Friday, January 30, 2009

Security Cost Allocation

There is an interesting article on SecurityDebrief.Adfero.com about security costs and security programs in general. Robert Liscouski makes the point that security programs do more than just prevent terrorist attacks. Many of the programs that we work so hard on for that task also prevent loss, stop industrial espionage and even reduce workplace violence. He suggests that if DHS were to emphasize these additional benefits they would have an easier time getting enthusiastic compliance with security rules. Liscouski provides a few examples in his short article of multiple use security measures, but it shouldn’t take a security professional to point out even more real world examples of how security measures designed for CFATS compliance can protect against more than just terrorists. Copper and steel thefts from industrial facilities are frequently in the news. A facility with adequate perimeter security will almost certainly be at reduced risk for these types of theft. Chemicals required for the manufacture of illegal drugs are unlikely to be stolen from a facility protected against terrorist attack. Cyber security measures that protect control systems from outside terrorist attacks will also prevent a whole host of worms, Trojans and viruses from affecting the same computers. Management of change controls on the same systems will help to prevent inadvertent errors in programming from shutting the facility down or ruining chemical processes. Security managers need to keep these dual use measures in mind as the conduct security vulnerability assessments and develop security plans. It will make it easier to justify the cost of security measures to upper management.

McCain Joins Homeland Security Committee

According to an article posted on HSToday.US the Senate has updated the list of members of the Homeland Security and Governmental Affairs Committee. Among the new members are John McCain (R, AZ) and Lindsey Graham (R, SC). The Committee Chairman, Joseph Lieberman (Ind, CT) worked closely with Sen. Graham on John McCain’s recent presidential campaign. This committee has already been marked by a very collegial atmosphere. Sen. Lieberman and Sen. Collins (R, ME), the ranking member, have worked very well together, sharing near equal billing on the committee web site. This is very unusual since most committees, in both the House and Senate, have separate web sites for the two parties. These new members should help to ensure that there continues to be broad bipartisan support for legislation that comes out of this committee.

Thursday, January 29, 2009

Re-routing Mexican Hazmat Rail

As I noted in a blog last month there is a large volume of hazmat rail traffic coming across the Mexican border at El Paso, TX. Apparently there is a similar problem in Laredo, TX. There is an effort to build a rail line around Nuevo Laredo-Laredo to keep much of that traffic out of the center of both cities. As part of that effort the US State Department yesterday published a notice in the Federal Register about a proposed Presidential Permit to construct a bridge across the border river to complete that rail line. Comments on the permit application can be filed with the State Department’s Office of Mexican Affairs by April 28th, 2009. They may be submitted by e-mail (WHA-BorderAffairs@state.gov) or by mail to: WHA/MEX--Room 3909 Department of State 2201 C St., NW. Washington, DC 20520 Additional information about Presidential Permits can be found on the web.

Wednesday, January 28, 2009

Third-Party Inspectors

Last September I briefly wrote about potential DHS efforts to use third-party inspectors to verify CFATS implementation. At the time of that blog I had heard nothing about any such efforts, other than the inclusion of rules for third-party inspectors in the HR 5577. That changed yesterday when I was reviewing the OMB website, RegInfo.gov. In the Fall 2008 Regulatory Agenda I found reference to a DHS proposal to regulate Third-Party Inspectors for CFATS. While this listing shows that the proposed regulations were ‘withdrawn’ from the regulatory process as of 08-11-08, it is interesting to see what DHS had been considering. The RegInfo.gov site provides the following abstract of the proposed rule:
“The Department will propose standards for the use of third-party auditors to conduct audits and inspections under its Chemical Facility Anti-Terrorism standards found in 6 CFR part 27. The Department will provide details about its proposed use of third-party auditors and will identify those tiers of facilities for which it will use third-party auditors. The Department will also propose standards and requirements for third-party auditors; the Department will consider issues such as the certification, qualifications, independence, objectivity, training, confidentiality, ethical obligations, and conflicts of interest issues of third-party auditors. In addition, the Department will consider the issue of who will pay for third-party auditors.”
Further inspection shows that the proposed regulations first showed up in the Fall 2007 Regulatory Agenda at about the same time that DHS was finishing up work on Appendix A to 6 CFR 27. At that time the expected time to publish the NPRM was August of 2008. At this point it appears that the issue is dead. It will be interesting to see if it arises again when Congress gets around to introducing legislation to extend or make permanent the CFATS regulations.

Pending TSA Security Regulations

I recently found another web site that provides valuable information about the development of Federal government regulations. It is part of the Office of Management and Budget web site, RegInfo.gov. Looking through its data base I found reference to three TSA regulations in development that pertain to ground transportation security. Interestingly two of the three regulations are well past their legislatively mandated implementation dates and not a single NPRM has been published. The ‘pending’ regulations are:
Railroads--Security Training of Employees Railroads--Vulnerability Assessment and Security Plan Revision of Enforcement Procedures; Reporting of Security Issues
In this blog I will examine the OMB data on these three rules. In later blogs I will attempt look at the requirements in more detail. Security Training of Employees According to the abstract published on this web site:
“The Transportation Security Administration (TSA) will add new regulations to improve the security of railroads in accordance with the Implementing Recommendations of the 9/11 Commission Act of 2007. The rulemaking will propose general requirements for a security training program to prepare railroad frontline employees for potential security threats and conditions. The regulations will take into consideration any current security training requirements or best practices.”
The legal authority cited for the rule is: 49 USC 114; PL 110-53, sec 1517. There was a statutory deadline of February 3rd, 2008 for the publication of the NPRM. Vulnerability Assessment and Security Plan According to the abstract published on this web site:
“The Transportation Security Administration (TSA) will add new regulations to improve the security of rail transportation in accordance with the Implementing Recommendations of the 9/11 Commission Act of 2007. This rulemaking will propose general requirements for each railroad carrier assigned by the Secretary of the Department of Homeland Security (DHS) to a high-risk tier to conduct a vulnerability assessment; implement a security plan that addresses security performance requirements; and establish standards and guidelines for developing and implementing these vulnerability assessments and security plans.”
The legal authority cited for the rule is: 49 USC 114; PL 110-53, sec 1512. There was a statutory deadline of August 3rd, 2008 for the publication of the NPRM. Reporting of Security Issues According to the abstract published on this web site:
“The Transportation Security Administration (TSA) proposes to amend its investigative and enforcement procedures to conform their scope to the changes in TSA’s civil enforcement authority enacted in the Implementing Recommendations of the 9/11 Commission Act of 2007. Specifically, the proposed rule would establish procedures by which TSA could issue civil money penalties for violations of any statutory requirement administered by TSA, including surface transportation security requirements, as well as requirements governing the use of Transportation Worker Identification Credentials. This proposed rule also would add new procedures by which members of the public could report to TSA a problem, deficiency, or vulnerability regarding transportation security, including the security of aviation, maritime, railroad, motor carrier vehicle, or pipeline transportation, or any mode of public transportation, such as mass transit.”
The legal authority cited for the rule is: 49 USC 114; PL 110-53, secs 1302, 1304, 1413, 1415, 1521, 1536 , There was no statutory deadline for this rule, but the OMB site noted that the expected NPRM date for the rule was in November 2008. The New Administration It will be interesting to see how the Obama Administration deals with these rules. Implementing the 9-11 Commission recommendations was a big part of the Democrat’s legislative agenda when they came into power in the House in 2007. The current economic conditions may put a damper on their enthusiasm for pushing these rules, but I expect that they might just yet see the light of day.

Tuesday, January 27, 2009

ACC – Continue CFATS

Cal Dooley, President of the American Chemistry Council (ACC), continues the public opinion campaign for the reauthorization of the current CFATS regulations in an Op-Ed piece in yesterday’s Washington Times. This piece marks a move from their publicity campaign in the industry press to start directly addressing Congress and the new Administration in the Washington press. They still appear to be ignoring the grass roots oriented campaigns of IST supporters. Dooley notes that the ACC members have been improving their security posture since soon after 9-11 and well before CFATS authorization was passed. He points to the ‘stringent, mandatory security program’ that is part of the Responsible Care Program with its security vulnerability assessment, security enhancements and independent verification of implementation of security plans. He boasts of the $6 Billion dollars that the ACC members have spent on security improvements. Fully Implement CFATS The ACC President reports that his organization was a leader in the effort to get DHS the Congressional authorization to implement the current CFATS program. While acknowledging that the current authorization runs out in October, Mr. Dooley asks that Secretary Napolitano support a continuation of the current program to “give current security regulations a chance to work before revamping them further”. ACC Acknowledges IST The ACC has acknowledged that inherently safer technology (IST) is a tool that may reduce the risks associated with hazardous chemicals. Dooley notes that the risk-based performance standards embodied in CFATS “allow and encourage operators to consider a wide array of security measures from process changes to hardening their facilities” (emphasis added). ACC just doesn’t want IST, or any other specific security measure, mandated by the Federal rules. Holes in ACC Arguments Anyone reading this Op-Ed piece would think that the ACC represented the entire chemical industry. They do not. Only a small fraction of the 7,000 high-risk facilities covered under the current CFATS program are members of the ACC. While ACC members may have worked hard to improve their security posture since 9-11, the same cannot be said for all high-risk facilities. This is especially true of the many facilities that did not consider themselves chemical facilities before CFATS. Mr. Dooley points to the draft Risk-Based Performance Standard Guidance document that was published last fall as an exemplar of the CFATS security process. Besides overlooking the fact that the document was a draft for public comment, he claims that it provided “robust standards that spells out how operators can secure their facilities and meet the requirements of the regulation”. In fact, the document was excessively clear that the ‘guidance’ did not set standards; it even acknowledged that following the ‘letter’ of the guidance would not guarantee approval of the site security plan. The draft Guidance document is a poor exemplar of CFATS. Furthermore, Mr. Dooley sets up a straw man to be his opponent by claiming that “some have argued for scrapping the rules and starting over”. While there may be the odd individual crying in the wilderness for CFATS elimination, the extended public campaign initiated this fall by a wide variety of public interest groups specifically supported last session’s HR 5577 as their model for chemical facility security legislation. That legislation specifically accepted CFATS as the starting point for the relatively limited changes outlined for the program. Finally, Mr. Dooley ignores the large number of chemical facilities (many that store large quantities of highly hazardous chemicals) that were exempted from coverage under the current CFATS legislation. By overlooking the millions of people that are at risk from potential terrorist attacks on these facilities Mr. Dooley gives lie to the claim that the ACC members “have clearly demonstrated their commitment to safeguarding America's chemical facilities”. The American Chemistry Council does itself a severe disservice in using many patently flawed and misleading arguments in this presentation. Especially in a political document targeted at regulators and members of Congress, these arguments will carry little weight. It would be much better if the ACC were to address obvious industry concerns with involving regulators in process safety decisions they are ill equipped to make. A factual discussion of the issues would be much more effective.

Monday, January 26, 2009

HSIN Advisory Comm Meeting 2-10-09

DHS published a notice in Friday’s Federal Register that the Homeland Security Information Network (HSIN) Advisory Committee will be having a public meeting February 10th and 11th. The Advisory Committee is responsible for providing “independent advice and recommendations for the improvement of the Homeland Security Information Network (HSIN) to senior leadership of the Department” (74 FR 4212). According to the notice the agenda will include “an update on efforts concerning the improvement of HSIN, a presentation on civil-military information sharing, discussions pertaining to the governance of HSIN, and discussions pertaining to the HSIN law enforcement community”. While the meeting is open to the public, discussions will be limited to DHS and Committee personnel. Advanced registration is required. Members of the public wishing to make oral presentations to the Committee must request permission prior to February 3rd; contact:
Niklaus Welter Department of Homeland Security 245 Murray Lane, SW., Bldg. 410 Washington, DC 20528 202-282-8336 Niklaus.Welter@dhs.gov
Comments, written documents, and other submissions for Committee considerations can be submitted via the Regulations.Gov web site (Docket #: DHS-2009-0003).

Emanuel Memo Published

I noted in a blog last week that the Obama Administration had put a hold on all of the on-going regulatory processes so that they could review those rules in-work and make sure that they were in-line with their regulatory philosophy. When I wrote that blog I had not been able to find an actual copy of the order, so I could only comment in generalities about its effect. Since then the Washington Post has posted a link to the Rahm Emanuel memo on the WhiteHouse.gov site and it has been published in today’s Federal Register. So, now we can look at this policy in detail. White House Chief of Staff Early news reports had called the document an ‘Executive Order’. If it had been it would have been a formal order from the President of the United States to the executive branch of the Federal government. Instead, the direction to review the rules-in-progress came from the President’s White House Chief of Staff, Rahm Emanuel. This greatly reduces the legal authority of the directions included in the memo. The Chief of Staff is technically responsible for supervising the day-to-day operation of the White House Staff. It is not a constitutional office and does not require the Advice and Consent of the Senate for an individual to take that office. In recent decades this has become more of a political post and the directives from the Chief of Staff have acquired more weight because of that. So, this memo does not carry much legal authority, but does have a great deal of political power behind it. Besides which, it was obviously issued at the direction of the President; it will be followed. Rules Covered By Memo To determine which rules are subject to the review process one has to look at their status with respect to printing in the Federal Register. There are four different categories to be considered. They are:
The final rule has not been submitted to the Federal Register, The final rule has been submitted, but not printed in the Federal Register, The final rule has been printed, but the effective date has not yet been reached, or The final rule has been printed and the effective date has passed.
The last category is not included in the review process outline in the Emanuel memo. Many recently published rules in this category will undoubtedly undergo some review, especially the more controversial rules. They cannot, however, be immediately changed in the same manner as rules falling in one of the other three categories. I’ll save the discussion about what can be done with those rules for another day. Review Process Rules that have legislative or judicially imposed time limits may be exempted from the review process. There are also provisions for exempting rules of a time critical nature from the review process. In all cases the Office of Management and Budget (OMB) Director will be the person who makes the final decision on exemption from the review process. The review process for each of the first three categories described above will be slightly different, reflecting the current publishing status. All of the reviews will be conducted by Obama appointees or designees. The results of those reviews will be forwarded to the OMB Director and the affected Department or Agency will continue the rule making process as appropriate. Rules in the first two categories will be the easiest to review and modify as necessary. Since they have not officially seen the light of day, no public notifications will have to be made. The third category will require the posting in the Federal Register of a 60 day extension of the effective date of the rule. The Emanuel memo recommends that that notice include a 30 day public comment period. Receipt of public comments that “substantial questions of law or policy” will result in the involvement of the OMB Director to decide what further actions will be required. Review Status of Recent Security Rules The following is a listing of some of the security related rules that I have been covering in this blog: Railroad Hazmat Routing Rule: Effective Date (12-26-08) – No Review Railroad Hazmat Routing Appeal Rule: Effective Date (11-26-08) – No Review Rail Transportation Security Rule: Effective Date (12-26-08) – No Review PIH Railcar Rule: Effective Date (03-16-09) – Review Required Transportation Security Plan Rule: Final Rule not published – Review Required Enhanced Enforcement Rule: Final Rule not published – Review Required Ammonium Nitrate Registration Rule: Final Rule not published – Review Required

Friday, January 23, 2009

CSX RSSM Security Efforts

Two weeks ago I did a posting on a letter that CSX was sending to its customers about their implementation of the recently finalized Rail Security Rule. At the same time that I posted that blog I sent an email to the address provided in the letter asking for some additional information about their efforts. Yesterday I received a very polite and informative reply from Mike Lunsford, Director - Chemical Safety CSXT, addressing some of the issues that were briefly mentioned in their letter. CSXT Progress He reported that during January they are planning on doing field evaluations of each of the more than sixty interchanges that they share with other rail lines. They need to determine which interchanges are going to be ‘attended’ when a Rail Security Sensitive Material shipment arrives to be transferred to that line. They also need to work out the exchange procedures with the other rail line to ensure that those procedures comply with the new § 1580.107. He specifically notes in his email that: “Should any issues be discovered during those evaluations that may impact CSXT shippers or receivers, the company will communicate its findings with the specific companies impacted.” He also points out something that should be obvious to anyone that has implemented government regulations in a complex operational environment; it is not possible to have a single policy or procedure cover every situation. He does state that: “CSXT personnel are currently working to find a solution for each unique situation.” Hazmat Routing vs Rail Security I made the point in my earlier blog that a railroad could use internal rules like those issued by the CSX letter to avoid re-routing RSSM shipments around urban areas; not out of any desire to route through that area, but rather to avoid the loss of revenue associated with turning the shipment over to another rail carrier. There is nothing in Mike Lunsford’s email indicating that CSX intends to do this, but it is certainly a reasonable (from a profit motive perspective) action for a railroad to take. This exemplifies an additional problem that regulators will have in trying to get railroads to use interchange agreements to route RSSM shipments around High Threat Urban Areas (HTUAs). Railroad may legitimately use the § 1580.107 procedures to avoid re-routing these types of shipments. It is a clear example of a regulatory requirement of one agency having a negative affect on a regulatory requirement of another agency. It is true that PHMSA and TSA have different regulatory responsibility. The problem in this case is that there is significant overlap between the requirements of safety and security. The hazmat rail routing rule (PHMSA) was written primarily as a safety regulation with security effects. The railroad security rules (TSA) have safety implications. While there is a memorandum of understanding (MOU) between these two agencies, there is obviously a lack of coordination of efforts. Until such time as these two agencies actually coordinate their respective programs we can expect to see similar conflicts between safety and security regulations.

Thursday, January 22, 2009

S 177 Funds Water Security Research

Sen. Russell Feingold (D, WI) introduced the Strengthening Our Economy through Small Business Innovation Act of 2009 (S 177) to amend the Small Business Act to extend the Small Business Innovation Research (SBIR) and Small Business Technology Transfer programs. Both of these programs are funded by the individual agencies supporting the research. It also expands the covered ‘critical technologies or pressing research priorities’ covered by these programs to include, among other things, water security. Project Funding This proposed legislation increases the percentage of agency research dollars that will be given to small businesses for conducting the covered research. The current law provides that each agency will spend 2.5% of its research and development budget with small businesses under the SBIR and 0.3% of extramural budget for the STTR program. Those percentages will increase by annual steps to 10.0% {§ 4(a)} and 1.0% {§ 4(b)} respectively and continue at those levels until 2022 and 2023. S 177 proposes to increase the maximum grant sizes from the current limits of $100,000 (one year grants) or $750,000 (two year grants) to new limits of $300,000 or $2,200,000 for each project {§§ 5(a) and 5(b)}. These project limits will apply to both programs. Project Subject Matter The original legislation mandated that these programs should be associated with critical technologies identified by the National Critical Technologies Panel or the Secretary of Defense. S 177 expands the targeted areas to include critical technologies and other ‘pressing research priorities’ {§ 6(1)} identified by a variety of reports and organizations. This includes two reports associated with water security prepared by the Committee on Water System Security Research of the National Academy of Sciences{§ 6(2)}. They are:
‘Improving the Nation’s Water Security; Opportunities for Research’, 2007 ‘Public Water Distribution Systems: Assessing and Reducing Risks’, 2006
Additionally, this legislation allows for grants associated with technologies and priorities identified by future publications by the National Academy of Sciences or the Environmental Protection Agency relating to improving the Nation’s water supply and security. This reflects the current regulatory situation where the EPA is responsible for establishing security program requirements for water treatment and waste water treatment facilities. Currently these treatment facilities are exempted, by law, from the requirements of the Chemical Facility Anti-Terrorism Standards (CFATS) set forth in 6 CFR part 27. It seems likely that that exemption will be removed in the current session of Congress when the authorization for CFATS is extended past its current expiration in October of this year. This means that this legislation should probably also include DHS as an agency that can suggest technologies and research priorities that would be covered by SBIR and STTR programs for water security. Funding Offset Finally the proposed legislation provides that any increase in expenditures will be ‘offset’ by eliminating Department of Defense funding for the Airborne Laser program {§ 7}. This seems to be a disingenuous move to simply eliminate funding for that program in a bill that is unlikely to be reviewed by DOD oversight committees. Since this bill does not increase general research funding (it only increases the percentage of funding that goes to small businesses) there is no need to establish a funding offset. This appears to be one of those underhanded legislative tricks that are used to try to shut down a program that has powerful protectors. Rather than having an upfront discussion about the merits, or lack thereof, of a project, the funding is cut in an unrelated piece of legislation. Then the funding burden is placed on the project backer who is forced to add the project back to the budget as an increase in spending; always a more difficult proposition than defending the continuation of current funding.

Wednesday, January 21, 2009

Hold on Pending Rules

I mentioned in an earlier blog today that I had heard that President Obama had issued an Executive Order putting a hold on all rule making processes pending a review by the new administration. Well, according to a brief AP article on GovExec.com it was not an Executive Order but a memo signed by Rahm Emanuel, the new president’s Chief of Staff. It was also apparently covered in “the first press release sent out by Obama's White House”, but I haven’t been able to find a copy of either the memo or press release. In any case, this is not an unusual move by a new administration; especially when there is a change in party as well. This would typically only effect rules that had not yet had the ‘final rule’ published in the Federal Register. I do not believe that it would have any effect on rules that have been published but still have effective dates pending. For example this would certainly affect the pending rule on Ammonium Nitrate but should not affect the Rail Security Rule that was published in November but has a partial effective date of April 1st, 2009. What is not clear at all is the effect of this ‘moratorium’ on guidance documents like the Risk-Based Performance Standards that was released as a draft last fall with the expected final document hopefully appearing some time early this year. I would expect that Secretary Napolitano will want to have her people review that document (and the comments received by industry) before they publish the final document, but that may not have been explicitly addressed in Emanuel’s memo.

Whitehouse.gov

Chris Battle has a blog today on SecruityDebrief.Adfero.com that looks at the Homeland Security page that has appeared on the Whitehouse.gov web site. Chris has some interesting comments about the content of that page that are worth reading. Unfortunately he fails to note that the page is a direct copy from the Homeland Security page on Change.gov, the Obama Transition web site that I briefly discussed last November. Expanded Communication That White House web site has been around for a while, but it has changed, as you would expect, since the new President has taken office. It does look like the Obama White House will use this site more as a communication tool than George Bush ever did. This is not surprising since use of the internet was a hallmark of the Obama campaign. The site provides a wide variety of communication tools, including a request public feed back via the Office of Public Liaison page. Executive Orders While I agree with most of the points that Chris makes in his blog, I was more disappointed in fact that the two Executive Orders that are being reported in this morning’s news are not shown on the Executive Orders page on the site. Instead there is the place holder message that “The President has not yet issued any Executive Orders.” Either the press has got their information wrong (and that is always possible) or the White House is being slow to update their web site (and that would be disappointing). The two orders that I am talking about are ones that I heard reported on NPR this morning as I drove into town. They called for an immediate review of the status of all of the prisoners at Gitmo and a pause in the rule making process to allow for an Obama administration review of those rules-in-progress before any other actions are taken. The way they were reported sounds reasonable and expected, but I would like to be able to read them myself. Good Move In any case, I like the look of the new White House web page and will add it to the list of sites that I periodically check. It is nice to see the more of the government moving into the age of communication.

Tuesday, January 20, 2009

MTSA Facility ID

Last week the Coast Guard published a notice in the Federal Register announcing that as the Transportation Workers Identification Cards (TWIC) is phased in at various ports around the country, the existing name-based workers identification programs put into place in April 2006 will be terminated. Once TWIC has been fully implanted in a port, the Captain of the Port (COTP) will no longer be required to enforce the name-based vetting for selected workers. In any case, that name-based program will cease on April 28th, 2009. Table 1 in the notice provides the date by which each port facility is expected to have TWIC implanted. By that date, unless otherwise notified by the COTP, each MTSA facility owner/operator (employees) and union (longshoremen) will no longer be required to submit the information required to support the name-based vetting program. The TWIC program requires individuals to submit their own information as part of the process for applying for TWIC.

Monday, January 19, 2009

Offsite Consequences

One of the perennial topics in chemical facility security, community right-to-know (RTK) information, is being discussed again in New Jersey. According to an article posted on CourierPostOnlin.com the NJ Dept of Environmental Protection (NJ-DEP) is proposing a rule that would allow shielding from public exposure ‘off-sit consequence’ reports. This would apparently parallel the US-EPA action of removing this information from web sites after 9-11. Needless to say, this action is being opposed by a number of activist groups. In light of the publication last fall of the Center for American Progress report, Chemical Security 101, this seems like a case of closing the barn door after the horses have escaped. The same information is currently available at EPA reading rooms (the data source for the CAP report). The NJ rules would still allow the on-line publication of chemicals and quantities of chemicals at sites covered by the NJ laws; it would just limit off-site consequence information. This distinction borders on the ludicrous. If the size of potential chemical inventories is available, anyone with a little bit of knowledge can find a variety of tools to calculate off-site consequences. Both the US-EPA and DHS provide on-line calculators to predict off-site consequences of a toxic release. Enter the chemical and the amount on-hand and it will tell you the distance the toxic cloud will spread. Public Consequences Part of the problem here is that the off-site response to a chemical release (either from an accidental release or a terrorist attack) is not the responsibility of the chemical facility. The facility may have a legal liability but it does not have the emergency response responsibility. That falls on local and State governments and they are frequently ill equipped to plan for and manage such a response. And jurisdictional issues frequently cloud the issue further. The current CFATS regulations make the situation even more difficult. In an effort to legitimately protect security information about high-risk chemical facilities the Chemical-terrorism Vulnerability Information rules were established. Unfortunately, these efforts will inevitably lead to many facilities to over-protect information that local communities need to establish realistic emergency response plans. Furthermore, the congressionally mandated inability of DHS to mandate any actions under CFATS past reporting of information to DHS makes it impossible for DHS to require high-risk facilities to coordinate their security plans with emergency response plans of local officials. The EPA emergency planning rules are woefully inadequate and completely un-enforced. Congressional Action Needed With the CFATS re-authorization certainly to come up in this session of Congress, it seems like a good time for Congress to address this short coming. There should be a specific requirement in the reauthorized chemical facility security legislation for coordination between high-risk facilities and local homeland security officials for emergency response planning. This should include requirements for those state and local officials to prepare an emergency response plan for each high-risk facility. That should also include a requirement to communicate that plan to all people that live and work in the area identified by DHS as being at risk for off-site consequences for a successful terrorist attack on that facility. Inevitably that requirement will have to be backed up by Federal training and funds. It is time that we learn to distinguish between legitimate security information and information that the citizens need to know. Certainly what actions the populous is going to be required to take when a local high-risk chemical facility is attacked belongs in the column of RTK. This goes well beyond just knowing the potential hazards; it must include the proper actions to take in the even that that potential is realized.

Saturday, January 17, 2009

CFSIA – No Federal Funds

HR 261, the Chemical Facility Security Improvement Act of 2009 (CFSIA) proposes to use the Congressional control of the purse strings to control how provisions of CFATS are implemented. It prohibits the use of Federal funds “to approve a site security plan for a chemical facility unless the facility meets or exceeds security standards and requirements” set by the appropriate State or local governments. As DHS is preparing to start implementing the Site Security Plan provisions of CFATS, passage of this legislation could have a significant impact on DHS implementation plans. This type of financial control is a classic tool when there is an adversarial relationship between Congress and the Executive Branch. It does not tell the Executive Branch agency how to do something, or even exactly what to do. It just stops the agency from spending money in a broadly defined set of circumstances. It is unusual to see such a proposal at the start of a new Administration, especially when the same party controls both the Executive and Legislative branch. Lack of Definition This proposed legislation does provide a limited number of definitions in § 2(a)(2). It defines both ‘site security plan’ and ‘chemical facility’ by referring to section 550 of the Department of Homeland Security Appropriations Act, 2007, the authorizing legislation for the CFATS program. Those are the only terms that are defined. What is lacking is the definition of two concepts central to proposed control of spending. Those concepts deal with what DHS actions constitute ‘approve a site security plan’ and how DHS is supposed to determine whether the facility ‘meets or exceeds security standards and requirements’. Finally, the CFSIA does not explain what DHS should do with the facility when the site security plan can be neither approved nor disapproved; the legislation does not give DHS authority to disapprove a site security plan based on the facility failure to meet State or local standards. Finally, there is the problem of the missing definition of ‘State and local government’. These are very broad and overly inclusive terms. In the grandest terms this would include any board, committee or officer constituted or authorized by law. In the broadest terms this could include constables, school boards, or zoning boards. Approval of Site Security Plan In its most basic, the ‘approval’ of a Site Security Plan is nothing more than the preparation and sending of a letter to the facility that it’s proposed Site Security Plan is approved. While there is a minimal cost of the materials and work that go into the preparation of that letter, those costs are part of the fixed cost of the Department. It cannot be truly said that DHS is expending any funds in those actions; they will be spent whether or not the letter is drafted, prepared and sent. The greatest costs associated with the facility site security plan take place in the review process before the plan is approved and in the implementation inspection process that takes place after the plan is approved. The pre-approval review process is again a fixed cost, so it cannot be effectively ‘prohibited’ by this legislation. The travel costs of the post-approval implementation inspections are clearly assignable costs. But those costs come after the approval process is completed, so they would not be controlled by CFSIA. Determining ‘Meets or Exceeds’ The biggest question left unanswered in this proposed bill is who determines that the facility does or does not ‘meet or exceed’ State and local requirements. I suppose that we should assume that Ms Jackson-Lee intends that the State or local authorities would make the go-no go determination. That still leaves the question of how DHS is supposed to know that the requirements exist, who has evaluation authority, and whether that evaluation has taken place. Additionally, the bill does not address how court challenges to the ‘standards and requirements’ or the local government ruling on the facility’s status with regards to those standards will affect the decision of DHS to approve or not act on the Site Security Plan. Provisions Unenforceable As the provisions of this bill currently stand they are effectively unenforceable. There are no identifiable funds being expended in the approval process that Congress can actually control. The definition of the standard to be applied by DHS is poorly defined and overly broad. And there is no suggestion of how DHS is supposed to apply the definition. Looking Forward The practical effect of this legislation, if passed, would be to tie DHS up in litigation and effectively stopping the implementation of Site Security Plans. This would give many facilities every excuse to stop spending money on continued work on CFATS implementation. Lacking any legislation extending CFATS passed its current expiration in October of this year, it could effectively stop any further work on increasing security at high-risk chemical facilities. If it is the intent of Congress to more completely involve the States in the security of high risk chemical facilities within their boundaries (a proposal surely to be subject to vociferous debate) then that should be included in any re-authorization legislation. Any such provisions should address the problems identified above.

Friday, January 16, 2009

High Cost of Security

I ran into a brief, yet interesting piece over on the SecuritySystemNews.com web site. It discusses a group that offers “leasing financing to companies looking to deploy security technologies to protect critical infrastructure and key facilities”. According to the brief report this financing option is being targeted at “mid-sized chemical facilit(ies) needing to meet CFATS regulations”. There are going to be a lot of security costs being incurred this year as security plans are being developed and implemented. In today’s economic environment it could be difficult for companies to get the loans necessary for large capital purchases. A leasing option like this may be the way to go. But, there are other possibilities…. Congress might want to explore providing grants or government loans to high-risk chemical facilities for site security upgrades. This could easily be justified as part of the economic stimulus package being developed. As with any good government program it would be beneficial on a number of different levels. It would provide a shot of money into the economy. It would serve the public good by increasing their protection against potential terrorist attack. And, if it was done as low-cost government loans, it would eventually bring the money directly back to the treasury.

Purpose of Security Forces

Earlier this week I noted that Shell Oil Company objected to the requirement that facilities be able to interdict an armed attack on the facility. I didn’t delve into the consequences of that comment in that blog. I knew that an appropriate discussion would add too many words to that already lengthy blog. Besides, the Shell comments were not unique in this regard; they were representative of a number of commentors. That discussion deserved a blog of its own. Actually, I have discussed the issues surrounding facility security forces on a number of occasions. At the request of some people in DHS I did a series of blogs on these issues. This link is to the last posting in the series; that blog contains links to all of the other blogs in the series. Today I would like to look at the consequences of industry opposition to a robust security force capable of interdicting armed intrusions at high-risk chemical facilties. Shell Opposition Shell stated in their comments to the Draft RBPS Guidance Document that they felt that “interdiction of an armed attack force by a private security force is an action of such an extreme nature that it is not realistic nor is it an appropriate role for private industry to assume”. They list four reasons for their opposition; such ability would:
“(R)equire the facility to arm its security personnel, “(P)ut security/facility personnel and the general public at risk, “(C)reate potential criminal and civil liabilities for the individuals engaged in the such actions as well as the facility itself, and “(F)orce the facility to assume the roles and responsibilities performed by public law enforcement agencies or the military.”
Shell’s opposition is not unique. Their comments echoed those of many industry commentors that had posted comments to the Draft Guidance. DHS has heard the same objections in many venues. Interestingly, many water treatment facilities that use large amounts of Chlorine adopted the use of armed guards without the Federal government telling them to do so; they are not covered by comprehensive security regulations. Limited Number of Facilities First off, there is no reason for every high-risk chemical facility to have an armed security force capable of interdicting an armed assault. Only those facilities that would experience an immediate adverse impact on the surrounding community from a successful terrorist attack need to consider having such a force. High-risk facilities that only possess theft/diversion COI will probably not need to have such a robust security force. The risk at those facilities is that terrorists would take those chemicals to some other site and then convert them to weapons. Interdiction by law enforcement at any time before that conversion takes place would be adequate. Security forces at these facilities need to concentrate on detecting and reporting, not interdicting. Facilities that are deemed to be high-risk facilities because of their possession of release COI will almost certainly require robust security forces capable of interdicting a terrorist attack force. For Tier 1 facilities the immediate effects of a successful attack on such a facility on the surrounding community would be catastrophic. For lower-tiered release-COI facilities there may be adequate time to evacuate innocent civilians before the effects of the release reach them. In those cases the ability to identify and report such an attack is may more important than interdicting the attackers. Consequences The problem is that there really isn’t a viable alternative to having an armed security force for the high-risk, immediate consequence facility. Barriers and surveillance by themselves will not slow a well trained force enough to allow for an off-site police or military response before the terrorists reach critical areas of the facility. Once the terrorists gain access to the critical areas of the facility it will be too late. The collateral damage from an armed response to re-take the facility will be as bad as a successful terrorist attack. No response will allow the attackers the time to prepare their demolitions perfectly for the maximum effect. Negotiating with the terrorists will, as shown by the Mumbai attacks, just allow for more press coverage, and more killing. One final consequence issue, one of little interest to the potential victims of the successful attack on a high-risk chemical facility, but one management needs to consider. At the inevitable Congressional hearing reviewing why there was a successful attack on XYZ Chemical Facility that resulted in thousands of deaths in the surrounding community, how is the CEO of the owning company going to explain that he did not want armed guards at his facility. That he thought that armed guards were too dangerous to have on site. That he thought that armed guards were too expensive. I certainly would not want to explain that and hear it repeated hundreds of time on prime time news for years to come.

Thursday, January 15, 2009

PIH Tank Car Final Rule

As I noted earlier this week, PHMSA published their final rule on safety standards for PIH rail cars. This rule is based on the NPRM that was published in the Federal Register in April of last year, but it was significantly influenced by a pair of petitions for the establishment of an interim rule. Those petitions were reported in a single publication in the Federal Register in July. Conflicting PIH Rail Car Designs The reason for the petitions, one by the Fertilizer Institute and the other a joint filing by a number of chemical and railroad industry groups, was that in the April NPRM proposed that PIH chemicals would only be able to be shipped in rail cars that passed a rigorous new performance standard. While PHMSA proposed to give industry six years to convert their PIH fleets to the new cars, there was no current rail car design that could meet the proposed standard. In fact, the consensus in the industry was that there would not be a railcar available within the six year time frame that could meet the standard. What the petitioners asked for was for PHMSA to approve an interim rail car design that could be used to replace out-of-date or damaged rail cars until the new design did become available. The design proposed by the petitioners was an incremental improvement in safety over the current PIH rail car fleet. They also wanted PHMSA to allow them to use the replacement cars for a reasonable useful life after the enhanced-performance rail car was introduced. Instead of publishing an interim rule approving the intermediate PIH rail car design, PHMSA published this final rule establishing the requirement to use the interim design. They acknowledged that they were not sure when the enhanced performance car would be available, so they left requiring its use for a later rule making effort. Interim Rail Car Design PHMSA made some modifications to the design requirements for interim rail car design. The discussion of the engineering details of the new rail car design is much too complex to go into here in this blog (translation: I’m not sure I understood everything that I read). Essentially what PHMSA did was to require a thicker shell/jacket on the tank and a full head shield to reduce the risk of puncture in derailments and collisions. Based on recommendations from the railroad community, they also required additional protection for top fittings and nozzles to reduce the potential for leaks in a roll over situation. Since thicker shells and head shields would weigh more than current cars, PHMSA also increased the weight limit for these interim rail cars to 286,000 lbs. They firmly required that any additional weight over the current limit could not allow for product weight in the rail car over the current limit. This was done to stop the increased car weight from reducing the shipping capacity of the railcars. They felt that the increase in traffic from less weight per shipment would inherently increase the risk of accident and release. PHMSA is not requiring that this interim design be used in a wholesale replacement of the current fleet. They feel that the enhanced design will be significantly safer (when it is finally introduced) than even this interim design. PHMSA is making it clear that they only want this interim design to be used to replace out-of-date rail cars or rail cars damaged beyond reasonable repair or to increase fleet capacity. They want the bulk of the current fleet to be replaced by the enhanced rail car. Speed Limit Changes In the NPRM PHMSA proposed that all trains carrying current design rail cars containing PIH chemicals would be limited to a top speed of 50 mph. The enhanced rail cars would not require the same speed limit. Additionally, PHMSA proposed a further reduction in the speed limit to 30 mph on any ‘dark territory’, track without a signal system capable of warning of approaching trains. This lower speed limit was based on some theoretical work done by the NTSB that suggested a lower risk of shell puncture in a collision with a relative closing rate of less than 50 mph. Railroad commentors on the NPRM universally objected to this lower speed limit. They claimed that the schedule disruptions would lead to railroad holding PIH shipments until they could put together a ‘poison train’. They noted that this would significantly decrease PIH security and increase the risk that an accident involving such a compiled train would result in leaks of multiple PIH chemicals and exacerbating an already bad situation. PHMSA did implement the 50 mph speed limit in this rule, but decided not to require the 30 mph dark territory speed limit. They noted that there were some questions about the theoretical underpinnings of that requirement. Additionally, when the requirement was proposed it was being considered for a limited amount of time. With the interim rail car standard being adopted the time limit would be greatly extended. PHMSA also noted that there some other means of reducing the risk of collisions in dark territory had become available since the NPRM was published. They noted that DOT had recently been given authority (granted in 49 U.S.C. 20502), to require implementation of “supportable risk reduction measures, including the installation of signal and train control systems” (74 FR 1781). They also claim that the recently published hazmat rail routing rule would provide “a useful framework for better targeting risk reduction strategies” (74 FR 1781) presumably by re-routing around dark territory.
Blogger’s Note: This is certainly not my idea. I almost choked when I read this. Anyone that has read this blog for long realizes that I do not believe that the hazmat routing rule will result in many changes in rail route selection. In my not so humble opinion, re-routing around dark territory is even more unlikely than re-routing around urban areas.
Moving Forward PHMSA maintains that they will continue to move forward in working with the industry to develop, test and field the enhanced PIH rail car that they described in the NPRM. That standard, if realized, would be an order of magnitude increase in the safety of PIH transportation. Meanwhile, the interim standard rail car described in this rule is a positive step forward in the same direction.

Wednesday, January 14, 2009

S&T Advisory Committee Meeting 1-26-09

DHS announced in today’s Federal Register that the Homeland Security Science and Technology Advisory Committee would be meeting on January 26th thru 28th at Johns Hopkins University in Laurel, MD. The meeting will be closed to the public. Information submissions for the Committee must be received by January 16th. They may be submitted through the Regulations.gov web site (Docket #: DHS-2008-0196). According to the notice (74 FR 2087): “The committee will meet for the purpose of receiving classified and sensitive Homeland Security and classified briefings on Maritime Improvised Explosive Devices (IEDs), Cyber Security and Science and Technology Programs”

Low Risk Gasoline Tank Farms

As I noted in yesterday’s blog on the Draft RBPS comments the American Petroleum Institute made some statements in their comment that absolutely astounded me. I briefly addressed their comment about the ‘low risk’ gasoline storage facilities. In hind site I realized that I treated the API unnecessarily roughly. I still think that they are severely misguided, but that is a problem that is too common throughout the petrochemical industry and it is due to a misunderstanding of the concept of ‘at high-risk of terrorist attack’. Legally a High-Risk Facility As I noted in my earlier blog, by definition, any facility that is covered by CFATS is at high-risk for terrorist attack. Section 550(a) of the Homeland Security Appropriations Act of 2007 gives the Secretary the sole authority to determine what facilities are legally at high-risk. To aid in that determination DHS established the Top Screen and Security Vulnerability Assessment (SVA) tools within the on-line Chemical Security Assessment Tool (CSAT). Determining High-Risk Status Facilities that have at least a screening threshold quantity (STQ) amount of one of the 300 or so DHS Chemicals of Interest (COI) listed in Appendix A to 6 CFR part 27 are required to prepare and send to DHS a Top Screen Submission using CSAT. DHS uses that information to make a preliminary determination if the facility is at high-risk of terrorist attack. If the facility is preliminarily designated a high-risk facility it is required to submit an SVA. The information from the SVA is then analyzed by DHS and the final high-risk status and Tier level are determined. DHS refuses to discuss the details of the process by which it determines high-risk status and Tier levels. By examining the questions asked in the Top Screen and SVA submissions we can tell a lot. Release Toxic COIs reach high-risk status by the number of people they expose upon release. Release Flammable COIs reach high-risk status by the damage radius of the explosion upon release and detonation. Release Explosive COIs are evaluated in the same manner. Theft/Diversion and Sabotage COI are harder to figure out, but are really not relevant to this discussion. Gasoline does not fit well in this model. It is certainly flammable, but it is not actually on the DHS Chemicals of Interest list. It gets sucked into this process because of the flammable COI mixture rule. Butane, a listed Release Flammable COI, exists in most gasoline in excess of the 1% listed in Appendix A. That makes the butane in gasoline large storage tanks reportable. Gasoline can form a fuel-air explosive under certain conditions, but it is much more likely to ignite and burn in a really nasty and impressive fire. A gasoline storage tank fire burns for a while. The smoke is mildly toxic and can cause problems for people with breathing problems. And the heat from the fire can cause extensive damage to nearby structures. But, then again, the same can be said for a lot of other chemicals that DHS is making no attempt to regulate under CFATS. The ‘Gasoline Specific Questions’ on the Top Screen give a suggestion of why DHS is treating gasoline storage areas different than most other flammable liquids that are not specifically COI. Since the fuel industry has classified fuel depots as low-risk facilities it is not unusual for commercial and residential areas to be found in close proximity to such storage facilities. Close enough, in fact, that they would be directly impacted by a catastrophic fire at these facilities. These potential results, combined with the non-existent security at these facilities, make them easy targets to attack. The combination of ease of attack and visually spectacular results places these facilities at high-risk for terrorist attacks. Economic Risk To the best of my knowledge DHS has not yet started including economic and strategic effects of attacks on facilities in determining facility risk status. These calculations are more difficult to set-up in a meaningful way and they have enough high-risk facilities to worry about in any case. There are many economic reasons that might make a facility a target to be attacked. The gasoline shortages and resulting price increases in the Southeastern United States this last summer were caused, in part, by disruptions to the distribution networks by hurricanes striking the Gulf Coast. These price increases contributed to the rise in oil prices. Iran, Venezuela and Russia all benefited from those oil price increases. It takes no great leap of intelligence to believe that any of those three countries could decide that controlled interruptions in the gasoline supply in the United States would cause further economic disruption here and an increase of income to those countries. Any of those countries, could use loosely controlled proxies to effect such attacks with great deniability. No Longer Low Risk Gasoline storage/distribution facilities have been considered low-risk facilities. This was due to a combination of basic safety controls and the lack of a real threat. The same could be said for the Twin Towers in New York City on September 10th, 2001. The threat situation has fundamentally changed and continues to evolve. Attacks on Mexican oil lines and Canadian gas lines demonstrate the potential risk in areas close to home. Proper security will reduce the risk here.

Tuesday, January 13, 2009

More Comments on Draft RBPS Guidance – 01-09-09

I’m not sure why I went back and re-checked the RBPS Guidance comment site on Regulations.gov, but I’m glad that I did. There were four comments posted to that site in the last month; well after the comment period was closed. Additionally there was a comment that I had some how missed earlier The five comments were received from: Synthetic Organic Chemical Manufacturers Association US Chamber of Commerce American Chemistry Council Shell Oil Company EnergyAPI Synthetic Organic Chemical Manufacturers Association Comments SOCMA appreciates that DHS has clearly delineated that the document is a guidance not a requirement. SOCMA would expect that facilities that followed the guidance could expect that their site security plan would be approved. SOCMA questions why Appendix B was ‘intentionally’ omitted from the draft. SOCMA complains that the lack of specificity in the personnel surety section could lead unions to object to any personnel surety action against employees was not required by DHS. SOCMA would like to see more discussion about what types of security forces DHS believes would be most effective in different circumstances. US Chamber of Commerce Comments The Chamber would like to see DHS clarify that auditors checking SSP compliance will not use an RBPS based checklist, but rather verify implementation of the site plan. The Chamber would like to see DHS confirm that security measures approved under other regulations would be acceptable to meet the requirements of CFATS. The Chamber would like to see DHS address the overlap of various DHS security regulations. The Chamber would like to see more segregation of emergency response and security response functions. The Chamber notes that personnel actions based on personnel surety requirements will be made at the company level not facility level and should not be addressed in the facility security plan. The Chamber complains that the record keeping requirements are not specific enough. American Chemistry Council Comments The ACC wants the Guidance to more completely address the wide variety of facilities that are affected by CFATS. The ACC wants DHS to clarify that the guidance will not be used as an enforcement tool or basis for an inspection checklist once site security plans are approved. The ACC wants DHS to more clearly delineate the difference between security response and emergency response. The ACC notes a number of specific instances where the guidance is apparently too prescriptive. Shell Oil Company Comments Shell would like to see clarification in the RBPS document that it is not intended to be used as a basis for inspections of approved site security plan compliance. Shell would like to see DHS more clearly define terms like ‘critical area’, ‘secure area’, and ‘restricted area’, and suggests the use of MTSA definitions. Shell believes that the use of phrases like ‘dangerous chemicals such as COI’ imply that the security plan should address chemicals other than those specified in the Appendix A. Shell objects to the inclusion of specific percentages in the vehicle screening requirements in Metric 3.4. Shell objects to the requirement that facilities be able to interdict an armed attack on the facility. Shell would like to see the requirement for a ‘know your customer program’ removed from Metric 5.2. Shell objects to a wide variety of requirements in RBPS #12, personnel surety. EnergyAPI Comments API believes that many of the RBPS do not address the unique nature of gasoline storage and loading facilities; noting that these facilities fall under CFATS due to the benzene content of gasoline. Noting that many of these facilities are unmanned, they object to the identification and inspection requirements of RBPS #3. They also object to the security guard/CCTV requirement under RBPS #4 as unnecessary at these low-risk facilities. My Comments on Comments From the dates on the individual comments it appears that they were mailed to DHS within the time frame required for comment submissions. I’m not sure where the delays were in getting them posted to the Regulations.gov website. I don’t suppose that it is really relevant since it is their consideration by DHS that is really important. It continues to amaze me that so many commentors praise DHS for providing guidance and not binding requirements and then criticize the document for not providing enough or providing too much detail in the guidance. And I am completely flabbergasted that they can make both of those complaints in the same document. Then API comes along and completely blows me away. Claiming that putting ‘a guard or CCTV’ system at a gasoline storage facility is excessive due to the low risk takes first prize for completely misunderstanding CFATS. If DHS has determined that a large gasoline storage facility is a high-risk facility (and if they are a Tier 4 facility they are, by definition in CFATS, at high-risk for terrorist attack). A gate-guard or CCTV system is going to be the cheapest part of the security that will eventually be put in place at these facilities before their site security plan has any hopes of being approved by DHS. The other area that constantly comes up in the corporate comments to the Draft RBPS Guidance document is the personnel surety issue. DHS has always been adamant that unescorted access to critical or high-risk areas must require background checks. This is a cornerstone of any security program. Industry commentors rightly point out that in most multi-facility companies, the personnel actions are centrally controlled, not facility controlled. What they apparently fail to recognize is that under CFATS the security of high-risk facilities is considered a corporate responsibility, not a facility management responsibility. This is reflected in the requirement for a corporate officer to be the Authorizer in CSAT. If the corporate Human Resources has to be involved in establishing and managing the personnel surety system for the high risk chemical facilities, so be it.

HSIN Teleconference Postponed

The HSIN teleconference that was scheduled for today has been postponed until January 26th, 2009 according to a notice published in today’s Federal Register. No reason for the postponement was given in the notice. As I noted in an earlier blog, the HSIN teleconference will discuss implementation efforts associated with the Next Generation of the Homeland Security Information Network.

PHMSA Issues PIH Tank Car Rule

The Pipeline and Hazardous Materials Safety Administration published a final rule in today’s Federal Register. The Improving the Safety of Railroad Tank Car Transportation of Hazardous Materials final rule provides for “enhanced safety measures for rail transportation of poison inhalation hazard (PIH) materials, including interim design standards for railroad tank cars” (74 FR 1769). The effective date of the rule is March 16, 2009. As you would expect this is a lengthy rule that will require some study before I can comment on the details. It appears that PHMSA is adopting interim changes to rail car design while it continues to work out the details of the design criteria proposed in the April 1st, 2008 NPRM. According to the summary (74 FR 1770), this rule also adopts:
“A 50 mph speed restriction for loaded rail tank cars transporting PIH materials; “An improved top fittings performance standard; “An allowance to increase the gross weight of tank cars that meet the enhanced standards; and “Adoption of the industry standard for normalized steel in certain tank cars.”
I’ll provide further details in future blogs.

Monday, January 12, 2009

Reader Comments 01-12-09

Anonymous asked for some links that I mentioned in a blog posting from last week, DHS Updates Chemical Security Page. Here they are: “Facilities covered by CFATS" http://www.dhs.gov/xprevprot/programs/gc_1181765846511.shtm "Laws and regulations" http://www.dhs.gov/xprevprot/laws/ I just re-verified that these links work.

HR 261 Text Available

The actual text of HR 261, the first chemical facility security legislation introduced in the 111th Congress, is now available on the Thomas.LOC.gov web site. It is still not available on the GPO site. It is interesting reading and proof that the phrase ‘and for other purposes’ can cover a lot of ground, especially when it is used to circumvent House rules that require legislative titles to reflect what they cover. Ms Jackson-Lee (D, TX) introduced HR 261 last week as I noted in an earlier blog. In addition to a snappy short title (Chemical Facility Security Improvement Act of 2009, surely to be abbreviated to CFSIA) it has a lengthy, descriptive title:
“To provide that no Federal funds may be used by the Secretary of Homeland Security to approve a site security plan for a chemical facility, unless the facility meets or exceeds security standards and requirements to protect the facility against acts of terrorism established for such a facility by the State or local government for the area where the facility is located, and for other purposes.”
This bill certainly sets out to accomplish the first part of description in the title. Section 2(a) is entitled ‘Limitation on Use of Funds’ and contains two sub-paragraphs. The first plainly states the ‘no Federal funds …’ requirement while the second provides the essential definitions of ‘site security plan’ and ‘chemical facility’. So far, everything is perfectly clear.

Amendments to Existing Law Relating to Approval of Security Plans

The second paragraph in Section 2 gets a little more deceptive. Someone reading the title to this paragraph; ‘Amendments to Existing Law Relating to Approval of Security Plans’ could be expected to assume that this would provide more details concerning the funding limitations set forth in the first, or at least more details concerning the ‘approval of security plan’. That would be a seriously wrong assumption. It does concern amendments to § 550 of the Department of Homeland Security Appropriations Act, 2007 (Public Law 109-295; 120 Stat. 1388), but those amendments have little to do with the approval of security plans or funding of DHS enforcement actions. What follows in § 2(b) is a series of cryptic amendments (insert this, delete this, etc) that quickly fade into confusing obscurity; confusing that is until one goes back and actually marks-up a copy of § 550. Then the provisions of this bill become more clear.

Pause for Bloviation

I try to keep my discussions in this blog on a practical plane. While I may harp on a subject from time to time, I try to keep things on an emotionally even keel. But from time to time I have to blow off some steam. This is one of those times. The way this bill is presented and worded is one of the worst examples of underhanded politics that I have ever had the displeasure to read. This bill was deliberately worded to confuse and obscure. There is no excuse for that in legislative practice unless someone is trying to accomplish something that is anti-democratic or crooked; I see nothing crooked here. Legislation should be clear in its intent. This allows for discussion on its merits and should allow for it to stand or fall on those merits. This legislation obfuscates and confuses, implying that it has no merits in the eyes of its author. Regardless of the merits of its actual intent this bill should be sent to legislative oblivion without further consideration. Now, back to a rational discussion of the contents of this legislation.

Clarifying Security

The first two changes to § 550 call for the addition of the words ‘terrorist attack’ in the first paragraph. In both cases these apparently serve to qualify what chemical facilities are being secured against. Since ‘security’ could also apply to criminal activity this may be appropriate. On the other hand, it could be an effort to remove authority to protect against the theft of chemicals of interest from chemical facilities. This would have the effect of removing a large number of facilities from the high-risk category and thus coverage under the CFATS regulations. A large number of facilities in Tier 4 are there solely because they have chemicals on site that could be used to further a terrorist attack elsewhere. This change could exempt those facilities from the expensive security requirements necessary to prevent those thefts.

Particular Security Measures

The next amendment removes the phrase that disallows the Secretary from disapproving a site security plan because of the presence or lack of a particular security measure. It did leave the requirement to judge the SSP using risk-based performance measures. Since the amended authority does not require a particular security measure, it is hard to see how effective this would be in accomplishing a particular purpose. It would serve to give the Secretary more latitude in disapproving SSPs.

Modifying CVI Protections The next three provisions for changing § 550 all deal with the protections of Chemical-Terrorism Vulnerability Information (CVI). It looks like this is part of a continuing effort to bring some order to the variety of ‘sensitive but unclassified’ information controls that have popped up over the last decade or so. It treats vulnerability assessments and site security plans as Sensitive Security Information like similar information about chemicals in transit.

Expanding Potential Enforcement Authority

The last change to the original authorizing legislation included in this bill removes ‘sole enforcement’ authority from the Secretary of DHS. This could potentially allow ‘interested parties’ to sue in Federal Court to enforce provisions of the CFATS regulations that are not being ‘adequately enforced’ by the Secretary. This change is probably not sufficient to allow that, but it could allow for changes in the regulations to allow such private law suits. A variety of state and federal laws were written to allow, and even encourage, private law suits to enforce those laws. It helps to reduce the government costs of enforcement. It also makes for unequal enforcement.

Public Discourse

None of the provisions that I have described here seem to be outrageous. They all have their ups and downs. There are legitimate arguments to be made on both sides of the issues. If this bill is to be seriously considered during the 111th Congress (and not all legislation proposed will be considered) it deserves a full public scrutiny and public discussion. It should not be passed in the House on the day before a holiday by voice vote and then included as an obscure section in a spending bill.

Comments on Ammonium Nitrate ANPRM – 01-09-09

The comment period has closed on the Ammonium Nitrate ANPRM and it looks like the comments have effectively stopped coming in. The ten comments reviewed in this posting bring the total to 33 submissions. The ten submissions were from: Minnesota Dept of Agriculture Kennecott Utah Copper Corp Jeffrey Kalmus, et al, Harvard University Aaron J. Hicks Air Liquide USA AgriBusiness Association of Kentucky Oklahoma Department of Agriculture Food and Forestry Kentucky Farm Bureau American Farm Bureau Federation Meherrin Ag and Chemical Minnesota Dept of Agriculture Comments The Minnesota Department of Agriculture (MDA) is responsible for the administration of the Minnesota Fertilizer Law (Minn. Stat. 18C) that “regulates the storage, handling, distribution, and disposal of fertilizer in the state”. There are no provisions in that law for the type controls envisioned in the ANPRM. The MDA does not want responsibility for administering the Federal program unless DHS “provides sufficient funding to fully support the administration and compliance monitoring activities”. Kennecott Utah Copper Corp Comments Kennecott would like to see DHS exempt users of blasting grade ammonium nitrate that are registered with the ATF from the DHS registration process. They would like any ammonium nitrate classified as a Class I explosive by DOT to be exempted from these rules. They also note that accurate inventories of bulk prills of ammonium nitrate are ‘impractical and virtually impossible to implement’. Jeffrey Kalmus, et al, Harvard University Comments This ‘comment’ is an undergraduate class project on “Quantitative Approaches to Public Policy Problems”. As you might expect it is a rather lengthy discussion of the problem of how to appropriately regulate ammonium nitrate. I would recommend reading it to anyone that is interested in the issue, but doubt that it will provide much actual assistance to DHS in establishing the rules required by the Congressional mandate. This would have been better submitted to the House Homeland Security Committee when they held hearings two years ago. Aaron J. Hicks Comments Mr. Hicks recommends that DHS set a lower limit of 50 lbs of AN to be covered by this regulation. He notes that there are a number of uses of AN below level that would be adversely impacted with no effective impact on terrorist use. In particular he notes that the ornamental agricultural industry uses small amounts of ammonium nitrate in plant tissue culture labs. He notes that personnel in those labs are totally unaware of these impending regulations. Air Liquide USA Comments Air Liquide uses AN to produce nitrous oxide. They express concerns about the language of the registration process and ask how many of their personnel will have to register with DHS to effect their normal acquisition process of ordering and accepting delivery of AN. They would also like to see closer coordination between these efforts and the CFATS process that also regulates the security of AN. AgriBusiness Association of Kentucky Comments ABAK would like to see registration through a variety of means and agencies, including Extension Offices and State Fertilizer Control Office with blank forms being available at AN Dealers. ABAK notes that the average age of farmers in Kentucky is over 50 and there are many areas without affordable high-speed internet access, so an internet based regulatory framework may not be workable. ABAK does not believe that DHS has been authorized to, nor should it, look into substitutes for AN. ABAK suggests that compliance audits can be best completed by the State Fertilizer Control Office. ABAK notes that it is “important that a sensible timeframe for adoption of the rule be established in order to allow all affected parties to prepare for implementation”. Oklahoma Department of Agriculture Food and Forestry Comments ODAFF recommends that the regulation of ammonium nitrate be delegated to the state fertilizer control official. That agency in Oklahoma has been regulating the sale of AN since April, 2005. Kentucky Farm Bureau Comments KFB recommends that registration take place electronically through the Cooperative Extension Service and AN Dealers and note that the process should be simplified to the greatest extent possible. They recommend that the state fertilizer control agencies be used to maintain databases of registered AN users. They recommend that registered users be allowed to list their representatives (farm workers) that are authorized to physically pick-up the AN from dealers. American Farm Bureau Federation Comments The AFBF notes that the rules should be administered by the state fertilizer control official who already oversee various state and federal programs concerning fertilizers. The AFBF notes that many farmers that us AN never take physical possession of the AN, rather they use third-party custom application services. AFBF does not believe that such farmers should be required to register in the AN program. AFBF recommends that farmers that do register be allowed to designate authorized representatives to actually pick-up the AN from dealers. AFBF feels that the costs of the AN registration and regulation should be born by DHS with no fees being charged to farmers or dealers of AN. Meherrin Ag and Chemical Comments Meherrin notes that “90% of Farmers today have access to the web and broadband is available to 99% of the nations zip codes”. They recommend on-line registration with assistance provided by the Cooperative Extension Service. Meherrin recommends that “DHS, TSA, TWIC and the FMCSA need to work together” to come up with a registration id card for ‘truckers, dock workers, farmers and retail/wholesalers’. My Comments on Comments It is very interesting in seeing the divergence in views about the computer literacy of the American Farmer and internet availability in rural areas. I especially like the fact quoted by many that ‘broadband service is available in 99% of Zip Codes’. I live in a Zip Code that has broadband service available to a very small fraction of the residents (not me, I am afraid). So that is a misleading statistic. The issue of small volume users of AN keeps popping up in the oddest areas. It brings up a generic question of how Americans get involved in the rule making process that so affects their lives. Most individuals have no ideas how laws get turned into rules or how they can participate in the process. Most business owners rely on the various organizations to which they belong to keep track of the development of new regulations. Fortunately, there are gadflies like myself that also watch the process. A number of commentors have suggested that farmers registered in the AN program be allowed to designate employees to pick up their AN. This certainly sounds reasonable, but it also would seem to be a huge potential loophole in the regulation of possession of AN. This would allow personnel that were not vetted by DHS to pick-up large quantities of AN; the very thing that the authorizing legislation was attempting to avoid. On the other hand, turn-over in farm workers can be pretty high; so that would cause registration problems. DHS has certainly got its work cut out for it in trying to make reasonable rules to regulate this very commonly used material. Good Luck guys.

Friday, January 9, 2009

Waxman Reorganizes Energy and Commerce

There are two interesting things on the new House Energy and Commerce web site today. There is little explanation accompanying these items, so I may be reading more into them than was intended by the Democratic Leadership. It seems that Energy and Commerce may no longer be responsible (co-responsible?) for chemical security legislation. Green Looses Sub-Committee Chair I reported earlier that Rep Gene Green (D, TX) had hoped to retain his chairmanship of the subcommittee on Environment and Hazardous Materials even though he had backed Dingell instead of Waxman in their fight for chairmanship of the Committee. Well, according to the list of sub-committee chairs reported on the Committee Website today, Green is no longer chair of that sub-committee. In fact, the sub-committee is no longer listed. Committee Jurisdiction There is a new list of the areas over which the committee will have jurisdiction. There is nothing in that list that says anything about Homeland Security or chemical facilities. I do not have a copy of a similar list from the 110th Congress (and don’t recall ever looking at one), so I cannot tell for sure that this is really a change. HR 261, definitely a chemical facility security bill was assigned to the Energy and Commerce Committee along with the Homeland Security Committee. I looked again at the wording of that assignment and it looks a little peculiar. According to the listing at Thomas.LOC.Gov the bill was assigned “to the Committee on Energy and Commerce, and in addition to the Committee on Homeland Security, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned”. In light of the changes in sub-committee listings, the jurisdiction listings and the strange assignment language for HR 261, I think that there might be a change in the way that chemical facility security legislation is going to be handled in the 111th Congress. This might also reflect some changes in the way the oversight of DHS in general is going to be handled. Any reduction in the number of committees that DHS has to deal with in Congress will be greatly appreciated, I’m sure. Safe Water Drinking Act The Safe Water Drinking Act is listed as being in the jurisdictional area of the Energy and Commerce Committee. The provisions of HR 5577 in the 110th Congress that brought water treatment and waste water treatment facilities under CFATS would require review by this committee if they are in the newest CFATS reauthorization bill. But that is significantly less control than Chairman Dingle tried to exert. Disclaimer Again, I must add that I am reading tea leaves or looking at the dignitaries at Lenin’s Tomb. I have yet to see anything that clearly states or backs up my ‘conclusions’. But hey, this is a blog, not a journal article. I can get away with some guessing.

DHS Updates Chemical Security Page

On Thursday DHS updated their Chemical Security Web page. This has effectively been the portal page to the CFATS program. There was no new information added to the page (other than a nice graphic of a glossy brochure on CFATS). What they did do was change the way that the page was used to access CFATS information on the DHS web site. There used to be five links near the bottom of the page that took you to various aspects of CFATS. Four of those links are no longer there. They were: Facilities covered by the Chemical Security Anti-Terrorism Standards Chemical Security Assessment Tool Chemical Security Laws and Regulations Chemical-terrorism Vulnerability Information There are still ways to get the CSAT and CVI information through links on this page. These are located in the ‘I Want to: ’ box near the top of the page. The ‘register to access CSAT’, the ‘view Top Screen’, and the ‘view SVA’ links will take you to the appropriate section of the CSAT page. The CVI information page can be accesses by clicking on the ‘complete CVI training’ link. Unfortunately there are no links to the ‘facilities covered by CFATS’ or the ‘chemical security laws and regulations’ pages. As of today the links that I have for those pages still work, but I can find no other page that links to those two pages. The ‘facilities covered by CFATS’ page has a good explanation of what facilities are not covered by CFATS and the reason they were exempted. The ‘laws and regulations’ page provides a good list of the legislation and regulations that are associated with CFATS along with their associated links. In short, I think that both pages are valuable information resources. Another thing that I was disappointed in was that I have not yet received the notification of the changes to this page that I signed up for. DHS has been pretty good about sending emails out to people about changes on some of these pages, so I am surprised that they missed it on this change.

TSA HTUA Map Late

It has been two weeks now since the bulk of the TSA Rail Security Rule went into effect. Since receivers of Rail Security Sensitive Materials (RSSM) are only affected by the rule if they are in a High Threat Urban Area (HTUA), TSA promised in their final rule to have a map of HTUAs on their web site. This was noted in the preamble to the rule, “Before the effective date of this final rule, TSA will provide on its website maps of each of the 46 HTUAs that TSA will use to inspect for compliance with the applicable sections of this regulation” (73 FR 72150). As of this morning there is still not HTUA Map on the TSA web site. To be fair to TSA they did note that these maps would be for “general guidance purposes only”. They stated in the same section of the preamble to the final rule that: “TSA encourages any regulated party with questions concerning the applicability of this final rule to its operations to contact TSA directly.” Facilities that receive railcar quantities of RSSM and are located in (or within 10 miles of the boundary of) any of the urban areas listed in Appendix A to § 1580 of 49 CFR should have already contacted the TSA Freedom Center (703-563-3240 or 1-877-456-8722) to verify their HTUA status.

Thursday, January 8, 2009

My Article on HazmatShip.com

One of the things that I have been trying to do with this blog is to expand awareness of the rule making process for the rules and regulations that affect the chemical industry. This is one of the reasons that I have been periodically reporting on comments posted to various proposed rules. Yesterday I had the good fortune to have an article placed on HazmatShip.com, the web site for HAZMAT Packager & Shipper Journal. For subscribers to that Journal the article is “Public Comments on PHMSA’s Enhanced Enforcement Rule”. This article is a in depth look at an idea I briefly discussed in a blog on this site. I had planned on looking at the ideas in more depth here, but it would have required too much space. So when I was asked to write this article I jumped at the chance as it gave me a chance to cover the idea in a more appropriate length. Of course, the fact that I got paid for it was also a good thing. As a free lance writer by profession I will continue to write for other publications about some of the same issues that I cover here on my blog. When I can, I will provide links in this blog to the sites where the article is published. Sometimes those links will only be useable by subscribers; that is the way of the publishing world. More often than not, my articles on chemical facility security and chemical transportation security will be more in depth looks at issues that I have already raised here in this blog. The blog format provides a lot more immediacy, a quicker response to issues and incidents. Magazine articles, take more lead time, but provide for more time for consideration and research and allow for more expansive writing. Both of these venues provide me a chance to comment on, and perhaps influence the ongoing efforts of the chemical industry and its observers to prevent terrorists from using the chemicals necessary for commerce as weapons against our society. I expect that this will be a long career.

First Chem Security Bill in 111th Congress

Representative Sheila Jackson-Lee (D, TX) has submitted the first bill of the 111th Congress specifically dealing with Chemical Facility Security. HR 261 was introduced yesterday and referred to the Homeland Security Committee and the Energy and Commerce Committee. No reporting dates have yet been assigned by the Speaker. The bill was co-sponsored by Chairman Thompson of the Homeland Security Committee. Ms Jackson-Lee serves as a sub-committee chair on the same committee. The only other data available this morning on Thomas.Loc.gov, the Library of Congress site that covers all matters congressional, is the title of the bill. The title for HR 261 is “To provide that no Federal funds may be used by the Secretary of Homeland Security to approve a site security plan for a chemical facility, unless the facility meets or exceeds security standards and requirements to protect the facility against acts of terrorism established for such a facility by the State or local government for the area where the facility is located, and for other purposes.” This sounds like an interesting way to increase the influence of the States of New Jersey and California. It might also be a creative way to require IST implementation. Until we can see the actual wording of the bill, it is hard to tell just what is required. Needless to say I’ll report more when I have more information.

Another Attack on Canadian Gas Wells

Earlier this week the Associate Press reported another explosive attack on a natural gas metering shed in British Columbia. As in earlier attacks, the site was in a remote location with no personnel present so no one was hurt. Apparently the RCMP has no suspects, but the first attack in the series was accompanied by a written demand for oil and gas companies to halt operations in the area. News reports have labeled these eco-terrorist attacks though that is not proven by any legal standard. It may just be someone with a personal grudge against Encana, the owner of the facilities that have born the brunt of the attacks. In any case, some one is willing and able to use violence against these facilities to affect a political-economic objective. As such it certainly fits the general definition of terrorism. Potential for Escalation? As in many eco-terrorist attacks the attacker is apparently taking pains not to hurt anyone during these attacks. In the minds of most people this lessens the seriousness of the attacks, in the opinion of many people it even might make the attacker something of a hero figure. The problem is that there is no guarantee that the attacker will not make a mistake or miscalculation that would result in serious injuries or the death of innocent bystanders or company employees. There is little reason for the oil and gas companies to acquiesce to the demands and every financial reason not to. As long as the damage inflicted is limited in scope and remains in remote locations, the companies will repair the relatively minor damage and little more. There will be periodic pressure put on the police to capture the criminal, but there will be no significant increase in security measures at these remote locations. Sooner or later the bomber will realize that continuing the current attack profile is not working. Either the attacks will stop, with the bomber accepting defeat, or the bomber escalates to achieve the objective. Once escalation starts there are only three possible outcomes: Success, the oil and gas companies close down operations and leave, or Failure, the bomber realizes the futility of the attacks and quits, or Capture, the bomber is captured or killed by security personnel. The first two outcomes are unrealistic and extremely unlikely due to the nature of the adversaries. That leaves the third with the realization that the escalation will likely continue to advance until that outcome occurs. The question then becomes, how long can the current attack pattern continue until frustration overcomes the apparent reluctance to hurt people. Unfortunately that question can only be effectively answered in hind sight. Lessons for High-Risk Chemical Facilities While oil and gas facilities may be considered chemical facilities in the broadest sense of the term, the remote production facilities being attacked by this bomber are fundamentally different from most chemical high-risk chemical facilities covered by CFATS. These are remote, stand-alone facilities with no routine personnel attendance. With that in mind we have to be careful when we try to extrapolate lessons to more conventional chemical facilities. Counter-surveillance Probably the most important lesson is that the lone-wolf bomber does exist as a potential adversary. This type terrorist is the one of the most difficult for law enforcement to detect before the first attack. There is little possibility of this terrorist contacting a police informant for assistance; the most common way that terrorist plots are brought to the attention of police or security personnel. This makes it all the more important for facilities to have an effective counter-surveillance plan in place to detect the lone-wolf bomber during the surveillance process. The individual working alone has to conduct personal reconnaissance to be able to effect a successful attack. National vs Facility Threat Level The other important lesson that needs to be addressed is that there may be a threat of terrorist attack against a facility that has nothing to do with the terrorist threat against the nation. These attacks in Canada appear to have nothing to do with Al Qaeda or other jihadist organizations. High-risk chemical facilities need to pay attention to all public and private grievances against the facility, company or industry as potential sources for growing lone-wolf attackers. All overt threats communicated to the facility need to be reported to authorities. Any facility should report such threats to local police. High-risk chemical facilities need to include the FBI and DHS in their reporting structure. Most of the threats received will lead to nothing. Failure to share all threats with government investigators may lead to an unexpected attack that could have been prevented. This means that facilities must have a procedure for receiving reports of threats and forwarding them immediately to facility security and management. There should also be a procedure in place for reporting these incidents to authorities. This includes identifying, in advance, points of contact with local police and FBI intelligence organizations. Establishing a relationship ahead of time will ensure that reports receive the appropriate attention. Lone-wolf terrorists are the most difficult to detect in advance of their initial attack. They can also be the most difficult to stop from conducting follow-on attacks. Fortunately, they are rare, but not so rare that high-risk chemical facilities can afford to ignore their potential existence.
 
/* Use this with templates/template-twocol.html */