Wednesday, March 31, 2010

DHS CERT Training Web Page Update 03-29-10

On Monday, DHS updated the CERT Control System Security Program’s Calendar web page. They updated the information available for the three regional training courses that CERT will be offering in May; Introduction to Industrial Control Systems Cybersecurity. I had mentioned these courses in a blog last week. In that blog I noted that two of the courses had only shown contact information while the third iteration provided a link to a .PDF brochure for the course. The updated page now provides a link to a separate .PDF brochure for each of the classes; San Diego, Orange County, and Scottsdale. As I had predicted (which required very little predictive skill, obviously) the brochures are essentially identical with the exception of location specific data of dates and venues. Interestingly, the Orange County, CA is still listed at ‘TBD’. The same point of contact is listed for all three courses: Pete Owen.

Tuesday, March 30, 2010

Radical Militias and Chemical Security

The recent arrests in the Midwest bring the focus of the country back on the ugly specter of right-wing militias. Once again we have to consider the very disturbing thought that terrorist attacks in this country might not be the sole purview of radical Jihadists. There is a good general review of the topic to be found at HomelandSecurityNewsWire.com. One of the links on that page will take one to the Southern Poverty Law Center web site where one can find a wealth of information on the topic. Now I have yet to find a public reference to any specific threat that these groups would pose to chemical facilities. I suppose that arguments could be made that foreign owned chemical facilities might draw the ire of groups like these; that might make them potential targets. There is an article on the SPLC site that provides a hint to another type chemical facility target. This article, Rash of Bomb Cases Tied to Radical-Right Views, points out that a large number of recent arrests of these American radicals included bomb making charges. It seems that there is a predilection for the use of explosive weapons by these groups. While some of these actual explosives used in these incidents were bought or stolen, many were manufactured from their precursor chemicals. As their bombs almost inevitably get larger, they will find their bomb making chemicals harder to get without attracting attention from authorities. Both the FBI and DHS have been deploying programs to help commercial facilities identify the odd purchase of potential bomb making chemicals. This will force these bomb makers to look to the manufacturing source of the various chemicals to get the amounts of these precursors that will be necessary for making larger bombs. This will make any chemical facility that manufactures, uses, or stores these precursor chemicals potential targets for these organizations. If the number and size of these right-wing militias continues to grow, the threat of their attacking this kind of facility will just increase. Since these groups tend to operate near their home base, it will be essential for facilities that have these types of chemicals on-site to maintain good relations with their local law enforcement personnel. These agencies are likely to have a reasonably good understanding of the threat posed by local militias and should be able to provide appropriate threat level information.

PHMSA Rushes Fee Increase Rule

I just recently completed an article for the next issue of the Journal of Hazmat Transportation reviewing the public comments on the PHMSA proposed rule to increase the Hazmat registration fees for large companies (actually the wording that the NPRM used was “not qualifying as a small business or not-for-profit organization” 75 FR 5258) to support the national Hazardous Materials Emergency Preparedness (HMEP) grants program. The comment period ended on March 4th. In an unusually quick regulatory move, PHMSA published the final rule on that fee increase today. To be fair to PHMSA, they were under somewhat of a tight time constraint because they intend to impose this fee increase starting this June when the next registration period begins. Even so, 26 days from the end of the comment period to the publishing of a final rule on a controversial subject (27 supporting comments and 19 opposing comments in a shortened 30-day comment period) must be close to being some sort of bureaucratic record. They did have an advantage in making such a quick decision; they did not have to get approval of the rule from the Office of Management and Budget. While the OMB has been known to move quickly on Administration priorities, it has also been known to drag out the review process for exceedingly long times. Now most of the supporting comments for this rule came from the emergency response community (ERC). These would be the people who would be receiving the grants from the HEMP program. Since Congress tied the funding for that grant program to the Hazmat shipper/carrier registration fees, the ERC has a vested interest in keeping the funding strong by supporting the higher fees; hardly a surprising position. Now, you will have to see my article in JOHT when it comes out early next month for a detailed analysis of the negative comments, but the large shippers/carriers had three main complaints about the NPRM: the fee tripled from $1000 to $3000 per year; there was no fee increase for small shippers; and the proposed increase came after almost everyone had finalized their 2010 budgets so there was no money in budgets for the much higher fee. PHMSA responded to the complaints about the size of the fee increase, by essentially claiming that there hands were tied by Congress. The size of the grant program had been doubled and the fees had to cover the cost of the grants. The large shippers/carriers responded that they understood that, but if the 83% of the shippers/carriers that were not covered under the proposed rule had some reasonable increase imposed upon them, the size of the increase on the large shippers/carriers would certainly be more reasonable. BTW: PHMSA ‘sharpened their pencil’ on their calculations and were able to decrease to fee increase to only $2600 [I corrected this value from $2500 at 7:50 EDT on 03-30-10] in today’s final rule. PHMSA’s response to that has been straightforward in both the NPRM and in today’s final rule. They maintain that although “there are exceptions, small businesses and not-for-profit organizations generally offer for transportation or transport fewer and smaller hazardous materials shipments as compared to larger companies” (75 FR 15616). Unfortunately there were comments from two smaller carrier support organizations that directly contradicted this claim. For example the Petroleum Marketers Association of America reported in their comment that they represent “approximately 8,000 independent small business petroleum marketers nationwide”; almost everyone of their shipments are placarded hazmat loads. Likewise the New England Fuel Institute reported in their comment that their memebership was “nearly 1,000 marketers of quality heating oil, kerosene, diesel fuel, and other petroleum products in the Northeast, many of whom operate small bulk plant facilities”; again almost all loads would be hazmat. So, is there an alternative reason why PHMSA would not want to raise the registration fees for small businesses? Well, if I recall correctly, any rule that has a significant financial impact on small businesses requires additional justification and review of that justification by the Office of Management and Budget. Now I don’t know anyone at PHMSA, nor have I talked to anyone that works there, but I would be willing to bet that a substantial reason for the lack of a small business rate increase is the ability for PHMSA to get this late filed rule through the process quickly by bypassing the requirement for OMB review. Maybe not the sole reason, but a substantial portion of the real reason; that’s my bet.

Water Facility Security Lacking

Last week there was an interesting water facility security breach out in Oregon. According to news reports an intruder broke into a local water treatment facility and stole the computer that operated the automated water treatment equipment at the facility, including the valves that control the addition of chlorine to the water. The article reports that “the burglar gained access to the plant by driving around a fenced and gated area through an adjacent tree farm”. The local residents can rest assured that local officials are taking action to ‘harden’ both the water treatment and waste water treatment facilities against future intrusions; too little, too late. Now current water security rules require all facilities that serve over 3,500 customers (and I am making the perhaps unwarranted assumption that this facility meets that requirement) have completed security vulnerability assessments. Unfortunately there are no provisions to allow the EPA (the water facility security enforcement agency) to require that facilities take action to correct security shortcomings. In this case the only thing that happened with the break-in was the loss of about $1,000 worth of computer equipment and significant amounts of overtime pay to cover having someone on site executing manual control of the system. What if this had been something more than vandalism or theft? What if this had been a terrorist attack on the water system? Or an attack on the chlorine used at the water system? Can anyone believe that the security system would have had any better result? This is a perfect example of why I am concerned about the lack of water facility security regulations that really mean anything. Requiring that facilities ‘conduct an SVA’ is a toothless requirement if there is no check of the adequacy of that evaluation. And an SVA does not provide any security, it just identifies the security needs. It should lead to the development and execution of a security plan and there are no current requirement for that to be done. Legislation like HR 2868 needs to be passed to give DHS or EPA the authority to provide proper regulatory oversight of the security of water treatment and wastewater treatment facilities. Sooner or later terrorists are going to see stories like this one in the Oregon newspaper and realize exactly how vulnerable our water treatment facilities actually are.

Monday, March 29, 2010

S773 Passed in Committee

This announcement is a little bit late, but on the 24th the Senate Commerce Committee voted in favor of requiring S773 to be favorably reported to the full Senate. A number of amendments were included with the action, all being passed by a single voice vote without apparent opposition. One of the amendments was the Sen. Rockefeller and Sen. Snows substitute language that they had reported on the previous week. Unfortunately, until the actual report is filed in the Senate, I won’t be able to comment upon the actual content of the reported version of the bill. Waiting for that report was the main reason that I didn’t report on passage of the bill. Now that the Senate is in their Easter Recess, that report cannot be filed any earlier than April 12th. So we will just have to wait and see if the Commerce Committee version of the bill contains any significant provisions affecting chemical facility control systems.

Sunday, March 28, 2010

DHS CSAT FAQ Page Update – 03-28-10

This last week DHS updated the responses to three existing Frequently Asked Questions (FAQ) on their extensive FAQ page. The three questions were: 1460: How do I calculate the Total On-site Quantity (TOQ) of COI in a mixture? 1557: What should I do if I think my facility was incorrectly determined to be high-risk or received an incorrect preliminary risk-based tier determination? 1575: Can a program other than RMP*Comp be used to calculate Distance of Concern? None of the answer changes were significant from a regulatory point of view. Two questions (1460 and 1575) had URL’s corrected to link to the CSAT Top-Screen User’s Manual; the previous answer had separate typographical errors in the listed URL’s. The third question updates the official title for Mr. Todd M. Keil to ‘Assistant Secretary for Infrastructure Protection’; the previous response showed the title as ‘Assistant Secretary (Acting) for Infrastructure Protection’. This points out the importance of feed back. Small, seemingly unimportant errors do creep into any document as complex as this. If anyone in the community finds an error, particularly inactive links to documents, you need to contact the Help Desk (866-323-2957, Monday-Friday 7:00 a.m. – 7:00 p.m., Eastern Time) so that they can correct the error.

Saturday, March 27, 2010

Reader Comment 03-24-10 LEPC

Earlier this week Fred Millar responded to my blog on Greenpeace and Sen. Collins with a comment that looked at how fast a toxic cloud would spread after a catastrophic release. Fred’s entire comment is worth reading. I would like to discuss, however, Fred’s closing comment about the effectiveness of Local Emergency Planning Committees: “This is one more piece of evidence on how dismally our two federal Right to Know laws have been thwarted by those who want to keep the public in the dark.” With only a little bit of nit-picking about word choice, what Fred is surely trying to say is that 1) LEPCs do a poor job of communicating the full details of potential chemical risks from (both deliberate and accidental) chemical releases, and 2) that they are prevented from communicating these risks by the chemical companies. Emergency Response Planning Since I have next to no personal experience with LEPC’s (as far as I can tell there are no local LEPC’s in the areas where I live or work), I am going to have to be careful in how I respond to this. I have read enough news reports about chemical incidents to assume that in general Fred is correct in his first point. I have heard of very few situations where it was apparent that local first responders were well aware of the hazards at local facilities, much less the public. I have read of a number of exceptions, but have seen too many reports where police and fire personnel making evacuation or shelter-in-place announcements drove into a chemical cloud and were injured as a result. Fortunately, I haven’t heard of any deaths attributed to this kind of response. The second point is even harder to refute. There have been too many news stories of chemical facility management failing to give adequate information to emergency response personnel during an incident. The outsider would find it easy to assume that there was a conspiracy trying to hide the deadly information (actually information about potentially deadly situations) from the public. I don’t think that this failure to communicate is always (or even usually) caused by deliberate desire to keep the public in the dark. Based upon my experience working in the chemical industry, these communication lapses are often (certainly not always) caused by two things. First and foremost, during an incident the facility management is too busy trying to define and respond to the incident on-site to think about providing good information to outsiders. Now this is short sighted and self-defeating, but it comes from the best motivations not the worst; they are trying to solve an immediate and difficult problem, the ‘stupid questions’ from ‘ignorant outsiders’ are not helping. The second problem actually aggravates (and actually may cause) the first problem. This is the very real failure on the part of many engineers to really consider the ‘worst case scenario’ as actually being possible. I have heard too many ‘that can’t happen here’ comments over the years about the EPA/OSHA worst case tank failures. First off, those types of failures are really rare, and they are usually caused by poor maintenance procedures; something that no one will admit to having. All of this leads to facility management, which is nearly always engineers, putting the emergency response planning well down on their priority list. If it ‘can’t happen here’, then why should I waste my valuable time on an effective emergency response plan? Unfortunately, without a good plan in place, practiced and updated there is no way that there will be an effective response to a real emergency. Lack of Oversight Now these reasons (both mine and Fred’s) are what caused the Federal Government to step in and require community hazard communication and emergency planning for all facilities with substantial quantities of selected hazardous materials. Unfortunately, there was a major flaw in those laws; there were no provision for outside review/approval of emergency response plans. Nor was there any outside review/approval of the information communicated to neighboring communities. This lack of oversight effectively told facilities that it wasn’t really important. It wasn’t that the requirements weren’t important; no the reason for lack of oversight was that proper oversight would be too difficult to do. DHS is finding out how hard it is to get an adequate response to difficult planning requirements. They have been working for months on getting a few Tier 1 SSP’s brought up to the level where they can be physically inspected. There is no telling how long it will take to get inspection discrepancies corrected to the point where DHS can give final approval to these SSPs. It will be interesting to see how closely DHS inspectors will look at the emergency response plans associated with the site security plans for these high-risk facilities. If they start talking to LEPC’s and local first responders, there might be some movement to make these plans workable. If they don’t, then we will continue to see LEPC’s and emergency response personnel who are left in the dark. And that’s a bad place to be when there are toxic clouds approaching.

Friday, March 26, 2010

Reader Comment 03-24-10 Chlorine Hazards

Fred Millar, a long time reader of this blog and frequent commentor, objected to my ‘attack’ on the political exaggerations used in some Greenpeace communications that are being used as part of their grassroots campaign in support of HR 2868. I’m sorry that Fred thought the posting was a ‘one-sided blog attacking Greenpeace’, but I stand by the discussion. As I pointed out in the opening to that piece, I have taken on the same type of political exaggerations used by industry groups in their opposition to HR 2868. I really do believe that both sides in this debate have legitimate concerns about the issues and wish that the discussion was limited to those concerns without having to resort to these exaggerations. Having said that, I think that Fred’s comments are certainly worth discussing; particularly the point about gas dispersion modeling. Fred wrote:

“You need to take a closer look at real data, e.g., from the gas dispersion modelers.And I'd appreciate if you would highlight for your readers the Chlorine Institute's venerable Pamphlet 74, available for download free from their website, especially the pages on the 90-ton chlorine tank car.”

Pamphlet 74 The Pamphlet 74 that Fred refers to is a very detailed discussion on how to determine the area at risk in the event of a variety of chlorine releases. Fred is correct that the Chlorine Institute offers this document as a free download. Unfortunately, they will not get any points for having a customer friendly web site to get the download; you have to go through a lot of steps to download a .PDF document. Be persistent, it is a valuable documents for anyone interested in discussing the very real threats from chlorine gas releases. I re-read the discussion on modeling chlorine gas release scenarios this morning and I will have to admit that my description of the dispersion pattern is a tad bit simplistic. I wrote: “The wind disperses a chemical cloud in a fan shaped pattern.” In the early stages of a catastrophic release of chlorine there are a number of factors that cause some initial dispersion that is not wind dependant. This is the reason that the base of the dispersion pattern shown on page 24 of Pamphlet 74 is so wide. To be fair, I also exaggerated the width of the cloud at its maximum extent by using the fan description. The width of the exposed area drops off fairly quickly at the far end of the dispersion pattern. Even so, the basic comment about the limited area of coverage stands. The area under the 3 ppm exposure limit on the diagram is a flattened oval 41.5 miles long and 2.3 miles wide, not a circular area with a radius of 41.5 miles. While the entire circle is ‘potentially’ at risk from a chlorine release, only a small fraction (1.8%) would actually be exposed in the event of the actual release. The two charts on the next page of the pamphlet provide some additional important details about the dispersion of the toxic cloud. The first chart, Peak Concentration as a Function of Time, shows how long it takes for the toxic cloud to reach various distances. More importantly it shows that the cloud moves through an area, leaving the area with minimal continued exposure after it has move on. This does ignore the fact that some residual chlorine gas could remain in low lying areas out of sunlight for significant lengths of time. This means that there will only be a limited need for decontamination after the incident. The second chart, Peak Concentration as a Function of Distance, shows how quickly the concentration drops off as the cloud disperses. To understand the practical affects of that change in concentration we need to understand the medical affects of chlorine gas as a function of exposure concentration. Chlorine Exposure Effects According to the OSHA web site for chlorine, an exposure “to 15 ppm causes throat irritation, exposures to 50 ppm are dangerous, and exposures to 1000 ppm can be fatal, even if exposure is brief”. As with any chemical exposure the longer one is exposed to a given concentration of the chemical, the greater the potential harm. Thus we can see that the peak concentration drops below irritant level fairly quickly. Chlorine is Very Dangerous Now, having exposed the hype, it must be clearly understood that there will be a significant area under the exposure curve where people will die if they are not adequately protected against exposure. There is an even larger area where there will be serious medical consequences from exposure to the peak concentration levels as the toxic cloud passes through the area. Looking at the charts on pages 24 and 25 of Pamphlet 74 it looks like anyone inadequately protected in the cloud for up to a couple of miles away from the catastrophic release from a full railcar is at serious risk of being killed by the cloud. Inadequate protection in the cloud at distances of up to 15 miles from the release could have very serious medical consequences.

This is why I am against the political exaggeration being used in the current Greenpeace campaign. The opposition can simply dismiss their warnings as exaggerations from people who don’t know what they are talking about (which is obviously another political exaggeration, but exaggeration begets exaggeration). This reduces the effectiveness of the very real message that should be communicated to everyone that lives near a chlorine storage facility. It diminishes the message actually communicated to the politicians who don’t have the time to read and interpret Pamphlet 74.

Thursday, March 25, 2010

Reader Comment 03-24-10 CVI Issue

It is always nice to know that readers are paying attention to the details. Jon Greenwood posted a comment on my post about the first responder training at the meat processing facility. When I wrote about security issues being addressed, Jon commented:

“What about CVI for CFATS facilities? I don't believe that includes the press, and members from the local schools, churches, and civic organizations. The first responders definitely have a "Need to Know", and I believe every facility should include them in their security plans. I guess that's why there is a section for them in the SSP. But if I was an SSO of a facility, I don't think I'd want the general public to know about the security features (or lack of, in some cases) at my facility and I think that would violate CVI unless all those people had CVI.”

Jon is obviously correct, I did not address the Chemical-Terrorism Vulnerability Information (CVI) issue in my comments and should have. Anytime there is a discussion about security issues for any kind of facility (CFATS or not), careful attention must be paid to the make-up of the audience. Depending on the level of detail provided in the discussion, there is a very good chance that only CVI cleared personnel would be able to hear the discussion of security issues. This is going to be one of the major headaches for a facility security officer. How can they determine what information they can share about the facility security plan? Now the average fireman or cop on patrol is probably not going to be CVI certified, but they should be aware of many of the provisions of the security plan so that they can properly respond to an emergency on site. There should be people in the various departments of the local emergency response community, however, that are properly certified for CVI access so that they can participate in the security planning process. But even these people will not need to be read in on all of the details of the plan. Public Involvement Having said that, I would maintain that there should be some level of involvement of the local community in the security process. First off, they are going to have to be made aware of their personal responsibilities in the emergency response plan for an attack on the facility; that ERP should be an integral part of the security plan. Every neighbor that would be affected by a successful attack is going to have to know how to respond in that event, in order to protect themselves. This means that they are going to have to know how to determine that they are at immediate hazard, and how to respond to various possible outcomes from a successful attack. Trying to explain this to them as a toxic cloud forms outside their home is too late.

Additionally, neighbors can be a valuable resource in identifying the early stages of the preparation for an attack on the facility. They would probably be the first to recognize strangers in the area; strangers conducting pre-operational reconnaissance. They would be able to report suspicious behaviors and unusual questions being asked about the facility. For them to be actively involved, they are going to have to be educated about the potential risk, the things they could be expected to report, and how to make such reports. Completely shutting them out of the security process because they are not CVI certified is short sighted. They don’t need to be informed about much of the security plan, but they do need to know that the facility is potentially at risk of being a target of a terrorist attack.

Wednesday, March 24, 2010

FBI and Optimizing CCTV

Thanks to an article on SecurityManagement.com, I took a brief look at an article on the FBI web page that discusses a new YouTube video produced by the FBI. The “Caught on Camera” video is billed as an instructional video designed “to show business owners how their security cameras can aid law enforcement investigations and maybe even help solve a terrorist attack”. According to the FBI: “Caught on Camera shows how to avoid common problems such as installing cameras in the wrong places, ignoring lighting and line-of-sight issues, and having administrators who don’t understand how the systems operate.” Instead of the usual talking-head type instructional video, this video uses a simulated investigation of a terror attack to look at how private CCTV systems can aid in a criminal investigation. Along the way an FBI spokesperson provides tips about how businesses can optimize the set-up of their CCTV systems. As I have said on a number occasions, this video will not make you a CCTV expert, but it will provide enough information to make a serious viewer more conversant with the requirements of a CCTV system. This will make it easier to talk with, and get the most out of a CCTV consultant. Even though this particular video concentrates on retail security CCTV systems, I still recommend that facility security officers take the 22 minutes necessary to watch this You Tube video. Oh yes, the article provides contact information to get a free DVD version of the video if you don’t want to get caught watching You Tube while at work. The FBI will provide free DVD’s to “to members of the law enforcement community, business owners, CCTV vendors, suppliers, contractors, and educators”. All they require is for you to provide “your name, position, agency, street address (no post office boxes), and telephone number”.

DHS CERT CSSP Calendar Page Update

Today the DHS CERT Control Systems Security Program Calendar page was updated to include a number of new training dates through December, 2010. Until this update the latest training date listed on the calendar was in April, 2010. The May program includes three regional presentations of the “Introduction to Industrial Control Systems Cybersecurity” presented by DHS CERT CCSP. They will be conducted in San Diego, CA (5-4-10); Orange County, CA (5-5-10); and Scottsdale, AZ (5-13-10). The first two courses provide email links for registration, but no info on the course. The last one provides a link to a course brochure that should be good (except for dates/locations) for all three courses.

Tuesday, March 23, 2010

Working with Local First Responders

I ran into an interesting article over on MarshallNews.com that tells an important story about how chemical facilities coordinate and work with their supporting first responders. Interestingly, it was a food processing facility with an anhydrous ammonia refrigeration system that took the extra effort that all chemical facilities (especially high-risk facilities) should take to ensure that first responders understand the chemical hazards at the facility. In this case the Cargill meat processing facility provided in depth information about the characteristics, both physical and toxicological, of anhydrous ammonia. They explained how to knock down the toxic cloud as well as the precautions to take while doing that critical emergency response task. They explained the difference between the ‘worst case scenario’ (a catastrophic failure of the 44,000 lb storage tank potentially affecting up to 450 personnel off-site) and a bad leak that could affect no more than 5 nearby residents. Finally, they took the emergency responders on a facility tour that showed the relative location of the buildings, the storage tank, and the anhydrous ammonia pipes for the refrigeration system (including shut-off valves on that piping). While the maintenance personnel showed the firefighters the details of the plumbing, the facility safety manager showed police, EMS, and even 911 personnel around the plant so that they could understand the layout of the facility. Now what really impressed me about this presentation was not the detail of the presentation to the firefighters and EMS personnel, after all that is self-preservation, or even the inclusion of the police and 911 personnel (that was a smart and creative move). No what surprised and impressed me was that the management was smart enough to include a press representative in the audience. After all, now the local public has a better understanding of the hazards at the facility and how they are being protected from those hazards. The only way that I could have been more impressed would have been if they had included local school, church and civic leaders in the presentation. Maybe they will include those personnel when they talk to their 450 neighbors that could be affected by a catastrophic release. If this facility were a CFATS covered facility (probably not given the small number of people in the worst case danger zone), then security issues would also have been addressed. I would expect that a facility this concerned about communicating with first responders would do a similar job in showing the local law enforcement personnel the ins and outs of the security system at the facility.

DHS Open Government Dialogue Closed

On March 19th, DHS (along with 23 other US Government Agencies) closed its Open Government Dialogue web site to further public input. The site is still available for viewing; there will be no new ideas to be posted nor will there be any more voting on ideas. A total of 150 Ideas had been submitted by the public along with 110 other Ideas that DHS determined to be ‘Off-Topic’. Each of those topics had been voted on by members of the visiting public. Now DHS will be taking a detailed look at those Ideas and ideas generated in-house to determine how they can be incorporated into the Obama Administration’s ‘Open Government Plan’. DHS plans to post a draft copy of their Open Government Plan to the same web site on April 7th. Below is the final status of the topics that I have been following on this blog: Fed Fatigue, Edward D Clark, 24 Positive Votes (Ranked #9) Homeland Security Critical Infrastructure Watch Program(HS CIWP), Steven Hopkins, 9 Positive Votes (Ranked #42) Port/Fuel Security, Tom Frock, 7 Positive Votes (Ranked #53) DHS Policy on Social Media, Hugh R. Griffiths, 3 Positive Votes (Ranked #82) The following is the final status of the two Ideas that I have submitted to the site: Public Security Reporting Tools, 9 Positive Votes (Ranked #42) Explanations for Delays in Rule Making Process, 8 Positive Votes (Ranked #46) I look forward to seeing if and how these Ideas are incorporated into the Open Government Plan.

Monday, March 22, 2010

DHS CSAT FAQ Page Update 03-19-10

Last week DHS posted updated versions of its answers to four of its extensive list of frequently asked questions (FAQ) on the CSAT FAQ Page. The four questions were: 1493: How much is a facility required to know about its customers’ business transactions to complete an SVA? 1581: How do I enter the potential refinery crude sources requested in the Top-Screen? 1606: I recently received an e-mail telling me there is a CSAT letter available for me to access and print. How do I go about accessing this letter? 1618: How do I access and acknowledge CSAT letters (for example, my facility's tiering letter)? The only change that I can find in any of the four answers is in the response to 1618. There I noted that DHS has changed the URL for the CSAT Portal to: https://csat.ornl.gov/csat. Unfortunately, the new link does not work. The old URL printed in the October 21st, 2009 version of the question, https://csat.dhs.gov/csat/, does work, but the link actually embedded in that URL, http://clickas1.csat.ornl.gov/csat/, does not work. So if you clicked on the previous answer it would not work, but if you cut/pasted the URL you would get the actual link to CSAT Portal, https://csat.dhs.gov/dana-na/auth/url_default/welcome.cgi. So when all ‘new’ responses are considered, it doesn’t look like any real changes were made to the CSAT FAQ page after all other than to remove an active link to the CSAT Portal.

Greenpeace Targets Collins

According to an article on MPBN.net (Maine Public Broadcasting) a Greenpeace activist talked to reporters outside of Sen. Collin’s (R, ME) office in Bangor, ME last week about the importance of supporting HR 2868 and the IST mandate included in that bill. Since Sen. Collins is leading the opposition to the IST mandate in the Senate Homeland Security and Governmental Operations Committee, changing her mind (however unlikely) would probably result in HR 2868 actually being considered by the Committee. David Pomerantz, of the Boston office of Greenpeace, pointed out that seven facilities in Maine have voluntarily “eliminated the [toxic chemical] risks by converting to safer, cost-effective chemicals”. He then named six facilities in Maine that have yet to make such a conversion and, as a result, still threatened “tens of thousands of Mainers”. Mike Belliveau, director of the Environmental Health Strategy Center in Maine, joined Pomerantz in calling for the Maine facilities to switch to safer chemicals. Unfortnately, Belliveau took the slightly exaggerated claim of facility risk made by Greenpeace and blew it all out of proportion when he said:
“If that chlorine was released in an accident or through a terrorist act, 145,000 Mainers in a 25-mile radius could immediately become injured and even killed through this toxic gas cloud rolling through our neighborhoods.”
First off, as I mentioned in the earlier blog, only a small fraction of that ’25-mile radius’ would actually be exposed to chlorine gas in a catastrophic release. Since chlorine can only spread with the wind it could take quite some time for the toxic cloud to spread to the 25-mile limit of exposure risk. In fact a stronger wind which would spread the cloud quicker would actually reduce the toxicity of the cloud. With a minimally effective emergency response plan there would be a couple orders of magnitude fewer casualties than claimed by Belliveau. Now, don’t get me wrong. Chlorine is a nasty toxic chemical. Those personnel exposed to lethal concentrations of the gas (most likely plant personnel and immediate down wind neighbors in a catastrophic release) will die a horrible death. Those exposed to less than lethal concentrations will have a variety of injuries, a limited number of which will affect the injured the rest of their lives. No Industry Response Unfortunately Public Broadcasting the piece by Anne Mostue, will leave the listener/viewers with the grossly exaggerated claims of Belliveau standing as ‘facts’. The article does note that the attempts were made to talk to facility representatives but no response was received. It is unfortunate that there was not an attempt to talk to first responders or local emergency planners in the area to get their view of the risk. With the public debate being pushed very effectively by Greenpeace and other environmental and labor activists, it is a shame that the chemical industry does not undertake an education campaign to provide potentially effected people with the actual facts about the possible hazards and the efforts being taken to both prevent and mitigate catastrophic leaks of these toxic chemicals. This lack of response is especially disturbing considering the legal and moral obligations that these facilities have to communicate chemical safety information to the population at potential risk. Allowing this exaggerated information to stand unchallenged is a complete abrogation of their hazard communication responsibility and probably increases the likelihood that counterproductive IST language will be included in any legislation that could come out of Congress, state legislatures or local government agencies.

Sunday, March 21, 2010

Congressional Hearings, Week of 3-22-10

While there are no hearings currently scheduled specifically on chemical security issues, there are a number of hearing that will affect the chemical security community tangentially. Two are mark-up hearings for cybersecurity legislation, three hearings on the nomination of the head of the TSA and one hearing on counterterrorism information sharing. There will also be an oversight hearing on FERC that may touch on SCADA security issues. Cybersecurity Legislation The Senate Commerce Committee will conduct a full committee markup of S 773, the Cyber Security Act of 2009, on March 24th at 10:00 am EST. When first introduced last year it was roundly criticized by many people for its apparently giving the President the authority to shut down the Internet (without ever saying how you could do that, of course). Sen. Rockefeller (D, WV) and Sen. Snowe (R, ME) recently announced a significantly revised version of the bill. This new version is sure to be the basis for the markup. Since a number of other issues are also going to addressed at this hearing, I just expect the new version to be voted upon as a ‘substitute in the form of an amendment’. More on this bill after the markup. The House Science and Technology Committee will be conducting a full committee markup hearing HR XXXX on March 25th at 10:00 am EST. The last time HR XXXX came up was back in November when the Subcommittee on Technology and Innovation met to markup HR XXXX, the Cybersecurity Coordination and Awareness Act. Since that bill has yet to be actually introduced, I assume that this is the same bill being considered this week. As I noted in an earlier blog this bill only had one section addressing industrial control system issues. We’ll see what, if anything gets added in this markup. TSA Nomination While the TSA is publically identified with airport security, the chemical security community also realizes that it deals with both air and ground freight security issues directly impacting our community. So we should be watching the hearings on the latest appointee with some interest. Both the Senate Commerce Science and Transportation Committee (March 23rd, 11:00 am EST) and the Senate Homeland Security and Governmental Operations Committee (March 24th, 10:00 am EST) will be holding nomination hearings this week. The Commerce Committee is currently scheduled to vote on the nomination at the same hearing that S 773 will be marked up. Counterterrorism Information The House Judiciary Committee will be holding a hearing on March 24th at 10:00 am that will look at “Sharing and Analyzing Information to Prevent Terrorism”. No witness list is yet available so it is hard to tell what will be addressed at this hearing. Sharing of counterterrorism information should be important to the chemical security community so this may be of some interest. SCADA Security This last one may be a stretch; the Energy and Environment Subcommittee of the House Energy and Commerce Committee will be conducting an oversight hearing of the Federal Energy Regulatory Commission. One of the issues that is likely to come-up (no details yet available) is security for the ‘Smart Grid’ system. Since this system is at heart an industrial control system of mega-proportions, Congressional responses to security issues identified here might trickle down to the types of control systems seen in high-risk chemical facilities.

Chemical Security Inspector Opening

I’m a little late in finding this job listing, but it does remain open until 03-25-10. DHS has posted a “few vacancies” for Chemical Security Inspectors on USAJobs.gov. I didn’t find a series of openings like I did the last time. I saw a similar listing on FederalGovernmentJobs.us, but that is not official site for applying for these jobs, so I would stay away from that site.

Friday, March 19, 2010

UP and USM to Settle

In the continuing saga of disagreements between U.S. Magnesium (USM) and the Union Pacific Railroad (UP) about the cost of shipping railcars of chlorine gas, we seem to have reached a point where the two sides have decided to go back to two-party talks to resolve the issue. The Surface Transportation Board (STB) announced today that, on two separate action before it, Board Proceedings are (on Docket #’s NOR 42115 0 and NOR 42116 0) being held in abeyance pending settlement talks between the two parties. These actions were requested jointly by both parties on March 11th. USM originally filed complaints with the STB on June 25th, and October 9th, 2009 challenging the reasonableness of rates for the shipment of chlorine gas from the USM plant in Rowley, UT to customers in California and Nevada. Two other complaints (UP v USM and USM v UP) over similar issues (to different customer locations) had both been resolved by the Board in favor of USM. While this may allow for a resolution of these particular rate disputes (that remains to be seen) it still does not provide any guidance to the hazmat shipping community or railroads on how the Board intends to handle the issue of TIH shipment rates. This issue will need to be addressed in the near future as many railroads maintain that they need to recover substantial portions of the costs for the installation of Positive Train Control (PTC) systems from the TIH shippers. This is due to the fact that the current FRA rules require installation of PTC systems on freight-only Class 1 mainlines only if TIH shipments are made on those lines. As part of this stay ruling, the Board will require a status report on the two-party talks be filed on May 18th and every 30 days there after until the problems are formally resolved. The issues may yet have to be resolved by the STB.

Counterterrorism Info to Private Sector

There is an interesting article over on FCW.com (Federal Computer Week web site) about a new program being planned by DHS to share classified anti-terrorism information with private industry (thanks to DHS CERT Control Systems web page for the link). The Cybersecurity Partners Local Access Program (CPLAP) will provide security clearances for select cybersecurity professionals in industry so that they can be informed about cybersecurity threat information. The distribution of information would be through local fusion centers that are already set up to provide such classified information to local law enforcement personnel. The CPLAP would also, according to the article, “allow industry officials to build relationships with their local fusion centers”. The cybersecurity officials would be from a variety of critical infrastructure sectors, presumably including the Chemical Sector. ChemPLAP Needed for CFATS I have been advocating for a while now that DHS should establish this type of information sharing as part of the CFATS program. I don’t know that DHS (or any other part of the intelligence community) has any particular intelligence related specifically to chemical facility security, but the time to establish this type of program is actually before actionable intelligence becomes available. The Infrastructure Security Compliance Division (ISCD) really does need to get started on establishing a ChemPLAP (Chemical Partners Local Access Program) for the CFATS community. With the inevitable funding and time constraints involved, they should probably concentrate first on Tier 1 facilities. Expansion to the other Tiers would proceed after the bugs were worked out of the program. InfoSec Problems The biggest obstacle to this type of information security (InfoSec) program is getting the appropriate security clearances for the civilians involved in the program. Having dealt with the security clearance program in the Army (and running it at the Company and Battalion level), I know how difficult it is to keep up with the bureaucratic requirements of the process. Throw in the background check requirements (though these are not too extensive for Secret level clearances) and you have a time consuming process on both ends of the system. There are other potential problems in establishing this type of program. Participants need some training about handling and disseminating classified information. Secure communications and storage need to be addressed. Proper classified document destruction procedures need to be established and followed. Finally there needs to be an audit process established to ensure that classified information is actually being protected in accordance with the proper laws and regulations. The article says that the industry professionals will have to go to their local fusion center to get the information. Presumably this is because of the need for secure communications links that are already available at these locations. If there is a prohibition against taking classified documents out of these centers, then many of the previously mentioned problems will be greatly reduced. Open Source Intelligence Of course, most of the InfoSec problems can be avoided if DHS were to establish an active open-source intelligence collection, processing and reporting program. Now, just because the information comes from open sources, doesn’t mean that the resulting intelligence products will be uncontrolled products. The process of analyzing and reporting makes the resulting information sensitive at the very least. Fortunately ISCD already has a methodology for handling and disseminating sensitive, but unclassified material. The Chemical Vulnerability Information (CVI) program is already in place at all CFATS covered facilities. This program should be adequate to protect intelligence products from open source information. The Chemical Security Assessment Tool (CSAT) could be adapted for the dissemination of CVI protected intelligence reports, with each facility designating one or more Intelligence Officers for access to an Intelligence Tool. I am glad to see that DHS is starting the move to making classified counterterrorism information available to industry professionals. Limiting that information sharing to the cybersecurity community is less helpful. Every sector needs this type of capability, but the CFATS community is probably the best organized to implement and successfully use such a program.

DHS Open Government Dialogue Last Day

There are only hours left to provide DHS with your Ideas on how they can make the Department more transparent and participative. I’m not sure exactly when today that they will stop accepting Ideas and/or votes on posted Ideas, so get the last minute submissions/votes in early. New Idea There is one new Idea since yesterday’s blog on this topic that is of potential interest to the chemical security community. Rjsind left an Idea, Discovery Channel, that questioned that TV Channel’s airing of an episode of ‘Breaking point’ that showed how a building being destroyed by a propane explosion. Now readers of this blog are fully aware of how destructive an vapor cloud explosion can be, but rjsind questioned the advisability of broadcasting that information to the world. Now I haven’t seen this particular show, but I doubt that it should any more information on the topic than any number of news reports, or a wide variety of other television shows. So the question isn’t really this show, but the general dissemination of this type of information. While this is a topic that should be discussed, I don’t see this as a viable part of the Open Government program, so I voted against this Idea. Ideas Being Followed Below is the current status of the topics that I have been following: Fed Fatigue, Edward D Clark, 23 Positive Votes (Ranked #9) Homeland Security Critical Infrastructure Watch Program(HS CIWP), Steven Hopkins, 9 Positive Votes (Ranked #40) Port/Fuel Security, Tom Frock, 7 Positive Votes (Ranked #52) DHS Policy on Social Media, Hugh R. Griffiths, 3 Positive Votes (Ranked #82) The following is the current status of Ideas that I have submitted to the site: Public Security Reporting Tools, 9 Positive Votes (Ranked #40) Explanations for Delays in Rule Making Process, 8 Positive Votes (Ranked #45)

Reader Comment 03-16-10 More HR 2868

An Anonymous reader posted a comment to my earlier blog on the earlier discussion on the status of HR 2868. Anonymous wrote: “Can't see why Sen. Lieberman would introduce anything now, being that 2 Democrats have already endorsed the Collins bill. He would not have the votes to get it out of committee.” Reality It sure would be nice if politics were that simple. First we must realize that there is no current open opposition for making the current CFATS regulations permanent. There is some significant opposition (firmly led by Sen. Collins) to including IST mandate language in the authorizing legislation. There is also significant support for such a mandate (just as firmly led in the past by Sen. Lieberman). Sen. Lieberman and Sen. Collins are well known for their ability and desire to work out reasonable compromises on a variety of Homeland Security issues. And both Senators want to see permanent chemical security authorization passed. Finally, we have to admit that, while S 2996 does have ‘bipartisan’ support in being co-sponsored by two Democrats, it has virtually no chance of being passed into law. Democrats in the House have firmly established that they will not accept permanent legislation for CFATS without a number of pro-labor provisions, including some sort of IST provision. I’m not even sure that there are enough votes in the Senate to pass S 2996. Actually, this calculus may explain why DHS began work on their own draft for CFATS legislation. The Administration supports having IST language in any legislation making CFATS permanent. If DHS can work out some compromise language that will be acceptable to the House Democrats and Sen. Lieberman while not overly offending industry and Sen. Collins, then we might have a chance of getting enough votes in both the Senate and the House for a bill that permanently authorizes CFATS. Potential for Compromise Now I do think that a reasonable IST compromise can be written that would garner grudging support of significant portions of the chemical industry. Such support would be key to gaining support of moderate Republicans and conservative Democrats. Just look at the reduced industry opposition to the water IST provisions in HR 2868. Next week’s CCPS meeting will be essential in establishing the theoretical basis for such support. The important consideration this year will be the issue of timing. The closer we get to the November elections, the harder it will be to get the necessary votes. Legislators are more likely to oppose making votes on controversial legislation the closer they are to the voters’ evaluations. IST supporters are less likely to support compromise wording because of the large groundswell of support for IST from labor and environmental groups (just search for ‘chemical security’ on Twitter to see how hard Greenpeace is working this issue). IST opponents are less like to risk charges of killing jobs.

The real problem is that the Obama Administration has just not demonstrated that they are capable of internally approving politically controversial proposals in a timely manner, particularly in the homeland security arena. If the White House can speed their internal approval process and get the DHS draft legislation to the Senate in a timely manner (and that draft adequately addresses legitimate industry IST concerns, of course) then CFATS can pass before the summer recess.

Thursday, March 18, 2010

CCSP Congress to Address IST Issues

Thanks to some prodding by a reader from DHS, I just finished taking a look at the program for next weeks Center for Chemical Process Safety’s (CCPS) 6th Global Congress on Process Safety. The reason for the DHS interest is explained in this quote from the CCPS web site:
“The US Department of Homeland Security’s Chemical Security Analysis Center (CSAC), part of the Directorate of Science and Technology, has initiated an effort to enhance the safety and security of hazardous chemicals. As a first step, AIChE’s Center for Chemical Process Safety (CCPS) has received a contract to develop a formal scientific and technical definition of Inherently Safer Technology (IST). This definition is intended to help inform discussions of the role of IST in chemical plant and refinery security.”
Back in February the CCPS and DHS held a workshop for technical experts in the field in Houston, TX. The formal report from that session will be presented at next weeks Global Congress on Process Safety. In fact, there will be two half-day sessions at the meeting in San Antonio that will specifically address the issues surrounding IST and chemical facility security. Both sessions will take place on Monday, March 22nd. The morning session will include:
10:00 am - Overview of Inherently Safer Technology (Dennis C. Hendershot) 10:30 am - The DHS Chemical Facility Anti-Terrorism Standards – A Risk-Based Approach to Chemical Facility Security (Larry Stanton) 11:00 am - Inherently Safer Technology Trade-Offs (Jatin Shah)
The afternoon session will include:
1:30 pm - Federal View of Inherently Safer Technology From the CSB Perspective (John Bresland) 2:00 pm - ACC Philosophy On the Appropriate Application of Inherently Safer Principles (Peter N. Lodal, Laurie A. Miller) 2:30 pm - Applying Inherently Safer Systems – Contra Costa County's Experience (Randall Sawyer) 3:30 pm - Facilitated Panel Discussion and Audience Q&A/Discussion Session
The panel for the afternoon’s discussion will include all of the earlier presenters. While the CCPS is preeminently a safety organization (recognized throughout the world for their safety expertise) they also provide information and expertise that is critical to the thoughtful development of security procedures and processes. As we have come to expect, there will be a number of other presentations at this process safety meeting that will address issues of concern to the chemical security community. They will include:
● Simulating the Consequences of an HF Release and Evaluating the Effectiveness of Safeguards to Reduce those Consequences (Randy Hawkins, Daniel Sheahan) ● Atmospheric Storage Tank Explosion Modeling (Jérôme Taveau, Jérôme Richard) ● Update of “Guidelines to Vapor Cloud Explosion, Pressure Vessel Burst, BLEVE and Flash Fire Hazards” (Quentin A. Baker, Adrian J. Pierorazio, John L. Woodward, Ming Jun Tang) ● Consequence Modeling of Chlorine Release (Prakash Amulakh Shah, Chandrakant J. Patel, Ms. Raja Kirthi Kalluri) ● Learning the Lessons From Buncefield (Ian Travers) ● Process Safety and Chemical Security—the Need for Company Specific Risk Criteria (Brad A. Fuller)
If you can make the time and get to San Antonio, TX next week, I think that the sessions would certainly be worth your time. Registration is still open and CCPS is allowing people to register on each day of the meeting.

DHS Open Government Dialogue 03-17-10

Tomorrow will be the last day for posting Ideas or voting for Ideas on the DHS Open Government Dialogue. As of last night the Idea count had increased to 136 Ideas while the Off-Topic Ideas had only gained one new entry, bringing the total to 110. There are no new chemical security related ideas since my last blog on this topic. Below is the current status of the topics that I have been following: Fed Fatigue, Edward D Clark, 22 Positive Votes (Ranked #9) Homeland Security Critical Infrastructure Watch Program(HS CIWP), Steven Hopkins, 8 Positive Votes Port/Fuel Security, Tom Frock, 7 Positive Votes DHS Policy on Social Media, Hugh R. Griffiths, 3 Positive Votes The following is the current status of Ideas that I have submitted to the site: Public Security Reporting Tools, 9 Positive Votes Explanations for Delays in Rule Making Process, 8 Positive Votes There is still time to vote on the current Ideas or to post an Idea of your own. If any reader posts a chemical security related Idea before this is shutdown tomorrow evening, let me know. I’ll provide links on this page (whether or not I agree with the Idea) so that other readers can vote on the Idea. It is really a shame that there hasn’t been more public participation on this site. It isn’t often that cabinet level agencies ask for public input on how that more effective communications can be established between the government and the public. Of course, DHS hasn’t been doing much to publicize their outreach, so I guess that the level of participation shouldn’t be too surprising.

Wednesday, March 17, 2010

DHS CIKR Learning Series Web Page Update 03-17-10

Today DHS updated their Critical Infrastructure and Key Resources (CIKR) Learning Page. They have moved the listing for their Infrastructure Protection for the 21st Century: Making Effective Use of Visualization Technology webinar to the archive page. No new webinars have been added to the page, but Spring seminar listing should appear on this page in the near future.

Reader Comment 03-16-10 Is HR 2868 Dead

There was an interesting reader comment from Anonymous posted yesterday to my earlier blog about whether CFATS is dying. The writer made some comments about how some readers could equate CFATS and HR 2868 as being the same thing, even though that isn’t actually correct. Then Anonymous asks me: “So the question, perhaps, remains --- is HR 2868 (and it's Senate version) dead? ie: Will the bill go to the President for signature?” DHS to Draft CFATS Legislation I believe that, after watching the webcast of the Senate Homeland Security and Governmental Operations Committee hearing on March 3rd, HR 2868, as passed in the House, will not be considered or reported by that Committee. Sen. Lieberman’s comments to Secretary Beers about the DHS draft of legislation for making CFATS permanent indicates that it will be that DHS document that the Committee will consider, mark-up and report. Now I have not yet seen a copy of that draft (nor has it apparently yet been approved by the White House) so I don’t know how much it differs from HR 2868 (as passed in the House). I would bet that there are significant differences or the Department would not be offering this draft for the Senate to consider. I would think that the Department’s bill would make it clearer that the current rules would remain in place and enforce until they were modified by subsequent regulations. I would also bet that the Department would phase in the new requirements (whatever they are) by Tier; with Tier 1 facilities being required to implement first. Legislative Process Now, let’s look at the mechanics of how the ‘DHS’ bill would be handled in the halls of Congress. First it is remotely possible that Sen. Lieberman would introduce an entirely new bill based on the DHS language. There is a certain amount of propriety associated with doing things this way, since it is really entirely new legislation. Unfortunately, politics is usually messier than this. What is more likely to happen is that Sen. Lieberman would call for the Committee to conduct a Mark-Up hearing on HR 2868. The first amendment to be considered would be for the Chairman to offer an ‘amendment in the form of a substitute’. This would allow everything but the bill number to be erased and the DHS language to be substituted for the House language. After appropriate additional amendments and modifications the new HR 2868 (DHS version) would be reported favorably to the floor of the Senate. There it would undergo additional modifications and amendments. When (or more appropriately if) the final Senate version of HR 2868 is passed it is likely to be completely unrecognizable to those members who voted in favor of HR 2868 last November. But, it will have been passed on both houses, so it will go to a Conference Committee to work out the ‘differences’ between the two bills. That Committee will revise and amend the bill to a form that the managers (probably Sen. Lieberman and Rep. Thompson) feel can pass in their respective bodies. Typically, the Conference Report version of the legislation will then be passed in each the House and the Senate. If that happens, it then goes to the President for signing into law (or veto). It does rarely happen that the managers misgauge the attitude of their respective body and the conference reported bill get further modifications in one or both houses. Then, further back and forth is needed to get both bodies to finally vote on the same language to pass the bill. This could happen with the CFATS legislation being written by DHS. I don’t believe however, that such a bill would get White House clearance in time to get through the wheels of the process in the Senate before the summer recess. With the fall elections staring Congress in the face nothing of substance will get done between the summer recess and the elections. Then there is the question of a post-election session of the lame-duck Congress. If the Democrats loose (or substantially loose) control of the House and/or the Senate in the fall elections, there might be an attempt by the Democratic Leadership to push through consideration of a new CFATS bill (this is how CFATS actually got established after the Republicans lost control of the House). I firmly believe that such a lame duck push will be rebuffed in the Senate. If the Democrats retain substantial control of both houses, then CFATS is likely to be shelved until the 112th Congress. HR 2868 is Dead So the short answer to the original question is that I truly believe that HR 2868 is dead. I don’t think that the White House has the political will (or time) to get their draft legislation approved and sent to Sen. Lieberman in time for it to be acted upon before the summer recess. Any CFATS legislation reported out of the Homeland Security Committee after the return from that recess will spend time in political purgatory to face re-birth in the 112th Congress. Oh yes. As an important sidelight to that question, the one year extension of CFATS will certainly be included in the final version of the FY 2011 DHS Budget bill, so CFATS will survive for another year (and probably continue to do so until a reasonable compromise on many CFATS issues are worked out). HR 2868 is dead… Long Live CFATS.

Security Incentives

I love the internet and Google; otherwise I never would have run across this interesting article at JournalOfAccountancy.com: “Growing Opportunities: The Agricultural Chemical Security Credit”. Actually I wrote about this tax credit when it was included in the 2008 Farm Bill, but it is interesting to see it rise to the surface now. This tax credit effectively refunds 30% of covered measure security implementation costs up to a maximum of $2 million per year. That is a lot of security measures. Now, of course, this is limited to chemical security measures for agricultural products and has a number of limiting factors. But, it does go to show how strong the Farm Lobby is in Washington. This credit was added to the Farm Bill when it became obvious that DHS intended to include a number of agricultural chemicals in their list of chemicals of concern (COI). This would lead to many distributors and users of these chemicals falling under the Chemical Facility Anti-Terrorism Standards (CFATS). This was after they lost the fight for these to facilities to be excluded. While a number of people have complained about the power of the chemical industry lobbyists to prevent costly legislation from passing, this once again demonstrates that the chemical industry is made up of rank amateurs when it comes to the business of lobbying. Maybe it is time for the K Street Chemists to start thinking about giving up the fight against some of the proposed chemical security rules and start fighting for tax breaks instead.

Tuesday, March 16, 2010

HR 4842 Mark-Up

Today the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee held a hearing to markup the recently introduced DHS Science and Technology Directorate Authorization bill, HR 4842. A number of minor amendments were adopted by voice vote and the Subcommittee favorably reported the amended bill to the full Committee. Chairwoman Clarke (D, NY) explained that the purpose of this legislation “is to ensure that the Science and Technology Directorate has the right tools available to be successful”. She further explained that success “means delivering products into the hands of our first responders, law enforcement officials, or critical infrastructure owners to help them achieve their mission and make America more secure”. Amendments were offered by Rep. Austria (R, OH), Rep. Kilroy (D, OH), Rep. Sanchez (D, CA), and Rep. Lujan (D, NM). All were passed on a voice vote with no demands for recorded votes. In today’s political climate this is a remarkable showing of bipartisan support for this legislation.

Two of the amendments might be of interest to the chemical security community. Ms Kilroy’s amendment added a new research program requirement to “develop and support cyber forensics and attack attribution” to §404(b). As part of the cyber security incentives research the S&T Directorate is required to under take with the National Research Council, Ms Sanchez’ amendment would include “analysis of the current marketplace and recommendations to promote cybersecurity insurance” in §405(b).

3 Reader Comments 03-15-10 SSP Experience

I got three different responses to my earlier post about Dick Sem’s thoughts on the SSP process. The first came from a long-time reader Edward Clark, the second from another security consultant that has apparently been reading the blog for a while, Jim Lupachinno. Finally Dick had a gracious response and new comment. All three comments are appended to the end of that blog post and are well worth reading. Both Ed and Jim had generally favorable comments about the SSP process, with both noting, however, that improvements can obviously be made to the program. Ed notes that CFATS “does allow the skilled security analyst [emphasis added] to assess the risk and implement appropriate mitigation strategies”. Dick acknowledges that, but notes that many facilities do not have such a person on staff and are attempting to complete the SSP using someone in-house without significant security training like the EH&S Manager. Jim emphasizes that the SSP process draws information from a number of different disciplines within the covered organization. He notes that:
“Sales, Human Resources, and Customer Service uniquely impact COI security at different phases of the inventory or production cycle. One effect of SSP interaction with support departments can be the bridging of ‘silos’ within some organizations.”
He also notes that communications with the emergency response community is necessary to answer some of the questions posed in the SSP. This communication “exchange contributes to a more thorough understanding of the challenges first responders face specific to the facility's COI”. This is another positive aspect of the SSP process. I urge all readers interested in the CFATS process to go back and read all three postings from these security professionals. I’m sure that these are not the only opinions out there on efficacy of the SSP process. I (and my reader presumably) want to hear about problems and challenges that facilities are having in their completion of the SSP. Those observations may lead to improvements in the methodology.

HR 4842 Introduction – DHS S&T Authorization Bill

On Monday, Rep. Yvette Clarke (D, NY), Chairwoman of the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, introduced HR 4842, the Homeland Security Science and Technology Authorization Act of 2010. Chairman Thompson (D, MS) and the ranking member on the subcommittee, Rep. Lungren (R, CA) are co-sponsors of HR 4842. This bill would authorize the DHS S&T Directorate for FY2011 and FY2012. There are a number of provisions of this bill that will be of interest to the chemical security community. Cybersecurity R&D Section 404 of this bill calls for the S&T Directorate to conduct and support a variety cybersecurity research and development efforts. The bill would authorize the appropriation of $75 million in both FY 2011 and FY 2012 for such R&D efforts to “prevent, detect, and respond to acts of terrorism and other large-scale disruptions to information infrastructure” {§404(d)}. One of the specified efforts would be to assist “the development and support of technologies to reduce vulnerabilities in process control systems” {§404(b)(5)}. Section 405 would require the S&T Directorate to work with the National Research Council to conduct a study of incentives to encourage to private sector to increase its efforts in the field of cybersecurity. One of the areas the bill directs to be included in the study is the evaluation of the use of regulations that would impose “under threat of civil penalty best practices on system operators of critical infrastructure” {§405(b)(3)}. Chemical Security R&D Section 409 would establish requirements for R&D to be conducted by the S&T directorate in the areas of chemical and biological threats research. Specifically for chemical security the Directorate would be tasked to “develop technology to reduce the Nation’s vulnerability to chemical warfare agents and commonly used toxic industrial chemicals” {§409(d)}. Included in this would be the establishment of the Chemical Security Analysis Center. The CSAC would be tasked with “conducting risk and vulnerability assessments based on chemical threat properties” {§409(d)(1)}. Additionally the Directorate would be required to work to “foster a coordinated approach to returning a chemically contaminated area to a normal condition, and to foster analysis of contaminated areas both before and after the restoration process” {§409(d)(3)} Mark-up Hearing

The Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology has a hearing scheduled for today at 2:00 pm EDT to markup this bill.

IST Questions – Active Mitigation

This is another of a series looking at how DHS might construct an Inherently Safer Technology Assessment Tool (ISTAT) for the Chemical Security Assessment Tool if Congress were to include a requirement for conducting an IST assessment as part of their legislation to make the CFATS program permanent. The other postings in the series were:

An IST Tool for CSAT
Reader Email – 03-04-10 IST Rules
IST Questions – Inventory Management
IST Questions – Chemical Substitution

 As I explained in the initial posting in this series active mitigation systems include automated, active safety systems that chemically or physically modify an RTCOI so that a catastrophic release of the material does not have a significant effect outside the facility boundaries. The main controversy with these systems is their reliability in the destructive environments associated with terrorist attacks. Because of this controversy, the initial questions will establish the efficacy of the system.

Chemical Neutralization 

The initial questions will establish the existence of chemical reactions that will convert the RTCOI to a chemical that does not present the same vapor phase toxicity. Follow-up questions will look at how quickly the reaction proceeds and examine the byproducts, chemical and physical, of that reaction. Finally the questions will examine if it is possible to design an automated system to effect the chemical neutralization that does not require operator action and will proceed in the event of loss of power or computer control.

Once the effectiveness of the neutralization system is established, the cost of the system will be established. As in earlier process changes that require new equipment these questions will address engineering estimates for the costs of these installations. As with any preliminary estimates they will include known costs (e.g.: list cost of storage tanks) plus a standard engineering markup to cover installation costs. DHS would have to establish a standard method for determining that markup.

Physical Neutralization 

Typically physical neutralization systems convert the vapor phase of an RTCOI into a form that would not leave the confines of the facility; the most common is one that uses a solvent spray to dissolve the released toxic vapor. The initial questions will look at the efficacy of the spray system, establishing the amount of solvent necessary to knock down a catastrophic release of the material from the single largest container on site. Subsequent questions will establish how the system will be designed to remain effective if power systems are shut down by the terrorist attack. Again, once the efficacy of the proposed system was established the costs of the system would have to be examined.

100% Efficacy? 

One political question that would have to be addressed with this type of IST program is whether or not the neutralization system would have to achieve 100% neutralization to be considered an adequate IST system. The argument can be made that reducing the amount of the RTCOI that leaves the facility to an amount less than as the Tier Reduction Quantity (TRQ) or the Facility Elimination Quantity (FEQ) established for that facility would be a sufficient risk reduction to meet the requirements for the current language in HR 2868. Thus 100% efficacy would not be required for these systems.

Monday, March 15, 2010

Greenpeace Chemical Security Campaign

Greenpeace continues to roll out new variations on their messages calling for grassroot support for new, comprehensive chemical security legislation. The current campaign builds on their “Don’t Let the ‘Crazies’ Fool You” campaign that uses the latest zombies movie to stand as a symbolic exemplar of the hazards associated with dangerous chemicals. Each new variation brings a new round of social network site (Twitter and probably FaceBook) responses that spread the word virally around the internet. It is hard to tell from the outside how well this translates into clicks on the form emails to Representatives and Senators, or maybe more importantly, how well it gets contributions to the Greenpeace political coffers. Their campaigns do not call for contributions to Greenpeace, but I would be very surprised is such contributions did not track their efforts. Political Exaggerations I have chided the chemical industry opposition to HR 2868 for some of their exaggerations, so it is only fair that I point out that Greenpeace is guilty of the same type of political shenanigans. For example, in their latest piece touted on Twitter (though the actual web page may be older) they quote their standard statistic of “One in three Americans is currently at unnecessary risk from dangerous chemical plants.” While not false, this is an exaggeration of the first order based upon their failure to explain how the figure was arrived at. This ‘one-in-three’ number can be traced back to the figure of 110 million Americans ‘put at risk’ of a potential toxic inhalation hazard release due to a terrorist attack. This figure was developed by the Center for American Progress. They looked at 300 chemical facilities that reported storing large quantities of chemicals like chlorine gas and anhydrous ammonia. Using the maximum distance that a toxic cloud would spread before it became effectively non-hazardous, they then drew a circle around the facility with that distance as a radius. Counting all of the people that lived/worked within that circle provided the number of people at risk for that facility. While everyone within that circle is potentially at risk for injury from a catastrophic release, only a small fraction could actually be possibly exposed in an actual incident. The wind disperses a chemical cloud in a fan shaped pattern. The extent of the area covered by the cloud in that fan shaped area is dictated by the wind and temperature at the time of release. In any case that fan covers only a small portion of the circle used to calculate the ‘at-risk’ population cited by CAP and Greenpeace. Furthermore, toxic exposures within that fan area will vary widely; from deadly to no effect. Depending on the physical characteristics of the toxic gas, people above the ground floor in multi-story buildings might not be affected, even within hundreds of yards of the release. Finally, the medical effects on the great majority of the personnel actually exposed would be short term effects requiring little medical care. To be sure, a catastrophic release of a large chlorine tank car in an urban area would kill a large number of people, but not anywhere near the numbers being reported by the environmental activists. Assume that it is fair to calculate that anyone within the exposure circle as being at risk, because on any given day the wind could be blowing in any direction. Even if they might not be harmed in a given successful terrorist attack, they are at risk for being harmed if the wind is blowing the correct direction. Even then the 110 million people figure is misleading. Many of these facilities are concentrated in small areas around the country. Thus their circle-of-effects overlap to a great extent. If a single person is exposed to potential injury from multiple plants, they cannot be counted multiple times in the national ‘at-risk’ pool. Finally, we need to compare these potential risks to everyday risks that people accept as a natural part of their lives. For example since they count everyone in the potential effects area as being at risk, isn’t everyone that drives on or walks along roadsides at risk for severe injuries in an automobile accident. Thus the number at risk for that (certainly over 300,000,000) readily outweighs the risk of being exposed to hazardous chemicals from a successful terrorist attack. There is a Risk Now, don’t get me wrong. There is a large level of risk for significant portions of the population from a successful attack on a large toxic inhalation hazard chemical storage sites. One way of reducing that level of risk is to change over to less hazardous chemicals where possible and appropriate. There are also other ways that are nearly as effective given the actual probability of such an attack happening (based upon past history, no chance; based upon reasonable projections that such an attack could happen, some small chance). A reasonable discussion needs to take place on how to make that assessment in a way that best serves society as a whole. Trying to force that discussion based upon fear makes it very hard for the people with different ideas to take you seriously. Greenpeace, you need to come up with a better method for expressing your legitimate concerns about the real hazards associated with these materials. Until you do, your opposition will not take you seriously, and you will have little chance of affecting the political outcome.

Sunday, March 14, 2010

Reader Comment 03-13-10 SSP Experience

Dick Sem of Sem Security Management was one of the first people that I contacted when I started working on chemical facility security issues back in early 2007. I found his contact information thru an internet search. We have stayed loosely in touch since then. When he posted on LinkedIn.com that he had been working on some SSP submissions, I sent him a message, asking him to share some of his general impressions with readers of this blog. Late Saturday he left those comments appended to my recent post on the premature reports of the death of CFATS. His comments are worth reading in their entirety. He is an experienced security professional and his opinions on the process should be considered by DHS as they continue to review and update their process. One Size Fits All Dick’s ending comment is especially important. We always hear about how important it is for security measures to be risk based and how we must avoid a ‘one size fits all’ set of security requirements. In a slightly different look at this Dick writes:
“While I'm getting things off my chest, this process looks like its developers never actually saw especially small facilities with relatively limited resources. The SSP tries too much to be all things to all facilities with little concern for their size, function, location, etc. Perhaps it would have been better if there had been separate SSP's based, in addition to Tier level, upon the size of facility or type (i.e. chemical, educational, manufacturing, paper, water treatment, etc.)”
Now, I know that DHS developed all of their tools with the intention that any covered facility, regardless of size or type, could provide information about their security efforts. This means that there are many questions that will be answered “No” or “N/A” by many facilities; especially smaller facilities. I’m not sure, however, that DHS has communicated adequately that they are not expecting that facilities should be using these questions as security guidelines that must/should be followed by every facility. Part of the problem is, of course, caused by the Congressional restriction that DHS could not require specific security measures as a pre-requisite for SSP approval. I understand, and agree with, the underlying reason, but it does make it more difficult for DHS to communicate what is expected of facilities. Another problem was the short amount of time that DHS had to get this stuff all put together. There simply wasn’t time to develop separate SSP’s for each industrial sector that might have covered chemicals on-site. Though, to be fair, DHS has addressed a number of individual chemical communities with the suggestion that they develop an Alternative Security Plan process for their specific situations. Most have declined, allowing the burden to remain at the doorstep of DHS. Some individuals at ISCD have been particularly upset with the academic community in this respect. SSP Misnomer Dick Sem also points out a problem with terminology, writing about the Site Security Plan process that “And once you're done, you have a completed checklist with planned and proposed measures but no actual plan.” A number of writers (myself included) have pointed out this particular problem, but none of us have yet come up with a good solution. It certainly wouldn’t be practical for each facility to submit a compilation of all of the security procedures that are in use at a facility. For a larger facility this could easily run to a couple hundred pages of densely written pages explicating who does what to whom. Evaluating such documents at DHS would certainly be unmanageable with twice their current staff. Now, those procedures are actually more important than the SSP submission checklist when it comes to actually protecting the facility. But there is another problem with the submission of full procedures; DHS has taken the stance that the approved SSP is, in fact, an enforceable contract between DHS and the facility. Once the SSP is submitted and approved, DHS can require the facility to properly employ, train and maintain they system outlined in their SSP. Failure to do so, could result in $25,000/day fines. Now everyone knows that effective procedures must be living documents; constantly being updated and revised to reflect their operation in the real world. As long as such changes do not change the answers to the SSP questionnaire, facilities would have more leeway to make these modifications. If the actual procedures were submitted and approved, DHS would have to buy off on even the smallest procedural changes. Process Discussion One thing that we have seen is that DHS realizes that their process must also grow and evolve as lessons are learned. Comments like Dick Sem’s are an important part of the process of making the CFATS program more effective. I know that I have a significant readership at ISCD; so DHS is seeing this discussion. I would like to solicit comments from anyone that has been involved in the implementation process. Comments from security professionals are important, but so are comments from security managers of facilities that are going it alone, without advice from security professionals. System integrators and vendors will also have valuable inputs to this discussion. We do have to worry about CVI issues in this discussion. While I have decried the overuse of ‘Anonymous’ in posted comments, I would much rather have that than names that can be linked back to a single facility. And please, let’s keep the discussion generic so that no facility’s security is compromised.
 
/* Use this with templates/template-twocol.html */