“Hijacking - An example would be placing an order that puts the goods in motion and then stealing them in route. “Dummy Company - Setting up a fake company and placing an order. Once the order is delivered the company disappears. “Breakout Scheme - Variation on a Dummy Company, but a real company is purchased, usually on credit, and orders are placed through that company. The company operates until the credit runs out. “Co-opted Customer - An existing customer is co-opted by a terrorist group and is either coerced, infiltrated or bribed into ordering materials. “False Flag - Terrorists place an order as existing customer, but steal the goods once they are delivered or the order is sent to a new false address. “Pretext Purchase - For example, an order is placed by someone pretending to be a professor at a university or college chemistry department. “Cyber Attack on Business Management System - The network or computer system is hacked and a reoccurring delivery is scheduled and hidden.”Since the whole point of a diversion is to gain access to chemicals that can be converted into some sort of weapon, an improvised explosive or a toxic gas for instance, the idea behind a diversion is to keep it hidden from view at least until the subsequent attack with the new chemical weapon can be initiated. Ideally, from the terrorist’s point of view, the diversion can be maintained undetected for a long period of time, allowing the cell to conduct multiple attacks. Needless to say, this is not typically the type of operation that the typical jihadist-wannabe is going to be able to execute with any kind of effectiveness. This type of operation requires a detailed knowledge of commercial processes, contacts within the industry, and a substantial amount of money to finance the operation. Insider knowledge of the business and ordering processes within the facility will make these types of operations much easier to successfully pull-off and hide for lengthy periods of time. Security Measures The types of physical security measures that are usually thought of when one talks about facility security will be of little or no use against diversion operations. Preventing the diversion of precursor chemicals for chemical weapons and explosives will take a well thought out review of business and order processing procedures to make sure that there are safeguards in place to require investigation of unusual order patterns and new customers. Proper protections of the enterprise software and computer systems will also need to be put into place to ensure that a hacker cannot bypass those established controls via manipulation of the company computer systems. This may be particularly challenging for facility security officers to put into place when, in multiple facility companies, these systems are the responsibility of people completely outside of the facility’s control. Hijacking Diversion Chemicals Even a cursory glance at the seven tactics described by Loughin will reveal that the first is substantially different from the remaining six. The classic hijacking of a chemical shipment is usually much less subtle and more prone to quick discovery than the other tactics. With a national law enforcement hunt for the missing truck being an expected response, the terrorist would have to have a way of transferring the load to another vehicle. Alternatively there would have to be a quick way of converting the precursor chemical in the shipment to the desired chemical weapon allowing for deployment before discovery. What is not clear is how the folks at ISCD will require facilities to address the prevention of hijacking diversion COI. Technically, the security of chemicals in transit is the responsibility of TSA (and PHMSA) not ISCD. There are current PHMSA rules (49 CFR 172.800) for the development of shipment security plans, but they are weak and security measure requirements are essentially unenforceable. More over, changes being considered (in HM-232F) for the list of chemicals covered under the PHMSA rules may leave shipment security for many diversion COI unregulated under PHMSA and TSA rules. Anti-Hijack Security Measures The ISCD approach on this matter has not yet been explained, but could include the expectation that facilities would establish in-route security measures for theft-diversion COI in addition to the requirements set forth in §172.800. Such measures could include constant driver communications with a central dispatch, requirements for using safe havens for in route stopovers, and other techniques similar to what ATF requires for the shipment of certain explosives. Since theft-diversion COI do require some additional processing before they can become useful weapons, ISCD may take the stance that the prompt identification of the diversion/hijacking could allow for an appropriate law enforcement response that would be expected to prevent the conversion to weapons. In that case, the security plan requirements for these chemicals would be expected to be heavier on communications and tracking of containers rather than the near absolute physical security measures mandated for some explosives.
Sunday, June 6, 2010
Theft and Diversion
Ryan Loughin has an interesting blog posting over at ChemicalProcessing.com about the different security issues associated with various chemicals of interest under the CFATS regulations. Early on he makes the point that the release and theft security issues are relatively easy to understand, but it takes a little more thought to see what is meant by ‘diversion’. While he gives a pretty good definition of diversion, Ryan provides a much more valuable learning aid; he describes seven different types of tactics that someone could use to divert chemicals without conducting a physical attack on the high-risk chemical facility. These seven tactics are: