Wednesday, September 30, 2009

HR 2918 Status 09-30-09

According to yesterday’s Congressional Record Daily Digest the Senate will begin their discussion of the conference report on HR 2918 (pgs D1099-1100). The preparation for the voting process is scheduled to begin at about 4:30 pm. Since this bill now contains the continuing resolution federal budget for the next fiscal year, which starts at midnight, the Senate needs to pass this bill this evening. Amendments to a bill after conference are typically very unusual. In this case they would be even more unlikely than normal. Any amendments to the bill will require the House’s acquiescence or another round of conference committee and new votes in each house. This makes the passage of any amendments even more unlikely.

QHSR Outcome 2.2.2

Last night I made my second posting to the QHSR Dialogue about the proposed outcomes for Counterterrorism Objective 2.2. This time I looked at the self-regulation of the potential transfer of dangerous chemicals to terrorists or other malicious actors.

Earlier Idea

When I posted this second idea, I checked the first idea that I posted yesterday. There were eight responses and four people had rated my idea. I’m not sure that I understand some of the responses that were posted, but I am glad to see that people are taking the time to read and respond.

The one interesting comment was from a person that wanted to know what types of readily available chemicals could be used to make toxic or explosive weapons. The commenter noted that only with such a list could an evaluation be made of whether strictly controlling those chemicals would be too intrusive.

Any such list would reflect the experience and deviance of the provider. I would include household bleach and ammonia cleaners. Nitrogen trichloride is probably too unstable to be listed as a usable explosive by even terrorists, but as a binary explosive it has interesting capabilities, including the production of a toxic cloud. In any case, join the discussion at Counterterrorism on the QHSR Dialogue.

Tuesday, September 29, 2009

QHSR Outcome 2.2.1

This morning I posted a cautionary idea to the QHSR Dialogue. The idea deals with Counterterrorism outcome 2.2.1; “Access to dangerous materials is limited to legitimate users.” Feel free to jump in and comment on this, and other ideas posted on this Dialogue. It won’t be a dialogue unless people share their opinions.

CFATA Hearing Update

Yesterday the Energy and Commerce Committee web site had some updated information on the HR 2868/HR 3258 hearing that the Energy and Environment Subcommittee will be conducting on Thursday. The hearing web page now provides a list of the witnesses that will appear before the subcommittee. The currently scheduled witnesses are:
Peter Silva, US EPA Office of Water
Rand Beers, DHS NPPD
Brian Ramaley, Association of Metropolitan Water Agencies
Marty Durbin, American Chemistry Council
Darius Sivin, CWA-UAW Legislative Alliance
Stephen Poorman, Society of Chemical Manufacturers and Affiliates
I am a little surprised that there are no representatives of any of the environmental activist organizations that have been so active in supporting HR 2868 and HR 3258 over the last six months or so. The CWA-UAW has actively joined these organizations in supporting this legislation, but since they represent so many chemical facility workers, they deserve their own seat at the table. Additionally, they have been actively involved in IST issues at refineries, opposing the continued use of Hydrogen Fluoride as a catalyst. If there is much discussion of this particular issue I would expect the whole committee would probably hear from a representative of the American Petroleum Institute at a future hearing.

The industry representatives are a mixed bag in regard to their support of these two bills. The ACC has generally been more supportive of CFATA than has SOCMA. SOCMA would prefer to see a bill that would make the current CFATS program permanent. ACC has been more willing to work with Congress on expanding the program. The AMWA will probably have objections to the IST provisions in HR 3258, but will probably favor the EPA regulation of their facilities instead of being lumped in with high-risk chemical facilities under CFATS.

The most interesting testimony will come from the two government witnesses. Rumors have been making the rounds that DHS will come out in support of some version of IST, something that they have been less than enthusiastic about in the past. Last year EPA supported the idea of increased chemical security regulation of water treatment facilities, but they have not made a public stand on the provisions of HR 3258. I do expect that they will come out in favor of including waste water treatment facilities in HR 3258 as opposed to their current inclusion in HR 2868.

One last item; currently the Energy and Commerce Committee and the Judiciary Committee are supposed to report on HR 2868 by September 30th. Neither will make that deadline. The Speaker will almost certainly extend that deadline on Wednesday, probably until October 31st. Even that date might slip as the Energy and Commerce Committee continues to work on health care issues.

Monday, September 28, 2009

QHSR Dialogue 3 Started

Earlier today DHS and the National Academy of Public Administration started the third and final public dialogue on DHS goals and objectives. These dialogues are part of the first Quadrennial Homeland Security Review (QHSR), taking a hard look at where the Department has been and where it is going in the next four years. The QHSR is patterned after the DOD Quadrennial Review, but the public dialogue is something unique to the QHSR.

The first Dialogue had the public look at goals that were proposed by a variety of study groups from within the Department. The public was given an opportunity to rate and comment upon those goals and suggest potential objectives that would support the achievement of those goals. The study groups took the feedback from the first dialogue and refined the goals and suggested objectives that would support them.

The second Dialogue provided a new public forum to rate the newly developed objectives and suggest ways that those objectives could be achieved. Once again, the information and suggestions developed in that dialogue were given to the study groups to further refine the goals and objectives.

Today, as part of the last Dialogue the study groups have provided refined goals and objectives and a series of ‘outcomes’ that would support each of those objectives. Rather than have the public numerically rate each of the potential outcomes as they rated the objectives in the previous Dialogue, DHS is instead asking for comments and suggestions on how those outcomes can be achieved.

Chemical Security

The term chemical security is not specifically used in any part of the Counterterrorism and Domestic Security Management section of the Dialogue. There are, however, a number of objectives and outcomes that are directly related to the chemical security community. The most obvious is Objective 2.2, Control Access. That objective states that terrorists “and other malicious actors are unable to gain access to dangerous materials, technologies and expertise”. There are three proposed outcomes that support that objective; outcomes that are directly related to the chemical security community. They are:
Outcome 2.2.1: Access to dangerous materials is limited to legitimate users.
Outcome 2.2.2: A culture of awareness and responsibility exists within industries that manufacture, store or sell potentially dangerous materials and among experts with knowledge of their use.
Outcome 2.2.3: The manufacture, storage, or transfer of dangerous materials is protected by physical, personnel, and cyber security measures commensurate with the risks.
Over the next couple of days, I will be posting some ideas to address how I think that these outcomes can become reality. The suggestions will be directed at both DHS and the chemical security community. I would hope that readers would also have, and share, ideas about these specific outcomes.

As I did in the previous Dialogue, I will be limiting the discussion of these ideas to the QHSR site. That is where the comments will serve the greater purpose. That is where this discussion needs to take place if this portion of the QHSR is to succeed.

I look forward to seeing your ideas and your comments on my ideas posted on the QHSR site. When you post your ideas, drop me an email or post a comment to the blog to point me and the rest of our community at your ideas.

HR 2918 Status

I never thought that I would be paying much attention to a spending bill supporting the legislative operations of the House and Senate, particularly in this blog, but the House leadership decided that HR 2918 would make the ideal vehicle for the continuing resolution that will keep the government funded through October 31st. This will allow the House and Senate an additional month to finish work on the spending bills. The House passed HR 2918 again last Friday. The Senate can be expected to take up the bill early this week. It should pass without any major problems. The continuing resolution will not have any impact on the support for this legislation. Adding it was a parliamentary maneuver, but certainly not an underhanded or devious one. It was just the least disruptive method of getting the job done. The continuing resolution language provides for the “continuing appropriations for all agencies and activities that would be covered by the regular fiscal year 2010 appropriations bills, until enactment of the applicable regular appropriations bill, or until October 31, 2009, whichever occurs first”. This language should support the ISCD understanding that the continuing resolution would allow for the extension of the CFATS rules pending the passage of HR 2892, the DHS appropriations bill that will specifically extend CFATS for one year.

Congressional Hearings Week of 9-28-09

There are currently two congressional hearings that are slated for this week that might be of interest to the chemical security community. One hearing looks at the evolution of counterterrorism efforts while the other looks at new regulations for security measures.

HR 2868/HR 3258

The House Energy and Commerce Committee web site lists the sub-committee hearing that will be looking at both HR 2868 and HR 3258, the two chemical security bills that are being looked at to replace the current CFATS program. This hearing has been some time in coming (and may yet be canceled again). There is no information on the web site indicating who will be appearing as witnesses, so I’ll stand on my previous guesses. The hearing is currently scheduled for October 1st at 10:00 am EDT.

Confronting the Terrorist Threat

The Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on September 30th at 10:00 am EDT. Secretary Napolitano (DHS), Director Mueller (FBI), and Director Leiter (NCC) have been asked to address “Eight Years After 9/11: Confronting the Terrorist Threat to the Homeland”. This hearing might be particularly interesting after last week when three separate potential terror attacks on the United States were publicly foiled. We might hear some additional details that have not been completely digested in the news.

CSAT FAQ Update 09-25-09

Last week the Department of Homeland Security updated the responses to three questions on their CSAT Frequently Asked Question Page. The questions addressed were:
1373: If a mixture has multiple COIs as flammable release, does the facility need to list the entire weight of the mixture for each COI or does it only need to be listed once. Listing it multiple times would give the appearance that the facility has a lot more COIs than they actually do have.
1532: How may I request an extension of my facility's SVA deadline?
1557: What should I do if I think my facility was incorrectly determined to be high-risk or received an incorrect preliminary risk-based tier determination?

Acting Assistant Secretary

Two of the questions (1532 and 1557) that were reviewed/updated had the same change made in their answers. It seems that Mr. James L. Snyder is no longer the Deputy Assistant Secretary for Infrastructure Protection. The two answers require that requests that would have been addressed to him are now to be addressed to Mr. William F. Flynn, Assistant Secretary (Acting) for Infrastructure Protection. The personnel change was apparently made since June 5th of this year when the two questions were last updated.

Multiple COI in a Mixture

I can’t find a previous entry for question 1373 in my records, so it looks like this is one of those questions that had a pre-formulated response for a question that was not asked until recently. It addresses the situation where a flammable mixture contains two or more flammable release COI. The answer notes that the COI with the highest percentage concentration in the mixture will be the COI that is reported on the Top Screen for the entire contents of the mixture. This will prevent double or triple counting the same flammable mixture on the Top Screen.

Saturday, September 26, 2009

WSJ Misunderstands CFATS

While the Wall Street Journal is not exactly a security (in the physical not the financial sense) publication I was really surprised to see the gross error about the CFATS regulations that was mentioned in an article today found on their on-line site. The article by Cam Simpson was about the recent terrorism story and the purchase of commercially available explosive precursors; “Chemical Purchases Enough for Big Bomb”. Simpson writes: “In November 2007, the Department of Homeland Security published rules for regulating chemicals that can be used by terrorists to make explosive devices, including limits on products that include hydrogen peroxide.”

It is a gross misunderstanding of the intent of the regulation to say that the Chemical Facility Anti-Terrorism Standards (CFATS – 6 CFR part 27) were ‘rules for regulating chemicals’. While the November 27th date mentioned by Simpson was the publication of the list of the DHS Chemicals of Interest (Appendix A to 6 CFR part 27), neither that list nor the base regulations were ever designed to regulate chemicals. CFATS is strictly a regulation establishing minimal standards for the security of high-risk chemical facilities. It is absolutely amazing to me that as prestigious a publication as the WSJ could allow such a fundamentally incorrect statement to appear in their publication.

The implied criticism of DHS found in the next paragraph is even more surprising. Simpson writes: “But the regulations make clear that DHS and the FBI were envisioning a large car or truck bomb, rather than smaller-style bombs like those used in the deadly July 2005 London transit attacks.”

In a modern society there are a number of readily available chemicals that can be used to make explosives. Trying to control access to hydrogen peroxide and acetone would be nearly impossible given their widespread use in commercial products. If controls were instituted on the 10-12% hydrogen peroxide found in the personal care products bought by Mr. Zazi, the chemically knowledgeable terrorist would just buy the 6% hydrogen peroxide solution found in any home and concentrate it to the necessary level using straightforward chemical laboratory techniques.

One last word from the WSJ article; it notes that the “threshold for reporting requirements is 400 pounds of hydrogen peroxide”. That is less than complete reporting of the facts. The Appendix A reporting requirements pertaining to hydrogen peroxide only pertain to concentrations of at least 35%. Even if there were storage tanks full of the products bought by Mr. Zazi they would not be regulated under CFATS.

DHS understood, even if the WSJ does not, that it is impossible to completely deny terrorists, or even just plain criminals, access to any and all dangerous chemicals that could be used to harm someone. What the CFATS regulations are designed to do is to ensure that the chemical facilities that present the highest risk to American society if attacked by terrorists are required to take reasonable security precautions to prevent such attacks. It was never designed to prevent access to dangerous chemicals; those are too ubiquitous in our industrial society.

DHS keeps getting caught in the public crossfire. They were pilloried when they tried to require security controls on facilities that had 10,000 pounds of explosive propane gas on site because it was too restrictive on farmers and home owners. Now the WSJ expects them to keep track of purchases of beauty products containing hydrogen peroxide. I do hope that our friends in the Department have thick hides, but they do not deserve the abuse.

Friday, September 25, 2009

CIPAC Meeting 10-07-09

DHS announced in today’s Federal Register that the Critical Infrastructure Partnership Advisory Council would be holding their next meeting on October 7th in Washington, DC. The public is invited to attend but will not be allowed to take part in the discussions unless specifically invited to do so by DHS. Written comments may be submitted electronically via Regulations.gov (Docket Number: DHS-2009-0117) or by mail to:
Nancy Wong
Department of Homeland Security
National Protection and Programs Directorate
Washington, DC 20528
According to the Federal Register notice “CIPAC represents a partnership between government and critical infrastructure and key resources (CIKR) owners and operators and provides a forum in which they can engage in a broad spectrum of activities to support and coordinate critical infrastructure protection.” The discussion at this meeting will center around information sharing and cyber security.

Three CFATS ICRs

In today’s Federal Register DHS submitted their 30-day notice of intent to file information collection requests (ICR) for a variety of CFATS related programs. The 60-day notice for each of these ICR was submitted back in July and there were no comments filed on any of those submissions. Anyone wishing to comment on any of these three ICR has until October 26th to electronically submit their comments to Regulations.gov using the appropriate docket number listed below.

Chemical Security Assessment Tool Renewal - OMB Number: 1670-0007 – Docket Number: DHS-2009-0033

I discussed the details of this in a previous blog but here is a quick summary of the data collections covered by this ICR (Title #collections @ time/collection):
CFATS Helpdesk 25,000 @ 0.25 hrs/request
CVI Authorization 8,073 @ 1.00 hr/request
CSAT User Registration 4,167 @ 1.00 hr/request
CSAT Top Screen 4,167 @ 30.3 hrs/request
SVA and Alternative SVA 825 @ 250 hrs/request
SSP 825 @ 200 hrs/request

Chemical-Terrorism Vulnerability Information New – OMB Number: 1670-New – Docket Number: DHS-2009-0034

I discussed the details of this in a previous blog but here is a quick summary of the data collections covered by this ICR (Title #collections @ time/collection):
CVI Authorization 8,073 @ 1.00 hr/request
Determination of CVI 250 @ 0.25 hrs/request
Determination of a “Need to Know” 12,500 @ 0.25 hrs/request
Disclosure of CVI Information 250 @ 0.25 hrs/request
Notification of Emergency or Exigent Circumstances 250 @ 0.25 hrs/request
Tracking Log for CVI Received 25,000 @ 0.08 hrs/request

Chemical Facility Anti-Terrorism Standards New – OMB Number: 1670-New – Docket Number:

I discussed the details of this in a previous blog but here is a quick summary of the data collections covered by this ICR (Title #collections @ time/collection):
Request for Redetermination 1,041 @ 0.25 hrs/request
Request for an Extension 1,454 @ 0.25 hrs/request
Notification of a New Top Screen 6,250 @ 0.25 hrs/request
Request for a Technical Consultation 1,454 @ 0.25 hrs/request

New Chlorine Safety Info

There was a report posted on WaterTechOnLine.com last week that the Chlorine Institute is now making 10 new technical publications available as free .PDF downloads. Topics include “nitrogen trichloride, pool chlorine, handling of sodium hydroxide and potassium hydroxide solutions, and the handling of hydrochloric acid”. One of the most important from my point of view is the incompatibility chart for sodium hypochlorite (bleach). It lists the chemicals that react badly with bleach and the consequences of those reactions. Any facility that handles these chemicals, and that includes all pool owners, or might be required to respond to incidents involving these chemicals should look into the available information. After all, you can’t beat the price. One note; while the publications are free, the site does require users to register to gain access to the publications.

S 1649 Hearing

Earlier this week the Senate Homeland Security and Governmental Affairs Committee held their first hearing for S 1649, the WMD Prevention and Preparedness Act of 2009. The Chair and Vice-Chair of the Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism testified as did Gregory D. Kutz of the Government Accountability Office.

As I noted in an earlier blog this bill is mainly targeted at biological weapons not chemical or nuclear weapons of mass destruction, though it does address some issues related to all three types of weapons. This hearing carried that emphasis on biological weapons even further. The GAO testimony dealt entirely with security at labs that handle the most dangerous organisms. Senators Graham and Talent acknowledged that their commission dealt with biological and nuclear WMD, but their testimony was focused on bio-weapons. No mention was made of chemical WMD in any of the prepared testimony.

A Committee press release posted after the hearing noted that Senator Lieberman “hoped to move the legislation through the Committee next month”. While this hearing had nothing substantive to say about chemical security issues, there are provisions in the bill that will positively affect responses to intentional or accidental releases of toxic chemicals.

Duplicate DHS ICR

Earlier this month I noted that the Obama Administration was more aggressive than its predecessor in filing information collection requests (ICR) with the Office of Management and Budget (OMB), apparently reflecting a more expansive definition of what is required under the Paperwork Reduction Act of 1995. Yesterday it was taken to a new level when an ICR 60-day notice was posted in the Federal Register that was a word-for-word duplicate of an earlier submission made by the DHS National Protection and Programs Directorate; that earlier filing was made on September 14th.

Now, in the vast expanse of the Federal Government, this must certainly rank very near the bottom of the severity list of government errors. I am not sure whether the mistake was made in the office of the Chief Information Officer at DHS NPPD or whether it was made at the Government Printing Office where the Federal Register is assembled. Perhaps it was even the OMB that caused the error.

This ranks even lower on the magnitude of cost list for government errors. I’m sure that there is almost no incremental administrative cost for the filing of this ICR. The people doing the work were going to get paid for the couple of minutes involved in processing this ICR. There might have been an extra page in yesterday’s Federal Register, but since most people (but certainly not all) receive the FR electronically, the extra paper and printing costs are inconsequential.

If this is such an inconsequential error, why am I even pointing it out? It just goes to show how often government rules become counterproductive. The original point of the Paperwork Reduction Act was to reduce the amount of government paperwork that people and businesses were required to complete. I would be surprised if there have been many (if any) significant federal forms that were prevented or removed by this act in the last ten years. I would bet, however, that the cost of administering the program is significant.

I would like to suggest to the Obama Administration that, if they are looking for government programs to reduce or eliminate as cost saving measures, this is one program that ought to be on their list. Lacking that, they need to re-evaluate their increased emphasis on making initial filings for existing programs. If the program needs to be eliminated, get rid of it. If not, don’t waste the time.

Thursday, September 24, 2009

Third QHSR Dialogue

Yesterday DHS started publicizing the third and final public dialogue that is being used to augment the Quadrennial Homeland Security Review (QHSR). The Third Dialogue will run from September 28th thru October 4th. DHS would like to build on the success of the First and Second Dialogues and see even more participation in this final public discussion before the study groups present their final recommendations on the four mission studies and two process studies that will help to guide the Department’s operations over the next four years. Secretary Napolitano will present her final QHSR report to Congress by December 31st.

DHS is reporting that over 11,000 people participated in the 2nd Dialogue, an increase of more than 50% over the first Dialogue. Those participants prioritized the strategic objectives that the study groups had developed (with help from input during the 1st Dialogue) and provided over 400 comments on how the Department could achieve those objectives.

The 3rd Dialogue will seek your review of the final study group content submission including the vision, goals, objectives, and key strategic outcomes from the mission studies. I don’t have any information yet on how this review will be conducted, but as soon as I get the information I will share it with my readers.

As with the previous two Dialogues, I will be actively encouraging people to participate in the Dialogue all week long. I firmly believe that anytime the public is allowed to directly participate in the development of long term government policy it is a good thing. The more people that participate in the Dialogue the better off we will all be.

NOTE: If you haven’t registered to participate in the Dialogue do so now and avoid the rush. Remember, the User Name and Organization that you supply on the registration site will appear with any comments that you post in the Dialogue. If you are in a job that prohibits public policy discussion, select a name and organization that won’t be easily traced back to you.

CFATS Training- Task Definition

We continue looking at training development for security forces at high-risk chemical facilities. Many of the concepts, if not the details, we are discussing can be applied to development of any of the security training that needs to be conducted at such facilities. The earlier blogs in this series include:
CFATS Training
CFATS Training – Security Job List
CFATS Training- Security Task List
In earlier postings we looked at how security procedure books for each security station at a high-risk chemical facility provide a listing of the security jobs that security personnel at that station need to be able to perform. Then we looked at how those jobs can be broken down into their component tasks. Today we will look at how those tasks are fleshed out into useable training tools.

Task Definition

Once the task list for all of the jobs at all of the security stations is compiled we need to further define what those tasks entail beyond just their task name. In the 1970’s the US Army revolutionized its training development with the realization that before they could define how a job needed to be done they first had to determine the conditions under which the job would have to be performed and how well the job needed to be done. This led them to the use of the Task-Condition-Standard method of defining a job task.

When determining the task performance conditions, one of the first things that one needs to determine is if the task is a knowledge task or a performance task. Knowledge tasks are more passive and require the person completing the task to know something and process information based on that knowledge. This type of task is ideally suited to classroom type instruction and written tests.

A performance task is one that requires physical action to complete. Most security duties predominantly utilize performance tasks. These tasks are better suited to hands on training with the equipment that will be utilized in a real world situation. Task performance evaluation is best done by requiring the person to actually perform the task with the provided equipment. This also lends itself to periodic on-the-job evaluation of task performance by observing the task completion in an actual job situation.

Condition Statement

For knowledge based tasks the condition statement for the task will explain under what conditions the knowledge will be applied in the field and the type of decision that the person performing the task will be expected to make. For example the ‘Respond to a Security Incident’ task identified in an earlier blog would be a knowledge based task requiring the security person to correctly identify the type and severity of the situation before responding.

The condition statement for a performance task details the equipment and information that must be available to complete the task as well as the conditions under which the task will be performed. In the “Conduct walk around inspection of tank wagon” task we listed earlier we would obviously need to have a tank wagon stopped at the security station. It would also require the presence of a shipping manifest or other document for the vehicle that describes essential information that the guard would be expected to check during the inspection.

Standard Statement

The standard statement provides a measurable description of adequate performance of the task. For many tasks this is a relatively easy statement to define. On the “Check inbound manifest” the standard statement would require the detection of 100% of the differences between the offered manifest and the file manifest. For other tasks it is more difficult to define measurable standards. On the “Check seals on locking device” the standard statement could require the detection of 100% of tampered seals but this would require the careful definition of ‘tampered seals’.

Specific measurable performance standards typically lend themselves to realistic performance evaluations. A properly developed performance standard provides an unambiguous measure of task competency. This is an essential requirement for an effective training program.

Knowledge based tasks are potentially the hardest to write performance statements for. What is frequently done is to use a standard written test and require a set number of correct answers to demonstrate adequate performance. While simple multiple choice tests for this type of standard are easy to write, they are seldom good measures of a person’s knowledge of the information.

A more thorough written test follows the case study model. A detailed description of a real life type situation that the person could be expected to respond to is provided. Pictures and short videos can be used to enhance the written description of the situation. If multiple choice answers are used to check responses, the provided responses need to be developed carefully. Providing incorrect responses that are obviously wrong defeats the purpose of the evaluation.

These case study type evaluations can be useful for some hands-on type tasks. Where setting up a hands-on evaluation would be expensive or dangerous a properly designed case study written evaluation is probably a good choice.

Other Supporting Information

Once the task list is developed and the task definition is complete, the training developer begins to collect additional information about the task. Instructions on how to complete a task, safety information and, in some cases, legal requirements all need to be collected before the training developer can begin to develop the training plan.

Wednesday, September 23, 2009

Rail Line Relocation Grants

There is a brief article on ProgressiveRailroading.com about the recent release of seven Rail Line Relocation and Improvement Grants by the Federal Railroad Administration. Two of those grants were used to relocate train yards and two were used to relocate rail lines. This grant program was created under the SAFETEA-LU Act and is intended to “improve rail safety, motor vehicle traffic flow or a community’s ‘quality of life,’”. I have long maintained that one of the reasons (though certainly not the only reason) that there are so many rail shipments of TIH chemicals through urban areas is that that is where the rail lines and rail yards are. Too many cities and towns grew up around their rail lines and yards. The relocation of rail yards outside of urban areas will help reduce the potential risk of a catastrophic release of TIH chemicals in an urban area. There is no indication in the article that these four grants were (or were not) designed to reduce the risk of urban releases of TIH chemicals. Besides, that is not a focus of the grant program. Hopefully, though, this grant program, which is in its last year, will be re-authorized with additional funding specifically targeted at the relocation of yards and lines that handle significant amounts of TIH chemicals. That would help to ensure that intelligent rerouting decisions are easy to make.

CFATA Hearing Update

There is a report over on the ISAWWA Blog that the Energy and Environment Subcommittee will be holding their first hearing on both HR 2868 and HR 3258 on October 1st. This is not the first such report that I have seen and I understand that the hearing is scheduled for 10:00 am EDT. There is an interesting item in the blog that I do think is worth sharing. They report that:
“Officials from EPA and DHS announced this week that the Obama Administration wants to see both drinking water and wastewater under EPA jurisdiction for purposes of chemical security regulation. The Administration would like to see EPA adapt DHS’s current security program (called the Chemical Facility Anti-Terrorism Standards or CFATS program) to the water sector, in consultation with DHS.”
I have not found a public pronouncement that supports this claim, but I do understand that there have been conversations between the two departments and potentially affected organizations in the private sector. This is a common strategy when an administration is planning on making a new policy statement at a congressional hearing. This allows for other witnesses at the hearing to make an informed statement in support (or opposition since the government does not control the opinion of these organizations) of the policy. I do know that not everyone in the DHS is in agreement with the policy of separating out the responsibility for chemical security operations at water and waste water treatment plants from the general CFATS scheme. As I have noted in a couple of blogs there are points in favor of both points of view, but this is as much a political decision as it is a security based decision. While many will deplore the fact that politics would have an effect on security decisions, at this level it is a fact of life that must be dealt with. I will say that I do not think that this political decision will have a significant effect on the outcome of the security arrangements that will be required under the impending rules. If the EPA patterns their rules on the CFATS model, there will be an increase in security at these facilities.

Combining Water and Waste Water Security

Another interesting point is that while the Administration may want to ensure that both water treatment and waste water treatment security are based under the EPA, the current wording of both HR 2868 and HR 3258 places waste water treatment facility security under DHS. This too was apparently a political decision, but in this case made by Chairmen Thompson and Waxman. This decision was made as part of their divvying up the oversight responsibility for chemical security. I’m not sure about the details of that bargaining, so I can’t predict how this will play out in the legislative process.
I do know that the two types of facilities have more in common with each other than they do with a typical chemical manufacturing facility. For one thing they use the same limited number of chemicals of interest. From an enforcement point of view, inspectors familiar with one of these types of facilities would not find the other hard to understand.

Witness List

There is still no official word about the hearing on the House Energy and Commerce Committee web site, but I don’t expect that until probably late Friday at the earliest. It will be interesting to see who is included on the witness list. DHS and EPA representatives will surely be included as I expect will be the American Water Works Association (AWWA). Since Subcommittee Chairman Markey is such a proponent of IST, I would expect to see at least one representative of an organization like Greenpeace that has been very vocal in their campaign in support of the IST provisions in both bills. Since industry was so heavily represented in the last Homeland Security Committee hearing on HR 2868, I don’t expect more than one representative from industry at the hearing if there are any. I do understand that SOCMA has submitted written testimony for the hearing. Other industry organizations will certainly do the same.

Tuesday, September 22, 2009

Cyber Security at ChemITC Conference

Last week I received an email notice via ACC@smartbrief.com that the American Chemistry Council’s ChemITC Conference at the end of this month would have a significant focus on cyber security issues. Thanks to Bridgette Bourge at ChemITC I received a copy of the just released program for that conference. It is certainly no exaggeration to say that ChemITC is working hard to keep their members up to date on the ever changing world of cyber security. The four day conference will be held September 28th thru October 1st at the IBM Executive Conference Center in Palisades, NY. Registration is still open. According to the ACC website this program will “appeal to all chemical company IT executives and their senior thought leaders”. The cyber security portion of the program does not get started until the second day of the conference and even that is mainly an introduction of the ChemITC working groups that are looking at cyber security issues for the chemical industry. There will be a brief update on the work being done by each working group. The third day of the program, however, has lots of interesting presentations on cyber security issues. The first program of the day is a one hour ‘conversation’ with FBI Supervisory Special Agent Frank Torkel from the National Cyber Investigative Joint Task Force. That conversation will look at the current state of cyber crime. DHS will provide two updates later that day, one from the National Cyber Security Division and the other from the Chemical Sector Specific Agency. There will be two industry led discussions on cyber security issues related to CFATS. The first will be on Day 3 by Keith Lichtenwalner, from Air Products and Chemicals. The second will be on Day 4 by Mark Gandy, from Dow Corning.
While this conference will not be addressing any of the nut and bolt (or should I say ‘coding’) level issues of cyber security, it will provide valuable insight into the management level issues that are important for planning and budgeting for the cyber security challenges facing high-risk chemical facilities.

DHS Budget Status – 09-22-09

There is an interesting article on GovExec.com about the potential for a continuing resolution this year as none of the budget bills have yet been passed. The House Rules Committee is scheduled to hold a hearing late this afternoon on a CR, allowing for consideration in the House as early as tomorrow. The DHS budget bill (HR 2892) is one of five (out of 12) that has been passed in both the House and Senate, but in different versions. This means that a conference committee has to meet and iron out the differences allowing a common bill to go back for a final vote in both houses. The Senate appointed their members of the conference committee back in July, but the House has, as of yet, failed to do that. The GovExec.com article notes that conference committee meetings could start this week. Passage of HR 2892 is important to the chemical security community because it includes a one year extension of the CFATS authorization. Without that extension it is likely that the current chemical security program would come to a screeching halt on October 2nd (it expires on the 4th but that is a Sunday). A continuing resolution with CFATS wording would certainly bridge the time between October 4th and the passage of HR 2892 if that passage is late. Actually, as I understand the DHS position, they will continue the CFATS program under a continuing resolution even if it does not include specific CFATS language. Their lawyers reason that since both versions of HR 2892 contain exactly the same CFATS extension language, it is inevitable that the final version of HR 2892 will extend CFATS. Thus a continuing resolution would express the will of Congress to extend CFATS. There should be no reason that HR 2892 could not be reconciled and brought to a successful floor vote in both houses before September 30th. The two versions are not that far apart. 
In fact, I do not understand why the conference committee has not already met, but then I am not privy to the machinations of the House leadership.

CFATS Training- Security Task List

We continue looking at training development for security forces at high-risk chemical facilities. Many of the concepts, if not the details, we are discussing can be applied to development of any of the security training that needs to be conducted at such facilities. The earlier blogs in this series include:

CFATS Training
CFATS Training – Security Job List

Today we will look at how security procedures are mined for information about the individual tasks that security personnel will have to be able to demonstrate competency at to be considered proficient at their job. Again, we will continue to look at the front gate and actions of the gate guard for the examples used in this discussion.

Procedures Book

We finished off yesterday’s discussion with a brief look at the procedures book that would be found at each security station. Each book will detail the procedures that will be executed at that station in support of the facility site security plan (SSP). Where security forces are provided by contractor, it will typically be the contractor that writes the actual procedures, but it remains the responsibility of the Facility Security Officer (FSO) to ensure that the procedures properly reflect the requirements of the SSP submitted to DHS. One easy way to do this will be for the FSO to take a copy of the submitted SSP and go through every SSP question to determine which ones pertain to each of the security stations. A copy of the pertinent questions will be made and placed in a requirements book for that station. That way the security supervisor for the guard company and the FSO will have a common understanding of what is required for each station. Since this information is directly abstracted from the SSP it will need to be marked and protected as Chemical-terrorism Vulnerability Information (CVI). The security agreement between the facility and the security company needs to specify that the security company is qualified to handle and store CVI.
The facility does need to ensure that the security supervisor they provide the requirements data to is a ‘qualified person’ under the CVI rules and that only qualified personnel with a need to know at the security company will have access to the CVI data. One last comment on CVI; it would certainly be possible to write a security procedures manual that is not CVI. It would include no reference to the Site Security Plan or any other document covered in 49 CFR 27.400. Since the information in the security procedures manual needs to be protected against disclosure to potential terrorists anyway, there is probably no reason to adequately sanitize the manual so that it does not include reference to CVI material. If the procedures manual is CVI, the security personnel using that manual will need to be cleared for CVI.

Creating the Task List

From a training development perspective the purpose of the security station procedures manual is to provide a description of the jobs that need to be accomplished at that station. The training developer can take that job description and develop a list of specific tasks that the security personnel will need to be able to perform to complete that job. First we need to look at an example of a possible job listed in the procedure manual for the front gate; Chemical delivery (inbound) vehicle – tank wagon:
“Every inbound loaded tank wagon will be stopped at the front gate. The driver’s identification and manifest will be checked against the information provided by the facility Receiving Clerk. A walk around inspection will be done and the Inbound Vehicle Checklist will be prepared documenting the results of that inspection. The Unloading Supervisor will be contacted for spotting instructions for the vehicle. The driver will be given a copy of the Inbound Vehicle Checklist and directed to the proper spotting location.”
From this job description we can look for specific tasks that the security guard will have to complete to successfully perform this job. Typically we write tasks in a specific format. They start with an action verb and provide a brief description of what must be done. A list of tasks for this job would include:
Stop inbound vehicle at front gate.
Check commercial driver’s license.
Check inbound manifest.
Conduct walk around inspection of tank wagon.
Look for improvised explosive devices.
Check seals on locking device.
Prepare Inbound Vehicle Checklist.
Direct Driver to spotting location.
Respond to leaking tank wagon.
Respond to security incident at front gate.
Contact Security Supervisor.
Many of the tasks in the list are clearly taken directly from the written procedure. Others are taken in a more generic manner from the procedure. For example the requirement to stop every ‘inbound loaded tank wagon’ is changed to stopping a more generic ‘inbound vehicle’. This is because the task of stopping vehicles at the front gate is generally the same, regardless of the type of vehicle. In the case of checking the driver’s identification, the task became the more specific ‘check commercial driver’s license’. This is because a tank wagon driver is required to have a specific type of identification and the procedure could include checking the driver’s license against a faxed copy of the license, or comparing the number on the license with a number on a provided list. This would be significantly different than checking an employee ID or a visitor’s ID. Two of the tasks on this list, looking for IEDs and checking seals, are tasks that are included in the larger task of conducting a walk around inspection. These are tasks that are common security tasks regardless of the station. Instead of having to re-write the instructions for these tasks in every larger task where they might be included, they are written separately and referenced in the other appropriate tasks. The task list includes one non-security related task; ‘respond to leaking tank wagon’. Every person on a chemical facility has certain emergency response requirements that they are responsible for. Reporting spills and/or leaks is one of the most basic. Because the guard is required to conduct a walk around inspection of the tank wagon they will sooner or later find one leaking and have to react accordingly. Each security station will have its own set of emergency response requirements. They may be listed as jobs in the procedure or as tasks that are parts of jobs, depending on the local situation.
The next to last task, ‘respond to security incident at front gate’, is a variation of a task that will be found at each security station. A security incident is any violation of security rules. This task will include a listing of the potential violations and the appropriate reactions for each. The list should include a generic ‘other violation’ listing to recognize the fact that security planners are not omniscient. This task will typically be reproduced as a poster (called a ‘job aid’ in the training development community) prominently displayed at the security station, out of public view. This will aid in a quick yet appropriate response to potentially unnerving situations. The last task addresses those inevitable situations that security planners did not foresee. Whenever something arises that is not covered in the instructions, yet is not obviously a potential threat, the security guard needs to contact the supervisor for instructions. This task would address that situation, providing routine contact instructions for the Security Supervisor, Facility Security Officer and other appropriate personnel in order of contact priority.

Consolidation of Task Lists

Once task lists have been prepared for every job at every security station, they are brought together for consolidation. Many tasks will be identical or nearly so at every security station. These similar tasks need to be grouped together before the next step in the process can begin. That step is the fleshing out of each task into a description of exactly what must be done, a listing of the conditions under which it must be done, and specifying how well it must be done. We’ll cover that in the next installment.

Monday, September 21, 2009

DHS CSAT FAQ Page Update 09-18-09

Last week DHS revised the answer to one of the frequently asked questions on the CSAT FAQ page. The underlying question was:

1461: What resources are available to determine the total production value for an economically critical chemical?

The revision was the addition of a brief description of the current version of the Top-Screen User’s Manual, “(PDF, 86 pages – 1.13 MB)”. DHS uses this description as a shorthand to identify changes in the version of the document. I’m not sure why they use that convention instead of a standard version number or version date, both of which are published on all CSAT reference documents. The only thing that I can think of is that it does provide some indication of how long it will take to download the documents. This is not nearly as important as it used to be with most corporate internet users having routine access to high-speed internet access.

CFATS Training – Security Job List

As I mentioned on Saturday’s blog I did receive an encouraging comment on Friday’s blog about CFATS training. As is expected with positive reinforcement, comments like this are a sure way to get me to revisit a topic. Today I would like to take a closer look at CFATS training for security personnel.

RBPS #11 and Security Personnel

The Risk-Based Performance Standard Guidance document does make two specific mentions of training for security personnel. The first is in an explanation of how training topics need to be adjusted to the target audience. RBPS #11 (pg 91) notes that: “Typically, if the audience consists of designated security personnel, the details of security procedures, operations, communications, etc., will warrant extended discussion.” A more significant discussion of security team training is found in Metric 11.1, Security Training Program for Security Personnel. For all four Tier levels, this metric provides the following guidance (pg 95):
“The facility has a documented security awareness and training program and a corresponding set of minimum skills and competencies for security personnel, as well as a testing program through which security personnel can demonstrate their ability to perform their security-related tasks in a reliable and effective manner. A typical training program will include such features as:
“Training is provided on recognition of a security incident, reporting of a security incident, emergency procedures, and operation of security equipment.
“Training is held on a regular basis for security personnel.
“Objectives are established for each element of the training plan.
“Training records are maintained in accordance with 6 CFR § 27.255(a)(1).”
The security metric does not provide a list of what would be considered to be a ‘set of minimum skills and competencies for security personnel’. Part of the reason for lack of such a listing can be found in the §550 prohibition of DHS requiring any specific security measures. A more important reason would be that a comprehensive listing of such skills would vary widely from facility to facility depending on its specific security needs. Additionally, there will be some variation based on what State and local laws allow security guards to do and require in the way of training.

Security Job List

The first thing that must be done in developing a security personnel training program is to develop a listing of the jobs that security personnel are going to have to perform. We generally start with the high-level task. For example we would start with a security guard at the front gate of the high-risk facility. A list of jobs at the front gate might include:
Maintain security equipment
Check pedestrian traffic entering facility
Check vehicles entering the facility
Check vehicles exiting the facility
Respond to security incidents
Respond to safety incidents
Conduct countersurveillance activities
The facility security officer, the security supervisors, and security guards should all provide input during the development of the job list. Most facilities will remember to include the first two, but most will forget to include the most important, the experienced security guard. No one knows better what is actually done on a day-to-day basis than the person actually doing the job. Once a basic job list is developed take a close look at each job listed to see if the listing is too general. For example the listing for ‘Check vehicles entering the facility’ may cover too much, depending on the facility. A different process might be used depending on the type of vehicle being checked. That could be divided into more jobs depending on the type vehicle. For example:
Employee/contractor vehicles
Non-chemical delivery vehicles
Chemical delivery (inbound) vehicle – dry box
Chemical delivery (inbound) vehicle – tank wagon
Chemical delivery (outbound) vehicle – dry box
Chemical delivery (outbound) vehicle – tank wagon
Once the job list is developed it needs to be carefully checked against the Site Security Plan (SSP) and its supporting procedures. Every time the plan or procedures mentions something that must be done or accomplished at the front gate there needs to be a corresponding job on the job list. A single job might cover multiple listings in the SSP or procedures, but there does need to be a job on the list for every mention of the front gate. Anytime that there are changes made to the SSP or its supporting procedures, the job list needs to be reviewed and updated as necessary. One other thing needs to be included in this job list, actions required to be taken in emergency situations. This absolutely needs to include non-security emergencies such as fires, injuries, and chemical releases. The security guard at the front gate typically has a number of critical jobs to perform in each of these situations, but all security personnel will have specific tasks to perform in each of the typical facility emergencies.

Front Gate Procedures Book

The Security Job List for the Front Gate will be the basis for determining what must be included in the procedures book for that location. That procedure book will provide information of a general nature for all security personnel as well as the detailed procedures necessary for the performance of all of the jobs in the Job List. There should be a separate procedures book for each security station. Tomorrow we will look at how the Security Job List will allow us to develop a list of specific tasks that the front gate guard needs to be able to perform to successfully meet the requirements of the job list.

Saturday, September 19, 2009

Reader Comments – 09-18-09 CFATS Training

I had three comments from Anonymous on the CFATS Training blog on Friday. One was a generic good job (I always like those) comment, but two dealt with a mistake I made with a link to a previous blog on the DHS Security Awareness Training. That problem has been corrected in the blog posting. Thanks for pointing out the mistake.

A Brief Explanation about that Error

Up until October of last year this blog was carried on AOL’s ‘Hometown’. They closed that section of their service down, shutting down a number of blogs and web sites. They made it easy for us to transfer our blogs to Google’s ‘Blogspot’ service, including transferring copies of all our old posts. They did not, however, leave transfer links in place to the new blog location. I have usually done a pretty good job of pointing to the new location but it has been a while since I referenced a post from before October 2008, so I forgot. Sorry about that.

Friday, September 18, 2009

Congressional Hearings – Week of 9-21-09

Only three hearings of potential interest to the chemical security community are currently scheduled for next week, and none of them deal with CFATS or HR 2868. The Senate side will look at WMD’s while the House will look at Cyber Security and Intelligence.

WMD

September 22, 2009; 10:00 am EDT; Senate Homeland Security Committee

Sen. Lieberman’s Homeland Security Committee will hold their first hearing on S 1649. As I noted in an earlier blog this is principally focused on biological attacks, but there are provisions that will impact chemical security issues. Two of the witnesses will be Bob Graham (Chairman) and Jim Talent (Vice-Chair) of the Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism. The third will be Gregory D. Kutz, Managing Director, Forensic Audits and Special Investigations.

Cyber Security

September 24, 2009; 2:00 pm EDT; House Science and Technology Committee

Congressman Lipinski’s (D, IL) Subcommittee on Research and Science Education will hold a hearing on a yet to be published bill entitled the Cybersecurity (sic) Research and Development Amendments Act of 2009. There is no word about what the bill contains or who will appear before the subcommittee.

Homeland Security Intelligence

September 24, 2009; 10:00 am EDT; House Homeland Security Committee

Congresswoman Harman’s (D, CA) Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment will have DHS Acting Undersecretary Johnson back before the subcommittee for an update on his “ongoing efforts to focus the intelligence and information-sharing missions of I&A (Intelligence and Analysis)”.

Transportation Security Debate 09-18-09

Yesterday afternoon the NationalJournal.com web site added two more contributions to their week long debate about transportation security. The two comments were from James P. Hoffa, President, International Brotherhood of Teamsters and Ed Hamberger, President and CEO, Association of American Railroads. They both address freight security issues.

Teamster Comments

Hoffa notes two freight security issues; inadequate security training and lack of risk communications with communities along rail lines. On security training he writes: “Our nation’s rail system remains vulnerable to a terrorist attack. The rail workers we represent – locomotive engineers, trainmen, and track and bridge workers – still do not have adequate security training.” The TSA currently requires train crews to receive IED recognition training and provided DVD’s to conduct that training earlier this year. It would be interesting to find out if this training has been conducted and what other training Mr Hoffa would like to see included in ‘adequate security training’. On risk communications he notes: “Freight rail corporations, however, still do not give fire and rescue operators real-time information about their trains’ cargo.” I am not sure that there is a real need to tell every local government organization when every railcar of hazardous material runs thru their jurisdiction, but there is certainly a need to have the information available if needed. The freight rail security rule put into place earlier this year required railroads to give that information to State Fusion Centers who would act as a clearing house for the information for local emergency response personnel.

AAR Comments

Hamberger brags about the progress the railroads have made in security matters since 9/11.
He does make the pitch for the use of inherently safer technologies to rid the rails of highly toxic substances when he writes: “And until safer technologies are used as a substitute for these highly toxic substances, the nation’s railroads will remain the safest mode for the transportation of hazardous materials.” The AAR has long staked out their position that while they can safely handle toxic inhalation hazard (TIH) chemicals like chlorine and anhydrous ammonia, they do not like being stuck with the liability for accidents/incidents involving those chemicals. As long as no one else will share their liability they would just as soon that they did not have to carry those chemicals.

CFATS Training

I received a series of emails last night from a reader in the security industry. He wanted to know if I knew of any training programs that could be used for security personnel working at CFATS covered facilities. I had to tell him that I had not heard of any training programs other than one Chemical-Terrorism Vulnerability Information training program that I had written about last spring. Unfortunately I forgot about a DHS general awareness training program [NOTE: Updated Link 9-18-09, 14:39] that is available through the Sector Specific Agency Executive Management Office that I wrote about last year. He was, of course, familiar with the CFATS CVI training program used to become an authorized user of CVI.

Training Requirements

He does bring up an interesting problem that high-risk chemical facilities are going to have to start looking seriously at as they think about moving into the SSP implementation phase of the CFATS process. That is how to go about training facility employees and security personnel. The Risk-Based Performance Standard Guidance document does address the training issue in RBPS #11. The introduction to that RBPS (pg 90) provides this explanation about the importance of training:
“Training details the performance standards related to security and response training, exercises, and drills. By performing proper security training, exercises, and drills, a facility enables its personnel to be better able to identify and respond to suspicious behavior, attempts to enter or attack a facility, or other malevolent acts by insiders or intruders. Well-trained personnel who practice how to react will be more effective at detecting and delaying intruders and provide increased measures of deterrence against unauthorized acts.”
The emphasis here seems to be on facility/security group response training. In fact, a large portion of the discussion in RBPS #11 is focused on this type of group training. But anyone with training development experience is aware of the fact that before training can be conducted on group response, individuals must be trained in the skills that they will need to participate in those group actions. The RBPS does provide a detailed list of the training topics (Table 13, pgs 93-4) to which various personnel probably need to be exposed. The list is broken down into requirements for three categories of employees; Facility Security Officer (FSO) and Assistant FSO, Personnel with Security Responsibilities, and All Remaining Employees. Obviously the most extensive training will be required for the FSO. The ‘All Remaining Employees’ category will receive the least training, what is usually termed ‘general awareness’ training. This is the type training for which companies usually use professionally developed training videos to present the general concepts, followed by a brief discussion of company specific policies. I have not yet heard of anyone developing this type video for CFATS general awareness training. There is one interesting pair of items in the Table 13 list of training subjects; CVI and SSP training requirements. As you would expect, both the FSO and Personnel with Security Responsibilities groups will be required to be CVI Certified. There is no such requirement for the All Remaining Employees group. But there is a requirement to train that group on “Relevant provisions of the SSP”. Since the SSP is clearly CVI it will take some careful preparation to extract relevant information for presentation to a non-CVI certified audience. One last point about the RBPS training ‘requirements’; the RBPS recommends the inclusion of off-site personnel in the training program. The RBPS #11 introduction (pg 90) notes that:
“A strong training program typically includes not only personnel-specific exercises and drills but also joint activities involving both facility personnel and law enforcement and first responders. Including law enforcement and first responders in training, exercises, and drills improves responder understanding of the layout and hazards associated with the facility while strengthening relationships with the emergency response community.”
One thing that facilities need to remember when they bring outsiders on site for this type of training is that they need to include at least some minimal Hazcom training for those personnel. If these personnel are going to be moving about the facility, even escorted, they need to be made aware of the chemical safety considerations that must be taken into account at the facility.

Training Development Ideas

I have more than a little experience in training development and presentation. I spent fifteen years as an Infantry NCO, developing and executing informal and formal training programs for individuals, small units and up to company size units. While working in the chemical industry for 16 years I developed and presented Hazcom and process safety training. And for the last year or so I have been doing contract training development and presentation for Georgia QuickStart, an industrial training program run by the State of Georgia.

Professional training development takes time. If you are just developing a simple stand-up classroom presentation using tools like PowerPoint®, it can easily take 20 to 40 hours for each hour of instruction. Most of that work goes into the task identification process, determining what information actually needs to be communicated to the target audience. Making a training video or developing a computer based training program takes a great deal more time.

Needless to say, all of that time takes money. This is one of the reasons that most companies turn to the use of generic training videos for a wide variety of periodic government-required training programs. Usually a one hour period of instruction will include a 20 minute video, a 20 minute discussion of company or facility specific requirements and then a written test with a post-test review of the answers. This type of training would probably be okay for the training requirements for the ‘All Remaining Employees’.
A training video along the lines of the computer based awareness training developed by DHS Infrastructure Protection would be valuable. An experienced instructor could even use that DHS computer based training program for group instruction, using discussion techniques to identify the security problem and appropriate response in that program.

Another training requirement from the RBPS #11 that is clearly amenable to this type of video training program would be the “Recognition and detection of dangerous substances and devices” requirement for all personnel in Table 13 (pg 93). I know that TSA has developed a similar DVD based training program for IEDs on railcars, but I have not been allowed to review the program. A generic training video would be a valuable addition to the CFATS training process.

Most of the training for FSOs will be given to such a small target audience (two or three people per facility) that it would probably not make financial sense to develop a training video for the limited market. On-line computer based training would make much more sense. Most of the FSO-unique training is generic CFATS, security or intelligence information. Since the work of the FSO is such a key component of a successful security program, it would probably be better for DHS Infrastructure Security and Compliance Division (ISCD) to develop this training as part of the CSAT tool. It would be done along the same lines as the CVI certification.

There is a large number of training requirements in Table 13 that the FSO and ‘Personnel with Security Responsibilities’ have in common. A generic video could be developed to deal with many of these requirements, but many will have to be dealt with on a facility specific basis. While small facilities may be able to get away with in-house developed training for these objectives, most large facilities are going to have to turn to professional training developers.
One final note: the Table 13 group ‘Personnel with Security Responsibilities’ is actually going to be at least two and possibly more groups at most high-risk facilities. The most obvious members of this group will be security personnel, including guards, roving patrols and monitoring personnel (including off-site monitors). Next there will be production personnel that have a variety of security plan responsibilities, including controlling access to secure/critical areas. Finally, there will be the maintenance personnel (including contractors) that will be maintaining security related equipment. The training programs for these three groups will be substantially different.

Complex Training Requirements

So you can see that the training requirements for supporting the CFATS program at a high risk facility are going to be complex. It is no wonder that my inquisitive reader was looking for someone who was working on the issue.

Oh, there is some bad news associated with this. While the RBPS #11 training guidance is relatively general, there are more specific training requirements in the CFATA legislation currently being considered in Congress. Most importantly, the legislation requires 8 hours of training per year for all employees.

Final note: If anyone knows of someone developing security related training programs for high-risk chemical companies, please let me know. I would certainly like to share that information with my readers.

VCAT Complements CSAT

As I have hinted a couple of times this week, DHS has another security program for the vast majority of chemical facilities that are not determined to be high-risk facilities governed by CFATS. It is one of the better kept security secrets at DHS and you have to hunt around a little bit to find it. But it is designed to help those non-CFATS facilities that have some concerns about their security to identify and evaluate their security risks so that they can develop a cost effective security program. It is called, imaginatively enough, the Voluntary Chemical Assessment Tool, or VCAT.

Voluntary Chemical Assessment Tool 

It is run out of another office in the Office of Infrastructure Protection, the Sector-Specific Agency Executive Management Office. The VCAT was developed by the Methodology Technical Implementation (MTI) team in the Infrastructure Information Collection Division (IICD). It is an on-line tool that allows an owner/operator to “identify their facilities’ current risk level using an all-hazards approach, and facilitates cost-benefit analysis by allowing them to select the best combination of physical security countermeasures and mitigation strategies to reduce overall risk.” There is a real nice video that was shown at this summer’s Chemical Sector Security Summit that provides an overview look at the VCAT program. In general the program consists of four on-line modules:
● Assessment module collects relevant information necessary for analysis.
● Vulnerability Analysis module displays vulnerability level and prioritizes security measures.
● Risk Analysis module displays the current and projected risk score for the overall assessment, as well as for each threat and critical asset.
● Risk Management module provides the ability to assign and track the progress of proposed security measures.
The VCAT includes a list of potential security measures. The security team at the facility can use this list to play a variety of ‘what-if’ scenarios; plugging in a variety of combinations of security measures to see what effect they have on the facility risk level. This would allow the facility to pick the most cost-effective security measures for their unique situation.

The information put into the VCAT program will also help the Chemical Sector Specific Agency improve their infrastructure protection activities under the National Infrastructure Protection Plan. The collated information will be used to address facility assessments, response planning, risk mitigation execution and incident management activities across the chemical sector. The data entered into the VCAT is protected under the Protected Critical Infrastructure Information (PCII) rules. This means that DHS is prohibited from disclosing this information, even in response to Freedom of Information Act requests. Facilities wishing to learn more about the VCAT should contact DHS by email: chemicalsector@hq.dhs.gov.

VCAT Information Collection Request 

Interestingly enough, DHS filed a 60-day notice of their intent to submit an information collection request (ICR) to the Office of Management and Budget about the VCAT program earlier this week. The ICR estimates that it will take the average facility about 8 hours to complete the VCAT. I do find it slightly disturbing that they expect only about 50 facilities to complete the VCAT every year. Part of the problem here is that DHS is doing very little to advertise the VCAT program.

Comments and questions about this ICR will be accepted until November 13th. Comments and questions about this Information Collection Request should be forwarded to Amanda Norman, Program Analyst, DHS/NPPD/IP/IICD, Amanda.norman@hq.dhs.gov.

Thursday, September 17, 2009

SCADA Security Discussion 9-17-09

Yesterday Ron Southworth from the ‘SCADA Gospel’ mailing list added to the SCADA Security discussion over at the Process Automation Usability Project on ControlGlobal.com. He makes some important points about taking data out of the process control system and transferring it to the corporate enterprise computer system. While this may potentially make the control system vulnerable, he points out that there may be good business reasons for that data exchange. The question then becomes what the cost of protecting against the added risk is compared to the benefit obtained. There are methods that can be used to control the risk of interconnecting those two networks for the purpose of limited data exchange, but they need to be thought out in advance. He also makes a good point about the use of portable USB drives as a method of data transfer. Given their near universal use it is probably impractical to prohibit their use. The better option would be “to issue devices used for specific purposes to staff and have limited approved activities and locations (consoles) for which these drives can be used to port data to from”. Good discussion.

Reader Comment 09-16-09 INL on Facebook

Yesterday a reader, htomfields, left a brief comment on my blog about the SCADA Security Summit. He noted that the Idaho National Laboratory, a federal lab that is doing a great deal of work on control system security, now has a Facebook® page. The page, which has videos, news articles and job postings for the lab, can be found at http://www.facebook.com/idahonationallaboratory. While I am not active on Facebook, I’m sure a number of my readers are. Thanks for the link.

Transportation Security Debate 09-17-09

On Tuesday afternoon Bill Graves, President and CEO, American Trucking Associations, added his comments to the debate on NationalJournal.com about transportation security that I mentioned in an earlier blog. Since the members of the ATA handle freight not passengers, his comments may be of interest to those in the chemical security community. One specific area that Graves mentions deserves some discussion here. He writes:
“At present, government agencies that administer various security programs in the transportation sector lack coordination, resulting in security programs with duplicative background checks and requirements that create unnecessary burden and cost. Also, multiple security plans and training requirements that govern the transportation of certain types of products and operations in specific areas threaten to erode the trucking industry’s ability to continue delivering the goods that the consumer expects.”
Multiple Security Regulations

While the TSA has done relatively little to directly regulate the security of the trucking industry, truckers have come under other security regulations including the Coast Guard’s MTSA regulations and the Infrastructure Security and Compliance Division’s CFATS regulations. You will notice that there are at least three different organizations that are regulating various portions of trucking security.

Part of the problem can be traced back to the fact that two of the regulations that affect truckers are not trucking regulations. Truckers are being forced to comply with security regulations that are directed at fixed facilities. Since there are no general security regulations for all truckers, there was no way for the facility based regulations to refer back to transportation regulations to provide adequate security requirements for truckers servicing those facilities.

Vetting of Truck Drivers

One of the major problems that truckers are facing is that there are a variety of identification and background check requirements depending on the cargo they haul and where they haul it. A truck driver is required to have a Commercial Driver’s License, another document for hauling hazardous materials, another document to enter a port facility, and another document to aid in customs clearance going to Canada or Mexico. There may be additional requirements for entering high-risk chemical facilities. Each of these requires slightly different background investigations.

One thing that could ease the burden somewhat would be for DHS to require the use of the TWIC for truck drivers entering high-risk chemical facilities. Currently DHS is prohibited by law from doing this. Congress needs to consider adding specific language to legislation like HR 2868 that would require the use of TWIC for truck drivers servicing those facilities. This would stop duplication of efforts and help relieve some of the competing requirements on truck drivers.

Wednesday, September 16, 2009

CIKR Webinars

Thanks to the folks at transec@news.infracritical.com, a transportation security discussion group, I found a DHS web site that provides a listing of webinars offered by the Infrastructure Protection Office of the DHS National Protection and Programs Directorate. These webinars are part of the Critical Infrastructure and Key Resources (CIKR) Learning Series. The two webinars remaining in the series for the fall are:
● Monday, September 28, 12:00 PM - 1:00 PM EDT. CIKR Private Sector Preparedness: What You Need to Know About the New Voluntary Preparedness Standards. To register for this event, please go to: https://connect.hsin.gov/psprep/event/registration.html
● Wednesday, November 4, 2:00 PM - 3:00 PM EDT. The Infrastructure Protection Security Survey. What’s in it for You? To register for this event, please go to: https://connect.hsin.gov/cikrls_ecip/event/registration.html
The website provides an email address for further information: IP_Education@HQ.dhs.gov. I hope that you have better luck than I did getting a response; my email of August 28th has yet to be answered. Waiting for that response I missed a chance to tell you about a flu response webinar this last Monday.

Three New ICR for IP

Earlier this week the Infrastructure Protection (IP) Office in the DHS National Protection and Programs Directorate (NPPD) issued three new information collection request (ICR) notices in the Federal Register. These notices are the 60-day advance notice of the Department’s intent to file the ICR with the Office of Management and Budget. All three ICR are being issued for existing programs, reflecting an expanded view of the necessity for filing ICR in the Obama Administration. The three programs are:
● CAPTAP Train the Trainer Survey
● IP Data Call Survey
● MTI Functional Survey

CAPTAP Train the Trainer Survey

The CAPTAP Train the Trainer Survey is a training management tool used to monitor and improve the Critical Infrastructure Key Resources (CIKR) Asset Protection Technical Assistance Program (CAPTAP) Train the Trainer course. This course provides State and local government officials training in the use of the Constellation/Automated Critical Asset Management System (C/ACAMS) tools. These tools allow first responders, emergency managers, and other homeland security officials to develop comprehensive CIKR protection programs in their respective jurisdictions.

Written comments and questions about this Information Collection Request should be forwarded to: DHS, NPPD, Infrastructure Protection, Attn.: Veronica Heller, Team Lead, Planning and Policy Integration, Ballston One, 4601 N. Fairfax Drive, 5th Floor, Arlington, Virginia 22203.

IP Data Call Survey

The IP Data Call Survey is a project management tool that the Infrastructure Information Collection Division (IICD) of the Office of Infrastructure Protection (IP) uses to improve the Infrastructure Protection Data Call Program. This program is used to help DHS, State and territorial Homeland Security Advisors (HSA), and Sector Specific Agencies (SSA) develop a current Critical Infrastructure List. The Critical Infrastructure List includes assets and systems that, if destroyed, damaged or otherwise compromised, could result in significant consequences on a regional or national scale.

Written comments and questions about this ICR should be forwarded to NPPD/IP/IICD, Attn.: Mary Matheny-Rushdan, mary.matheny-rushdan@dhs.gov.

MTI Functional Survey

The MTI Functional Survey is a project management tool that allows the Methodology Technical Implementation (MTI) Project Office of the Infrastructure Information Collection Division to gauge the effectiveness of their development of MTI tools. These tools are tailored solutions that enable the identification, analysis, and management of sector-specific security risks. These tools are used by Sector-Specific Agencies (SSAs), Sector and Government Coordinating Councils (SCCs and GCCs), and divisions within the Department of Homeland Security's Office of Infrastructure Protection.

Written comments and questions about this Information Collection Request should be forwarded to Lisa Hormann, Infrastructure Information Collection Division, DHS/NPPD/IP/IICD, Lisa.hormann@associates.dhs.gov.

One More ICR

There was another Infrastructure Protection ICR published in the same volume of the Federal Register. It dealt with a program that I alluded to on Monday. I’ll discuss that ICR when I describe that program later this week.

Security for 100 Propane Railcars

Thanks to the folks at transec@news.infracritical.com, a transportation security discussion group, I’ve seen a copy of an article from Blogs.KnoxNews.com about a study being conducted about storing up to 100 full propane railcars on an ‘unsecured’ rail siding in East Tennessee Technology Park in Oak Ridge, TN. This industrial park sits on a portion of the old Oak Ridge nuclear weapons development site. There were evidently not a lot of details available to the local blog writer, and it wasn’t even certain that the storage would happen even if it was eventually approved by the locals.

What was interesting to me was the cavalier way that the lack of security at the site was completely overlooked in the article. Actually, this shouldn’t be too surprising. While the TSA does have a freight rail security regulation in place (49 CFR part 1580), propane is not considered to be a rail security-sensitive material (selected toxics, explosives and radioactive materials) that would be covered by that regulation. A rail siding storage location might be considered a chemical facility, but DHS specifically said in the preamble to the CFATS regulation that they were not currently addressing rail facilities.

The reason that TSA did not include flammables in their freight rail security regulations was that a successful attack on a rail car full of propane would only affect a limited area. Typically a propane railcar will start to leak and the propane will catch fire. It will make an impressive fire and anyone nearby will get toasty real quick, but unless you are near a refinery or flammable liquid tank farm the damage will be very localized.

The problem here is that 100 rail cars is a completely different proposition than one rail car. Readers of this blog will remember a couple of weeks ago I pointed them at a video of a BLEVE. That showed a rather impressive explosion from a small propane tank. Scaling that up to a propane railcar would be beyond impressive.
Of course, getting a propane railcar to become a BLEVE is extremely difficult. It would take a great deal of heat over a long period of time to make it happen. It would be difficult to pull off, but a properly twisted person could come up with an appropriate method. For example….

Deliberate Propane Railcar BLEVE

Two propane railcars are sitting on an isolated siding hooked together. A savvy terrorist places a small shaped charge device on the end of one railcar, on the end facing the second car. A properly placed shaped charge will place a small diameter hole through the pressure wall of the rail car. Because there is no air inside the railcar, the propane will not ignite inside the car. Instead it will start flowing out of the car through the hole, very likely igniting as it passes over the melted metal on the edges of the hole. You now have a propane torch pointing directly at the end of the second propane rail car, much like the flame in the BLEVE video.

Periodically, the pressure relief device on the second car will release some of the stored pressure in the car. If the valve is far enough away from the first car it might not immediately ignite. That would result in a small cloud of propane gas that would eventually reach the torch and cause an impressive but ineffective explosion.

Sooner or later the metal wall under the torch will weaken and there will be a catastrophic failure of the railcar wall and there will be a very large explosion and the overpressure developed will create a large damage footprint. Just how large will depend on the amount of propane left in the car when the car wall failed. A second explosion will follow very shortly afterwards because the blast effects on the first railcar will cause a catastrophic failure of that already damaged car.

A prompt emergency response could prevent the BLEVE by applying copious amounts of water to the second car.
Trained fire fighters would probably not try to put out the torch; as a safety measure they would let it continue to burn until the propane was consumed. As long as they kept the car walls cool enough to prevent the catastrophic failure of the second car, the fire would be visually impressive and expensive but not overly dangerous.

Multiple BLEVE Incident

You can make things even worse by putting a third propane railcar on the far side of the target car. If that second railcar becomes a BLEVE, it is likely that large portions of metal from the first explosion will fly into the third car and create a catastrophic failure of that car. The gas cloud explosion from the third car will be much larger because very little of the propane will have been lost through pressure venting. A fourth car in line would be a little less likely to be catastrophically damaged; at some point the chain reaction of detonations would no longer continue.

With a slightly larger string of propane cars a creative terrorist could place a second shaped charge device on the last rail car in the string, pointing back towards the center of the chain. If everything works perfectly the two strings of explosions will meet in the middle. With each explosion the damage zone will expand because structures that were slightly damaged in the initial explosion would receive additional damage with each subsequent explosion.

With a one-hundred car train of propane a really efficient and demented terrorist would set off multiple initial shaped charge ignition points, as many as could be managed. As many as possible would be placed at points where it would be difficult to get fire fighting equipment. This would force the incident commander to surrender the attempt to contain the fires and concentrate on evacuating an extensive blast zone. A string of 100 cars, parked end to end, would create a very large effective blast zone.
If the targeted cars were in an industrial park, there would almost certainly be secondary fires and releases of toxic chemicals caused by the explosions.

Security Requirements

Because of the way that the freight rail security rules were written, TSA would have no authority to direct security measures for a railcar storage facility that contained even as many as 100 propane railcars (or other equally flammable materials). The CFATS regulations would probably be the only way that the federal government could mandate security rules.

I know, I said that the CFATS preamble said that DHS would not be regulating rail facilities, but the Assistant Secretary still does have the authority {49 CFR §27.200(b)(1)} to require any facility to complete a Top Screen by simply sending a registered letter or posting a notice in the Federal Register. The legislation currently under consideration in the House would confer similar authority on the Secretary.

While we don’t know how the CSAT tool determines which facilities are high-risk, I think that it can be reasonably assumed that a Top Screen filed for a facility storing 100 railcars worth of propane would be determined to be a high-risk facility almost anywhere in the country (in the middle of nowhere Montana might allow it to escape that designation). Again, I would guess that that much propane in one location would probably be a Tier 1 facility.

Perhaps the company reviewing the proposal, Bechtel Jacobs, should consider the security implications as well as the safety aspects of the potential plan.

Tuesday, September 15, 2009

New Cyber Security Questions

The Process Automation Usability Project has two new cyber security questions posted on their discussion board. Those questions are:
1. Has anybody gained any experience on the performance of a control system where they have implemented security features?
2. How do you prevent unauthorized changes to smart instrument settings without limiting usability?
They are looking for input from SCADA system users. While you’re there look at the other questions and responses listed on the site. This will be a valuable tool for the exchange of cyber security information if people use it. Do your part, put in your two-cents worth.
 