RBPS Guidance – RBPS #7 Sabotage

This is another in a series of blog postings that will provide a close-up look at the RBPS Guidance document. DHS recently released this document to assist high-risk chemical facilities in meeting the risk-based performance standards required for site security plans under 6 CFR §27.230. The other blogs in the series were the: Risk-Based Performance Standards Guidance Document RBPS Guidance – Getting Started RBPS Guidance – RBPS #1 Restrict Area Perimeter RBPS Guidance – RBPS #2 Secure Site Assets RBPS Guidance – RBPS #3 Screen and Control Access RBPS Guidance – RBPS #4 Deter, Detect and Delay RBPS Guidance – RBPS #5 Shipping Receipt and Storage RBPS Guidance – RBPS #6 Theft or Diversion This posting deals with security measures put into place to deal with sabotage. DHS defines sabotage as “deliberate action aimed at weakening an employer through subversion” and notes that it is of particular concern for “facilities that are high risk based on their production of mission-critical or economically critical chemicals” (pg 68). Security Measures Most of the security measures discussed for this RBPS are covered in much more detail in other RBPS. The main preventive security measure is the thorough vetting of personnel that are allowed unescorted access to critical areas of the facility (RBPS 12 and Appendix C). While the discussion does note that the depth of the background investigation should be tied to the “severity of the consequences that could occur because of sabotage” (pg 69), there is no discussion of using a two-man rule that was briefly discussed in RBPS 6. Visitor control is another security measure that receives some treatment in this RBPS and includes a listing of the various types of visitors that might be expected at high-risk chemical facilities. The discussion briefly lists five types of control measures that might be used to mitigate the sabotage risks posed by visitors. Those control measures are:

“Positive identification of visitors; “Validation of the visit by contacting appropriate facility personnel; “The use of visitor registration forms to provide a record of the visitor and the time, location, and duration of the visit; “The use of visitor cards/badges; and “Visitor escort requirements.”

Two other types of security measures are briefly addressed with the discussion pointing to other RBPS for more information. Physical security measures are mentioned with references to RBPS 1, 3 and 4. Cyber security is mentioned, noting that the previously mentioned security measures are “of limited value against cyber sabotage attempts”. The discussion then points the reader at RBPS 8. Metrics The summary metric for this RBPS has only two levels. Tier 4 facilities are expected to have procedures and security measures in place that are aimed at “deterring, detecting, delaying, and responding to sabotage” (pg 70) while the other three tiers will have procedures and security measures that are ‘effective’ in achieving the same ends. It is interesting to see the ‘responding’ requirement mentioned here since it is not addressed or even mentioned anywhere else in the RBPS. Of the three sub-metrics listed in this RBPS only one is mentioned in the discussion portion of this section, visitor control (Metric 7.3). Metric 7.1 provides a list of procedures that a facility might use to “deter, detect, delay, and respond to sabotage”, but again, none of the listed procedures includes security response or emergency response. Metric 7.2 provides a detailed listing of ‘requirements’ for Tamper Resistant Devices. In fact this is a more detailed listing than the one in RBPS 6 (Metric 6.9) where there is a discussion of tamper resistant techniques.