For the last year or so I have typically been reporting on new and updated DHS CSAT Frequently Asked Questions (FAQs) on a weekly basis. These are not usually urgent, and it takes up too much time and effort to report on each and every FAQ change as it is posted. I do, however, review them every morning because from time to time one comes up that appears to require quicker reporting. Yesterday, DHS posted such a new FAQ:
1649 How do I request an extension of my facility’s Top-Screen, SVA or SSP filing deadline?
Actually, the question does not appear to be time critical, but the response indicates a potential problem with DHS receiving these requests. The response states:
“A request for an extension must be submitted to DHS in writing by USPS or delivery service. DO NOT FAX your extension request to the CSAT Help Desk.”
The emphasis was added by DHS, not here at the blog. I can think of a number of legal reasons that DHS might require an original document with signature, but I also know, from long experience, that things sent by fax do not always get to the recipient in a timely manner, or they get garbled in transmission.
BTW: CVI rules do allow for transmission of CVI by fax, but they do require prior coordination with the receiver to ensure that a CVI authorized user with need to know is on the receiving end of the fax transmission to ensure that appropriate security measures are put into place to protect the document upon its receipt.
In any case, when DHS shouts at us in CAPS in their FAQ, I assume that they consider the message especially important. So please, do not fax your extension requests to the CSAT Help Desk.
Friday, November 20, 2009
Thursday, November 19, 2009
New DHS CIKR Website
There has been a wide variety of discussion (see for example) over the last couple of days about Secretary Napolitano’s recent meeting with “private sector leaders to discuss critical infrastructure security”. She emphasized that the national approach to critical infrastructure security was built around a public-private partnership based on “promoting vigilance, preparedness and risk reduction”.
The DHS press release also mentioned the opening of a new web page for critical infrastructure protection. There isn’t really much new information on this page, but it does serve as a pretty decent landing page for infrastructure protection. There are three links to chemical security pages (chemical security, CVI training, and CSAT). There are also links for transportation and maritime security that may be of interest to the chemical facility security community.
Unfortunately, this set of links is not nearly as comprehensive as I would have hoped. A glaring omission is the lack of links to legal documents that affect infrastructure protection; I would have added the Laws & Regulation page from Counterterrorism. This should certainly be on the landing page.
I disagree with the selection of pages listed to represent the chemical security program. Instead of the chemical security page listed, I would have used the Chemical Security landing page for counterterrorism. This provides a link to the page given as well as four other sources of chemical security information.
Since not all chemical facilities (by a huge percentage) are covered under CFATS, I would have also added a link to the VCAT (Voluntary Chemical Assessment Tool), if I could find one. The best I have been able to find is a brief reference on the MTI page and a link to a video presentation.
One last complaint: there is no date reference at the bottom of the page to allow serious surfers, like me, to tell if there have been any recent changes on the page.
Still, even with my nit-picking complaints, I think this IP landing page is another example of DHS trying to use the internet to ensure that they communicate with their served community. Good job; just keep trying to improve.
Academic Lab Security
In an earlier blog posting, while I discussed the proposed amendment to HR 2868 that would provide special treatment for academic labs, I mentioned an email from a reader who was upset about the American Chemical Society support for that amendment. The same reader, who wishes to remain anonymous to avoid professional conflicts, sent me another email on the subject after reading a recent piece in C&ENews about that ‘important’ addition to HR 2868. He makes the following point:
“While indeed it is obvious what you said before about the STQs in academic labs deserving the same level of security. The fact that smaller quantities of hazardous substances would not be just as vulnerable as bulk quantities I think has firmly been proven wrong what with the incident in Denver, CO which did indeed involve a small quantity of a chemical of interest.”
The reader, of course, refers to the purchase of small commercial quantities of hydrogen peroxide solution by a suspected terrorist at Denver area beauty supply stores for the alleged production of backpack explosives. While most of the public focus on CFATS has centered on large quantities of dangerous chemicals like chlorine gas, those regulations also look to regulate facilities that maintain smaller inventories of chemicals that can be stolen and used by terrorists to make improvised explosive devices (IEDs) or very deadly chemical warfare type chemicals.
NOTE: The hydrogen peroxide solutions involved in the Denver ‘incident’ were too dilute to be covered by the CFATS regulations. Whether or not this was a reasonable distinction in setting up Appendix A requirements will be left for a discussion in a future blog.
There may be some university labs that are covered under CFATS because of bulk inventories of Release COI (inventories typically in excess of 10,000 lbs), but most will be covered because of their smaller inventories of Theft/Diversion COI. Those inventories range from 2,000 lbs for some ammonium nitrate concentrations to 100 g for actual CW gases. According to Rep. Olson (R, TX) during the floor debate on the amendment (Congressional Record, 11-6-09, pg H12529), there are 99 academic facilities that are currently high-risk facilities under CFATS and 23 of them fall in either Tier 1 or Tier 2.
One Size Fits All Myth
During the House floor debate of the Foster/Lujan Amendment Rep. Foster (D, IL) makes the statement that: “One-size-fits-all safety regulations only create more paperwork, more bureaucracy and more confusion without necessarily making us safer” (CR pg H12528). He is, of course, correct. This is one of the reasons that Congress, when they authorized CFATS, prohibited the Secretary from specifying any particular security measure as a pre-condition for approval of site security plans.
The CFATS regulations are hardly a one-size-fits-all system. What it does do, however, is to assess the risk to the facility, the community and the country from a potential terrorist attack on a chemical facility. It established a very limited list of chemicals of interest that it would consider to be indicators of potential risk of terrorist attack and established a risk-based inventory level for those chemicals that would trigger an initial reporting requirement under the CFATS regulations.
There is only a single, on-line form used to report that initial data, the Top Screen tool on CSAT. The Top Screen provides for filing information on the facility location and description, but the bulk of the questions deal with the inventory of selected chemicals that the facility has on hand. Academic institutions objected to this because it would require them to conduct actual inventories of chemicals that they had at their facility.
Similarly, there is only a single SVA tool and a single SSP tool in CSAT. But, once again, these are only questionnaires asking questions about a facility’s security situation. Not all of the questions apply to every facility. In most cases a facility is not even required to respond to the questions that are not applicable, the default answer is that it does not apply or exist. There was no way that DHS could develop facility specific questions, not with 30,000+ facilities potentially being covered by the CFATS regulations.
Alternative Security Plans
DHS and Congress realized early on that there was no way that the CFATS program could adequately address all of the industry specific situations in their development of the facility security rules. DHS, in their first draft of the CFATS regulations, indicated that they would favorably consider industry specific security plans; industry could develop security procedures that adhered to the principles set out by the Center for Chemical Process Safety, and DHS would take cognizance of those procedures when they evaluated SVAs and SSPs.
The Academic Community quickly asked DHS to develop an alternative security plan (ASP) for academic laboratories. DHS explained that they had neither the time, the manpower, nor the expertise to set up a plan specific to academic labs. They recommended that academia set up a committee to come up with their consensus standards. Academia demurred; it wasn’t their responsibility to be concerned with security. Security interfered with academic freedom; DHS should be responsible for that interference.
The Coyle Academic Lab Security ASP
Since neither DHS nor academia is interested in establishing an ASP for Academic Facilities, I will undertake the immense effort to do so; reader responses, questions and suggestions are welcome. The following is a general outline of the Coyle Academic Lab ASP (CAL ASP). Details will be developed in future blogs.
Applicability: The following standards will only apply to academic labs with STQ amounts of theft/diversion COI (TDCOI) as defined in Appendix A to 6 CFR part 27. Facilities with STQ inventories of release COI or sabotage COI will not be covered under this ASP.
General Requirements: The facility management will be responsible for ensuring that unaccompanied access to storage areas for TDCOI will be limited to qualified and vetted personnel. Personnel authorized unaccompanied access will be vetted in accordance with the DHS Risk-Based Performance Standards Guidance Document, RBPS #12.
Facility Definition: TDCOI will only be stored in secured chemical storage facilities (SCSF); the SCSF will be the covered facility under CFATS regulations. TDCOI in excess of STQ quantities used in experiments in labs will be closely controlled by qualified and vetted personnel. When the lab is not in actual operation under such supervision, TDCOI will be returned to the secured chemical storage facility. Exceptions will be allowed for labs that meet the security requirements of SCSF.
Security Requirements: TDCOI will be stored in locked containers within a high-security room within the SCSF. Entrances to the SCSF, the high-security room, and the individual locked containers will be monitored by video and at least one other intrusion detection device at all times. Monitoring will be done by Campus Security or Local Law Enforcement, as appropriate.
Emergency Response Requirements: Campus Security, and all other emergency response personnel who are expected to respond to incidents at SCSF will be fully trained in the chemical and security hazards associated with the TDCOI stored in the SCSF. All potentially unauthorized access events will be reported immediately to local law enforcement and will be investigated by appropriate security personnel. All confirmed intrusions will be immediately reported to the FBI.
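As an added example (mine, not part of the outline above and not any institution's system), here is what the monitoring requirement in the CAL ASP looks like as detection logic: badge reads at the SCSF high-security room door are checked against the roster of personnel vetted for unaccompanied access, a non-vetted badge is tolerated only when a vetted badge was read moments earlier (treated as escorted entry), and any door-contact or video-motion event that does not closely follow an authorized read is flagged as a potentially unauthorized access event to be reported. The roster, badge IDs, time windows and the event log are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed assumptions, not from the post or any real campus.
ESCORT_WINDOW = timedelta(minutes=2)  # a vetted read this recent counts as an escort
OPEN_WINDOW = timedelta(minutes=1)    # a door may open this soon after an authorized read

# Badges vetted for unaccompanied SCSF access (per RBPS #12 in the outline).
VETTED_BADGES = {"B1001", "B1002"}

# Constructed event log for one evening at the SCSF high-security room door:
# (timestamp, event kind, badge id or None).
EVENTS = [
    ("2009-11-19 18:00:00", "badge", "B1001"),    # vetted researcher
    ("2009-11-19 18:00:05", "door_open", None),   # door opens right after the read: fine
    ("2009-11-19 18:01:00", "badge", "B2007"),    # non-vetted student, escorted by B1001
    ("2009-11-19 21:30:00", "badge", "B2007"),    # same student, alone at night
    ("2009-11-19 21:30:04", "door_open", None),   # door opened after an unauthorized read
    ("2009-11-19 23:45:00", "door_open", None),   # door opens with no badge read at all
    ("2009-11-19 23:45:02", "motion", None),      # video motion inside the room
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def evaluate(events=EVENTS, vetted=VETTED_BADGES):
    """Return (timestamp, reason) for every potentially unauthorized access event."""
    alerts = []
    last_vetted_read = None  # time of the most recent vetted badge read
    last_authorized = None   # most recent read that counted as authorized (vetted or escorted)
    for ts, kind, badge in events:
        t = _parse(ts)
        if kind == "badge":
            if badge in vetted:
                last_vetted_read = last_authorized = t
            elif last_vetted_read is not None and t - last_vetted_read <= ESCORT_WINDOW:
                last_authorized = t  # escorted entry: allowed and logged, not alerted
            else:
                alerts.append((ts, f"unescorted read by non-vetted badge {badge}"))
        else:
            # door_open / motion: must closely follow an authorized badge read,
            # otherwise it is an intrusion indicator regardless of who is inside.
            if last_authorized is None or t - last_authorized > OPEN_WINDOW:
                alerts.append((ts, f"{kind} with no authorized badge read in the last "
                                   f"{OPEN_WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for when, why in evaluate():
        print(f"REPORT {when}: {why}")
```

Every tuple returned by `evaluate()` corresponds to an event the outline says must be reported immediately to local law enforcement; the escort rule is the one place the logic makes a judgement call, and shortening `ESCORT_WINDOW` is the knob to turn if a campus wants escorted entry to require the escort to badge in first every time.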
Wednesday, November 18, 2009
ICS-CERT
I just don’t get back to check the DHS CERT Control Systems Security Program (CSSP) web page often enough. I checked it today and found that last week they announced the official launch of the Industrial Control System Cyber Emergency Response Team (ICS-CERT) coordination center in Idaho Falls, ID. Now, the ICS-CERT has been operational since early this year, but their coordination center is now up and running.
The brief article on the ICS-CERT contains a link to a two-page brochure about the ICS-CERT. It describes their mission and general capabilities. Probably the most valuable item in the brochure, however, is the ICS-CERT contact information. I’ll reproduce that whole section here.
“CSSP and ICS-CERT encourage you to report suspicious cyber activity, incidents and vulnerabilities affecting critical infrastructure control systems. Online reporting forms are available at https://forms.us-cert.gov/report/. You can also submit reports via one of the following methods:
“ICS-CERT Watch Floor: 1-877-776-7585
“ICS related cyber activity: ics-cert@dhs.gov
“General cyber activity: soc@us-cert.gov
“Phone: 1-888-282-0870”
I certainly recommend that anyone who has an ICS cyber incident immediately contact ICS-CERT. Even if the result of that particular incident seems relatively innocuous, it should still be reported. The intelligence and counter-intelligence portion of the ICS-CERT mission is very important and requires these inputs to be effective. Near-miss or ‘cyber-scouting’ incident reporting can be important in preventing serious incidents.
Automated Safety Systems and Security
Yesterday, after I made my posting here about automated safety systems and their applicability as security systems, I posted a question on the same subject over on the ControlGlobal.com security discussion board. While that site hasn’t been too active of late, I thought that it might be a good place to get feedback from control system professionals.
The question posted was: “Is anyone using an existing automated safety system as a documented mitigation technique as part of a facility security plan?”
I was pleasantly surprised to get two quick responses to the question. Actually, neither was a direct response to the question, but both were supportive of the idea. Both the response from Walt Boyes (Editor at Control and at ControlGlobal.com) and the one from fenton2 (a regular contributor at that site) are worth reading.
If any readers here would be interested in joining that discussion, feel free to post your responses at the ControlGlobal.com site; I’ll make sure that such postings get cross coverage here. Readers preferring to post their responses here will, of course, be appreciated as well.
Labels:
Chemical Facility Security,
ICS,
Safety Systems
Tuesday, November 17, 2009
Comingling Safety and Control Systems
There is an interesting blog post by Joe Weiss over at ControlGlobal.com about concerns in the regulatory community about the comingling of control systems and safety systems. To understand the concern we need to do a little instructional backgrounder here as part of Industrial Control Systems 101.
Industrial Control Systems 101
In a chemical facility an industrial control system (ICS) may be used to control a chemical process. An operator typically uses a computer to monitor process conditions (weights, temperatures, pressures, etc) and control process equipment (valves, pumps, etc). These systems can be fairly simple with all process decisions and actions being controlled by the human operator or more complex with active computer controls of multiple process parameters.
A safety system is a system used to protect process equipment, personnel and/or the environment from unsafe process upsets. These can be straight mechanical systems like pressure relief valves or they can be automated systems where there is, at a minimum, a sensor, an actuator and a controller between the two. The sensor is used to detect an impending process upset, the controller receives the signal from the sensor and directs one or more actuators to take action to prevent that upset.
You may have a chemical process where heat is used to drive a reaction to completion. There will be optimum process temperature conditions that the operator will use a control system to maintain; too low a temp and the process will be inefficient; too high a temp and there will be quality issues with the product. The ICS will be used to manipulate heating and cooling to maintain the process within that optimum temperature range.
The same process may have a temperature above the optimum temperature range where an unsafe chemical reaction can take place; an auto-ignition temperature for example. A safety system would be in place to automatically turn off heating and start cooling if the process temperature gets within a pre-set limit of that unsafe temperature.
Now the ICS should never allow the temperature to approach that unsafe condition because it is beyond the optimum temperature range. But the safety system is put into place because there is always the possibility that there could be a failure in the ICS, a human error, or some other problem that allows the temperature to rise to an unsafe level.
It would seem obvious that one would want to make sure that a failure in the ICS that would allow an unsafe temperature rise would not affect the safety system. This is one of the reasons that in the ‘good ole days’ safety systems were designed as stand-alone systems with their own sensors, controllers and actuators. The power systems were even separate, with battery backup systems for the safety systems where electric systems were used.
As both safety systems and control systems became more complex it became easier to justify the linkage of parts of these two systems. Sensors became more robust with very low failure rates and multiple sensors were being used in any case, so why not use the same sensor array for both systems. As systems became more complex it became harder to physically fit in separately actuated systems that accomplished the same thing so common controls were used in both systems. Finally, as the programming of the control system became more complex and interactive it became easier to justify putting the safety system controller on the same computer system as the ICS.
Unfortunately, with the merger of these two systems it becomes easier to posit a single system failure that could affect both systems. Some systems engineers feel that the new system failure rate is lower than the rate of double failures in the old systems, so the combination of the two systems is justified as being safer than the old separate systems. This is certainly true, but two systems with modern low failure rates would be safer still.
Safety Systems as Security Systems
This discussion would not seem to be germane to the discussion of security at high-risk chemical facilities, until one realizes that safety systems are actually the final line of defense against a cyber attack on the facility control system. In addition to protecting against a failure in the ICS they would also prevent catastrophic consequences from a deliberate misuse of that system.
Using the example in the ICS 101 discussion above, suppose a terrorist gained control of the ICS either through corrupting an operator or via a cyber attack on the control system computer. Changing the high temperature limits of the control system could allow the system temperature to rise to the auto-ignition temperature, causing a catastrophic fire in the facility equipment. An old-style safety system would prevent that occurrence and stymie the terrorist attack.
In other words, an existing old-style stand-alone safety system could be considered to be a security measure. No added cost or complexity, just another layer in the protective shield around the facility. But, that would only be true if the safety system were maintained as a separate system from the ICS. A safety system that is tied into the ICS would be subject to the same attack and would not prevent the catastrophic consequences of the attack.
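To make the separation argument in the ICS 101 discussion and in the security discussion above concrete, here is an added example (mine, not from the post, ControlGlobal.com or any vendor): a toy Python simulation of a heated process with a bang-bang ICS controller and two safety-system architectures. The stand-alone safety system keeps its own fixed trip point on its own sensor; the integrated one derives its trip point from the same editable ICS high-limit it shares a computer with. The run with `tampered=True` reproduces the scenario in the post, where the ICS high-temperature limit has been raised past the unsafe temperature. All temperatures, rates and the configuration layout are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed process constants (not from any real plant).
UNSAFE_TEMP = 200.0      # auto-ignition temperature, degrees C
SAFETY_MARGIN = 20.0     # safety trip fires this far below UNSAFE_TEMP
HEAT_RATE = 3.0          # degrees per step with the heater on
COOL_RATE = 2.0          # degrees per step with the heater off / cooling on


@dataclass
class ICSConfig:
    """Parameters that whoever controls the ICS host can edit."""
    high_limit: float = 160.0   # top of the optimum band; ICS stops heating here


class ICS:
    """Bang-bang controller: heat while below the configured high limit."""
    def __init__(self, cfg: ICSConfig):
        self.cfg = cfg

    def heater_on(self, temp: float) -> bool:
        return temp < self.cfg.high_limit


class StandAloneSafety:
    """Old-style safety system: own sensor, own controller, own fixed trip point.
    Nothing in the ICS configuration can move it."""
    TRIP_POINT = UNSAFE_TEMP - SAFETY_MARGIN

    def tripped(self, own_sensor_temp: float) -> bool:
        return own_sensor_temp >= self.TRIP_POINT


class IntegratedSafety:
    """Safety logic hosted on the ICS: its trip point is derived from the same
    editable high_limit, so whatever moves the ICS limit moves the trip too."""
    def __init__(self, cfg: ICSConfig):
        self.cfg = cfg

    def tripped(self, temp: float) -> bool:
        return temp >= self.cfg.high_limit + SAFETY_MARGIN


def run(architecture: str, tampered: bool, steps: int = 80) -> dict:
    """Simulate the process and report whether it ever reached UNSAFE_TEMP."""
    cfg = ICSConfig()
    if tampered:
        # The scenario from the post: the ICS high limit has been pushed
        # above the unsafe temperature by whoever controls the ICS.
        cfg.high_limit = UNSAFE_TEMP + 50.0
    ics = ICS(cfg)
    safety = StandAloneSafety() if architecture == "stand-alone" else IntegratedSafety(cfg)

    temp = max_temp = 140.0
    latched = False
    for _ in range(steps):
        if not latched and safety.tripped(temp):
            latched = True                      # trip latches: heater off, cooling on
        heating = ics.heater_on(temp) and not latched
        temp += HEAT_RATE if heating else -COOL_RATE
        max_temp = max(max_temp, temp)
    return {"max_temp": max_temp, "tripped": latched,
            "reached_unsafe": max_temp >= UNSAFE_TEMP}


if __name__ == "__main__":
    for arch in ("stand-alone", "integrated"):
        for tampered in (False, True):
            print(arch, "tampered" if tampered else "normal", run(arch, tampered))
```

With the limits untouched both architectures hold the process near 160 degrees and neither trip ever fires. With the ICS limit raised, the stand-alone system trips at 180 degrees and the process never reaches the auto-ignition point, while the integrated system's trip point has moved up along with the limit and the process runs straight through 200 degrees. That is the whole of the post's point in two dictionaries.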
Industrial Control Systems 101
In a chemical facility an industrial control system (ICS) may be used to control a chemical process. An operator typically uses a computer to monitor process conditions (weights, temperatures, pressures, etc) and control process equipment (valves, pumps, etc). These systems can be fairly simple with all process decisions and actions being controlled by the human operator or more complex with active computer controls of multiple process parameters.
A safety system is a system used to protect process equipment, personnel and/or the environment from unsafe process upsets. These can be straight mechanical systems like pressure relief valves or they can be automated systems where there is, at a minimum, a sensor, an actuator and a controller between the two. The sensor is used to detect an impending process upset, the controller receives the signal from the sensor and directs one or more actuators to take action to prevent that upset.
You may have a chemical process where heat is used to drive a reaction to completion. There will be optimum process temperature conditions that the operator will use a control system to maintain; too low a temp and the process will be inefficient; too high a temp and there will be quality issues with the product. The ICS will be used to manipulate heating and cooling to maintain the process within that optimum temperature range.
The same process may have a temperature above the optimum temperature range where an unsafe chemical reaction can take place; an auto-ignition temperature for example. A safety system would be in place to automatically turn off heating and start cooling if the process temperature gets within a pre-set limit of that unsafe temperature.
Now the ICS should never allow the temperature to approach that unsafe condition because it is beyond the optimum temperature range. But the safety system is put into place because there is always the possibility that there could be a failure in the ICS, a human error, or some other problem that allows the temperature to rise to an unsafe level.
It would seem obvious that one would want to make sure that a failure in the ICS that would allow an unsafe temperature rise would not affect the safety system. This is one of the reasons that in the ‘good ole days’ safety systems were designed as stand-alone systems with their own sensors, controllers and actuators. Even the power systems were separate, with battery backup for the safety systems where electric systems were used.
As both safety systems and control systems became more complex it became easier to justify linking parts of the two systems. Sensors became more robust with very low failure rates, and multiple sensors were being used in any case, so why not use the same sensor array for both systems? As systems became more complex it became harder to physically fit in separately actuated systems that accomplished the same thing, so common controls were used in both systems. Finally, as the programming of the control system became more complex and interactive it became easier to justify putting the safety system controller on the same computer system as the ICS.
Unfortunately, with the merger of these two systems it becomes easier to posit a single system failure that could affect both. Some systems engineers feel that the failure rate of the merged system is lower than the rate of double failures in the old separate systems, so the combination is justified as being safer than the old arrangement. This is certainly true, but two separate systems with modern low failure rates would be safer still.
Safety Systems as Security Systems
This discussion would not seem to be germane to the discussion of security at high-risk chemical facilities, until one realizes that safety systems are actually the final line of defense against a cyber attack on the facility control system. In addition to protecting against a failure in the ICS they would also prevent catastrophic consequences from a deliberate misuse of that system.
Using the example in the ICS 101 discussion above, suppose a terrorist gained control of the ICS either through corrupting an operator or via a cyber attack on the control system computer. Changing the high temperature limits of the control system could allow the system temperature to rise to the auto-ignition temperature, causing a catastrophic fire in the facility equipment. An old-style safety system would prevent that occurrence and stymie the terrorist attack.
In other words, an existing old-style stand-alone safety system could be considered to be a security measure. No added cost or complexity, just another layer in the protective shield around the facility. But, that would only be true if the safety system were maintained as a separate system from the ICS. A safety system that is tied into the ICS would be subject to the same attack and would not prevent the catastrophic consequences of the attack.
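To make the argument in the ICS 101 discussion and in this section concrete, here is an added example, not code from the blog or from any real control product: a toy model of the heated process with an ICS high-temperature limit and a latching safety trip. The `run()` function compares a stand-alone safety system, which keeps its own fixed trip point, with a merged design whose trip point is derived from the ICS limit. All temperatures, step sizes and limits are constructed for illustration and are not engineering values.

```python
# Added example (not from the blog post): a toy model of the heated process
# described above, used to compare a stand-alone safety system with one whose
# trip point is derived from the ICS high-temperature limit.  All temperatures,
# step sizes and limits are constructed for illustration.
from dataclasses import dataclass

AUTO_IGNITION_C = 300.0   # constructed: temperature at which the unsafe reaction starts
SAFETY_MARGIN_C = 20.0    # constructed: safety system trips this far below the unsafe point
OPTIMUM_HIGH_C = 220.0    # constructed: top of the optimum process range
START_TEMP_C = 150.0      # constructed: process temperature at start-up
AMBIENT_C = 20.0          # constructed: lowest temperature cooling can reach
STEP_C = 5.0              # constructed: temperature change per control cycle


@dataclass
class Controller:
    """ICS temperature control: heat while below the high limit, cool otherwise."""
    high_limit: float = OPTIMUM_HIGH_C

    def heater_on(self, temp: float) -> bool:
        return temp < self.high_limit


@dataclass
class SafetySystem:
    """Latching high-temperature trip.  Once tripped it forces heat off and
    cooling on, and the ICS cannot override it."""
    trip_point: float = AUTO_IGNITION_C - SAFETY_MARGIN_C
    tripped: bool = False

    def check(self, temp: float) -> None:
        if temp >= self.trip_point:
            self.tripped = True


def run(high_limit: float, stand_alone: bool, cycles: int = 200) -> float:
    """Run the process and return the peak temperature reached.

    high_limit  -- the ICS high-temperature limit; whoever controls the ICS
                   (a faulty program, an operator error, or an attacker) can
                   set this above the auto-ignition temperature.
    stand_alone -- True: the safety system keeps its own fixed trip point.
                   False: a merged design where the trip point is derived from
                   the ICS limit, so a changed limit moves the trip point too.
    """
    controller = Controller(high_limit=high_limit)
    safety = SafetySystem()
    if not stand_alone:
        safety.trip_point = controller.high_limit + SAFETY_MARGIN_C
    temp = START_TEMP_C
    peak = temp
    for _ in range(cycles):
        safety.check(temp)
        heating = controller.heater_on(temp) and not safety.tripped
        temp = temp + STEP_C if heating else max(temp - STEP_C, AMBIENT_C)
        peak = max(peak, temp)
    return peak


def compare(tampered_limit: float = 400.0) -> dict:
    """Peak temperatures for normal and tampered limits under both designs."""
    return {
        "normal/stand-alone": run(OPTIMUM_HIGH_C, stand_alone=True),
        "normal/merged": run(OPTIMUM_HIGH_C, stand_alone=False),
        "tampered/stand-alone": run(tampered_limit, stand_alone=True),
        "tampered/merged": run(tampered_limit, stand_alone=False),
    }


if __name__ == "__main__":
    for case, peak in compare().items():
        verdict = "UNSAFE" if peak >= AUTO_IGNITION_C else "held below auto-ignition"
        print(f"{case:22s} peak {peak:6.1f} C  {verdict}")
```

Under normal limits both designs hold the process at the top of the optimum range. With the ICS limit pushed above the auto-ignition temperature, the stand-alone trip still fires at its own fixed point and the peak stays below the unsafe temperature, while the merged design's trip point has moved with the corrupted limit and the process runs all the way to the new limit. The model shares one temperature reading between both systems; a design that also shared a sensor the ICS could falsify would fail in the same way, which is the post's point about keeping sensors separate as well.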
Labels: Chemical Facility Security, ICS, Safety Systems
Monday, November 16, 2009
Reader Comment – 11-15-09 Water Tiering
An anonymous engineer from New Zealand had a question about the potential tier ranking of a water treatment facility whose design he is working on. He posted the question to one of my blogs about HR 3258. It's an interesting question and one that will have to be asked in a lot of facility design operations. So let's take a stab at giving some sort of answer.
Disclaimers
We need to start this theoretical discussion with lots of disclaimers. First off, DHS (and likely EPA will follow suit) has been very reluctant to talk about the methodology it uses to rank the security risk for chemical facilities. Without filing an actual Top-Screen for the facility, you're not going to get a firm answer from anyone. I'm not sure that DHS has developed an internal procedure for dealing with facilities in development.
More importantly, for water facilities there will be additional complicating factors. First, HR 2868 has not yet been signed into law, so a number of changes can still be made to that legislation. Next, EPA will have two years to write their regulations implementing the law. As currently written, the EPA is required to ‘consult with’ DHS in establishing their chemical security rules, but that leaves a lot of leeway.
Finally, since our NZ Engineer specifically asked about Tier 1 and 2 rankings, I’m going to guess that he was concerned about IST complications. Since that decision, as the bill is currently written, will be made by State agencies, that will be tougher still. I would bet that states like California and New Jersey may be more likely to require IST implementation, but that is a somewhat educated guess, not a prediction.
Disinfectant Decisions
One of the first decisions that must be made for a water treatment facility is the determination of the disinfection technique that will be used at the facility. I am not qualified to weigh in on the actual decision, but I can offer this: do a detailed assessment of all of the alternatives and formally document that assessment. That assessment will form an invaluable starting point for future assessments.
Remember to include the costs of security and safety in the assessment. All drinking water facilities that serve more than 3300 people will come under the new federal security rules regardless of what chemicals they use for disinfection. This means that some of the security costs will be there regardless of the chemicals used.
Chlorine Gas
To get an idea of the tiering for a chlorine gas facility you are going to have to identify the number of people affected by a terrorist related release of chlorine gas. DHS would require you to use the total amount of chlorine on-site for making this determination. The EPA RMP would use the amount in the largest container, but I would guess that for security the EPA will go with the DHS technique.
DHS does use the EPA RMP*Comp online tool to calculate the ‘distance of concern’ for a toxic chemical release. Select chlorine gas and enter the maximum on-site inventory to get that distance. Then draw a circle with that radius centered on the facility. Then determine the maximum number of people in that circle during a normal work day. DHS uses both residents and people working in the area in this calculation. The larger the number the more likely the facility is to be a Tier 1 or Tier 2 facility.
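The "draw a circle and count the people in it" step above is the part a designer can actually script. Here is an added example, not from the blog post and not DHS's or EPA's own method: given a distance of concern (assumed as an input here, since the RMP*Comp calculation is not reproduced), it sums residents and daytime workers for the population blocks whose centroids fall inside the circle. The block centroids and populations are constructed sample data, not real census figures.

```python
# Added example (not from the blog post): counting the people inside the
# 'distance of concern' circle around a facility.  The radius is an assumed
# input; the post says it comes from the EPA RMP*Comp tool, which is not
# reproduced here.  Population blocks are constructed sample data.
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed sample: block id, centroid lat, lon, residents, daytime workers.
SAMPLE_BLOCKS = [
    ("A", 40.0000, -75.0000, 120, 40),   # the facility's own block
    ("B", 40.0090, -75.0000, 300, 15),   # ~1.0 km north, residential
    ("C", 40.0000, -74.9880, 80, 500),   # ~1.0 km east, industrial park
    ("D", 40.0270, -75.0000, 900, 100),  # ~3.0 km north
    ("E", 39.9800, -75.0300, 50, 10),    # ~3.4 km south-west
]


def people_within(facility_lat, facility_lon, radius_km, blocks=SAMPLE_BLOCKS):
    """Sum residents and daytime workers for blocks whose centroid lies inside
    the circle.  Counting both reflects the post's note that DHS counts residents
    and people working in the area during a normal work day."""
    inside, residents, workers = [], 0, 0
    for block_id, lat, lon, res, work in blocks:
        if haversine_km(facility_lat, facility_lon, lat, lon) <= radius_km:
            inside.append(block_id)
            residents += res
            workers += work
    return {"blocks": inside, "residents": residents, "workers": workers,
            "total": residents + workers}


if __name__ == "__main__":
    # Assumed distance of concern of 2.0 km for the constructed inventory.
    print(people_within(40.0, -75.0, 2.0))
```

Centroid inclusion is all-or-nothing, so a block that straddles the circle is either fully counted or ignored; for a real submission you would want to apportion such blocks by area, and remember that the post describes the count as the daytime maximum, which is why workers are added to residents rather than taken as an alternative.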
Security Costs
There are two types of security costs that you are going to face when you employ a toxic chemical like chlorine gas. First you need to isolate the storage from the attacker, and then you need to provide mitigation measures to deal with a successful attack.
First you are going to have to have a perimeter that looks impressive and will allow for early detection of a penetration. Next, since only the largest facilities will be able to afford having a security force on site to respond to an attack, most facilities will use local law enforcement responding to an incident. That means that there needs to be additional security layers to delay an attacker until the police arrive.
If you are using chlorine cylinders like our friend from New Zealand, then keep them in a secure room in a secure building. I would keep my stored cylinders in a separate secured room from the cylinders in use. The more you can isolate the cylinders, one from another, the more difficult it will be to release the total on-site inventory in a single attack.
Mitigation costs can be divided into active and passive measures. Active measures work to reduce the off-site movement of the toxic cloud while passive measures alert the potentially affected population to take appropriate action. Active measures can include water deluge systems or scrubbers protecting the tank storage rooms. Passive measures would include a reverse 911 system or sirens to warn of the release and an education program to teach neighbors how to respond to the warning.
In Closing…
This is, of course, just a brief overview. The American Water Works Association is supposed to be developing a computerized assessment tool. They won't release it to outsiders like me, but it will probably help in the assessment process. The Metropolitan Water District in Southern California seems to have a pretty good handle on this situation; you might want to talk to them.
I hope I have been of some small measure of help.