The DHS RBPS guidance document provides a much more comprehensive discussion of features that a security program should address, but chemical security professionals will find many things of interest in this document. It reflects a slightly different appreciation of the potential terrorist threat and how industry and government should respond to that threat.
Investigation of Security Incidents
It goes without saying that any security program will provide for investigation of security incidents and section 2.3 of this SSCSG briefly addresses this issue. It includes a list of examples of incidents that “would warrant investigation”. It includes examples of things readily recognizable by security professionals in any industry:
• “Doors not secured, holes in fence lines, indication of illegal entryIt also includes examples that are very specific to the chemical process industry that might be overlooked as possible security issues:
• “Unauthorised (sic) entry by personnel into restricted areas of the facility
• “Signs of vehicles in restricted areas along pipelines, fence lines, electrical substations, or remote plant security gates”
• “Major unexplained process upsetsThe underlying incidents are typically investigated as process upsets that need to be resolved to ensure safe and profitable operation of the manufacturing process. What may be overlooked by chemical process professionals is that these may also be indications, especially if a routine processing issue cannot be identified as the root cause of the incident, of an attack on the site.
• “Unexplained loss of containment of hazardous material
• “Unexplained loss of raw material or product”
High-risk chemical facilities should include a chemical security professional in their routine incident investigation team. Even if the incidents provide no indication of a security breach, participation in the investigation will provide that security professional with additional insights into how the facility might be attacked.
Physical Security Measures
The discussion of physical security measures is generally much less detailed than that found in a number of different sections of the RBPS. There are some points in the discussion of access control that bear repeating. In listing the circumstances that must be considered in determining the appropriate level of access control (in section 4.1) they include the “degree to which facility operations are controversial”. This is something that is overlooked in the discussions in the RBPS.
For rather obvious reasons, there is a tendency in this country to equate a terrorist threat with a threat of an attack by Muslim Extremists. This is certainly not the limit of the terror threat. There are a number of other different (and evolving) types of organizations that might be expected to attempt attacks on chemical facilities. Target selection for each of these groups will be affected by their political goals and facility security assessments need to take this into account.
There is an access control measure included in the discussion in this section that I must admit that I had never considered, or heard mentioned in connection with chemical facility security. That measure is:
“Keep publicly accessible restroom doors locked and set up a key control system. If there is a combination lock, only office personnel should open the lock for visitors.”I have seen this security measure employed at some convenience stores to reduce the incidence of vandalism or street level drug sales, but I have never heard of it being applied to an industrial security situation.
Cyber Security
Most of the cyber security discussion in section 4.3, as in the RBPS, focuses on Information Technology (IT) systems rather than control systems. Most of the information covered here is covered in much more detail in the RBPS, but there is an interesting addition here that I have not seen elsewhere. In their discussion of the potential reasons that a hacker might attack a cyber system at a chemical facility they include to “prevent emergency response systems” from working.
As I have mentioned on a number of occasions, a prompt and effective emergency response to an attack (or accident) will go along way to mitigating the consequences, particularly the off-site consequences, of a chemical release incident. The speed and efficacy of the response will depend, in large measure, on the speed with which the responders are notified and the detailed information they receive about the incident. Thus, a very effective way of ensuring the effectiveness of an attack would be to hamper that exchange of information.
I have long advocated the use of automated systems to detect leaks of toxic chemicals, track the progress of the plume dispersion and provide that information to emergency response personnel. Timely sharing of that information is crucial to maximize the effectiveness of the emergency response process. Protecting these automated systems should certainly be included in the cyber security program for the facility, particularly if they are connected to outside communications systems.
Chemicals of Interest
One key element of any chemical security program is the determination of which chemicals will be covered. The RBPS does not specify the DHS chemicals of interest (COI), but it is certainly based upon that list. Similarly the SSCSG depends on the Australian list of ‘chemicals assessed as of immediate potential security concern’ (I won’t even try to list that acronym, I’ll just use our ‘COI’) which is reproduced in Appendix A (how appropriate) of the SSCSG.
The Australian COI list only contains 96 chemicals (vs. over 300 on the DHS COI list) and there are substantial differences. The rationale for the Australian list is not included in this document, but it certainly focuses more on toxic chemicals and less on flammable chemicals. The Australian list includes a large number of pesticides where the DHS toxics list is mainly limited to Toxic Inhalation Hazard (TIH) chemicals as they are more easily ‘weaponized’.
While the pesticides included in the Australian list are not regulated under CFATS, chemical security professionals will want to take a look at the security of these chemicals where a facility may have been identified as a potential target for some eco-terrorist groups. Some of those groups would be at least as concerned about the production, storage or use of these pesticides as they would industrial TIH chemicals.
Risk Management Model
Though DHS does not specifically call it a ‘risk management model’ the CFATS program is clearly (and specifically) based on the Deter, Detect and Delay model, a very comprehensive model as far as it goes. The model used in this document (outlined in limited detail in Appendix B) expands that model to include Response and Recover. Response is defined as the “level of reaction required to counter an intrusion”. And Recover is defined as the “ability to ensure that operations can continue”.
As DHS, as an organization, is trying to advance their homeland security efforts to include ‘resiliency’ as part of their management mantra, the CFATS program should certainly consider expanding their model to what the Australians call the D3R2 (D Cubed, R Squared) model to address these resiliency issues. That should certainly include the provisions for a more comprehensive emergency response program for high-risk chemical facilities.
Reviewing Other Security Programs
The Australian Site and Supply Chain Security Guidance, like the CFATS RBPS, exists within a security framework that includes a variety of laws, regulations and industry standards. Viewing this document provides only a limited view of the Australian chemical security landscape.
Having said that, security professionals involved in chemical facility security activities would do well to review this relatively short (30 pages of relatively large type and white spaces) document. It provides a slightly different focus on chemical security issues from that found in the RBPS. As such it helps provide a more complete look at the chemical facility security picture.
Posts
No comments:
Post a Comment