Monday, August 31, 2009

QHSR Dialogue 2

Today the second phase of the Quadrennial Homeland Security Review (QHSR) Dialogue officially started. This phase of the web-based dialogue will be opened through September 6th. The study groups have taken the work they had previously done, combined it with the information provided in the first phase of QHSR Dialogue and come up with a series of goals that support the four action areas listed in the first Dialogue. Those action areas are: Counterterrorism and domestic security Securing our borders Tough, smart enforcement of immigration laws Preparing for, responding to, and recovering from disasters The other two study areas listed in the original Dialogue (Homeland Security Nation Risk Assessment, and Homeland Security Planning and Capabilities) were not continued into the current goal-setting portion of the current dialogue. Their ‘squares’ on the dialogue page were ‘grayed out’ for that reason. There are, however, provisions for continuing the discussion of ideas for those areas started in the previous dialogue. Counterterrorism and Domestic Security Like I did in the previous Dialogue, I will be spending most of my time looking at Counterterrorism and Domestic Security (CTDS) section. That happens to be where my interests lie, but the general outline of each of the areas will be the same. Everyone should certainly take at least a little time to look at all four areas. The QHSR Study Groups have identified three general goals for the CTDS section. They are:
“Terrorists and other malicious actors are unable to effectively operate within or against the homeland.” “Terrorists and other malicious actors are unable to acquire or move dangerous chemical, biological, radiological, nuclear, and explosive materials or capabilities.” “Critical infrastructure assets, systems, networks, and functions are safeguarded and resilient.”
Rating the Objectives Each goal has a number of supporting objectives. The purpose of the second Dialogue is to rank each of the objectives supporting the goals. The set up for the rating is sort of unique; each goal is given an allowable number of points (equal to 10 points for each objective) that may be distributed between those objectives. Each objective has a scale with ratings from -30 to +30 in 10 unit increments. After rating each objective the sum of the ratings awarded must equal the available points. So, for example, on Goal #1 I assigned the following ratings for the five objectives:
Understand the Threat – +20 Stop the Spread of Violent Extremism – -10 Counter their Capabilities – +10 Interdict Threats – +20 Build Community Support – +10
There is a separate information page for each action area that provides a little bit of information on the Goals and their Objectives. The information is not extensive, but it does at least provide for a general definition of the objectives. It should help keep everyone on the same sheet of music anyway. Discussion of Ideas Once again the major information exchange process for the Dialogue takes place on the “Discuss” page. To date there are only two ‘ideas’ identified in the CTDS section. Every person has the ability to post an idea that is then open to discussion. The general set up is the same as in Dialogue 1. There is a serious improvement however; you can now formulate your idea or response to an idea off-line in MS Word® and cut/paste your entry into the dialogue. Security Issues Remain The security issues that were identified in the previous dialogue remain. The registration form that must be completed before one is allowed to make ratings or contribute to the discussion is still not protected in transmission. If anyone wants to make their comments to the discussion anonymously (there are people that cannot openly discuss policy issues for legal reasons) needs to realize that if they provide personally identifiable information in the registration process it is attributed to their comments. This is not readily apparent, nor is it fully disclosed.

CFATS Hearing on September 11th

Last week William_Allmond reported on Twitter that there would be a CFATS hearing before the House Energy and Commerce Committee on Friday, September 11th. That would be the end of the first week back from recess. I have been able to confirm that there will be a hearing of the Energy and Environment Subcommittee at 10:00 a.m. that day. This is apparently the same Subcommittee hearing that was cancelled before the recess because of the Committee being tied up with the mark-up of the health care reform bill. That mark-up is still pending, of course, but it appears that the Democrats are confident that they can get that finished earlier in the week. It is way too early to have this hearing appear on the Energy and Commerce Committee web site, but I have been told that Under Secretary Rand Beers has been asked to testify and he will probably bring along Sue Armstrong from ISCD as he did in the similar hearing before the House Homeland Security Committee last June. He would discuss policy, she would supply answers on details of the program. This hearing is likely to look at both HR 2868 and HR 3258 as they are essentially companion bills. With that in mind I would expect that Beers and Armstrong would be joined by someone from the EPA for the first panel of the hearing. It is unlikely that these two bills will make it to the House floor (much less the Senate) before the current CFATS authorization expires on October 4th. The DHS budget bill that would extend the CFATS authorization one year is still stalled, waiting for Speaker Pelosi to appoint the House Conferees. Once the Conference Committee can meet it should not take long to iron out the differences between the two version of that bill. Quick passage in both the Senate and House should follow relatively quickly if things don’t get bogged down on the health care and the cap and trade bills.

DHS CSAT FAQ Page Update 8-28-09

Last week DHS updated the responses to two of the questions on the DHS CSAT FAQ web page. Those questions were: 707 How do I change the name of the Authorizer/Submitter/Preparer? 1633 As used in the CSAT SSP tool, what is the difference between a planned security measure and a proposed security measure? The update to the response to question 707 involved the correction of a minor typo. The update to the response to question 1633 involves a clarification of a definition of a ‘planned security measure’ in the Site Security Plan. The old definition included the explanation that such a measure was one that the facility had “definitely decided to install/implement”. The new wording changes that to read “committed to install/implement”. This should make it more clear that a facility will have to be able to show some sort of documentation to a DHS inspector to demonstrate that commitment if the measure had not yet been installed at the time of the inspection. Additionally a missing phrase, “for facility to remain in compliance with the SSP” was added to the statement explaining that planned security measures that are approved by DHS must be implemented. There were also some minor formatting changes made in the response to this question.

HR 3258 Analysis – Risk Based Tiers

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background HR 3258 Analysis – 50 Enforcement Agencies HR 3258 Analysis – Substance of Concern HR 3258 Analysis – Vulnerability Assessments HR 3258 Analysis – IST Assessments HR 3258 Analysis – VA-SSP Review HR 3258 Analysis – Protected Information HR 3258 Analysis – Employee Participation HR 3258 Analysis – Emergency Response Plans The drafters of HR 3258 copied a number of ideas from the current CFATS program. One of these was the idea of four risk based tiers, with a first tier facility having the highest risk and a fourth tier facility having the lowest risk. There is a significant difference between the two risk standards employed; the CFATS standards start with all facilities being at high-risk for terrorist attack, the §1433 standards do not use relative risk to establish that the facilities are covered. Thus, the potential range of risk measured by the four tiers at water treatment facilities is much wider for the water treatment facilities. Assignment of Tier Ranking Section 1433(d) requires that the Administrator establish regulations to assign facilities to the four tiers. Again, patterned after the CFATS regulations the section provides for the Administrator requiring facilities to provide information specifically to allow for assignment to an appropriate tier. This ‘Top Screen’ type information would probably ask for the number of people served by the facility, major industries served, the type of water-treatment regime used, and what substances of concern are found on site. This legislation only generally provides guidance on how the tier assignments will be determined. It does explain that the Administrator will consider “consider the potential consequences (such as death, injury, or serious adverse effects to human health, the environment, critical infrastructure, national security, and the national economy)” {§1433(d)(1)(B)} of an intentional act. It then goes on to specify three types of ‘intentional acts’ that will be taken into consideration:
"(i) an intentional act to cause a release, including a worst-case release, of a substance of concern at the covered water system; "(ii) an intentional act to introduce a contaminant into the drinking water supply or disrupt the safe and reliable supply of drinking water; and "(iii) an intentional act to steal, misappropriate, or misuse substances of concern."
The second type of ‘intentional act’ has nothing to do with specific substances of concern at the facility, though such chemicals could certainly be considered to be a ‘contaminant’ in concentrations higher than those allowed by other environmental laws. The inclusion of this type act is a continued acknowledgement that water treatment systems have their own particular risks beyond those found at other ‘chemical facilities’. While the term ‘intentional act’ is widely considered to be a politically correct euphemism for ‘terrorist attack’, it is not defined in the legislation. This opens up the consideration of the last type of ‘intentional act’ to potentially include anti-drug operations. Many facilities use anhydrous ammonia in their treatment process. This is a critical chemical in the illicit manufacture of methamphetamines and there have been wide spread instances at other storage facilities where the attempted theft of this chemical has resulted in the release of this toxic chemical. Explanation of Tier Assignments Another significant difference between this legislation and the CFATS regulations is that the drafters of HR 3258 are trying to avoid some of the secrecy associated with the CFATS assessments. DHS has been reluctant to discuss how it makes their tier ranking assignments, fearing that it would provide too much potential targeting information to terrorists seeking high-visibility targets. For water treatment facilities §1433(d)(2) would require the Administrator to “provide each covered water system assigned to a risk-based tier with the reasons for the tier assignment”. The information would still be protected information not subject to public disclosure, but it would provide the facility with information that could be used to lower their tier rankings. This would be especially important for facilities in the two highest tiers, since reducing the tier ranking to three or four would remove them from having to do an assessment of methods to reduce the consequences of a chemical release from an intentional act.

Friday, August 28, 2009

CSB Meeting on T2 Laboratories Explosion

Today the Chemical Safety and Hazard Investigation Board (CSB) published a notice in the Federal Register that it will be conducting a public meeting on September 15, 2009 concerning the results of it’s investigation into the December 19th, 2007 explosion and fire at the T2 Laboratories manufacturing facility in Jacksonville, FL. Reporting back in late 2007 and early 2008 indicated that this was one of the largest explosions that CSB had looked at to date. It was the apparent result of an over-pressurization of a reaction vessel that caused that vessel to fail. The resulting flammable-vapor release formed a large fuel-air-mixture cloud which provided the situation for the actual devastating explosion. The accident caused four on-site deaths, including one of the owners, and a large number of on- and off-site injuries. It will be interesting to see what CSB determined the cause of the accident to be. One thing that will almost certainly come out of the investigation is a renewed call by CSB for both EPA and OSHA to be more proactive in regulating reactive-chemistry safety. DHS might want to re-look at their stand on what constitutes sabotage COI after seeing the results of this meeting.

HR 3258 Analysis – Emergency Response Plans

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background HR 3258 Analysis – 50 Enforcement Agencies HR 3258 Analysis – Substance of Concern HR 3258 Analysis – Vulnerability Assessments HR 3258 Analysis – IST Assessments HR 3258 Analysis – VA-SSP Review HR 3258 Analysis – Protected Information HR 3258 Analysis – Employee Participation One of the major differences between this legislation and HR 2868 is that here §1433(i) requires each covered system to prepare and periodically update an emergency response plan (ERP). Such plans are not specifically targeted at chemical issues, but they are only required to look at responses to effects of ‘intentional acts’. I am not familiar enough with other EPA water treatment facility regulations to know if there are similar emergency response plan requirements for results of accidents or incidents due to natural causes such as weather, earthquakes or fires. ERP Certification There are no requirements for facilities to submit their ERP to the Administrator or State agencies with oversight responsibility for the facility. Instead, the drafters of this legislation simply require the facility to certify to the Administrator that they have prepared such a plan. The timing for such certification is based upon the submission of the facility vulnerability assessment. The legislation would require the facility to submit their certification “not later than 6 months after the system’s first completion or revision of a vulnerability assessment under this section and shall submit an additional certification following any update of the emergency response plan” {§1433(i)(2)}. This time limit is interesting because the ERP is required to incorporate the “the results of the system’s most current vulnerability assessment and site security plan” {§1433(i)(1)}. Since the time frame for preparing and submitting a site security plan is not set in this legislation (the Administrator will set that time limit in subsequent regulations), it is not clear that the site security plan will be completed by the time that ERP certification is due. ERP Coverage The ERP will cover ‘plans, procedures and identification of equipment’ that will be used to respond to “an intentional act at the covered water system” {§1433(i)(3)(A)}and “…obviate or significantly lessen the impact of intentional acts on public health and the safety and supply of drinking water provided to communities and individuals” {§1433(i)(3)(B)}. This legislation does do more than look at just chemical related security issues related to water treatment facilities, but the failure to specify that the ERP must outline chemical release notification procedures for neighbors of the facility is difficult to understand. Facilities with substances of concern need to be required to include in their ERP to provide specific coverage of issues related to releases of chemicals, especially when there is a possibility of off-site consequences from such a release. ERP Coordination While §1433(4) is labeled ‘coordination’ it only requires one-way communication of ‘appropriate information’ from the covered facility to “any local emergency planning committee, local law enforcement officials, and local emergency response providers”. The provision of such information (presumably to be more clearly specified in the resulting EPA regulations) is certainly an important first step in the development of a comprehensive ERP, but does not constitute ‘coordination’ in any sense of the word. At the very least, since this is a certification requirement not a requirement to submit an ERP for approval, the facility should be required to include in its certification an acknowledgement by at least one local law enforcement agency and one local emergency response agency that it has coordinated its ERP with that agency. Real Emergency Response Planning As readers of this blog are well aware, I am an outspoken proponent of effective emergency response planning. While I am pleased to see an ERP requirement in this legislation, the specific ERP requirements are weak at best. The legislation should require the Administrator to develop specific requirements for the ERP just as it does for the vulnerability assessment and site security plan mandates in the bill. Certification of the existence of an ERP meeting such requirements might be appropriate for low-risk facilities, but higher risk facilities with the potential for significant off-site chemical release consequences should be required to submit their ERP for approval. A facility has no control of the planning actions or capabilities of other local government agencies that must actually execute the off-site ERP response. Covered facilities must however, be required to initiate specific coordination efforts. For facilities with potential for significant off-site chemical consequences, this legislation should require that they provide local law enforcement and emergency response agencies with the following information, at a minimum:
Identification of on-site chemicals with potential off-site affects; Material Safety Data Sheets for those chemicals; Potential exposure distance for a worst case release for those chemicals; Information about inbound shipments of those chemical; and Facility point of contact for incident information.
The facility should be required to include in their side of the ERP:
Methods for detecting a potential chemical release; Methods for directly notifying immediate neighbors of toxic chemical releases; Methods for notifying local law enforcement and emergency response personnel of initiation of the ERP; and Methods for ensuring communication with local law enforcement and emergency response agencies during a chemical release emergency.

Thursday, August 27, 2009

2nd QHSR Dialogue Starts Monday

I got a TWIT the other day from qhsrdialogue to remind me that the second Quadrennial Homeland Security Review (QHSR) Dialogue will start on Monday, August 31st. The QHSR Dialogue staff at the National Academy of Public Administration promise that the web site has been improved for the Second Dialogue and it will be even more interactive. This dialogue will focus more on helping to set priorities for DHS. If you signed up for the First Dialogue, you should continue to receive notices about the 2nd. If you are not already signed up you can sign up at http://homelandsecuritydialogue.org/. They have already made one improvement they no longer require you to provide any personal information beyond your email address.

Reader Comment 08-26-09 HR 3258 IST

Scott Jensen from the American Chemistry Council left an interesting comment on my earlier blog about the IST provisions of HR 3258. The comments are relatively long analysis of the IST issues associated with water treatment facilities. Any one interested in this issue should certainly read his entire comment. I would like to expand on a couple of points that Scott makes in his comment. Are Substitute Chemicals Safe? Scott writes that “it would be a mistake to believe all facilities can be secured by simply requiring them to use different chemicals”. The easiest substitution to effect to replace chlorine gas would be the use of sodium hypochlorite, essentially industrial strength bleach. Scott notes that you need to use eight times as much bleach as chlorine gas in disinfection operations. This is because you need the same number of chlorine molecules per unit volume of water regardless of your source for chlorine. Since hypochlorite is less stable than chlorine gas, it is typically not shipped in rail cars. This means that unless the bleach is produced on site it will be shipped to the site in tank wagons over the road. This will increase the number of truck shipments of hazardous chemicals to the site. In turn, this will inevitably increase the incidence traffic accidents that result in the release of industrial strength bleach. Anyone that has spilled laundry bleach, a diluted version of the same chemical, will understand the types of problems that will cause. Another side issue of the instability problem is that sodium hypochlorite is a very reactive chemical. Chemical reactions with mineral acids or ammonia are very violent. They produce large amounts of chlorine gas very quickly. The liberation of that gas produces quick rises in pressure that resemble explosions. If either of these chemicals is introduced into a sodium chlorite storage tank in volume, either as the result of an accident or an intentional act, the pressure rise is likely to result in the rupture of the storage tank releasing a cloud of chlorine gas. Collateral damage from that rupture will include additional equipment damage on site and probable off-site environmental affects. Additionally, the facility will likely be put out of operation for an extended period of time while the problem is cleaned up and the storage tank replaced. Where that facility is a community water treatment facility, that means that the community will be without potable water while the facility is put back together and the water system purged. This does not mean that sodium hypochlorite is a poor substitute for chlorine, just that the problems associated with that chemical have to be addressed. There will be facilities where the cost of addressing those problems is too high to justify the switch. Unfortunately, it would seem that the facilities with the highest chlorine use rates would be the least likely to be able to switch to hypochlorite. Problems with IST Mandates Scott points out that:
“By placing the final decision with the state agencies, and by requiring consideration of "factors appropriate to the security, public health, and environmental missions of covered water systems," the bill has addressed some concerns related to IST mandates.”
One of the concerns with the IST mandates in the chemical facility security bill (HR 2868) is the lack of IST expertise in DHS and the wide range of industrial backgrounds that such expertise would have to address in chemical facilities. Water treatment facilities will be using a smaller range of chemicals and processes, so it will be easier to establish the requisite expertise within the agency evaluating the IST application. Since the State agency making the evaluation is already familiar with the operation of water treatment facilities, it will be even easier to ensure that those agencies understand the systems being evaluated. Even so, there are no clear cut guidelines that the State agencies, or the EPA for Wyoming and Washington, DC, are required to use to evaluate the potential IST measures that they may require to be implemented. This problem is compounded by the fact that facilities are required to ignore cost factors in reporting the potential feasibility of the substitute measures. Cost factors will be reported separately from the feasibility issue leaving the State agency to decide how those cost factors will affect their implementation decision. One of the reasons that the drafters included this separation of costs from feasibility was that they intended that the grant program included in the authorization section of the legislation would go a long way towards alleviating the cost problem. Unfortunately, no one knows if this will be enough money or how that money will be allocated. Relying on the availability of these grants in making implementation mandates will likely put a number of facilities in the position of being required to make changes that they cannot pay for. This brings us to another of the points that Scott makes in his comment (and I made in the original blog) “the bill provides no way for a utility to appeal the state’s determination”. The lack of an appeal provision makes is a political certainty that there will be decisions made that cannot be implemented. Continuing the Discussion Scott’s comments provide a reasoned look at some of the issues that argue against including the current mandatory IST implementation language in HR 3258. Hopefully, this type discussion, on both sides of the issue, will allow for the development of reasonable IST provisions in the final bill.

Wednesday, August 26, 2009

NJ Chemplants to Watch for Danny

Tropical Storm Danny formed in the Atlantic Ocean this morning and it may have a serious impact on the extensive chemical facilities located along the New Jersey coast. As of 11:00 am EDT this morning the NOAA National Hurricane Center showed that the western edge of the 5-day Track Forecast Cone covered the State of New Jersey. According to the latest forecast Danny could be a Category 1 Hurricane by the time it reached the vicinity of the New Jersey coastline. Facilities on the Gulf Coast have become well practiced in the last couple of years in preparing their facilities for hurricane operations. One would assume that the same owners would be able to transfer that expertise to their New Jersey facilities. One thing of special concern to readers of this blog will be how to maintain adequate facility security in the lead up to and in the aftermath of a hurricane impact. Some Gulf Coast facilities have resorted to constructing hardened facilities for their security and critical control operations. It is a little too late to plan for that type response for this storm, but facilities should study their contingency plans to make sure that they have everything in readiness for Saturday’s storm.

MIC Storage to be Reduced by 80%

In news releases by the Chemical Safety Board and Bayer CropScience, it was announced this afternoon that the Bayer CropScience facility outside of Institute, WV will voluntarily reduce their routine inventory of Methyl Isocyanate by 80% and eliminate all above ground storage of that material. This will involve shutting down all production at the facility’s West Carbamoylation Center within one year. This center was the site of last year’s fatal accident. According to an article by Ken Ward on WVGazette.com local activists are pleased with the announcement.

Fake DHS e-Mail

I ran into an interesting, but too short, article over on SecurityManagement.com about a series of fake emails. Apparently they appear to have come from DHS intelligence folks, but were really malware containing missives from IP addresses in Latvia and Russia. The emails contained links to known password stealing software. The article notes that DHS has sent out warnings to Defense Department and state and local officials. Nothing has been said about these fake emails going to private companies, but it is probably just a matter of time. Neither has anything been said about the warning going out to private companies. Unfortunately, there is no word in the SecurityManagement.com article or the source AP article about how sophisticated the scam actually is. I have seen similar emails where the source address was well hidden from standard email software and others where the actual origination address was clearly shown. I would be interested in hearing from anyone in the chemical security community if they have seen either one of the fake emails or a notification from DHS about the problem. If the problem is making its way down to the chemical security community I certainly want to get the word out.

TSA: Reporting Security Issues NPRM

The Transportation Security Administration (TSA) published a notice of proposed rule making (NPRM) in today’s Federal Register regarding the establishment of a system through which the public could report security concerns and issues related to transportation security directly to the TSA. Comments on the proposed rule need to be submitted to the Regulations.gov web (Docket # TSA-2009-0014) site by October 26th. This regulation is required under 49 U.S.C. 20109(j)), 1536(i) and 31105(i). These provisions were adopted as part of the Implementing Recommendations of the 9/11 Commission Act of 2007 (Public Law 110-53). After TSA published their final rule on re-organizing section 1503 of 49 CFR earlier this summer, Subpart A was left ‘reserved’ for future regulatory action. This NPRM would add Subpart A, Reports by the Public of Security Problems, Deficiencies, and Vulnerabilities. It would provide a number of reporting routes for the public to identify “a problem, deficiency, or vulnerability regarding transportation security, including the security of aviation, maritime, railroad, motor carrier vehicle, or pipeline transportation, or any mode of public transportation, such as mass transit” {§1503.1(a)}. Reports could be filed by mail, email, or telephonically. The proposed regulation would include the address, email address and telephone numbers for making such reports. If the report submitter provided contact information, TSA would ‘promptly’ acknowledge receipt of the report. After receiving a report through this new mechanism TSA would “review and consider the information provided in any report submitted under this section and take appropriate steps to address any problems, deficiencies, or vulnerabilities identified” {§1503.1(c)}. As one would expect there are no provisions listed for TSA providing investigatory feedback to the filer of the initial report. TSA is taking pains to note that reports made through this mechanism will not relieve people of the requirement to make transportation related reports mandated by any other regulation. The preamble to the rule also makes it clear that new mechanism “is not intended for issues of immediate or emergency security or safety concern” (74 FR 43089); those should be reported using the 911 telephone system. This is not addressed in §1503.1.

HR 3258 Analysis – Employee Participation

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background HR 3258 Analysis – 50 Enforcement Agencies HR 3258 Analysis – Substance of Concern HR 3258 Analysis – Vulnerability Assessments HR 3258 Analysis – IST Assessments HR 3258 Analysis – VA-SSP Review HR 3258 Analysis – Protected Information This legislation, like its companion bill HR 2868, specifically addresses the roles of employees in the security process. While certainly a part of labor agenda, these provisions address a reality that facility employees must perform a number of critical roles in addressing the protection of the facility from ‘intentional acts’. Role of Employees Section 1433(f)(1) requires that site security plans and emergency response plans must address the specific roles that employees are “expected to perform to deter or respond to the intentional acts”. While this would seem to be an obvious requirement for any such plan, this has been identified by labor unions as a significant shortcoming in many security plans that they have seen. The inclusion of ‘emergency response plans’ in this section is something that is not seen in HR 2868. An emergency response plan should be an integral part of any security or safety plan. It is should be included as a recognition that there is no such thing as a foolproof plan. Employee Training This legislation carries the same 8-hour training requirement for facility employees that is found in HR 2868. Section 2103(f)(2) of that legislation provides an extensive list of areas that must be covered in that 8-hour training requirement. That is lacking in this legislation. Without this listing of coverage requirements, the 8-hour training requirement is excessive. One provision of the HR 2868 legislation that certainly needs to be transferred to this legislation is the requirement to allow “instruction through government training programs, chemical facilities, academic institutions, nonprofit organizations, industry and private organizations, employee organizations, and other relevant entities that provide such training” {HR 2868, §2103(f)(2)(H)}. With the small size of many of these facilities with their limited training resources it would be extremely difficult to develop such training programs in-house. Section 1433(q)(4) provides for a federal grant program to provide monetary support for training for facility employees and contractor employees. The grant program would be administered through the National Institute of Environmental Health Sciences. Training grants under this program could also be used to train first responders and emergency response personnel that would respond to incidents at the facility. An odd provision of this grant program, and a similar program under HR 2868, is that the monies would not go to the covered facility but to ‘eligible entities’. An eligible entity would be “a nonprofit organization with demonstrated experience in implementing and operating successful worker or first responder health and safety or security training programs” {§1433(q)(4)(D)}. There is no money specifically appropriated in §1433(r) to fund these grants. Employee Participation From the perspective of labor organizations the most important provision of this section is found in §1433(f)(3) which outlines the requirements for employee participation in the development of vulnerability assessments, site security plans and emergency response plans. Labor has long maintained that there members have an intimate knowledge of the facilities in which they work that would be invaluable in the development of safety and security plans. The language of this legislation requires that there must be at least one supervisory and one non-supervisory employee involved in the development of these plans. Where there is a union that is certified or recognized as a bargaining agent for employees or contractors at the covered facility, each such union will have a representative involved in the development of these plans.

Tuesday, August 25, 2009

Theft of Anhydrous Ammonia

While there has yet to be a documented terrorist attack on a chemical facility in the United States (knock on wood) there are relatively routine thefts of anhydrous ammonia from rural and small town storage sites. These thefts are not driven by terrorism, but by the illicit manufacture of methamphetamines. While that is reason enough for concern, there have also been a number of significant releases of anhydrous ammonia over the last couple of years associated with these thefts. A recent article on the CourierPress.com site points out a new tool to help prevent these thefts and their associated potential releases of a dangerous PIH chemical. The news story tells about a recent theft of anhydrous ammonia from a small town chemical facility in Epworth, IL. The sheriff notes that the perpetrators may be easy to identify because at least one of the anhydrous storage tanks that was hit was treated with a chemical dye. Furthermore, any attempt to manufacture methamphetamines with that anhydrous ammonia will result in a visibly off-spec product that will be difficult to market. The development and marketing of this dye is an anti-drug effort by GloTell Distributors out of Washington Court House, OH. Developed in cooperation of the Southern Illinois University Carbondale, the dye is added to agricultural or cooling system grade anhydrous ammonia. The dye stays in the liquid phase of the material and stains almost any object a brilliant pink when the dye comes in contact with the air. The dye is biodegradable and the visible color disappears in about 72 hours, though it is still detectable under UV light for another 48 hours. In addition to marking the thieves, the GloTell dye stays in the methamphetamine produced with the marked anhydrous ammonia. In addition to making the product pink it makes it very difficult to dry the methamphetamine, making the illegal drug slimy and almost impossible to smoke. This combination should make it more difficult to sell the street drug. While this technology may not be very useful in stopping someone that wants to use anhydrous ammonia as a potential weapon, it does show how the proper combination of ingenuity and cooperative development can come up with unusual solutions to security problems.

HR 3258 Analysis – Protected Information

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background HR 3258 Analysis – 50 Enforcement Agencies HR 3258 Analysis – Substance of Concern HR 3258 Analysis – Vulnerability Assessments HR 3258 Analysis – IST Assessments HR 3258 Analysis – VA-SSP Review One of the continuing controversies regarding security programs at chemical facilities, including water treatment plants, is allowing public access to public safety related security information. This legislation takes a fairly conventional type approach by limiting access to specific sensitive information, while requiring information sharing among affected parties. The term ‘affected parties’ includes emergency response agencies, State and local officials, and employees, but does not include the neighboring public. Section 1433(l) does not assign the protected information to any of the current categories of controlled but unclassified information, nor does it try to specifically create a new standard. It does specify SSI protections in some cases and lists protection requirements in other cases. This cut and paste information protection scheme is confusing and part of the larger problem that the government is having in trying to determine how to protect security information for private companies. Freedom of Information Act Exemption Section 1433(l)(1) specifically exempts the ‘protected information’ from public disclosure “under section 552 of title 5, United States Code” and similar State, local or tribal laws. This means that the general public, including news agencies, has no rights to access the information. Security personnel will certainly agree with this exemption while environmentalists and local activists will feel that it shuts them out of determining if the facility is taking adequate measures to protect the public. This is a continuing source of conflict between these two groups and is aggravated in this case by the fact that most of the covered facilities will be publicly owned facilities. Sharing Requirements Section 1433(l)(2)(a) specifies that the regulations developed to implement this legislation will make provisions for sharing ‘protected information’ with a wide variety of categories of personnel. Those categories include:
Federal, State, local, and tribal authorities, First responders and law enforcement officials, Designated supervisory and non-supervisory covered water system personnel with security, operational, or fiduciary responsibility for the system, and Designated facility employee representatives, if any.
Specific provisions in this section require sharing of information related to employee responsibilities for actions under facility Site Security Plan. The complete Vulnerability Assessment and Site Security Plan must be made available to “a representative of each certified or recognized bargaining agent representing such employees”. Presumably this is to allow the experts within those labor organizations to review those documents and ensure that adequate measures are being taken to protect their members from the results of ‘an intentional act’. With the wide number of personnel given access to ‘protected information’ under these provisions, the legislation attempts to limit the subsequent spread of such information by providing sanctions against the unauthorized disclosure of such information. Anyone “who purposefully publishes, divulges, discloses, or makes known protected information in any manner or to any extent not authorized by the standards set by the Administrator” {§1433(l)(2)(B)} may be imprisoned or fined for a misdemeanor violation in accordance with chapter 227 of title 18 USC. Sensitive Security Information This legislation does not make the ‘protected information’ Sensitive Security Information under §525 of the Department of Homeland Security Appropriations Act, 2007 (Public Law 109–295; 120 Stat. 1381). Section 1433(l)(3) does, however, provide the same protections to the ‘protected information’ in ‘adjudicative proceedings’. Thus, the SSI disclosure rules do apply in administrative hearings and court cases. Definition of ‘Protected Information’ The drafters of this legislation start their discussion of what is covered as ‘protective information’ by describing what is not included in that term. First {§1433(l)(4)} they note that the ‘protective information’ protections do not apply to any information required to be submitted to other Federal, State, tribal or local government agencies under any other laws. This should prevent the information disclosure problems seen in the recent CSB investigation of the Bayer CropScience incident, but I would be more comfortable if CSB and other Federal, state and local accident investigations were specifically addressed in the language. Next {§1433(1)(5)} notes that the ‘protected information’ provisions of this legislation may not be used to prohibit sharing information with Congress. That section does not exempt members of Congress or their staffs from subsequent unauthorized disclosure sanctions of §1433(l)(2)(B). I suspect that constitutional scholars would assert that there were other provisions of the Constitution that would protect actual members from those sanctions. Finally, §1433(l)(7) provides a typical list of the types of documents that would be considered ‘protected information’. Even then only specific portions of those documents would meet that definition. Only portions that would be detrimental to the security of the facility, or other covered facilities, if disclosed could be protected. Even then, that information only becomes protected if it was developed “exclusively for the purposes of this section” {§1433(l)(7)(B)(ii)}. This would mean, for example, that the amount of a substance of concern stored on site could not be considered ‘protected information’. Exclusions The final part of the ‘protected information’ portion of this legislation is the ‘exclusions’ paragraph {§1433(l)(7)(C)}. This reiterates most of the previously described types of information that cannot be considered ‘protected information’. One sub-paragraph that appears to be a simple re-wording of previously stated exemption deserves special recognition:
‘‘(i) information that is otherwise publicly available, including information that is required to be made publicly available under any law;”
This section would appear to allow any State, tribal or local government to pass a law that would make any security information publicly available. I’m sure that this is not what was intended, but the broad wording of the section certainly allows for that interpretation. There is certainly a conflict between this section and the wording of §1433(l)(1)(B), but that conflict could be explained away by stating that the earlier wording only applies to ‘protected information’ while the latter wording allows the for the exemption of information being considered ‘protected information’.

Monday, August 24, 2009

PTC NPRM Comments

The end of the comment period for the Federal Railroad Administration’s Positive Train Control (PTC) NPRM came last week. As I noted in a blog last month this is a very complex rule and only limited parts of it directly affect the chemical security community. In my review of the comments I will only look at those parts of the comments that will affect our community. Comments were received from 15 organizations and the FRA posted a transcript of a public meeting held on August 13th. Comments were received from: Utah Transit Authority Labor Union Invensys Rail Group CSX Transportation National Railroad Passenger Corp BNSF Railway Company American Assoc of Highway and Transportation Officials Northern Indiana Commuter Transportation District GE Transportation NJ Transit HCRQ, Inc The Chlorine Institute Southern California Regional Rail Authority New York State Metropolitan Transportation Authority Association of American Railroads A number of the commentors related their concern that the 30-day comment period, particularly at this time of the year, was too short to allow for an adequate analysis of the rule. The following organizations requested an extension of that time:
CSX Utah Transit Authority
Notes from Public Meeting The ARA noted that the determination of what routes should be covered by the PTC rules should be based on the effective date noted in the statute, 12-31-15. They noted that the Congress realized that there would be significant changes in PIH routings based on the recently implement re-routing rule and that re-routing would not even have begun until after 2010. CSX noted that the recent PIH chain of custody regulations would also affect PIH routings after the 2008 deadline in the NPRM. They suggest using a 2009 routing history for initial planning with a yearly revision based on current routing changes. BNSF notes that 30% of the PIH shipment destinations that delivered to in 2008 have yet to receive PIH shipments in 2009. There followed an extensive discussion (pgs 51 – 68) about how the re-routing rule and the PTC rule would affect each other. The ARA objects to the NPRM’s exempting the Class 2 and 3 railroads from having to have PTC equipped locomotives operating on PTC equipped Class 1 tracks. BNSF believes that concentrating PIH shipments on a smaller number of PTC covered routes would increase the safety of those shipments. Union Pacific notes that they have a number of routes with only a few PIH shipments, typically anhydrous ammonia destined for agricultural co-ops, that it would like to equip with PTC only after all higher priority lines were so equipped. BNSF would like to see a minimum value for the amount of PIH shipments that would trigger the PTC requirement for a freight rail line. The Chlorine Institute Comments The CI would ultimately like to see PTC on all freight railroads. The CI is concerned that using the 2008 freight history for determining which routes will receive PTC systems might serve to limit future routes that railroads will accept PIH shipments across. New York State Metropolitan Transportation Authority Comments The NYSMTA objects to allowing Class 2 and Class 3 railroad from operating non-PTC equipped trains on PTC-required systems. Association of American Railroads Comments AAR provides more detailed comments on their opposition to using 2008 traffic data for determining which routes carry PIH and on which they are thus required to implement PTC. AAR proposes exempting PIH rail cars that have been ‘vacuum pumped’ from being considered as PIH railcars for purposes of PTC routing. AAR objects to the use of a single PIH shipment as a requirement for PTC installation. AAR objects to allowing Class 2 and Class 3 railroads from operating non-PTC equipped trains on PTC-required systems. AAR OMB Appeal The AAR took the unusual step of filing an appeal with the Office of Management and Budget (OMB) in regards to two provisions of this NPRM. The provision covered that will be of interest to the chemical security community is the previously identified issue of the 2008 traffic data being used to determine which routes must be equipped with PTC systems. The appeal is being made using the justification that the FRA is exceeding the mandate of the Rail Safety Improvement Act of 2008 (RSIA) (PL 110-432) which is the authorizing legislation for this rule. The OMB conducts final reviews of all regulations to ensure that they meet the requirements of their legislative mandates and take all other Federal laws and regulations into account. As part of that review the OMB is expected to review public comments submitted during the rule making process to ensure that the rule making agency has adequately addressed those comments. In that respect, AAR is just asking OMB to do its job. Practically speaking though, this formal letter to the OMB is raising the stakes on this portion of the NPRM. This will certainly result in a slowing of the OMB review process, reducing the time between the publication of the final rule and legislatively required implementation date. My Comments on Comments With the extent of the complexity of the PTC issue it would seem to be surprising that the PIH issues consumed so much of the discussion time at the public meeting. When one looks at how much the PIH routing issue will impact the cost of implementing PTC it becomes less surprising especially considering that it was the railroad representatives that were engaged with FRA personnel in that discussion. What was missing from the discussion was representation of the two Federal agencies with PIH routing rules, PHMSA and TSA. The PHMSA rule on PIH routing and the TSA rule on PIH security in transit will both have some interaction with the PTC regulation. The FRA acknowledges that there is the potential for the cost of PTC implementation affecting routing decisions under the PHMSA rule. The railroads maintain that it is the rerouting decisions they make based on the PHMSA and TSA rules will affect which lines will be required to have PTC installation. This certainly requires more inter-agency dialogue. I did not see any discussion of the security aspects of this rule. It would have been nice to see some members of the process control community adding their two-cents worth to the discussion. PTC is certainly a control system writ large. It will require wireless communication between system components and specifically requires the active interaction between control systems of different companies. The fact that these systems are being designed to protect the shipment of PIH chemicals makes them a potential terrorist target. Thus, security is very important. One last interesting comment from the Public Hearing, there will be one additional venue for public comment on the PTC rule before it becomes a final rule. The PTC Working Group of the Railroad Safety Advisory Committee will meet on August 31st thru September 2nd. The meetings will only consider issues raised in filed public comments, but according to the FRA Hearing Officer, late comments filed on this docket will be considered.

HR 3258 Analysis – VA-SSP Review

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background HR 3258 Analysis – 50 Enforcement Agencies HR 3258 Analysis – Substance of Concern HR 3258 Analysis – Vulnerability Assessments HR 3258 Analysis – IST Assessments I mentioned in an earlier blog that the EPA is likely to work with existing State enforcement authorities to manage this security program. One area of enforcement is reserved to the Administrator in this legislation; that is the review of the submitted vulnerability assessments and site security plans. Section 1433(h) specifies that VA and SSP submissions must be made to the Administrator who will review them and either approve them or require the facility to correct ‘significant deficiencies’. Administrator Review of VA and SSP Even where the legislation provides the Administrator with specific responsibility for enforcement, it still requires this determination to be made “in consultation, as appropriate, with the State exercising primary enforcement responsibility for such system, if any” {§1433(h)(2)}. Once again, this is in keeping with the EPA process for oversight of water treatment systems, so it is not surprising that the Energy and Commerce Committee drafters of this legislation would include such language. Significant deficiencies are determined by finding that a:
Vulnerability assessment does not comply with the requirements of §1433(a)(1); Site security plan does not address the vulnerabilities found during the VA; or Site security plan does not meet all of the appropriate risk-based performance standards (RBPS) required in §1433(b).
No Submission to State or Local Governments Even thought the State enforcement agency is required to be consulted on the determination of deficiencies, the legislation is quite specific in noting that facilities are not required to provide copies of the VA or SSP to State or local agencies. Section 1433(h)(3) states that:
“No covered water system shall be required under State, local, or tribal law to provide a vulnerability assessment or site security plan described in this section to any State, regional, local, or tribal governmental entity solely by reason of the requirement set forth in paragraph (1) that the system submit such an assessment and plan to the Administrator.”
This is a very odd provision given the ‘consultation’ requirements of §1433(h)(2) and the pre-emption provision of §1433(n) that specifically allow for state and local rules that are “more stringent than a regulation, requirement, or standard of performance under this section”. Thus, a State or local agency may not require that the facility provide a copy of a VA or SSP made for regulations developed under this legislation, but may require the completion of a separate VA or SSP with stricter requirements. Risk-Based Performance Standards The RBPS mentioned in the ‘significant deficiencies’ section mentioned above is only very broadly outlined in this legislation. Section 1433(b) only requires the Administrator to set forth RBPS in the regulations supporting this legislation and that those standards will be “increasingly stringent based on the level of risk associated with the covered water system’s risk-based tier assignment”. The Administrator is required to ‘take into account’ the RBPS set forth in the CFATS regulations {6 CFR 27.230} or such successor regulations required by new legislation (like HR 2868). The phrase ‘take into account’ is very vague. It would allow the Administrator to adopt the entire §27.230 as part of the regulations (with or without using the RBPS Guidance document adopted by DHS last year), use parts of that section as a template for writing the EPA rule, or writing off the DHS effort as inapplicable to water treatment facilities as long the matter was addressed in appropriate preamble to the publication of the draft rule. There is nothing in the RBPS section of this legislation that would require, or prohibit the Administrator from requiring specific security measures. Typically risk-based performance standard type regulations specify what must be accomplished rather than how something must be done, but without a specific prohibition against requiring a specific measure (as was found in the §550 authorization for CFATS), there is nothing that would stop the regulations from specifying some specific security measures as long as most of them were performance based requirements.

Friday, August 21, 2009

NIAC Meeting 09-08-09

DHS announced in today’s Federal Register that the National Infrastructure Advisory Council will be holding their next meeting on September 8th in Washington, D.C. The primary reason for this meeting will be the presentation of the Final Report of the Critical Infrastructure Resilience Working Group. The public is invited to attend, but there will be no provisions for oral presentations by the public at this meeting. Written comments may be submitted by September 1st, either through the www.Regulations.gov web site (Docket number DHS-2009-0100), or by mail to:
Nancy J. Wong Department of Homeland Security National Protection and Programs Directorate Washington, DC 20528

HR 3258 Analysis – IST Assessments

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background HR 3258 Analysis – 50 Enforcement Agencies HR 3258 Analysis – Substance of Concern HR 3258 Analysis – Vulnerability Assessments Every covered water treatment facility that possesses a substance of concern (SOC) above the established threshold quantity would be required to conduct an assessment of ‘methods to reduce the consequences of a chemical release from an intentional act’ (Methods) {§1433(g)}. These Methods, commonly referred to as ‘inherently safer technology’ or IST (though those terms are not used in the text of this bill), include {§1433(g)(1)}:
The “use of alternate substances, formulations, or processes”; The “modification of pressures, temperatures, or concentrations of a substance of concern”; or The “improvement of inventory control or chemical use efficiency”.
The wording of this section does not limit which SOC must be covered under such assessments. While most public discussion of IST provisions focuses on toxic chemicals such as chlorine gas, anhydrous ammonia or sulfur dioxide gas, there is no specification of which SOC should be addressed. Presumably then, every SOC possessed or planned to be possessed at the site would be required to undergo such an assessment. The Assessment The assessment of Methods is required to be included in the Site Security Plan submission required under §1433(e) and must be submitted to the Administrator and the State agency exercising primary enforcement responsibility over the facility (except Wyoming and DC). Section 1433(g)(2) specifies what information must be included in the report of the assessment. That section requires that the regulations developed by the Administrator require that the assessment “consider factors appropriate to the system’s security, public health, or environmental mission”. In addition to a description of the methods assessed, the assessment must include a description of how each method would “reduce the potential extent of death, injury, or serious adverse effects to human health resulting from a chemical release” {1433(g)(2)(B)}. These potential benefits are to be contrasted with potential adverse affects of the implementation of the Methods to include how it would affect “the presence of contaminants in treated water, human health, or the environment” {1433(g)(2)(C)}. The assessment would then have to address the feasibility of implementing each Method. It specifies that the facility will use the feasibility rules currently described in §1412(b)(4)(D) of the Safe Drinking Water Act (42 U.S.C. 300i–2). This feasibility assessment would specifically exclude cost factors. Costs will be reported separately from the feasibility assessment. Cost analysis would be done showing the costs of implementation (both capital and operational costs) and the avoided costs (savings and liabilities). This cost analysis would be done for each of the Methods described for that facility. There are no definitions provided for what avoided liabilities should be required in this cost reporting. Finally, after reporting any other “relevant information that the covered water system relied on in conducting the assessment” {1433(g)(2)(F)}, the facility would report if the facility has implemented or plans to implement any of the reported Methods. The assessment report would have to explain why any of the described Methods is not being implemented. Implementation Requirements In regulations implementing this legislation the Administrator will establish a time limit for the administrative review of these assessments. Within that time limit, the State agency exercising enforcement authority (or the Administrator for Wyoming or Washington, DC) over the facility will evaluate the assessment and determine if the facility will be required to implement any of the assessed Methods. Only facilities in the two highest ranked Tiers may be required to implement such Methods. The State agency will report the result of their determination to the Administrator. In making the determination the State agency (Administrator) will “consider factors appropriate to the security, public health, and environmental missions of covered water systems” {1433(g)(3)(C)}. Included in those factors will be an analysis of:
The reduction of “the risk of death, injury, or serious adverse effects to human health”; The “interim storage of a substance of concern”; The ability of the facility to “comply with other requirements of this Act or drinking water standards established by the State or political subdivision in which the system is located”; and The feasibility of the Method under §1412(b)(4)(D)
Enforcement In the event of an incomplete assessment, the Administrator may require an assessment to be re-submitted within 60 days. The Administrator may take enforcement actions under §1433(o) if the assessment is not submitted within the required time frame. If the State agency fails to make a timely determination of whether or not to require a covered facility to implement a Method, the Administrator will provide the agency and the covered facility with a 30 day notice to make the determination. Failure of the State agency to make a determination within that time frame will allow the Administrator the authority to make that determination. A similar 30 day notice would be provided if the State agency fails to take enforcement action for failure to implement a required Method in a timely manner. The ultimate sanction available against the State agency is for failure to act under the provisions of this section includes removing the State agency’s authority to supervise water treatment facilities. There are no provisions included in this legislation for the Administrator to review or overturn a determination made by the State agency to require (or not require) the implementation of Methods. Neither are there any provisions made for the covered facility to appeal a requirement to implement such Methods.

Thursday, August 20, 2009

TSA Pipeline Security ICR

The TSA published a 60-day advance notice of intent to file a new information collection request (ICR) with the Office of Management and Budget (OMB) to allow TSA to collect information during planned Pipeline Corporate Security Reviews (PCSR). According to the ICR the “The Pipeline Corporate Security Review is a new information collection request that will assess domain awareness, threat prevention, and security awareness at various pipeline sites across the nation” (74 FR 42086). Comments on the proposed ICR are requested by October 19th. TSA is not handling the request for comments through the Regulations.gov web site that DHS normally uses for such ICR’s and no docket number is provided in the Federal Register Notice. Comments can be mailed to:
Ginger LeMay PRA Officer Office of Information Technology Transportation Security Administration 601 South 12th Street Arlington, VA 20598-6011
TSA plans to establish the PCSR program to allow TSA ‘subject matter experts) to conduct pipeline site visits and collect information on ten subject areas from the owner/operator of the pipeline. Those subject areas would be:
(1) Management and oversight of the security plan, (2) Threat assessment, (3) Criticality, (4) Vulnerability assessment, (5) Credentialing, (6) Training, (7) Physical security countermeasures, (8) Information technology security, (9) Security exercises and drills, and (10) Incident management and communications.
TSA maintains that the information collection would only take place in face-to-face meetings at the owner/operator’s location. TSA plans on conducting twelve of these 8 hour meetings per year at a potential 2,200 locations. Based on this count they expect the collection to take 100 hours/year of agency time and be done at no cost to the owner/operators (eight hours of owner/operator time costs nothing?).

Reader Comment 08-18-09 More on ‘Dr. Joe’

Sometimes I am surprised at what ‘issues’ get the most reader response. Tuesday night John left a post about the ‘Dr Joe’ issue. John wrote:
“If you made an error in referring to Joe Weiss as Dr. Weiss you are in good company. His name plaque read, "Dr. Weiss" when he testified before the Senate Commerce, Science and Transportation Committee. Here's the photo to prove it... http://www.controlglobal.com/multimedia/2009/WeissTestifies0903.html
Looking back at my records I did not get a chance to watch Joe’s testimony before the Senate Committee so I did not get my information there. In fact, I cannot find any where in my records that includes any reference to ‘Dr. Weiss’. So when I referred to ‘Dr. Weiss’ in my posting last week, it was entirely an assumption on my part that Joe had received an PhD at some point in his illustrious career. Now, I am not a person that is overly impressed with a ‘piled higher and deeper’ certificate from an institution of higher learning. In too many instances as a practical matter it is not much more than a ‘you were there’ badge. But there are many people that do worship at that church and they get highly offended when the honorifics are not used or used inappropriately. I am reminded of the Professor at the Frie Universitie in West Berlin with two PhDs who insisted that his students refer to him as ‘Herr Doktor Doktor’. In any case, I just want to make sure that everyone understands that the misuse of the honorific was entirely my fault and was not the result of a misrepresentation on the part of Joe Weiss or anyone associated with him. While my readers are free to continue posting comments on the subject, this will be my last word….

Wednesday, August 19, 2009

Security at Small Wastewater Treatment Plants

The Water Environmental Research Foundation (WERF.com) website is currently advertising a web seminar covering security at small wastewater treatment facilities to be held on September 16th. Dr. Chuck Herrick of Stratus Consulting will be conducting the webinar. While wastewater treatment facilities are currently exempted from CFATS requirements by the §550 authorizing language, chemical security issues for these facilities will be briefly addressed. Registration for the webinar is currently open. The CFATS reauthorization legislation (HR 2868) currently being considered in Congress will remove the §550 exemption from waste water treatment facilities, so some of these facilities may find themselves falling under CFATS if the legislation passes. I briefly talked with Chuck Herrick earlier this week and asked him if this was being addressed in the webinar. He told me that this small facility security program has been under development for some time and is designed to address the current situation, not potential new legislation. Of the ten ‘best practices’ being discussed in the webinar, only one will address chemical security issues. The chemical security portion of the webinar will look at a listing of potential waste water treatment chemicals that present security issues, including, for example, chlorine gas. The webinar will address 9 practice areas or activities that can be used to address chemical security issues. Special emphasis will be placed on coordination with local law enforcement and emergency response agencies. Finally, participants will be provided with links to EPA and ASME web sites that deal with security issues at wastewater treatment facilities. The facilities being targeted by this webinar are facilities that service small communities and tribal areas. As a result the security budgets for these facilities are very limited. The security functions are folded into the duties of the one to two employees that service the facilities. This makes the security challenge that much tougher. I’m glad to see that someone is attempting to assist this type of facility in making reasonable adjustments to their operations to protect the security of the facility and their surrounding community.

TRANSCAER Newsletter

TRANSCAER, a public-private partnership for assisting communities to prepare for and respond to possible hazardous materials transportation incidents, recently published the second issue of their TRANSCAER Today newsletter. The newsletter highlights the continuing efforts of TRANSCAER to provide emergency response training for local first responders, teaching them the appropriate ways to deal with a variety of railroad related chemical incidents. The summer 2009 issue looks at recent training tours in the Dakotas, Missouri, and California. It also provides a listing of future training sites including ethanol specific and chlorine specific training to be conducted over the coming months. Anyone interested in emergency response training related to chemical railcar incidents should get a copy of the free newsletter.

HR 3258 Analysis – Vulnerability Assessments

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background HR 3258 Analysis – 50 Enforcement Agencies HR 3258 Analysis – Substance of Concern HR 3258 requires each covered facility to complete a vulnerability assessment and update that VA every five years or whenever a facility change is made that “could cause the reassignment of the system to a different risk-based tier” {§1433(a)(1)(B)(ii)}. Since the Administrator is required {§1433(d)(2)} to explain the reason for the tier ranking assigned to the facility (which is significantly different that the process under CFATS where the Secretary has decided to keep the reasons for tier assignments restricted information), the facility would presumably be able to determine what changes would result in a reduction in tier ranking. It is less clear that they would be able to determine what changes would raise their tier ranking. Chemical and Non-Chemical Risks Unlike the CFATS regulations, regulations developed to support this legislation would be required to address chemical and non-chemical risks. Section 1433(c) requires facilities to assess the water system’s vulnerability to a range of ‘intentional acts’. While HR 3258 does not define the term ‘intentional acts’ it is generally accepted to mean a terrorist attack. Having said that it could reasonably be stretched to include thefts of anhydrous ammonia for the production of methamphetamines, or even less reasonably stretched to include acts of vandalism. As one would reasonably expect, the vulnerability assessments will be specifically required to address chemical risks. The wording of §1433(c) addresses the issue of chemical security by requiring the vulnerability assessments to look at intentional acts “that results in a release of a substance of concern that is known to cause or may be reasonably anticipated to cause death, injury, or serious adverse effects to human health or the environment”. As far as I can tell, the term ‘release’ in environmental regulations does not typically include theft, so the resulting regulations might not require the prevention of the theft of anhydrous ammonia, chlorine gas cylinders or other dangerous chemicals. Assessment Requirements This bill does provide a list of seven areas that the vulnerability assessment must address. Those areas are:
“(1) pipes and constructed conveyances; “(2) physical barriers; “(3) water collection, pretreatment, treatment, storage, and distribution facilities; “(4) electronic, computer, and other automated systems that are used by the covered water system; “(5) the use, storage, or handling of various chemicals, including substances of concern; “(6) the operation and maintenance of the covered water system; and “(7) the covered water system’s resiliency and ability to ensure continuity of operations in the event of a disruption caused by an intentional act.”
It can be readily seen that these requirements cover a great deal more ground than the CFATS SVA requirements. This is understandable since this revision of the Safe Water Drinking Act replaces the current requirements for protecting water treatment facilities from terrorist attack. Those current requirements are designed to insure that an attack would not compromise the production of potable water for the served community. This revision of that law must continue those protections and while adding protection of dangerous chemicals used at those facilities. State Enforcement Issues This multifaceted approach is one of the main reasons that the drafters of this legislation kept the chemical security coverage of these facilities under the EPA rather than placing it under the CFATS rules at DHS. So many of these requirements are already addressed under EPA regulations that it would seem reasonable to add relatively limited chemical security regulations to the extensive EPA body of regulations for these facilities. The major drawback to this approach is that EPA has already delegated enforcement of water treatment regulations to the states, and continues that delegation in this proposed legislation. Adding chemical security regulatory enforcement to the overloaded state governments is going to result in uneven enforcement at best. The added chemical security issues and the increased enforcement requirements are going to require additional assets at the State level.

Tuesday, August 18, 2009

DHS Chemical Security Webpage Update 08-18-09

DHS has improved the usability of their web site by adding another link to the Chemical Security landing page. The new link takes one to the National Infrastructure Protection Plan page dealing with the Chemical Sector. There is no new information on that page, but this change does make the landing page a one-stop link to a larger variety of chemical security information. There is still one page that DHS should include a link to on this landing page; the chemical security section of the Laws and Regulations page. This would put all of the legal documents supporting the CFATS program just one click away from the rest of the chemical security information on the DHS web site.

Video Quality in Public Safety Conference

Yesterday the DHS Office for Interoperability and Compatibility (OIC), in partnership with the Public Safety Communications Research (PSCR) program within the U.S Department of Commerce posted a notice in the Federal Register that they would be holding the second Video Quality in Public Safety (VQiPS) conference on September 1st in Boulder, CO. The conference will provide stakeholders with the opportunity to discuss their successes and the challenges related to video quality and interoperability. With emergency services increasingly utilizing video systems to provide detailed information to guide their response it is becoming more important that they have a voice in the establishment of video standards, especially in regards to the issue of interoperability. This is why last year the DHS OIC and DOC PSCR formed the VQiPS Working Group, which is composed of volunteers from each public safety discipline. According to yesterday’s notice the conference will also review the work of the VQiPS Working Group. The Working Group coordinates efforts among organizations and agencies that are developing video standards for their own use. Future outputs of the Working Group will include a glossary of shared terminology related to video quality, video equipment, and specifications to aid public safety agencies in becoming more effective. There is no cost to attend this conference and you can register on-line. Additional conference details can be found at http://www.its.bldrdoc.gov/psvq/vqips/. Or you can contact Cuong Luu, DHS OIC by email (VOIP_Working_Group@sra.com).

2009 Control Systems Cyber Security Conference

Joe Weiss and Applied Control Solutions are announcing that the 2009 Control Systems Cyber Security Conference will be held October 19th-22nd in Bethesda, MD. The conference will look at Control system policies, procedures, technologies, and cyber vulnerabilities that affect a wide variety of industries including chemical facilities. As such it will include presentations from multiple industries. While most people think of control system cyber security as protection against intentional attacks, this conference looks at all communications related actions that impact the performance of control systems. According to Joe Weiss this would include “intentional unintended events (eg, viruses and worms), malicious directed attacks (eg, hackers), and unintentional incidents (eg, inappropriate policies and testing)”. According to the tentative agenda, the sessions will include the following that may be of interest to the chemical security community:
+ IT Security/Networking for Control System Engineers + Cyber threats to ICS – Open Discussion + Process control reliability demonstration + AMI hacking demonstration + Current status of education for ICS Security + DCS Upgrade Experience + Review of Control System Vulnerabilities + Review of Selected Control System Cyber Incidents/Failsafe Discussions + Case History of Control System Hacking Incident
Registration information can be found on-line. This is an expensive conference (well outside my travel budget), but it does cover an important topic. I hope some ISCD people will be able to take advantage of the large government discount to attend.

Monday, August 17, 2009

CVI for Sales People

It is amazing where you find CFATS information on the web. Thanks to Google® I found a press release for “Henry Bros. Electronics, Inc. (Nasdaq: HBE), a turnkey provider of technology-based integrated electronic security solutions”. It is a press release announcing their second quarter results. While you would expect that they would talk about their sales into the chemical sector, they actually spent more time talking about Chemical-Terrorism Vulnerability Information (CVI). They note that:
“We are also positioning ourselves to benefit from activity coming from the new Chemical Facility Anti-Terrorism Standards (or CFATS) legislation. Before a company in our industry can even speak with a prospective CFATS client, you are required to have a CVI number, which encompasses the passing of a qualifying test to be registered. To date, 19 of our sales people have qualified for their CVI number, and we expect to focus intently on this potentially lucrative market over the next six to eight quarters.”
CVI Requirements for Contractors I’m not sure that it would be absolutely necessary for a contractor to be CVI certified to be able to sell, install and service a ‘technology-based integrated electronic security solutions’. As long as the contractor was not privy to actual SVA or SSP documents the only CVI restrictions would be those under §27.400(b)(6), “Any records required to be created or retained by a covered facility under §27.255”. Those records would be associated with training records or maintenance, calibration and testing of security equipment. If those records were maintained by facility personnel then the CVI rules would probably be met without contractor certification. Having said that, I think that a CVI certified sales force would certainly be a good sales point for a security related contractor. If I were a facility security officer, I would also probably ask about the CVI status of maintenance and back-office people since they would also have access to ‘sensitive information’ about the security systems. While records developed and maintained by this third-party are not technically covered by the CVI rules, they do contain nearly identical information to covered records maintained by the facility. This is a major loophole in the CVI rules, but one that cannot be easily closed. So it would be reasonable to ask contractors to protect this information as if it were CVI, and that would only be possible to do if they had received the CVI training. Background Checks One item that was not mentioned in the press release is the matter of background checks having been conducted on the company personnel. DHS does not currently (because it is prohibited by §550 restrictions) specify what background checks are adequate for high-risk facilities other than the review of the TSA terrorist database. If contractor personnel are not given ‘unescorted access to critical areas’ of the facility, it is not clear that CFATS rules require any level of background checks. Most security related companies have their people bonded, so some level of background checks have been done. We have not yet seen the details of the CSAT application that DHS is developing for the TSDB check, but it may not be accessible by contractors. The explanations given to date indicate that only CSAT registered facilities will have access to the TSDB check tool. This would mean that contractors would not have access because they would not be registered in CSAT. It would be helpful if DHS would make provisions for contractors to be able to access the TSDB check tool.

DHS CSAT FAQ Page Update 08-14-09

Last week DHS reviewed/updated six answers to frequently asked questions (FAQ) on the CSAT FAQ web page. All six questions dealt with user roles and account transfers. The six questions were: 706 I have multiple usernames. Can I get rid of the duplicates? 707 How do I change the name of the Authorizer/Submitter/Preparer? 711 What are the responsibilities of a submitter? 724 What are the responsibilities of a preparer? 1391 When would I transfer accounts? 1392 When would I have the ability to transfer my account or reassign my user role? The only change seems to be a name change of an application/tool within the CSAT system. The new FAQ answers tell the User to use “Manage My Account application” instead of the “User Change Request System” referenced in the earlier versions of these FAQ answers. Since I am not a registered CSAT User (not being a ‘high-risk chemical facility’) I cannot access the CSAT system to see if there are any significant differences between the old and new tools. But, looking at the changes in the answers it does not seem that there are any significant differences. Interestingly, the DHS CSAT web site uses yet different terminology on the Update My Information page. It calls for using the “Update My Information” link after logging into CSAT.

CFATS Background Check ICR Comments – 07-14-09

Last Monday marked the requested end of the comment period on the proposed DHS CSAT Personnel Surety Program information collection request (ICR) filing. These ICR filings seldom garner many comments, but the CFATS background check program broke that standard with twelve comments in the last week. Comments were received from:

Institute of Makers of Explosives;
Compressed Gas Association;
American Trucking Association;
BP;
American Air Liquide USA;
First Advantage Background Services Corp;
Industrial Safety Training Council;
International Society of Explosives Engineers;
American Chemistry Council;
International Liquid Terminals Association;
National Petrochemical and Refinery Association; and
American Petroleum Institute

Institute of Makers of Explosives Comments 

The IME expressed their disappointment that ISCD “implement this regulatory requirement through an ICR to OMB”. IME also requested that ISCD formally implement the reciprocity of background checks outlined in the Risk-Based Performance Standards Guidance (Guidance) document. Specifically IME would like to see that reciprocity extended to ATF background checks. IME would like to see ISCD notify facilities when individuals fail the TSDB check. IME believes that an individual’s possession of TWIC should relieve the facility of the responsibility of submitting that individual’s information for the TSDB check. IME believes that the information provided in the ICR notification is really inadequate to completely evaluate the proposed program.

Compressed Gas Association Comments

The CGA objects to the apparent requirement that facility personnel, regardless of whether or not they have unescorted access to restricted areas, in the background check requirement. CGA suggests that the requirement for periodic updates of PII reports be changed to an annual requirement. CGA recommends that DHS develop and publish a procedure for appealing disputed background check findings. CGA recommends that DHS allow facilities use a third-party vendor of background check services to submit the PII for the TSDB check.

American Trucking Association Comments

The ATA recommends that the Guidance document specifically state that DHS identification that requires TSDB background checks is an acceptable substitute for background checks by the facility. ATA recommends that the CSAT Personnel Surety Tool include provisions for inputting the name, type credential and ID number for personnel who hold DHS vetted IDs in lieu of submitting PII for those individuals.

BP Comments

BP objects to the potential inclusion of physical description information in the PII submission requirements. BP suggests that large facilities be allowed to upload a file containing PII rather than manually enter each individual’s PII into the CSAT tool. BP recommends that third-party vendors of background check services be allowed to enter PII data for the facility. BP objects to the expansion of the list of personnel required to undergo a TSDB check to include all facility personnel (employees and contractors) regardless of whether or not they have unrestricted access to critical areas in the facility.

American Air Liquide USA Comments

ALUSA objects to the inclusion of facility personnel without unescorted access to critical areas in the requirement for conducting a TSDB check. ALUSA suggests that DHS should notify the facility and individual in the event that a TSDB check results in an adverse determination. This would allow for the individual to initiate an appropriate appeals process and the facility to restrict individual access pending resolution of the appeal. ALUSA recommends that third-part be authorized to assist facilities in the submission of PII. ALUSA is concerned about the PII update requirements since the actual PII to be included has not yet been officially defined. ALUSA does recommend that PII should be limited to that necessary for the TSDB check and be allowed to be updated on an annual basis.

First Advantage Background Services Corp Comments

FABSC suggests that third-party vendors be allowed to submit PII on behalf of covered facilities. They note that background check service providers are fully cognizant of the legal requirements for the protection of PII and already have compliance procedures in place.

Industrial Safety Training Council Comments

ISTC supports the inclusion of all facility personnel, including contractors, in the population requiring TSDB check, regardless of their access status for critical areas of the covered facility. ISTC suggests that third-party vendors be allowed to collect and submit PII on behalf of covered facilities. ISTC notes that DHS already allows such vendors to submit data for TWIC.

International Society of Explosives Engineers Comments

ISEE supports comments submitted by IME

American Chemistry Council Comments 

The ACC objects to the expansion of covered individuals to include facility personnel with only escorted access to critical areas of the facility. ACC questions whether ISCD has accurately identified the internal resources required to implement this program. ACC recommends that DHS establish procedures for notifying the individual and covered facility when an adverse determination is made as a result of the TSDB. ACC notes that many companies would prefer to conduct background checks on a company-wide basis instead of on a facility basis due to the frequent movement of personnel through multiple covered facilities. ACC questions how DHS can establish an adjudication process when they are not notifying personnel or facilities when an adverse determination is made. ACC objects to the inclusion of a compliance statement with regards to state, local and tribal privacy laws.

International Liquid Terminals Association Comments

The ILTA suggests that DHS provide TSDB cleared individuals with appropriate identification so that company employees that have undergone the check will not have to have their PII re-submitted when they work at another covered facility. ILTA recommends that resubmission of PII only be required every 3 to 5 years. ILTA suggests that all four RBPS ‘required’ background checks be handled through the same DHS CSAT tool. ILTA objects to the proposed exemption to Paperwork Reduction Act requirements. ILTA recommends that the TSA directly accept data from covered facilities rather than requiring submission through ISCD. ILTA believes that the 35 min/PII submission may grossly underestimate the time burden. ILTA suggests that ISCD adopt the TWIC program or initiate a similar program.

National Petrochemical and Refinery Association Comments

The NPRA notes that PII requirements outlined in separate ISCD presentations include substantially more PII than briefly outlined in the ICR and suggest that those expanded requirements are not justified. NPRA objects to the requirement to re-submit PII data on TWIC holders. NPRA objects to the lack of clear definition of ‘critical assets’ and ‘restricted areas’. NPRA questions the advisability of using third-party vendors because of potential CVI, security and privacy issues. NPRA suggests that DHS establish time limits for initial data submission. NPRA objects to the proposed policy of not notifying facilities when an adverse determination is made during the TSDB check. NPRA objects to the proposed exemption to the Paperwork Reduction Act. NPRA is concerned about the definition of personnel for whom a TSDB check is required, noting that there are at least two disparate discussions of which facility personnel are covered.

American Petroleum Institute Comments 

The API is concerned about the lack of a clear definition of PII in the ICR. API suggests that personnel vetting be tied to the individual not the facility, similar to the process used by the TWIC program. API is concerned that without notifying the individual of adverse TSDB determinations, there exists the possibility that individual liberties may be affected. API believes that the requested Paperwork Reduction Act exemption is unwarranted. API suggests that unnecessary duplication of TSDB check efforts may be avoided by requiring ISCD to use the TWIC process.

My Comments on Comments

There is near universal objection to the coverage of facility personnel without unescorted access to critical areas of the facility. The only two commentors that did not object to the expansion of coverage were background check service providers, and only one of them ‘supported’ the expansion. Such service providers would have a vested interest in expanding the list of personnel to be checked even if they are not allowed to do the TSDB PII submission, since three other data base searches would presumably be required for the personnel.

The one point that was not discussed in any of the objections was how the facility stopped employees without unescorted access from accessing the critical or restricted areas of the facility. DHS will make that determination during the review of the Site Security Plan. Where adequate controls are in place DHS need not ‘require’ that facilities conduct TSDB checks on personnel without unescorted access. Where adequate controls to not exist, there are no employees that should be exempt from such checks.

The idea of allowing facilities to use service providers to submit PII information certainly makes sense. Presumably the same providers are doing the other background checks for the facility so they would already have the required information. The point made by FABSC that they already have the data protection processes in place is an important point to consider. API’s objection to the use of such vendors based on CVI or CSAT security concerns ignore the way that ISCD has used the CSAT registration process. Presumably ISCD would develop another category of user that is just authorized to submit data for TSDB checks. Those users would still have to be verified by the Authorizer and would only be allowed data submission access and would not be able to access other information in CFATS.

I have already expressed my opposition to not notifying facilities and individuals when adverse determinations result from the TSDB. I did find it interesting that an industry group (API) and not a labor group raised an individual’s right to redress as a reason to oppose not notifying individuals of an adverse determination; shame on organized labor. The problem of individuals working at multiple facilities provides a good example of why public comments are so necessary to the regulatory process. Having worked in a company where I provided support to at least two different manufacturing facilities and worked in an R&D lab all of which might have been covered facilities under CFATS regulation, I can testify that I had unescorted access to critical areas of all three facilities. It would have made much more sense to have a single company background check instead of three separate checks. Furthermore, there were contractors that worked at all three facilities that also had access to certain critical areas in these facilities and a large number of other potentially covered facilities. Having a single clearance procedure with its attendant identification card would make the security vetting process much more efficient. The only problem is how to verify that the card is ‘good’ and the individual possessing the card is the vetted individual. This is a problem that is being discussed separately in the TWIC Reader regulation process underway at TSA.

It will be interesting to see how DHS deals with these comments in preparing their actual ICR submission to OMB. We can expect to see that in the coming weeks.
 
/* Use this with templates/template-twocol.html */