Thursday, December 31, 2009

What Standard to Apply for IST – Cost Estimates

NOTE: This posting originally ran on 03-05-09. Changes are in [ ]. This is the third in a series of re-postings of articles on Inherently Safer Technology and security at high-risk chemical facilities. The earlier postings in the current series were: Writing IST Legislation IST Reader Comment - Scheduling What Standard to Apply for IST - Limits Gates A typical process introduction [at chemical manufacturing facilities] goes through a number of formal evaluations typically called gates. At each gate there has been more work done on developing the process and the cost estimates get more accurate. The first estimates are based on general ideas of the time, raw materials, and capital equipment required and always include a significant fudge factor that varies with the organization involved (I have heard factors as low as 20% and as high as 50%). As more information about the process is obtained those estimates are refined and the fudge factor is reduced. Even the final budgeted figure is an estimate and includes a contingency factor. The purpose of the gate process is to require periodic re-evaluation of a new process to ensure that an uneconomic project is killed as soon as possible to reduce the amount of money spent on such projects. If the IST process mandated in the new legislation does not take this process into account facilities are going to have to use a larger fudge factor on the evaluation upon which DHS will base its regulatory decision [which will kill even more IST implementations]. Chemical Process Refinement At each stage of chemical process development (I’ve described the process used at companies for which I worked in an earlier blog) new problems and solutions are identified. Process safety and quality issues require the addition of new controls and equipment that were not considered before those issues were identified. EH&S personnel learn more about the health and safety issues involved in the process. Potential chemical reactions with other on-site chemicals [are identified and] may require safety modifications of other on-site processes. I have seen a number of projects killed midway through the development process. We’ve discovered process upsets could lead to the uncontrollable evolution of heat and pressure that would endanger the process equipment; the added equipment to prevent those potential upsets doubled the cost of the project. Other projects could have led to chemical reactions in our waste water streams that would evolve toxic gasses; a complete new water treatment process killed that project. Another project was killed when the supplier of a raw material came in and briefed us on the handling requirements for that chemical; the added safety equipment costs were too high for that project. Escape Clause The earlier in the IST evaluation process that a facility is required to provide DHS with their evaluation data the more likely it is that unsuspected complications will negate those findings as the implementation process proceeds. It is unreasonable to expect that Congress will allow DHS to wait until the IST process is ready to go into full scale operation before they order the facility to implement the project. That would defeat the whole evaluation/implementation requirement. This means that there will have to be provisions for subsequent data submissions on IST evaluations requiring periodic re-evaluations of implementation orders. It might make more sense to require periodic updates of the IST data submission, in effect establishing a DHS gate process. This way DHS could track the progress of the implementation process and the evolution of the cost estimate. Process Research Frequently chemical process introductions are canceled because there is no clear way to proceed while keeping costs within reasonable bounds. In many cases industry is aware of research options that might lead to ways around the restrictions, but just cannot justify the time and money required to proceed with that research. This would seem like an excellent place for the government to step in and assist the development process with grants for process research. In some cases, where multiple facilities from a variety of companies reach the same roadblock, it may be appropriate to form a government and industry research consortium to conduct the necessary research. [These cost estimate issues are another reason that the IST process should be kept separate from the SSP submission process. The earlier in the process development program that DHS requires the assessment to be submitted, the more likely that the IST scheme will be classified as ‘not feasible’ or will be subsequently determined to cost too much. This needs to be carefully addressed in the legislation.]

S 2930 Introduction

One of the last bills introduced in the first session of the 111th Congress was S. 2930, the Justice Against Sponsors of Terrorism Act, introduced by Sen. Arlen Specter (D, PA) on December 23rd. The bill is designed to “provide civil litigants with the fullest possible basis, consistent with the Constitution, to seek relief against persons, entities and foreign states, wherever acting and wherever they may be found, which have provided material support or resources, directly or indirectly, to foreign organizations that engage in terrorist activities” {§2(b)}. While the bulk of this legislation is directed at foreign governments and officials that aid or abet terrorist acts there is one provision that might be of concern to chemical manufacturers, distributors and retailers. Section 5 of the bill amends 18 U.S.C. §2333 to define liability for potential law suits seeking to collect damages for terrorist attack. That section adds the following liability definition: “In a suit arising under subsection (a) of this section, liability may be asserted as to the person or persons who committed such act of international terrorism or any person or entity that aided, abetted, provided material support [emphasis added] or resources (as defined in Section 2339A(b)(1) of this title) to, or conspired with the person or persons who committed such an act of international terrorism.” Since the definition of ‘material support’ in 18 USC §2339A(b)(1) includes ‘lethal substances and explosives’ this bill potentially includes chemical manufacturers, distributors and retailers as targets of such litigation. Typically, one would expect that the litigants would have to prove intent in such civil suits. Unfortunately the Findings and Purpose section of this bill includes the following language: “The United States has a vital interest in providing persons and entities injured as a result of terrorist attacks committed within the United States with full access to court to pursue civil claims against persons, entities, or states that have knowingly or recklessly provided material support [emphasis added] or resources, directly or indirectly, to the persons or organizations responsible for their injuries” {§2(9)}. This would seem to allow action to be taken against chemical manufacturers, distributors or retailers that do not take reasonable precautions to ensure that their chemicals (particularly those COI listed in Appendix A, 6 CFR 27 as theft diversion COI) do not fall into the hands of terrorists. High-risk chemical facilities that have DHS approved site security plans would seem to be protected against such suits, except that this would require the disclosure that they are ‘covered facilities’ and that DHS has approved their security plans. It would be nice if the language of this bill would specifically spell out that as an absolute defense to preclude the requirement to disclose such security provisions in the discovery process. Needless to say, this is another piece of chemical security legislation that I will continue to watch as we move into the second session of the 111th Congress next week.

Wednesday, December 30, 2009

What Standard to Apply for IST - Limits

NOTE: This posting originally ran on 03-04-09. Changes are in [ ]. This is the third in a series of re-postings of articles on Inherently Safer Technology and security at high-risk chemical facilities. The earlier postings in the current series were: Writing IST Legislation IST Reader Comment - Scheduling One of the big problems with a discussion about including mandatory inherently safer technology (IST) implementation rules in the CFATS re-authorization legislation [HR 2868] is determining what standard should be applied to require IST implementation. After a facility reviews potential IST and determines that there is a possible substitution, what level of practicality [‘feasibility’ in HR 2868] will allow DHS to require that facility to implement that IST program? Establish Boundary Conditions One way to do this is to set the extreme conditions that most people will be able to agree would allow a rather unambiguous DHS decision either for or against requiring implementation. Then we can discuss establishing some reasonable standard within those parameters. In establishing these boundary conditions I think that we could establish that there are two separate conditions that need to be taken into account; technical feasibility and financial feasibility. Again, for the sake of establishing the boundary conditions we should agree that any IST provision that is feasible for both standards should be required to be implemented and any that fails both should not be required. Again, the ground in the middle remains open for discussion. Technical Feasibility If an IST substitution has been made at another facility using the same equipment to manufacture the same product to be sold into the same market, clearly that substitution is technically feasible. If an IST substitution has been tried at multiple other facilities using the same equipment to manufacture the same product to be sold into the same market and has never been successful, that substitution may practically be declared to be not technically feasible. Variations in manufacturing equipment, product made and the market being sold into can have a significant impact on the technical feasibility of a process change. Replicating a commercial chemical process in different equipment can often be quite a challenge and it is often next to impossible to tell in advance what differences in equipment will be critical. Different products or even different grades of products can have subtle differences in the allowable variations from standard [these ‘standards’ can be set by the general market, specific customer requirements or government regulations]. A product with a part per thousand allowable variation in standard can withstand a lot more process changes than a product with a part per billion allowable variation in standard. Those allowable variations can vary with product and market. Financial Feasibility Establishing realistic boundary conditions for financial feasibility is a little more difficult. To properly analyze financial feasibility you have to be able to compare fixed and variable costs, capital and operational expenditures, as well as determine equipment lifetimes and projected production volumes. Then you have to establish what baseline you want to use for comparison. For this discussion we will assume that there are acceptable methods for computing the cost per unit volume for all of these variables. We will not want to use the current production method as the baseline for comparison; we will use the current production method plus the cost of alternative security measures as our baseline. If an IST alternative can be implemented at the same or lower unit volume cost than the baseline, we can assume that the alternative is financially feasible. Setting an arbitrary top side boundary is more difficult. For some products increasing the unit volume cost by 10% will make it un-sellable. For others doubling the unit volume cost will make no difference in marketability. We are going to have to rely on the facility management to determine what increase in unit volume cost is acceptable in the market place, always keeping in mind that they are already going to have to pass on the increased cost of facility security. Evaluate the Boundary Conditions At this point I am going to stop to see if anyone has any comments on the proposed boundary conditions. If we can get a broad consensus on these conditions, then we can start working in towards an acceptable standard to use for actual evaluations.

ICS Security Training

Last week I mentioned the announcement of the ICSJWG Spring Meeting found on the CCSP web site. That announcement included a brief mention of a training course, Introduction to Industrial Control Systems Cybersecurity. I contacted ICSJWG for further information on the course and received the following information from Monica Maher at the ICSJWG Program Office, CCSP/DHS: “The training is a fast-paced course covering control systems cyber security challenges. The training objectives include helping participants understand the importance of securing control systems, how attacks against control systems can be launched, and providing mitigation strategies. Participants will gain an understanding of how to improve the cyber security posture of their control system networks. Specific topics will include:
“The importance of protecting control systems from cyber attacks and why they are susceptible “Understanding the risks and potential consequences of attacks “Understanding common vulnerabilities in industrial control systems “Discussion of system exposures to attacks, various attack scenarios, and associate mitigation strategies “Control System Security Program products and services that are available to asset owners.”
It sounds like a good introduction to ICS Cybersecurity. Oh yes, the best information, the course is being provided at no charge.

Tuesday, December 29, 2009

IST Reader Comment - Scheduling

NOTE: This posting originally ran on 02-25-09. Changes are in [ ]. This is the second in a series of re-postings of articles on Inherently Safer Technology and security at high-risk chemical facilities. The earlier posting in the series was: Writing IST Legislation Anonymous left a comment about my blog on a proposal for IST legislation. Those comments, in their entirety, are shown below:
“The trouble with putting IST security reviews on a slower timeline than conventional security assessments is that you have to know what you need to protect before you can decide how to protect it. Why spend $ millions on permanent security measures that are soon made obsolete through implementation of IST? IST reviews should take place first as a matter of efficiency.”
This is certainly a common argument for doing the IST review first [required as part of the Site Security Plan in HR 2868]. Unfortunately, it assumes three things: first that the IST review will result in a process/chemical change, second that there are no threats against the facility in the meantime and finally that developing the site security plan is costly. There are inherent problems with all three assumptions.Cost of Site Security Plans We’ll start with the last assumption, the high cost of site security plans. The development of a site security plan is separate from the implementation of that plan. When DHS roles-out their site security plan and gives a facility 90 days to complete that plan, they are not going to be requiring that all of the security measures are complete and in place [The SSP tool asks about existing, planned and proposed security measures]. They fully expect that a number of the measures outlined in the plan will take time and money to implement. What they will be looking for is a plan forward on these expensive, and time consuming capital projects. Secondly, the cost of implementing the security plan is an integral part of the IST evaluation. An IST implementation plan that costs $2 M may seem unreasonable and an unjustifiable business expense. If that implementation obviates the need for a $3 M security plan [along with associated annual upkeep/expenses], the plan becomes a lot more plausible [‘economically feasible’ under HR 2868]. Now Anonymous is certainly correct that it makes no economic sense for a facility to put into place a high-cost capital project to protect a chlorine storage tank that might be replaced by an IST project. The legislation could easily take this into account by allowing facilities to identify and defer implementation of security measures that are dedicated to the protection of the PIH assets at the facility while they continue to work on the other layers of protection required under CFATS. IST Implementation is Not Inevitable Just because there appears at first glance to be a process or chemical that can be readily substituted for a PIH COI does not mean that it is economically feasible to make the substitution. In fact there may be engineering reasons that would make the substitution impracticable.Many advocacy groups in their pro-IST arguments point to the use of chlorine gas in water treatment and waste water treatment as the most obvious case where a less hazardous chemical or process could be substituted for an admittedly dangerous PIH chemical. In his testimony before the House Subcommittee on Environment and Hazardous Materials, Brad Coffey, Water Treatment Manager, Metropolitan Water District of Southern California, provides an excellent description of the process that organization went through to do their IST analysis for ridding their multiple facilities of chlorine gas. As a result of their analysis many of their facilities did switch, but it was not practical [either economically or technically] to do so for their largest water treatment facility. Interestingly, Mr. Coffey noted that immediately after 9/11 they recognized that the security situation had significantly changed and they implemented security arrangements to protect their PIH targets. They even went to the extent of employing armed guards to protect their rail cars of chlorine gas. Facility Protection During Implementation Even when an IST review determines that a project is feasible and practical there is going to be a long period of time before it can be implemented. The Central Valley Wastewater Treatment Facility in Utah is a case in point. In a November, 2008 newspaper report the facility manager, Reed Fisher, noted that his facility had just completed a design for a UV system to replace their chlorine gas system. He expected to put the system out for bid this last January [January 2009] and have it in running in 2010. Assuming that it took six months to determine that the process was now doable and design the system (a conservative estimate if I ever made one) it would still be two years from the start to finish on this project. And the whole time there would be railcars of chlorine gas or chlorine gas storage tanks sitting there as a target. [And the chlorine storage would be at higher risk during construction because of the increased number of people entering and leaving the facility every day.] At high-risk facilities other than water treatment facilities, the time to implement an IST project could be even longer. Because of quality issues and customer requirements the time frame could be extended by years. In the specialty chemical business where I used to work it often took as long as a year to get approvals to substitute the same chemical from a cheaper supplier. It could take years to develop the new manufacturing processes, complete the requisite testing and gain customer approval for substituting a safer chemical. [This is even more of a problem in closely regulated facilities like pharmaceuticals.] Again, the whole time that the IST review and implementation process is running the facility is a high-risk chemical facility. Facilities with multiple COI, including one or more PIH COI, are likely to remain on the high-risk facility list after their IST project is approved and implemented. As high-risk facilities, they still need to be protected. Run IST Review and SVA/SSP in Parallel To properly protect the surrounding community, and that is what we are really talking about here, the SVA and SSP process needs to be completed while the IST review is taking place. The legislation should require that an IST review start when the facility with a PIH COI is give the preliminary designation of a Tier 1/2 high-risk facility. By the time the SSP submission is required the facility should have a preliminary idea of whether the IST has a chance of being implanted. The SSP tool should include a series of questions about the status of the IST project. If there is a substantial probability that the IST will go forward, then DHS should allow a deferment of some of the most expensive security measures pending final determination on the IST question. [Those would have to be clearly identified in the SSP submission.] If there is a low probability or a long lead time for implementing the IST, all security measures should be required to be implemented.

Reader Comment – 12-28-09 – TSDB and MTSA

A long time reader (and the blogger behind the Maritime Security/MTSA News blog) Laurie Thomas posted a comment about yesterday’s blog of security screening lists. She wrote: On a similar topic, the background checks that are run during the Transportation Worker Identification Credential (TWIC) enrollment process include a check against terrorist watch lists. This almost-tragedy has made some of us wonder about the accuracy of those watch list checks, and also made us wonder who has been given credentials when the most cursory study of the paperwork trail would reveal that person as a potential enemy of the United States. As I understand things, the TWIC background check uses the TSDB (along with various criminal DB) to check for potential terrorist connections. Now since the Nigerian Bomber did not have a Green Card, just a multiple-entry visa, he would not have been able to get a TWIC. Even so, Laurie’s point is still relevant; a citizen or green card holder with a similar entry on TIDE would not have failed the background check for obtaining a TWIC. Of course the problem remains, TIDE listing is based on unsubstantiated and unverified information. There are not enough FBI/CIA/NSA/XXX investigators around the world to run down the information on the 500,000 names on TIDE. Undoubtedly, most of these people pose absolutely no threat to the United States or its citizens. Is it fair to brand these harmless people as potential terrorists, to deny them jobs, or access to the US based on this unvetted information? Many people will answer “Yes”; maintaining that that is the price we must pay to protect our country. But remember, all that it takes to make the TIDE list is a public allegation of a terror connection. If I were to write in this blog that Joe Blow of 000 Main Street, Anytown, USA is making bombs in a shack in the woods outside of town and is threatening to blow up a Post Office because they keep delivering threatening letters from creditors, then Joe Blow would end up on TIDE. Of course, the only thing that I know about Joe Blow is that he has applied for the same job at a high-risk chemical plant that I have applied for; it might give me an edge on that job if Joe Blow’s name turns up on a terrorist screening check. Oh yes, one last word. The next professional (not botched amateur) terrorist attack on US soil will be conducted by someone not on the TSDB or TIDE. What good will the lists have done then?

Monday, December 28, 2009

TIDE vs TSDB

I don’t normally write about hijacking issues because that is out of my general area of expertise (though I did work on the periphery of some live hijack-response operations in the Army in the early 80’s) and because they are not really germane to chemical security issues. I am making an exception in the case of the Nigerian ‘Bomber’ because of a Washington Post article that I found on MSNBC.MSN.com this morning. The article looks at how a person that was identified by his father as a potential terrorist was allowed to get on an airplane bound for the United States. The article is well worth reading and it touches on a number of problems well known to anyone that has worked in or around the intelligence game. What will be of particular interest to the chemical security community is the existence of two intelligence lists; the Terrorist Identities Datamart Environment (TIDE) administered by the Counterterrorism Center, and the Terrorist Screening Database (TSDB) administered by the FBI. TIDE TIDE is a very large data base of information on a large number of people (over a half a million according to the Washington Post article). All someone needs to do to make it into this data base is to appear on a piece of paper (or electronic file) from thousands of different sources (police organizations, intelligence agencies, newspapers, etc) attaching some sort of connection between the individual and a terrorist threat or organization. If the information appears or is collected, it goes into TIDE. TSDB The Terrorist Screening Database is a very much smaller (18,000 names according to the Washington Post article) data base of suspected terrorists maintained by the FBI. To make it from TIDE to TSDB there has to be some level of reasonable suspicion of potential terrorist ties. That level of reasonable suspicion would seldom be made on the basis of a single report being listed in TIDE, unless that report was based on a criminal or intelligence investigation. Where there were multiple entries in TIDE or the single point of information in TIDE was specific enough to raise concern in the intelligence or law enforcement community, some level of investigation would be conducted. That investigation, if it uncovered evidence worthy of concern, could result in a name being added to TSDB. Chemical Security Now, what does this have to do with chemical security? Readers of this blog might remember last June when I wrote about the new personnel surety program being developed by DHS to support the terrorist screening requirements of RBPS #12. The checks that would be conducted by DHS under that new program would be checks against the TSDB not TIDE. The question that arises out of this incident is whether the terrorist screening check should be conducted against the TSDB or against TIDE. Assume for the purposes of this discussion that there was not enough information in TIDE to justify moving the Nigerian Bomber’s name onto the TSDB. If instead of bombing the KLM airliner, he had moved to Houston (there is a large Nigerian immigrant population in and around Houston) and signed on to work at an oil refinery or off-shore rig, the planned TSDB check would not have stopped him from bombing such a target either. Civil libertarians will be quick to point out that the data necessary to be listed on TIDE is not vetted or verified in any meaningful manner. It is includes the worst sort of gossip and unfounded character assassination. To base employment decisions on that sort of data is certainly unfair and almost certainly illegal. So, how do we weigh the competing demands? Do we cut into civil liberties to protect against terrorist attacks? Do we blithely ignore ‘documented’ threats to preserve one bomber’s human rights? Or, do we accept that protecting society from the external threat of terrorist attack is worth giving up some of our individual liberties and due process protections? Before you answer, remember one thing; it was almost by accident that the Nigerian ended up on the TIDE list in the first place, not through diligent intelligence collection of as the result of a thorough police investigation. On November 19th a concerned father entered the US embassy in Nigeria to complain that his son had become ‘radicalized’. If that father had been able to hold onto hope for just another month, the complaint would have been made too late for it to even have registered on TIDE before the attempted bombing took place. Also remember this, that a few short years ago the TSDB numbered in excess of 30,000 names instead of today’s 18,000. What was the reason for the decrease? Too many innocent civilians complained that they had been unfairly placed upon that list. Old women and young children had been listed because their name (not their unique identity, just their name) was similar to that of a suspected or known terrorist. Finally, take this into account. No intelligence or police organization has ever come close to being 100% effective in identifying the mean spirited and dangerous enemies of our society. No matter how broad we cast the net, we will never identify all of our potential attackers. So even if we completely disregard personal liberties and privacy concerns, we are unlikely to catch all of our enemies before they attack. Now, which data base do you want DHS to use in conducting their terror database search for checking the backgrounds of employees, contractors and vendors working at high-risk chemical facilities? Oh, yes, remember that plant management will also be subject to the same check.

Writing IST Legislation

NOTE: This blog first appeared on 02-23-09. New additions are set in []. As I have mentioned on a couple of different occasions, I believe that there is going to be a major push to include a mandatory IST provision in the legislation that will continue the authorization of the current CFATS regulations. It doesn’t take any great insight or a crystal ball to make that claim; a number of safety and environmental advocacy groups have made it perfectly clear that that is one of their major objectives for this legislative session. It is also fairly clear that there are sufficient votes in the House Homeland Security Committee to approve legislation containing mandatory IST provision; HR 5577 passed easily last year. It is likely that there will be sufficient votes for it to pass in the House as well. The Senate is a much closer call, but I think that a properly crafted bill with adequate protections of industry from a capricious DHS will garner support from a key Senator, Sen. Collins (R, ME), the ranking member of the Senate Homeland Security Committee. That support may be enough to pass a cloture motion and then allow a Democratic majority to pass the bill. With this in mind, I think that it is important the chemical industry (the ACC and SOCMA in particular) to stop their absolute opposition to IST and work with Chairman Thompson [now Chairman Lieberman and Ranking Member Collins] to craft sensible and workable IST wording for the chemical facility security legislation that is sure to be introduced in the next couple of months [HR 2868 passed in House]. I have some suggestions for what that wording should include. Stand Alone IST I think that including an IST requirement in the Site Security Plan (SSP) portion of the legislation is self-defeating. The IST provisions should be in a stand alone section of the legislation and subsequent regulations. The time requirement should run independently of the time limits for the CSAT process. There are a couple of reasons for this. First, a realistic appraisal of all of the IST alternatives for a facility could take significantly more time than required to complete an SSP. If the SSP time standard were adhered to a sloppy and inevitably negative IST report would be the result. If the SSP time frame were extended to an adequate time for completing an IST evaluation, it would unnecessarily delay properly protecting the facility, especially if it was determined that no reasonable IST was available for that facility. Second the facility will need to know what the alternative security cost would be for not completing a marginal IST project. The only way that they would be able to determine that is for the facility to have an approved SSP. That way the proper alternative cost can be accurately weighed into the equations. [An economically ‘unfeasible’ IST could become feasible if the security cost of not implementing the technique was considered.] The final reason is that the implementation of IST could take a great deal of time depending on the construction requirements. The facility would need to have security procedures and equipment on hand for the higher-risk pre-IST conditions until the changes have been completely implemented and the ‘offending’ COI removed from the facility. Limit Application of IST HR 5577 last year limited its IST provision to the ‘highest-risk facilities’ without adequately defining what that meant. I think that a more reasonable provision would be to require facilities with release toxic COI in Tiers 1 and 2 to conduct an IST evaluation for those COI. Other categories of COI would not be required to be evaluated for IST. [HR 2868 does limit IST implementation requirements to release COI, not release toxic COI.] It is true that there is no inherent reason that any high-risk chemical cannot have an IST alternative. However, a realistic appraisal of the situation would show that PIH chemicals in particular are attracting the political ire of the advocacy groups pushing for IST implementation. These chemicals would also be responsible, in the event of a successful terrorist attack, for the widest range of serious injuries and death. Restricting the mandatory IST provisions to just release toxic COI will undercut some of the industry opposition to IST since it will severely curtail the number of facilities that will face the prospect of implementing the IST provisions. Additionally, the facilities that will have to complete IST reviews will be the facilities that would be the hardest to defend not having done the review. IST EvaluationsSince the legislation would limit the mandatory IST review to just release toxic COI there are only two forms of IST that realistically need to be considered. The first is substituting a less hazardous chemical or process for the release toxic COI. The second alternative would be significantly reducing the inventory of the release toxic COI. Both alternatives would have to have some restrictions placed on them in the legislation. Substituting chemicals should not simply shift the toxic release hazard from one location to another. For example, simply switching from chlorine to hypochlorite should not be allowed [I should have said ‘required’] unless it can be shown that the manufacturing site for the hypochlorite would not be at increased risk because of a larger amount of chlorine used to make the hypochlorite. [This provision is included in HR 2868.] Similarly, reducing the amount of the release toxic COI inventory by taking more frequent and smaller shipments would increase the risk of accidental release of, or attack on, the COI in transit. [Furthermore, increasing the number of shipments increases the risk from accidental release during handling.] This does not increase the security or safety of the entire system. Evaluating Evaluations [Assessments] One of the common complaints from industry is that they do not believe that ‘bureaucrats’ have the technical expertise to critically review an IST evaluation done by industry. On the other hand, advocacy groups would be quick to point out that not validating negative IST reviews would provide a wide open thoroughfare for industry to avoid making realistic changes to their processes. Both sides can point to a host of evidence to support their position. The obvious solution to this impasse is to have a technical review done by technically qualified individuals. The legislation should require the National Academy of Sciences to establish an Inherently Safer Technology Process Review Board. This board would be funded by DHS and be charged with four overlapping missions:
Provide for a technical review of facility IST evaluations; Identify areas of research that would support decreasing cost and increasing effectiveness of IST techniques; Provide funding for and oversee such research; and License the use of techniques developed in such research.
This technical review would serve to keep industry honest in conducting their site IST evaluation, it would help to identify technical roadblocks to IST implementation and help to clear those road blocks. [This technical review would, inevitably, increase the time necessary to evaluate whether or not DHS should require the implementation of the IST evaluated by the facility. This provides another justification for removing the IST assessment from the SSP process.] Moving Forward The two sides of the IST debate have staked out their positions over the last year. Industry wants no part of government mandates for process change. Advocacy groups want government to regulate against the industrial use of PIH chemicals. At some point between those two positions lies a reasonable compromise that will allow the chemical industry to operate with a minimum of government interference while increasing the safety of communities around high-risk chemical facilities. The option described here provides a starting point for the discussions necessary to reach that compromise.

Adjourned Sine Die

Congress finally completed their work on December 24th and adjourned for the remainder of the year. Unfortunately the only work they completed on the chemical security front was to include a one year extension of the authorization for the CFATS regulations in the DHS budget bill. The House did pass two authorization bills for DHS components (TSA and the Coast Guard) and HR 2868, the Chemical and Water Security Act of 2009. With Congress adjourned and members back in their districts, many of my readers will be taking a vacation for the next two weeks. I’ll be spending more time on some other projects that I have been working on. But this blog won’t be adjourned. There could still be significant news in chemical security to look at, so I’ll still be watching for that. CFATS Legislation The Senate Homeland Security Committee staff will continue working on HR 2868 in the coming weeks. The staffs of Sen. Collins and Sen. Lautenberg are supposed to be working on preparing CFATS re-authorization of their own to counter their very divergent views of the problems with the House bill. The issue that will continue to be the most contentious in this area will be the Inherently Safer Technology (IST) requirements. Last year, before the HR 2868 language became available, I wrote a series of blogs about the IST issue. This week, I will be re-posting those blogs. I think that they can contribute to the work that continues to be done in the (at least) three Senate staffs currently working on this issue. Politics of Re-Elections One last political reminder to readers of this blog; if you thought politics was contentious this year, you haven’t seen anything yet. The first session of the 111th Congress was marked by party division. The second session of any Congress is always more affected by pre-election posturing by both parties; this one will certainly follow that model. The party-line division will, if anything, get worse in the lead up to October. While major issues drew a lot of ‘conflict press’ in the first session, there were a number of issues where there was bipartisan support for less controversial legislation. The number of such bipartisan bills will probably be reduced during the second session and will draw even less press coverage. What were minor disagreements last session will become ‘stands on principal’ this session as part of the Congressional re-election process. Fortunately for the chemical security community, this will be less evident in the Senate because less than 1/3rd of the Senate is up for re-election this year. That means that most Senators will probably not be looking at their short-term re-election benefit when deciding how to vote on HR 2868. Hopefully, that will allow for some reasonable compromises on IST and other issues.

Thursday, December 24, 2009

Chemical Security Legislation Status 12-23-09

Over the last year the 111th Congress has introduced a wide variety of legislation. Very little that directly affects the chemical security community has made it completely through the legislative process. As Congress gets ready to adjourn for the remainder of the year, here is a list of incomplete legislation that could yet affect our community. More details on each bill can be found at www.thomas.loc.gov. Incomplete Legislation HR 553 - To require the Secretary of Homeland Security to develop a strategy to prevent the over-classification of homeland security and other information and to promote the sharing of unclassified homeland security and other information, and for other purposes. Passed in House. Senate Homeland Security and Governmental Organization Committee ordered reported favorably on 11-04-09; no report available. HR 732 - To authorize the grant program under which the Secretary of Homeland Security makes discretionary grants for use in high-threat, high-density urban areas, and for other purposes. Assigned to Subcommittee on Emergency Communications, Preparedness, and Response; House Homeland Security Community. HR 1013 - To direct the Secretary of Transportation to establish and carry out a hazardous materials cooperative research program. Assigned to Subcommittee on Technology and Innovation; House Science and Technology Committee. HR 1187 - To authorize the Secretary of Homeland Security to make grants to first responders, and for other purposes. Assigned to Subcommittee on Emergency Communications, Preparedness, and Response; Homeland Security Committee and to Subcommittee on Economic Development, Public Buildings and Emergency Management; House Transportation and Infrastructure Committee. HR 2200 - To authorize the Transportation Security Administration's programs relating to the provision of transportation security, and for other purposes. Passed in House. Assigned to Senate Committee on Commerce, Science and Transportation. HR 2868 - To amend the Homeland Security Act of 2002 to enhance security and protect against acts of terrorism against chemical facilities, to amend the Safe Drinking Water Act to enhance the security of public water systems, and to amend the Federal Water Pollution Control Act to enhance the security of wastewater treatment works, and for other purposes. Passed in House. Assigned to Senate Committee on Homeland Security and Governmental Operations. HR 3410 - To require Surface Transportation Board consideration of the impacts of certain railroad transactions on local communities, and for other purposes. Assigned to Subcommittee on Railroads, Pipelines, and Hazardous Materials; House Transportation and Infrastructure Committee. HR 3619 - To authorize appropriations for the Coast Guard for fiscal year 2010, and for other purposes. Passed in House. Placed on Senate Legislative Calendar (No. 195). HR 4061 - To advance cybersecurity research, development, and technical standards, and for other purposes. Ordered reported by House Committee on Science and Technology on 11-07-09. No report available. HR 4370 - To require railroad carriers to prepare and maintain a plan for notifying local emergency responders before transporting hazardous materials through their jurisdictions. Assigned to House Committee on Transportation and Infrastructure. S 177 - A bill to amend the Small Business Act to extend the Small Business Innovation Research and Small Business Technology Transfer programs, to increase the allocation of Federal agency grants for those programs, to add water, energy, transportation, and domestic security related research to the list of topics deserving special consideration, and for other purposes. Assigned to Senate Committee on Small Business and Entrepreneurship. S 1385 - A bill to amend title 46, United States Code, to improve port safety and security. Assigned to Senate Committee on Commerce, Science, and Transportation. S 1649 - A bill to prevent the proliferation of weapons of mass destruction, to prepare for attacks using weapons of mass destruction, and for other purposes. Ordered reported by Senate Committee on Homeland Security and Governmental Affairs on 11-04-04. No report available. Analysis The two DHS organization authorization bills (HR 2200, TSA; and HR 3619, Coast Guard) passed easily in the House. When they finally reach the floor in the Senate they should also pass, but probably with additional amendments. Both bills should ultimately pass. The big question is whether or not the 111th Congress will become the first to pass a DHS authorization bill. HR 553 should pass, it is one of the second tier objectives of the Obama administration to get the ‘over-classification’ issue taken care of. The only thing that might derail this particular bill is the passage of one that covers the whole Executive Branch instead of just DHS. HR 2868 has a good chance of passage in some form. There will be a major fight about inherently safer technology. If IST gets knocked out in the Senate version, this will set up a major fight in conference. The liberal support for IST is very strong, and they certainly want to see IST in the legislation. If industry can come up with a version of IST that will gain approval of a bi-partisan coalition in the middle, HR 2868 will get passed with out a knockdown drag-out fight. Most of the remaining bills will go the same way that the bulk of introduced legislation goes, into the history books as an interesting footnote. They won’t pass, most won’t even get voted on. The only other place they will show up is in campaign literature next fall.

Wednesday, December 23, 2009

HR 4370 Introduction

Last week Rep. Charles Gonzales (D, TX) introduced HR 4370, the Safe Transportation of Hazardous Materials Act of 2009. The bill would require railroad carriers to prepare and maintain a plan for notifying local emergency responders before transporting hazardous materials through their jurisdictions. The legislation has been referred to the House Transportation and Infrastructure Committee. The bill would require every “railroad carrier engaged in the transportation of hazardous materials” to submit a plan to the Secretary of Transportation of how they would provide 48-hour advance notification to emergency response personnel of the expected transit of a train carrying hazardous materials through their jurisdiction. Such notification would only be made if the emergency response personnel requested the notification. Emergency responders are required to provide 48-hour advance notice of the notification requirement. The bill does not explain if this requirement is just for single event notifications or for a permanent notification requirement based upon the single request. Interestingly, the legislation makes no mention of what information would be expected to be included in the notification. So the simple notification that a train carrying hazardous material will be transiting the jurisdiction would be adequate provision of information. This would suffice for a train carrying a single railcar of fuel oil or 30 cars of anhydrous ammonia. That does not make much sense. The bill provides no justification for this requirement. It does not explain what use the emergency responders would make of the 48-hour advance notification. The 48-hour advance notice is not enough time to for the emergency response agency to acquire new equipment or conduct additional emergency response planning. This legislation looks more like a PR ploy than a real piece of legislation. This would be a bill that Rep. Gonzales could point to during a re-election campaign as proof of his support for emergency response personnel.

CSSP Web Page Update 12-23-09

The DHS-CERT Control Systems Security Program (CSSP) web page has been updated. There is now a link to the Industrial Control Systems Joint Working Group’s (ICSJWG) announcement of their spring meeting in Austin, TX, as well as a link to a new publication about the use of encryption to protect industrial control systems. ICSJWG Spring Meeting The ICSJWG is a part of Critical Infrastructure Partnership Advisory Council (CIPAC). According to the meeting announcement web page the “goal of the ICSJWG is to continue and enhance the collaborative efforts of the industrial control systems stakeholder community in securing CIKR by accelerating the design, development, and deployment of secure industrial control systems.” The spring meeting will be held over April 6th thru 8th in Austin, TX. The conference will include presentations by industry leaders in control systems cybersecurity, updates from the ICSJWG Subgroups, and the Introduction to Industrial Control Systems Cybersecurity training course. Further details, including a call for papers, will be forthcoming. ICS Encryption The CSSP has introduced a new publication, the Control Systems Communications Encryption Primer. According to the Abstract the “primer addresses the use of encryption systems within control systems environments”. It addresses the problems of applying encryption techniques to industrial control systems, acknowledging that these techniques “can introduce significant design challenges as they add complexities and operational limitations to the environment”. There will be more on this Primer in a future blog.

Commercial Peroxides

In a blog last month about academic lab alternative security programs I mentioned the IED precursor chemicals that had been bought by the suspected terrorist in Denver earlier this year. I said then that I would probably address the question of why such materials were not chemicals of interest under CFATS. Well this slow season during the holidays seem like a good time to address such issues. Pressure Events The first thing that people have to realize is that there are a wide variety of readily available commercial products that can be used to make an ‘explosion’. Most people consider it an explosion when a chemical reaction produces a gas in a sealed jar and the resulting gas pressure builds up to the point where the jar ‘explodes’ sending pieces of glass flying. While military and security people don’t really consider these ‘pressure events’ to be explosions, they are used to damage property and hurt people. DHS has not attempted to regulate the chemicals that go into these types of ‘explosives’ for two basic reasons. First the potential damage from these devices is so limited that they really are not useable as terrorist weapons. The second reason is that the number of potential chemicals used in such devices is so large that there is no practical way to regulate them. For a really ludicrous example look at the ‘explosion’ resulting from the combination of Mentos® candy and Coke®. Peroxide Explosives Now the alert reader will be quick to point out that the peroxide explosives that could be made with hair care products involved in the Denver case are explosives in the military sense. That is that the chemical reaction is in reality a really fast burning fire that produces a great deal of pressure in a very short period of time. Properly enclosed in a metallic casing these explosions can produce significant damage over a large area. Various peroxides are of particular significance when looking at a large number of improvised explosives. Chemically speaking they contain readily available oxygen that promote a wide variety of chemical reactions. From a security point of view they speed up the rate of combustion for many materials so that the other chemical now explosively burns. These peroxides are available in a wide variety of commercial products, including cleaning products, hair colorings, and hygiene products. The concentration in these products is so low that they would have no appreciable affect on the rate of burning. Unfortunately, a chemist or chemical technician can figure out ways to extract the peroxides from these products to produce a concentrated enough to peroxides to be used in improvised explosives. There is a problem with this however. You really have to know what you are doing when completing the extraction/concentration process. Nearly all of the techniques require the application of heat and that is always a dangerous thing to do to peroxides. They are unstable molecules that readily give up their excess oxygen (which is why they are used in explosives in the first place). If you don’t follow procedures exactly the premature of release of oxygen will result in small explosions in your equipment. Some will be true explosions while others will be pressure events. Dirty equipment or poor temperature control make this result even more likely. While the explosions will be small on a relative scale, they will certainly be large enough to destroy the processing equipment while killing or injuring the operators. Peroxide COI DHS took all of this into account when they set their minimum concentrations for peroxides when they established their list of DHS Chemicals of Interest (Appendix A to 6 CFR 27). Generally speaking the concentration listed in the appendix are those that are readily useable as improvised explosive components. This is why peroxide containing hair products are not covered materials under CFATS. This does not mean that DHS and the FBI are ignoring the potential use of lower concentrations of peroxide in commercial products. As I noted in an earlier blog DHS has established a voluntary program urging retailers and distributors of a variety of peroxide containing materials to watch out for odd purchases of these materials. The lower the concentration the larger the amount of material needed to extract sufficient quantities of peroxide to make terrorist weapons. This means that typical, legitimate users of these materials do not need to be hassled to prevent terrorist use of these chemicals.

Tuesday, December 22, 2009

Reader Comment – 12-21-09 – POC Info

Yesterday a reader, Joey Hernandez, posted a response (actually two nearly identical responses) to an earlier blog about an upcoming cyber security forum. He was asking for point of contact (POC) information about a reader mentioned in the article. Since Joey provided his POC in his posting I made sure that I contacted him to verify that he wanted the comment posted on the blog. I wanted to ensure that it wasn’t just a note to me.

I have always made it a point to be careful in giving out contact information about people in general. Many people don’t want to be contacted by a wide variety of strangers. So I generally treat contact info as confidential information.

I have the POC information that Joey was looking for, but once again, I didn’t give it out. I told him that I would contact the person in question, forwarding Joey’s contact request. What happens next is up to the person in question. In this case I’m fairly sure that communication will be established between these two individuals.

Privacy

The reason that I mention this is that from time to time I need to make clear my personal policy on privacy. First off, I have made arrangements with Google (who hosts this blog in case you hadn’t noticed) that comments posted to the blog are moderated. This means that when you post a comment, that it does not go public until I see and approve it.

Generally I am trying to screen out blog spam and what I consider (in my sole judgment) to be offensive comments. If contact information is provided in the post, I will typically contact the provider to ensure that they want that information made public.

While I have no desire nor intention to sell such information, I have no way of stopping people from acquiring that information once it is posted to the site. Remember, once it is on the net, it is there for ever. If you don’t want me to post the comment, but just want to communicate it to me, then clearly (preferably in bold letters, the internet equivalent of a shout) indicate that the post is ‘PERSONAL’.

I would prefer that you contact me by email with personal communications, but I do understand that anonymity is very important to some people. One final note on blog comments; DO NOT, under any circumstances, post CVI information to this blog. I know that there are a number of DHS ISCD employees that routinely read this blog. I don’t want to get into a fight with DHS about CVI disclosure; that is a fight I cannot win. And I am certainly not going to get into that kind of fight with out thinking it through ahead of time.

Chlorine Fire

There is a brief article on KWTX.com describing a fire at a water treatment facility in Texas. The fire took place in a small building where two small chlorine cylinders were stored. The fire was detected by a patrolling deputy who saw the flames and a ‘yellow mushroom cloud’. Responding fire companies detected lethal concentrations of chlorine gas on site and an evacuation was ordered in a three-mile radius around the building. There were no reports of injury or death in the article, but there was certainly the potential for both in this incident. While this was apparently an accidental fire, it does point out that fire may be an excellent weapon to use in a terrorist attack on a facility holding toxic release COI. As such we should look at this incident for lessons that can be applied to defending chemical facilities against that type of attack. Fire Protection The first thing that we see is that the first detection of this release was made by a passing deputy. If circumstances had not brought that cruising deputy to that point at that particular time, the dispersal of the chlorine cloud might have certainly caused more problems for responders. Any facility that stores release COI of any type should be equipped with smoke and heat detecting fire alarms to give fire response personnel the earliest possible response. Needless to say, such alarms need to be tied directly to the local responders, unless the facility has an on-site fire company. The fact that there was a chlorine cloud noted by the deputy indicates that the fire had been burning for some time. The chlorine cylinders are pressure vessels. They are equipped with pressure relief devices that prevent pressure from building to the point where that the tank would ‘explode’ or catastrophically fail. The idea is that the controlled release of the material to the atmosphere reduces the potential danger area over that seen in a catastrophic release. The easiest way for that critical pressure to be reached is for there to be a fire with ‘direct flame impingement’ on the cylinder. This means that a commonsense protection mechanism for such cylinders is for there to be a water deluge system on the tanks to keep them cool enough that they don’t reach their ‘release’ pressure. Even a common sprinkler system would provide some protection and would delay any temperature related pressure release. Sprinklers would also reduce the amount of chlorine gas that reached the atmosphere by dissolving some of the released gas in the water. Evacuations One key mitigation measure for any toxic release COI is the evacuation of the potentially affected population. In this case, with less than 200 lbs of chlorine involved, the three-mile evacuation area was probably over kill. As the gas cloud moves away from the release point the cloud disperses and becomes less of a hazard. There are tools available that allow for easy predictions of the distance at which the cloud loses its hazardous characteristics. In this case, a fire actually reduces the potential area of concern. One of the problems with chlorine gas is that it is heavier than air and thus hugs the ground, flowing generally down hill. In this case the fire heats the gas making it rise. The more the cloud rises the more quickly it disperses. Unfortunately, it does spread it beyond the typical low-lying areas that authorities are normally concerned with. Evacuations are most effective when they are conducted before the actual release happens. This is another argument for fire alarms on the facility. It allows emergency responders to start evacuation procedures prior to the actual release of chlorine gas. The problem with post-release evacuations is that you can inadvertently direct people into the toxic cloud. This can result in needless casualties. Preventing these casualties requires knowledge of the actual concentrations of the toxic chemical in the evacuation area. This can be accomplished with fixed or mobile chemical detectors. The optimum situation is to have a network of fixed detectors and feeding that information into a computer program that maps the concentrations so that emergency personnel can easily tell who should be evacuated and who should shelter-in-place. The population that is most at risk in a toxic chemical release are those people that are living and/or working in the areas immediately adjacent to the facility. They have the shortest amount of time to properly respond to the release. They need specific training on appropriate actions to take and need the earliest warning. Depending on how close these people are to the fence line, it may be appropriate for them to be automatically notified at the same time as the emergency responders. Prior Planning The key to a well timed, effective response to a potential toxic chemical release is effective prior planning. Facility management, first responders, and emergency planners need to work together long before the release to be able to effectively respond in an emergency responders. The next key step is to inform the potentially affected public of the hazards and their appropriate responses in the event of an emergency. As with any emergency situation, proper prior planning prevents poor performance.

Monday, December 21, 2009

Reader Comment 12-19-09 Security Systems II

A reader, Security Systems, left a short note to a posting about an earlier reader’s comment about security systems. Security Systems wrote: “Security problem is not an easy thing to deal with. But security systems does [sic] make the work much easier these days.”

We’ve Come a Long Way 

I fondly remember my first security patrol (guard duty) in Basic Training at Ft. Ord, CA back in the winter of 1973. I was dressed in fatigues with highly polished boots, equipped with a pistol belt/canteen, a fiberglass helmet liner and a baseball bat for a weapon. My post was to walk the flight line at the local aviation detachment and I had to prove that I had a dime to call the Commander of the Relief in the event of a problem.

The flight line was well lit, but the coastal fog made it nearly impossible to see even the parked helicopters from more than 30 feet away. Today that post would be watched via video cameras backed up with motion detectors, fence alarms and key-padded gates.

Vehicle teams would spot check that post along with a dozen others periodically through the night. The fog would be effectively transparent, and any intruders would have a much more difficult time approaching an aircraft undetected than when I was guarding those birds those many nights ago. 

Security systems have advanced by leaps and bounds over the years. The advent of cheap electronics has made it much easier to design a multi-tiered security system with multiple methods to detect intruders. The large numbers of systems from a seemingly endless supply of providers have made security planning more difficult, though, instead of less.

This increased complexity has given rise to a new industrial specialty, the security system integrator. This is the person that integrates the variety of human and electronic security systems that need to work together to form the seamless security package required for the high-risk facility. If you ignore the complexity of the systems involved, and as a society we have become very adept at ignoring system complexity, then the wide variety of security systems now available to help secure critical facilities does make the job of security easier.

All we have to do is fob off the hard part to those trained and experienced to handle that chore.

CIKR Webinar Update – 12-21-09

Thanks to the folks at CIPP@news.infracritical.com for updating me about the change that was made in the schedule for this month’s CIKR webinar that was supposed to be held later this afternoon. The DHS CIKR Learning Series website was updated after I had made my regular morning check so I wouldn’t have known about this change until tomorrow. I’m assuming that everyone that was already registered to take part in the webinar was notified by email this morning. Due to the weather conditions in the Washington, DC area, Federal Employees have apparently been given the adult equivalent of a snow day. As a result this afternoon’s webinar (Critical Infrastructure Resiliency: The Next Frontier in Homeland Security) has been postponed until Wednesday, January 6, 3:00-4:00 PM (EST). According to the web site, re-registration is not required.

Year End Review

It seems that as the end of the year quickly approaches everyone in the news business is doing pieces about the year’s ‘most popular stories’. While this blog isn’t strictly a news outlet, I thought I would join that band wagon and look at this year as seen by this blog. Most Visited Postings This is my first full year of using Google Analytics® to keep track of what my readers are reading. It allows me to look at how many people are visiting the blog (my daily readership has about tripled over the last twelve months) and it tells me a little bit about them. About half of the people coming to the blog each day were repeat visitor. The remainder came to the site via search engines or other site referrals looking for specific comments. Looking at the individual posting pages that people visit, either via search engines, referrals or on-the-blog searches we can do a list of the ‘Most Popular Postings’. Here is that top ten listing: 1 Rand Beer’s Confirmation Hearing 2 Fatal Ammonia Incident 3 Chemical Security Academy 4 DHS NPPD Under Secretary Appointment Announced 5 Site Security Plan Template 6 Video Escorts 7 CFATS Inspector Finds Damaged HF Tank 8 CFATS Inspectors 9 CSX SecureNow 10 Pending TSA Security Regulations It is interesting that all three postings that I have done on the chemical facility inspectors have made the Top Ten list. Of course, high-risk chemical facilities are expecting to receive their first visit of these inspectors in the coming year, and it will be a first time thing for most of them. People appear to be trying to get a handle on what to expect when these inspectors show up at their door. Long time readers of this blog will remember that I used to do a lot more reporting on individual chemical incidents. This year I cut that reporting back, reporting just on those incidents that could teach us the most about security issues including emergency response. This makes it especially surprising that a relatively unnoticed ammonia release made the top 10 list at #2. From blog comments and emails that I received, a number of the readers of this story were locals looking for authorative information on the incident. The number six story provides a cautionary tale to people who like to analyze numbers out of context. The posting was about the use of video cameras at a port facility to fulfill the escort requirements of the MTSA regulations. What people have to remember is that the term ‘video escort’ shows up in searches not related to security issues. I have had to reject a number of blog responses from ‘readers’ wanting to get a link to their escort-service web sites (services that obviously have nothing to do with security) posted on this site. Popular Topics The individual page top-ten list does not provide the best look at what the readers are looking at. This is rather obvious from seeing only one posting about actual CFATS issues making it to the list, the site security plan template story. So I went through the list of the top 200 postings (almost 10% of the pages from the last year) looking for story topics. From that list I was able to compile a Top Three list of popular topics. Those topics were:
1 Site Security Plan 2 HR 2868 3 Risk-Based Performance Standards
It is rather obvious that I have written a significant number of postings about these three topics over the last year. But, since this tracking of page ‘hits’ only looks at those pages that people are specifically coming to (rather than just looking at in their daily reading) I think that it is fairly obvious that these are topics in which my readers are interested. Site Recognition I continue to get personal expressions of support for this blog from a wide range of individuals in the chemical security community. Those are always appreciated. This year I started receiving some semi-official acknowledgements of support. I have been asked to take part in a number of blogger roundtables and have been interviewed as a chemical-security legislation ‘expert’ by editors at two industry sites. A reader recommended me to a magazine editor based upon my writing here and I now write regular pieces on chemical security issues (among other things) for the Journal of Hazmat Transportation. This blog will never make the list of top 100 blogs because of the limited potential audience. The chemical security community is just not that large. The encouragement and recognition that the site receives are an important incentive to continue this blog. There is a lot of time and effort that goes into making this blog appear on the web every day. It is a labor of love that I hope to be able to continue for a long time to come

Friday, December 18, 2009

Vehicle Barriers and VBIEDs

There is an interesting article over on SecurityManagement.com about choosing the right antiterrorism vehicle barriers. The article includes a link to a .PDF table showing a general comparison of the characteristics of different types of vehicle barriers. Both the article and the table should be valuable references for high-risk chemical facilities considering the use of vehicle barriers for their Site Security Plan.

The article is targeted at audiences looking to use vehicle barriers to prevent terrorist attacks on buildings using vehicle borne improvised explosive devices (VBIED). Since the targets discussed here are public buildings housing offices or apartments, the discussion of the blast analysis of a target structure is not really applicable to attacks on chemical facilities.

VBIED Targets 

While there might be some reason that a terrorist might want to conduct a VBIED attack on the office complex at a chemical facility, that is not the type target that most VBIED attacks will be pointed at in the event of an attack on a high-risk chemical facility. The most likely target of such an attack would be storage containers of toxic, flammable or explosive release chemicals of interest (COI). Since a VBIED attack is a high-cost attack strategy, it is most likely to be pointed at the highest value target, the storage container(s) with the highest off-site consequence.

If the facility had a large acrolein storage tank and a warehouse containing a small number of acrolein drums, the storage tank would certainly be a more likely VBIED target. A facility with similar sized tanks of allyl alcohol and allylamine would probably decide that the allyl alcohol tank would be a more valuable terrorist target because it is a toxic release (vs a flammable release) COI; and it would have more of an immediate off-site consequence if released into the environment.

That value calculus can be deceptive in some cases. If a facility has a high-pressure containment vessel like a chlorine tank, it may be easier for a terrorist to attack a nearby flammable release COI storage tank. The resulting fire, if close enough to the chlorine tank, could cause a catastrophic rupture of that tank through weakening the thick metal walls of the tank and increasing the pressure inside of the tank above the design limits.

Storage Tank Damage 

The SecurityManagement.com article has a pretty good discussion of the graduations of the types of damages that a VBIED can inflict on a target building. Understanding these damage levels is important in crafting an anti-VBIED barrier plan. Ideally a security planner would like to prevent any damage, but a realistic assessment might be made that a few broken windows from the overpressure effect might be an acceptable level of damage.

This would affect the required standoff distance between the barriers and the building. A similar decision tool is required for chemical storage tanks. The damage assessment criteria for storage tanks should be based on the resulting release rate of the chemical the chemical of interest. The higher the release rate the more likely there would be an adverse off-site impact from the release. The comparable structural damage limit states for storage might be categorized (lowest to highest risk) as:
Damage to associated piping; Limited damage to gaskets, seals or flanges on the tank proper; Small punctures (<1 in="" major="" punctures="" tank="" the="" walls="">1”) in the tank walls; or Catastrophic failure of the storage tank.
The overpressure effects required to produce the damage are going to depend in large part on the type of construction of the storage container. High-pressure systems will require higher levels of overpressure to sustain similar levels of damage. I have not seen any specific figures for the overpressure required to sustain these levels of damage, but I suspect that they would be available from the Center for Chemical Process Safety or one of the engineering associations.

Size of VBIED 

One important factor in determining the placement of vehicle barriers that is kind of glossed over in this article is the size of the explosive charge in the VBIED. This is a critical variable in determining the overpressure produced by detonation. A 40,000 lb ammonium nitrate VBIED will produce catastrophic storage tank failure over a much larger area than a 500 lb VBIED. It would not be reasonable to assume that a terrorist team would use a 40,000 lb VBIED to attack a 5,000 gallon flammable release storage tank. The VBIED detonation would be more dangerous than the subsequent release.

Parking such a VBIED outside of the security perimeter would have more of an off-site consequence and would be a less risky operation. The security system design team is going to have to determine what is a reasonable sized VBIED that they could expect to face in a serious attack on the facility. They will have to take into account the fact that a larger VBIED is much more costly to a terrorist organization (from both a materials and operational perspective) than a smaller VBIED.

The design team is going to have to weigh the cost of VBIED against the utility of the facility as a target. A large chlorine storage facility in a major urban area will have to design for a larger VBIED than a similar sized facility in a rural setting. Unless DHS decides to get involved in dictating VBIED sizes for the design basis for facility security systems (and an argument could be made for a Tier ranking based size standard), the VBIED size determination will be a facility security management decision. The basis for the VBIED size used in the security system design should be explicitly spelled out in the design documents.

Thursday, December 17, 2009

Reader Email – 12-16-09 – Security Costs

I got an email yesterday from a reader that frequently communicates with me semi-anonymously. He provides his comments via email instead of posting comments on the blog because, for professional reasons, he doesn’t want his identity made public. Since his email comes from one of the major ISPs I don’t know specifically who he is, but we can exchange views. In any case he was responding to my blog posting on RBPS metrics from earlier this week with some suggestions about things I should address in future postings about the RBPS. He brings up a couple of points that are worth public discussion. Costs of Security Measures This reader wrote:
“What I think will help to bring more attention to RBPS postings is some talk of some of the costs of meeting the metric. Of course they will vary due to differences in the size of the facility. But an example to help would be the cost of different kinds of fencing per linear foot. The costs of lighting per square area. The costs of various kind of IDSs and CCTVs. Money seems to be what really grabs attention and I think it would also help to talk about it in addition to some of your good RBPS postings.”
He is correct, of course, that costs of security are very important to the facilities that are being required to bring their security measures up to CFATS standards. I’m just not sure that I can write about specific costs in a meaningful way, especially not at the ‘dollar per linear foot’ level. Chemical facilities don’t normally directly purchase security hardware. They have neither the expertise to select the hardware nor the personnel to install it. They typically contract that type work out to someone in the business and trust them to get them the best price on materials. Some facilities will attempt to contract out the individual pieces of their security program themselves while others will rely on a security integrator to sub-contract out the pieces. This presents its own special problems when you talk about selecting a security contractor for a CFATS covered facility. You certainly can’t expect to put out a request for competitive bids on development of an SSP. Because of the nature of the CFATS requirements it is too open ended a project for the conventional low-price bidding process. I cannot imagine any legitimate security integrator telling a facility that it will cost X amount of dollars to bring the facility into compliance. No one knows what it will take, because no facility has gotten an SSP fully approved yet. Even six months from now an integrator’s claim that they have two Tier 1 clients with approved SSP’s will not be a guarantee that they will be able to get first-time approval on a Tier 2 or 3 facility, even if they provide a Tier 1 program for that facility. Chemical facilities are too unique and the CFATS requirements too vague (by Congressional intent, not DHS design) to know in advance what it will take to get an SSP approved with any reliability. This is the reason that no one writing in this field is bandying about any real numbers about the cost of CFATS security programs. A year or two from now we may have a better understanding of the costs, provided that Congress does not change the ground rules too much. I would be interested in hearing from integrators working in the field about how they address the price side of their contracts for CFATS programs. Cost of Doing Business For a number of years now it has been a truism that that ‘the cost of safety is a cost of doing business’ and the same is true for environmental regulations. With the advent of CFATS the same is becoming true for security. If a facility is going to remain in business, the cost of regulatory compliance will have to be added to the other costs of doing business. This is not, however, the same thing as what my reader was apparently saying when he wrote that: “It may also be helpful for facilities to be mindful that money should not get in the way of their decisions to stay in business.” I am finding this type comment popping up more and more often, especially among academics and various advocacy groups and it exemplifies a basic misunderstanding of business. In many cases, these societal costs of doing business can be passed on to the consumers in the form of higher prices. However, in today’s truly global market place, there is a limit to how much of a price increase will be absorbed by the consumer. If the price goes up too much, the customer will just switch to lower cost providers, be they across the street or across the Pacific Ocean. Companies need to make a profit to stay in business. While many banks, Chrysler and GM got bailouts over the last year, it was always with the intention that they would pay the government back or go out of business. If the cost of doing business prevents the company from making a profit, it will go out of business. If the costs that are preventing profits are due to government regulations then there will be a second alternative, move away from the controls of that government. The Costs of CFATS Compliance The CFATS program does provide an environment for management of security costs. Since no specific security measure can be required by DHS, a company with a creative security team has the opportunity to work on cost containment while it is developing their Site Security Plan. It would be helpful if there were some mechanism for sharing these successful strategies, but cost containment will offer a facility a competitive advantage so these strategies may remain closely held. One interesting thing about the CFATS process is that it does provide for another way of avoiding the security costs associated with the program. All a company has to do to avoid CFATS compliance requirements is to reduce or eliminate their inventory of high-risk chemicals of interest. In some cases this means a switch to safer chemicals or processes. In other cases it means transferring the risk to another facility that makes a safer chemical intermediate or even to increasing transportation risks by making more frequent shipments to reduce on-hand inventory below STQ levels. Any of these choices can reduce the required security costs. The true costs of CFATS compliance are just now beginning to be felt across a broad range of industries. It will be years before we can gauge the true affects of those costs. If history is any guide, the costs of CFATS will become, for the most part, just another cost of doing business. Some facilities will close; others will move out of the country, but most facilities will adapt and figure out how to survive while becoming stronger, safer and more secure.

Reader Comment – 12-16-09 Redact II

Funny thing about the blogging business you never can tell what is going to bring out the most reader response. Yesterday r.e.z.o.k. posted a comment to the reader comment blog posting about redaction. R.e.z.o.k. pointed us to the web site for a commercial redaction program called RapidRedact, writing that “The most effective way to redact documents is by using redaction software that works.” I am certainly not technically qualified to evaluate redaction software, but the claims on the web site do look impressive. I was disappointed not to see any endorsements of the software by some recognized security organization; neither the Consumer Product Safety Commission nor the base purchasing manager at an Air Force base count. I would be really impressed if the NSA or the CIA endorsed the product (probably unlikely), but the endorsement by any nationally or internationally recognized security organization with some recognized software expertise would go a long way in establishing the bonafides of this product.

Wednesday, December 16, 2009

Reader Comment – 12-16-09 – Redacting

It is always interesting to see the wide variety of backgrounds found in the readers of this blog. Early this morning Anonymous left a brief yet informative comment on yesterday’s blog about redacting. Anonymous wrote: “See the NSA redaction tutorial link at the bottom of http://www.fas.org/blog/secrecy/2009/12/leak_anxiety.html”. This link takes you to a December 10th posting in the Secrecy News Blog from the Federation of American Scientists. The blog is worth reading, but here is the link to the actual NSA document from that post. While I haven’t had to do any redacting in years, I knew that someone, and would have bet that it was NSA, would have developed an effective method for redacting .PDF documents. The instructions here appear (after a brief review) to provide more than adequate, step-by-step instructions to follow. So, the question then becomes, did TSA adopt those instructions as their standard? I now have a semi-rhetorical question for readers from other government agencies. Does, DHS ISCD, for instance, have established standards for redacting information in .PDF documents?

CIKR Learning Series Web Page Update 12-16-09

Yesterday DHS updated their Critical Infrastructure Key Resource Learning Series web page. They added information about the first webinar of the winter quarter and announced the subjects of the next two planned webinars. These webinars are designed to inform the public about key components of the protection of CIKR under the National Infrastructure Protection Program (NIPP). The announced webinar will be “Critical Infrastructure Resiliency: The Next Frontier in Homeland Security”. The presenter will be Rand Beers, Under Secretary for National Protection and Programs Directorate. The webinar will be held on December 21st at 4:15 pm EST. Registration is now open. January’s webinar will be Infrastructure Protection for the 21st Century: Making effective use of visualization technology. The webinar in February will certainly be of interest to the chemical security community; it will be Chemical Facility Anti-Terrorism Standards: An Update. There are no details about the CFAT program currently provided on the web page, but we do expect some changes in the program in the near future that would probably be covered in this webinar. We are looking for a Corporate Reporting Tool in CSAT, a new CSAT tool for changing currently submitted reports (Top Screen, SVA, and SSP) rather than having to completely re-type them for minor changes, and we expect to see the Personnel Surety Tool introduced into the CSAT program. As I get more details I’ll be sure to share them with the readers of this blog.

Tuesday, December 15, 2009

TSA Document – The Rest of the Story

There have been a number of stories about how the TSA ‘inadvertently’ posted a sensitive document on the internet and ‘compromised’ the security of the airline passenger screening document. I have envisioned a number of different ways that such an 'accident' could have happened, but I never thought of the way it actually occurred. Thanks to Collin Bortner at HLSWatch.com for the rest of the story. Redacting Information According to Collin’s article: “A blogger [sic] discovered the pdf document, as well as the ability to undo the redaction of sensitive information. Users of Adobe Acrobat publishing software were able to remove the blacked-out paragraphs and read the text beneath.” Apparently the people posting the document did not realize that simply adding a black box over the ‘sensitive’ text did not destroy the underlying text; simply moving or erasing the box exposed the untouched text. For those of us who have had to redact printed classified documents before copying technology came along can sympathize with the problem. I’ll never forget the first time I had a security inspector wash off the ‘permanent ink’ that I had used to redact ‘sources and methods’ from an intelligence document. There was a special ‘permanent ink’ that we could use that would not wash off, but it wasn’t what I had used. It didn’t matter that the label on the marker I used said that it was ‘permanent ink’. Actually, now that copying/scanning technology is widely available, both of these inappropriate techniques can easily be made effective by printing or copying the poorly redacted documents and then scanning them into electronic format for internet posting. It is probably safest to destroy the ‘original redaction’ to avoid confusion. Root Cause In any case, answering my question at the end of yesterday’s blog, it looks like this was a legitimate case of ineptitude. The question becomes whose ineptitude? Bortner blames the error on the poor adaptation of the ‘paper metaphor’ to Adobe technology. But, as I noted earlier, the same problem was found in the paper process, so I think that that reasoning misses the root cause of the problem. As with any key requirement there must be detailed standards of how things are to be properly done. In this case investigators will have to determine if standards for redacting documents exist and if they are adequate to the task. If standards were not set by TSA, then the employees cannot be faulted for doing something ‘wrong’. If this redaction technique met ‘established’ TSA standards, then the people setting the standards did not know what they were doing. Finally, once adequate standards are developed, they must be communicated to the affected employees. This is called training. So, if there was an adequate redacting standard in place at TSA, investigators tracking down the cause of this incident need to look at the training the employees responsible for the inadequate redacting received on that process. That investigation requires answering some basic questions:
Were they just told in training what they were required to do or were they required to demonstrate proficiency at the task? Is this a task that they perform frequently or is there a significant amount of time between the times the either repeat the task or are trained on the task and then required to execute the task? If the task is performed frequently, how often is their on-the-job performance of the task evaluated, either formally or informally? If the task is performed infrequently, do employees have a written checklist to follow in the execution of the task?
Of course the question of how well the investigation is done will be determined in large part by how political the investigation becomes. The more it becomes about finding and punishing the person responsible that correcting the problem the less likely it will be that the real root cause of the problem will be found.

RBPS Metrics

It’s a slow season for chemical security bloggers, Congress is focused on other matters and DHS is still working on their next release. So I guess it is as good a time as any to share some blogger secrets. Today we’ll look at how professional bloggers use tools supplied by Google to keep track of what is important to their readers. Every day after I make my first blog post I go to Google Analytics to look at their profile of my readers. They tell me what cities and states provide the majority of my readers. They tell me what pages (old postings) are the most popular. They tell me what web sites refer readers to my site. And most interestingly, they tell me the most popular search terms that bring people to my site. The search terms are not too surprising most days. They are usually things like “CFATS”, “Chemical Facility Security”, or topical subjects like “HR 2868”. This last weekend, however, a new term jumped up to the top five list of search terms bringing readers to the site; “RBPS Metrics”. Looking at the details, there have been 32 visits to the site since November 30th guided by that term after a long absence from the list. Now Google can provide the data, but it is up to the blogger to provide the context; explain why the surge in interest in ‘RBPS Metrics”. And, actually that isn’t too difficult. The simplest explanation would be that a new batch of notification letters have gone out telling facilities that they have been designated a ‘high-risk’ facility and been given their due dates for their SSP. Consolidated RBPS Blogs So, a good blogger gives the readers what they want, information. I suppose that I could write about the Risk-Based Performance Standards Guidance document, but I have done so extensively. Instead, it makes more sense to provide a list of those posts that I have already written on the topic as a one-stop shop for the information. RBPS Guidance – Getting Started RBPS Guidance – RBPS #1 Restrict Area Perimeter RBPS Guidance – RBPS #2 Secure Site Assets RBPS Guidance – RBPS #3 Screen and Control Access RBPS Guidance – RBPS #4 Deter, Detect and Delay RBPS Guidance – RBPS #5 Shipping Receipt and Storage RBPS Guidance – RBPS #6 Theft or Diversion RBPS Guidance – RBPS #7 Sabotage Actually, that is where I stopped, not quite half way through the list of RBPS. The reason I quit, quite frankly, was that no one appeared to be paying attention. No comments or questions about the RBPS postings were submitted to the blog. There were no emails challenging my assertions or asking for additional details. Besides, Congress was getting interesting with bunches of new legislation to look at, and there were plenty of other things to write about. Maybe it is time to go back and finish the list….

Monday, December 14, 2009

Reposting Security Information

There is an interesting article over on ComputerWorld.com discussing some of the continuing fall out over the inappropriately disclosed TSA operations manual. I have not discussed the issue here since it does not directly impact the chemical security community. The recent congressional complaints about the continued reposting of the manual on other web sites changes that because of some last minute changes made to the Chemical and Water Security Act of 2009. Reposting of CVI ComputerWorld.com is reporting today that three Republican members of the Homeland Security Committee have “expressed concerns over the ‘repeated reposting’ of the security manual on multiple Web sites and asked her [Secretary Napolitano] to clarify if the sites could be compelled to take it down”. Now this manual was a TSA manual and was reportedly marked SSI, not CVI, but the re-posting of CVI material has already been identified as a potential problem caused by the provisions of HR 2868 introduced in a House floor amendment. Rep. Barton (R, TX) noted in the floor debate that:
“But then they are creating this new loophole, that if a group that is not controlled by Homeland Security somehow gets information, they can publish it. They can put it on their Web site, and they’re not liable.” (Congressional Record, pg H12517)
Congressman Dent was referring to wording in Chairman Thompson’s amendment (Congressional Record, pg H12515) that made significant changes to the wording of the information protection provisions of the legislation. That language amended §2110(g)(2) (for instance). The specific language that Dent was referring to was the new wording of §2110(g)(2)(B) describing information excluded from §2110 protections “that is obtained from another source with respect to which the Secretary has not made a determination under either such subparagraph”. He interprets this to mean anyone not specifically regulated under the new legislation. Unfortunately, it is unclear as to what the specific congressional intent on this wording was since the amendment was made after the committee reports from the Homeland Security and the Energy and Commerce committees were filed. Additionally, according to Mr. Thompson’s comments on the floor (H12517) during the debate that this wording for §2210 was provided by the Judiciary Committee which held no hearings or debates on HR 2868 and provided no committee report. With advent of this issue with the TSA it will be interesting to see how the Senate deals with the issue of protecting CVI when they deal with HR 2868. I suspect that there will be several amendments offered, either in committee or on the floor, attempting to make it a specific violation to post CVI information on the Internet. Current CVI and Subsequent Posting Of course, the current CVI rules under 6 CFR 27.400 are less than totally clear on the subject of subsequent public postings of CVI. Section 27.400(c) does define a ‘covered person’ under the CVI rules as each “Each person who otherwise receives or gains access to what they know or should reasonably know constitutes CVI”. Proving that someone ‘should reasonably know’ can be a challenge at times, particularly if the CVI markings were removed from a document before it was posted the first time on an unauthorized site. The CFATS regulations do provide for the imposition of a ‘civil penalty’ and the “issuance of an order requiring retrieval of CVI to remedy unauthorized disclosure or an order to cease future unauthorized disclosure” {§27.400(j)}. The lack of criminal sanctions makes the enforcement of the CVI rules problematic beyond their effect on covered facilities and government employees who may be terminated. Pragmatic Effects Unfortunately, from a security perspective, once the initial leak or inappropriate posting is done there is little that can be done to stop the spread of this information on the Internet. As the ComputerWorld.com article points out: “Even if such sites could somehow be compelled to take the documents down it is unlikely to make any difference or stop the document from being disseminated anyway.” In this case copies of the document have already been posted on overseas servers, beyond the effective reach of DHS. I have not read (nor do I currently intend to read) the TSA document in question, so I can not really comment on the security implications of the release of this particular document. I will opine that, if this was a deliberate act to subvert the appropriately classified (not ‘Classified’ as this document has not been alleged to fall into that sphere of security) distribution restrictions, then this is an illegal act for which appropriate legal sanctions should be sought. If, on the other hand, this is simply an instance of bureaucratic ineptitude, a mistake of public proportions, then the focus should be on correcting the oversights in execution that lead to the disclosure to prevent future repetitions on more critical documents.
 
/* Use this with templates/template-twocol.html */