Friday, April 30, 2010

DHS Open Gov Dialogue Update 04-30-10

It has been two weeks now since I reported that the DHS Open Government Dialogue web site was once again accepting comments on the DHS Open Government program. A second new comment (Federalize or Deputize the Contract Security Force) has joined mine on the site and both of our comments now have 2 positive votes. Great participation. Actually, considering that I am apparently the only one that is publicizing the DHS site, I guess the miniscule participation is to be expected. To make matters worse, anyone that had participated earlier in the dialogue and then returned to the site would see the old results as a default setting (showing the ‘most popular’ comments first). This would lead them to assume that there was nothing going on at the site and they would move on. If DHS had decided to justify killing their mandated participation in the Obama ‘Open Government’ program, this is the type design that I would use to make it clear that the ‘public’ just wasn’t interested. The lack of participation would, at some point, become adequate justification to stop expending the resources necessary to maintain the site; just another attempt to expand public participation in government that died because of public apathy. Now, to be fair, I don’t know that anyone at DHS is trying to kill this program. No one would admit such a thing if it were true. I can say that I have seen no attempt to direct traffic to this site. None of the Twitter or social networking tools have been used to let the public know that that there input is being requested on the site. Now it is a good thing that the old dialogue is still available, but those pre-plan ideas need to be moved to another page where they won’t confuse current efforts. Now those of us who submitted earlier ideas may decide to re-submit an old idea to address a new issue, but that should be kept separate from the historical record. How to Use the Dialogue This dialogue mechanism is a good way to get a large number of people to look at a significant problem and propose solutions. The voting mechanism can provide a first-sort mechanism that will allow promising ideas to become separated from the chaff. The current problem with the leaking oil well in the Gulf is a perfect example of the type problem that could be addressed by this mechanism. A new page on the site could be started for this ‘problem’. Two of three apparently intractable problem statements could be posted with a request for ideas. Publicize the hell out of the site and then watch the ideas flow. Now most of the ideas will not be workable. Ideas are like that. But the more suggestions that are received, the higher the probability that a potentially workable idea will arise. The voting mechanism allows the public to do the initial idea sort and then the experts can be brought in to look at the high-ranked ideas. Even when the actual ideas are not workable, they may trigger another idea in the mind of the expert, pointing them at new ways to think 'out-of-the-box'. Use the Dialogue Of course, this presupposes that the leadership at DHS really wants to engage the public. If they do want public participation, they have developed a tool through last year’s QHSR and this year’s Open Government Dialogue that can prove useful in pulling in the public’s input. All they have to do is use the tool that they have available. We’ll see….

CIKR Learning Series Update 04-29-10

Yesterday DHS updated their Critical Infrastructure Key Resources (CIKR) Learning Series web page to include an announcement about their next webinar: “2010 Hurricane Season: Tools for Understanding Risk”. While this is not strictly a chemical security topic, most chemplant security folks deal with planning for and responding to natural disasters as well. According to the notice this webinar will “highlight HITRAC’s hurricane-related advanced modeling, simulation, and analysis capabilities”. HITRAC is the Homeland Infrastructure Threat and Risk Analysis Center. It is the “Department's infrastructure-intelligence fusion center”, providing “actionable risk-informed analysis for federal, state, local, tribal, territorial, private sector, and international partners”. Using their risk analysis tools to look at hurricane related risks certainly falls within the new ‘all risk’ focus of the Department. Any chemical facility within hurricane distance of the Atlantic or Gulf coasts might find this informative. The webinar will be held on Wednesday, May 12, 2010, 1:00-2:00pm EST. You can register online.

Pre-Screen CFATS Inventory

In a couple of earlier blogs I looked at how DHS might help companies address changes in their inventory levels of chemicals of interest (COI). All of the situations discussed in those blogs involved reporting changes in inventory levels after they had occurred. This is fine from a regulatory point of view, but doesn’t make a lot of sense from a business point of view. The way things are currently set up, a company considering adding a new product line that requires the presence of a new COI, can’t determine the security needs for that new product until it is already on site; not a good way to run a business. The Problem When a company begins to consider making a new product, they have to determine what the manufacturing costs will be. The magnitude of those costs is a key determinate in the decision to move forward with the new project. If the costs are too high, the project will have to be killed. If the costs are substantially underestimated and the company proceeds with an unexpectedly costly new project, the result could be devastating. This is especially true in a recovering economy. For companies starting a project that includes the introduction of a COI into a facility, this is serious potential problem. If DHS were to determine that the facility had become a high-risk facility (or a higher tier rated facility) as a result of the new COI, the additional security costs could prove to be devastating to the financial health of the facility. One option would to assume that any project involving a new COI would result in being declared a high-risk facility. The facility could then factor in estimated security costs into their cost calculations. Unfortunately, that could result in projects being killed that would be financially feasible if the facility would not have been rated high-risk by DHS. In a recovering economy, it really doesn’t help if companies improperly kill potentially viable expansion projects. Because DHS refuses to disclose the details of their decision making process for determining the risk-status of a facility, companies do not have a reasonable process for making their decisions. I understand why DHS is reluctant to disclose these details, but it isn’t helpful to expanding chemical production. A Possible Solution Absent disclosure of the DHS decision model (unlikely), it seems to me that the best way to solve this problem is to provide a pre-screen capability to the Top Screen system. This would allow facilities to submit potential inventory levels to a Pre-Screen tool and to receive back a preliminary evaluation of their potential risk status. If the preliminary evaluation showed that they probably would become a covered facility, the added security costs could be factored into the cost model. To be truly effective this Pre-Screen tool would allow a facility to provide a number of different storage options and quantities to see how they would affect the outcome of the DHS evaluation. This way the facility could look at options for optimizing their use of the COI while minimizing their potential costs. While this would obviously be a benefit to the companies involved, it would also assist DHS in more effectively administering the CFATS program. This would allow companies to tailor their introductions of COI to ensure the lowest possible tier ranking. Since lower tiered facilities are re-inspected less frequently, this would help DHS reduce their inspection load. It would also help to reduce the work load associated with multiple subsequent Top Screens as facilities tried to reduce their security requirements by allowing those efforts to take place before DHS would have to officially recognize the issue. Include in Legislation As DHS is still (I suppose) working on their draft of CFATS reauthorization legislation, I think that these Top Screen issues should be addressed in that legislative draft. That is one of the good things about an executive agency drafting this type legislation. They can include those types of items that would be missed by legislators and their staffs. The regulators are closer to the real world and should understand the regulatory issues better.

Wednesday, April 28, 2010

Cyber Security Article

Twitter® is becoming a very valuable tool for finding articles of interest on the Internet. Many writers are posting notices of their articles on Twitter (like I have been doing for over a year now) and other writers and info gatherers re-tweet those notes. That’s how I found this article on ChemicalProcessing.com. It is an interesting look at cyber security for industrial control systems at CFATS facilities written by Andrew Ginter, of Industrial Defender. The article provides some valuable advice for dealing with Risk-Based Performance Standard 8, Cyber Security. It provides a list of 13 “Key Implementation Challenges” with a brief discussion of each. They range from having a security policy to using a layered approach to security design. There are a couple that deserve special mention and I recommend reading the author’s description:
Awareness and training; Monitoring and incident response; System development and acquisition; and Interconnectivity of critical and non-critical systems.
Oh, yes; I was particularly impressed that Andrew discussed “Business continuity and disaster recovery” and did not resort to using the current buzz word, ‘Resiliancy’. He does note that a good “cyber-security posture should include planning to ensure continuity of operations and facilitate restoration of all critical cyber assets”. In my mind this disaster recovery is especially important when the facility cyber assets can potentially control the release of toxic chemicals, prevent mixing of incompatible materials, or maintain safety-critical storage conditions. If these 13 challenges were all that were contained in this article it would be a valuable information source for CFATS security managers. But Andrew provides a special bonus in a side-bar entitled: “Field Surveys Provide Troubling Findings”. He provides a summary of cyber security information that Industrial Defender has compiled from critical infrastructure assessments that they have done over the last couple of years. The three “widespread cyber-security issues” will point cyber security managers at important potential flaws in their security posture that are well worth looking at. I certainly recommend that all CFATS security officers and cyber security officers read this informative article. Once again, a single article will not make you a cyber security expert, but it will give you an appreciation of the potential problems and allow you to talk to a real expert without feeling foolish.

Tuesday, April 27, 2010

DHS Spring Regulatory Agenda

This week DHS, along with the rest of the Executive Branch, published their Spring 2010 Regulatory Agenda. The Flexibility Agenda was published in Monday’s Federal Register and the complete agenda was published on the RegInfo.gov web site. The Flexibility Agenda is required to include those items “which (are) likely to have a significant economic impact on a substantial number of small entities” (75 FR 21806). Interestingly, nothing on that 'flexible' agenda is of specific interest to the chemical security community. BTW, the full explanation of the Spring Regulatory Agenda can be found under the Regulatory Information Service Center listing in the Federal Register. Chemical Security Agenda I have identified seven items on the DHS Spring Regulatory Agenda that are of likely interest to the chemical security community. Those items are: Secure Handling of Ammonium Nitrate Program Maritime Security (MTSA II) Revision of LNG and LHG Waterfront Facility General Requirements Transportation Worker Identification Credential (TWIC); Card Reader Requirements Freight Railroads--Security Training of Employees Freight Railroads--Vulnerability Assessment and Security Plan Reporting of Security Issues I discussed six of these items last December when the Fall Agenda was published. The new item is the second item, the MTSA II entry. According to the summary for that agenda item this rule addresses proposed updates to the TSA regulations:
“The Coast Guard proposes certain additions, changes, and amendments to 33 CFR, subchapter H. The proposed changes would enhance the security of our nation's ports, vessels, facilities, and Outer Continental Shelf facilities and incorporate requirements from legislation implemented since the original publication of these regulations in 2003. “
One item missing from my current list that was included in my December blog is the Protection of Sensitive Security Information (SSI), RIN 1652-AA08. This item was implemented as an ‘interim final rule’ back in June of 2004. The last Fall Agenda carried its final action as ‘To Be Determined’. That is still the listed final action so there is no real reason for me to continue to track it. Regulatory Timing Slips Once again, DHS has let the projected time for the completion of the next step in the regulatory process slip for four of the seven rules. It would probably have been seven for seven except that one of the rules listed is new and the other two never did have projected dates that could slip, they were just TBD. The dates that were provided are listed below. Of those in the list all but two are significantly past the date that Congress mandated in the authorizing legislation to have the regulations in place. Neither the MTSA II rule nor the LNG rule have been mandated by Congress.
Ammonium Nitrate Program – NPRM 07-2010 Maritime Security (MTSA II) – NPRM 11-2010 LNG and LHG Waterfront Requirements – Final Rule 08-2010 TWIC; Card Reader Requirements – NPRM 08-2011 Freight Railroads--Security Training – NPRM 11-2010
DHS has provided no public explanation for any of these delays. I’m pretty sure that the Coast Guard is being held up on the TWIC rule by the pending results of the various field trials of the TWIC Readers. I have no idea why ISCD has yet to complete their overdue work on the Ammonium Nitrate rules; for almost two years now they have been ‘just months’ away from completion. TSA has an even harder rule to explain; at least the other two are complex, but what can be holding up the railroad security training rule? Open Government Actually, there must be a pretty decent explanation for each of these rules being delayed; the yelling and screaming from Congress is very muted. Chairman Thompson makes the occasional pro-forma complaints about the ammonium nitrate rule. Chairman Rockefeller only made passing references to the training issue during last weeks hearing on rail security. Apparently DHS is keeping the Chairmen in the loop. What’s missing, of course, is the communication with the public. But, what the heck, this is the Federal government. The public doesn’t really need to know. That’s why they send Senators and Representatives to Washington; to keep track of the important stuff. The public doesn’t need to be bothered. But wait, didn’t the Obama administration just make a big deal about this whole ‘Open Government’ thing? Do you think that they might have included explaining to people why the government can’t obey its own laws? Apparently not….

2010 Chemical Sector Security Summit Update

DHS updated the 2010 Chemical Sector Security Summit web page yesterday afternoon. The new page notes that the registrations for the Summit are now full. They are accepting requests to be put on a standby list. This happened last year as well. This is one of the reasons that registration was limited to just three people per organization. Perhaps DHS should consider increasing the size of the Summit; though that might decrease the opportunities for personal communications. Alternatively, they could consider holding this twice a year instead of just once. As part of the Department’s Open Government policy, DHS should give serious consideration to web casting the conference, or at least the presentations made by Department personnel. Comment to the Chemical Security Community: If you have a confirmed registration that you are not going to be using for some reason, please contact Summit organizers as early as possible so that someone on the standby list can go instead.

HS Regulatory Briefing

The Roberts Law Group is holding their 3rd Annual Homeland Security Regulatory Briefing in Houston, TX next month. This annual symposium looks at federal rules for CFATS, MTSA, Rail Hazmat, and HM 232. They bring together experts to look at how these regulations are being implemented and how that impacts compliance. Additionally, they will look at legislation that is currently being considered in Congress to update and extend these security regulations. Luncheon is sponsored by ADT Advanced Integration. There will be three separate panel discussions featuring experts from industry. They will be looking at:
• Current Issues in Security Compliance for the Chemical and Petrochemical Sector • The Operational and Functional Implications of Security Compliance for the Chemical and Petrochemical Sector • Implementing Security Enhancements at the Facility Level
This one-day meeting will run from 9:00 am to 3:00 pm CDT on May 26th, 2010. It will be held at the Four Seasons Hotel in downtown Houston, TX. You can find more information or register at the ChemicalSecurity.com web site. I haven’t been able to attend one of these briefings yet, but I did receive some positive feedback last year from a reader about the first one. As always, I would certainly like to hear from readers about their experience with these briefings. The subject matter and the panels look to be interesting. And for the Texas lawyers in the audience, the Texas Bar has approved 6 CLE Credits for attending this briefing; that alone would be worth the $95 fee.

Monday, April 26, 2010

Update on Methyl Bromide Rule

This is just a quick update on the methyl bromide rule from the EPA that I have been following over the last 9 months or so. On Friday the Office of Management and Budget approved the Final Rule. This means that the polished version may be published later this week or next in the Federal Register. Actually the just published EPA Regulatory Agenda for the Spring of 2010 shows the final rule being issued this month; which means this week. From an environmental view point this only means that the phase out continues to be stretched well beyond the original 2005 target. Actually there isn’t any real end in site because of the lack of an adequate substitute in certain agricultural applications. The uses and inventories will continue to get smaller, but it looks like these annual regulations will continue for some time. From a chemical facility security point of view, it continues to point out the flaw in the reasoning of DHS when they excluded both methyl bromide and chloropicrin from Appendix A when that was adopted in 2007. I’m not faulting the DHS regulation writers; they were just taking the EPA information at face value. At this point I think that DHS just needs to bite the bullet and add these two chemicals to the release-toxic hazard list in Appendix A.

Security and CSB IST Study

This weekend I heard a reader comment on my blog last week on the CSB IST study. He noted that there was nothing in the CSB notice that said anything about security and asked why I thought that it would have an effect on the CFATS IST debate. That’s a question that certainly deserves discussion here. IST Proponents First off, inherently safer technology (IST) has always been a safety technique. That fact is explicit in the name as well as in how the concept was developed by the chemical safety community. Even the people that insist that the concept has application to security for high-risk chemical facilities acknowledge that this is a safety issue. They argue that, if chemical processes at a high-risk facility were made inherently safer, then the facility would not be a potential terrorist target. Or, at least, it would be at a lower risk for being targeted. Actually, the most vocal proponents mandating IST provisions in the renewal of CFATS authority are not as concerned about a terrorist attack causing a toxic release, as they are concerned about the potential for a toxic release from any cause. They certainly have a point since, extrapolating from recent history, an accidental release is more likely than a terrorist caused release. The cause of the release is not really important to most of the IST proponents. IST Opponents Opponents to including an IST mandate in CFATS reauthorization legislation do not argue with the basic idea that techniques for reducing the risk for a toxic release will reduce the attractiveness of the facility as a target. What concerns them is the apparent belief that it is a relatively simple matter to replace highly toxic chemicals with less toxic alternatives. They are concerned that an assessment procedure that does not adequately address the complexity of chemical processes has the serious potential to disrupt or even shut down their businesses. Since there is no established methodology for identifying and evaluating the application of IST techniques, opponents are concerned that legislators or DHS administrators could establish administrative review techniques to evaluate potential techniques. These reviews could then result in mandated application of techniques that would adversely affect either the manufacturing process or its financial stability. Safety professionals are concerned that a potentially limited and simplistic evaluation procedure will not address the shifting of potential risk from an existing facility to some other location, either in transit or at another physical plant. They fear that assessments that do not address the potential shift of risk may actually increase the over all societal risk. NAS IST Study The National Academy of Sciences study being commissioned by the Chemical Safety Board (CSB) may go a long way to helping to resolve at least some of these differences. If the study is able to produce an assessment methodology that adequately addresses the complexity of the processes involved, then there will be less resistance to the inclusion of such an assessment in a security analysis for high-risk facilities. Of course, the important phrase in the previous paragraph is “adequately addresses the complexity of the processes involved”. For this NAS study to resolve this political discussion, there will have to be a consensus in both communities that the study participants represent a proper mix of experts and the parameters of their investigation have been adequately defined. A one-sided panel, either way, will be ignored by the other side. A flawed study will be of no use either. Now I am not naive enough to assume that there is even a remote possibility that there can be an NAS study that will completely eliminate the differences on this political issue. There are people on both sides of the issue that will never admit that the other side has legitimate concerns. What a properly designed and executed study will do is to provide political cover for moderate politicians on both sides to come up with a compromise measure that can be approved. Adequate Design With the importance of this study extending beyond one facility in Institute, WV, it is very important that the design is up to the political task. I am concerned that the 15-day comment period that the CSB has established for this study is inadequate to the task. Corporate decision makers are notoriously slow to respond calls for public comments on controversial topics. The process of identifying and addressing issues, developing a written response, and then vetting that response through the various internal communities in a large organization does not happen quickly. I understand the urgency of this particular situation in West Virginia. But, given the fact that there will be at least 12 months before this study is completed, an additional ‘delay’ of 15 days is not unreasonable. A 30-day comment period will be inadequate for some commentors, but is an established standard used in developing many rules. I am sure that the next couple of days will see comments filed requesting this type of extension of the comment period. I urge the CSB to extend their comment period to 30-days to protect the political viability of the proposed study.

Sunday, April 25, 2010

CSSP Web Page Update 04-23-10

On Friday the DHS-CERT Control Systems Security Program website was updated with links to new security warning documents and information on training that will be offered by CSSP in July. Control System’s Analysis Reports Under the ‘What's New’ heading on the site there are two new documents that every security officer and cyber security officer at high-risk chemical facilities should read. They deal with two potential attack vectors that are being used to attack control systems. The first report, SSH Brute‐Force Scanning And Attacks, addresses an attack mode that has been familiar to the general IT community for years, the brute-force authentication search for authentication credentials on systems providing secure shell (SSH) command line access. Control systems or their components that are running SSH on a default TCP Port are particularly vulnerable to this type of attack. The report explains the risk for this type of attack and methods to reduce/eliminate the threat. The second report, USB Drives Commonly Used as an Attack Vector against Critical Infrastructure, describes a variety of ways that USB devices like thumb drives can be used to gain unauthorized access to control systems. From social engineering attacks, to malware infected devices, and intentional insider attacks using LaunchPad applications, a number of techniques for attacking control systems using these devices are described. Advanced Cyber Security Training The CSSP Calendar web page was updated, removing the April classes and providing information on a July training program, the Control Systems Cyber Security Training and Workshop for Federal Employees. This five day training course will be conducted on July 19th thru 23rd, 2010 and will be held at the Control Systems Analysis Center in Idaho Falls, ID. This program will address a variety of current cyber security techniques for ICS security and will include Red Team/Blue Team exercises. Hopefully, DHS ISCD will be able to get some of their chemical security inspectors to this type of training.

Saturday, April 24, 2010

DHS Renews CIPAC Charter

Earlier this week DHS published a notice in the Federal Register announcing that the Secretary had renewed the charter of the Critical Infrastructure Protection Advisory Council. The CIPAC aids the coordination between government officials at the federal, state, and local levels and the private-sector owner-operators of critical infrastructure and key resources (CIKR) identified in the National Infrastructure Protection Program. CIPAC was originally chartered in 2006. Because “of the sensitive nature of the subject matter involved in the CIPAC's activities” (CIPAC Charter, pg 1) the Secretary has exempted the Council from the provisions of the Federal Advisory Committee Act (PL 92-463). This means that most of the CIPAC meetings are not open to public participation or observation. Past meeting agendas are archived and accessible from the CIPAC web page The CIPAC Charter renewal notice also includes information on how the public can find out the membership of each of the 18 CIKR Committees (Council Members). Additionally, the notice outlines how the recently formed State, Local, Tribal, and Territorial Government Coordinating Council has been represented in CIPAC.

Friday, April 23, 2010

CSB IST Study

Today the Chemical Safety Board (CSB) published a notice and request for comments in the Federal Register concerning a proposed study to be conducted for the Board by the National Academy of Sciences NAS about the use of methyl isocyanate (MIC) at the Bayer CropScience facility in Institute, WV. The notice outlines the scope of the proposed study and requests public comments on that proposal. Authorization The FY 2010 budget for the Chemical Safety and Hazard Investigation Board (PL 111-88) included the following language authorizing this study:
“Provided further, That of the funds appropriated under this heading, $600,000 shall be for a study by the National Academy of Sciences to examine the use and storage of methyl isocyanate including the feasibility of implementing alternative chemicals or processes and an examination of the cost of alternatives at theBayer CropScience facility in Institute, West Virginia.” (PL 111–88, 123 Stat 2950)
This language was added by Sen. Byrd (D, WV) as a result of the August 2008 explosion and resulting deaths at that facility. The explosion involved one of the units that used on-site produced MIC. According to the CSB preliminary report on that incident a larg above-ground storage tank of MIC was very nearly impacted by projectiles produced by the explosion. This could have resulted in a catastrophic release of MIC that could have produced wide spread injuries and deaths at the facility and in the surrounding communities. Study to Look at IST This notice makes clear that the funded NAS study will look at the topic of inherently safer technology (IST) from a general perspective as well as how those techniques could be applied in this specific situation. It proposes to task the NAS with reviewing and evaluating the current state of the art in IST assessments and to report on the following specific subjects (75 FR 21224):
“Provide a working definition of Inherently Safer Technology (IST), as the term applies to the chemical industry and other process industries. “Review and evaluate current practices for inherently safer process assessments, including the goals and applicability of these tools. Specifically, do existing methods adequately account for all the potential life-cycle benefits and risks from adopting inherently safer technologies? “Review and evaluate current economic valuation methods for estimating the cost of alternative chemicals and processes. Specifically, do these methods accurately estimate capital investment costs, operating costs, and payback periods? “Review and evaluate current standards and metrics for measuring the effectiveness of inherently safer technology applications in the chemical and process industries. “Review and evaluate the impact of existing state and local regulatory programs that seek to promote inherently safer processes, such as the Industrial Safety Ordinance in Contra Costa County, California, and the Toxic Catastrophe Prevention Act in New Jersey. “Provide guidance on best practices for inherently safer process assessments, metrics, and IST cost evaluation methods.”
These subjects will bear on the current political debate on the current political debate on the subject of providing DHS with the authority to require IST assessments as part of the Site Security Plan required under the Chemical Facility Anti-Terrorism Standards (CFATS) and allowing DHS to require some facilities to implement feasible and effective IST alternatives identified in those assessments. Opponents will probably seize on the provision for a one-year time table on the completion of this study as a reason to oppose the inclusion of IST provisions in any legislation this year to extend the CFATS program beyond its current expiration in October of this year. Proponents will not be happy with that one-year delay, but will probably applaud a definitive answer to the questions that have been raised in political discussions on this issue by their opponents. Public Comments While general comments on the proposal will be accepted, the CSB is looking for comments on four specific areas (75 FR 21225):
1. “Does the proposed Task Statement include the appropriate topics for consideration by the NAS? Are there any additional general or specific topics the NAS panel will need to consider in order to reach a satisfactory answer on the feasibility and costs of reducing the use and storage of MIC? 2. “If funds are available, should the CSB initiate a second, related study to consider the feasibility, costs, and benefits of inherently safer alternatives to other chemicals? For example, should a study consider alternatives to the use of hydrogen fluoride in refinery alkylation processes and/or to the use of chlorine in water treatment? What other chemicals or processes should be considered if a second study is undertaken? 3. “What kinds of backgrounds and expertise should be represented on the NAS panel? 4. “Is the proposed timetable appropriate?”
Public comments may be submitted electronically by email to nascomments@csb.gov. CSB requests that comments in attachments be in PDF, MS Word or ASCII files; virus-free and unencrypted. Comments must include the docket number (CSB-10-01) and the providers full name and address. The CSB is providing a very short comment period; comments must be received by May 10th, 2010. I really wish that the CSB would use the Regulations.gov web site for their comments as it provides the public with an easy way to view the comments that have been submitted. I’ll try to get copies of the submissions at the end of the comment period to report on those comments.

Thursday, April 22, 2010

Chemical Security News

While Congress continues to dither on CFATS legislation, the publishing industry is certainly discovering CFATS. In an earlier blog I noted that there was a new chemical security blog at ChemicalProcessing.com and it looks like there will be a new posting there every Tuesday. Today the same web site has an ‘email preview’ of a new newsletter, CFATS E-News; no specific word on whether or not this will be a regular publication. I recently received an email from Rick Neigher at 1105Media.com telling me about their new newsletter, CFATS News, that will soon start publishing. Three years into the CFATS program it is nice to see the increasing attention to this critical topic. With almost 7,000 chemical facilities regulated under CFATS, an un-documented number covered under the MTSA rules, and then a sub-set of those two covered under TSA rules for freight rail security rules, it certainly seems to me that there is a significant potential market out there. Especially if you add in all of the security consultants, integrators, suppliers and vendors that will be supporting those facilities. As the ‘senior’ electronic publication in this sector, I welcome all comers. The more people in the chemical security community participating in the discussion, the better it is for all concerned.

Wednesday, April 21, 2010

HR 5057 Introduced

Last week Rep. King (R, NY) introduced HR 5057, the WMD Prevention and Preparedness Act of 2010, but the GPO version of the bill just became available yesterday. Since this bill was being aimed at preventing terrorists from using weapons of mass destruction in attacks on the United States, I was hoping that this bill would address the issue of chemical weapons and attacks on chemical facilities as a cheap and ready form of employing chemical weapons in attacks on the homeland. Too bad. As is usual with recent WMD concerns in Washington, this bill focuses on almost completely on bio-terror weapons and just briefly touches on preventing nuclear WMD. The word ‘chemical’ is used a couple of times in the bill, but never substantively. I don’t understand the politicians’ concern with weapons that are inherently difficult to develop and deploy while ignoring potential WMD attacks that can be affected by a couple of crazies armed with AK-47s or RPGs. I will watch this bill, just in case someone decides to add provisions to deal with the more likely chemical threat.

Top Screen Problems II

Earlier this week I looked at the Top Screen problems associated with chemicals of interest that periodically showed up at a facility because of intermittent manufacture of products. Security for these intermittent chemicals of interest (iCOI) can be planned for; ramping up security when the material is scheduled to be in the facility and then dropping back down to normal after it is consumed. A more difficult issue to deal with is the one time COI event. We had a problem one time at a facility where I worked with bacterial contamination of a number of our storage tanks. We had to bring in a tank wagon load of industrial strength hydrogen peroxide to conduct a detailed clean out of our process equipment, transfer lines and the storage tanks. This was a one time problem and we never had to repeat the process. These one time uses of chemicals are not an uncommon occurrence at specialty chemical manufacturers. If the chemicals are on the list of DHS chemicals of interest (COI) and the quantity received is in excess of the screening threshold quantity, then the facility will be required to submit a Top Screen. Then 60-days after the chemical is gone, the facility will need to submit a second Top Screen to show that the chemical has cleared their system. During that 60-day period DHS will be evaluating the Top Screen information. For facilities already on the list of covered facilities, they will be looking to see if an increase in Tier level might be required. For currently unlisted facilities, DHS will be evaluating the Top Screen to see if the facility is at high-risk for terrorist attack. A positive finding in either case will result in an SVA notification letter being sent to the facility. The subsequent Top Screen will not necessarily stop the process. There may need to be significant back and forth between DHS and the facility under the current scheme to essentially erase the initial Top Screen submission. This is not particularly efficient for either DHS or the facility. There are two potential ways to handle this situation. First DHS could change the wording of the CFATS regulations to make it clear that a one time possession of a COI that lasts only for a limited time need not be reported on a Top Screen. This would certainly be the easiest way to deal with the problem, easing the potential burden on DHS and many facilities. It would, however, put into place a loophole that would be open to abuse and deny DHS information necessary to monitor and quantify the extent of the problem. The second method of handling the situation would be to modify the Top Screen form to allow for notification that the possession was a one-time issue and that the COI has already been consumed. The 60-day time limit for Top Screen submission would be the time limit for clearing the COI from the facility. If a one-time COI were cleared within that time limit, then no additional action would be required by the facility or DHS. A subsequent Top Screen showing that the same COI was used at the facility would trigger the iCOI rules discussed in the earlier blog posting. One advantage to the second procedure would be that the requirement for filing a Top Screen would act as a formal notification to the facility management that the chemical in question had special security concerns attached to its presence at the facility. The short term presence of the COI should not place the facility at a real high-risk of terrorist attack, but it will temporarily increase the facility risk. This should cause management to at least consider the need for the addition of short term security measures to protect the facility. These one-time COI are probably not a huge problem, but the potential solutions are so easy to affect that it makes economic sense for both the regulator and the regulated community to proceed with fixing the problem.

Tuesday, April 20, 2010

Countering Violent Extremism

The Federal Register for May 19th contained a notice posted by DHS that the Homeland Security Advisory Committee (HSAC) would be holding a teleconference on May 13th to discuss the initial report of the Countering Violent Extremism Working Group. This task force was formed at the request of Secretary Napolitano at the February 3rd HSAC meeting. The following comment was posted to the written comments docket for this meeting (www.Regulations.gov; Docket Number DHS-2010-0030). This comment was listed at DHS-2010-0030-0002.1 on that site. Extremists and Critical Infrastructure I commend Secretary Napolitano for tasking the Homeland Security Advisory Committee with looking at the issue of countering violent extremists. Anyone with access to the national news must be concerned about the apparent increase in the number of violent extremist organizations from a wide variety of political, racial and religious backgrounds in the United States that seem to becoming more dangerous every day. Any assistance that the HSAC can provide to the Secretary in developing a comprehensive plan to counter this trend would certainly be beneficial to the Department and the country as a whole. While we have yet to see any chemical worker, transit employee, airline pilot, or nuclear power plant attendant involved in any of the publicly acknowledged terror plots, anyone with a background in security knows that it is just a matter of time before someone working at a publicly-owned critical-infrastructure facility will be identified as a member of one of the increasing number of radical groups found in the United States. Hopefully that identification will be made before they are involved in a successful attack on the facility at which they work. Any program developed to counter the growth of violent extremism will have to be two fold. One phase of the program will have to address the jump from legally protected political extremism to the illegal acts violent extremism; identifying the motivation for that transition and pre-empting that move. The second phase will have to deal with the identification of those individuals who have made the transition before they can consummate their illegal acts. That second phase will be especially important for critical infrastructure employees. Any terrorist plot needs to be disrupted, but a terrorist plot against critical infrastructure with active insider support is one with an especially high probability of success. This makes identifying those potential perpetrators a very high priority. Any efficient identification of transitioned extremists at critical infrastructure facilities will inevitably involve the management of those facilities. This will require that the management of those facilities be trained to recognize the individuals that are potentially violent extremists. Since the easiest to identify precursor to violent extremism is extreme political views, we need to be especially careful that any such training program be clear in its delineation of the difference between legally protected extreme political views and violent extremist actions. I think that it is especially important that the Countering Violent Extremism Working Group specifically address this issue in their report to the Secretary.

Pipeline Security Hearing

The Management, Investigations, and Oversight Subcommittee of the House Homeland Security Committee held a field hearing yesterday to look at the issues surrounding pipeline security. The hearing was held in Plant City, Hillsborough County, Florida in the home district of the ranking member of the Subcommittee, Rep. Gus M. Bilirakis. It is unfortunate that these field hearings are not normally web cast. Looking at the written testimony submitted by the seven witnesses it may have been an interesting meeting. The written testimony provides some interesting insights into pipeline security issues. There were three federal witnesses (TSA, PHMSA, and the Congressional Research Service), one industry representative, and three local emergency response officials from Hillsborough County agencies. Current Pipeline Security Program Dr. Parformak, Congressional Research Service, provided a thorough review of the current state of the Federal government’s pipeline security… oversight in his testimony. I really wanted to say regulation, but he makes clear that there are no current or planned regulations for securing fuel, natural gas, or hazardous material pipelines against potential terrorist attack, nor is there any Congressional mandate or authorization for such regulations. Parformak notes that at current funding levels, the 13 authorized personnel in TSA’s Pipeline Security Division, are hard pressed to complete the Corporate Security Reviews that constitute the closest thing to regulatory action that the Department has for pipeline security. Since the CSR program was instituted in 2003, the PSD has only visited 100 of the over 1300 pipeline companies in the United States. He describes a CSR visit this way: “TSA typically sends one to three staff to hold a three to four hour interview with the operator’s security representatives followed by a visit to only one or two of the operator’s pipeline assets” (pg 6). Jack Fox, General Manager of TSA’s Pipeline Security Division, in his testimony describes a Pipeline Corporate Security Review (PCSR) visit this way: “PCSRs have enabled TSA to build relationships with pipeline operators to assess their corporate security plans and programs and to provide them with recommendations [emphasis added] for improvement” (pg 3).He agrees with the 100 companies visited, calling them the “Top 100 pipeline systems” and noted that they have started to re-visit those systems. He also notes that the Division has worked with its Canadian counterpart to conduct joint visits similar to the PCSR at the six largest ‘cross-border’ pipelines (25% of the total number). In addition to these assessment visits, Fox notes that the Division has produced a 30-minute security awareness training CD and published a Pipeline Security Smart Practices document. He describes that document as a “qualitative and quantitative examination of data from PCSRs, coupled with literature research regarding pipeline security measures and consultation with the pipeline industry, [that] identified smart practices operators can implement to promote an effective security program” (pg 3). Gary L. Forman, Chairman of the Pipeline Sector Coordinating Council, provides a summary of the current situation from the industry perspective in his testimony. His view is more positive than Dr. Performak’s, but it is instructive, none the less. He provides one of the most concise and complete descriptions of the ‘security process’ that I have ever seen on page four of his testimony. It is well worth reading; lacking only one component, oversight. Pipeline Security Problems The testimony of these four gentlemen would have made the field hearing interesting enough, but that could have been done back in Washington. What made the field hearing more interesting was the testimony from the members of the second panel; a representatives of the Sherriff’s Office, Fire and Rescue, and Emergency Management for Hillsborough County, Florida. These were people that had dealt with three major pipeline incidents in recent years, including a vandalism incident in November 2007 where two juveniles punctured an anhydrous ammonia pipeline looking for money. Typical of most hazmat pipelines this one runs a relatively short distance (30 miles) between a storage facility (in this case at Port Sutton where it is off-loaded from ocean going vessels) to manufacturing facilities further inland. These pipelines are typically owned by chemical manufacturers, importers or local pipeline companies. They don’t fall within the ‘top 100’ pipeline companies visited by TSA’s Pipeline Security Division. All three of the local witnesses describe improvements that have been made in the local security and emergency response planning since the November 2007 incident. The anhydrous ammonia pipeline owner has placed additional jacketing around all exposed sections of the pipeline to make them more resistant to attack. There have been significant planning and educational improvements made to allow for a more effective response to a pipeline incident. But, they each point to more that needs to be done. Larry Gispert, the Director of Hillsborough County Emergency Management, would like to see more contact between TSA’s PSD and his office. He also notes in his testimony that the limited staff of the PSD includes “two managers and four branch chiefs” (pg 2); that doesn’t leave much in the way of inspectors. He also notes the dichotomy of approaches for the two federal agencies looking at pipelines; “you have one agency [PHMSA] who’s goal is to make the location of buried pipelines as visible as possible so no one accidentally digs them up and another agency [TSA-PSD] that would like to make them invisible so no one can intentionally blow them up” (pg 3). Col. Ed Duncan, of the Hillsborough County Sheriff’s Office, complains in his testimony that “no federal, state or local agency has clear regulatory authority to impose security requirements on companies involved in the production and transportation of chemicals through public areas” (pg 3). He would like to see the TSA be given the authority to ““establish and enforce” such security rules. Assistant Chief Ron Rogers, of the Hillsborough County Fire Rescue, has an even more basic problem. In his testimony Rogers notes that during the 2007 incident his people could not allow the pipeline company technicians into the hot zone at the leak because they lacked the documentation that they were appropriately trained and certified in hazmat operations. He would like to see the pipeline company be made responsible for providing Medical Surveillance and hazmat technician training documentation to the Local Emergency Planning Committee. Moving Forward Chairman Carney (D, PA) opened the hearing by stating that “Given the frequency of pipeline-related incidents that occur throughout the country, coupled with the extent of both human and economic loss that could result from these incidents, it may be wise to consider whether the systems should have written regulations.” Given the testimony provided at this hearing, I think we have come far past the ‘it may be wise’ point; we are certainly at the ‘it would be prudent to require and adequately enforce written regulations’ point. Hopefully Chairman Carney and Chairman Thompson will agree; the emergency response community in Plant City, Fl certainly would.

Waste Water Security

I ran into an interesting article at CullmanTimes.com about a recent ‘security incident’ at their local waste water treatment plant. A local council woman and a constituent are potentially facing trespassing charges for entering the unsecured waste treatment plant. There seems to be a local political angle involved in the story, but it is clear that, except for a lock on the front gate, there is no real security at the facility. It is made clear in the article that the facility is not manned on a continuous basis; it is set up for automated operation for significant portions of time. This is not unusual with these treatment facilities in small cities and towns. Apparently, neither is the lack of an on-site security guard. According to the article the existing security system “currently monitors only the entrance area”. Apparently they use a video system, but it is not clear from the article who monitors that system and why the two women were not detected entering the plant by that security system. In fact, it is curious why the unlocked gate, left open by a city street department employee, was not detected by the security system. This is a good example of why the current waste water treatment security regulations, managed by the Environmental Protection Agency, need to be updated. Facilities are required to conduct a vulnerability assessment and certify that they have addressed identified shortcomings. The EPA has no enforceable security standards in its regulations, nor does it have the authority to impose any. Some would question why a waste treatment facility really needs security in any case; after all the worst that could happen is untreated waste water could be released into local water ways. While certainly creating an environmental problem, this does not sound like a terrorist target. Except that most of these smaller facilities use chlorine gas as part of the final disinfection step before they discharge the treated water back into the environment. This chlorine gas is a potential release hazard at larger facilities and a theft hazard at the smallest facilities. In either case, that makes these facilities a potential terrorist target. Now, I don’t want to imply that Cullman, Alabama is specifically on a terrorist list of targets. But an outside assessment needs to be made of the level of the potential threat for each of these treatment plants. That will not be done under the current law. Congress needs to bring water, waste and drinking, treatment plants with significant inventories of chlorine gas and other hazardous chemicals under the Chemical Facility Anti-Terrorism Standards.

Monday, April 19, 2010

Top Screen Problems

I received an interesting email from a reader last week. It contained a copy of a proposal from the National Petrochemical & Refiners Association for some revisions to the Top Screen submission requirements. I’m going to be doing some additional research (I want to see what DHS has to say about it) on this proposal before I discuss it in detail, but I do think that it raises some issues that are worth discussing. The NPRA proposal notes that the current rules for Top Screen Submissions are based on the presence of a DHS chemical of interest (COI) at or above a screening threshold quantity (STQ) and re-submissions are required whenever there is a ‘significant change’ in that inventory. This works well for identifying potential security issues associated with relatively static inventory situations. The proposal notes, however, that there are a number of situations where there are short term changes in inventories that, while significant for short periods of time, do not really change the long term security posture of the facility. One Time Inventory Having worked at a specialty chemical manufacturing plant for a number of years, I have worked on a number of projects where we would produce a unique product for just a limited production run with a number of raw materials being introduced into the facility for just that product, never to be used or inventoried again. At least a couple of these materials would have triggered a Top Screen submission even though they would not have been on the inventory at the end of the 60-day time limit for the Top Screen submission. This situation has two relatively simple solutions. The first would be a slight re-wording of the rules for submitting a Top Screen, eliminating the need for a submission for a one-time inventory of a COI. The second would be the addition of question to the Top Screen that would allow the facility to identify the expected frequency that this chemical would be held in inventory at the facility. It would seem to me that the first solution would be more appropriate for initial Top Screen submissions. DHS would probably not want to be bothered with facilities that had no other COI and whose potential security situation would end before they had a chance to evaluate the Top Screen. For already covered facilities, however, the second option would probably be more appropriate as DHS would be interested in temporary changes in the security situations of those facilities. Recurring Short Term Inventory A more interesting situation arises when there are recurring inventories of COI, or intermittent COI (iCOI), that would trigger a Top Screen. The facility at which I worked had a number of products that were only produced intermittently and one or more of the raw materials were brought in to the facility only in the volume required for a limited production run. These production runs could be done as infrequently as once per year. In fact, there was one product that we expected to manufacture only once every five to ten years. Under the current rules a facility would be required to report these infrequently used COI within 60 days of use. Then they could re-submit a Top Screen without this material as soon as the material had been out of their facility for over 60 days. If this was the only COI being reported, presumably DHS would drop them off of the covered facility list when the second Top Screen was received. If the facility was determined to be a covered facility for other COI the issue would potentially be complicated by the place they were in their CFATS process. If the material had been included in their post-SVA notification letter, DHS would probably be reluctant to simply remove the material from coverage. Pre-SVA submission, the facility could probably convince DHS to remove the material from their list of covered chemicals. How to Deal with Intermittent COI at Covered Facilities A more rational method of dealing with these iCOI that a facility knows will be on site periodically would to be to provide a method for identifying this fact and allow for the submission of a contingency security plan for those periods. For facilities with other COI on site that contingency plan could be part of their SSP submission. These additional security procedures would be important since typically these temporary chemicals would be stored in ‘portable’ storage containers. For large scale use those containers could be tank wagons and even railcars. These portable storage tanks would require special protections because they would fall outside of the protections (permanent restricted areas, access control measures, intrusion detection and surveillance to name a few) normally afforded to fixed storage tanks. Even smaller portable containers, like drums and totebins, might require special security measures if the warehouse is not normally set up as a secure area. The additional security measure procedure would be put into effect when the decision is made to begin a manufacturing campaign using these iCOI. One part of that procedure would be a verification of the business inputs that require the production run to be made. Other measures that might be taken before the iCOI arrives at the site would be to increase the normal security personnel contingent, do maintenance checks of the special security equipment used for this material, and to review the special security procedures with affected personnel. One additional area that DHS would need to address in their rules covering iCOI would be residual inventory. It is not unusual for some inventory of these iCOI to remain on site at the end of a manufacturing campaign. If more than an STQ amount remains on site for significant periods after the campaign (typically until the next campaign if the excess inventory is not immediately returned to the manufacturer), DHS will have to delineate when that storage no longer falls under the temporary security plan and when modifications will need to be made to the overall plan to reflect the presence of that COI. The issue of how to deal with residual inventory is much less clear cut if the amount falls below the STQ amount. While the STQ is a specific measure, it is not clear that a difference in a couple of pounds of residual inventory makes a significant difference in the security requirements. Clearly some line in the sand must be established, but I would argue that the amount for residual inventory where the iCOI is expected to return in more than STQ amounts in the foreseeable future should be lower than the typical STQ. Where the residual inventory STQ should be set should be thoroughly discussed. Intermittent COI at Other Facilities For facilities without other COI, DHS could determine if, during the presence of those iCOI, the facility would be a covered facility using the normal Top Screen evaluation process. If a preliminary finding of being a high-risk facility during the presence of the iCOI were made, the facility would be required to go through the SVA/SSP process even after the 60 day period without COI inventory has elapsed. For these intermittently covered facilities, it might be beneficial if DHS were to establish a two tiered evaluation; one reflecting the security risk when the iCOI was present, and another lower tier ranking when it was not present. This might require the formation of a Tier 5 facility ranking for facilities that have no other chemical security risks. This would require a minimal, Tier 5, security plan when the iCOI was not present at the facility. This would require such things as background checks for facility personnel, security plan training and drills, and a maintenance plan for security equipment required when the iCOI was present. This is just a first look at how to deal with CFATS regulations at facilities where COI are only present on an intermittent basis. I’m sure I can think of more things that would need to be addressed. More importantly, I think the readers of this blog would also be a valuable source of insight. Please let me know what you think about this iCOI problem.

HR 4842 Markup

Last week the Homeland Security Committee completed their full committee markup of HR 4842, the Homeland Security Science and Technology Authorization Act of 2010. A number of amendments, including Chairman Thompson’s Amendment in the Nature of a Substitute, were introduced and agreed to. At the end of the hearing the bill as amended was ordered reported favorably by a unanimous recorded vote. As I noted in another blog, the earlier version of this bill provided a number of areas that could affect members of the chemical security community. Because of the way this markup was conducted (on an unpublished revision of the bill), and the slim documentation of the amendment process published on the Committee web site it is impossible to tell how those affects may have been changed in the amended legislation until the Committee Report is finally published. The absolute earliest that this could be done will be tomorrow, but it could take weeks or months, depending on how serious the Chairman is in getting this bill to the floor. While this authorization is apparently a serious matter for the Chairman, this bill need never come to a floor vote as a separate bill; it could simply be added to the DHS budget bill as it wends its way through the legislative process. That would not be an unusual way of handling this type of legislation. I would like to suggest to Chairman Thompson that his Committee’s web site could be significantly improved if these markup hearings were documented in a more thorough manner. A good example of a transparent markup process can be found on the Energy and Commerce Committee web site for a markup hearing they conducted on the same day. Chairman Waxman’s Committee does a very professional job of documenting their markup process and is well worth emulating.

Saturday, April 17, 2010

TSCA Change and Security

I was reading an article over at APP.com about the new Toxic Substances Control Act (TSCA) bill (S 3209) being introduced by Sen. Lautenberg (D, NJ). While TSCA is not really a security issue, I have a certain amount of personal interest in chemical safety, so this does get my attention. I was struck by some of the closing comments in the article that addressed security issues:
“While the Lautenberg bill incorporates some industry proposals, such as prioritizing chemicals based on the risks they pose, the measure could stifle business innovation and sow confusion by allowing states to write their own chemical security laws, the group [American Chemistry Council] said in a statement.
“New Jersey's chemical security law is considered stronger than the federal statute. The industry has long opposed state laws, saying it prefers to deal with a uniform set of standards written by the federal government.”
Now Sen. Lautenberg has been a strong proponent of tighter security at chemical facilities and was responsible for much of New Jersey’s tighter regulation scheme while he was that state’s Governor. Additionally, he has pushed for limiting the Federal rule’s ability to supersede State regulations on a variety of chemical issues. Still, I’m not sure how this bill might affect chemical security issues, but the Government Printing Office (GPO) has not yet published the actual language of the bill. Once it does, I will certainly look at the details and report on anything that might impact security issues.

Reader Comments – 04-16/17-2010 Government

PERSONAL to Fred Millar – Sorry Fred. I decided to leave the first post up since I didn’t know how many people may have read it and I didn’t want that to be your last word on the subject for those people. Would that I had never uttered/written an intemperate word, but that does happen. Rest assured that I had assumed that there was more than was written involved in your first post and I am thick-skinned enough not to have taken it too personally. Besides, you had previously compared me favorably with IF Stone, how could I be upset. TO EVERYONE ELSE – Fred Millar, a long time reader-commentor to this blog, posted two comments (please read both) to my recent blog about the DHS Open Government Dialogue. While Fred may regret the tone and word choice of the first post, he does bring up a very important point about advocates in general and this blog in particular; we are generally in an adversarial position with those that we write about. Advocates as Adversaries If I thought that industry and the Government were both doing everything possible to protect chemical facilities (and by extension their employees and neighbors) from the possibility of a terrorist attack, then there wouldn’t be much point in me writing this blog. It takes quite a bit of time and effort to put out these daily posts. No, I truly believe that there is substantial room for improvement on part of both parties, so I intend to educate, cajole, push and prod everyone further down the road to safety and security. I am different from a number of advocates, I don’t believe that those that those that I am trying to get to move in the desired direction are inherently evil or bad. I don’t believe that anyone in industry wants their facility to be attacked by terrorists, or wants dangerous chemicals to be released upon unsuspecting neighbors. I don’t believe that the politicians on the ‘other side’ are trying to destroy the country. I firmly believe that where inappropriate decisions have been (or will be) made, they have been the result of inadequate information, shortsighted reasoning, ignorance, and in some cases criminal stupidity. I can’t do much to stop the later, but the rest is fair game. Advocates as Trainers Having spent 15 years in the Infantry, most of it as a Non-Commissioned Officer, I learned an awful lot about people, how to train people and how to motivate people. One nearly universal lesson (there are no truly universal lessons) that I did learn was that beating someone over the head, calling them stupid, and only pointing out what is wrong with their actions is so completely counter-productive that I cannot understand why anyone does it. There are two important tools in training, repetition and rewards. You keep people practicing a task until it becomes second nature. You reward people when they do things right, always starting with small rewards because there is a long way to go to get near perfection. And, since my job here is essentially a training task, I’ll use the same tools. You’ll hear plenty of repetition from me. And when I see someone doing something right, I’ll give them the public recognition that they deserve. What about when something is not done well? Well my training experience has provided me with an exceptional tool for that as well; you use the “What, Why, and How” technique. You tell people what was wrong with what they did, why it was wrong (the consequences) and how it should have been done. If you can manage to do that without calling them names or making them feel stupid, you will usually succeed. Open Government Now, back to the original topic, the Obama Administration’s Open Government program, in particular the program at DHS. Will this make a positive change in how the government operates? Who knows, my crystal ball is still in the shop. It has a chance if the public becomes involved and contributes, and the politicians listen, and the bureaucrats find some useful suggestions. I can’t do much about the politicians and the bureaucrats (though many do read this blog so there is some hope even there), so I will continue to push for public involvement. Now before some one accuses me of be all ‘populist’ and such, I believe that the ‘public’ is just more than the people walking the streets. It includes corporate America, all of the NGO’s, the folks working on K Street, the labor unions, the churches and even the aliens (legal and otherwise) living here in this country contributing to our economy. All of those ‘people’ have a voice that deserves to be heard. Potentially the best thing about the DHS Open Government Dialogue, is that it gives those without the money and/or power to amplify their voices the chance to be heard. But that is only going to happen if all of the public participates, discussing and voting on the ideas that have been submitted. So, all of you with a soap-box, get your readers/listeners/followers to participate. The more the merrier; the more effective it can be.

Congressional Hearings for Week of 4-19-10

The Congressional Record Daily Digest for last Thursday provided a list (pgs D394-7) of Congressional Hearings planned for the coming week. There were three hearings listed that might be of interest to the chemical security community. Additionally, the House Homeland Security Committee has announced a field hearing for Monday that is not included in the list. Pipeline Security On Monday, April 19th, the Subcommittee on Management, Investigations and Oversight, will be looking at pipeline security issues at a field hearing in Plant City, Fl. The ranking member of that subcommittee, Rep. Bilirakis (R, FL) represents portions of this area which has seen a number of pipeline releases due to vandalism, including an anhydrous ammonia release in November 2007. There will be witnesses from DOT and TSA as well as local law enforcement and emergency response agencies. This hearing will not be web cast. Rail Security The Senate Committee on Commerce, Science and Transportation will take a look at rail security issues on April 22nd at 2:30 pm EDT. The current witness list includes representatives from GAO and DHS as well as Amtrak, New Jersey Transit, and CSX Transportation. The presence of the CSX representative tends to indicate that freight rail security will be at least briefly addressed. I assume that GAO will have a new rail security report to present to the Committee; their last freight rail security report was issued just about a year ago. WMD Issues The House Homeland Security Committee will be looking at WMD issues on April 21st at 10:00 am EDT. Since this is being billed as a ‘A Discussion with the WMD Commissioners’, I expect that the major focus of this hearing will be on bio-security issues. The problems of chemical weapons and chemical facilities as potential chemical weapons may be briefly addressed. PHMSA Oversight On April 22nd the House Transportation and Infrastructure Committee will be conducting an oversight hearing on PHMSA. Readers of the Journal of Hazmat Transportation will have seen my piece (subscription required) on the recent DOT IG investigation of PHMSA’s program for classifying explosives; that will probably be the focus of this hearing.

Friday, April 16, 2010

DHS Open Government Plan Discussion Site

I’m not sure when it exactly happened as I did not check the site yesterday, but the DHS Open Government Discussion Site has been re-opened to start the discussion process about the Plan that DHS is putting into place to help make the US Government more transparent, increase participation and collaboration, and to make the whole process more innovative. I mentioned in an earlier blog that DHS would be doing this, but they started the process earlier than anticipated. It appears that I have the honor or distinction of being the first person to post a ‘new’ idea to the site. I continue to harp on one of my key complaints about the Department (that as a whole appears to be doing a pretty decent job) and that is their lack of transparency in their regulatory processes. The Idea, Status of Regulations, is now available for voting and comments. It is interesting, and may end up being really confusing, to see that all of the Ideas that were posted to this site to aid the Department in developing their plan are still there. Those ideas are still open for comment and voting. I applaud the Department for keeping those Ideas available to the public, but it would seem to me that they should be on a separate site where their historical integrity can be maintained. Sites like this may end up being an important part of using 21st Century technology work in making government operations more efficient and responsive. I urge everyone to actively participate in this site. If there is no participation, it won’t remain around for very long.

New Threats Against Canadian Gas and Oil Sites

Yesterday the Dawson Creek Daily News (story via Edmonton.ctv.ca) reported that there were new threats being made against oil and gas sites in that area of Canada. This could mean that there will be a resumption in bombing attacks that has seen a total of six blasts being reported at remote pumping and pipeline stations owned by EnCana. Long time readers of this blog will recognize this on-going story; I wrote about it in October 2008, January 2009, and July 2009. Every indication points to an individual (or very small group) with a very personal objection to the production of ‘sour gas’ (natural gas contaminated with hydrogen sulfide) at wells owned by EnCana. There are no reports or claims of any sort of association with larger ‘ecoterrorist’ groups, or any other organization for that matter. Once again, I want to make the important point here that any company or facility can become the private target of an individual who has (self-determined) important grievances with the actions of the personnel or management of that facility. Furthermore, the tools to violently express those grievances are readily available. This means that every facility, particularly high-risk facilities, need to be aware of individuals or groups that have ‘serious’ grievances against the facility, it’s owners, or the industry to which it belongs. Threats received from those grievance holders need to be taken seriously enough for them to be reported promptly to that authorities. While all threats need to be reported, those from identified groups or individuals with public grievances need to be taken especially seriously. As I noted in my January 2009 blog on this subject; “Most of the threats received will lead to nothing. Failure to share all threats with government investigators may lead to an unexpected attack that could have been prevented.” To date this Canadian bomber has been careful to only attack unattended remote sites. It seems inevitable, however, that the continued lack of an ‘appropriate response’ from EnCana will lead to more spectacular and deadly attacks.

Wednesday, April 14, 2010

HR 4842 Mark-up Scheduled

The House Homeland Security Committee added a new hearing to its schedule since I posted my blog about Congressional Hearings on Sunday night. They now have a full committee mark-up scheduled for HR 4842, the ‘‘Homeland Security Science and Technology Authorization Act of 2010’’ tomorrow at 10:00 am EDT. I briefly discussed the cyber security and chemical security issues in the bill that might affect the chemical security community in a blog last month. Subsequently the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology held a mark-up hearing on the bill. The Subcommittee Action report noted that the amended bill had been passed by a voice vote. None of the amendments listed had any apparent affect on the chemical security provisions. That is not a definitive analysis because the HS Committee web site does not provide copies of the actual amendments nor does it provide a copy of the marked up bill.

Admin Review of QHSR Dialogue

Earlier this year I looked at the initial report by DHS on their Quadrennial Homeland Security Review. While we are waiting for the results of the Department’s ‘bottom-up’ review of the QHSR we can now read a review of the process used in the National Dialogue that formed a part of that review. The National Academy of Public Administration (the group that actually ran that ‘National Dialogue’) had a panel take a detailed look at the process and they published their report last week. Rather than looking at the QHSR Dialogue results, this report focuses more on the lessons learned in how to conduct this type of public interaction in the policy development realm. As such I think that this report will be beneficial to DHS and other government organizations at all levels in developing future interactive tools of this sort. Of particular interest to me was the 5th section of the report that dealt with the legal issues surrounding the conduct of this type of review. It includes a discussion of how the Paperwork Reduction Act of 1980 impedes the formation of this type of information exchange. The bureaucratic rules governing the ‘collection of information’ with its 60-day and 30-day notice requirements for information collection requests was never intended to deal with this type of electronic communications. This report recommends that OMB and the White House Counsel’s Office issue a “issue a legal opinion on the circumstances under which the PRA and similar statutes apply to publicly available collaborative engagement opportunities and such platforms as the National Dialogue on the QHSR” (page 60). I think that it might be more appropriate for Congress to look at updating the 30 year old legislation to bring it into line with the electronic age and Web 2.0 technologies. DISCLOSURE NOTE: One of my blog postings was quoted in this report (page 27, footnote 22), so the report drafters were astute and well read. Unfortunately they got the link wrong; the quote comes from the following blog post: http://chemical-facility-security-news.blogspot.com/2009/09/qhsr-bloggers-round-table-8-31-09.html In any case, this report provides some interesting discussions about the mechanics of last year’s National Dialogue and how to use that technique in the future. Of course, I’m more interested in the DHS report on the bottom-up review…

New CFATS blog

There is another new voice in the chemical security community looking at CFATS in a recurring blog over on ChemicalProcessing.com. Actually it is not quite fair to call Ryan Loughin a ‘new voice’ as he has been writing articles on CFATS for a number of magazines. Ryan is the Director of Petrochemical & Energy Solutions at ADT and has been the point man for that company’s CFATS seminars that have been mentioned here in this blog. The latest posting on the new blog briefly looks at the current status of CFATS legislation. Ryan provides a brief summary of the recent action on CFATS renewal in both the House and the Senate. He didn’t mention that DHS had promised to provide their version of a proposed CFATS renewal bill, but his summation of why HR 2868 and S 2996 won’t be considered in this session should also apply to the DHS written version so it isn’t an important omission. I would like to welcome Ryan into the public discussion of about CFATS issues.

Tuesday, April 13, 2010

CFATS Personnel Surety Program ICR – 30 Day Notice

On Tuesday, April 13th, the Infrastructure Security Compliance Division folks at DHS published a 30-day information collection request (ICR) notice in the Federal Register for the CFATS Personnel Surety Program (PSP). This is a follow-up to the original notice published last summer (June 10th, 2009; 74 FR 27555), responding to the numerous public comments submitted to DHS. This proposed program would allow DHS to conduct the personnel surety checks of personnel against the TSA’s Terrorist Screening Database for high-risk chemical facilities as required by 6 CFR 27.230(a)(12)(iv). This program will not replace facility responsibilities to conduct other background checks to verify identity, check criminal history, or validate legal authority to work in the United States. CFATS Personnel Surety Program The CFATS PSP will include a potential of three different types of information submissions by high-risk chemical facilities:
Initial submissions on affected individuals; Updated/corrected information on affected individuals; or Information that previously reported individuals are no longer affected.
DHS expects that it may require facilities to submit the information listed below to allow it to adequately screen individuals against the TSDB as well as identifying those CFATS covered facilities where the individual may have access to restricted areas or critical assets.
Full name Date of birth Place of birth Gender Citizenship Passport information Visa information Alien registration number DHS Redress Number (if available) Work phone number(s) Work e-mail address(es)
Follow-up information may be requested by DHS. In order to ensure that facilities may not assume that a request for follow-up implies that an individual has been identified on the TSDB, ISCD makes it clear that there are three reasons that they might request additional information on an affected person:
Confirm that an individual is or is not a match to a known or suspected terrorist on the TSDB; Provide redress for individuals who believe that they have been improperly impacted by the PSP; or As part of a data accuracy review and auditing process.
Affected personnel are all facility personnel (employees and contractors) that have access (either escorted or unescorted) to restricted areas or critical assets, or unescorted visitors who have access to those areas. Facilities will submit the required information via a PSP tool in the existing on-line Chemical Security Assessment Tool (CSAT). ISCD expects to provide for bulk data submissions as part of the PSP tool and requests comments from industry on what forms might be most appropriate for these bulk data submissions. Additionally, ISCD intends to allow facilities to use contractors, consultants or other outside agencies to submit the required data for them. This will be done under the “Preparer” provisions already allowed under other CSAT tools. ISCD will publish a schedule in the Federal Register of when facilities will be required to submit data on affected personnel, noting that the schedule will vary according to which Tier level the facility is assigned. A proposed schedule is included in this notice (75 FR 18853). Notification of TSDB Matches ISCD will send each facility a confirmation of their submissions to the PSP to allow the facility to demonstrate to inspectors that it has complied with the terrorist background check requirements of RBPS 12. In the event of a positive match against the TSDB, the Office of Transportation Threat Assessment and Credentialing (TTAC), the office that maintains the TSDB, will notify the FBI’s Terrorist Screening Center (TSC). The TSC will make the final determination if an individual is a match to a known or suspected terrorist listed in the TSDB. The TSC will make notifications to appropriate Federal law enforcement agencies for further investigation and response. Such agencies may contact the facility as part of their investigation. The Department does not intend to routinely notify affected facilities of positive TSDB matches. In response to comments that DHS should notify covered facilities if the TSDB check indicates a match with a known or suspected terrorist this ICR notes that the precise manner in which “DHS or Federal law enforcement entities could contact high-risk chemical facilities following vetting are beyond the scope of this PRA notice” (75 FR 18856). Paperwork Reduction Act Exemption DHS is including in this ICR a request for exemption from requirements of the Paperwork Reduction Act {5 CFR 1320.8(b)(3)}. The purpose of this exemption is to avoid having to require that facilities collect signatures of affected personnel affirming that they have been advised of certain information collection rules. This will not affect the notification requirements under the Privacy Act {5 U.S.C. § 552a(e)(3)} or other Federal, State, or local privacy rules or regulations. Public Comments DHS received 17 comments on the original 60-day ICR notice. DHS includes in this notice responses to those comments (75 FR 18852-6). ISCD has made appropriate revisions to the outline of the program provided in this notice. DHS requests public comments on the program outlined in this notice. In particular DHS requests comments on:
● Respond to the Department’s interpretation of the population affected by RBPS-12 background checks, as outlined in 6 CFR 27.230(a)(12); ● Respond to fact that the Department or a Federal law enforcement agency may, if appropriate, contact the high-risk chemical facility as a part of a law enforcement investigation into terrorist ties of facility personnel; ● Respond to the Department’s intention to collect information that identifies the high-risk chemical facilities, restricted areas and critical assets to which eachaffected individual has access; and ● Respond to the Department on its intention to seek an exception to the notice requirement under 5 CFR 1320.8(b)(3).
Comments must be submitted by May 13th, 2010. Comments may be submitted electronically at www.Regulations.gov (Docket Number: DHS-2009-0026).

Monday, April 12, 2010

DHS Leadership Journal Moves

Ran into a brief notice today when I went to check on the DHS Leadership Journal. The location for this blog has changed to http://journal.dhs.gov/. There is currently an automatic re-direct to take people from the old URL (http://www.dhs.gov/journal/leadership/) to the new URL. There is no telling how long that will remain in place; so go ahead and change your Favorites to reflect the new URL.

Critical Infrastructure Protection Page Update 04-09-10

Late last week the Department of Homeland Security updated their Critical Infrastructure Protection landing page. While they have yet to make their planned change of adding a change date on the bottom of the page, they did add a number of new links to the page. Those links included: Bomb-Making Materials Awareness Program (BMAP) Protective Security Advisors Federal Building Security Bombing Prevention Training BMAP The Bomb-Making Materials Awareness Program is mainly addressed at retailers that sell chemicals that can be used to make improvised explosive devices. While this may not seem to have much to do with high-risk chemical facilities, I think that CFATS covered facilities that deal with production/sales of such commercial chemicals should ensure that any commercial distributors that they deal with are actively involved with this program. Protective Security Advisors Protective Security Advisors assist owners and operators of critical infrastructure and key resources (CIKR) by coordinating requests for Department-provided services such as training, grants, and vulnerability assessments. While this is not a substitute program for CFATS covered facilities, chemical facilities that are not covered under CFATS may find some assistance from this program. Bombing Prevention Training The Office for Bombing Prevention (OBP) develops and maintains the training and works with state homeland security officials and state training offices to coordinate course delivery. This web page states that “critical infrastructure owners and operators can request courses through the Department’s Protective Security Advisors”. It would seem to me that someone at the Department’s Infrastructure Security and Compliance Division should be coordinating the development/deployment of this type training for CFATS covered facilities, but that doesn’t seem to be the case.
 
/* Use this with templates/template-twocol.html */