Tuesday, March 31, 2009

TSA Extension Request Granted

On March 25th, the Surface Transportation Board published a ‘decision’ on Docket # FD 355219, the Union Pacific petition for a declaratory order. Actually the decision was on the TSA request for an extension of the time to file comments. The STB granted the TSA request for an extension of the time limit until April 10th. This also necessitated a change to the date by which UP must file any replies or rebuttals to comments submitted on the docket; that date was delayed until April 30th. The delay in my reporting this is due to the fact that I just found where STB posts their decisions on their web site. Needless to say it is in a different place than where they post the filings. Once I figured the site out it seems logically organized. This is one of the problems with the thousands of different government web sites. There is no common structure to the organization of the sites. A visitor has to spend a significant amount of time trying to figure out the logic of the organization for that site. In any case, there is now an additional 10 days for us to follow possible submissions to this docket. We are expecting to see a TSA reply and an FRA reply. There is no telling who else might put their two-cents worth in (actually I guess it would be fourty-three cents worth now).

Video Surveillance Project Management

Long time readers of this blog will be well familiar with the name of John Honovich. He has provided me with a lot of good information on video surveillance systems and maintains an excellent web site packed with video surveillance information. One of the things that I really appreciate about John’s information is that he isn’t afraid to pass on information from a variety of other sources. In last week’s email listing of new information he provided a link to an article on CSOOnline.com about video surveillance project planning. This project planning article by Jason Crowling is not a step-by-step outline of how to plan for a video surveillance project. It does point out a number of pieces of information that will help the security manager to understand the bidding and project definition process. As with all of the other articles that I have recommended on the subject, this is far from an exhaustive review of all of the relevant factors. I do think that any security manager that is not well experienced in working with video surveillance systems should add this article to a pre-bid reading list. It will help to explain some of the exasperating issues that will have to be dealt with in the competitive bidding process.

PHMSA Public Meeting to Prep for UNSCOE TDG Meeting

The Pipeline and Hazardous Material Safety Administration announced in today’s Federal Register that they would be holding a public meeting on June 17th to get public input about issues that will be discussed at the United Nations Sub-Committee of Experts on the Transport of Dangerous Goods (UNSCOE TDG) to be held June 22-26, 2009 in Geneva, Switzerland. Interested personnel will be able to attend the PHMSA meeting in person or participate in the ‘conference call’ coverage. The meeting will be held in the DOT Headquarters building in Washington, D.C.

Monday, March 30, 2009

Congressional Hearing Update – 03-30-09

The House Appropriations Committee web site now has their calendar for hearings for this week available; it wasn’t when I wrote Friday’s blog on the schedule. There are three Homeland Security Subcommittee hearings scheduled for this week and two of them should have some impact on the chemical security community. The first hearing will be tomorrow at 10:00 am EDT and it will cover ‘Rail and Transit Security, Aviation Security Efficiency’. The second hearing will be conducted on Wednesday at 10:00 am EDT and it will cover ‘Cargo and Container Security: Keeping a Lid on Threats’. Wednesday’s hearing will be webcast. No word on the witness list for either hearing.

TWIC Reader ANPRM – Identification Techniques

As I noted last Friday the Coast Guard published an advance notice of proposed rule making (ANPRM) about the use of electronic TWIC Readers. This blog will be the first in a series of blogs that will look at some of the details of the program that they are thinking about implementing. Along the way we will look at potential applications at high-risk chemical facilities not associated with MTSA covered facilities. In this first blog we will look at the various identification techniques that can be associated with the Transportation Workers Identification Credential and the TWI Reader. Identity Verification There are three different techniques that facilities can use the TWIC to verify a worker’s identity. The first, most basic and least secure is to use the picture on the card and to compare it to person’s face. Of course, any picture ID card could be used in the same way. The next most secure way to use the TWIC would be to place the card into a smart card reader and enter the worker’s 6-digit PIN into the reader. This provides about the same level of security as a standard bank card. What the TWIC was designed for was biometric identification verification. The worker’s identification is verified during the application process and an electronic copy of a fingerprint is encoded on the chip embedded in the TWIC. At the point of identification the TWIC would be placed into the TWIC Reader and the worker’s fingerprint read. The two would then be compared to verify the worker’s identity. For high-risk chemical facilities that are not covered by the MTSA rules, the security manager must determine what level of identification is necessary at that facility. Initial identification of the individual is certainly going to require verification of identity based on finger prints. For most facilities, once the initial identification verification is completed, photo ID is going to be adequate since the employee will be familiar to his co-workers. For larger facilities with multiple levels of access to areas without security guard coverage some sort of automated identification verification will be necessary. Card Authentication Since the TWIC Reader identification verification system relies on information provided by the TWIC there needs to be some form identification verification for the card itself. There are two levels of TWIC authentication available on every legitimate TWIC. First there are visible security features embedded into the front and back surfaces of the card. The absence of one or more of these visible features indicates that the card is a poor forgery. The second, more secure level of TWIC authentication requires the use of a TWIC Reader. First the Reader finds the Card Authentication Certificate programmed into the TWIC chip. The TWIC Reader then initiates a challenge and response protocol based on data included in the certificate. An improper response indicates a forged card. Any facility that designs their security identification procedures around a card system that relies on personnel identification information contained only in the card must come up with a similar type procedure. If the biometric identification information is contained in the on-site system rather than the card, methods of authenticating the identification card are not as critical. Card Validation A TWIC will spend most of its life in un-secure areas. They will be subject to theft and other forms of diversion. Workers will loose their clearance for unescorted access to MTSA security areas, but will physically retain their TWIC. There are a variety of reasons that an authentic TWIC should not be able to authorize unaccompanied access to a secure area. This means that the current status of that TWIC must be validated. When a TWIC Reader authenticates a TWIC it immediately reads the identification for that card, the Federal Agency Smart Card—Number (FASC-N). The TWIC reader then compares that FASC-N to a list of ‘bad’ numbers provided by TSA. If the FASC-N is not found on that list then the TWIC is validated. At this point the identity and security status of the holder is verified. Again, this level of sophistication would not be required for a privately developed security identification card system if the data used to verify the identity of the user was maintained on an isolated system within the security perimeter. Any identification system that allows the verification data to reside outside that perimeter must use a similar level of sophistication.

Replies to UP STB Petition – 03-27-09

Last week there were two additional replies to the Union Pacific petition before the Surface Transportation Board (STB) to allow UP to refuse to provide tariff rate quotes for chlorine transport routes. As noted in my last blog one reply was from Olin Corp (a copy of the reply is now posted). The latest reply came from two unions; The Brotherhood of Railroad Signalmen (BRS) and the Brotherhood of Maintenance of Way Employes [sic] Division (BMWED/IBT). Both replies weighed in against the UP petition. Olin Corp Reply Olin Corp is a major chlorine producer/shipper. Olin asserts that the reason for the UP petition is to “gain an unfair advantage in a commercial dispute between UP and USM [US Magnesium]”. They recommend that the STB deny the UP petition and order UP to provide the requested rates to USM. They also note that the issue of TIH shipments and common carrier obligations is already an issue before the STB (Ex Parte No 677) and should be decided in that venue not this petition. Finally, they note that the safety and security of TIH shipments through High Threat Urban Areas (HTUA) are a matter for Federal Railroad Administration (FRA) and TSA to regulate, not STB. BRS BMWED/IBT Reply These two unions represent railroad employees that perform ground side installation and maintenance for the railroads. They assert that the risk and safety aspects of the UP petition should be addressed through the FRA rulemaking process mandated by last year’s Rail Safety Improvement Act (RSIA). They also raise the issue that allowing Class 1 railroads to stop carrying TIH chemicals would allow them to avoid installing Positive Train Control Systems on the lines which would have been required by RSIA. Finally, they note that allowing Class 1 railroads to arbitrarily stop carrying TIH would not stop the shipment of these chemicals. It would merely shift those shipments to higher risk modes of transportation, Class 2 and Class 3 railroads and trucks. My Comments on Replies Since Olin is a major chlorine producer/shipper it is not unexpected that they would side with US Magnesium in this dispute. The level of vehemence in their filing (carefully couched in legal terms of course) is somewhat surprising for someone that is not an actual party to the dispute. Equally surprising is their reference back to Ex Parte No 677 as the potential resolution to the TIH and Common Carrier Obligation issue. It seemed clear that when STB held these hearings last year that there was no real expectation that they would take any concrete actions. If they had tried to impose an exception it would have certainly ended up in the courts on the same day. The only way a substantive change could be made in this issue would be by Congress changing the law and that is a political hot potato that no one is willing to touch. It was surprising to see these two particular unions filing a reply in this case. I had a hard time seeing their interest in the issue since their people were not directly involved in handling these shipments. But this is not a court case, so there is no requirement for having ‘standing’ in the dispute to file a reply; the STB did after all request public comments. Reading through their reply it became clear that they do have a stake in the decision. When you get to the part about the PTC systems, it is there members that would be responsible for installing and maintaining those systems. Given the long stretches of ‘dark track’ out west (particularly) if UP could avoid shipping chlorine (and other TIH chemicals) on these tracks they could avoid installing PTC systems along those lines. Tomorrow is the current deadline for comments on the petition. Of course there is a request for an extension of the time limit before the STB. Since that came from the TSA, whom the STB requested provide input, it is likely that it will be granted. And we still have to hear from the FRA, the other agency invited to file comments. Then there will be a second deadline to allow UP to counter reply. We still have a ways for this to go before STB finally makes a decision on this ‘emergency’ case.

CFATS Reauthorization and Water Facilities

One aspect of potential CFATS reauthorization legislation that we haven’t looked at much since the 111th Congress came into session has been the issue of the exemption for water treatment and waste water treatment facilities. This last week 130 members of the American Water Works Association (AWWA) flew into Washington, DC to talk about this issue, among others, with their elected representatives. According to a press release from the AWWA, these local leaders made the following points about their facilities and any new chemical security legislation:
“Allow decisions about disinfectant choices to be made locally. “Prohibit the federal government from ordering the shut-down of water facilities. “Apply only to drinking water systems if they have chemicals of concern above certain threshold quantities.”
HR 5577 and Water Facilities Last year’s attempt at reauthorizing CFATS, HR 5577, clearly addressed the water treatment facility exemption. It would have removed that exemption and brought water treatment and waste water treatment facilities under the CFATS regulations. They could only have become ‘covered facilities’ if they had one or more DHS chemicals of interest (COI; typically chlorine, anhydrous ammonia and/or sulfur dioxide for this type facility) on-site above the screening threshold quantity (STQ) listed in Appendix A to 6 CFR part 27. Chairman Thompson’s proposal specifically addressed water facilities when it authorized the Secretary to shut down non-complying facilities. In §2105(b)(4) the legislation established a higher standard for that sanction for water facilities:
“Notwithstanding the preceding sentence, the Secretary may not issue an order to cease operations under this paragraph to the owner or operator of a drinking water or wastewater facility unless the Secretary determines that continued operation of the facility represents a clear and present danger to homeland security.”
There were no provisions in HR 5577 that would have exempted water facilities from the IST provisions of the legislation. In fact, there are many that feel that a large number of the facilities that the IST provisions were designed to affect would have been water treatment facilities using chlorine gas to disinfect the water. This is reflected in the large number of water treatment facilities that are listed in the Center for American Progress publication, Chemical Security 101. AWWA and CFATS Reauthorization It is almost a certainty that the legislation being developed by the House Homeland Security Committee will remove the water facility exemption from the §550 authorization. Where the AWWA will fall on the issue of CFATS authorization legislation then will be determined by the wording of the IST provisions. The AWWA had promised to come up with a model method for analyzing for technical and financial feasibility of replacing chlorine gas at water and waste water treatment facilities. If they can convince the Committee that the method provides a ‘legitimate analysis’ (technically and politically) they have a chance of getting IST wording that they can live with. Having the analysis peer reviewed would go a long way to convincing the Committee of the legitimacy of the analytical method.

More from DHS Briefing at ChemSecure

Last Friday I posted some information that I had from a set of slides that had been used earlier in the week by DHS to brief attendees at the ACC conference, ChemSecure, in Houston, TX. Today I would like to take a look at the information provided in two slides from the same presentation. Both slides deal with ‘Program Issues’. DHS Personnel Issues The first bullet on this slide deals with DHS personnel issues. Readers of this blog will have already been familiar with most of this information. I talked about DHS personnel training in an earlier blog. A reader provided the same personnel numbers in a comment to that blog. Ammonium Nitrate Rules Not a lot of information on the slide for this bullet. DHS does let us know that there are about 700 ammonium nitrate related facilities that are covered by CFATS. It would probably be more if not for the indefinite Top Screen extension given to agricultural production facilities. The other bit of information provided is that DHS plans on using the same Personnel Surety Portal for AN registration that is being developed for CFATS; makes good sense. Ag Facility Top Screen Extension When the agriculture ‘extension’ was announced in December 2007 I always felt that DHS had just finally been beaten into the ground by the Ag Lobby. I think the entries under this bullet reflect some of the lingering resentment associated with that ‘defeat’. This is particularly evident (to me) in the comment that: “Voluntary engagement to learn more about end user community did not yield results anticipated”. The slide does note that DHS has developed “supplemental Ag-focused questions targeted at distributor community”. DHS plans to use the §27.200(b)(1) authority to require distributors to re-submit a Top Screen with the added ‘Ag-focused questions’. DHS can then use the data received from those Top Screens to evaluate potential approaches to bring an end to the ‘extension’. One technique under consideration appears to be setting a separate STQ for agricultural facilities (presumably with a higher minimum quantity). It will be interesting if they go back and modify the propane STQ at the same time. The 60,000 lbs (10,000 lb container minimum) was selected mainly to appease the agricultural community. If DHS establishes agricultural STQ’s they could return the standard propane STQ to the 10,000 lbs used for all other flammable release COI and keep the 60,000 lbs STQ for agricultural facilities. Gasoline Storage Facilities The fuel distribution industry has been very upset with DHS over the attempt to classify their tank farms as ‘chemical facilities’. They point to the EPA exemption from RMP rules for those facilities as justification for their potential exemption from CFATS. The fact that the RMP exemption was a politically driven exemption rather than a scientifically derived exemption is lost in the discussion. The DHS slide emphasizes the distinction between RMP (safety) and CFATS (terrorist targets). It also notes that only 13% of the fuel storage facilities that submitted Top Screens were designated as high-risk facilities with most being preliminarily tiered in Tier 3 and Tier 4. This compares to the almost 24% of all facilities submitting Top Screens. In the DHS review of the Top Screen results it seemed that the questions returned too high a risk rating for the fuel storage facilities. DHS went back and re-worked the fuel storage questions and re-published the Top Screen last fall. About 85% of the original 450 high-risk fuel storage facilities have re-submitted the Top Screen. Nothing in the briefing slide indicates how their rating or ranking changed. Harmonization with Coast Guard and TSA The Office of Infrastructure Compliance is not the only DHS agency that regulates chemical security. Both the Coast Guard and TSA have irons in that fire. Chemical facilities that abut on navigable waterways and ports fall under the Coast Guards domain under the MTSA regulations. Hazmat receivers located in HTUA that receive railcar loads of rail security sensitive material (RSSM) and all hazmat shippers that ship RSSM by rail fall under the TSA freight rail security rules. Tying those rules into a seamless bureaucratic cloth is a major ‘harmonization’ challenge. According to the DHS presentation slide OIC and the Coast Guard are working to define which facilities fall completely under MTSA (which are exempt from CFATS) and which fall only partially under MTSA. The non-MTSA covered portions of those facilities would fall under CFATS. Those dual regulated facilities will be a major challenge; both for the regulators and the facility personnel. The main issue with TSA will be the ‘Rail Secure Areas’ in which covered shippers and receivers are required to hold their RSSM loaded railcars. TSA and OIC are trying to develop a common operational definition of such areas so that a single performance standard can be applied. Outliers The last bulleted point on the second Program Issues slide is labeled “Identification of Outliers’. The items listed under this bullet are brief and cryptic. I’ll take my best shot at discussing them, but my take on them may bear no relation to what the DHS presenter covered. ‘Pilot with NY and NJ’. I have heard rumors of a pilot program where DHS inspectors were going back and trying to track down facilities that should have filed Top Screens, but did not. If there has been any such effort I would expect it to be put on hold while the SSP issues are worked. ‘Follow-up on Water Treatment Facility Exemption’. I would have thought that this was a congressional issue. ‘EPA RMP list under review’. DHS has never publicly addressed the issue of changes to Appendix A. One thing that would certainly lead to a possible change is the inclusion of new chemicals on (or removing old chemicals from) the RMP list since that list was one of the starting points for Appendix A. ‘Tip Line’. I can only assume that this is a reference to the FAQ question on the Chemical Security site that describes a mechanism for providing chemical security tips directly to TSA. I called it a Whistleblower line in an earlier blog. Well, that about covers the slides that I have. Again, by the looks of the slides I missed a pretty decent presentation, especially since DHS couldn’t discuss what everyone came to hear about. Anyone that actually saw the presentation, please leave some comments about how it looked live.

Friday, March 27, 2009

Congressional Hearings for Week of March 30th

Congress is taking their traditional Friday Travel Day to get back home for the weekend. I’ve looked at that posted schedules on a variety of Committee web sites and I don’t see any hearings of particular interest to the chemical security community. There will be some more hearings on the problems along the Mexican border, but the two most potentially interesting homeland security type hearings will be conducted by the House Homeland Security Committee. The Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment will hold a hearing on Fusion Centers on April 1st at 10:00am EDT. They will have a wide variety of witnesses, including two from DHS this time. The agenda includes looking at the recent DHS IG report on Fusion Centers and the Chairwoman promises to “explore the potential pitfalls that fusion centers present in light of recent reports of privacy and civil liberties abuses at several fusion centers.” The full committee will hold a hearing on April 2nd at 10:00am looking at the potential reorganization of the Homeland Security Council in the White House. Interestingly there is no one from the White House on the witness list. Of course, everyone is still waiting for the results of the 60-day review of the HSC/NSC issue ordered by President Obama.

CG ANPRM for TWIC Reader Rules

The Coast Guard published an advance notice of proposed rule making (ANPRM) in today’s Federal Register covering their current thinking on the use of electronic TWIC Readers as a method of controlling access to MTSA covered facilities. It looks at potential requirements associated with that use, including record keeping requirement and changes to security plans. The Coast Guard is requesting public comments on the issues and questions raised in the ANPRM. The deadline for comments is May 26th, 2009. Comments may be filed on this docket (USCG-2007-28915) on-line at the www.Regulations.Gov site or they may be mailed to the DOT Docket Management Facility at:
Docket Management Facility (M-30) U.S. Department of Transportation West Building Ground Floor, Room W12-140 1200 New Jersey Avenue, SE. Washington, DC 20590-0001
I’ll have more information on this ANPRM in future blogs.

Reader Comment – 03-26-09 – Webinar

Fred Millar provides a friendly yet sarcastic comment about on an earlier blog concerning the ChemITC webinar next week. While Fred’s comment was probably intended at least partially in jest, there is a serious point underlying the comment. Fred said:
“Just for fun, you might good-naturedly with a virtual wink ask Henry if anyone worries that hackers might someday intrude upon the major shippers' use of sophisticated computer hazmat re-routing programs to avoid major target cities (by truck and rail), with the result that some TIH cargoes begin again going through all the 46 major US target cities until the local officials catch on to the enormous catastrophic risk?”
Computer controls are becoming a larger part of everything. Computers keep track of every bit of information in the modern chemical facility from product development, personnel, inventory, scheduling through packaging and shipping. On the process side the computers open valves, control weighment, heating, and cooling. Now we are starting to make computers a major part of security systems. IT Security people have been battling hackers, viruses, worms and Trojans in their information systems for quite some time. Control system engineers are just now starting to deal with similar problems. The question is are the security system people going to be proactive about security of their systems or will they wait until they are attacked? My bet is on the latter.

Chem Sector Security Summit Update 03-26-09

I reported on an update of the CSSS web page update yesterday. Another change was posted yesterday afternoon. Nothing earth shattering unless you are trying to get the special Summit rate for your hotel room. The latest version of the page states that you need to “mention the reservation code: socsoca” to get that special rate. Just thought that some people might be interested.

DHS Presents CFATS Update at ChemSecure

I had hoped to get to ChemSecure, the ACC Chemical Security Conference in Houston, this week; unfortunately my personal economy is in no better shape than that of the country as a whole. I had particularly wanted to get to this conference because it looked like it would be the first conference after DHS released the new RBPS Guidance Document and the SSP roll out. I was really looking forward to the DHS presentation on CFATS. Last weekend when I found out that DHS could not roll out the next stage of CFATS because of the continuing review of the RBPS Guidance document by OMB, I was less disappointed. Another part of me still wanted to go just to see how well the DHS presenters filled up their assigned time while saying essentially nothing about SSP and RBPS. Well, I did not get to see the presentation, but I have gotten hold of a copy of the DHS slides. It looks like I missed out on a good presentation, but I still do get to talk about it. One caveat, I have copies of the slides but I did not hear the words that were spoken with them. A good presentation is a lot more than just the information on the slides. Updated Top Screen Results DHS provided some interesting figures on results from Top Screens. The slide repeated the June 2008 figure of about 7,000 high-risk facilities and then reported that the current number has dropped to 6,419. This is one area where I would have liked to hear the explanation, but I can make some educated guesses about the 10% drop. With the number of chemical facilities that have shut down, cut back or slowed down, I would bet that the economy is a large factor in the drop in high-risk chemical facilities. If I were a facility manager for a high-risk chemical facility that had cut inventories to reflect current production needs, I would certainly try to ensure that my COI were among the chemicals whose inventories were reduced. Once some of those COI levels were below STQ amounts, I would immediately re-submit my Top Screen. I would hope to get bumped off the high-risk list, or at least have my Tier level changed. This may be reflected in another figure on the Top Screen slide. The bottom line on the slide shows that DHS is still receiving Top Screen submissions at the rate of about one per week. I would have loved to ask how many of those submissions are from new facilities and how many are essentially re-submissions. SVA Results Actually there were no SVA results presented. Since DHS has not yet made any notifications to facilities they would be reluctant to discuss results. They are not making notifications because that would start the SSP submission clock and DSH still does not know for sure when they will be able to roll out the SSP. The SVA slide did still get a chance to provide some interesting information. First all of the SVA’s from facilities with preliminary Tier 1 status have been submitted and DHS is prepared to make notification when SSP becomes available. DHS hopes to make Tier 2 notifications in April, Tier 3 in June and Tier four in August. I expect that those times may slip as they want to give their greatest attention to the Tier 1 facilities when the SSP becomes available. There were two pieces of numerical data on this slide. First the slide notes that there were still 40 Tier 3 SVA’s due with a due date of 3-25-09. Since the initial Tier 3 SVA’s were due on November 24th this looks unusual. This could mean that these facilities were not in the original June 2008 notifications because of new first time Top Screen submissions. Or there could have been requests for SVA extensions requested and approved by DHS. Finally there could have been Tiering downgrades because of resubmission of Top Screens. We have a similar data point provided in the Tier 4 listing. The SVA slide shows that there have been 3142 SVA’s submitted, but the Top Screen slide showed that there were currently 3943 Tier 4 facilities. The difference of 801 facilities is probably due to similar circumstances examined for the Tier 3 numbers. Site Security Plan Update This was, of course, the area that I had hoped for the most information, but DHS just could not provide it while the RBPS is still under review. We did find out that the SSP tool on CSAT is ready to go (unless major revisions are required for RBPS). It has been field tested at 9 facilities of various types that volunteered to be guinea pigs. That was probably a good move on the part of the facilities; get brownie points and free help at the same time. One interesting looking item is not totally clear due to the use of acronyms that I am not familiar with; again they would have been explained in the actual presentation. What I do understand is that DHS is working with TSA and SCO (?) to develop an on-line portal to allow facilities to check employee names against the TSDB (Terrorist Status Data Base, I think, but certainly the terrorist database by some name) which is ‘required’ for RBPS #12, Personnel Surety. DHS expects that this will be operational in October (the same month that CFATS is technically slated to turn into a pumpkin). One final thing that is interesting is something that I cannot figure out from the slide so it grabs my attention. Can someone translate the following for me? “PIA and SORN under review” There are more slides, but I’ll save them for another day.

Thursday, March 26, 2009

2009 Chemical Sector Security Summit Update 03-25-09

Yesterday DHS updated the 2009 Chemical Sector Security Summit web page. They provided new information on the planned agenda, registration information, and information on hotel and tourist sites in the Baltimore area. Preliminary Agenda The preliminary agenda, with the careful explanation that topics are subject to change, contains a combination of speeches, instructional sessions, workshops, and ‘ongoing demonstrations’. Currently scheduled speakers include:
Janet Napolitano, Secretary, DHS General James Snyder, Acting Assistant Secretary of IP, DHS Clyde Miller, BASF Corporation and Chairman of Chemical SCC
Currently scheduled instruction sessions include:

Threats to the Homeland and the Chemical Sector Identifying and Defeating Weapons of Mass Destruction Overview — Chemical Facility Anti-Terrorism Standards Chemical Vulnerability Information Update Congressional Perspective State and Local Issues Multi-Agency Harmonization on Chemical and HazMat Security Regulations Developing a Security Exercise Guidance to Achieve Successful Site Security Plan Development and Inspections

Currently scheduled workshop sessions include:
Pipeline Security Freight Rail Transportation Risk — Security Issues Ammonium Nitrate Regulations Implementation of Federal Freight Rail Security Rules Theft & Diversion: Prevention and Compliance Maritime Transportation Security Act – TWIC Surveillance Detection
Currently scheduled on-going demonstrations include:
Voluntary Chemical Assessment Tool and TRIPwire Site Security Plans
Registration The registration for the summit is free of charge, not so unfortunately for the hotel (Baltimore Marriott Waterfront). The registration web page provides an email address to which the registration information will be sent. Confirmation will be by return email. There is something new this year; there is a Privacy Act Statement on the registration page. It provides for a method of opting into the summit directory where attendees names and company names will be reported. There is one other new thing on the registration front. Last year it was strictly first come first serve. This year they are limiting initial registration to two people per company or organization. Companies can provide a prioritized list of people to attend; the first two will be given registrations and the remainder will be placed on a waiting list. There is no information provided about when they will start pulling from the waiting list. Presumably the waiting list will be pulled first come first served, so still get registration lists in early.

Wednesday, March 25, 2009

Webinar on Transportation and Cyber Security

ChemITC is certainly keeping me hoping on the blog this week. In yesterday’s ACC SmartBrief email (you can sign up for the free email news source at http://www.smartbrief.com/acc/) there was a notice about a webinar that ChemITC will be holding next week about the interface between cyber security and chemical transportation security. Sounded like an interesting combination of subjects so I asked the friendly ChemITC Manager, Bridgette Bourge for some additional information and she quickly responded (even though she was down in Houston for the ChemSecure conference). The free (ACC calls it ‘complementary’ but I like the term free) webinar will be held at 10:00 am EDT on Tuesday, March 31st (next week). According to ChemITC it will “provide an overview of transportation security in the chemical industry, with an emphasis on how cyber systems are enabling chemical supply chain security processes”. You can sign up by clicking here and will receive a confirmatory email after completing a short online form. If you can’t make the webinar Bridgette tells me that it will be available on their website in a couple of weeks. The two presenters will both be from Dow Chemical. Henry Ward (Global Supply Chain Director for Transportation Safety and Security) and Craig Casto (Global Leader for its RFID, GPS and AutoID Expertise Center) will “provide a context for security experts in both the cyber and transportation fields to bridge the gap between the important work each is doing on a day-to-day basis”. It certainly sounds like it will be an interesting presentation. I certainly plan to ‘be there’.

UP STB Filings Update – 03-25-09

Two new filings were posted to the STB web site on the UP declaratory order proceedings (FD 35219). On Friday a TSA filing was posted. On Monday a filing from US Magnesium was posted. With each new posting the situation gets more complicated. Request for Delay The Transportation Security Administration filing was a request for delay. TSA was one of the two federal agencies (the Federal Railroad Administration was the other) mentioned in the STB notice of initiation of declaratory order proceedings as potentially having information valuable in the proceedings. Additionally, the STB notified the TSA by letter that they were ‘invited and encouraged’ to provide specific input about the security issues raised by UP. The TSA filing states that:
“The issues the petition raises are complex and require a review of how they relate to TSA regulations and policies. It will be difficult to complete TSA's analysis and coordinate our comments with other components within the Department of Homeland Security, and submit the comments to the Board by March 31, 2009.”
The TSA requested that the filing date be extended until April 10th, 2009. While I am not a lawyer, I do not see how complicated the transportation security issues are in this case. Union Pacific claims that they have been asked to reduce the number of PIH shipments through HTUA. That has certainly not been the intent of the only freight rail regulation that TSA has published to date. Either there has been private communications made to UP to that effect or there have not. In either case the STB needs to be told. What I suspect is taking place is that the Obama Administration is taking a hard look at the hazmat rail routing issue. There have certainly been vigorous calls for tougher restrictions on TIH shipments through HTUA among some supporters of the Administration. TSA comments in this case may provide a window to watch how the new administration is planning on proceeding on this issue. Shipper Self-Identified It seemed a little odd to me that in the original public filing UP redacted the name of the shipper that had originally requested the rates for these chlorine shipments; there just are not that many chlorine producers in Utah. Yesterday, US Magnesium filed a reply to the UP petition and identified themselves as the chlorine producer. Their filing includes a request for the STB to compel UP to provide the common carrier rates originally requested by US Magnesium. The identity of the chlorine producer adds another peculiar twist to the issue. US Magnesium produces chlorine as a byproduct of their magnesium production. They harvest (for want of a better word) magnesium chloride from the Great Salt Lake and separate it into its two constituent components. As their magnesium production increases, so does their chlorine production. To make matters more complicated, US Magnesium is the only domestic magnesium producer. According to their filing US Magnesium had requested new chlorine shipment rates for shipping chlorine from their facility in Utah to 35 cities where potential customers existed. They wanted these rates so that they could quote delivered chlorine costs to potential customers in these cities. UP initially provided rates to all but seven of the cities. Subsequent to its filing of the petition to the STB, UP provided tariff rate to three of the seven cities (Dupo, Ill; Festus, MO; and Memphis, TN). Looking at the supporting documents that US Magnesium included in their filing it may be that they inadvertently encouraged UP to file their original petition. In a copy of a January 16th letter to UP (Appendix A) US Magnesium raised the possibility of questioning the fairness of UP rates for chlorine transport. In the next to last paragraph of the letter Howard Kaplan (VP, US Magnesium) writes:
“US Magnesium and UP have reached mutually satisfactory solutions in previous negotiations. We remain open to reasonable solutions and encourage UP to join together with US Magnesium again in developing an acceptable negotiated solution. If such does not occur we see a distinct possibility that US Magnesium will reluctantly decide to seek a rate reasonableness determination from the Surface Transportation Board.”
UP may have decided that filing their petition could fulfill a two fold purpose; pre-empt the rate fairness filing and establish the precedent that there are limits to the carriers obligation to provide carriage for TIH chemicals. Note: Yesterday US Magnesium filed a correction to their earlier reply. It was a minor correction to a footnote in their original submission that appears to be of now major consequence. Moving Forward We still have to hear from the Federal Railroad Administration. If, as I suspect, the motivation for the delay request by TSA is the Obama Administration reviewing their stance on the hazmat routing issue, I would be very surprised if we did not see a similar request for delay from the FRA before the week is out. Other chlorine shippers are sure to chime in with their views on the common carrier obligation issue. This morning the STB filings web page showed that Olin was filing a reply to the UP petition, but no document was attached. I expect that that document will be available later today. I also expect supporters of more aggressive route restrictions to provide supporting comments for the UP petition. This issue has the potential to be a precedent setting matter. If the STB rules in favor of the UP petition, it will certainly lead to multiple requests from other carriers to avoid the carriage of TIH chemicals through HTUA.

DHS COE for Command, Control and Interoperability

In yesterday’s Federal Register DHS announced the designation of two lead institutions for the DHS Center of Excellence (COE) for Command, Control and Interoperability. DHS designated Purdue University as Visualization Sciences and Education Lead Institution and Rutgers, the State University of New Jersey, as Data Sciences Lead Institution. DHS noted that “This team of institutions is uniquely well qualified and located to address data analysis, visualization, cyber security and other related issues”. The purpose of this Center of Excellence was explained in the Federal Register notices.
“This COE will conduct fundamental research into the technological issues, challenges, and policy issues related to (1) dynamic, on-demand data processing and visualization; (2) hypothesis-driven data analysis; (3) visualization of structured, unstructured, and streaming data; (4) mathematics of discrete and visual analytics; (5) scalable information filtering and dissemination; (6) visualization and simulation of information; (7) mobile and light-weight information analytics and sharing. This COE will create the scientific basis and enduring technologies needed to analyze massive amounts of information from multiple sources to more reliably detect threats to the security of the nation and its infrastructures, and to the health and welfare of its populace. These new technologies will also improve the dissemination of both information and related technologies.”
While not specifically designated to support the chemical security operations at DHS, this COE, with its data analysis and visualization and cyber security focus will probably have more of a direct impact on chemical facility and transportation security functions than the original 14 COE out-lined in Section 308 of the Homeland Security Act of 2002 and its subsequent amendments.

Reader Comments – 03-24-09 – Hazmat Routing

Fred Millar, a long time reader and commenter as well as a hazmat transportation consultant, provided comments on two recent blogs dealing with hazmat rail transportation issues. First he wants to correct some information that I provided on routes around Washington, DC and then he suggests information that I might want to dig up. I can always count on my readers to keep me on my toes. Alternate Rail Routes Fred pointed out that in my blog on potential new rail routes around Washington, DC that there was at least one Class 1 rail line that avoided the Washington DC-Balt-Philly-Newark-NYC metroplex. I will certainly bow to Fred’s superior knowledge of rail routes. When he tells me that the Norfolk Southern I81 corridor bypasses these cities (presumably to the west) I must presume that he is correct. The interesting point that this raises is that the ‘offending’ rail line running through Washington, DC is owned by CSX. This would mean that for a CSX customer shipping from say Eastern Virginia to New York State, CSX could run the load along its own lines to through one or more of these cities (I’m not sure where their lines actually run) or they could transfer the shipment to the Norfolk Southern line for the majority of the trip and bypass these urban areas. Of course, Norfolk Southern would presumably get the bulk of the shipping fee. One could see why CSX would be reluctant to share those revenues. This is, of course, the heart of the hazmat re-routing issue. There are a number of reasons why railroads do not want to transfer their customer’s railcars to other lines and most of them come down to revenue. Now railroads do transfer cars to other lines all of the time. Very few long distance rail trips stay completely on one carrier’s rails for the entire trip. But, it is only done when there is no ‘reasonable’ alternative; with ‘reasonable’ being defined by the railroad. To add to the complexity there is the problem of how to define a ‘safer route’. While most of us would assume that a route that bypasses high-threat urban areas (HTUA) would be safer than one that would go through such an area, the issue is more complex than that. Smaller cities would argue that they are also potential terrorist targets and are less able to afford the equipment necessary to respond to a major hazmat incident. Do longer transit times make a TIH railcar more susceptible to terrorist attack if the car avoids HTUA? Even with all of the potential complexities, I believe that the real basis for the lack of voluntary re-routing around HTUA comes down to money. The question comes down to how much money is re-routing worth? Section 333 Meetings Locally, railroads are monopolies. Typically a facility with a rail line has only one railroad that they can turn to to pick-up or deliver railcars from their facility. Where monopolies are necessary or inevitable, they are supposed to be closely regulated. Railroads are separate companies and are not supposed to communicate in a way that might look like they are fixing rates or otherwise regulating business. But railroads have to coordinate schedules and the like. To avoid the appearance of illegally setting rates there is a Federal Railroad Administration regulation that prescribes how and about what they can communicate. One of the approved communication tools is covered under 49 USC § 333. One area that railroads are supposed to be coordinating is the routing of hazardous material shipments so that they can reduce standing time and route around high-risk targets. In his second comment, made on the blog discussing the Chlorine Institute comments on the UP rate controversy before the STB, suggested that I should investigate the § 333 meetings between railroads and some shippers discussing these hazmat shipments. He is apparently concerned that ‘secret’ decisions made in these meetings may have been made without due consideration for public safety and security. I would certainly like to know more about any § 333 discussions about hazmat routing. But, I am not an investigative reporter. I do not have the funds or connections to travel around asking questions of people involved in these discussions. I have only ever talked, face-to-face with one railroad employee, the guy on the local train that brought railcars to our facility. Fred, I’ll try to see what I can find out, but you probably have better contacts than I do. Unless, of course, there is another reader that can point me in the right direction……

Tuesday, March 24, 2009

100% Rail Screening Southbound to Mexico

The DHS web site has a listing of new enhancements to the Mexican border operations to be undertaken by DHS “designed to crack down on Mexican drug cartels through enhanced border security”. One of the measures listed in the press release is “implementing 100 percent southbound rail screening using non-intrusive inspection equipment to detect anomalies in rail cars.”

Now the implied intention is to intercept the shipments of arms and drug money going back to Mexico to support the drug cartels. This is a measure designed to support the efforts of the Mexican Government to crack down on these cartels. As such, it should certainly be supported. But, there is no mention of inspections of north bound rail cars, especially TIH rail cars.

As of April 1st of this year, all TIH rail car shipments originating in the United States are physically checked for the presence of IEDs and signs of tampering. All transfers of TIH rail cars must be physically handed off to ensure that a strict chain of custody exists from the time those IED checks are made until the time the rail car is delivered.

A major hole in those requirements exists for TIH rail cars entering the United States. There are no requirements to show that the IED checks were made at shipper’s locations in Mexico or Canada. There are no requirements for IED checks to be made at the US border. In fact, these TIH rail car shipments from areas under the physical control of the drug cartels may not be checked for the presence of IEDs until they reach a rail secure area in one of the high-threat urban areas in the United States.

The 100% screening of rail cars heading south across the Mexican border may certainly be a reasonable attempt to cut down the smuggling of arms and drug money. But, it seems to me that the screening of TIH rail cars coming into the United States from areas controlled by the drug cartels might be a little more important to homeland security.

Monday, March 23, 2009

SSP-RBPS Status 03-23-09

Everyone in the chemical security community is wondering when DHS will be rolling out the CFATS Site Security Plan and Risk-Based Performance Standards Guideline documents. Over a month ago it was being reported that it would be rolled out in February. That didn’t pan out too well. It seems that OMB is still looking over the RBPS Guidelines. Once those are approved, DHS is prepared to move forward with the SSP Tool on their CFATS web site. No telling when OMB will be done with their review. Remember President Obama has had them re-looking at all in-process rules and redefining the regulation approval process. Needless to say this will upset the ACC people at ChemSecure this week. There were supposed to be some DHS explanations of both the SSP and RBPS this week at that conference. I doubt that much information will be forth coming until the official role out. Oh well, we wait and watch.

Insider Cyber Attack Example

There is an interesting short article over on SCMagazineUS.com about an insider cyber attack against a gas/oil field developer. A federal grand jury indicted a ‘disgruntled IT contractor’ for “unauthorized impairment of a protected computer”. Apparently the contractor set up a computer system that among other things monitored leak detection equipment at gas and oil wells. After finding out that he was not going to be offered full-time employment he reprogrammed the system to provide faulty data. There are few details in the article about how the damage was done, but at least one quote indicates that the ‘reprogramming’ was done after the defendant left the company. This indicates that either his access was not terminated or that he had programmed an ‘alternative method of access’, or back door, to the system. In either case he had unauthorized access to the system. This article points out two different potential security problems that are becoming increasingly familiar to high-risk chemical facilities; computer consultants and laid-off employees. In this particular case the incident included both problems. Computer Consultants More and more companies, inside and outside of the chemical industry, are increasingly using outsiders, contractors and consultants, for ‘non-core competencies’. The installation, implementation and maintenance of a wide variety of computer systems, including process control systems, is probably the area where this trend is most pronounced. This makes it easier to adjust headcount for the ebb and flow of personnel requirements as new systems are brought on-line. All companies, but high-risk chemical facilities in particular, need to take particular care to do detailed background checks of all personnel with access to their computer systems. With the increased complexity of all computer systems, it is unlikely that only the personnel that you see on site will be working on your system. Contracts with consultants and contractors should make clear the security responsibilities of all parties, including sub-contractors. Special efforts need to be made to ensure that all access to company computer systems are removed when a contractor or consultants services are terminated. For all high-risk control systems, and certainly for stand-alone safety systems, off-site access to these systems should require special review, justification and control. Terminated Employees Computer access levels for all employees should be periodically reviewed to ensure that they only have access to systems and data necessary for performance of their jobs. A listing of the systems to which they have access should be part of their personnel files. This way a formal process for removing access to these systems can be made part of the termination, voluntary or involuntary, process. Not only should there be a system to terminate access, but there should be an independent system to verify termination to sensitive systems. Termination verification should probably be done by security staff rather than IT or Personnel. Changing Environment The current economic situation is just the latest in a long series of changes in the business environment that is changing the personnel environment at most facilities. High-risk chemical facilities have an especially important job to ensure that these changes are properly reflected in their security plans.

TSA Information Collection Request 03-20-09

Last Friday the Transportation Security Administration posted an information collection request (ICR) in the Federal Register. This is part of the process to get OMB approval to collect information from the public. In this instance the purpose is to get feedback from personnel that complete a voluntary security-related training course to the Hazardous Materials (Hazmat) motor carrier and shipper industry. This ICR was originally submitted back in November. Public comment by email is requested before April 20th. According to the ICR registered hazmat carriers and shippers will have three options to complete the training; instructor lead classes at sites around the country, DVD courses to be used at employer sites, or on-line courses. Further information on the classes will be made available by the TSA. This sounds like the motor carrier training that I have described in an earlier blog.

Long Term Rail Routing Solutions

I have frequently maintained that the long term solution to the hazmat rail routing problem is not the use of a patchwork of inter-tie agreements to move individual hazmat railcars around large cities and high-threat urban areas (HTUAs), but a routing of all through freight-rail corridors around such areas. According to an article on Fredricsburg.com last week, it looks like such an approach is being proposed for the area around Washington, D.C. The nation’s capital has long been the poster city for re-routing efforts. The fact that freight rail lines carrying PIH chemicals like chlorine and anhydrous ammonia routinely pass within blocks of the Capitol Building presents a particularly rich potential terrorist target. This is one of the reasons that the city government has tried to be pro-active in requiring the re-routing of such shipments. In many instances there are Class 2 and Class 3 rail lines that would allow for re-routing of hazmat rail cars around the large cities and HTUAs. Unfortunately this causes potential problems of scheduling. With the Class 1 railroad transiting through the urban area, it would only drop off its hazmat cars for the bypass route. Those cars would wait until a smaller railroad formed up a train for movement around the urban area. They would then wait on the other end for the next Class 1 railroad scheduled freight train. Not only do the Class 1 railroads object to sharing their revenue with the smaller railroads, but the re-routing also causes potential delivery delays beyond the control of the Class 1 lines. Security issues with these transfers cause additional problems. With the new railroad freight security rules going into full effect next week, there will have to be a physical, person-to-person hand-off of the PIH and other selected hazmat cars. This will pose manning issues for many of the Class 3 rail lines. Storage of those hazmat cars awaiting train formation is not yet covered by regulations, but railroads have agreed to try to minimize the idle time for PIH railcars. If the long-run, through rail lines went around these urban areas instead of thru them there would be no reason for the Class 1 lines to carry these high-risk rail cars through urban areas. The only requirements would be for rail cars to be delivered to customers in the cities or HTUAs. This would be a significant reduction in hazmat volume. This would be the long term solution to the hazmat problem. It would take time to plan for and acquire the land necessary for running the tracks around these urban areas. The railroads would be hard pressed to be able to afford these projects. It will take some sort of public-private partnership with much public money. Fortunately, we are at a point where there are a number of issues that could be aided by establishing these out-of-urban-area routes. The rationalization of rail mass transit lines would be aided by freeing up these urban rail routes. These extra-urban rail rights of way would allow for the expansion of mass transit rail service to new areas. Many of the large freight yards in urban areas would no longer be needed, freeing up valuable land for revitalizing city centers. This would also ease some of the heavy truck traffic that served those freight yards.

Friday, March 20, 2009

ChemITC Survey

In a recent SmartBrief© email I was notified of a survey being conducted by the Chemical Information Technology Center (ChemITC) people at the American Chemistry Council. According to the Smart Brief article they are looking for “industrial-automation and control-system security experts from all ACC member companies to participate in a technical survey regarding the use of intrusion detection and intrusion prevention technologies within chemical process industries.” I contacted Bridgette Bourge, the ChemITC manager, and she confirmed that the survey was underway. She noted that this was a survey of ChemITC membership. According to Roger Sharpe, Director ChemITC Survey & Benchmark Program, the survey is intended “to obtain information to help companies evaluate potential technological approaches and items for consideration within their own companies”. ChemITC expects to have the survey forms returned by April 1st. Survey results will be shared with all participants. This is part of the ongoing program at ChemITC to improve computer and control system security practices in the chemical industry. ChemITC members who have not yet signed up for the survey should contact the Cyber Security Program for more information.

House Appropriations Looks at Rail Security Grants

A week ago Thursday, the Homeland Security Subcommittee of the House Appropriations Committee held a hearing to look at the security of transit and freight railroad operations. As befits an appropriation committee they were really looking at how efficiently TSA and FEMA were dispersing grant monies. Time Delay Note: A week ago Thursday, give me a break! What took so long? Well the Appropriations Committee Staff takes that long to get copies of prepared testimony up on their web site. This is the largest committee in the House and routinely holds five or more sub-committee hearings each day. Oh yes, and the rarely web cast their hearings. So, for those of us that live away from Washington, this is as good as it gets. Transit Systems Most of the testimony dealt with grant support for transit systems. In fact, two of the four witnesses were from major metropolitan transportation authorities. This has been the main focus of rail security since the Madrid and London bombings. It certainly makes sense. Al Qaeda and its affiliates have demonstrated their ability to attack these types of systems, so protecting US systems from similar attacks is a high priority. Freight Rail System The only witness to specifically address freight rail security was John Sammon Assistant Administrator, TSA. First he addressed the primary focus to date of the TSA freight rail program:
“The principle element of TSA’s Rail security strategy is to reduce the risk of Toxic Inhalation Hazard (TIH) chemicals in high threat urban areas. TSA works in close cooperation with the Rail industry to measure risk as a function of unattended standing TIH rail car time in high-threat urban areas. We track every TIH rail car using the Rail industry’s Automatic Car Identification readers. These readers are accurate for mainline movements, but are less accurate in complex urban areas. The Rail grant program prioritizes awards to compensate TIH tank car owners and lessors for installing Global Positioning Satellite (GPS) devices on their tank cars. The GPS devices will ensure awareness of the location of the highest risk shipments and enable appropriate security response as such shipments move into or through high consequence urban areas.”
Next he noted the priority that TSA has placed on security awareness training for frontline rail personnel in both the transit and freight side of the business. He noted that while the formal rule making process was underway to meet the 9/11 Commission Act training requirements, TSA was using grant funding to encourage and support railroad initiated programs in this area. Finally, he noted that TSA was continuing to work with railroads in conducting vulnerability assessments of high risk lines. To aid this and other enforcement actions TSA has added an additional 50 Surface Transportation Security Inspectors. Interestingly he made no mention of the recently implemented freight rail security rules (which go fully into effect on April 1st, less than two weeks from now). Freight Rail Security Low Priority From the testimony presented at this hearing it sure looks like the transit security effort remains far and away the highest priority for TSA. Very little money and effort is being expended on protecting high-risk freight rail targets from terrorist attack.

Thursday, March 19, 2009

Reader Comment 03-19-09 – CSB vs Bayer

Poppy left a comment on my blog from Monday about the CSB vs Bayer controversy. The comment provides links to a couple of articles/editorials on C&E News, a publication of the American Chemical Society about the secrecy-disclosure issue. I would add to that a link to the blog from the editor of the West Virginia Gazette. I was concerned that none of these mentioned the CSB press release from last Friday that announced that the public meeting was going forward. I just went back and confirmed that that press release was still on the CSB web site, so presumably the public meeting is still on. I still have not heard or seen anything that would indicate that there will be any restrictions on what the CSB will discuss about the results of their inspection. While I can understand the Bayer would not want any security details about their facility discussed in a public forum, I do not think that that is their real issue in this case. If it were they could have quietly contacted the Captain of the Port who could have had a quiet talk with the CSB. CSB could have gone forward with their original public meeting while practicing a little discretion about the discussion of security issues. But, looking at the CSB reports from previous incidents I see no indication that they would have had anything to say about security issues. Wait, let me modify that; unless they thought the security issue contributed to the accident. This has not been an issue to date, but it could conceivably be in this or some future case. But there is another way that the CSB could compromise security. Process Safety is Part of Security Process safety and facility security are curiously intertwined. A process that is not adequately protected from a safety stand point cannot be adequately defended from a terrorist attack. If the process controls (physical, electronic and human factors) are not designed to protect against all known and suspected catastrophic process upsets, the process becomes that much more susceptible to a successful terrorist attack. If, for example, there are not multiple redundant systems to protect against a known runaway reaction condition, a terrorist would only have to interrupt only a single control system feed to cause a catastrophic chemical reaction. Now if this is the type security issue that Bayer is trying to avoid having discussed, too bad. It is not something that has been addressed by either MTSA or CFATS. Neither Congress nor DHS is chemically savvy enough to have realized that process safety is part and parcel an integral component of facility security; which is a shame in many ways. I think the people from DHS would be much more aggressive at enforcing process safety rules than either EPA or OSHA has been to date. CSB will Investigate and Report CSB will continue to do what they do best. Investigate chemical related accidents and get to the root cause of the incident. And from their search they will distill the lessons that the chemical community needs to learn to move forward to a safer and more secure future. Bayer needs to do what so many other companies have done before them in this situation; suck it up, say the ‘mea culpa’, and fix the identified problems. If they can’t or won’t do that, security is the least of their problems.

Reader Comment – 03-18-09 – CFATS Inspectors

Yesterday Luke Von Cfats posted a comment to the blog on the Chemical Security Academy. He pointed out there would be additional training requirements that would have to be added to support IST if required by Congress. He also provides some figures for the number of inspectors currently on hand and to be added this year. I have not been able to independently confirm these numbers, but they sound about right. 2008 (current) 45 Area Commanders/Inspectors and 50 HQ 2009 (total) 149 Area Commanders/Inspectors/Field Support and 74 HQ Luke: What does the ‘FTE’ mean?

HS Committee Hearing on Bottom-Up Intelligence

What was billed as a hearing on DHS intelligence efforts (“Homeland Security Intelligence: Its Relevance and Limitations”) turned out to be more about local police forces and their place in the counter-terrorism intelligence picture. While only one question was addressed to civilian and private sector input into the process, many of the issues discussed in this forum were of some importance to intelligence activities supporting high-risk chemical facility security. Suspicious Activity Report One of the major focuses of the discussions at this hearing was the Suspicious Activity Report (SAR) intelligence collection tool developed by the Los Angeles Police Department. Joan McNamara from the LAPD described the program she helped develop for the Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment. She described how the program worked and the civil liberties safeguards that were built into the program. The program relies on the observations and reports from patrol officers to help detect the indicators of potential terror attacks or other criminal actions. Officers are trained to look for signs of potential surveillance activities as well as other indicators of preparations for a terrorist attack. These observations are intended to be part of their every day patrol activities not actual counter-terrorism investigations. The SAR is reported on a standard form using pre-set codes to indicate the observed behavior or indicator along with the officer’s notes about the details of the observation. Once the report is reviewed and approved by a supervisor it is entered into an electronic data base that allows for analysis. One of the analysis tools available is the integration of the reports with a GIS that allows for a map display of the different types of activity. If there is a physical concentration of reports around a potential target area, additional investigation efforts are initiated. Civil Liberties Protections The biggest concern with the SAR program is the fact that most of the SAR reports turn out to have nothing to do with terrorism or other criminal activities. What might be a potential indicator of terrorist surveillance activities usually turns out to be innocent or even protected activities. Terrorist are certainly likely to photograph a targeted high-risk chemical facility as part of their planning process, but so are environmental activists gathering evidence of illegal chemical discharges. Gregory T. Nojeim, the Director of the Project on Freedom, Security & Technology of the Center for Democracy & Technology recommended that SARs be limited by the ‘criminal predicate’ standard. This means that unless there was evidence of actual criminal activity, the SAR would not be entered into the intelligence database. This would prevent the legitimate tourist taking pictures of a critical bridge from showing up in the database. The civil liberties advocates in the second panel were not so much concerned with an innocent’s appearance in the database, but with potential actions that could be taken against people found in the database. They noted a number of notorious examples of the abuse of police investigative powers directed against people practicing their protected freedom of speech and association. One of the main problems in this debate is that frequently there is not a clear distinction between protected freedom of speech and ‘terrorist’ activity. There is a continuum of political expression that runs from freedom of speech, thru lawful dissent and civil disobedience to terrorism. Where an action falls within that spectrum is frequently a matter of perspective. Finding the Balance As many post 9/11 reports noted, proper and efficient collection and analysis of information that, in retrospect, was readily available might have allowed authorities to intercept the hijackers before they boarded the planes that were turned into weapons. The SAR process has the potential of collecting the dots necessary to prevent the next major terrorist attack. The difficulty will be in developing a process for collecting and analyzing the necessary data without compromising the legitimate expectation of privacy of the vast number of innocents identified in the collection process. The protection of political expression is every bit as important at preventing terrorist attacks. I wish Chairwoman Harmon and her colleagues the best of luck in crafting rules that will successfully address both issues.

Reader Comments: 03-17-09 – Web Page Update

Liz left two quick posts to the St Patrick’s Day post about the changes to the CSAT Web Page. She echoed my praise for the people that run the site. I hope that someone in DHS management is passing these comments on to the web team. While I hope that they are readers, it is more important that someone in management tells them that they are doing a good job. Uncle Sugar does not pay enough money to their ‘lackeys’ so they have to make do with the currency of praise. Actually, there was a small glitch with a dead link on the new CSAT page. I was writing a real short note about it yesterday morning when they corrected the problem before my very eyes. Now anyone can make a mistake, especially when you are typing code or URLs. A professional fixes those mistakes as soon as they are found. Again, good job.

Chlorine Institute Response to UP Petition

Last week I reported on the initiation of declaratory order proceedings by the Surface Transportation Board. Those proceedings were initiated in response to a petition by the Union Pacific Railroad (UP). On Thursday the Chlorine Institute (CI) filed a response to the original petition by UP. In their response CI claims that the UP petition is based on “incomplete facts, as well as facts that are untrue and that the UP should know to be untrue”. CI claims that the petition is actually “a request for an exemption to the UP's common carrier obligations”. Claims and Counter-Claims The original petition by UP was a request for approval to not provide a rate quote on a series of shipment of chlorine gas from a redacted shipper in Utah to customers in Louisiana and Texas. The petition claimed that there were adequate chlorine resources within 300 miles of each of the customers and that the UP route to serve these shipments would have required the chlorine to transit four high-threat urban areas (HTUAs) while the closer alternative sources would not have required transit of any additional HTUAs. The CI counter claims that “there simply is not enough chlorine produced in the Gulf Region to meet demand. Some portion of Northeastern, Western and even Canadian production needs to be utilized to fulfill Gulf Coast demand”. Further, they note that UP is cognizant of this fact since “UP delivers 250,000 tons of chlorine per year to one of these destinations in a move that covers more than 800 miles”. Common Carrier Obligations The railroad industry for the last couple of years has been trying to avoid having to carry poisonous inhalation hazard (PIH) chemicals. They have openly expressed their concerns about their potential liability exposure in the event of an accident or terrorist attack that resulted in the catastrophic release of a PIH chemical in an HTUA or other large urban area. Unfortunately, they have a ‘common carrier obligation’ to carry any properly offered shipment. Since railroads are effectively monopolies in most of the area that they serve they are regulated by the Federal government. The Surface Transportation Board is the government agency that is responsible for overseeing the railroad rate setting process and serves as a resolution agency for disputes between carriers and shippers. Based on the claims and counter-claims to date it appears that what the UP has been attempting to do is to establish an acceptable reason to avoid their common carrier obligation with respect to PIH chemicals. Apparently they are attempting to establish that a combination of alternative supply and safety-security concerns are adequate reasons not to establish a new PIH service. Establishing this precedent would allow the railroads to use these and similar arguments to avoid carrying PIH chemicals on other routes. The STB has asked the Federal Railroad Administration (FRA) and the Transportation Safety Administration (TSA) to weigh in on the safety and security arguments presented by UP. It will be interesting to see how the new Administration deals with this issue.

Wednesday, March 18, 2009

Lieberman Weighs in on CFATS Spending

Last week Sen. Lieberman (I, CT), the Chairman of the Senate Homeland Security Committee, sent a letter to the Chairman and Ranking Member of the Senate Budget Committee outlining his thoughts on the Department of Homeland Security budget. It is a rather lengthy letter, as one would imagine given the breadth of DHS operations. There is one paragraph in that letter that refers to Chemical Site Security and I will reproduce it here in its entirety:
“I am pleased that the Department continues to move ahead with the critical chemical Facility Anti-terrorism Standards or CFATS program. This is a critical and long overdue effort to enhance security at facilities, some in or near densely populated areas, that make or use hazardous chemicals and could prove inviting targets for terrorists. As Congress examines how best to reauthorize this program, it is essential that it receive adequate funding to continue the work of soliciting and reviewing facility security plans and beginning site inspections. Last year, DHS saw a significant funding increase for the CFATS program to $73 million, and we need to maintain and expand those resources in the coming fiscal year.”
This comment is important because Congress keeps programs and funding in separate categories. The legislation for re-authorizing CFATS will be separate from the bill authorizing DHS to spend money on CFATS. Lieberman will have a significant role in the Senate in the re-authorization process, but will have less direct control over the budgeting process. The fact that he is asking for a generic increase in the spending for CFATS may indicate that he thinks that the reauthorization will not greatly expand the program. Finally, there are some people that believe that simply continuing the funding for CFATS will be the easiest way for Congress to deal with the reauthorization issue. The $73M+ is a relatively small amount of money in the overall DHS budget and it would probably draw little attention in the overall debate on that budget. An actual reauthorization bill, with the almost certain inclusion of some sort of IST language, may be too controversial to get through a closely divided Senate.

Chemical Security Academy

A little over a month ago one of my readers asked me if I had heard of the Chemical Security Academy. He had heard that this was the training program that all of the CFATS inspectors had to go through. I had only heard of the name (and I cannot even recall the context). I started checking around and yesterday got a nice email from Sue Armstrong at the Infrastructure Security Compliance Division at DHS. She provided a very nice outline of the program. Trained and Certified Inspectors According to Ms Armstrong the purpose of the training is to produce “a trained and certified cadre of Inspectors who are conversant in CFATS and their authorities, familiar with the chemical industry, processes, and safety issues while onsite, and who are ready to assist industry in complying with CFATS, including support for Site Security Plan (SSP) development.” Inspectors fitting this description should be a welcome addition to the DHS family and should be well equipped to fulfill their rolls at high-risk chemical facilities. Since there is really no pool of qualified chemical facility security personnel for DHS to pull from, they have had to hire people with a wide variety of backgrounds. They have pulled a variety of people with security backgrounds from DHS (ICE, FSPS, TSA, Secret Service) and other agencies. They have also added to this mix a variety of personnel with experience in and around high-risk chemical facilities, including chemical manufacturing, emergency responders, hazmat responders, and agriculture. This mix of backgrounds, combined with the extensive training program should provide a well rounded inspection force. Training Program Ms Armstrong describes a rather extensive training program for these inspectors. It starts by bringing all prospective inspectors up to speed on general physical security procedures. This is done by sending them to the Federal Law Enforcement Training Center (FLETC) to attend the Federal Protective Service’s Physical Security Academy. Here they should learn the basics of physical security; how to use video surveillance and detection devices, the use of barriers and fences to control access, the role of security personnel, and the coordination with first responders and emergency response personnel. Once they have completed this basic background development they begin to learn about chemical facilities and their security. In twelve weeks of classroom, hands-on, and on-site training they gain familiarity with, among other things:
CFATS Physical Security – Basic Physical Security – CFATS Specific Other Federal Regulatory Programs - Familiarization HAZMAT Certification HAZMAT Research and Emergency Services Familiarization Chemical Facility and Chemical Operations Familiarization Safety and Personal Protective Equipment
Moving Forward While everyone will have ideas for additional training and information that might make these inspectors more professional there is only a finite amount of time available. Further, the first official inspections have not yet happened so no one really has a good handle on how this process is going to work on the ground. As the inspections begin the inspectors will gain experience at working at the wide variety of facilities that have been declared to be high-risk chemical facilities. The lessons learned from these inspections, not just the results, need to be analyzed. That analysis will need to be fed back into the training development process to keep this inspection force well trained and effective.

Tuesday, March 17, 2009

CSAT Web Page Update – 03-16-09

Sometime yesterday DHS completed a major change to the layout of their CSAT web page. The new page is cleaner and easier to find links to documents. What used to be a single page is now a number of separate pages for each of the major CSAT tools. Each page is easily viewable on a single screen, reducing the need for scrolling to get to needed information. The one thing that I particularly like is the listing of all of the CSAT related documents in a single block on the right hand side of the main page. This will make it very easy to user’s to find the document that they are looking for. The only improvement that I could suggest would be to include version numbers or publication dates to make it easy to see when a document changes. As I have mentioned on a couple of occasions, I think that the team that keeps the DHS chemical security web pages up-to-date has done an excellent job. If there is somebody in the federal government that keeps track of work done on web sites, they should certainly use these pages as an example of how to prepare a successful and helpful web site. I just wish that the folks over at TSA and PHMSA(DOT) would learn from this example.

Napolitano Wants Private Sector Involved in Fusion Centers

Last week Secretary Napolitano addressed the Fusion Center Conference in Kansas City, MO. She re-affirmed the importance of the Fusion Centers as information collection, analysis, and sharing organizations. She also told the conferees that these centers should develop the capability for lateral sharing of information amongst the Fusion Centers as well as sharing with elements of the Federal Government. Finally she noted that Fusion Centers needed to have increased private sector involvement. Private Sector Information Flow While Secretary Napolitano mentioned that Fusion Centers should be processing more than just terrorist information, the primary focus of these centers is counter-terrorism. Since many of the potential terrorist targets are privately owned, it seems obvious that the private sector needs to be included in the information sharing aspects of Fusion Centers. Information needs to flow from these centers to facility security managers about changes in the local terrorist threat status. Increased chatter indicating terrorist interest in a state, region or city should result in increased vigilance and counter-surveillance activities at high-risk facilities. That can only happen when the information gets down to the facility level. Likewise, information needs to flow from facility level to the fusion centers. High-risk facilities need to have a direction information submission channel to the local Fusion center. Reports of suspicious activity, apparent surveillance activities, or testing of security measures are all indications of potential future activities. Fusion centers have the capability to draw these reports together and put them together with information from other sources. Private Sector Analysis One of the main objectives of intelligence analysis is to ‘connect the dots’ between disparate pieces of information. For example, the theft of a single drum of a non-hazardous chemical means little. Combine that with the chemical process knowledge that this chemical is a potent polymerization initiator and you have a possible indicator of a sabotage attack on a chemical facility. Further combine that with the disappearance of an empty tank truck from a company known to ship monomers and you have the potential means to execute an attack and the information necessary to identify potential targets. This type technical information is not normally available to law enforcement personnel. The background to evaluate this type information is not included in the development of most intelligence analysts. This is where the private sector can help in the data analysis function. Unfortunately, there is currently no mechanism for getting the information to technically qualified analysts. And this is true for other sectors than just the chemical sector. Each of the 18 critical infrastructure/key resource (CIKR) sectors in the National Infrastructure Protection Plan has a different set of specialized knowledge that would have to be tapped to adequately protect high-risk facilities in that sector. To make matters worse, each of those sectors has a wide variety of specialties with its own knowledge set. It would be nearly impossible to staff each of the fifty odd Fusion Centers with a sufficiently large set of sector analysts to make a significant difference. Sector Fusion Centers Each of the CIKR has its own Sector Coordinating Council (SCC). For example the Chemical Sector Coordinating Council is made up of representatives of eighteen chemical trade associations. The Chemical SCC works with DHS and other Federal Agencies to ensure that the industry security efforts are coordinated with Federal NIPP efforts. Each SCC could form its own Fusion Center. Each center would provide data analysis unique to its sector, supporting State and regional Fusion Centers. It would also provide a unique base for industry specific data analysis supporting conventional intelligence organizations. It would also allow for communication of intelligence information to high-risk facilities within the Sector. The ‘analysts’ would be drawn from companies within the sector. Mid-level managers that have been identified as future security managers would be seconded to the Sector Fusion Center for a period of 12 to 18 months. This would provide them with the training and experience necessary for managing security and intelligence positions within their parent organization. It would also provide them with personal contacts in the intelligence side of the Federal government as well as personal security contacts across the Sector. Congress has a unique chance to establish a sector specific Fusion Center during the re-authorization of CFATS. The Chemical Sector Fusion Center could be authorized in that legislation. It would serve as a test bed for establishing similar fusion centers in each of the 18 CIKR sectors.

Monday, March 16, 2009

Another CCTV Information Source

Since video security systems are certainly going to be a major component of an site security plan I try to keep an eye on developments in that field. Readers know that I have frequently mentioned John Honovich’s web site. Another source of valuable information has been Doktor Jon out of the UK. He has offered his informative comments on a number of issues on this blog. Recently he has published his first newsletter and was kind enough to send me a copy. It is a little different set of information than provided by John, but I think it will be a valuable resource for security managers looking to install and manage security cameras. Jon is making this newsletter available on-line. And he has promised to keep his eye out for issues specific to chemical facilities.

HS Committee Schedule – Week of 3-16-09

The House Homeland Security Committee has a full slate of hearings this week. There are four subcommittee meetings scheduled covering a wide range of subjects; from FEMA preparedness to human trafficking. Only one looks to be of potential interest to the chemical security community; a hearing on DHS intelligence on Wednesday at 10am EDT to be conducted by the Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment. According to the Committee web site the hearing will “examine what homeland security intelligence is; the Department's role in developing it as a new intelligence discipline; and how the Department and others can provide State, local and tribal authorities with national situational awareness of threats while building privacy and civil liberties protections into the process”. I would be happier if the “and others” were more explicitly listed as ‘private sector partners’; the usual term that is applied to the privately held components of the critical infrastructure/key resources (CIKR) portion of the National Infrastructure Protection Plan. I have yet to see any specific plan for sharing intelligence or ‘national situational awareness of threats’ with high-risk chemical facilities. I doubt that the Subcommittee will address this issue as none of the witnesses has a background in industrial security nor will there be anyone present from DHS to answer a whole list of questions that I would like to hear asked. It will, however, be interesting to hear from the wide variety of law enforcement types about how they view the current information sharing situation with DHS intelligence types.

Top Five Cyber Targets

According to an article on SCMagazineUs.com chemical facilities are in three of the top five industrial sectors susceptible to web-based malware attacks. According to the March 12th article:
“Based on an analysis of 200 billion web requests processed by the security company [ScanSafe] on behalf of its worldwide customer base, the top five verticals most susceptible to web malware infection were energy and oil, pharmaceutical and chemical, engineering and construction, transportation and shipping and travel and entertainment” (emphasis added).
Currently the target appears to be the vast amounts of intellectual property stored on these systems; information that apparently is being sold to competitors. Unfortunately there is no reason that these criminals will limit their sales to competitors. How much would terrorist organizations pay for access to information about security systems or routings of high-risk chemical shipments? Why Not Sell Access The article only deals with intellectual property theft, but there is no reason that the elements behind these data thefts will necessarily continue to limit their criminal activities to just theft. Process control systems that are electronically linked to facility business systems will inevitably become lucrative targets. Last year the FBI reported that there had been Eastern European electrical power system controls that had been hacked to hold the systems for ransom. As malware authors expand their repertoire there is little reason to believe that high-risk chemical facilities will be spared the threat of having control of their production systems seized for ransom demands. Once that capability has been demonstrated, it opens up the possibility of the malware authors selling access to control systems. An easy way to reduce competitive pressures in tight economic markets would be to access a control system and induce expensive process upsets or equipment shutdowns in a competitors manufacturing system. Even engineering a few noticeable environmental releases could increase a competitor’s manufacturing and regulatory costs. Of even more concern would be the selling of control system access to terrorists. Even if stand-alone safety systems were to prevent a catastrophic process upset, a serious process disruption could provide the level of facility confusion necessary to allow for a successful terrorist attack on the facility. Comprehensive Cyber Security It is becoming increasingly obvious that all organizations are going to have to take a hard look at their cyber security measures. High-risk chemical facilities are going to have to protect both their business and control computer systems from cyber attack.

CSB to Hold Bayer CropScience Public Meeting

On Friday the Chemical Safety Board announced that they would hold a public meeting in Institute, WV to discus the August 2008 fatal accident at the Bayer CropScience facility. The meeting will be held on April 23, 2009 at West Virginia State University. According to the press release: “Pre-registration is not required, but to assure adequate seating attendees are encouraged to pre-register by emailing their names and affiliations to bayer@csb.gov by April 10. There is no mention in the current press release about the previous Bayer warning that the information to be covered in the meeting was protected from public release under provisions of the Maritime Transportation Security Act (MTSA). The meeting that was originally scheduled for March 19th, was canceled to allow the CSB to investigate the Bayer claim. I have not seen any public comment about the discussions between CSB and the Coast Guard, the agency that administers the MTSA. There have certainly been discussions, but no one is discussing what limitations (if any) the Coast Guard feels the MTSA information security requirements places on the public discussion of the CSB investigation of the incident. There is always the possibility that Bayer might try to get an injunction to stop the public meeting based on their earlier claim of information protection under the MTSA. Courts are usually reluctant to get involved in pre-emptive disclosure arguments. Alternatively, Bayer might appeal to Secretary Napolitano as the person ultimately responsible for actions taken under MTSA. Action would probably be unlikely if the Coast Guard and the CSB have come to an agreement on disclosure limits. That agreement would probably already have been vetted to the Secretary’s office. It will be interesting to see what questions, if any, the CSB refuses to answer at their meeting. Unless there are questions specifically about the security arrangements at the facility, I would not expect there to be any problems. Security arrangement questions would probably not have been answered by the CSB in any case. I do expect that there will be a Coast Guard representative present at the meeting, probably even the local Captain of the Port, the person responsible for port facility security under MTSA.
 
/* Use this with templates/template-twocol.html */