Metric 6.1 – Restricted Access to Potentially Dangerous Chemicals Metric 6.2 – “Know-Your-Customer” Provisions Metric 6.3 – Background Checks Metric 6.4 – Monitoring Potentially Dangerous Chemicals Metric 6.5 – Physical Security of Potentially Dangerous Chemicals Metric 6.6 – Vehicular Access Metric 6.7 – Vehicle Inspections Metric 6.8 – Inventory Control Metric 6.9 – Tamper- Evident Devices Metric 6.10 - Cyber Security for Potentially Dangerous ChemicalsWhile most of these metrics are straight forward and many are covered in previous standards it is disturbing that most received no discussion what so ever in the ‘security measures’ discussion in this section of the Guidance document. For example the RFID tags that I mentioned earlier are found in Metric 6.4 for Tier 1 and 2 facilities as a suggested security measure. Another example is that the cyber security measures in 6.10 that are not mentioned anywhere in this RBPS. While the ‘requirement’ for all Tiers that they implement “appropriate cyber security measures and procedures for business systems that manage the ordering and/or shipping of potentially dangerous chemicals” seems to be fairly straight forward the additional requirement to protect “any other cyber systems that contain personally identifiable information for those individuals who manage critical business systems or who could be exploited to steal or divert potentially dangerous chemicals” probably requires some explanation. There is one metric that will be controversial, even though it was briefly mentioned in the earlier discussion. Metric 6.3 has a single ‘standard’ for all four tiers. It includes the suggestion that drivers “transporting potentially dangerous chemicals are issued facility badges subsequent to third-party verification of background suitability”. This certainly makes sense for facilities that employ their own drivers or perhaps for those that employ a ‘captive’ trucking company to make their deliveries. Most facilities, however, will not fall into this category. One simple technique for complying with this ‘requirement’ is for the company to require that all drivers picking up loads at the facility must have a TSA issued Transportation Workers Identification Credential (TWIC). Facilities located near ports may have an easier time getting this accepted in transportation contracts. Facilities located far from port facilities will have a difficult time employing this technique, since there is unlikely to be a significant pool of driver’s with a TWIC. There are two sub-metrics that have a big ‘N/A’ for one or more Tiers. Metric 6.7 has an ‘N/A’ for Tier 4 and Metric 6.9 has the same for Tiers 3 and 4. These ‘N/A’s may provide some insight into how DHS has made their Tier rankings. I would expect that the ‘N/A’ for vehicle inspections indicates that DHS only put facilities with theft/diversion chemicals into this Tier if they did not ship those COI. The lack of requirements for tamper resistant valves on tank trucks for Tiers 3 and 4 indicates that only facilities that do not ship theft/diversion chemicals in bulk are assigned to those Tiers.
Friday, July 10, 2009
RBPS Guidance – RBPS #6 Theft or Diversion
This is another in a series of blog postings that will provide a close-up look at the RBPS Guidance document. DHS recently released this document to assist high-risk chemical facilities in meeting the risk-based performance standards required for site security plans under 6 CFR §27.230. The other blogs in the series were the: Risk-Based Performance Standards Guidance Document RBPS Guidance – Getting Started RBPS Guidance – RBPS #1 Restrict Area Perimeter RBPS Guidance – RBPS #2 Secure Site Assets RBPS Guidance – RBPS #3 Screen and Control Access RBPS Guidance – RBPS #4 Deter, Detect and Delay RBPS Guidance – RBPS #5 Shipping Receipt and Storage This posting deals with the provisions of risk-based performance standard #6 and the prevention of the theft or diversion of ‘potentially dangerous chemicals’. The opening paragraph of this RBPS section explains that potentially dangerous chemicals include: “chemical weapons, chemical weapons precursors, explosives, explosive precursors, or other chemicals of interest [emphasis added] that could be used to inflict harm at a facility or off-site” (pg 64). If there are no theft/diversion COI at the facility, no special effort would be required to address this standard. Security Measures The first class of security measures discussed in this RBPS is Inventory Control. The text for the description is practically speaking a word-for-word copy of the similar section in RBPS #5. Interestingly there is no discussion of product stewardship or ‘know-your-customer’ programs in the discussion of security measures for this RBPS. Both would contribute the same benefits seen in RBPS #5. A number of procedural techniques are discussed in this area that can be employed to help deter, detect and delay the theft and diversion of these dangerous chemicals. Most of the procedures have already been discussed in somewhat more detail in earlier standards. The one new measure mentioned here is the use of a two-man rule. This technique requires that areas where the dangerous chemicals are stored may not be entered by just one person. This is based on the concept familiar to the nuclear weapons security community that it is more difficult to suborn two people than just one. This measure would be appropriate where small man-portable containers of the most dangerous chemicals, chemical weapons, are stored. Finally, the Guidance document looks at physical security measures that can be used to protect theft/diversion COI. Two categories included in this discussion, monitoring storage locations and inspecting vehicles leaving the facility were discussed in some detail in earlier standards and Appendix C. The other, briefly covered, technique in this area is the protection of man-portable containers locks and chains as well using movement sensors on individual containers. I was surprised that the use of RFID tags on containers was not identified here. Metrics This metric provides an excellent example of how DHS intends that the escalating risk should met by increasing security. The basic summary metric ‘requirements’ for Tier 4 state that the facility “has security measures intended to deter theft or diversion of potentially dangerous chemicals”. The Tier 3 requirements add that those measures would “reduce the likelihood” of theft/diversion. Tier 2 would add that the facility has ‘multiple’ security measures that “are effective in deterring” theft/diversion while Tier 1 facilities would have multiple ‘vigorous’ security measures that are “extremely effective” in deterring the theft/diversion of those COI. There are a large number of sub-metrics for this standard. In fact, the only RBPS with more sub-metrics is RBPS #8, Cyber Security. Those sub-metrics are: