Cyber Espionage Campaign Hits Energy Companies
4 months ago
“Now, however, Congress is threatening to change horses in midstream. The law authorizing all these risk and security measures in the chemical industry, the 'Chemical Facility Anti-Terrorism Security Act,’ (CFATS) expires in September, 2009. But a new bill in Congress, expected to be a simple extension of the old authority, instead proposes to mandate the government to take a large measure of control over products and processes in the chemical industry, much like it has taken over leadership, compensation and control functions at some banks, insurance and auto companies.”There are lots of details in that paragraph that are wrong; not lies, misinformation, or distortion; just mistakes in information. CFATS is the ‘Chemical Facility Anti-Terrorism Standards’ and has certainly never been an ‘Act’ or law. The current CFATS authorization expires toward the end of October, 2009. Now none of these errors make a hill of beans difference about the politics involved, but they do point to a poor understanding of some of the basic elements of the discussion. In the WichitaLiberty.org article the author quotes a letter from a ‘coalition of industry groups’:
“For example, last year’s 'Chemical Facility Anti-Terrorism Act' could have caused disruptions of new federal security standards and reduced jobs in the short term, and in the long term weakened infrastructure protection and economic stability.”Unfortunately, there are no facts or explanations to back up any of these claims, so they only serve to inflame and polarize the discussion. It is hard to support claims that HR 5577 would have disrupted new federal security standards when the legislation implicitly re-affirmed the existing rules while adding additional requirements. The inherently safer technology (IST) provisions of that rule were fairly narrowly written and could have only affected a very small percentage of the facilities covered under the existing regulations. The facilities over which it would have had the most impact, water treatment facilities, were exempted from the most stringent penalties and were probably never going to be actually covered in any case.
“I wonder what kind of a step forward DHS is taking in "be required to identify criteria and establish a process for approving and maintaining a list of approved private third-party providers of security training"...What I hope they do is take a long hard look at the maritime security training approval process, and avoid making the MTSA mistakes.”I’m not sure what ‘MTSA mistakes’ Anon is talking about, but I have only been casually looking at MTSA regulations for a short time. I certainly haven’t been covering MTSA news in anything more than a cursory manner. If anyone can point me in the direction of these ‘MTSA mistakes’, I would certainly appreciate it so I can look into this for lessons learned before we get to that point for TSA. I am a firm believer that a smart person learns from their own mistakes, a truly wise person learns from the mistakes of others. To be clear though, DHS isn’t looking at this yet; Congress is. If the bill passes and these provisions remain intact, then TSA will eventually have to figure out how to make them work. This will involve the writing of regulations so there will be time for us to publicly comment on previous mistakes in that process. I hope that Anon will remember these concerns when it comes time to write comments on the ANPRM or NPRM.
“SEC. 538. Section 550 of Pub. L. No. 109-295 is amended in subsection (b) by deleting from the last proviso ‘three years after the date of enactment of this Act’ and inserting in lieu thereof ‘October 4, 2010’.”Without any fan-fare or notice the White House is proposing to extend the authorization for the CFATS program almost one year. A Fail-Safe Plan? Now, there is no way of actually telling from this document if this is anything more than a stop-gap measure, put in place to protect against the eventuality of the Congress not being able to pass a re-authorization bill. If that were the case, you would like to think that the President (more likely an advisor) would have explained this to the necessary leaders in Congress so that they would continue to try to work out an appropriate re-authorization bill. This could explain why Congressman Dent’s reauthorization bill (HR 2477) was not referred to the Homeland Security Committee. It would not actually be needed as a stop-gap measure, because the fall back plan was in the budget. From the best that I can tell my contacts in working in the CFATS program at DHS did not know about this provision being in the budget. They might have been told not to talk about this, but they have seem kind of concerned about the future of their program and the lack of public action in Congress on the reauthorization process. Some of them were actually relieved to see HR 2477 introduced; it would only have been a stop gap, but it would keep their jobs going. Or the Real Plan? Back at the end of April I wrote about the change in wording about chemical facility security on the WhiteHouse.gov web site. At about that time there were indications that the two Committee staffs were still having problems working out their jurisdictional issues on the reauthorization bill. Those delays may have made it essentially impossible for the House to hold hearings in the two committees, mark-up and resolve the resulting conflicting issues, and get a bill to the floor of the House in time to get the bill to the Senate before the August recess. This would make it unlikely that a re-authorization bill could be passed before the expiration of the current program. I have a feeling that the Obama Administration has made a series of political calculations and decided that it has more important things on its plate than resolving the many issues involved in revising the CFATS program. A great deal of political capital would have to be expended to get a major revision through the Senate and health care, energy policy, cap-and-trade, and the economy are much higher priority. They can almost certainly wait a year for this fight. Industry would prefer to see a two or three year extension, but will certainly accept a straight one-year, no-modification extension. The question becomes will the coalition calling for IST implementation accept that deal? They have been fighting hard for over two years now and have little to show for their efforts. Many of the organizations will see the energy policy and a cap-and-trade bill as an adequate short term trade.
DHS IG to report on the “feasibility and merit of establishing a Deputy Assistant Secretary for Surface Transportation Security in the Transportation Security Administration” §312(b) of the Thompson Amendment; and Comptroller General to report on “the roles and responsibilities of the Department of Homeland Security and the Department of Transportation with respect to pipeline security” §406(a) of the Thompson Amendment.The one substantive amendment that could affect chemical transportation security is the Castor Amendment. This amendment would add §403(r) to ‘Safe Trucker Act of 2009’ section of the bill to address the issue of redundant background checks required by state and local governments. It would require the Secretary to establish regulations to prohibit “a State or political subdivision thereof from requiring a separate security background check for any purpose for which a transportation security card is issued under this section”. It does provide the Secretary the discretion to waive this requirement if the State or local government can demonstrate “a compelling homeland security reason that a separate security background check is necessary”. Early Consideration of HR 2200 As noted earlier, HRes 474 provides for early consideration of HR 2200. This ‘early consideration’ carries with it some restrictions. There will only be ‘one hour’ of debate allowed on the floor of the House with each of the fourteen amendments getting ’10 minutes’ of that debate. I know, 10x14=140 not 60, but that is how Congress does its math. This limited debate and early consideration comes with a cost to the House leadership, the bill will require 2/3 vote for passage. If it fails on this vote (probably unlikely), it can be brought up again later in the session. At that time the debate would be longer, additional amendments could be offered, and (most importantly) only a simple majority would be required to pass the bill. I’ll be watching next week to see how this bill fairs. I expect that it will pass. The Thompson amendment will probably also pass. I would not be surprised to see the Castor amendment also pass. None of this is really controversial.
“High-risk chemical facilities can use this document both to help them gain a sense of what types and combinations of security measures and processes are likely to satisfy a given RBPS for a facility at their tier level and to help them identify and select processes, measures, and activities that they may choose to implement to secure their facility.”Organization The Guidance document is set-up essentially the same way as was the draft version. It is laid out into 18 chapters corresponding to each of the 18 RPBS. There are a couple of appendixes that provide additional information on specific topics including a more in depth discussion of some of the security measures that might be employed. Included in those discussions in Appendix C are lists of references that facilities can use to learn more about the technical details involved in developing their site security plan. Each RBPS discussion is arranged in much the same manner. There are three common sections; an ‘Introductory Overview’, one covering ‘Security Measures and Considerations’, and the ‘RBPS Metrics’. Many of the sections have a table that explains what attack scenarios from the SVA are addressed by that Standard. What RBPS Apply? The CFATS regulations require that each high-risk facility must “must satisfy the performance standards” outlined in §27.230. This means that all eighteen of the RBPS must be addressed in the site security plan. The Guidance document notes that each facility will be notified which security issues and COI must be addressed in their site security plan. These security issues and COI will determine the relative emphasis that will be placed on each RBPS. Additionally the Guidance notes that: “Different security measures or activities may be more or less effective depending on the specific security issues.” There is a detailed discussion on pages 17 thru 20 on how the security issue may affect the security measures selected to secure the facility. Any facility developing a site security plan would do well to read and understand that discussion. Not only is it good advice, but it is the best summation of what DHS will be looking for in approving site security plans. Facilities with more than one security issue will find that their security situation will be very complex, but understanding the reasoning that DHS applies to the individual issues will make planning a little easier. Inherently Safer Technology DHS has not addressed the issue of the use of inherently safer technology (IST) in the RBPS Guidance document. A coalition of labor, environmental and other activist groups suggested in their response to the Draft Guidance document that DHS include a discussion of IST in the Guidance. DHS replied in their recently published response to comments that:
“While facilities may voluntarily choose to consider IST solutions as part of their overall security approach, the examination or implementation of IST is not required under CFATS to satisfy the RBPSs and thus is not addressed in the Guidance. No change to the Guidance based on this comment is warranted.”Strictly speaking, IST is not a security measure. It generally falls into the category of risk elimination, risk reduction or risk mitigation measures. The first two categories are better addressed in the Top Screen portion of the CFATS process. If a facility either eliminates or substantially reduces the amount of a COI on site, both well established forms of IST, they need to re-submit the Top Screen as this may change their status as a high-risk facility by removing them from the list entirely or lowering their Tier level ranking. There actually is an IST provision mentioned in the Draft RBPS Guidance Comment document. On page 7 in response to questions about the ‘interdiction requirement’ DHS made the following comment:
“While an armed security force is one potential way of accomplishing this [delay] (and something high-risk chemical facilities may wish to consider), there are many other options for achieving this result (e.g., establishing capabilities to detect an attack early enough and delay it long enough so that local law enforcement can intervene; implementing process controls or systems that rapidly render a target non-hazardous even if an attack successfully breaches containment [emphasis added]).”While this will not be a commonly available option, the rapid conversion of a COI to a non-hazardous chemical or form would certainly fall under the heading of IST. Other risk mitigation measures that provide for automatic post-release neutralization while not strictly IST also should be considered in the development of the site security plan. Facilities that have release COI as their principal security issue need to take a hard look at the whole range of IST possibilities. Looking at the RBPS it will quickly become clear that any security plan for a release COI high-risk facility will quickly become expensive. The easiest way to reduce those potential costs may be to reduce the risk associated with the chemical used on site by using any one of a number of well established inherently safer engineering alternatives.
“Agricultural Chemicals Distribution, Agricultural Chemicals Manufacturing, Agricultural Products Processing, Chemical Distribution, Chemical Manufacturing, College/University, Food Distribution, Food Processing, Health Care, Mineral Extraction/Processing, Natural Gas Storage/Transfer, Petroleum Products Distribution, Petroleum Refining, Pharmaceutical Manufacturing, Power Generation, Propane Distribution, Research, Waste Management, Other”The discussion in the earlier blog about the on- and off-site emergency response capability appears to have addressed that section pretty well. I have found an interesting error in the SSP Instructions in this area. Section 3.4.3 is inaccurately titled. The printed title is “Emergency Management Team [emphasis added] (EMT) Information”; the discussion makes it clear that it should refer to “Emergency Medical Technicians”. While I did note in the earlier blog that this section of the SSP Tool allows the facility to upload an Alternative Security Program (not ‘plan’ like I called it in that blog) I failed to note that there were five questions that the facility had to answer about the ASP before it can be uploaded. An affirmative answer to each of these five questions will automatically transfer the facility to the APS Upload Page. A negative response to any of the questions will require a facility to answer yes to the following question before being given access to that upload page:
“The ASP does not address all pertinent factors in 6 CFR 27. Do you wish to continue to upload an ASP in lieu of the CSAT SSP?”The reason for this question is that if an ASP does not adequately address the requirements of 6 CFR §27.235 there is very little chance that the SSP will be approved. As I noted in my earlier blog, with the history of problems that facilities had with getting an ASP approved for Tier 4 Security Vulnerability Assessments, I would bet that very few, if any, ASP’s will be approved on the first submission. If a facility selects to upload an ASP in lieu of the SSP, then that facility will be done with their initial submission through the SSP tool one that upload is complete.
“Acceptance of the CVI Authorizing Statements makes the individual a CVI Authorized User, with their access limited to the Top Screen. The individual’s access is limited to CVI created by the preparation and submission of the CSAT Top-Screen. The individual will not be issued a CVI Authorized User Number.”The important part here is the phrase “a CVI Authorized User, with their access limited to the Top Screen”. This brings the instructions in line with the new CVI manual issued last October. There is an additional paragraph explaining the requirement to complete CVI training before work can begin in the next CSAT tool if the facility remains in the CFATS process. Additionally, the screen-shot of the “CVI Authorizing Statements” screen has been updated to reflect the current screen. New Buttons on Choose Facility Screen The next page that a new facility will see after accepting the ‘CVI Authorizing Statements’ is the “Choose Facility” screen. There are two buttons on that screen that need explanation One of those is the “Update Facility Info” button. The new manual adds a brief description of the purpose of that button in para 1.1.1 and refers the user to the “Update Facility Information section” (2.1.1) later in the manual for further information. The second button is the “Manage User Roles” button which allows an authorizer, submitter or preparer “to add or delete reviewers for the Top Screen Survey”. A new para 1.1.2 provides brief instructions for completing the addition of a Reviewer. It also warns users not to put an authorizer, submitter, or preparer into a Reviewer status because this will remove their rights to enter or change data in CSAT. Save Button Explanation A change has been made to the navigation buttons on each page of the Top Screen. The old controls consisted of “Back” and “Next” buttons to allow the user to change screens. Pushing either button saved the information that had been entered into that page before the new page was displayed. DHS has added a “Save” button between those two buttons. This will allow the user to save the data entered on that page without changing the page that is displayed. This would be important if you were nearing the 20-minute “time-out” limit and wanted to ensure that you saved the data that had been entered on that page.
There are already TWIC Readers commercially available; Vessels and facilities should be allowed to use commercially available TWIC Readers while TSA is ‘evaluating’ TWIC Readers; and The IBIA disagrees with allowing Risk Group B vessels and facilities to only biometrically verify identity ‘randomly once per month’ under MARSEC 1 conditionsMy Comments on Comments It should go without saying that the TWIC rules do not apply to military vessels. It is not clear that all of the vessels in being addressed in the MSC letter strictly fall under that description. As long as the MSC vessels are operating out of Navy ports, there not having TWICs will not be a problem. However, I believe that these vessels frequently operate out of civilian ports. For non-military crews to not have TWIC or an operationally equivalent ID could cause some problems in that situation. This certainly needs to be addressed in the NPRM. The IBIA comments about the current availability of TWIC readers are a tad bit self-serving. They note that there are at least 17 models that have successfully undergone TSA ‘laboratory testing’, so they could be voluntarily used by MTSA covered facilities while TSA completes their more extensive ‘functional and environmental’ testing. While I agree that such voluntary interim use could provide valuable information for TSA rule development efforts, I am not sure why the IBIA is making that comment here. TSA is unlikely to ‘officially’ approve voluntary interim use, but it certainly has not prohibited that use. Individual Captains of the Port may currently authorize that interim use as part of facility or vessel security plan approval process. The purpose of the environmental and operational testing being conducted by TSA is to ensure that TWIC readers will reliably work in the sometimes challenging environment associated with port facilities and ships. TSA does not want to require the use of equipment that cannot survive for a reasonable period of time in that environment. Justifiably, IBIA member companies would like to recoup their investments in TWIC Reader developments sooner rather than later. Selling them before they are approved or required could be a challenge for the best sales person, but TSA is not going to ‘authorize’ interim use to aid sales. One minor comment on the Coast Guard meeting slides. Whoever put this .PDF document together oriented the slides so that they show up in the .PDF Reader software rotated 90 degrees out of standard. This means that you have to play with the size controls and turn your head sideways to be able to read the slides. This is the first time that I have seen PowerPoint® slides displayed this way in a .PDF file. It is certainly not user friendly. Not only was this poor attention to detail on the part of the preparer, but who ever approved this document for release needs to be hung from the modern equivalent of the yard arm.
“Version 2.7.a -> Version 2.8 “Updated version number and date “Updated section 1.1 (text and images) to reflect a revised set of CVI Authorizing Statements each CSAT User must agree to prior to accessing the Top Screen. This update aligns the CSAT Top Screen with the revised CVI Manual issued in October 2008. “Updated section 1.1.2 and section 2.1.1 with the new Update Facility Info features “Updated section 1.1.2 to include the new Manage User Roles features “Added the Save button explanation to section 1.2”This looks like procedural stuff not a substantive change in the Top Screen (the Questions manual has not been updated). I’ll take a closer look at the changes later today and may have more information on this tomorrow.
“To make the Guidance shorter and easier to read, the Department has decided to replace most of the disclaimers and related language with a single disclaimer at the beginning and in a brief footer on every page.”Anyone that will be using the RBPS Guidance to inform their development of a site security plan (and that should include all Facility Security Officers at all high-risk chemical facilities) should take the minimal effort to read this 30 page document. Even if one hadn’t read the draft document, the explanation of the changes made to the document, as well as the changes not made, will provide additional information and guidance on what DHS is looking for in the Site Security Plan. Disclaimer There is still a substantial disclaimer at the beginning of the document. The meat of that disclaimer has not changed from the one found in the draft document. The most important part states:
“This Guidance reflects DHS’s current views on certain aspects of the Risk-Based Performance Standards (RBPSs) and does not establish legally enforceable requirements for facilities subject to CFATS or impose any burdens on the covered facilities. Further, the specific security measures and practices discussed in this document are neither mandatory nor necessarily the ‘preferred solution’ for complying with the RBPSs. Rather, they are examples of measures and practices that a high-risk facility may choose to consider as part of its overall strategy to address the RBPSs. High-risk facility owners/operators have the ability to choose and implement other measures to meet the RBPSs based on the facility’s circumstances, including its tier level, security issues and risks, physical and operating environments, and other appropriate factors, so long as DHS determines that the suite of measures implemented achieves the levels of performance established by the CFATS RBPSs.”Additionally, at the foot of each page is another, simpler disclaimer that essentially covers the same information. That disclaimer reads:
“Note: This document is a “guidance document” and does not establish any legally enforceable requirements. All security measures, practices, and metrics contained herein simply are possible, nonexclusive examples for facilities to consider as part of their overall strategy to address the risk-based performance standards under the Chemical Facility Anti Terrorism Standards and are not prerequisites to regulatory compliance.”These disclaimers are required because when Congress authorized DHS to write the CFATS regulations they placed a number of restrictions on that authority. The one restriction that applies here is that the §550 authorization included language that prohibits DHS from requiring any specific security measure to be included in the Site Security Plan as a prerequisite for the approval of that plan. In order to be able to provide the guidance necessary the writers had to ensure that no one could interpret the guidance as requiring any specific security measure. The writers did not limit their conformance to that restriction to just the inclusion of these disclaimers. The entire document was carefully crafted to avoid the appearance of requiring any specific security measure. The only exceptions to this are found in the discussion of RBPS #18, Records. There are specified record retention requirements listed, but, since these are not ‘security measures’ by any definition, and they come directly from the CFATS regulations (§27.255), they do not violate the Congressional prohibition. The vast majority of the changes made from the draft Guidance document were made in the ‘metrics’ portion of the document. These metrics are misnamed because they do not really allow for measurement of compliance, which would be seen as prescriptive, but they do provide a broadly written narrative description of the type actions that DHS would like to see taken. The changes made in the final version of the document were not so much substantive, as editorial, to remove even the remote appearance of specifying a security measure. RBPS Guidance and Enforcement More than one commentor on the Draft Guidance document expressed their concern that the Guidance document would be used by DHS inspectors as an expression of requirements during the enforcement phase of the CFATS implementation. It may be a well founded concern, but for the wrong reason. The wording in §550(a) of the Homeland Security Appropriations Act of 2007 (Public Law 109-295) is quite specific; “the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure”. The language is quite specific in referring to the ‘approval’ of the site security plan. There is no such restriction in the §550(e) wording concerning the requirement for the Secretary to “audit and inspect chemical facilities for the purposes of determining compliance with the regulations issued pursuant to this section”. No one that I have talked to from DHS has ever mentioned this distinction. I have been told, however, that DHS will consider the approved Site Security Plan as a ‘contract’ between the facility and DHS outlining exactly what the facility is required to do to adequately secure the facility against terrorist attack. DHS may very well use the RBPS Guidance metrics as a measure of how well the facility has complied with that contract.
“That is, when you jump back to a previous section, all preceding sections will become un-highlighted [inaccessible] and you will be required to page through all the subsequent pages of the SSP tool. This is necessary because the SSP tool adapts the pages presented for completion based on answers on previous pages and a change within one section might require you to answer additional/different questions later.”Given that subsequent pages may affected when data is entered into an SSP page, it will be a good idea for facilities to coordinate the data entry efforts made by multiple Preparers. When changes have to be made on previously completed sections it will certainly be a good idea for Preparers to review subsequent sections that have already been completed. This will make the review job of the Submitter much easier and reduce the number of SSPs rejected by DHS. Data Preparation The Instructions manual (page 5) provides a fairly comprehensive list of resources that facilities will need to complete the SSP submission process. The DHS list includes such things as copies of the CFATS regulations, the facility Top Screen and SVA submission, a copy of the FNL, among other things. All of the things on the list will undoubtedly be valuable for the Preparers and Submitter have readily at hand during the preparation for the SSP submission. In fact, it would make things much simpler if all of this material were maintained in a lockable office set up just for CFATS administration at the facility. This would make it much easier to comply with rules for safekeeping of CVI. A number of the items on the DHS list of resources are CVI and draft documents that the facility compiles for the purpose of SSP submission will be CVI as well. A dedicated room to which only CVI authorized personnel will have access to will make the required CVI security procedures much less intrusive to the SSP preparation and submission process. One invaluable resource that is not included on the DHS list is the SSP Questions manual. This manual provides a list of the questions found on the SSP tool. With room available to record answers and write notes this manual can serve as a workbook for the off-line preparation of the SSP submission. Again, as soon as any facility information is added to this manual it becomes CVI and only CVI Authorized Users may have access to the annotated document. The manual can also be used as a management tool for assigning responsibility for collecting and developing submission data. The manual can be printed and taken apart to provide teams or responsible individuals as an assignment template. This will allow them to work on portions that they are most familiar with. This will also provide for management review and approval of the data before it is added to the on-line tool. This will also make the Submitters review easier before the SSP is actually submitted to DHS. Once again, these partial documents will become CVI as soon as facility information is added. This means that marking and security provisions will apply to these portions of the manual and only CVI Authorized Users may work with them.
“This document is a copy of certain portions of the Chemical Security Assessment Tool (CSAT) Site Security Plan (SSP) template and is intended merely to give the reader some idea of the questions that an actual SSP will need to address.”This is a real lengthy document and I don’t see how much use it will actually be to getting ready to submit the SSP. The question document will be a better preparation aid. Still, some people will find it useful to be able to look actual pictures of what some of the SSP screens.
Dennis Deziel Deputy Director Infrastructure Security Compliance Division U.S. Department of Homeland Security, Mail Stop 8100 Washington, DC, 20528
/* Use this with templates/template-twocol.html */