Cyber Espionage Campaign Hits Energy Companies
4 months ago
Peter Silva, US EPA Office of Water Rand Beers, DHS NPPD Brian Ramaley, Association of Metropolitan Water Agencies Marty Durbin, American Chemistry Council Darius Sivin, CWA-UAW Legislative Alliance Stephen Poorman, Society of Chemical Manufacturers and AffiliatesI am a little surprised that there are no representatives of any of the environmental activist organizations that have been so active in supporting HR 2868 and HR 3258 over the last six months or so. The CWA-UAW has actively joined these organizations in supporting this legislation, but since they represent so many chemical facility workers, they deserve their own seat at the table. Additionally, they have been actively involved in IST issues at refineries, opposing the continued use of Hydrogen Fluoride as a catalyst. If there is much discussion of this particular issue I would expect the whole committee would probably hear from a representative of the American Petroleum Institute at a future hearing. The industry representatives are a mixed bag in regards to their support of these two bills. The ACC has generally been more supportive of CFATA than has SOCMA. SOCMA would prefer to see a bill that would make the current CFATS program permanent. ACC has been more willing to work with Congress on expanding the program. The AMWA will probably have objections to the IST provisions in HR 3258, but will probably favor the EPA regulation of their facilities instead of being lumped in with high-risk chemical facilities under CFATS. The most interesting testimony will come from the two government witnesses. Rumors have been making the rounds that DHS will come out in support of some version of IST, something that have been less than enthusiastic about in the past. Last year EPA supported the idea of increased chemical security regulation of water treatment facilities, but they have not made a public stand on the provisions of HR 3258. I do expect that they will come out in favor of including waste water treatment facilities in HR 3258 as opposed to their current inclusion in HR 2868. One last item; currently the Energy and Commerce Committee and the Judiciary Committee are supposed to report on HR 2868 by September 30th. Neither will make that deadline. The Speaker will almost certainly extend that deadline on Wednesday, probably until October 31st. Even that date might slip as the Energy and Commerce Committee continues to work on health care issues.
Outcome 2.2.1: Access to dangerous materials is limited to legitimate users. Outcome 2.2.2: A culture of awareness and responsibility exists within industries that manufacture, store or sell potentially dangerous materials and among experts with knowledge of their use. Outcome 2.2.3: The manufacture, storage, or transfer of dangerous materials is protected by physical, personnel, and cyber security measures commensurate with the risks.Over the next couple of days, I will be posting some ideas to address how I think that these outcomes can become reality. The suggestions will be directed at both DHS and the chemical security community. I would hope that readers would also have, and share, ideas about these specific outcomes. As I did in the previous Dialogue, I will be limiting the discussion of these ideas to the QHSR site. That is where the comments will serve the greater purpose. That is where this discussion needs to take place if this portion of the QHSR is to succeed. I look forward to seeing your ideas and your comments on my ideas posted on the QHSR site. When you post your ideas, drop me an email or post a comment to the blog point me and the rest of our community at your ideas.
Nancy Wong Department of Homeland Security National Protection and Programs Directorate Washington, DC 20528According to the Federal Register notice “CIPAC represents a partnership between government and critical infrastructure and key resources (CIKR) owners and operators and provides a forum in which they can engage in a broad spectrum of activities to support and coordinate critical infrastructure protection.” The discussion at this meeting will center around information sharing and cyber security.
CFATS Helpdesk 25,000 @ 0.25 hrs/request CVI Authorization 8,073 @ 1.00 hr/request CSAT User Registration 4,167 @ 1.00 hr/request CSAT Top Screen 4,167 @ 30.3 hrs/request SVA and Alternative SVA 825 @ 250 hrs/request SSP 825 @ 200 hrs/requestChemical-Terrorism Vulnerability Information New – OMB Number: 1670-New – Docket Number: DHS-2009-0034 I discussed the details of this in a previous blog but here is a quick summary of the data collections covered by this ICR (Title #collections @ time/collection):
CVI Authorization 8,073 @ 1.00 hr/request Determination of CVI 250 @ 0.25 hrs/request Determination of a “Need to Know” 12,500 @ 0.25 hrs/request Disclosure of CVI Information 250 @ 0.25 hrs/request Notification of Emergency or Exigent Circumstances 250 @ 0.25 hrs/request Tracking Log for CVI Received 25,000 @ 0.08 hrs/requestChemical Facility Anti-Terrorism Standards New – OMB Number: 1670-New – Docket Number: I discussed the details of this in a previous blog but here is a quick summary of the data collections covered by this ICR (Title #collections @ time/collection):
Request for Redetermination 1,041 @ 0.25 hrs/request Request for an Extension 1,454 @ 0.25 hrs/request Notification of a New Top Screen 6,250 @ 0.25 hrs/request Request for a Technical Consultation 1,454 @ 0.25 hrs/request
“Officials from EPA and DHS announced this week that the Obama Administration wants to see both drinking water and wastewater under EPA jurisdiction for purposes of chemical security regulation. The Administration would like to see EPA adapt DHS’s current security program (called the Chemical Facility Anti-Terrorism Standards or CFATS program) to the water sector, in consultation with DHS.”I have not found a public pronouncement that supports this claim, but I do understand that there have been conversations between the two departments and potentially affected organizations in the private sector. This is a common strategy when an administration is planning on making a new policy statement at a congressional hearing. This allows for other witnesses at the hearing to make an informed statement in support (or opposition since the government does not control the opinion of these organizations) of the policy. I do know that not everyone in the DHS is in agreement with the policy of separating out the responsibility for chemical security operations at water and waste water treatment plants from the general CFATS scheme. As I have noted in a couple of blogs there are points in favor of both points of view, but this is as much a political decision as it is a security based decision. While many will deplore the fact that politics would have an effect on security decisions, at this level it is a fact of life that must be dealt with. I will say that I do not think that this political decision will have a significant effect on the outcome of the security arrangements that will be required under the impending rules. If the EPA patterns their rules on the CFATS model, there will be an increase in security at these facilities. Combining Water and Waste Water Security Another interesting point is that while the Administration may want to ensure that both water treatment and waste water treatment security are based under the EPA, the current wording of both HR 2868 and HR 3258 place waste water treatment facility security under DHS. This too was apparently a political decision, but in this case made by Chairmen Thompson and Waxman. This decision was made as part of their divvying up the oversight responsibility for chemical security. I’m not sure about the details of that bargaining, so I can’t predict how this will play out in the legislative process. I do know that the two types of facilities have more in common with each other than they do with a typical chemical manufacturing facility. For one thing they use the same limited number of chemicals of interest. From an enforcement point of view, inspectors familiar with one of these types of facilities would not find the other hard to understand. Witness List There is still no official word about the hearing on the House Energy and Commerce Committee web site, but I don’t expect that until probably late Friday at the earliest. It will be interesting to see who is included on the witness list. DHS and EPA representatives will surely be included as I expect will be the American Water Works Association (AWWA). Since Subcommittee Chairman Markey is such a proponent of IST, I would expect to see at least one representative of an organization like Greenpeace that has been very vocal in their campaign in support of the IST provisions in both bills. Since industry was so heavily represented in the last Homeland Security Committee hearing on HR 2868, I don’t expect more than one representative from industry at the hearing if there are any. I do understand that SOCMA has submitted written testimony for the hearing. Other industry organizations will certainly do the same.
“Every inbound loaded tank wagon will be stopped at the front gate. The driver’s identification and manifest will be checked against the information provided by the facility Receiving Clerk. A walk around inspection will be done and the Inbound Vehicle Checklist will be prepared documenting the results of that inspection. The Unloading Supervisor will be contacted for spotting instructions for the vehicle. The driver will be given a copy of the Inbound Vehicle Checklist and directed to the proper spotting location.”From this job description we can look for specific tasks that the security guard will have to complete to successfully perform this job. Typically we write tasks in a specific format. They start with an action verb and provide a brief description of what must be done. A list of tasks for this job would include:
Stop inbound vehicle at front gate. Check commercial driver’s license. Check inbound manifest. Conduct walk around inspection of tank wagon. Look for improvised explosive devices. Check seals on locking device. Prepare Inbound Vehicle Checklist. Direct Driver to spotting location. Respond to leaking tank wagon. Respond to security incident at front gate. Contact Security Supervisor.Many of the tasks in the list are clearly taken directly from the written procedure. Others are taken in a more generic manner from the procedure. For example the requirement to stop every ‘inbound loaded tank wagon’ is changed to the stopping a more generic ‘inbound vehicle’. This is because the task of stopping vehicles at the front gate is generally the same, regardless of the type of vehicle. In the case of checking the driver’s identification, the task became the more specific ‘check commercial driver’s license’. This is because a tank wagon driver is required to have a specific type of identification and the procedure could include checking the driver’s license against a faxed copy of the license, or comparing the number on the license with a number on a provided list. This would be significantly different than checking an employee ID or a visitor’s ID. Two of the tasks on this list, looking for IEDs and checking seals, are tasks that are included in the larger task of conducting a walk around inspection. These are tasks that are common security tasks regardless of the station. Instead of having to re-write the instructions for these tasks in every larger task where they might be included, they are written separately and referenced in the other appropriate tasks. The task list includes one non-security related task; ‘respond to leaking tank wagon’. Every person on a chemical facility has certain emergency response requirements that they are responsible for. Reporting spills and or leaks is one of the most basic. Because the guard is required to conduct a walk around inspection of the tank wagon they will sooner or later find one leaking and have to react accordingly. Each security station will have its own set of emergency response requirements. They may be listed as jobs in the procedure or as tasks that are parts of jobs, depending on the local situation. The next to last task, ‘respond to security incident at front gate’, is a variation of a task that will be found at each security station. A security incident is any violation of security rules. This task will include a listing of the potential violations and the appropriate reactions for each. The list should include a generic ‘other violation’ listing to recognize the fact that security planners are not omniscient. This task will typically be reproduced as a poster (called a ‘job aid’ in the training development community) prominently displayed at the security station, out of public view. This will aid in a quick yet appropriate response to potentially unnerving situations. The last task addresses those inevitable situations that security planners did not foresee. When ever something arises that is not covered in the instructions, yet is not obviously a potential threat, the security guard needs to contact the supervisor for instructions. This task would address that situation, providing routine contact instructions for the Security Supervisor, Facility Security Officer and other appropriate personnel in order of contact priority. Consolidation of Task Lists Once tasks lists have been prepared for every job at every security station, they are brought together for consolidation. Many task will be identical or nearly so at every security station. These similar tasks need to be grouped together before the next step in the process can begin. That step is the fleshing out each task into a description exactly what must be done, a listing of the conditions under which it must be done, and specifying how well it must be done. We’ll cover that in the next installment.
“The facility has a documented security awareness and training program and a corresponding set of minimum skills and competencies for security personnel, as well as a testing program through which security personnel can demonstrate their ability to perform their security-related tasks in a reliable and effective manner. A typical training program will include such features as: “Training is provided on recognition of a security incident, reporting of a security incident, emergency procedures, and operation of security equipment. “Training is held on a regular basis for security personnel. “Objectives are established for each element of the training plan. “Training records are maintained in accordance with 6 CFR § 27.255(a)(1).”The security metric does not provide a list of what would be considered to be a ‘set of minimum skills and competencies for security personnel’. Part of the reason for lack of such a listing can be found in the §550 prohibition of DHS requiring any specific security measures. A more important reason would be that a comprehensive listing of such skills would vary widely from facility to facility depending on its specific security needs. Additionally, there will be some variation based on what State and local laws allow security guards to do and require in the way of training. Security Job List The first thing that must be done in developing a security personnel training program is to develop a listing of the jobs that security personnel are going to have to perform. We generally start with the high-level task. For example we would start with a security guard at the front gate of the high-risk facility. A list of jobs at the front gate might include:
Maintain security equipment Check pedestrian traffic entering facility Check vehicles entering the facility Check vehicles exiting the facility Respond to security incidents Respond to safety incidents Conduct countersurveillance activitiesThe facility security officer, the security supervisors, and security guards should all provide input during the development of the of the job list. Most facilities will remember to include the first two, but most will forget to include the most important, the experienced security guard. No one knows better what is actually done on a day-to-day basis than the person actually doing the job. Once a basic job list is developed take a close look at each job listed to see if the listing is too general. For example the listing for ‘Check vehicles entering the facility’ may cover too much, depending on the facility. A different process might be used depending on the type of vehicle being checked. That could be divided into more jobs depending on the type vehicle. For example:
Employee/contractor vehicles Non-chemical delivery vehicles Chemical delivery (inbound) vehicle – dry box Chemical delivery (inbound) vehicle – tank wagon Chemical delivery (outbound) vehicle – dry box Chemical delivery (outbound) vehicle – tank wagonOnce the job list is developed it needs to be carefully checked against the Site Security Plan (SSP) and its supporting procedures. Every time the plan or procedures mentions something that must be done or accomplished at the front gate there needs to be a corresponding job on the job list. A single job might cover multiple listings in the SSP or procedures, but there does need to be a job on the list for every mention of the front gate. Anytime that there are changes made to the SSP or its supporting procedures, the job list needs to be reviewed and updated as necessary. One other thing needs to be included in this job list, actions required to be taken in emergency situations. This absolutely needs to include non-security emergencies such as fires, injuries, and chemical releases. The security guard at the front gate typically has a number of critical jobs to perform in each of these situations, but all security personnel will have specific tasks to perform in each of the typical facility emergencies. Front Gate Procedures Book The Security Job List for the Front Gate will be the basis for determining what must be included in the procedures book for that location. That procedure book will provide information of a general nature for all security personnel as well as the detailed procedures necessary for the performance of all of the jobs in the Job List. There should be a separate procedures book for each security station. Tomorrow we will look at how the Security Job List will allow us to develop a list of specific tasks that the front gate guard needs to be able to perform to successfully meet the requirements of the job list.
“Training details the performance standards related to security and response training, exercises, and drills. By performing proper security training, exercises, and drills, a facility enables its personnel to be better able to identify and respond to suspicious behavior, attempts to enter or attack a facility, or other malevolent acts by insiders or intruders. Well-trained personnel who practice how to react will be more effective at detecting and delaying intruders and provide increased measures of deterrence against unauthorized acts.”The emphasis here seems to be on facility/security group response training. In fact, a large portion of the discussion in RBPS #11 is focused on this type of group training. But anyone with training development experience is aware of the fact that before training can be conducted on group response, individuals must be trained in the skills that they will need to participate in those group actions. The RBPS does provide a detailed list of the training topics (Table 13, pgs 93-4) to which various personnel probably need to be exposed. The list is broken down into requirements for three categories of employees; Facility Security Officer (FSO) and Assistant FSO, Personnel with Security Responsibilities, and All Remaining Employees. Obviously the most extensive training will be required for the FSO. The ‘All Remaining Employees’ category will receive the least training, what is usually termed ‘general awareness’ training. This is the type training that companies usually use professionally developed training videos to present the general concepts followed by a brief discussion of company specific policies. I have not yet heard of anyone developing this type video for CFATS general awareness training. There is one interesting pair of items in the Table 13 list of training subjects; CVI and SSP training requirements. As you would expect, both the FSO and Personnel with Security Responsibilities groups will be required to be CVI Certified. There is no such requirement for the All Remaining Employees group. But there is a requirement to train that group on “Relevant provisions of the SSP”. Since the SSP is clearly CVI it will take some careful preparation to extract relevant information for presentation to a non-CVI certified audience. One last point about the RBPS training ‘requirements’; the RPBS recommends the inclusion of off-site personnel in the training program. The RBPS #11 introduction (pg 90) notes that:
“A strong training program typically includes not only personnel-specific exercises and drills but also joint activities involving both facility personnel and law enforcement and first responders. Including law enforcement and first responders in training, exercises, and drills improves responder understanding of the layout and hazards associated with the facility while strengthening relationships with the emergency response community.”One thing that facilities need to remember when they bring outsiders on site for this type training is that they need to include at least some minimal Hazcom training for those personnel. If these personnel are going to be moving about the facility, even escorted, they need to be made aware of the chemical safety considerations that must be taken into account at the facility. Training Development Ideas I have more than a little experience in training development and presentation. I spent fifteen years as an Infantry NCO, developing and executing informal and formal training programs for individuals, small units and up to company size units. While working in the chemical industry for 16 years I developed and presented Hazcom and process safety training. And for the last year or so I have been doing contract training development and presentation for Georgia QuickStart, an industrial training program run by the State of Georgia. Professional training development takes time. If you are just developing a simple stand-up classroom presentation using tools like PowerPoint® it can easily take 20 to 40 hours for each hour of instruction. Most of that work goes into the task identification process, determining what information actually needs to be communicated to the target audience. Making a training video or developing a computer based training program takes a great deal more time. Needless to say, all of that time takes money. This is one of the reasons that most companies turn to the use of generic training videos for a wide variety of periodic government-required training programs. Usually a one hour period of instruction will include a 20 minute video, a 20 minute discussion of company or facility specific requirements and then a written test with a post-test review of the answers. This type training would probably be okay for the training requirements for the ‘All Remaining Employees’. A training video along the lines of the computer based awareness training developed by DHS Infrastructure Protection would be valuable. An experienced instructor could even use that DHS computer based training program for group instruction, using discussion techniques to identify the security problem and appropriate response in that program. Another training requirement from the RBPS #11 that is clearly amenable to this type of video training program would be the “Recognition and detection of dangerous substances and devices” requirement for all personnel in Table 13 (pg 93). I know that TSA has developed a similar DVD based training program for IED’s on railcars, but I have not been allowed to review the program. A generic training video for would be a valuable addition to the CFATS training process. Most of the training for FSO’s will be given to such a small target audience (two or three people per facility) that it would probably not make financial sense to develop a training video for the limited market. On-line computer based training would make much more sense. Most of the FSO unique training is generic CFATS, security or intelligence information. Since the work of the FSO is such a key component of a successful security program it would probably be better for DHS Infrastructure Security and Compliance Division (ISCD) to develop this training as part of the CSAT tool. It would be done along the same lines as the CVI certification. There is a large number of training requirements in Table 13 that the FSO and ‘Personnel with Security Responsibilities’ have in common. A generic video could be developed to deal with many of these requirements, but many will have to be dealt with on a facility specific basis. While small facilities may be able to get away with in-house developed training for these objectives, most large facilities are going to have to turn to professional training developers. One final note; the Table 13 group “Personnel with Security Responsibilities’ is actually going to be at least two and possibly more groups at most high-risk facilities. The most obvious members of this group will be security personnel including guards, roving patrols and monitoring personnel (including off-site monitors). Next there will be production personnel that have a variety of security plan responsibilities including controlling access to secure/critical areas. Finally, there will be the maintenance personnel (including contractors) that will be maintaining security related equipment. The training programs for these three groups will be substantially different. Complex Training Requirements So you can see that the training requirements for supporting the CFATS program at a high risk facility are going to be complex. It is no wonder that my inquisitive reader was looking for someone who was working on the issue. Oh, there is some bad news associated with this. While the RBPS #11 training guidance is relatively general, there are more specific training requirements being considered in the CFATA legislation currently being considered in Congress. Most importantly the legislation requires 8 hours of training per year for all employees. Final note: If anyone knows of someone developing security related training programs for high-risk chemical companies please let me know. I would certainly like to share that information with my readers.
● Assessment module collects relevant information necessary for analysis.
● Vulnerability Analysis module displays vulnerability level and prioritizes security measures.
● Risk Analysis module displays the current and projected risk score for the overall assessment, as well as for each threat and critical asset.
● Risk Management module provides the ability to assign and track the progress of proposed security measures.The VCAT includes a list of potential security measures. The security team at the facility can use this list to play a variety of ‘what-if’ scenarios; plugging in a variety of combinations of security measures to see what effect they have on the facility risk level. This would allow the facility to pick the most cost-effective security measures for their unique situation.
“At present, government agencies that administer various security programs in the transportation sector lack coordination, resulting in security programs with duplicative background checks and requirements that create unnecessary burden and cost. Also, multiple security plans and training requirements that govern the transportation of certain types of products and operations in specific areas threaten to erode the trucking industry’s ability to continue delivering the goods that the consumer expects.”Multiple Security Regulations While the TSA has done relatively little to directly regulate the security of the trucking industry, truckers have come under other security regulations including the Coast Guard’s MTSA regulations and the Infrastructure Security and Compliance Division’s CFATS regulations. You will notice that there are at least three different organizations that are regulating various portions of trucking security. Part of the problem can be traced back to fact that two of the regulations that affect truckers are not trucking regulations. Truckers are being forced to comply with security regulations that are directed at fixed facilities. Since there are no general security regulations for all truckers, there was no way for the facility based regulations to refer back to transportation regulations to provide adequate security requirements for truckers servicing those facilities. Vetting of Truck Drivers One of the major problems that truckers are facing is that there are a variety of identification and background check requirements depending on the cargo they haul and where they haul it. A truck driver is required to have a Commercial Driver’s License, another document for hauling hazardous materials, another document to enter a port facility, and another document to aid in custom’s clearance going to Canada or Mexico. There may be additional requirements for entering high-risk chemical facilities. Each of these requires slightly different background investigations. One thing that could ease the burden somewhat would be for DHS to require the use of the TWIC for truck drivers entering high-risk chemical facilities. Currently DHS is prohibited by law from doing this. Congress needs to consider adding specific language to legislation like HR 2868 that would require the use of TWIC for truck drivers servicing those facilities. This would stop duplication of efforts and help relieve some of the competing requirements on truck drivers.
/* Use this with templates/template-twocol.html */