Tuesday, March 31, 2009
Monday, March 30, 2009
“Allow decisions about disinfectant choices to be made locally. “Prohibit the federal government from ordering the shut-down of water facilities. “Apply only to drinking water systems if they have chemicals of concern above certain threshold quantities.”HR 5577 and Water Facilities Last year’s attempt at reauthorizing CFATS, HR 5577, clearly addressed the water treatment facility exemption. It would have removed that exemption and brought water treatment and waste water treatment facilities under the CFATS regulations. They could only have become ‘covered facilities’ if they had one or more DHS chemicals of interest (COI; typically chlorine, anhydrous ammonia and/or sulfur dioxide for this type facility) on-site above the screening threshold quantity (STQ) listed in Appendix A to 6 CFR part 27. Chairman Thompson’s proposal specifically addressed water facilities when it authorized the Secretary to shut down non-complying facilities. In §2105(b)(4) the legislation established a higher standard for that sanction for water facilities:
“Notwithstanding the preceding sentence, the Secretary may not issue an order to cease operations under this paragraph to the owner or operator of a drinking water or wastewater facility unless the Secretary determines that continued operation of the facility represents a clear and present danger to homeland security.”There were no provisions in HR 5577 that would have exempted water facilities from the IST provisions of the legislation. In fact, there are many that feel that a large number of the facilities that the IST provisions were designed to affect would have been water treatment facilities using chlorine gas to disinfect the water. This is reflected in the large number of water treatment facilities that are listed in the Center for American Progress publication, Chemical Security 101. AWWA and CFATS Reauthorization It is almost a certainty that the legislation being developed by the House Homeland Security Committee will remove the water facility exemption from the §550 authorization. Where the AWWA will fall on the issue of CFATS authorization legislation then will be determined by the wording of the IST provisions. The AWWA had promised to come up with a model method for analyzing for technical and financial feasibility of replacing chlorine gas at water and waste water treatment facilities. If they can convince the Committee that the method provides a ‘legitimate analysis’ (technically and politically) they have a chance of getting IST wording that they can live with. Having the analysis peer reviewed would go a long way to convincing the Committee of the legitimacy of the analytical method.
Friday, March 27, 2009
Docket Management Facility (M-30) U.S. Department of Transportation West Building Ground Floor, Room W12-140 1200 New Jersey Avenue, SE. Washington, DC 20590-0001I’ll have more information on this ANPRM in future blogs.
“Just for fun, you might good-naturedly with a virtual wink ask Henry if anyone worries that hackers might someday intrude upon the major shippers' use of sophisticated computer hazmat re-routing programs to avoid major target cities (by truck and rail), with the result that some TIH cargoes begin again going through all the 46 major US target cities until the local officials catch on to the enormous catastrophic risk?”Computer controls are becoming a larger part of everything. Computers keep track of every bit of information in the modern chemical facility from product development, personnel, inventory, scheduling through packaging and shipping. On the process side the computers open valves, control weighment, heating, and cooling. Now we are starting to make computers a major part of security systems. IT Security people have been battling hackers, viruses, worms and Trojans in their information systems for quite some time. Control system engineers are just now starting to deal with similar problems. The question is are the security system people going to be proactive about security of their systems or will they wait until they are attacked? My bet is on the latter.
Thursday, March 26, 2009
Janet Napolitano, Secretary, DHS General James Snyder, Acting Assistant Secretary of IP, DHS Clyde Miller, BASF Corporation and Chairman of Chemical SCCCurrently scheduled instruction sessions include:
Currently scheduled workshop sessions include:
Threats to the Homeland and the Chemical Sector Identifying and Defeating Weapons of Mass Destruction Overview — Chemical Facility Anti-Terrorism Standards Chemical Vulnerability Information Update Congressional Perspective State and Local Issues Multi-Agency Harmonization on Chemical and HazMat Security Regulations Developing a Security Exercise Guidance to Achieve Successful Site Security Plan Development and Inspections
Pipeline Security Freight Rail Transportation Risk — Security Issues Ammonium Nitrate Regulations Implementation of Federal Freight Rail Security Rules Theft & Diversion: Prevention and Compliance Maritime Transportation Security Act – TWIC Surveillance DetectionCurrently scheduled on-going demonstrations include:
Voluntary Chemical Assessment Tool and TRIPwire Site Security PlansRegistration The registration for the summit is free of charge, not so unfortunately for the hotel (Baltimore Marriott Waterfront). The registration web page provides an email address to which the registration information will be sent. Confirmation will be by return email. There is something new this year; there is a Privacy Act Statement on the registration page. It provides for a method of opting into the summit directory where attendees names and company names will be reported. There is one other new thing on the registration front. Last year it was strictly first come first serve. This year they are limiting initial registration to two people per company or organization. Companies can provide a prioritized list of people to attend; the first two will be given registrations and the remainder will be placed on a waiting list. There is no information provided about when they will start pulling from the waiting list. Presumably the waiting list will be pulled first come first served, so still get registration lists in early.
Wednesday, March 25, 2009
“The issues the petition raises are complex and require a review of how they relate to TSA regulations and policies. It will be difficult to complete TSA's analysis and coordinate our comments with other components within the Department of Homeland Security, and submit the comments to the Board by March 31, 2009.”The TSA requested that the filing date be extended until April 10th, 2009. While I am not a lawyer, I do not see how complicated the transportation security issues are in this case. Union Pacific claims that they have been asked to reduce the number of PIH shipments through HTUA. That has certainly not been the intent of the only freight rail regulation that TSA has published to date. Either there has been private communications made to UP to that effect or there have not. In either case the STB needs to be told. What I suspect is taking place is that the Obama Administration is taking a hard look at the hazmat rail routing issue. There have certainly been vigorous calls for tougher restrictions on TIH shipments through HTUA among some supporters of the Administration. TSA comments in this case may provide a window to watch how the new administration is planning on proceeding on this issue. Shipper Self-Identified It seemed a little odd to me that in the original public filing UP redacted the name of the shipper that had originally requested the rates for these chlorine shipments; there just are not that many chlorine producers in Utah. Yesterday, US Magnesium filed a reply to the UP petition and identified themselves as the chlorine producer. Their filing includes a request for the STB to compel UP to provide the common carrier rates originally requested by US Magnesium. The identity of the chlorine producer adds another peculiar twist to the issue. US Magnesium produces chlorine as a byproduct of their magnesium production. They harvest (for want of a better word) magnesium chloride from the Great Salt Lake and separate it into its two constituent components. As their magnesium production increases, so does their chlorine production. To make matters more complicated, US Magnesium is the only domestic magnesium producer. According to their filing US Magnesium had requested new chlorine shipment rates for shipping chlorine from their facility in Utah to 35 cities where potential customers existed. They wanted these rates so that they could quote delivered chlorine costs to potential customers in these cities. UP initially provided rates to all but seven of the cities. Subsequent to its filing of the petition to the STB, UP provided tariff rate to three of the seven cities (Dupo, Ill; Festus, MO; and Memphis, TN). Looking at the supporting documents that US Magnesium included in their filing it may be that they inadvertently encouraged UP to file their original petition. In a copy of a January 16th letter to UP (Appendix A) US Magnesium raised the possibility of questioning the fairness of UP rates for chlorine transport. In the next to last paragraph of the letter Howard Kaplan (VP, US Magnesium) writes:
“US Magnesium and UP have reached mutually satisfactory solutions in previous negotiations. We remain open to reasonable solutions and encourage UP to join together with US Magnesium again in developing an acceptable negotiated solution. If such does not occur we see a distinct possibility that US Magnesium will reluctantly decide to seek a rate reasonableness determination from the Surface Transportation Board.”UP may have decided that filing their petition could fulfill a two fold purpose; pre-empt the rate fairness filing and establish the precedent that there are limits to the carriers obligation to provide carriage for TIH chemicals. Note: Yesterday US Magnesium filed a correction to their earlier reply. It was a minor correction to a footnote in their original submission that appears to be of now major consequence. Moving Forward We still have to hear from the Federal Railroad Administration. If, as I suspect, the motivation for the delay request by TSA is the Obama Administration reviewing their stance on the hazmat routing issue, I would be very surprised if we did not see a similar request for delay from the FRA before the week is out. Other chlorine shippers are sure to chime in with their views on the common carrier obligation issue. This morning the STB filings web page showed that Olin was filing a reply to the UP petition, but no document was attached. I expect that that document will be available later today. I also expect supporters of more aggressive route restrictions to provide supporting comments for the UP petition. This issue has the potential to be a precedent setting matter. If the STB rules in favor of the UP petition, it will certainly lead to multiple requests from other carriers to avoid the carriage of TIH chemicals through HTUA.
“This COE will conduct fundamental research into the technological issues, challenges, and policy issues related to (1) dynamic, on-demand data processing and visualization; (2) hypothesis-driven data analysis; (3) visualization of structured, unstructured, and streaming data; (4) mathematics of discrete and visual analytics; (5) scalable information filtering and dissemination; (6) visualization and simulation of information; (7) mobile and light-weight information analytics and sharing. This COE will create the scientific basis and enduring technologies needed to analyze massive amounts of information from multiple sources to more reliably detect threats to the security of the nation and its infrastructures, and to the health and welfare of its populace. These new technologies will also improve the dissemination of both information and related technologies.”While not specifically designated to support the chemical security operations at DHS, this COE, with its data analysis and visualization and cyber security focus will probably have more of a direct impact on chemical facility and transportation security functions than the original 14 COE out-lined in Section 308 of the Homeland Security Act of 2002 and its subsequent amendments.
Tuesday, March 24, 2009
Now the implied intention is to intercept the shipments of arms and drug money going back to Mexico to support the drug cartels. This is a measure designed to support the efforts of the Mexican Government to crack down on these cartels. As such, it should certainly be supported. But, there is no mention of inspections of north bound rail cars, especially TIH rail cars.
As of April 1st of this year, all TIH rail car shipments originating in the United States are physically checked for the presence of IEDs and signs of tampering. All transfers of TIH rail cars must be physically handed off to ensure that a strict chain of custody exists from the time those IED checks are made until the time the rail car is delivered.
A major hole in those requirements exists for TIH rail cars entering the United States. There are no requirements to show that the IED checks were made at shipper’s locations in Mexico or Canada. There are no requirements for IED checks to be made at the US border. In fact, these TIH rail car shipments from areas under the physical control of the drug cartels may not be checked for the presence of IEDs until they reach a rail secure area in one of the high-threat urban areas in the United States.
The 100% screening of rail cars heading south across the Mexican border may certainly be a reasonable attempt to cut down the smuggling of arms and drug money. But, it seems to me that the screening of TIH rail cars coming into the United States from areas controlled by the drug cartels might be a little more important to homeland security.
Monday, March 23, 2009
Friday, March 20, 2009
“The principle element of TSA’s Rail security strategy is to reduce the risk of Toxic Inhalation Hazard (TIH) chemicals in high threat urban areas. TSA works in close cooperation with the Rail industry to measure risk as a function of unattended standing TIH rail car time in high-threat urban areas. We track every TIH rail car using the Rail industry’s Automatic Car Identification readers. These readers are accurate for mainline movements, but are less accurate in complex urban areas. The Rail grant program prioritizes awards to compensate TIH tank car owners and lessors for installing Global Positioning Satellite (GPS) devices on their tank cars. The GPS devices will ensure awareness of the location of the highest risk shipments and enable appropriate security response as such shipments move into or through high consequence urban areas.”Next he noted the priority that TSA has placed on security awareness training for frontline rail personnel in both the transit and freight side of the business. He noted that while the formal rule making process was underway to meet the 9/11 Commission Act training requirements, TSA was using grant funding to encourage and support railroad initiated programs in this area. Finally, he noted that TSA was continuing to work with railroads in conducting vulnerability assessments of high risk lines. To aid this and other enforcement actions TSA has added an additional 50 Surface Transportation Security Inspectors. Interestingly he made no mention of the recently implemented freight rail security rules (which go fully into effect on April 1st, less than two weeks from now). Freight Rail Security Low Priority From the testimony presented at this hearing it sure looks like the transit security effort remains far and away the highest priority for TSA. Very little money and effort is being expended on protecting high-risk freight rail targets from terrorist attack.
Thursday, March 19, 2009
Wednesday, March 18, 2009
“I am pleased that the Department continues to move ahead with the critical chemical Facility Anti-terrorism Standards or CFATS program. This is a critical and long overdue effort to enhance security at facilities, some in or near densely populated areas, that make or use hazardous chemicals and could prove inviting targets for terrorists. As Congress examines how best to reauthorize this program, it is essential that it receive adequate funding to continue the work of soliciting and reviewing facility security plans and beginning site inspections. Last year, DHS saw a significant funding increase for the CFATS program to $73 million, and we need to maintain and expand those resources in the coming fiscal year.”This comment is important because Congress keeps programs and funding in separate categories. The legislation for re-authorizing CFATS will be separate from the bill authorizing DHS to spend money on CFATS. Lieberman will have a significant role in the Senate in the re-authorization process, but will have less direct control over the budgeting process. The fact that he is asking for a generic increase in the spending for CFATS may indicate that he thinks that the reauthorization will not greatly expand the program. Finally, there are some people that believe that simply continuing the funding for CFATS will be the easiest way for Congress to deal with the reauthorization issue. The $73M+ is a relatively small amount of money in the overall DHS budget and it would probably draw little attention in the overall debate on that budget. An actual reauthorization bill, with the almost certain inclusion of some sort of IST language, may be too controversial to get through a closely divided Senate.
Trained and Certified Inspectors
According to Ms Armstrong the purpose of the training is to produce “a trained and certified cadre of Inspectors who are conversant in CFATS and their authorities, familiar with the chemical industry, processes, and safety issues while onsite, and who are ready to assist industry in complying with CFATS, including support for Site Security Plan (SSP) development.”
Inspectors fitting this description should be a welcome addition to the DHS family and should be well equipped to fulfill their rolls at high-risk chemical facilities. Since there is really no pool of qualified chemical facility security personnel for DHS to pull from, they have had to hire people with a wide variety of backgrounds.
They have pulled a variety of people with security backgrounds from DHS (ICE, FSPS, TSA, Secret Service) and other agencies. They have also added to this mix a variety of personnel with experience in and around high-risk chemical facilities, including chemical manufacturing, emergency responders, hazmat responders, and agriculture. This mix of backgrounds, combined with the extensive training program should provide a well rounded inspection force.
Training Program Ms Armstrong describes a rather extensive training program for these inspectors. It starts by bringing all prospective inspectors up to speed on general physical security procedures. This is done by sending them to the Federal Law Enforcement Training Center (FLETC) to attend the Federal Protective Service’s Physical Security Academy. Here they should learn the basics of physical security; how to use video surveillance and detection devices, the use of barriers and fences to control access, the role of security personnel, and the coordination with first responders and emergency response personnel.
Once they have completed this basic background development they begin to learn about chemical facilities and their security. In twelve weeks of classroom, hands-on, and on-site training they gain familiarity with, among other things:
CFATS Physical Security - Basic Physical Security – CFATS Specific Other Federal Regulatory Programs - Familiarization HAZMAT Certification HAZMAT Research and Emergency Services Familiarization Chemical Facility and Chemical Operations Familiarization Safety and Personal Protective EquipmentMoving Forward
While everyone will have ideas for additional training and information that might make these inspectors more professional there is only a finite amount of time available. Further, the first official inspections have not yet happened so no one really has a good handle on how this process is going to work on the ground.
As the inspections begin the inspectors will gain experience at working at the wide variety of facilities that have been declared to be high-risk chemical facilities. The lessons learned from these inspections, not just the results, need to be analyzed. That analysis will need to be fed back into the training development process to keep this inspection force well trained and effective.
Tuesday, March 17, 2009
Monday, March 16, 2009
“Based on an analysis of 200 billion web requests processed by the security company [ScanSafe] on behalf of its worldwide customer base, the top five verticals most susceptible to web malware infection were energy and oil, pharmaceutical and chemical, engineering and construction, transportation and shipping and travel and entertainment” (emphasis added).Currently the target appears to be the vast amounts of intellectual property stored on these systems; information that apparently is being sold to competitors. Unfortunately there is no reason that these criminals will limit their sales to competitors. How much would terrorist organizations pay for access to information about security systems or routings of high-risk chemical shipments? Why Not Sell Access The article only deals with intellectual property theft, but there is no reason that the elements behind these data thefts will necessarily continue to limit their criminal activities to just theft. Process control systems that are electronically linked to facility business systems will inevitably become lucrative targets. Last year the FBI reported that there had been Eastern European electrical power system controls that had been hacked to hold the systems for ransom. As malware authors expand their repertoire there is little reason to believe that high-risk chemical facilities will be spared the threat of having control of their production systems seized for ransom demands. Once that capability has been demonstrated, it opens up the possibility of the malware authors selling access to control systems. An easy way to reduce competitive pressures in tight economic markets would be to access a control system and induce expensive process upsets or equipment shutdowns in a competitors manufacturing system. Even engineering a few noticeable environmental releases could increase a competitor’s manufacturing and regulatory costs. Of even more concern would be the selling of control system access to terrorists. Even if stand-alone safety systems were to prevent a catastrophic process upset, a serious process disruption could provide the level of facility confusion necessary to allow for a successful terrorist attack on the facility. Comprehensive Cyber Security It is becoming increasingly obvious that all organizations are going to have to take a hard look at their cyber security measures. High-risk chemical facilities are going to have to protect both their business and control computer systems from cyber attack.