, adding to the cost. Finally, the old equipment cannot be removed until the installation is complete, running properly and certified.

This all needs to be taken into account when legislation requiring IST implementation is written. To be effective that legislation would have to require that an IST evaluation look into the possibility (not all chemical processes can be changed), practicality (simply moving the hazmat to another location is not necessarily inherently safer) and economic viability of the implementation. It must also provide a time frame for practical implementation. Only once that technical evaluation is made by the facility in question can the political decision be made to order an implementation.

Thursday, November 20, 2008

New IST Report from Center for American Progress

The Homeland Security Digital Library (note: name corrected 11-21-08, 0951) blog late yesterday afternoon noted that the Center for American Progress had released their latest report on chemical facility security, Chemistry 101. As in previous reports they note that a number of facilities in this country use hazardous chemicals that could be replaced by less hazardous chemicals. In particular they identify “the nation’s 101 most dangerous chemical facilities” and claim that most could “convert to safer and more secure chemicals or processes already being used by similar facilities”.

I have not had a chance to read the complete report so I cannot comment on the details of the claims, but the report’s Executive Summary does provide some compelling arguments. I particularly like the fact that they specifically do not claim that all of the facilities could convert to inherently safer technology (IST).

Comprehensive Chemical Security Program 

The report does call for Congress to enact a comprehensive chemical security program “rooted in identifying, developing, and leveraging the use of safer and more secure technologies”. They identify eight areas that this program should address:

· "Require chemical facilities to assess and use feasible alternatives that reduce the potential harm of a terrorist attack
· "Create financial incentives for facilities to convert by requiring liability insurance and targeting conversion funding to publicly owned facilities and first-adopters of innovative technologies
· "Invest in collaborative research to identify safer, more secure alternatives
· "Utilize the experience and knowledge of facility employees in security assessments, plans, and inspections
· "Build the oversight capacity of government agencies and require administrative transparency to hold those agencies accountable
· "Ensure equal enforcement of standards without special treatment for facilities in voluntary industry security programs
· "Include all relevant industries, in particular currently exempted water utilities
· "Respect the right of states to set more protective standards if federal actions won’t protect communities"

This list is more extensive than the one proposed by a number of special interest groups earlier this year (see: “Push for New Chemical Facility Security Law”). The list does not appear to be a radical new agenda, but it does go beyond what was included in the Chemical Facility Anti-Terrorism Act of 2008 (HR 5577) that died quietly in the current 110th Congress.

This report includes some ideas that will certainly meet with resistance from the chemical industry. We already know that the industry does not like mandatory IST. Liability insurance requirements and increased state regulations will not be popular either. They are also unlikely to support ‘administrative transparency’ that might make public the security measures, or lack thereof, at their facilities. This report is going to carry some weight in the new Obama administration. At least one commenter has noted that the Center for American Progress was founded by “John Podesta, who is co-chairman of President-elect Barack Obama's transition team”. What remains to be seen is the level of importance that the new President attaches to this type of legislation.

Public Relations Campaign 

The Center for American Progress appears to be quietly pushing this agenda. This report is listed, but not featured, on their web site, but today at least four newspapers (The Daily Record, The Courier Post, The Deseret News, and The News Journal) carried news articles discussing the report and local facilities named in the report. The chemical industry should take note. I predict that this is part of the opening salvo of a push by the new administration and a stronger Congress to enact stricter chemical security controls. I will also bet that this time next year, the industry will wish that it had backed HR 5577 in the current Congress. It would have been much easier to live with.

The Winner Is ….. Waxman

Just a quick follow-up to yesterday’s blog about the chairmanship of the House Energy and Commerce Committee in the 111th Congress (see: “Dingell/Waxman Battle and Chemical Security”). Both the Automotive News and Politico.com are reporting that Waxman (D, Cal) is the winner in a 137-122 vote in the caucus meeting today. Again, it is way too early to tell what this means for chemical security legislation. Generally speaking Mr. Waxman is more liberal than Mr. Dingell and much more interested in environmental issues. I expect that this will translate into more interest in IST, worker involvement, whistleblower protection, all things that were integral parts of the HR 5577 legislation that stalled in the Dingell-led committee.

TSA HAZMAT Security Awareness Training Evaluation

TSA published a notice in today’s Federal Register that it plans to collect training evaluation information from participants in a planned HAZMAT Security Awareness training program to be used by HAZMAT carriers and shippers. This notice is being issued to comply with an Office of Management and Budget (OMB) requirement to justify requesting that the public provide information to a government agency. According to the Federal Register notice “TSA plans to develop and distribute a security awareness/in-depth training program and will request voluntary feedback from hazmat motor carrier and shipper companies that elect to receive the training.”

TSA plans to offer this training program as a live, instructor-led program at various sites around the country. It will also make it available on CD and DVD for use in company training programs. Finally, it will be made available to the general public as a web-based training program. TSA plans to request user feedback in each of the formats. Personally identifiable information will not be part of the information request. Public comments on this information collection request (ICR) need to be submitted to TSA by January 20, 2009.

Rail Transportation Security – Rail Car Chain of Custody

This is another in a series of blogs that will look at the requirements of the recently released final rule on Rail Transportation Security. While the main focus of this regulation is directed at railroads, there are significant provisions (49 CFR part 1580, Subpart B) that will apply to a wide variety of chemical facilities that use railroad to ship or receive ‘specified quantities and types of hazardous materials’ {§1580.100(b)}. This blog deals with the provisions requiring covered chemical facilities to report significant security concerns to TSA. Earlier blogs in this series were:

· Rail Transportation Security – RSC Requirement
· Rail Transportation Security – Reporting Security Concerns

This final rule requires that receivers of specified hazmat that are located in an HTUA and all hazmat shippers of the same materials (regardless of their location) perform certain security related duties. These duties include producing and maintaining documentation of the transfer of responsibility of the rail cars to or from the rail carrier.

Hazmat Shipper Responsibilities

Section 1580.107(a) requires that shippers of designated hazmat must, for each hazmat rail car:

· Physically inspect the rail car before loading
· Keep the rail car in a rail secure area
· Document the transfer to the rail carrier

The purpose of the physical inspection is to detect evidence of tampering or “other signs that the security of the car may have been compromised” {§ 1580.107(a)(1)}. Additionally, the inspection is looking for suspicious or out-of-place items, including IEDs. According to the preamble to this final rule (page 84) TSA is in the process of completing a DVD that may be used to train people in “identifying IEDs and signs of rail car tampering”.

HTUA Hazmat Receiver Responsibilities

Section 1580.107(f) requires that within HTUAs receivers of specified hazmat must, for each hazmat rail car:

· Ensure that positive control of the hazmat rail car is maintained during the transfer
· Keep the rail car in a rail secure area until it is unloaded
· Document the transfer from the rail carrier

The requirement to ensure ‘positive control’ is placed on both the facility and the delivering rail carrier. The preamble states that “TSA intends that the receiver communicate with the railroad carrier and work in close cooperation to ensure the security of the rail car during the transfer process” (page 83).

Rail Secure Area

TSA does not provide a great deal of guidance on ‘Rail Secure Areas’. Section 1580.107(i) simply states that “The rail hazardous materials shipper and the rail hazardous materials receiver must use physical security measures to ensure that no unauthorized person gains access to the rail secure area.” Even as an operational definition or performance measure this is an inadequate definition. I know of no security professional that would claim that any physical security measure or combination of measures can ‘ensure that no unauthorized person gains access’ to a secure area. It will be extremely interesting to see how TSA enforces this requirement.

Document Hazmat Rail Car Transfer

Each time a rail car containing a specified hazmat moves from control of one entity to another (shipper to carrier, carrier to carrier, or carrier to receiver in HTUA) both parties to the transfer will independently document {§ 1580.107(k)(3)} the transfer, either electronically or in writing. That documentation will include:

· Car initial and number.
· Identification of individuals who attended the transfer.
· Location of transfer.
· Date and time the transfer was completed.

Regulatory Exemptions

Unlike the CFATS regulations there are no statutory exemptions to this rule. There are provisions in the rule {§ 1580.107(j)} for receivers within a HTUA to request an exemption from TSA from the change of custody requirements of this rule “if the receiver demonstrates that the potential risk from its activities is insufficient to warrant compliance”. The discussion in the preamble (pages 87-8) makes it clear that infrequent shipments are not an adequate justification for an exemption, explaining that the hazards associated with the specified “materials is significant even if a rail hazardous materials facility only receives a single carload each month”.

Wednesday, November 19, 2008

HS Information Network Advis Comm Teleconf 12-03-08

DHS announced today that the Homeland Security Information Network Advisory Committee (HSINAC) will be conducting a teleconference on December 3, 2008 at 2:00 p.m. EST. This is one in a series of teleconferences that the HSINAC will be conducting to discuss “implementation efforts associated with the Next Generation of the Homeland Security Information Network”. The Federal Register notice stated that members of the public “are welcome to monitor the meeting however, the number of teleconference lines is limited and available on a first-come, first-served basis”. The telephone number for the conference is 1-866-222-9044, and the PIN is 78982. The Homeland Security Information Network (HSIN) allows all states and major urban areas to collect and disseminate information between federal, state, and local agencies involved in combating terrorism.

Dingell/Waxman Battle and Chemical Security

There has been an ongoing political discussion on Politico.com about the attempt by Congressman Waxman to take over the chairmanship of the House Energy and Commerce Committee from Chairman Dingell. Today, for the first time, I have seen a discussion about how this might affect chemical facility security over on CQPolitics.com. Part of this discussion is driven by the failure of the Energy and Commerce Committee to report HR 5577 (or even HR 5533) to the House floor.

Now I have written extensively about this issue (see: “The Continuing Saga of CFATA” for my latest diatribe), but I do not know if this potential change in committee leadership would have any significant effect on chemical facility security legislation in the upcoming session. From the discussion in the CQPolitics.com article it doesn’t seem as if the chemical industry (or at least its representative organizations) knows either. The article quotes a SOCMA representative that thinks Waxman would support IST provisions while Dingell would continue to ‘listen to industry’. The American Chemistry Council representative, on the other hand, was not so sure.

In any case, the change will not take effect until January 6th when the 111th Congress meets for the first time. That means that this move will have no direct effect on HR 5577. I say ‘no direct effect’ for a specific reason. If Waxman is as ‘anti-industry’ as he has been made out to be, the chemical industry might find that the provisions of HR 5577 may not be as obnoxious as they thought. They might make a ‘conciliatory’ move to get HR 5577 to a floor vote to get it on the books and avoid a bill they might like even less in the incoming congress.

RBPS Guidance – Security Procedures, Policies and Plans

This is another in a series of blog posts that looks at the recently released draft DHS guidance document for implementing the Risk-Based Performance Standards (RBPS) in site security plans (SSP) for high-risk chemical facilities. The RBPS are a key component of the Chemical Facility Anti-Terrorism Standards (CFATS). This post deals with the discussion of security procedures, policies and plans found in Appendix C. Earlier blogs in this series include:

· RBPS Guidance – Introduction
· RBPS Guidance Shortcomings
· RBPS Guidance – 18 Risk Based Performance Standards
· RBPS Guidance – RBPS Metrics
· RBPS Guidance – Physical Security Measures

There are a number of different procedures, policies and plans that contribute to a comprehensive security plan. Individually they will detail how a facility will deal with a wide variety of security related tasks. The section in Appendix C (page 157) lists seven such tasks, or security measures:

(1) Inventory Controls/Product Stewardship;
(2) Managing Control Points;
(3) Screening;
(4) Personnel Surety (i.e., Background Checks);
(5) Exercises and Drills;
(6) Training; and
(7) Responding to Elevated Threat Levels

There is a short description of the task, a brief review of the security considerations affecting the task and a listing of the RBPS that they support. Finally there is a list of resources available on-line or in print for further information.

Inventory Control

Keeping track of the inventory of chemicals at a chemical facility and controlling the use of those chemicals is an important business process and a significant means of managing costs. At high-risk chemical facilities the application of those control procedures to chemicals of interest (COI) also forms an important part of the security procedures for facilities. This is especially true for theft/diversion COI. This is just about all that the discussion in Appendix C covers.

Managing Control Points

Managing control points is actually an extension of the perimeter barriers discussion under Physical Security Measures. Control points are those places where people are allowed through the facility or secure area perimeters. The bulk of the discussion in this section deals with controlling vehicles.

Screening

Screening is the process of identifying and inspecting people and vehicles that enter the facility at the designated control points. This section includes a discussion of the variety of types of personnel identification that might be used to control access to the facility including government issued ID, corporate issued ID or facility issued ID as well as identification techniques for vehicles authorized access to the facility. This section also includes a brief description of the search techniques that could be employed to search personnel and vehicles.

The discussion in this section is fairly extensive, but it does not provide much depth. There is no discussion of the pros and cons of the various techniques listed. Even in the ‘considerations’ section there is little more than a listing of physical and environmental factors that must be taken into consideration. That listing does not even sound as if it applies to the screening techniques listed. It sounds more like it should belong in the physical security section of Appendix C.

Personnel Surety

Without a doubt the most extensive and useful discussion in this section of Appendix C deals with background checks. This may be because “DHS believes personnel surety to be a key component of a successful chemical facility security program, with the level of screening commensurate with the access provided” (page 164). There is a detailed listing of the different types of background checks that can be done with a brief discussion of what each type requires in the way of personnel information and what information a facility might expect to obtain from that particular type of check.

The evaluation of data obtained from these checks is probably the most controversial aspect of the use of background checks. DHS provides (page 168) a listing of ‘anomalies’ that might be ‘significant’ if turned up in a background check. Just as importantly, they provide a listing of things to take into account when deciding what information justifies not allowing an employee to have unaccompanied access to sensitive areas of the facility.

The one thing that is lacking is a discussion of how a facility deals with an employee’s disagreement with ‘adverse information’ found on the background check. The discussion does not address the fact that none of these systems used for conducting checks is error free. Any personnel surety program needs to address how the facility will deal with allegations of incorrect information.

There is also a brief discussion about how a personnel surety program deals with visitors. The option of completing a background investigation is not practical or legal, but some level of vetting is required. Even though visitors will be escorted whenever they move through the facility, their business at the facility will still be verified before allowing them even escorted access.

Exercise and Drills

There is a very good discussion of how drills, exercises and tests are used in training and evaluating how teams will work together in a variety of emergency and security situations. What is missing is any kind of discussion on how drills, exercises and tests are designed and executed. Nor is there any discussion of how individual skill training fits into this picture.

Training

There is a very good discussion of how a facility training program should be tailored for both different categories of employees and for the risk ranking of the facility. The discussion includes a table (Table A-5, pgs 173-4) of ‘possible’ training requirements for the Site Security Officer (and assistant), Personnel with Security Responsibilities and everyone else. There is another table (Table A-6, pg 174) that shows a reasonable (but remember, not required) schedule for conducting training, drills and exercises.

Editorial Comments

‘Editorial’ in this case is not commentary, but comments by an editor. This section of Appendix C is poorly put together, with many entries put in the wrong place in the document. For example:

· The second paragraph under Managing Control Points (page 158, starting “Because control systems are not self-administering…”) belongs in the discussion of the Inventory Control Measures.
· The entire ‘Layered Security Measures’ section under ‘Security Considerations for Screening’ (page 162) has nothing to do with screening. It probably belongs with the earlier discussion under ‘Physical Security Measures’.
· The entire ‘Physical and Environmental Considerations’ section under ‘Security Considerations for Screening’ (page 162) belongs with the ‘Monitoring and Intrusion Detection’ section under ‘Physical Security Measures’, as does the entire ‘Command and Control’ section at the top of page 163.
· The entire ‘Training’ section should come before the ‘Drills and Exercise’ portion of the discussion since drills and exercises are an extension of the training as is made clear in the discussion.
· Under the heading of ‘Performance Standards Affected by Training’ on page 175 the sentence starting “The implementation of monitoring systems…” belongs under the ‘Monitoring’ discussion.

Finally, there is no discussion of ‘Responding to Elevated Threat Levels’ that was listed in the introduction to the ‘Security Procedures, Policies, and Plans’ section of Appendix C.

Tuesday, November 18, 2008

Security Rules Affect Court Case

There was an interesting physical security related court case reported on MLive.com last week. A judge threw out a felony trespassing charge because a required 100% fenced perimeter did not exist at the local power plant. The felony trespassing charge had been sought because the power plant was considered to be a ‘key facility’ by DHS. The Michigan law under which the charge was filed required that key facilities be completely enclosed by a physical barrier and an investigation showed a 15-foot gap between the perimeter fence and wetlands that apparently constituted part of the facility barrier.

Setting the Standards

There is nothing in the article that indicates that there was any actual suspicion that the defendant in the case was a terrorist. What is apparent is that the prosecutor, possibly at the behest of DHS and FBI personnel, wanted to make a point that key facilities are protected above what is normally expected of the run of the mill industrial facility, that even simple trespassing was treated as a major offense.

Unfortunately, the inadequate security infrastructure belies that stance. The facility operator and the state regulators (there are no federal rules about physical security at power plants, apparently) obviously do not take physical security seriously. The 15-foot gap is inexcusable and even relying on wetlands as part of a personnel barrier is questionable.

Prosecution Backfired

The notoriety associated with this failed prosecution (though as of the date of the article the decision to appeal the judge’s ruling had not yet been made) actually decreases the security of this and similar facilities. First it points out a glaring security failure at this particular facility. Fortunately, that can be corrected fairly easily, and (hopefully) is being done as I write this blog.

More importantly it points out a systemic problem with security generally. There are many security rules and guidelines in place throughout this country as a result of the increased awareness of potential terrorist attacks. What is lacking is a systematic enforcement effort. Simply legislating standards does not ensure that they are followed. There must be an education and enforcement effort to make sure that the legislated standards are actually adhered to.

Lesson to Learn

There are a couple of reasons that OSHA and EPA have done so poorly in preventing industrial and environmental accidents. First is that they do not have enough people on the ground checking on how well facilities have implemented the rules currently on the books. Second they have done a poor job of training their covered facilities in what is actually required. Both of these failures can be traced back to lack of Congressional funding for an adequate workforce.

Unfortunately, it seems that Congress is duplicating these problems with security legislation. TSA is proud of their 100 railroad security inspectors, but really, what can 100 inspectors accomplish? How often will they get to each rail safe area to ensure that there are adequate physical security measures to protect the hazmat rail cars from attack or even vandalism? How many hand-offs of hazmat rail cars will they observe to ensure that the railroads follow the appropriate security procedures? Not nearly enough by anyone’s measure.

How many inspectors will DHS have to inspect/assist the 7,000 high-risk chemical facilities currently identified under the CFATS rules? Each facility is going to require at least two visits just to get the Site Security Plan approval process complete, and that is if everything is done correctly the first time. I’ll bet that the number of inspectors will be well short of what is required.

Rail Transportation Security – Reporting Security Concerns

This is another in a series of blogs that will look at the requirements of the recently released final rule on Rail Transportation Security. While the main focus of this regulation is directed at railroads, there are significant provisions (49 CFR part 1580, Subpart B) that will apply to a wide variety of chemical facilities that use railroads to ship or receive ‘specified quantities and types of hazardous materials’. This blog deals with the provisions requiring covered chemical facilities to report significant security concerns to TSA. Earlier blogs in this series were:

· Rail Transportation Security – RSC Requirement

The new rail transportation security rule {49 CFR § 1580.105(b)} requires that covered facilities (hazmat shippers and hazmat receivers in HTUA shipping/receiving PIH chemicals by rail) “must immediately report potential threats and significant security concerns to DHS by telephoning the Freedom Center at 703-563-3240 or 1-877-456-8722”.

Potential Threats or Significant Security Concerns

Section 1580.105(c) provides an extensive list (nine separate entries) of activities or incidents that need to be reported to the Freedom Center. Some items on the list are easy to understand, like ‘bomb threats’. Others are rather vague, like “Suspicious activity occurring onboard a train or inside the facility of a freight railroad carrier, rail hazardous materials shipper, or rail hazardous materials receiver that results in a disruption of operations.” TSA acknowledges that the wording of many of the listed activities is vague. On page 66 of the preamble to the rule TSA explains that:
“These requirements will provide information to the appropriate authorities, allowing their timely intervention to an attack or its preparation. Detecting activities that may compromise transportation security entails piecing together seemingly unrelated incidents or observations and conducting analysis in context with information from other sources. However, as the threat environment is dynamic and indicators of incident planning and preparation can change, TSA cannot provide a threshold for reportable events or a specific definition.”
This is a problem common to all intelligence analysis operations. Trying to define in advance what information will be important in identifying an opponent’s intentions is nearly impossible. The trick is to acquire as much information as is possible and then let the analysts sort it out. Inevitably this means that much of the information captured will have no use in the analysis because it will not pertain to the actual opponent, but it is always better to have too much information than not enough.

Reporting Format

In the Army we trained every soldier to use the acronym SALUTE to remember to report the Size, Activity, Location, Unit, Time, and Equipment observed every time that they reported enemy activity. TSA has not yet gotten that sophisticated; in Section 1580.105(d) they provide a list of eight different items that they want included in their reports.

As you would expect in a rail security rule, most of the information that TSA is interested in seeing in the report is details about the railroad involvement in the incident. They want to know the carrier name, the rail line/siding, and the rail car identification. TSA also wants to know the name of the facility and the point of contact for the incident, to include a telephone number or email where the POC can be reached for the inevitable questions. Finally, TSA wants as many details as possible about the incident.

Covered facilities should consider making up a blank reporting template. It should include the two Freedom Center phone numbers (703-563-3240 or 1-877-456-8722) and blanks for each of the information requirements listed in §1580.105(d). This would make it easier to organize information in a coherent manner. It would also help to prompt the reporter to take a second look at the incident to gather as much detail as possible before making the phone call. Finally, it would serve as a written record of the information provided to the Freedom Center.
Immediately Report Incidents

Immediately is one of those tricky terms that everyone thinks they understand. From the discussion provided in the preamble to the final rule, it is clear that reviewers of the NPRM thought that it could mean anything from before calling the police to call within 12 hours. TSA refused to set a specific time standard, but did indicate that a call to 911 would probably take precedence, but not much else. Here is the way it was described in the preamble to the final rule (page 61):
“TSA recognizes that, in some cases, notifying the local first responders to address a threat or consequences in the immediate aftermath of an incident takes precedence over notifying TSA because of the need to protect lives or property. In these cases, regulated entities should notify TSA simultaneously or as soon as possible after notifying 911 or other first responders.”
TSA maintains that promptly receiving these reports is an integral factor in meeting its legal responsibility to assess and coordinate government response to threats against transportation. The preamble notes (page 61) that prompt “notification enables TSA to help coordinate the Federal response, including actions to be taken at the State and local levels, and provides TSA with the situational awareness needed to make the appropriate assessments on the National and local levels.”

Monday, November 17, 2008

RBPS Guidance – Physical Security Measures

This is another in a series of blog posts that looks at the recently released draft DHS guidance document for implementing the Risk-Based Performance Standards (RBPS) in site security plans (SSP) for high-risk chemical facilities. The RBPS are a key component of the Chemical Facility Anti-Terrorism Standards (CFATS). This post deals with the discussion of physical security measures found in Appendix C. Earlier blogs in this series include:

· RBPS Guidance – Introduction
· RBPS Guidance Shortcomings
· RBPS Guidance – 18 Risk Based Performance Standards
· RBPS Guidance – RBPS Metrics

Physical security measures are discussed in various levels of detail in a variety of RBPS; in particular, RBPS 1 thru 4 contain some significant discussion on physical security measures. Since physical security measures affect all RBPS to some extent, the authors of the Guidance document elected to place a more detailed discussion of those measures in Appendix C.

Appendix C to Draft RBPS Guidance Document

The introduction to Appendix C (page 131), which also addresses cyber security and security procedures, reiterates a comment seen throughout the Guidance documents, that “no single measure, policy, or procedure listed below will alone satisfy the security needs of a facility”. The introduction also contains, yet again, a §550 inspired disclaimer that each facility is free “to include any measures they think appropriate to demonstrate compliance with the RBPS in their Site Security Plans (SSP)”.

The authors of Appendix C note that physical security measures “are most useful for reducing the risks of direct, physical attacks against the facility”. The discussion looks at four main types of physical security measures:
· Perimeter Barriers
· Monitoring and Intrusion Detection Systems
· Security Lighting
· Protective Forces
The first three physical security measures are discussed in some detail, with examples of different measures, equipment and techniques available. There is also a brief discussion of the various security considerations that must be weighed when employing that type of security measure. Finally, each section includes a reference list of on-line and print resources that can be used to further explore the subject. There is also a general physical security measure resource list at the end of the discussion.

Perimeter Barriers

The physical security measure that gets the most attention in Appendix C is the use of perimeter barriers. The introductory discussion notes that perimeter barriers can act as both a physical and a psychological barrier to unauthorized entry to the facility. It describes four general uses for perimeter barriers:
· Controlling vehicular and pedestrian access
· Providing channeling to facility entry-control points
· Delaying forced entry
· Protecting critical assets
The perimeter barrier discussion looks at a variety of manmade and natural barriers. It provides a brief discussion of a large number of barrier systems and how they can be used to stop human and vehicle penetration of the facility perimeter. The addition of line drawings or pictures would have made those descriptions more valuable.

Monitoring and Intrusion Detection Systems

The next physical security measure discussed deals with monitoring. The two sentence introduction provides the most succinct description of monitoring in a physical security context that I have ever seen. It is worth quoting in its brief entirety (page 138):
“Security events are monitored through a combination of human oversight and a variety of technical sensors interfaced with electronic entry-control devices, remote surveillance imagery, and alarm reporting displays. When an event of interest to security is identified, it is either assessed directly by sending persons to that location or remotely assessed by personnel evaluating sensor inputs and surveillance imagery.”
The discussion of video monitoring is very brief and cursory. John Honovich has provided a much more extensive discussion in his eBook (see: “Video Surveillance Book – 2nd Edition”) which should be included in the reference section. The discussion of intrusion detection systems is much more useful.

Security Lighting

The security lighting section of the physical security measures discussion is relatively short. There is a brief discussion of the importance of adequate lighting for a variety of monitoring systems. The discussion of security considerations for security lighting is also short but comprehensive, identifying many of the relevant issues.

Protective Forces Discussion

The discussion of the last physical security measure, Protective Forces, is very poorly developed. This is probably because of the many controversies associated with the employment of security forces. Earlier this year I did a series of blogs (see: “Security Forces at Chemical Facilities – Sourcing Security”) that describes some of those controversies. The Appendix C discussion completely avoids the issues and, as a result, provides almost no information. Finally, there are no resources provided for a more detailed discussion of protective forces. This is, without a doubt, the least developed discussion in the entire draft RBPS Guidance document.

PHMSA HAZMAT Security Rule Comments – 11-14-08

This week saw the end of the comment period for this NPRM and six comments were posted on the Regulations.Gov web site. That means that this should be the last blog that I do on the comments. The six comments were submitted by:

· National Tank Truck Carriers, Inc
· Dow Chemical Company
· Full Scale Effects
· Tassilo Baur
· National Association of SARA Title III Program Officials
· Compressed Gas Association

Special Effects Industry Comments

We have two comments from the special effects industry this week, Full Scale Effects and Tassilo Baur. Once again they object to the ‘any amount’ requirement for Division 1.4 explosives. The letter from Thomas M Craven, Operations Manager, Full Scale Effects brings up some new information that I had not seen in the previous industry letters.

First he notes that there are only two suppliers of the pyrotechnic devices used by the special effects industry. I find it curious that neither of them has posted a comment to this regulation.

Second, he takes issue with the PHMSA assertion that “while the proposed rule would apply to a substantial number of small entities, it will not have a significant economic impact on those small entities” (page 52569). Actually, what the PHMSA discussion was about was the negligible benefit received by the approximately 10,000 small businesses that would benefit by no longer being covered by the current regulations. PHMSA fails to note that any small entities would be adversely affected by the proposed rule.

Finally, he proposes that small quantities (e.g. 25 lbs for Division 1.4 explosives) be allowed to be shipped ‘next day’ without falling under the security provisions of this NPRM. He notes that this “would expose the product to theft for the least amount of time and limit the amount that could be stolen at any one time”.
National Tank Truck Carriers, Inc Comments

The NTTC agrees with the comments submitted by the American Trucking Association and specifically objects to two provisions of the current NPRM, “route specific security analyses and security plan updates”. The NTTC notes that it is not practical to conduct a route specific security analysis because there really is no such thing as a fixed route for truck transported materials. Exigencies of the moment caused by traffic, construction and weather (for example) routinely cause truck drivers to change the route to their destination.

The NTTC objects to the language in the preamble to the NPRM (page 52567) that includes “acquisitions, mergers, operating rights, materials transported, expanded or reduced service levels” as ‘changing circumstance’ that would require revision of the security plan. They would, however, support the actual wording of §172.802(c) if it included the qualification that the ‘changing circumstances’ would “render a significant aspect of the security plan deficient”.

Dow Chemical Company Comments

Dow presents a detailed discussion on a number of areas. Those areas include:
· Regulated material must be quantified above “any quantity”
· Shipment of residual material must be exempted
· PHMSA should expressly note that risks and security measures will vary by mode
· HAZMAT employees need access only to the need-to-know elements of the security plan and not to the security risk assessment
· “Site-specific” and “location-specific” are not appropriate terms for transportation security risk assessments
· The specific security criteria must be defined between offeror and transporter
· PHMSA should clarify that a corporate security assessment and plan satisfies the requirements of the subpart
· PHMSA should ensure consistency with other federal regulations
· PHMSA should facilitate identification of materials subject to Security Plan requirements
National Association of SARA Title III Program Officials Comments

This organization takes exception to the requirement for route security assessments without a requirement to consult with “local emergency planners, law enforcement or fire departments”. They suggest that a new §172.802 (b)(4) be added to require that the security plan includes a certification that security risks were evaluated in consultation with local emergency planners, law enforcement and fire departments.

Compressed Gas Association Comments

The CGA recommends that cryogenic Oxygen be removed from the list of chemicals that require shipment security plans. They note that, other than the cryogenic hazard, there is typically no direct hazard from an oxygen release. They provide a copy of a magazine article from 1989 describing an attack with small arms and a light anti-tank weapon (M72 LAW) on an oxygen storage tank to support their contention.

My Comments on Comments

First I want to note that there appear to be a large number of comments that were submitted on this docket that were not published on the Regulations.Gov web site. There are provisions for submitters to request that their submission be kept from public view IAW 49 CFR part 105. This allows for trade secrets, confidential commercial information and sensitive security information to be kept confidential. However, a news release by the National Association of Chemical Distributors notes that they filed comments on November 11th and they were not available on the site by close of business November 14th. Nor have I seen the comments submitted by the American Trucking Association referenced in the National Tank Carriers comments.

As is fairly usual, the bulk of the comments by large industry commenters are filed at or near the close of the comment period. A part of the reason is the fact that a large organization needs more time to get its comments organized, reviewed and approved.
I also suspect that it is an attempt to restrict the time for counter comments by special interest groups and others ‘opposing industry interests’.

The Dow Chemical comments on the different security assessment and plan requirements for shippers and carriers need to be addressed more completely in the proposed regulations. The shipper cannot accurately assess and/or address the en route security risks associated with the hazmat shipment. The carrier will, likewise, not be able to accurately assess the security of the loading or unloading operations. The regulations need to more completely address the different roles of the shipper, the carrier and the receiver, as well as the change of custody between each. A good example of how this might be done would be the current final rule on Rail Transportation Security recently published by the TSA (see: “DHS Announces Final Rule on Railroad Security Standards”).

One thing that large hazmat shippers like Dow might want to consider is including suggested security procedures for bulk unloading operations in their product stewardship documents. I have seen the detailed information that these large companies include for safe unloading requirements. They should do something similar for security.

Future of the Rule

It will be interesting to see how this rule is handled during the transition to the Obama administration. PHMSA will almost certainly not have time to publish the final rule before January 20th. The Obama campaign had very little to say about chemical security (to be fair, neither did the McCain campaign), nor has there been much comment from Congress or the variety of special interest groups that would be expected to have an opinion and some level of influence in the new administration.

The one comment from the SARA Title III organization does show what types of suggestions I would have expected to see from some of the groups that have been vocal on other chemical security issues.
I have seen no comments about routing bulk shipments of PIH chemicals away from HTUAs, or about requiring the involvement of truck drivers and other front line workers in the security planning process, or comments about whistleblower protections. All of these could have easily been included in this regulation.

This is one of the regulations where we will get a good chance to see how the new administration is going to address homeland security issues. Personally, I think that this rule should be approved essentially as is (except do away with the ‘any quantity’ wording and set some sort of reasonable minimum quantity for each covered material). It has taken more than two years to get this regulation this far. Then the new administration could set about improving the regulation.

There are alternative possibilities. The new administration could completely scrap the rule making process completed to date and start with a completely new ANPRM. Or it could take all or part of the process accomplished to date and re-write the present NPRM. Of the two, I would prefer to see the latter, if for no other reason than it would speed up the process of improving the current regulations.

Major Change to Change.gov Web Site – Update 11-17-08

I’m not sure exactly when the ‘Agenda’ pages went back up on the Change.gov website, but I did find the Homeland Security page back at the same URL that it was at last week when I wrote my original blog (see: “Office of the President-Elect”). The page looks the same as the one I reported on in that blog. The page is slightly harder to get to because you have to click on the ‘MORE ISSUES’ link under the Agenda section of the home page to find the complete list of issue pages. This certainly does not seem to be an anti-change conspiracy like some people have alluded to (see: “Major Change to Change.gov Web Site”).

DHS CSAT FAQ Page Update – 11-14-08

Last week DHS updated two questions on the CSAT FAQ page. They dealt with Tiering and Top Screen Navigation and Troubleshooting. The two questions were:
· 1363: I have completed the Top-Screen and submitted it to DHS, but I discovered that I need to make some changes to the information I submitted. How can I do this?
· 1606: I recently received an e-mail telling me there is a CSAT letter available for me to access and print. How do I go about accessing this letter?
The answers to both of these questions provided some interesting information, so we will review both answers in some depth.

Top Screen Revision

The answer to this question is very similar to the answer provided to FAQ #1406, but there is a slight difference in the wording of the question. FAQ #1406 reads “If have already submitted a Top Screen and later determine that I need to re-submit, what do I do?” Now I may be reading more into the difference in wording than DHS intended, but FAQ #1363 seems to address correcting an error in the submission while #1406 deals with a material change in the facility status.

If I am correct in my interpretation, this marks a subtle change in DHS policy. The CSAT web page has always maintained that once “a Top-Screen has been completed and submitted, it cannot be recalled and edited”. The apparent reason for this is that once a Top Screen is submitted it automatically begins the internal evaluation process that leads to the preliminary determination of whether a facility is a high-risk facility and its preliminary tier level. Trying to catch this evaluation in process and change any of the data would be impractical at best.

I doubt that DHS has made any substantial changes in the evaluation process. What I do think has probably happened is that the Top Screen submission rate has slowed enough (to the ‘normal’ maintenance rate) that DHS no longer fears that multiple submissions to correct relatively minor errors will clog up the system. DHS would still prefer that facilities adequately check their Top Screen for errors before submission, so there would be no announcement of a change in policy.

Practically speaking, I suspect that the original and the changed submission will still both go through the evaluation process. There is a remote possibility that a changed submission submitted quickly enough might result in the status notification for the initial submission being caught before it is transmitted to the facility.
What is more likely is that a notification letter/email for both submissions would probably be sent to the facility. Since a facility would have no way of knowing which submission the notification letter would refer to, it must assume that any letter received is the ‘correct’ status and act accordingly.

CSAT Notification Letters

DHS will send the Submitter an email notifying the facility that the CSAT notification letter is available on-line. A submitter might not be able to access this letter on the CSAT system for a couple of reasons, both dealing with the Chemical-Terrorism Vulnerability Information (CVI) training status of the Submitter.

Completion of the on-line CVI training is not required to access the Top Screen submission tool on CSAT. This is because it is expected that a significant majority of facilities submitting a Top Screen will not be judged to be a high-risk facility. Facilities that are not at high-risk for a terrorist attack are not subject to the CVI rules, so the training is not necessary.

Facilities that receive a high-risk facility notification letter are covered facilities under the CFATS regulations, so they must comply with the CVI requirements. The notification letter is one of the documents that are automatically considered CVI and thus requires protection. So before the Submitter can access the letter, the CVI training must be completed and the training status associated with the Submitter’s User Name.
 