Saturday, February 28, 2009

Questions About Security

ControlGlobal.com is preparing an article on cyber security for their April issue of their Control magazine. On their blog they asked for some help from their readers. They are looking for some feed back on two questions:
How much security do you need to be really secure? What’s the difference between "compliance" and "security"?
They would like to have as many responses as possible by March 4, 2009. Responses can be sent to Nancy Bartels, nbartels@putman.net. I have already sent my response. I urge all of my readers to think about these two questions and help out the people at ControlGlobal.com; they are one of the few publications that really addresses control system security issues on an ongoing basis.

HR 1187 Status – 02-25-09

On February 25th, Rep Rodney Frelinghuysen (R. NJ) introduced HR 1187, the Smarter Funding for All of America’s Homeland Security Act of 2009. The bill would authorize the Secretary of DHS to make grants to first responders, establish an Advisory Council on First Responders, make modifications to the Homeland Security Advisory System, require reports on information sharing with State and local governments, and require a study of the spectrum needs for first responders. The bill was assigned to the Homeland Security Committee with additional assignments to the Committees on Transportation and Infrastructure, the Judiciary, and Energy and Commerce for the areas under their jurisdictions. First Responder Grants This legislation would add §802, Faster and Smarter Funding for First Responders, to Subtitle A of Title VIII of the Homeland Security Act of 2002. The grants made under this section would be in addition to any existing first responder grant program. It would establish a State and Regional First Responder Grant Program through the Office for State and Local Government Coordination. The grants would be targeted at specific risks identified by the Under Secretary for Information Analysis and Infrastructure Protection. Section 802(e)(2) establishes the ten categories of threats that will be used to establish the risk requirement for this grant. The categories include such things as threats against the water supply, food supply and energy supply. Interestingly threats against high-risk chemical facilities are not a listed category; though they would probably fall under one of the listed categories. Grants may not be made under this section unless “unless the Under Secretary identifies a specific vulnerability that is subject to a present or analytically projected threat of an act of terrorism” {§ 802(e)(4)}. Advisory Council on First Responders The bill would also add §803, establishing the Advisory Council on First Responders. The Council would advise the Secretary on the “need for a Federal standard with respect to any particular first responder equipment or training” and other areas of the Department’s missions that would enhance the capabilities of first responders. The Council would meet at least quarterly. Homeland Security Advisory System Section 210F would be added to Subtitle A of title II of the Homeland Security Act of 2002 requiring changes to the Homeland Security Advisory System. It would require that any threat level or warning will be “accompanied by a designation of the geographic regions and economic sectors to which the designation applies.” It would also require the Secretary to make an annual, unclassified-report to Congress explaining the basis for the region specific and sector specific warnings issued in the previous year. Information Sharing Subtitle I of title VIII of the Homeland Security Act of 2002 would be amended by adding § 899a requiring an annual report from the Secretary to Congress on the issue of security clearances requested by, and issued to, members of State and local governments to allow for the sharing of classified information. First Responder Spectrum Needs The final section of this legislation would require the Secretary to conduct a study to determine if there was a need to assign additional communication spectra to first responders to meet their “their needs associated with a catastrophic regional or national emergency”. The Secretary would be required to report to Congress the results of such a study within 180 days of the enactment of this legislation.

Friday, February 27, 2009

Reader Comments – 02-26-09

Yesterday a reader, Roger Helbig, left two comments about an earlier blog on the dead Nazi-wannabe that apparently was trying to make a dirty bomb with depleted uranium. He correctly pointed out that the original story has been updated to reflect that the depleted uranium is not radioactive enough to be considered a component for a dirty bomb. As I noted in a personal reply to Roger, I really am aware that depleted uranium is only slightly radioactive; that is why it is called depleted. It is much less dangerous than the glow-in-the-dark ‘EXIT’ signs that were recently in the news. Unfortunately, if this wacko had constructed a bomb with this material and then detonated it in a public place it would almost certainly have been treated like a dirty bomb, especially if there had been the obligatory propaganda release associated with the blast. The public would have insisted on a ‘thorough’ clean up of the ‘radioactive’ contamination so that they could avoid ‘radiation sickness’; all of this even though there would be probably more danger for an annual dental x-ray. All we have to do is look at the press reaction to the 5-gal containers of chlorine gas that were used in Iraq to contaminate car-bomb scenes. Again, there was little risk from the small amount of chlorine, but it complicated the response and made great publicity. I do want to clarify one of my points in my earlier blog. The ‘radioactive’ cloud that I discussed that would result from a detonating ‘dirty bomb’ at a high-risk chemical plant would require material much more radioactive than depleted uranium if it were to be measurable much past the facility fence line.

Control System Connections

A blog earlier this week over on ControlGlobal.com points out how hard it is for facilities to ensure that there control networks are not subject to off-site access. Joe Weiss reports on a Distributech webinar on the new Smart Grid technology to improve the reliability of the electrical grid. While the SCADA systems for the electrical grid are not the same as those for chemical manufacturing facilities, they do share the growing vulnerability of connections to systems outside of the facility gates. These outside connections allow for the potential attack on the control systems without physical penetration of the facility perimeter or insider complicity; obviously making them something to be avoided. Except that the latest technology discussed for addition to Smart Grid technology is the use of Blue tooth connections to elements system to allow for remote diagnostics. While this makes the control system tech’s job of system maintenance easier it also increases the ease of hacking the system to gain control. If this technology is being offered for electric control systems, the most closely regulated systems in the United States, it will not be long before it finds its way into SCADA systems at high-risk chemical facilities, increasing the risks there even more.

HR 1105 Update – 02-27-09

Just a quick follow-up report on yesterday’s blog about HR 1105, the Omnibus Appropriations Act, 2009. I noted that there were supposed to be additional funds for DHS in the new spending bill for the portions of the government that were funded by a continuing resolution last fall (DHS was specifically funded for FY2009 in the Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009). Last night I had a chance to review the 1123 page document and can confirm that DHS did get additional money, but there was nothing in the bill that related to chemical security issues. There is lots of pork and some surprising policy provisions, but nothing to do with the subject of this blog. I will keep an eye on this as it runs through the Senate and the inevitable conference to see if anything is added that will affect chemical security issues.

Thursday, February 26, 2009

HR 1105 Status – 02-25-09

The House passed HR 1105, the Omnibus Appropriations Act, 2009, yesterday by a vote of 245 to 178. This bill was supposed to take up the appropriations for those departments not included in the appropriations bill passed last fall. The DHS appropriations were included in the earlier bill, but I have heard that there were some additional funds for DHS included in this bill. I have not had a chance to scan through this bill looking for DHS monies yet.

Problems with Secrecy

One of the problems that a number of advocacy groups have been complaining about since the government started talking about protecting high-risk chemical facilities from potential terrorist attacks has actually happened. According to an article on WVGazeete.com the Bayer plant in West Virginia has, at least temporarily, stopped the Chemical Safety Board from discussing their investigation of an August 2008 explosion at that facility by invoking the information security requirements of the Maritime Transportation Security Act (MTSA). These advocacy groups have warned that chemical facilities would use these security provisions to stop from disclosing information vital to residents near such facilities. While it may seem odd that a facility in West Virginia may be covered by the provisions of the MTSA, they do apparently ship or receive chemicals by river barge, so they must be on a navigable waterway. That certainly qualifies them for MTSA coverage. The CSB has not yet said that they will not discuss their investigation. At this point, in an abundance of caution, they have postponed their standard review of the progress of their investigation with the local community. They are looking into the Bayer claims of ‘national security’ protection of the information included the CSB investigation with their lawyers and are probably discussing the matter with the Coast Guard (the action agency for the MTSA) and DHS. I do not know what information that the CSB might be intending to disclose, nor am I familiar enough with the information security requirements of the MTSA, to offer an opinion on the validity of the Bayer claims. I do not believe that if the claims had been made under the CFATS CVI rules that they would have had any legitimacy unless the CSB were going to specifically discuss security rules. I hope that Secretary Napolitano and the Obama Administration side with the Chemical Safety Board and allow the CSB to share their information with the affected community of Charleston, WV. To stop any potential for confusion with CVI, Congress should in their reauthorization of CFATS specifically include provisions that information provided to the CSB in their investigation of an accident at a high-risk chemical facility should be exempted from the public disclosure provisions of the CVI rules.

Reader Comment – 2-25-09

While I have stated on many occasions that I like receiving comments from readers, I was severely disappointed with a comment that was posted yesterday. The comment was directed at an earlier commenter and included a personal attack. What made it worse was that the poster hid behind the name Anonymous. The Use of ‘Anonymous’ Now I realize that there are many readers that would not feel comfortable signing their real names to comments posted on this site. I know that there are people from DHS that read this blog and many would not want their name appearing on the site or their connection with DHS. I respect that, I spent 15 years working for the government. Even employees in the private sector might not want their names appearing with their comments. I would prefer that my readers show a little bit of creativity and, if they want to remain nameless, come up with a handle that can be used on this site so that we can track their ideas. But, if you want to use ‘Anonymous’, so be it. Having said that hiding behind the ‘Anonymous’ tag and making a personal attack marks everyone that uses that handle in the future. That is certainly not acceptable. Anyone that uses that tag needs to make sure that they use it in a professional manner. No Personal Attacks I would like to think that this is a blog for professionals. As such there is no place for including personal attacks in the discussion. Admittedly I have slipped close to that line on a couple of occasions, questioning the motives of some readers. But, I have never come close to making the kind of attack made by this reader. This is not a moderated blog; you do not have to be a member to post a comment. It is, however, my blog, with my name and reputation on the line. I reserve the right to edit or remove comments that I find offensive or think that my readers might find offensive. With 15 years in the US Army Infantry, there is very little that I find personally offensive, but I will not tolerate personal attacks on my readers. As a blog owner I have two options. I can remove an offending comment or I can let it stand. The first option has its drawbacks; it can be seen as a move to stifle an exchange of ideas, especially if readers have not seen the offending comment. And the third option, do nothing, is always as offensive as the comment. In this case I will let the comment remain. It is far enough in the past that most readers will never see the reader comment. And, I hope that this issue will not come up in the future.

Wednesday, February 25, 2009

Reader Comment – 02-24-09

Anonymous left a comment about my blog on a proposal for IST legislation. His comments, in their entirety are shown below:

“The trouble with putting IST security reviews on a slower timeline than conventional security assessments is that you have to know what you need to protect before you can decide how to protect it. Why spend $ millions on permanent security measures that are soon made obsolete through implementation of IST? IST reviews should take place first as a matter of efficiency.”

 This is certainly a common argument for doing the IST review first. Unfortunately, it assumes three things: first that the IST review will result in a process/chemical change, second that there are no threats against the facility in the meantime and finally that developing the site security plan is costly. There are inherent problems with all three assumptions.

Cost of Site Security Plans 

We’ll start with the last assumption, the high cost of site security plans. The development of a site security plan is separate from the implementation of that plan. When DHS roles-out their site security plan and gives a facility 90 days to complete that plan, they are not going to be requiring that all of the security measures are complete and in place. They fully expect that a number of the measures outlined in the plan will take time and money to implement.

What they will be looking for is a plan forward on these expensive, and time consuming capital projects. Secondly, the cost of implementing the security plan is an integral part of the IST evaluation. An IST implementation plan that costs $2 M may seem unreasonable and an unjustifiable business expense. If that implementation obviates the need for a $3 M security plan, the plan becomes a lot more plausible.

Now Anonymous is certainly correct that it makes no economic sense for a facility to put into place a high-cost capital project to protect a chlorine storage tank that might be replaced by an IST project. The legislation could easily take this into account by allowing facilities to identify and defer implementation of security measures that are dedicated to the protection of the PIH assets at the facility while they continue to work on the other layers of protection required under CFATS.

IST Implementation is Not Inevitable 

Just because there appears at first glance to be a process or chemical that can be readily substituted for a PIH COI does not mean that it is economically feasible to make the substitution. In fact there may be engineering reasons that would make the substitution impracticable. Many advocacy groups in their pro-IST arguments point to the use of chlorine gas in water treatment and waste water treatment as the most obvious case where a less hazardous chemical or process could be substituted for an admittedly dangerous PIH chemical.

In his testimony before the House Subcommittee on Environment and Hazardous Materials, Brad Coffey, Water Treatment Manager, Metropolitan Water District of Southern California, provides an excellent description of the process that organization went through to do their IST analysis for ridding their multiple facilities of chlorine gas. As a result of their analysis many of their facilities did switch, but it was not practical to do so for their largest water treatment facility.

 Interestingly, Mr Coffey noted that immediately after 9/11 they recognized that the security situation had significantly changed and they implemented security arrangements to protect their PIH targets. They even went to the extent of employing armed guards to protect their rail cars of chlorine gas.

Facility Protection During Implementation 

Even when an IST review determines that a project is feasible and practical there is going to be a long period of time before it can be implemented. The Central Valley Wastewater Treatment Facility in Utah is a case in point. In a November, 2008 newspaper report the facility manager, Reed Fisher, noted that his facility had just completed a design for a UV system to replace their chlorine gas system. He expected to put the system out for bid this last January and have it in running in 2010.

Assuming that it took six months to determine that the process was now doable and design the system (a conservative estimate if I ever made one) it would still be two years from the start to finish on this project. And the whole time there would be railcars of chlorine gas or chlorine gas storage tanks sitting there as a target. At high-risk facilities other than water treatment facilities, the time to implement an IST project could be even longer.

Because of quality issues and customer requirements the time frame could be extended by years. In the specialty chemical business where I used to work it often took as long as a year to get approvals to substitute the same chemical from a cheaper supplier. It could take years to develop the new manufacturing processes, complete the requisite testing and gain customer approval for substituting a safer chemical.

 Again, the whole time that the IST review and implementation process is running the facility is a high-risk chemical facility. Facilities with multiple COI, including one or more PIH COI, are likely to remain on the high-risk facility list after their IST project is approved and implemented. As high-risk facilities, they still need to be protected.

Run IST Review and SVA/SSP in Parallel

 To properly protect the surrounding community, and that is what we are really talking about here, the SVA and SSP process needs to be completed while the IST review is taking place. The legislation should require that an IST review start when the facility with a PIH COI is give the preliminary designation of a Tier 1/2 high-risk facility. By the time the SSP submission is required the facility should have a preliminary idea of whether the IST has a chance of being implanted.

 The SSP tool should include a series of questions about the status of the IST project. If there is a substantial probability that the IST will go forward, then DHS should allow a deferment of some of the most expensive security measures pending final determination on the IST question. If there is a low probability or a long lead time for implementing the IST, all security measures should be required to be implemented.

S&T Communications Development

More about the DHS ‘table top’ exercise that is being “designed to facilitate and accelerate the delivery of critical infrastructure protection technologies”. In my earlier blog I finished with a discussion of how we used a what-if review to analyze the things that can go wrong with a new or revised chemical process. And I promised to explain how that ties into this DHS ‘table top’ exercise. Well, here goes, with a little side trip through the US Army Berlin in the ‘70s. War Story Back many years ago when I was a young sergeant in a mortar platoon we got a new company commander in our unit. Shortly after his arrival we had one of those periodic games that a peace-time Army likes to play, a load-out alert. It really was nothing more than an emergency response drill with weapons and camouflage. The call came in and we loaded up all of our combat equipment and parked the vehicles outside the gate, ready for inspection. The new commander did not like how well his new company performed on this alert. He thought we were confused, disorganized and above all, too slow. He was sure that ‘his’ company should be able to get the vehicles rolling out the gate in 30 minutes instead of the almost two-hours it actually took us. All it would take would be a little training. The first thing he did was hold a training session with the leaders of each platoon; the platoon leader, platoon sergeant and each squad leader. We went over in detail what needed to happen to get our platoon loaded out and in the assembly area. At each step along the way he would explain a requirement and we would work out how to make it happen in the most efficient way possible. For example, getting vehicles to the platoon bay to load them up. Assigned drivers need to pick up the vehicles from the motor pool. Oops, all of the assigned drivers lived off post and it would take them twenty minutes to get there. Okay, assign a person who lived in the barracks to get the vehicle. Oops, the vehicle keys were locked in the Platoon Sergeant’s desk and it took him 15 minutes to get there (he lived closer). Okay, give a key to the desk to one of the sergeants (me) who lived in the barracks; no better make that a copy to each of the sergeants who lived in the barracks. After doing that for each of the tasks involved in loading out the platoon, we did a walk through with whole platoon, explaining what each person was supposed to do along the way. After we went through it a couple of times and everyone understood we went back to the barracks and pretended it was early in the morning and did a slow run through. And then repeated that a couple more times. Two weeks later when they called the next load-out alert we made it out the gate in 20 minutes. Table Top Exercises So we have two completely different types of process development that used many of the same techniques. The most important was the sit down in a room and talk about the process in a step-by-step sequence. This allowed a variety of people who would look at the process from their separate perspectives to point out the things that would work and would not work. The input from these collective viewpoints would allow most of the real time problems to be avoided. This is the purpose of any table top exercise. It is used to familiarize personnel with the procedure and work out the kinks in the procedure in an atmosphere where there is no time pressure or safety considerations distracting people from finding an effective way to get things done. Science and Technology (S&T) Division The S&T Division of DHS has the responsibility for developing tools and techniques to protect the homeland. They are there to help solve the problems that crop up in trying to protect the critical infrastructure and key resources (CIKR) that have been identified as being important in maintaining the ‘American Way of Life’. They cannot, however, be everywhere and see everything needed to identify those problems. They must rely on a wide variety of stakeholder in the Federal, State and local governments and the private sector to identify those problems. Anyone that has ever done any serious problems solving knows that the hardest part is defining the problem. It gets even more complicated when someone else is defining the problem; communications issues cause additional complications. This is the primary challenge that S&T faces in developing procedures for taking problems from other agencies, levels of government and the private sector and converting those problems into innovative tools and techniques to solve those problems. This is the Game According to Leslie Sibick, Chief, Research and Development Project Office at the DHS Infrastructure Information Collection Division this is the process that the ‘table-top’ exercise is supposed to help develop. Their ‘little game’ will put potential consumers of S&T Division services around a table and provide them with a game ‘scenario’. They will then work through the situation, trying to identify problems where the S&T Division can provide assistance. Then they will work through the S&T procedures for submitting that problem. Both the Infrastructure Information Collection and the S&T Divisions hope that this will help their private sector customers understand the areas where the S&T Division can provide assistance and how to request that assistance. S&T should also get at least a couple of issues on which they can start to work. But, more importantly, it will allow S&T to refine their problem identification and information collection process. That is what this game is all about. Anyone in the Nuclear, Chemical, and Dams Sectors that may be interested in participating in this exercise should contact Amy Graydon at amy.graydon@hq.dhs.gov.

Tuesday, February 24, 2009

2009 National Infrastructure Protection Plan Released

A blog at HSDL.org reported Friday that DHS had released the new version of the National Infrastructure Protection Plan (NIPP). The NIPP provides a strategy for managing and reducing the risks to the nation’s critical infrastructure and key resources (CIKR) from a “from a complex mix of manmade and naturally occurring threats and hazards”. The 2009 version of the NIPP replaces the 2006 version. The draft of this document was published in November, 2008 with the public comment period ending on December 1st. Only five comments were received in the two week comment period. The complex subject and the bureaucratic language made the draft so hard to read that I was surprised to see that many comments. It does not appear that there were any substantive improvements to the writing style in the final version. I highly recommend this document as a substitute for harsh chemical sleep aids.

Monday, February 23, 2009

CFATS Reauthorization Bill in May

Last Friday GovExec.com reported that staffers from the House Homeland Security Committee were saying that a bill for the reauthorization of the CFATS regulations is scheduled to be marked up in committee before the end of May recess. They report that there is close coordination between the Homeland Security Committee and the House Energy and Commerce Committee to try to develop a single bill that can be marked-up by both committees. The GovExec.com article claims that IST provisions are still under discussion for this new bill that would otherwise re-authorize the current chemical facility security program.

DHS Exercise of SandT Communications

Last month I read a short little piece on the ACC website about a ‘table-top’ exercise that DHS was going to be putting on in early March. Now DHS sponsors all sorts of exercises and drills, but this one sounded a little bit different because of the purpose. This exercise would be “designed to facilitate and accelerate the delivery of critical infrastructure protection technologies”. Needless to say, my interest was peaked. Since that piece came out, I have been trying, in fits and starts, to get some more information, some details about how this ‘table-top exercise’ was going to fulfill its designed goal. Well on Friday, I finally had a chance to talk to one of the people that is responsible for this ‘little game’, Leslie Sibick, Chief, Research and Development Project Office, and it was an interesting telephone conversation, well worth the wait. Drills and Exercises Before I get to the details of what I learned in that conversation, I think that it would be appropriate to take a look at why we use drills and exercises. Most readers of this blog will have at least a passing familiarity with emergency response drills. A typical emergency response exercise will physically simulate an incident that could happen at a facility. Then the people involved will exercise their pre-planned response to that simulated emergency. A variety of people and response agencies can take part in the drill, but essentially everyone is going to do in the drill what they would do in the actual situation. Generally we think of these drills as training or evaluation exercises. The people involved will have some level of familiarity with the tasks involved; they know what they are supposed to do; they just need practice so that they can do it effectively in the event the incident ever really happens. Before these emergency response drills can take place, however, some one must determine what everyone is supposed to do. Some one must decide that if this happens, this should be done; it should be done by this person or group, it should be done using this equipment and using these procedures. Due consideration must be made for missing people and equipment and for responses for a whole host of things that can go wrong. The more detailed this planning is done in advance, the smoother the training goes, and the smoother the drill or exercise goes. Process Development Essentially what we are talking about here is process development, developing the process for responding to an emergency incident. Now process development is something that I know a lot about, it is what I did for most of my career in the chemical industry. I developed refined and improved chemical manufacturing processes. I became quite good at it and I understand the process of process development. Developing a process, any process, starts out with an idea of how to accomplish a task. That initial idea usually comes from the mind of a single individual. Now one thing that I have learned in my life is that no successful process comes from the mind of just one person. The reason for that is simple, life is too complex for any one person to conceive of all of the things that can happen to make a process go wrong. Now, the next most important thing about process development that I have learned I learned before I ever set foot in a chemical production facility. I learned this, had it pounded into my head, in my first career as an Infantry NCO. The military has a rule that is familiar to every successful general and sergeant; no plan survives contact with the enemy. It means that no matter how well you plan, no matter how well you train, when it comes time to actually put that plan into action something over which you have no control will cause you to change your plan. Experimental Development Now in the chemical industry we dealt with that problem by conducting a series of experiments. The experiments would start out small in the laboratory. We would look at all of the things that we though could go wrong; temperature too high or too low, too much of one ingredient or another. The more complex the process, or the more unique the process the more experiments were done. As we successfully found all the things that could go wrong, and how to prevent or correct them, we would scale up the experiments to a larger size container. We started with small scale glassware experiments and then moved into 1-liter reaction vessels that more closely simulated the process equipment that we would use in production. Then we would scale-up to 20-liter vessels and then 2000-liter vessels. Then we would move into production scale equipment. At each step along the way there was a formal review of what had been done, what had been learned in the previous experiments. As the scale increased the number of people involved in the review process increased as did the formality of the review. This was because the number of people involved in conducting the experiments would increase, but also because the risk and the cost of the experiments would increase. Process Reviews The most intense and practical reviews were the process safety reviews. A team of experienced individuals from a variety of different disciplines in the facility would get together and review each individual step of the process and ask a series of what if questions; what if the temperature got too high, what if the wrong material were added. If the answer was some negative consequence, ranging from a bad product to a vessel exploding, a control or preventive action had to be developed to stop that from happening. DHS’ Little Game Well, what does that have to do with this little game that DHS has developed to “to facilitate and accelerate the delivery of critical infrastructure protection technologies”? To find that out, you are going to have to tune in to the next installment: S&T Communications Development.

Writing IST Legislation

As I have mentioned on a couple of different occasions, I believe that there is going to be a major push to include a mandatory IST provision in the legislation that will continue the authorization of the current CFATS regulations. It doesn’t take any great insight or a crystal ball to make that claim; a number of safety and environmental advocacy groups have made it perfectly clear that that is one of their major objectives for this legislative session. It is also fairly clear that there are sufficient votes in the House Homeland Security Committee to approve legislation containing mandatory IST provision; HR 5577 passed easily last year. It is likely that there will be sufficient votes for it to pass in the House as well.

The Senate is a much closer call, but I think that a properly crafted bill with adequate protections of industry from a capricious DHS will garner support from a key Senator, Sen. Collins (R, ME), the ranking member of the Senate Homeland Security Committee. That support may be enough to pass a cloture motion and then allow a Democratic majority to pass the bill. With this in mind, I think that it is important the chemical industry (the ACC and SOCMA in particular) to stop their absolute opposition to IST and work with Chairman Thompson to craft sensible and workable IST wording for the chemical facility security legislation that is sure to be introduced in the next couple of months. I have some suggestions for what that wording should include.

Stand Alone IST 

I think that including an IST requirement in the Site Security Plan (SSP) portion of the legislation is self-defeating. The IST provisions should be in a stand alone section of the legislation and subsequent regulations. The time requirement should run independently of the time limits for the CSAT process. There are a couple of reasons for this.

First, a realistic appraisal of all of the IST alternatives for a facility could take significantly more time than required to complete an SSP. If the SSP time standard were adhered to a sloppy and inevitably negative IST report would be the result. If the SSP time frame were extended to an adequate time for completing an IST evaluation, it would unnecessarily delay properly protecting the facility, especially if it was determined that no reasonable IST was available for that facility.

Second the facility will need to know what the alternative security cost would be for not completing a marginal IST project. The only way that they would be able to determine that is for the facility to have an approved SSP. That way the proper alternative cost can be accurately weighed into the equations. The final reason is that the implementation of IST could take a great deal of time depending on the construction requirements. The facility would need to have security procedures and equipment on hand for the higher-risk pre-IST conditions until the changes have been completely implemented and the ‘offending’ COI removed from the facility.

Limit Application of IST 

HR 5577 last year limited its IST provision to the ‘highest-risk facilities’ without adequately defining what that meant. I think that a more reasonable provision would be to require facilities with release toxic COI in Tiers 1 and 2 to conduct an IST evaluation for those COI. Other categories of COI would not be required to be evaluated for IST.

 It is true that there is no inherent reason that any high-risk chemical cannot have an IST alternative. However, a realistic appraisal of the situation would show that PIH chemicals in particular are attracting the political ire of the advocacy groups pushing for IST implementation. These chemicals would also be responsible, in the event of a successful terrorist attack, for the widest range of serious injuries and death. Restricting the mandatory IST provisions to just release toxic COI will undercut some of the industry opposition to IST since it will severely curtail the number of facilities that will face the prospect of implementing the IST provisions. Additionally, the facilities that will have to complete IST reviews will be the facilities that would be the hardest to defend not having done the review.

IST Evaluations 

Since the legislation would limit the mandatory IST review to just release toxic COI there are only two forms of IST that realistically need to be considered. The first is substituting a less hazardous chemical or process for the release toxic COI. The second alternative would be significantly reducing the inventory of the release toxic COI. Both alternatives would have to have some restrictions placed on them in the legislation. 

Substituting chemicals should not simply shift the toxic release hazard from one location to another. For example simply switching from chlorine to hypochlorite should not be allowed unless it can be shown that the manufacturing site for the hypochlorite would not be at increased risk because of a larger amount of chlorine used to make the hypochlorite.

Similarly, reducing the amount of the release toxic COI inventory by taking more frequent and smaller shipments would increase the risk of accidental release of, or attack on, the COI in transit. This does not increase the security or safety of the entire system.

Evaluating Evaluations 

One of the common complaints from industry is that they do not believe that ‘bureaucrats’ have the technical expertise to critically review an IST evaluation done by industry. On the other hand, advocacy groups would be quick to point out that not validating negative IST reviews would provide a wide open thoroughfare for industry to avoid making realistic changes to their processes. Both sides can point to a host of evidence to support their position.

The obvious solution to this impasse is to have a technical review done by technically qualified individuals. The legislation should require the National Academy of Sciences to establish an Inherently Safer Technology Process Review Board. This board would be funded by DHS and be charged with four overlapping missions:
Provide for a technical review of facility IST evaluations;
Identify areas of research that would support decreasing cost and increasing effectiveness of IST techniques;
Provide funding for and oversee such research; and
License the use of techniques developed in such research.
This technical review would serve to keep industry honest in conducting their site IST evaluation, it would help to identify technical roadblocks to IST implementation and help to clear those road blocks.

Moving Forward

The two sides of the IST debate have staked out their positions over the last year. Industry wants no part of government mandates for process change. Advocacy groups want government to regulate against the industrial use of PIH chemicals. At some point between those two positions lies a reasonable compromise that will allow the chemical industry to operate with a minimum of government interference while increasing the safety of communities around high-risk chemical facilities. The option described here provides a starting point for the discussions necessary to reach that compromise.

Friday, February 20, 2009

2009 Chemical Sector Security Summit

Yesterday DHS update their Chemical Sector Security Summit web page. They have announced the date of the 3rd Summit; June 29 – July 1, 2009. This year it will be held in Baltimore, MD. The key topics for this year’s summit will be:
Chemical security regulations Site security plan demonstrations Security exercise guidance Industry practices
Information about the exact location, reservations, and agenda will be coming out over the next couple of months.

Reader Comment – 02-20-09

Early this morning Anonymous posted a comment to yesterday’s blog about the role-out of the Site Security Plan Tool. Actually, the comment was signed “a federal 10 year DSO”; I believe the DSO refers to a Defense Security Officer. In any case the comment was an extensive rant against the current FPS (Federal Protective Service, the people that provide security services for Federal Buildings and property). I have little personal experience with this organization, but have seen some news reports that indicate that there are problems with the funding, staffing, and leadership of this organization. Unfortunately, all of this has little to do with security at high-risk chemical facilities. At least I have heard nothing of any intention by anyone to use the FPS or any other governmental security service to provide security at these facilities.

House HS Committee to Hear Sec. Napolitano

The House Homeland Security Committee announced yesterday afternoon that DHS Secretary Napolitano would be appearing before the Committee on Wednesday, 2-25-09 to discuss “DHS: The Path Forward”. No detailed agenda has been announced, but one could expect that some issues would be raised about the CFATS implementation schedule and future chemical facility security legislation.

Top Screen Fuels Page Update 02-17-09

Of all of the review/updates noted earlier this week on the DHS Chemical Security web site, I have only found one change. It was made to one of the two charts (.PDF files) used to explain the decision making process for determining reporting requirements for release-flammable COI on a Top Screen Submission. The page that changed dealt with flammable release COI in mixtures. A more detailed explanation was added to the chart in place of the examples of mixtures used in the previous version of the chart. The information that was removed was not very useful in explaining the flow chart. The new information does make the flow chart easier to understand.

ChemSecure Conference

The American Chemistry Council (ACC) is holding their annual ChemSecure Conference next month in Houston, TX. The three day conference (March 23 to 25, 2009) will look at a variety of regulatory actions that will affect the chemical industry. Topics of interest this year will include:
Implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) requirements for risk-based performance metrics and site security plans as well as what to expect from inspectors as they review the site plans, and ultimately evaluate your site for compliance; Legislative activities in Washington that are likely to impact the CFATS program including consideration of inherently safer technology; DHS efforts to harmonize requirements between the growing list of security related initiatives such as the new TSA rail security regulations, the MTSA and CFATS requirements; DHS and industry voluntary initiatives such as security metrics, voluntary site vulnerability assessments, VBIED trainings and the Chemical Security Assessment Center's efforts to improve DHS risk-assessments and modeling to make their assumptions more accurate on both the regulatory and voluntary initiatives.
Site Security Plan Information The conference will take place shortly after DHS releases the revised Risk-Based Performance Standard Guidance document and rolls out the Site Security Plan tool for CSAT. DHS representatives will provide information on site security plans and the inspection process. They will also discuss a variety of voluntary compliance programs that are available to facilities that are not covered by the CFATS process. Future Legislation There will be programs presented about a number of potential legislative efforts that might affect the chemical industry. This includes the re-authorization of CFATS and one entire session devoted to Inherently Safer Technology. More Information ACC has a brochure available on-line that provides more detailed information about this event. The line-up of presentations looks like this will be a very informative event. I’m looking forward to attending this year myself.

Thursday, February 19, 2009

Site Security Plan Preview

As we get closer to the DHS role-out of their Site Security Plan (SSP) tool on CSAT, I have been doing some thinking on how they might implement that tool and tie in the risk-based performance standards that must be fulfilled by that plan for high-risk facilities. For this to be a web based tool like the Top Screen or SVA tools on that site, it would seem improbable that that there would be room for the kind of book of procedures that one typically thinks of when they consider preparing a ‘plan’ for something as complex at a high-risk chemical facility. SSP Tool Design Looking at the Top Screen and SVA as the design precursors to the SSP tool it seems obvious that there will be a series of questions about the facility and the individual assets that were identified in the SVA. Sources tell me this is how it will be done and that most of these questions will be answered in a simple yes/no or check-off box. Again, this is the same type design that we saw in the earlier tools. Now I have not been able to find out what the questions will be yet, but anyone can make a reasonable guess as to the way the questions will go. For an example here would be how I would write some of the questions for RBPS #1 Restrict Area Perimeter: 1. Does the facility have a continuous antipersonnel perimeter barrier broken only by controlled access points? Y N (If no, go to question 2) All measurements are in feet. 1a. What is the length of the total perimeter? _______ 1b. What length of the perimeter has a public road adjacent to it? ______ 1c. What kinds of barriers are included in the perimeter barrier? Mark all appropriate responses. Chain-link fence ___ Length: ___ Height of Fence: ___ Top Guard? Y N Other wire fence ___ Length: ___ Height of Fence: ___ Top Guard? Y N Brick/concrete wall ___ Length: ___ Height of Wall: ___ Top Guard? Y N River/lake shoreline ___ Length 1d. What is the minimum cleared space outside of the barrier? ___ 1e. What is the minimum cleared space inside of the barrier? ___ 1f. What is the minimum distance from the barrier to any of the critical assets within the facility? ___ 1f. Is the perimeter barrier under continuous observation: Y N If yes skip to 1h. 1g. Is the perimeter barrier periodically checked? Y N Max length of time between checks (hours): _____ (Go to Question 2) 1h. What type of observation is used to continuously observe perimeter barrier? Fixed guard posts ___ Roving security guards ___ CCTV System ___ Other intrusion detection system ___ From this example you can tell that this will be a long and tedious document to prepare. The good part of it is that there will be little interpretation required and the answers lend themselves to automated review. This is important when there will be a limited number of people reviewing the 7,000+ SSP’s. Have it, Get it, Want it The most important questions will deal with what the facility currently has in place, but DHS is also going to want to know what the facility intends to do to improve their security. According to my sources, DHS will divide these future actions into two categories: those things that are being implemented (purchase order or budget line item) and those things planned for the future but not yet committed to. Security Contract The thing to remember about these SSP’s is that they are essentially going to be security contracts between the high-risk chemical facility and DHS. An agreement will be reached between DHS and the facility (with DHS having a superior bargaining position) as to what security measures will be applied at the facility. DHS will then use that agreement as the basis for future inspections and enforcement actions. It will remain in force until such time as the rules change or the facility changes (adds or subtracts) one or more of its chemicals of interest and resubmits a Top Screen to start the process all over again.

200 Cyber Security Experts

Joe Weis had an interesting blog over on ControlGlobal.com yesterday. He had a brief report about NERC forming a team called Hydra. This would be a network of 200 electric-utility cyber-security subject matter experts (SME) that would be used to respond quickly to “fast-moving threats to the bulk power system”. Joe’s response to that was his comment that: “I believe there are currently less than 100 control system cyber security experts world-wide, in all industries.”

I can’t quibble about his number; I just don’t have enough contacts in that part of the industry to judge. Joe writes about cyber security issues for ControlGlobal.com so I would suspect that he knows what he is talking about. In any case, unless he is off by at least an order of magnitude, this calls into question how much NERC really understands about cyber security.

One of Joe’s readers, Ralph Langer, raises another interesting question; how does one identify a control-system cyber-security expert? There are no degree programs offered in this field; I suspect there are even few courses taught yet in this area. I know of no certification program conducted by the ‘cyber security industry’.

This is a major problem for the electric utilities. They are in the process of trying to get their SCADA security systems in place so they can be certified as having met the Federal Energy Regulatory Commission (FERC) Critical Infrastructure Protection (CIP) standards issued last year. The utilities have no in-house SME’s so they have to turn to consultants; but which consultants (if any) have any real experts on hand? In the coming weeks a bunch of high-risk chemical facilities are going to start looking at the same problem when they try to address their control-system security issues for their site security plans.

I hate to raise problems in this blog without providing solutions, but I just don’t have one for this problem. Time will ease the problem, but DHS is not going to give the facilities that time. One thing is almost certain to be true. The cyber security plans in the first go round of the site security plans will be looked back upon with derision in the coming years. The only good thing, from the facility point of view, is that DHS has no more expertise in this area than does the industry. Hopefully, the same will also be true for the terrorists attempting cyber attacks on the control systems at those facilities.

TSA Information Collection Request – DHS-VISAT-T

Yesterday, the Transportation Security Administration (TSA) reposted their Information Collection Request Notice in the Federal Register for the Department of Homeland Security—Vulnerability Identification Self-Assessment Tool—Transportation (DHS-VISAT-T). The original 60-day Notice was published on December 24, 2008 (73 FR 79148) for extending the currently approved collection (OMB Control Number: 1652-0037). The current deadline for comments to the Office of Management and Budget is March 20, 2009. According to the notice: “The DHS-VISAT-T (formerly the TSA Self-Assessment Risk Module (TSARM)) was developed to assist all modes of transportation asset owners/operators in developing a security plan and in performing a vulnerability assessment of their asset(s). The tool is designed to be user-friendly, web-based, and is provided at no cost to transportation owner and operators. The tool captures a snapshot of the asset's baseline security posture and assists the stakeholder in conducting a vulnerability assessment and completing a comprehensive security plan. TSA designed this tool to be flexible to support the unique characteristics of each transportation mode, while still providing a common framework from which analysis and trends can be identified. Thus far, TSA has developed modules of the tool for maritime, mass transit, highway bridges, and rail passenger stations, with more in development.” Comments should be addressed to Desk Officer, Department of Homeland Security/TSA, and sent via electronic mail to oira_submission@omb.eop.gov or faxed to (202) 395-6974.

Wednesday, February 18, 2009

Site Security Plan Role-out This Month

The American Chemistry Council is reporting today that DHS has announced that it will be rolling out its “Web-based site-security plan” this month. This is mentioned in their SmartBrief.com article about the upcoming (3-23-09) ChemSecure Conference. There is nothing yet posted on the DHS Chemical Security web site to confirm this.

Chemical Security Site Updates

Almost all of the pages on the DHS Chemical Security web site were ‘updated/reviewed’ yesterday and today. The eighteen pages deal with everything from CFATS to CSAT to CVI. In a quick review of the pages I could not see any obvious changes other than the dates on the bottom of each page. I’ll be doing a closer examination later today. The one page that did get overlooked was the Chemical Facility Anti-Terrorism Standards page. It still shows an update/review date of January 8th, 2009. Wholesale reviews like this have been a decent forecast tool for predicting a major change on the site. We are expecting to see DHS role out the Site Security Plan Tool on CSAT some time in the near future so this may be a lead up to that.

CFATS and Research Labs

An alert reader sent me a copy of a portion of a newsletter sent from the Council on Government Relations (COGR) to its member colleges and universities (see page 9 of the complete document). It discusses the results of a couple of meetings between DHS and a variety of organizations representing colleges and universities about the level of compliance of educational laboratories with the reporting requirements of CFATS. DHS was aware early on that there would be a number of college and university labs that would fall under the CFATS definition of a chemical facility. Because of the chemical and biological research done at some of these facilities it was inevitable that a significant number of these facilities would be required to submit a Top Screen because they had more than a STQ of one or more DHS chemicals of interest (COI) on site. And, because of the potential threat presented by these chemicals, some of those facilities would be declared by the Secretary to be high-risk chemical facilities that would have continued responsibilities under CFATS. Top Screen Submissions According to this newsletter a total of 380 college and university facilities submitted initial Top Screens. Of these 204 were declared high-risk facilities. The tier rankings are provided below. It should be noted that the Tier 1 facilities are the highest risk facilities in the rankings.
Tier 4 112 Tier 3 56 Tier 2 30 Tier 1 6
It should be noted that that this is a much higher ‘high-risk’ rate than the general run of Top Screen Submissions. There were a total of about 35,000 Top Screens resulting in a little over 7,000 high-risk facilities or one-in-five. School labs had a closer to one-in-two rate. The reason is probably related to the fact that most of the COI found at these labs above the STQ were theft/diversion COI instead of release COI. Compliance Outreach The newsletter goes on to say that DHS believes that the number of Top Screen submissions was significantly lower than what it should have been. Apparently DHS made it clear that they did not believe this was due to willful non-compliance, but rather an inadequate understanding of the requirements. COGR claims that DHS plans to do a pilot program of compliance checks on select schools in New York and New Jersey. First they would look in the literature for the types of research being done at high-risk labs. They would then look for schools with similar research programs that did not submit Top Screens. Those schools would get ‘on-site’ visits to determine if the school did not understand the requirement, or that they made a legitimate determination that they did not need to file a Top Screen. Interestingly the folks at DHS claim that they have no such plans. My sources explain that DHS has informed COGR that they reserved the right to call any site, university or otherwise, to ask why they did not do a Top-Screen. It would seem like the COGR plan would be an expensive effort, especially while the SSP roll-out was still pending. Besides, there are almost certainly more risky facilities out there than the odd college lab; that’s where I would bet that DHS would expend its limited inspector force looking for non-compliant facilities. Facility Description Complications One of the problems that DHS is certainly going to run into is how to define what a chemical facility is in a college or university setting. In the preamble to the final rule, DHS made it clear that they did not expect the facility to be defined as the entire campus and would allow schools a large measure of latitude in how they defined their facilities. Potentially, a school could take this to an extreme and count each individual laboratory as a separate facility; this would greatly reduce the number of potential facilities with an STQ of a COI. Looking Ahead to SSP The two hundred some odd high-risk labs identified so far are looking forward with some trepidation to developing their site security plans. The educational institutions have a number of concerns about the draft guidance document issued in November and its impact on their SSP’s. They are concerned that the interpretation of the risk-based performance measures outlined in that document was targeted at industrial rather than research facilities. This newsletter briefly addresses these concerns. The COGR notes that the Campus Safety Health Environmental Management Association (CSHEMA) is in continuing discussions with DHS to try to “integrate the Performance Standards into an Alternative Security Plan that is flexible enough to be used as a template by institutions”. This was not the original intent of the ASP program. Again going back to the final rule preamble, DHS intended for facilities that had already developed and implemented a site security plan that conformed to the Center for Chemical Process Safety (CCPS) guidelines to be able to use that plan in lieu of the CSAT based format. DHS might find it expedient to allow the laboratory community to come up with such a template.

NIAC Meeting – 04-14-09

The National Infrastructure Advisory Council announced their next meeting in yesterday’s Federal Register. The meeting will be held on April 14th, 2009 in Washington, D.C. This will be Secretary Napolitano’s first meeting with the NIAC. The agenda includes “a final report from the Frameworks for Dealing with Disasters and Related Interdependencies Working Group and status reports from the Critical Infrastructure Resilience Working Group”. The meeting will be open to the public but the public will not be allowed to participate in the discussions of the Council. Written comments and documents may be submitted by April 7th (Docket No. DHS-2009-0008).

OOPs, an Apology is Due

Last Friday, in a posting on ACC cyber security publications I blamed an “over zealous writer on Sys-Con.com” for exaggerating about the extent of a “‘recent’ release of a series of documents by American Chemistry Council on cyber security issues”. I owe the owner of Sys-Con.com an apology for that erroneous conclusion. The only reason that I don’t owe an apology to the ‘over zealous writer’ is that there was no such writer on Sys-Con.com; the article was a straight re-print of an ACC press release that I found yesterday. Beyond that, I still maintain that the wording of the article exaggerates the amount of work that was recently released by ACC. According to the ACC Guidance Document page and the White Paper page, only one of the seven documents listed in the article was released this year. Shame on the ACC for using an editorial license issued in Hollywood or Capital Hill for this press release. The announcement of the release of the Guidance on the Protection of Intellectual Property would have been worthy of a press release all of its own without attempting to inflate its importance by adding six previously released papers to the announcement. In the long run, I believe that this document may be more important than all of the other documents listed because more companies will be affected by electronic intellectual property theft than will ever have their control systems violated by a terrorist.

Tuesday, February 17, 2009

Reader Comments – 02-14-09

On Saturday Fred Millar, a long time reader and commenter, left comments on three of last weeks blogs. Railroad Re-Routing On my posting about SOCMA and IST Fred noted that there is currently an IST (potentially anyway) program for PIH rail shipments; the recent railroad routing rules. While I would not have thought of this as an IST measure, there is a measure truth in Fred’s claim. One way to make these rail shipments safer and more secure is to route them around high-threat urban areas (HTUA). Neither Fred nor I are anywhere near confident that the new rules will result in significant changes in railroad routings of these hazardous chemicals. Fred does make a point that an aggressive effort by Obama’s Transportation Department to use these rules to force railroad re-routing in the most egregious instances is more likely than under the Bush Administration. Still, such enforcement actions will be more than a year away. Fred provides an interesting quote from a CSXT docket submission indicating that there is widespread “the widespread social disapproval of TIH transport by rail”. I’m not sure that I agree with that claim and would be interested to see some sort of documentation to justify the use of the term ‘widespread social disapproval’. In reading reader comments (not a scientific sampling to be sure) in most of the newspaper articles about last fall’s CAP report show a distinct disdain for the threat posed by TIH chemicals in general. John Q Public’s appreciation of potential threats is uneven at best. Of course, let a real incident happen and people like Fred will be hailed as a voice calling in the wilderness. Chlorine Response Training On my posting about a new chlorine response training program Fred had some disparaging comments about the inadequacy of the training programs that he has observed in the past. He makes a good point that just climbing around a chlorine railcar is totally inadequate. A good training program will discuss hazards and mitigation techniques and a serious discussion of how to determine when a shelter-in-place order is more appropriate than an evacuation order. Fred’s tongue-in-cheek comments about “really good tennis shoes and long-race running expertise” really does make light of a serious problem. First responders have a hard and dangerous job responding to hazmat incidents. There is no way that they can be adequately trained on how to deal with the thousands of different hazardous chemicals that they might run into on their next call. There is no excuse, however, for failing to provide in depth training on extremely hazardous chemicals like chlorine or anhydrous ammonia if it is routinely stored or transits their jurisdiction. The training program that I discussed in this blog looked like it might be an effective part of such training, but I have not actually reviewed the material. If anyone has actually seen this program, please contact me (pjcoyle@aol.com). Reverse 911 Fred’s final comment this weekend was on a posting about the new reverse 911 system recently installed in Arizona that allows residents to add their cell or fax number, or even their email address to the reverse 911 system. Fred’s comment was more in the way of a very pertinent question: “Any info on the measured effectiveness of this system, and compared with others?” I have not looked to see if the system provider has any response data for this new system. If they did, I would not put much stock in it unless they tested it in a real world situation and the system is too new for that. The only place that I have heard of such real world testing being done is during an annual emergency response exercise last spring in Hamilton County, TN. As part of their exercise they used their reverse 911 system to send a message about the exercise to area residents and then followed up with a personal phone call to each of the residents to determine how well the message was communicated. I never did see a formal write-up about the results of that study. I suspect that an ‘enhanced’ reverse 911 system like this will only be as successful as the advertising effort that goes into getting people to sign up for the messages. The more people that sign up, the more effective it should be in a real emergency in contacting affected personnel. The technical aspects should be relatively easy to solve. The people-ware is the more challenging aspect. The biggest challenge will be the preparation of the actual emergency message that goes out over the system as the clock is ticking. Pre-prepared messages for expected emergencies would be a good idea (an anhydrous ammonia leak at the local meet packing plant for example), but the unexpected emergencies with the clock ticking will be a particular challenge for writing coherent emergency instructions. Keep the Cards and Letters Coming As always, I really do appreciate reader feed back on this blog. It helps keep me honest and makes me think. Comments, questions and suggestions for blog topics are always accepted. I do reserve the right (and responsibility) to remove objectionable material from the comments, but I spent 15 years in the Infantry so I have a pretty broad viewpoint on objectionable.

Hazmat Cooperative Research Act

Last week Rep Elijah Cummings (D, MD) introduced HR 1013, the Hazardous Materials Cooperative Research Act of 2009. The bill would require the Secretary of Transportation to establish a $5 Million per year research program covering hazmat transportation issues that transcend the transportation mode and government jurisdiction. The bill was assigned to the House Committee on Science and Technology for consideration. Congressional Findings As with any well designed legislation establishing a new program, this proposed bill sets forth the facts that justify the program. Section 2 of the legislation sets out five sets of facts that lead to the conclusion in § 2(6) that: “There is a documented need for the establishment of a cooperative research program that will engage all modes and actors, both public and private, involved in the transportation of hazardous materials in conducting cross-cutting assessments of hazardous materials transportation issues that are national and multi-modal in scope and application.” Governing Board Section 3 of the bill requires the Secretary of Transportation to establish a governing board to oversee the research program. The Department of Transportation will provide a voting member for the board from each of the operating agencies that are concerned with the transportation of hazardous materials. The EPA, DHS and the Department of Energy will also provide voting members. The Secretary will appoint nine additional voting members to the governing board; they will represent a variety of designated state and local government agencies, labor organizations and private industry. Additionally, there will be the obligatory additional representatives “as the Secretary considers appropriate” {§ 3(b)(20)}. Research Studies The research studies selected by the governing board will look at hazardous material transportation subjects that are not adequately addressed by existing research programs. Section 3(c) requires that priority be given to “research studies that will yield results immediately applicable to risk analysis and mitigation or that will strengthen the ability of first responders to respond to incidents and accidents involving transportation of hazardous materials”. The Secretary of Transportation will make grants to the National Academy of Sciences to complete the studies selected by the governing board. The bill authorizes the appropriation of $5 Million per year for the years 2010 thru 2013. It specifically specifies that the funds are to remain available until expended.

Monday, February 16, 2009

Other Terrorist Threats

Since the 9/11 attacks most discussions about potential terrorist attacks in the United States have been focused, in large part, against jihadist extremists. As I have pointed out on a number of occasions, Al Qaeda and its affiliates and allies, are not the only potential threat; we have a large number of home-grown wackos of various political stripes that also must be considered as potential threats. Last week the unauthorized release of FBI information (page 11) on a white-supremacist that had components for building a dirty bomb (in this case an IED contaminated with depleted uranium 238 and thorium 232) emphasized another terrorist threat. Dirty Bombs and Lone Wolves Two things of interest are highlighted in this story. First is the apparent ease with which one could acquire components for a dirty bomb. The information provided did not indicate that the components would have provided much of a radiological threat due to the small volume radioactive isotopes. Dirty bombs do not have to pose a significant radiological hazard to be effective terrorist weapons. The mere existence of a radioactive component would increase public fear associated with the attack and would complicate the emergency response to such an attack. The second item of interest is that the discovery of these dirty bomb components was the result of a criminal investigation of the shooting death of the potential terrorist by his wife because of spousal abuse. It does not appear that the individual had shown up in any Federal investigation of white supremacist organizations or potential terrorists. This is another example of the ‘lone wolf’ terrorist that is so hard to detect prior to their attack. Threat Against Chemical Facilities There is nothing in any of the available articles or FBI documents that indicates that the potential target of this particular wacko was a high-risk chemical facility. That is not to say that white supremacists would not target such facilities. An argument could be made that an attack on a chemical facility in a minority neighborhood could be an indirect attack on people of color. Additionally, facilities closely associated, or identified, with targets of white supremacists, which include racial and religious minorities as well as the Federal government, may be targets of such organizations and individuals. Dirty bombs may be a particularly useful in attacks against a chemical facility with large volumes of flammable release chemicals rather than toxic release chemicals. The dispersal of radioactive material in the smoke plume of a large chemical fire would expand the scope of the attack. The relative hazard would be small, but the psychological effects could be profound, especially if accompanied by a propaganda campaign by associated groups proclaiming that the government was covering up the radiological hazard. Prevention and Response There is nothing that a high-risk chemical facility could really do to protect it against itself against a dirty bomb. The typical defenses against IEDs and VBIEDs would be appropriate defenses against dirty bombs in this case. Unless someone developed particular intelligence of a dirty-bomb attack against a specific facility, the deployment of radiological sensors for detection of a dirty bomb would not be cost effective. More important would be planning for emergency response for a dirty bomb. Radiological decontamination over a large area would expensive and time consuming. A realistic approach would not be to try to decontaminate all ‘radioactive’ contamination, but to identify and clean up such areas that present a realistic threat of harm to civilians living and operating in the area. More importantly, an immediate and effective education campaign must be initiated to explain the real and relative threat from low-level radioactive contamination. This particular case points up the fact that there needs to be a realistic discussion of the potential risks from radioactive dirty-bombs. While high-risk chemical facilities will not take substantial actions to prevent dirty-bomb attacks, the response community needs to take a hard look at the fact that the smoke plume would increase the area of concern from such an attack.

DHS Updates Chemical Security Web Page

Sometime last Friday afternoon (after I last looked at the page for the day) DHS updated their Chemical Security web page. Nothing major, they moved the CFATS Whistleblower Hot Line (okay, they call it the CFATS Tip Line) information from the ‘I Want To…” block near the top of the page to the more permanent and prominent block along the right side of the page. Not quite ‘black boxing it’ like I suggested last week, but this does make it easier to find.

Defense in Depth

Last Friday I received a twit (a message on Twitter.com, my twitter name is PJCoyle) from BozonGas recommending that I look at a document on Honeywell.com called “An Integrated Approach to Safety: Defense in Depth”. Honeywell has long been a producer of a variety of instruments, controllers and other devices used in chemical process safety. While this white paper is mainly a look at their philosophy for an integrated safety program, it does address facility security, especially in how it integrates with process safety. Security Incident Outcomes The three page discussion of process security is short on details, this is a white paper after all, but it does provide some important information none the less. One of the most interesting items discussed comes in the form of a table on page 17 taken from an American Chemistry Council document, “The Case for Taking Action on Cyber Security”. The table lists 14 ‘concerns’ about possible outcomes from successful attacks of high-risk chemical facilities. Of the fourteen concerns, only two deal with the potential outcomes that are most often discussed in security related discussions; “Release, diversion, or theft of hazardous materials” and “Employee and public fatalities, injuries and health effects”. The other 12 concerns deal with business consequences of such an attack. The identification of these consequences helps to provide an additional business case for proceeding with improving facility security. Layers of Security and Safety This white paper makes the point that a layered process safety program (with an interesting diagram on page 4) is necessarily an integral part of a facility security program at chemical process facilities. Honeywell notes (page 18) that:
“The integration between building automation, security, and process control systems at plants plays a crucial role in rapid, efficient, and coordinated mitigation steps during a security incident. A close linkage between security and process systems ensures that a process control system operator is immediately made aware of a security breach so they may take preventative action to protect the safety of individuals in and around the facility.”
Honeywell recommends adding three security layers to the nine layers of process safety layers covered in the remainder of the white paper. Those layers encompass physical security, electronic security, and cyber security. The first two layers help prevent unauthorized physical access to the facility and help manage the mitigation process in the event of a successful attack. The cyber security layer helps to prevent the process control and process safety systems from being used to execute an attack on the facility. Process Systems The white paper identifies nine elements of a successful cyber security system. Two of those elements have not received enough, in my opinion, emphasis in other discussions of cyber security. Those elements were:
“Physically separated process control and enterprise networks with limited access points” “Physically separated process control and process safety systems with limited access points”
The first element helps to isolate control systems from attacks via the internet. This does not eliminate the threat of a cyber attack on those systems, but would allow security teams to focus on physical or on-site attacks on those systems. The second would allow properly designed process safety systems to mitigate the effects of many successful attacks on process control systems and even a few attacks on physical assets. Since Honeywell is one of the domestic leaders in process control systems, I would certainly like to see them address process security in more detail. They are in a unique position to assist facilities in the design and implementation of cyber security systems for process systems across a wide variety of industries.

Friday, February 13, 2009

Reader Comment – 02-13-09

Received a prompt and informative comment today from Michael Petty, whom I assume works with NovaTracker, manufacturer of GuardTrax. He makes the following point about my earlier blog today on that system: “I would like to clarify a point that you made in your blog posting. The GuardTrax SFL does have an encryption capability for those customers who have higher level security issues and needs. All data transmitted by the GuardTrax device can be encrypted if a customer desires such functionality. We encrypt the data for many of our customers. Thank you.” That certainly makes a lot of sense to me. Not all facilities would need the communications links encrypted. High-risk chemical facilities, however, would almost certainly want to have that added protection. NOTE: I did try to contact NovaTracker earlier by email (at info@novatracker.com), but each time their email server rejected my message “for security reasons”.

ACC Cyber Security

There is a very misleading article on Sys-Con.com about the ‘recent’ release of a series of documents by American Chemistry Council on cyber security issues. The article states that: “The American Chemistry Council’s Chemical Sector Cyber Security Program has added to its suite of cyber security resources with the release of five guidance documents and two white papers”. What is misleading is that none of the documents shown on the referenced ACC web pages is really recent. One guidance document, The Protection of Intellectual Property, was released last month, but all of the other guidance documents are almost a year old. One white paper, Report of Technical Survey Results: Separating Industrial Automation and Business Systems, was released in December, but the next most recent release date was April of last year. I don’t think that this confusion was caused by the ACC. The release dates are very clear on their web site. It looks to me like an over zealous writer on Sys-Con.com was exaggerating to make the article look more important and timely than it really was.

Tracking Security Guard Locations

I ran into an interesting article on HSDailyWire.com about a new service that allows security managers or guard force managers to track the location of security guards in real time. It is being touted by the manufacturer as a tool to manage and communicate with security forces. It tracks the guard location by GPS and transmits that data to a remote server by a wireless communication device. The server processes the data from the guard’s transceiver and provides information on the guard’s location, status and movement on a “a map-based (GIS) application that includes satellite imagery” according to the GuardTrax® product sheet. While it is certainly handy for a guard manager or security manager to be able to track the security force it would also be good information for anyone intending to penetrate facility security, either thieves or terrorists. There is nothing in the product literature that I have found that indicates that there is any encryption of the communications from the guard transceiver to the server or from the server to manager. Hacking into either communications channel would provide a serious tactical advantage to an adversary. Knowing where the guards were and where they were going makes it much easier to avoid them. Being able to provide bogus security status information to the manager will allow the penetration team to delay detection and misdirect any response forces. It sounds to me like a potentially good product that needs some additional work before it is ready for real world security.

Thursday, February 12, 2009

Emergency Response Access

Emergency Response Access There is an interesting report on 58WCHS.com about a piece of legislation introduced recently in the West Virginia Legislature. The new rules being proposed by Governor Manchin would require chemical facilities in the state to allow first responders access to the facility in event of an emergency at the facility. It would also require the facility to establish communications with emergency response personnel. This bill was ‘inspired’ by last summer’s explosion at the Bayer CropScience Plant in Institute, WV where the community was kept in the dark about what was going on at the facility. CFATS Pre-Emption Issue If this bill becomes law I can foresee the extensive chemical industry in West Virginia arguing that the security regulations embodied in CFATS would prohibit automatic entry of emergency response personnel to high-risk facilities. They would argue that the pre-emption provisions in 6 CFR 27.405 would prevent the State and local governments from enforcing such a law. Since emergency response functions have normally been under the purview of the States, not the Federal Government, I doubt that even the Bush Administration would have sided with industry in this (potential) case. I would be very surprised if Secretary Napolitano did not support the State’s side of this question if an appeal were made to the Department under § 27.405(d). Necessary Coordination It would seem to me that the close cooperation between a high-risk facility and the local emergency responders should be a given. Even if a facility has its own fire brigade, common at refineries and large chemical plants, the backup of the on-site emergency response personnel by community responders should be appreciated. In that sense this legislation should, in a sane world, be unnecessary. Unfortunately, we do not live in a sane world. As countless incidents across the country show, many chemical facilities would rather try to keep the local community in the dark about on-site problems. This is probably due, in part, to an attempt to avoid litigation for real and imagined problems associated with on-site releases. This attitude may prevent nuisance law suits for accidents with no off-site affect, but it destroys the potential cooperation needed to deal with catastrophic accidents or terrorist attacks. I do think that Congress should pre-empt this potential action by the West Virginia legislature, by requiring in the legislation re-authorizing CFATS that as part of any site security plan (SSP) for a high-risk chemical facility there would be detailed coordination and training with local first responders in support of that SSP. It would not be a bad idea if that coordination would have to require frequent on-site exercises with those responders and allow for counting response to actual incidents as a required exercise.

HS Committee Reorganization Explained

There is an interesting article over on CQPolitics.com that takes a pretty in-depth look at the political reasons for the re-organization of the House Homeland Security Committee that I reported on last week. According to the authors, Fowler and Margetta (both CQ staff writers) it looks like the large influx (six of eight new Democrats) of freshmen congressmen (four men and two women) reflects a decline in the power and influence of the Committee. The authors paint a complex picture of committee decline. They note that homeland security is becoming less important in the current political climate. There is more attention being paid to the economy and finance. The power of the Committee has been fairly diluted because they do not exclusive power over the Homeland Security Department; they share it with 84 other committees and subcommittees in the House and Senate. That means that a member can serve on another influential committee and still have impact at the Department. It will be interesting to see how this decline in power affects a wide variety of homeland security legislation. For readers of this blog that will include the reauthorization of CFATS. It would not be prudent to count too much on the decline in the power of Chairman Thompson. He did get HR 553 (Reducing Over-Classification Act) to the House floor and approved there less than a month into the session.

Reader E-Mail – 02-10-09

A long time reader, Brandon Williams, sent me a couple of e-mails on Tuesday about my first blog posting of the same day; the one about enforcement activities. He used to work on the US Chemical Weapons Convention (CWC) support teams that helped facilities with the international inspection teams that came by to check CWC compliance. (Personal Note: having gone through CWC inspections at two different facilities I can attest to how professional and helpful these support teams were. As best we can tell Brandon was not on either team that I worked with). Anyway, based on his CWC team experience Brandon questioned the propriety of EPA and DHS sharing data on facilities in the manner I suggested. Brandon noted that their rules, and the supporting legislation, prohibited these CWC teams from sharing information with either EPA or OSHA. He felt that this was done to allow open communications and encourage facilities to freely share information with the assistance team. He thinks that the DHS inspectors doing the initial Site Security Plan visits (the first visits to verify the adequacy of the plan, not the later compliance audit) will need the same level of open communications that the CWC teams were able to engender at most facilities. Legality of DHS-EPA Information Sharing I could find nothing in the Section 550 authorizing language that would prohibit DHS from sharing information with either EPA or OSHA. I don’t think that Congress even considered the matter when they were preparing that abbreviated authorization. This may be something that Congress might want to consider when they write the re-authorization legislation. They could pattern the language after the following two sections of the CWC Implementation Act of 1998 (thanks to Brandon for digging up the details):
Sec 304(E)(2)(G) - Procedures for Inspections: no inspection under this Title shall extend to... "data maintained for compliance with environmental or occupational health and safety regulations" Sec 303(B)(2)(B) - Authority to Conduct Inspections: "no employee of the Environmental Protection Agency or Occupational Safety and Health Administration accompanies any inspection team visit"
Provisions like these may make the old joke, “I’m from the government, and I’m here to help you” a little less painfully true. At least the initial visit should be a true assistance visit with the inspector providing an outside view point on the facility efforts to comply with the Risk Based Performance Standards. The post-approval compliance inspection may be a different story; but until the facility’s SSP is approved, the inspection is supposed to help the facility adopt a compliant plan. Agency Level Information Sharing What I was suggesting was not inspector level sharing of inspection information. It was directorate level use of EPA developed information that is held in a publicly available data base (the data base was available on-line until shortly after 9/11, but it is still available in-person at EPA reading rooms). The data would be the list of facilities that have submitted RMP information to the EPA. It would include the RMP chemicals involved and the amount held on site. While this is publicly available information (it was used, for example, to develop the list of 101 high risk chemical facilities in the CAP Chemical Security 101 report), there might be some concerns about using this for government enforcement actions by another agency. To alleviate that concern, Congress could include language in the re-authorization legislation requiring DHS to use this data to identify facilities for DHS to contact to require a Top Screen submission. This would stop facilities from challenging enforcement actions based on a self-incrimination defense. Any subsequent enforcement actions would be based on failure to obey a directive from the Secretary to complete a Top Screen rather than failure to file based on the EPA data.

Wednesday, February 11, 2009

HR 261 Status Update: 02-11-09

Last week the Homeland Security Committee assigned responsibility for initial review of HR 261 (Chemical Facility Security Improvement Act of 2009) to the Subcommittee on Transportation Security and Infrastructure Protection. The author of the bill, Rep Jackson-Lee (D, TX) is also the Chairwoman of that subcommittee. This does not necessarily mean that the bill will get quick consideration; after all it did take almost a month for the sub-committee assignment to be made.

Unique 911 Callback System

There is an article on PrescottDailyCourier.com about a new 911 ‘callback’ system that was recently installed in the Yavapai County, AZ, Sherriff’s Office. Callback systems are a relatively new innovation allowing emergency centers to automatically call telephone customers in a designated area to communicate a recorded message notifying people of a local emergency. The new system in Yavapai County allows residents to add telephone numbers to the system for communications devices not tied to landline phones. Getting out timely information about actions to take in the event of an emergency is a key to reducing both confusion and casualties. The old emergency system notifications by radio and television were never really effective in contacting people and have become less so as the society becomes more mobile. The 911 callback systems increased the effectiveness of emergency communication because it caught many people who were at a fixed site but not listening to the radio or watching TV. This new system allows emergency notification to go out to people on the move by sending voice, text and email messages to cell phones, pagers, and even Blackberries. This system was installed in Arizona with a funding assist from a Homeland Security Grant. Communities with high risk chemical facilities or other high risk sites may want to investigate installing such a system.

Include Security in Stimulation Plan

An interesting Op-Ed piece showed up in yesterday’s Washington Times. It was written by Daniel B. Prieto, an adjunct senior fellow for counterterrorism and national security at the Council on Foreign Relations. One of his recommendations for the Stimulation Plan was to provide tax incentives to high-risk chemical facilities to improve chemical facility security. Unfortunately, the suggestion was made too late to be included in the plan that was passed today in the Senate. Prieto argued that the use of tax incentives has a well established reputation as a tool for directing the private sector to spend money in a desired way. He notes that this tool has not been used in the chemical and transportation security sectors. Congress has relied on rules and regulations to accomplish their objectives. He notes that tax incentives are easier to run for multiple year projects without worrying about them being continued past their useful life. He suggests that the tax credit could be weighted to provide more money in the first year, enhancing its stimulative affect. Then, in subsequent years, the credit would reduce until the credit disappeared in year four or five. Tax Credits Urge not Command There are a number of issues with tax policy as a tool for social or political engineering that Prieto overlooks in his article. First, without declaratory rules directing the same objective, there is no way for tax credits to ensure (near) universal compliance. In the case of security measures at high-risk chemical facilities, there is no reasonable tax credit that would convince all facilities to employ armed guards, for instance. For most regulatory requirements this might not suffice. For chemical facility security rules it would allow facilities to decide which requirements it would want to comply with and a major factor in that decision could be the size of the tax credit. But there are no specific security measures required under CFATS (there are only Risk Based Performance Standards), so this might not be a problem. Creative Tax Writing Since it is too late to get tax credits for chemical facility security spending into the stimulus bill, perhaps the Congress could look at adding such tax credits to the reauthorization of CFATS. It would add an additional level of complexity to the legislative process since the House Appropriations Committee would probably have to sign off on the bill before it could come to the floor for a vote. Tax credits could be tied to the tier level assigned to the facility. Tier 1 facilities could receive a higher maximum tax credit than a Tier 4 facility. This would reflect the higher security levels required for the riskier facilities. Congress could target the tax credits to encourage capital spending; spending that would have a more wide spread effect in the general economy. They could target the tax credits to those performance standards that require construction or equipment installation; RBPS #1 – Restrict Area Perimeter, or RBPS #2 – Secure Site Assets would be good examples. Even more specificity could be achieved by targeting specific metrics listed in the Risk Based Performance Guidance document; Metric 1.2 – Vehicle Barriers, or Metric 2.4 – Monitoring and Surveillance for example. Finally, the tax credits could be targeted at security measures that are the most controversial. Such a tax credit could provide an incentive to add an armed response force to a Tier 1 facility security plan. Or a tax credit could be used to offset the salary for a trained security manager. Incentives for Industry Support The other thing that these tax credits could be used for is to buy industry support for chemical facility security legislation that contains some provisions that are not readily acceptable to industry. No level of tax incentive would be adequate to get industry to support the most extreme IST provisions (mandatory replacement for a list of specific chemicals, for instance), it might make industry more amenable to developing a workable IST provision. With the Homeland Security Committee preparing to work on the reauthorization legislation for CFATS it is a good time for industry to talk to Congress about how tax incentives could be used to support that program and increase chemical facility security.
 
/* Use this with templates/template-twocol.html */