Monday, May 31, 2010

Energy Facility Security

I got an interesting email from a reader yesterday, a reader who is active on the Safe Pipeline Group on Yahoo.com. He pointed me at the discussion on that group about the recent explosions at a number of remote drilling site storage facilities. He was upset that it was only the Chemical Safety Board that was addressing the issue of security at these sites, especially since the CSB has no authority to require anyone to do anything about the problem.

Drill Sites Not Covered

Now I have briefly addressed this issue, commenting on the YouTube video that CSB had posted on the issue, over on my personal blog. I have not yet addressed the issue here because it is not a CFATS issue. Crude oil is not listed in Appendix A, nor is it an NFPA 4 flammable liquid, so it isn’t covered under the mixture rule either. Even if crude oil were a COI, these remote sites would almost certainly not be covered once the facility submitted their Top Screen; their remote locations would not make them good terrorist targets under the CFATS evaluation methodology. True, non-oil company people have been killed in accidental explosions at these sites, but that was because they were trespassing, not because they lived or worked near the site.

Having said that, there have been actual terrorist attacks on similar sites in Canada. None of those attacks have caused any deaths or injuries, only some property damage, and that was limited to oil company property. This just goes to show that just about anything is a potential terrorist target.

Higher Security Risks

There are a large number of energy-related targets that would be a lot higher priority for general terrorist (as opposed to enviro-terrorist) attacks because they would affect larger portions of the population. A successful attack on a gasoline storage terminal would certainly have more direct effect on the local population. The way that DHS set up their mixture rule has made their attempt to regulate security at these facilities problematic.

Fuel pipelines are still not regulated from the perspective of their security. TSA has been slow to regulate this area. The main reason is that the length of these pipelines makes any real security effort nearly impossible to effect. The much larger fuel-related target that has yet to be regulated from a security point of view is the retail distribution side of the issue. Both fuel trucks and commercial gas stations are essentially unprotected from terrorist attacks. Again, the cost of effective security at these facilities would be so high that the public would scream about the resulting huge increases in the price of gasoline.

Can’t Protect Everything

It is a truism in the security business that you can’t protect everything. There are not enough resources available and too many things require unfettered access in a free society. We have to pick and choose those things that, if attacked, would have the most significant impact on society. Having said that, I think that we do need to have a more public discussion about what parts of the energy distribution network do require additional security enhancements.

While the oil industry can argue that attacks on fuel distribution facilities would have minimal off-site physical impact, there is no doubt that such attacks would have an immediate and profound effect on the cost of gasoline. A series of such attacks by a dedicated cell of terrorists could cripple our economy. Similarly, attacks on the retail distribution end of the fuel line would have spectacularly impressive visual effects on the evening news. Enough well-publicized attacks spread across the country would have the public up in arms, demanding protection. Again, the economic effects would be profound.

Sunday, May 30, 2010

DHS CSAT FAQ Page Update 05-28-10

This last week saw DHS make more modifications to the responses on their Chemical Security Assessment Tool (CSAT) Frequently Asked Questions (FAQ) page than they have in quite some time. They modified responses to three previously asked questions and added seven new questions. The modified responses were for the following questions:

1473 What information do I need to know about my facility in order to register?
1563 How do I know if my facility is a Treatment Works as defined in Section 212 of the Federal Water Pollution Control Act?
1604 Do I need to keep a record and/or printout of my survey before transmitting it to DHS?

There were no material changes to any of the modified responses. The DHS people were just cleaning up typographical errors and misspellings; all typical work that needs to be done to a database this large. Special Note to DHS: you missed one error in the answer to question 1563: “recy6cling”.

New FAQ

I routinely recommend that all facility security managers (and other interested people) read the responses to all new questions, even if they do not appear to apply to the facility. This is because they always provide some level of insight into the thinking of ISCD and that is always valuable. The new questions added this week were:

1403 In the on-line SSP, how do I identify my facility's Cyber Control System on the map if it is managed off-site?
1661 What is the definition of A Commercial Grade (ACG) for the purposes of CFATS? Specifically, under Appendix A of the Chemical facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27, if a chemical facility manufactures or otherwise possesses a Theft/Diversion or Sabotage chemical of interest (COI) but does not directly offer the chemical for commercial sale, does the facility need to count the chemical toward the applicable screening threshold quantity to determine if the facility must submit a Top-Screen to DHS?
1662 I have received an email notification that a CSAT Letter is available for viewing. How do I access this letter?
1663 I have a final tiering determination and SSP deadline, but have not yet submitted my SSP. I have also made material modifications to my site. What should I do?
1664 Between the time a facility submits an SSP for review and ISCD inspects the facility, could DHS direct a facility to cease operations? In other words, could DHS shut down a facility based on the content of a submitted SSP without an actual facility inspection?
1665 What are examples of redundant radio systems?
1666 Does a facility have an obligation to notify DHS if the facility itself is shutting down/closing?

A Commercial Grade

The response to question 1661 should be closely looked at by any facility that has an STQ amount of either a Theft/Diversion COI or a Sabotage COI on site. DHS clarifies in this response the status of a facility that possesses but does not sell those COI. DHS explains that the phrase “offered for commercial sale” does not mean that facilities that use but do not sell these COI are exempt from reporting these materials on their Top Screen. The phrase is used to describe the chemical, not the facility.

There still remains one potential loophole in this definition. If a facility produces the material for internal consumption and does not sell or transfer that material off-site, then it would appear that the facility would not be required to report it on the Top Screen. If I were in that situation, though, I would specifically ask DHS for their opinion on the matter before submitting my Top Screen.

Change in COI

The response to question 1663 is of particular importance to a wide range of facilities. When a facility has received its final notification letter of its tiering and SSP due date, but has not yet submitted its SSP, the facility does not get a reprieve from the SSP requirement by submitting a ‘material change’ Top Screen showing a reduction or removal of a COI from the facility.

In addition to filing a new Top Screen, DHS wants facilities to report the change on their SSP. If the change has already been done, DHS wants it to be reported on the SSP as a “Planned Measure”. If the change is in process or planned to take place, DHS wants it to be reported as a “Proposed Measure”. This will allow DHS to evaluate the effect of the change on the security profile of the facility. For “Planned Measures”, DHS will consider those measures when deciding on the approval of the SSP. For “Proposed Measures”, DHS will not consider them in the approval decision process, but ISCD will inform the facility of the potential effect of the change on their CFATS Status. The most important part of this response, however, is found in the last paragraph:

“By stating a COI has been or will be permanently removed from a facility in the SSP, or that conditions have otherwise been permanently and materially changed, the facility is then legally bound to ensure that COI is in fact never held at that facility again or that the condition or material change remains in effect unless and until DHS approves a revision to the facility’s SSP. See §§ 27.210(d) and 27.245(a)(iii).”

It would seem to me that facilities would want to be very careful in reporting this type of change as a “Planned Measure”. If there is any reasonable chance that the facility will be returning the material to the facility, then it may be more prudent to report the change as a “Proposed Change”. This will not carry the same legal burden as a “Planned Measure” since DHS is not using that report in their actual consideration of the SSP.

Saturday, May 29, 2010

Long Weekend

Congress finished their work yesterday afternoon and took off for the long Memorial Day weekend; they won’t be back to work until June 7th (the Senate) or June 8th (the House). Not that they will actually be taking much time off; this is an election year, so most of them will be spending lots of time talking to constituents back home. With the number of upsets so far this year in just the primary elections, electioneering is likely to be even more of a factor in the deliberations of Congress this year. Democrats will likely try to bring up some measures for votes that their liberal base wants to see passed, even though any realistic observer would be well aware that Senate Republicans, appealing to their conservative base, would certainly block actual votes. All posturing for the base, but it will take up time and make it more difficult to get any real work done.

This year it is possible that electioneering might even interfere with passage of the DHS budget. Typically the Defense budget and the DHS budget get passed even if the rest of the government gets covered by a continuing resolution until after the election. This year, because of immigration issues, the DHS budget might get held up as well. Then we will have to pay particular attention to the actual language of the continuing resolution to make sure that it actually continues the CFATS program that currently expires on October 4th.

Friday, May 28, 2010

Water Facility Security Training

I ran across an interesting training notice on Facebook for a class for water facility personnel, intended to prepare utilities for the security and safety requirements under House of Representatives bill HR 3258, the “Drinking Water System Security Act of 2009.” The class will be held the week after next in Murfreesboro, TN. According to the notice:
“Utility operators will become familiar with the requirements of this Bill and how to comply with the Bill. Free RAMCAP compliant software is available to help systems prepare risk-based security plans, and alternative chemicals and processes to replace compressed gases.”
Now HR 3258 was incorporated in HR 2868 as Title II of that bill and was subsequently passed in the House. Readers of this blog will know that I do not believe that this bill will come to a vote in the Senate this year. Having said that, I am nearly certain that a similar bill will come up next year and there will be some sort of provisions for water facility security in that bill.

I’m not sure what ‘RAMCAP compliant software’ Taud Training Station is using, but the RAMCAP program was one of the bases for the development of the current CFATS tools. Additionally, addressing the issue of ‘alternative chemicals and processes’ (I like that better than IST) should certainly be of benefit to water system operators even if there is no IST mandate in future legislation.

A six-hour training program will not provide in-depth coverage of any of these topics, much less all of them, but it is certainly enough time to give a good overview and point participants in the proper direction for further training. I don’t know anything about the Taud Training Station or any of the specifics of their proposed training, but the info provided on the Facebook page certainly would be enough to get me to make a call to John Shadwick for further information if I was a small water system operator.

Reader Comment 05-26-10 CG Inspectors III

It always amazes me what subjects call forth readers’ comments. We have another look at the issue of Coast Guard Inspectors (CGI) with a response from another reader, Osocampana, to my post from February. Again, this is a lengthy comment and well worth the read at the end of that post. I want to take a look at one point that the writer makes about turn-over. Osocampana writes:
“Once the young man or woman figures out how to run the program, they move on and then people like me, who've been overseeing the regulatory compliance programs for major companies are left dealing with a new guy that doesn't know his arse from a hole in the ground. He interprets everything differently in an effort to distinguish himself from his predecessor and you find yourself revisiting ridiculous issues that were laid to rest years ago and that not only goes with the young E3, but for the officers as well. We recently had a LtCmdr openly state that "I reserve the right to be more intelligent than my predecessor." Upon hearing that, I could only shake my head.”
In my time in the physical security field in the military I took for granted the phenomenon that Osocampana describes; that was simply the way the military did things. When new inspectors rotated into the command they brought a new way of looking at things and the focus of inspections changed slightly. In a way it made for a program that did not grow stale over time. Of course, the only thing that we were expending on the program was time and hard work; inspectors could not require the expenditure of real money or long-term capital expenditures. In the CFATS program, or the MTSA program, the new look can require the significant expenditure of money, money that inevitably must come from business revenues and could potentially have an important impact on profits.

Fortunately for Osocampana and his fellow regulatory compliance officers, the CFATS program is being administered by the civilian side of the Federal government where professional inspectors can be expected to be around for long periods of time. No, the ‘new requirements’ in the CFATS program will come from the minds of politicians, not the opinions of the new inspector on station. This will make them more predictable and allow for facilities to have more input into the change. I’m just not sure that it will make for a more robust program over time or if it will just end up like the enforcement programs found in OSHA and EPA; only effective in response to incidents, not preventing problems. We’ll see.

Thursday, May 27, 2010

Private Sector Resources Catalog

Lately I have been taking DHS to task for a variety of weaknesses in their ‘Open Government’ efforts so it is only appropriate that I say something positive about their latest effort in this area. Yesterday, after almost two weeks of silence, the DHS Blog had a post about the recent publication of their Private Sector Resources Catalog. The blog describes it this way:
“The catalog provides information, contact numbers and email addresses, and websites for almost every program, office, and component within DHS.”
The table of contents (which provides clickable links to the chapters, a really valuable tool) provides a quick look at the available information. Of potential interest to the chemical security community are chapters on Cybersecurity and Communications (CS&C), Office of Infrastructure Protection (IP), Science & Technology Directorate (S&T), and Transportation Security Administration (TSA). Each chapter provides a fairly comprehensive list of programs with points of contact (POC) and/or web pages where further information can be found. Many of the programs listed are hard to find on the Internet without this guide. Other programs are briefly mentioned on the Internet, but no POC information has been made available for more information. So this is a valuable guide, though I don’t recommend printing it out; the real value lies in the links and it is easier to use them in a computer file than from a printed document.

The web page for this document promises that “this catalog will be updated regularly to publicize new resources and increase private sector awareness”. Unfortunately, the page does not include a link that would enable someone to be notified when the catalog is updated. The page does include a ‘last reviewed’ date so it will be a fairly simple matter to click through to see when the catalog is revised, but it would be simpler if DHS would add this page to the list of pages for which they provide a change notification service.

If DHS regularly updates the available information (and some parts of DHS have better histories of updating information than others) and provides links to that information in future versions of this guide, they will have gone a long way toward redeeming their ‘Open Government’ operations in my eyes. This is a valuable document which will become even more valuable if it is kept updated at regular intervals.

Chemical Monitors

There is an interesting piece at 2TheAdvocate.com about a parish government (I’m not sure what a ‘police jury’ is, but that is Louisiana) that is selling off some property to partially fund a set of chemical monitors around a UP rail yard in Livonia. According to the article:
“Juror Kurt Jarreau said the parish had been battling the railroad company for years about quickly alerting emergency personnel when spills occur during derailment or other accidents, which he said happen often.”
While I am glad to see that a local government is being proactive in taking steps to protect its citizens against potential toxic chemical leaks, I certainly don’t think that it should be their responsibility to take this particular action. For high-risk chemical facilities housing release toxic COI I have long advocated that such detection networks should be a necessary part of their security mitigation plan. Additionally, EPA should have required such systems as part of the emergency response requirements under a variety of community right-to-know rules.

Of course, the CFATS rules explicitly exempted rail facilities from being considered as high-risk chemical facilities, noting that those facilities would be more appropriately regulated under TSA rules. Of course, TSA has done little to affect chemical security at rail (or any other type of transportation) facilities. They have regulated tracking and transfer activities for TIH rail shipments, but have not addressed any actual security activities except at shipper and receiver facilities that would presumably already be regulated under CFATS or MTSA regulations.

Even at these shipper and receiver locations TSA has simply required the establishment of ‘rail secure areas’ for the storage of TIH railcars without specifying what that means. Presumably they would be expected to provide some physical security for TIH railcars stored on site, but there are no requirements for any kind of emergency response planning. And besides which, those ‘rail secure areas’ are not required when those same cars are stored 'temporarily' at rail yards.

So, a small community in Louisiana is responsible for detecting a chemical leak on private property in order to protect their citizens from the toxic effects of such a leak. The railroad that owns the property apparently has no responsibility for notifying that community, no responsibility for planning for what must happen in the event of such a leak. That doesn’t seem right.

NSTAC Teleconference 06-10-10

DHS posted a notice in today’s Federal Register that the President’s National Security Telecommunications Advisory Committee (NSTAC) will be holding a teleconference on June 10th, 2010 that will be open to the public. The NSTAC advises the President on issues and problems related to implementing national security and emergency preparedness telecommunications policy. The NSTAC Principals will deliberate and vote on comments on the draft National Strategy for Secure Online Transactions. Anyone wishing to submit comments on this action can post them on www.Regulations.gov (Docket #: NCS-2010-0002). Anyone wishing to access the teleconference should contact Ms. Sue Daage at (703) 235-4964 or by e-mail at sue.daage@dhs.gov by 5:00 p.m. June 3, 2010.

Wednesday, May 26, 2010

Reader Comment 05-26-10 ICSJWG Agenda

Earlier today, Bob Radvanovsky, the man behind the SCADASEC mailing list (among others), posted a comment to yesterday’s blog about the Industrial Control System Joint Working Group’s Fall Conference. I had complained that the Call for Papers for that Conference did not include a listing for papers on any of the cyber security regulatory standards. Bob, the ever practical one, noted that “there is nothing there for ‘defining forensics capabilities’”.

One of the problems, one of many unfortunately, with ICS security issues is the fact that there is no ready way to determine if an incident with an ICS system is due to a system error or an external attack. With the complexity of ICS systems (sometimes multiple computer systems with hundreds of devices, sensors and communications devices) there are a large number of potential individual failure points, numerous sources of possible communications errors, and typically an unknown number of points of potential outside access to the system.

From personal experience I know that we unconsciously placed explicit trust in the data and response of our control system. I have taken part in probably a hundred or more process upset investigations where we used data historian information to try to track the root cause of the process upset. Not one time did we ever consider the possibility that the control system could have been the source of the problem, not even when we could not isolate another potential cause. Sure, we checked peripheral devices to ensure that the sensors and actuators were operating as expected, but we never questioned the system.

The ICS security community does not limit its concern about cyber security to attacks by terrorists or even disgruntled employees. When they talk about cyber incidents they worry about those attacks, but also about unexpected interactions between system components, programming and operator controls. An unexpected opening of a drain valve on a toxic chemical tank could be caused by any of those. In fact, if it must be admitted in public, incidents are much more likely to be caused by system problems than by terrorist attacks.

So, Bob is absolutely correct; it would sure be nice if there were a reliable, easy-to-use tool that we could use to diagnose the cause of a system failure and quickly determine if it was the result of a deliberate attack, device failure, or some more complex unintended interaction between system components. While it probably wouldn’t change the immediate emergency response, it would certainly make it easier to fix the problem.

CG Final Rule for LNG-LHG Facilities

Today the Coast Guard published their final rule for the revision of the requirements for waterfront facilities handling liquefied natural gas (LNG) and liquefied hazardous gas (LHG). This rule modifies 33 CFR Part 127 to harmonize the Coast Guard’s regulations for LNG with those established by the Federal Energy Regulatory Commission (FERC) and applies those regulations to LHG facilities as well. With minor changes to clarify requirements, this final rule adopts the proposed rule found in the NPRM published on April 28th, 2009 (74 FR 19159). I discussed the details of that NPRM in an earlier blog. While one would be hard pressed to describe this rule as setting forth security requirements for these facilities, it does describe the requirements for a risk assessment (safety and security) as well as a definition of the assessment required for maritime security and response resource requirements. Since the new rules would require submission of a slightly different set of data requirements by facilities, the Coast Guard is in the process of revising the current information collection request (ICR; 1625-0049). The 60-day request for comments on that revision was submitted at the same time as the NPRM. The rule states that the revision request has already been submitted, but the OMB web site (as of 5-25-10) does not show that a revision request has been submitted. The effective date for this rule will be June 25, 2010. The Coast Guard will not be able to require the actual submission of information under this regulation until the OMB has approved the revision to the ICR. The Coast Guard will provide notification through the Federal Register once that approval is received.

CIKR Learning Series Page Update 05-25-10

Late yesterday DHS updated their Critical Infrastructure and Key Resources Learning Series [link added 05-26-10 22:45 EDT] web page. For some unexplained reason they removed the link to the last webinar that was added to the available archives, 2010 Hurricane Season: Tools for Understanding Risk. This webinar was held earlier this month and had just been added to the archive earlier this week. I checked this morning and the link above is still operational.

Tuesday, May 25, 2010

Reader Comment 05-25-10 CG Inspectors II

Earlier today I received a very interesting and important comment on an earlier blog about the Coast Guard MTSA inspections from an anonymous Coast Guard Inspector (and I certainly appreciate the reasons for that anonymity, having spent 15 years in the Army). While the entire response is well worth reading (see the end of that earlier blog), I would like to address two important portions of that comment.

Training

First, our Coast Guard Inspector (CGI) doesn’t think that my comment on the one-day training in A School tells the entire story. CGI writes:
“My point is, as a CG Facility Inspector I want to make sure everyone who reads that story understands there was more than 1 day of training during MST "A" school. There is in-field training that is required prior to receiving that qualification that takes months and requires a lot of shadowing of someone qualified.”
As a former military instructor I am well aware of the differences between formal instruction and on-the-job training. Both are an important part of producing a professional in any field. OJT, particularly when supervised by an intelligent and experienced mentor, is an invaluable part of the development of a security professional. The details of day-to-day operations (what to look for in a wide variety of facility settings and, more importantly, how to deal with a variety of facility personnel) can only effectively be taught in a real world setting.

There is, however, an inherent weakness in OJT: the lack of control of subject matter exposure. A daily work environment frequently limits the number and types of encounters that will be experienced in an OJT period. One-of-a-kind facilities with unique requirements and characteristics are frequently missed in such programs. Types of facilities not found in a particular area will obviously be glossed over or ignored. A CGI trained at a West Coast port will have no exposure to the security concerns associated with loading bulk ammonium nitrate on river barges, for example.

Now a classroom period of instruction on bulk loading of river barges will never completely substitute for working alongside someone who has done hundreds of inspections of such facilities. But that classroom instruction will provide much more information than what someone would pick up on the job in Long Beach. This is one of the reasons that when DHS set up the Chemical Inspector Academy they included both the classroom instruction and visits to a variety of chemical facilities.

And I certainly agree with our commenter that an experienced CGI would almost certainly have an easier transition to become a chemical facility inspector than, for example, someone from the Federal Protective Service with more experience at office building security. But we probably need all of the CGI that we have to continue to keep our MTSA facilities properly secured.

Working-out Program Bugs

Our anonymous commenter makes a point about the MTSA implementation that certainly applies to some extent to the CFATS program as well, writing that:
“I think it is worthy to note that the Coast Guard Facility Inspectors were handed a set of regulations a few years back and told to enforce them with little to no guidance. While we can all rant and rave about the injustices done to the "mom and pop" facilities who had stringent (and arguably unnecessary) regulations enforced on them I think you have to remember that there should be a grace period for the CG to figure out how to do their job the best and safest way. In this instance I would consider the Coast Guard's approach to 33 CFR 105 facility security was "better too much than too little". Again, that can be argued either way.”
CFATS inspectors are getting more formal training than the original MTSA inspectors did, but they are still the first ones on the ground, learning as they enforce. While it will be hard for facility personnel to accept this, they are going to have to deal with it. Even the ‘senior’ inspectors will only have a couple of facilities’ worth of experience under their belt when they show up at the front gate. There is a very good chance that they have never been in that particular type of chemical facility ever before in their life.

There are no checklists and the inspectors are working off the same ‘vague’ guidance document that industry has been complaining about for a year now. This is another reason that these initial inspections are so time consuming. The inspectors are having to work with facilities to understand each facility’s unique situation. With the lack of CFATS inspection experience, achieving that understanding will be that much more difficult. Both sides of the inspection process are going to have to work together to make this program effective.

ICSJWG Page Update 05-24-10

Yesterday, while making one of my periodic checks of the Industrial Control System Joint Working Group web page I noticed that they had updated information available about their fall meeting. Their Fall Conference will be held on October 25-28, 2010 in Seattle, Washington. They have general agenda and Call for Papers information available. On the last day of the Conference there will be an 8-hour Introduction to Industrial Control Systems Cybersecurity training session. Proposals for papers and panels need to be submitted by July 28th via an electronic form that is not yet available. The program committee is looking for presentations in the following topics of interest:
Workforce Development Control Systems Security Research International Coordination Standards Development Incident Response and Handling Vulnerability Management Emerging Technologies Managing Vendor Relations Law Enforcement and Forensics for ICS Integration of Cryptographic Technologies Security Management Metrics Information Sharing Wireless Integration in ICS environments Lessons learned Securing network perimeters Malware and Vulnerabilities Effective Cybersecurity Programs Coordination of Threat Reporting and Determining Attribution
I don’t see a single topic listed here that wouldn’t be a valuable subject for discussion, but I would have liked to see at least one topic that directly addressed government cyber security standards (CIP, CFATS, etc). In fact, it would probably be worthwhile to have a representative of the various enforcement agencies provide updated information on their programs.

CSSP Page Update 05-24-10

Just last week I updated you on the changes to the DHS-CERT Control System Security Page and I discussed their updated reporting procedures for industrial control system cyber incidents. Unfortunately, some of the information that I told you about has been removed from the CSSP main web page. DHS removed the email address for reporting ‘general cyber activity’ (soc@us-cert.gov) as well as a second phone number. There hadn’t been an explanation of what that second number would be used for, so that doesn’t seem to be a major change. The one change that I am disappointed to see is that DHS removed their offer to “provide onsite assistance, free of charge, to organizations that require immediate investigation and resolve in responding to a cyber attack.” I had noted that this type of assistance could be invaluable for facilities experiencing a cyber incident, especially since most facilities don’t have the necessary internal expertise to conduct these investigations or correct the problem. All was not negative in this latest change. DHS did move the link to their public key to the main page so that facilities can encrypt confidential or sensitive business information when making their reports. Fortunately the links that I provided (and that are still not available on the CSSP page) for the Phishing reporting procedure and reporting vulnerability issues are still active.

CFATS Webinar

The folks at Chemical Processing Magazine and ADT Advanced Integration are sponsoring a CFATS Webinar on June 17th at 1:00 pm EDT. The three presenters, Ryan Loughin (ADT), Michael Kennedy (SOCMA), and Steve Roberts (Roberts Law Group) will address:
• CFATS Road Map & Timeline
• CFATS Regulatory & Legislative Updates
• CFATS Regulatory Considerations for SSPs
All three of these presenters are very knowledgeable and experienced speakers. The topics are timely and they certainly have the experience and background to provide valuable insights on their respective topics. Traci Perdum, the Senior Digital Editor for ChemicalProcessing.com will be moderating the program and live Q&A session that will follow the presentations. The only thing missing from this webinar is participation by DHS. ADT has had DHS presenters at earlier webinars. What would be interesting would be to have Larry Stanton give his presentation on the IST reporting tool that DHS is considering adding to the CFATS program. I have an article on their proposal coming out in the upcoming issue of the Journal of Hazmat Transportation. Stanton made his presentation back in March at a CCPS meeting and it would be interesting to see the response to the proposal before a more general audience like this.

Monday, May 24, 2010

Reader Comment 05-24-10 Video Surveillance Training

John Honovich (www.IPVideoMarket.info) left a very nice reply to yesterday’s blog about his video surveillance training program. He announced a change in his site’s pricing policy, writing that:
“In July, we are going to introduce a new plan just for basic video surveillance - $99 for the year. We want to make it as affordable as possible for end users to learn more about video surveillance.”
I always applaud suppliers rolling back their prices. I know that John isn’t just targeting this price at the chemical security community, but I know that it will be appreciated by the facility security managers that are trying to get up to speed on a wide variety of security subjects. This will make that task just a little easier.

Development Along Rail Lines

This weekend there was an interesting article in my home town newspaper about the renovation of an old textile mill into offices, retail, and apartments. It is a deserted, historic old building on the outskirts of the downtown area and it certainly deserves renovation; except that it has a major rail yard as a next door neighbor. The article makes a big thing about how lots of old mills across the South have been renovated along rail lines; rail lines were typically run near mills, or vice versa, to provide shipping and receiving for those mills. The builder notes that the thick walls and insulated windows help knock down the noise associated with rail lines so residents of the high-end loft type apartments typically put into these renovations don’t complain about the noise. That’s all good, as far as it goes. I just wonder if they are putting in airtight seals on the doors and windows and auto shutdown mechanisms on the central heat and air. Oh, and more importantly, chemical detectors for anhydrous ammonia and chlorine. You see this is not just a rail line alongside of the mill property, but it is a rail yard. This is where trains are taken apart, stored and formed up again. And some of the train cars coming through this particular yard contain chlorine gas and anhydrous ammonia. I know, I’ve watched them come in and go out. And the risk for an accidental release of chemicals from rail cars is higher at rail yards than just along rail tracks. More handling means that there are more chances for accidents. To make matters worse, there is next to no security at this particular rail yard. There are surface streets that cross the tracks and vast stretches of the perimeter with no fencing. In fact the only fencing that I know exists was part of the old mill perimeter fence. This means that if terrorists were interested in gaining access to these high-risk rail cars, this would be a good place to do so. 
Add a bunch of high-rent apartments on the perimeter and it becomes a potential terrorist target. Do the real estate disclosure laws cover this situation? Does the developer understand the potential hazard? Did the Planning Advisory Commission take these factors into account when they recommended that the zoning be changed from light industrial to an Uptown (mixed residential and commercial) zoning? You make your guesses; I know what I think. The only saving grace is that it will not be poor folks living next to the tracks; it will be well to do folks. People with access to well paid lawyers. People with access to important politicians. People who will ask "Why wasn’t I told, warned or protected?" when the accident or attack exposes them to toxic inhalation chemicals. Maybe that is what it will take to get these rail yards moved out of city centers.

Sunday, May 23, 2010

HR 5346 Introduction

On Wednesday Rep. Thompson (D, MS), chairman of the House Homeland Security Committee, introduced HR 5346, billed as a bill to enhance the homeland security in the ports and waterways of the US. This bill is essentially Title XI, Port Security, of HR 3619 as it was passed in the House last October.

HR 3619 and Politics

As I noted earlier this month, the version of HR 3619 that was passed by the Senate was substantially different than the House version; one difference was that the Senate version did not include Title XI. The Conference Committee for this bill has yet to be appointed, so it is a little surprising that Chairman Thompson is apparently assuming that Title XI will not be added back to the bill in Conference. It also raises a question: if Title XI would not be acceptable to the Senate Conferees, how much of a chance will this bill have of being considered in the Senate in the limited amount of time left in the election-shortened session?

There is another interesting political oddity about HR 5346. HR 3619 was not acted upon by the Homeland Security Committee. It was introduced by Chairman Oberstar of the Transportation and Infrastructure Committee and the House Report on that bill only included actions by his Committee. One would have thought that it would have been Chairman Oberstar that would have introduced this bill, or at least co-sponsored it. Now I understand that Title XI of HR 3619 does specifically address port security issues and one would think that this would come under the purview of the Homeland Security Committee. This is one of the continuing problems that homeland security issues have in Congress: there are too many committees with their fingers in the homeland security pie.

Politically speaking there is another possible explanation for the introduction of this bill. Chairman Thompson might be planning on getting this passed in the House (which could happen fairly quickly since it has essentially already been considered). Instead of trying to get it through the Senate he could be intending on getting it included in the DHS Budget bill (that has yet to be introduced). This is a technique that he has used for a number of pieces of legislation since he became Chairman in 2007.

Chemical Security Provisions

In my initial blog about HR 3619 I noted that there were a limited number of provisions in that bill that would directly affect the chemical security community. Interestingly all of those provisions were included in Title XI and made it into this bill. There was one significant change to Title XI provisions since I wrote that initial blog that will be of interest. The provisions related to the definition of ‘Especially Hazardous Materials’ were removed. Actually that term was changed to ‘certain dangerous cargo’ and a specific reference to any chemicals was not included in the definition of that term. It now leaves that definition up to regulations to be written by the Commandant.

There was one other provision in HR 3619 as passed by the House that I noted in a later blog as being of potential concern to our community. That provision (§ 1332) dealt with Coast Guard actions against semi-submersible vessels used by drug traffickers. That provision was not included in this legislation.

Moving Forward

This bill should be able to make it through the two committees, Homeland Security and Transportation, that it has been referred to in the House. There should be no major opposition to the bill if/when it makes it to the House floor. The major question is how likely it is to get considered in the Senate. There is very little that looks the least bit controversial to me, but there is some reason that Chairman Thompson thinks that this will not be acceptable to the Senate conferees; so I don’t know.

SCADA Vendor Support

I just finished reading an interesting article on ControlGlobal.com. It describes ABB’s (a SCADA equipment vendor) ability to provide “advanced diagnostics and data collection tools to provide levels of access and maintainability for ABB equipment or monitoring of PCs in any environment” via remote access. Reading the article it struck me that ABB, and many other SCADA vendors offering similar services, may provide security managers at high-risk facilities with an overlooked security problem.

Unescorted Access

The CFATS regulations require that facilities conduct a variety of background checks “for unescorted visitors with access to restricted areas or critical assets [emphasis added]” {6 CFR 27.230(a)(12)}. It would seem to me that even the most restrictive definition of ‘critical assets’ would include SCADA and industrial control systems at CFATS covered facilities. A vendor technician working on such systems on site would certainly fall under the ‘unescorted visitors’ definition unless accompanied by someone qualified to understand what the tech was doing with the cyber system. What would make that same technician exempt from the background check requirement if they were accessing the system from off-site? Any such off-site access must be considered ‘unescorted’ access to a critical asset.

Two Options

Now as I see it, there are at least two options. First, CFATS covered facilities could shut down the off-site access capabilities of these vendors. There is certainly a security argument to be made for that option. Unfortunately, most facilities do not have anyone on the payroll that can conduct the appropriate diagnosis, much less make the repairs and adjustments that these vendors offer. Without these on-line services, facilities would have to be shut down until a technician could physically arrive on site; very costly.

The second, and more useful, option would be to have these vendors conduct the appropriate background checks for each of their employees that have access to these systems and to certify that they have met some minimum background check requirements. Of course, this would have to include the check of the terrorist screening database (TSDB) that DHS is requiring all others with access to the CFATS facilities to undergo.

The way that DHS is currently considering implementing the TSDB check would require each facility being served by these vendors to submit data on each of the vendor employees with potential access. Not only would that be time consuming for the facility, but it would raise some privacy issues as well. Additionally, that would drastically inflate the number of records that would have to be processed by the DHS folks.

Alternatively, DHS could set up their TSDB tool to allow the SCADA vendors to have their own accounts where they would submit the information on their employees. CFATS covered facilities would then identify the vendors that their facility uses that would be authorized off-site access to their control systems. This would allow DHS to identify who had access to the facility equipment and yet protect the privacy of the vendor’s employees. A similar technique could be employed for other companies that have employees with routine access to multiple high-risk facilities.

A Not So Minor Problem

One small problem with this idea: the CFATS regulations only apply to high-risk chemical companies. DHS does not have the authority to regulate the vendors and contractors that support the covered facilities. Just one more thing that needs to be added to the re-authorization of CFATS.

Basic Video Surveillance

Long time readers of this blog will be familiar with the name John Honovich. John has a web site, IPVideoMarket.info, that deals with the details of video surveillance. He has started a new service that looks very promising for security managers wanting to learn more about the basics of video surveillance technology, a video surveillance training program. The only drawback to the service is that it is not a free service, but the corporate membership rate is only $299 per year, so it isn’t much of a drawback, especially since it provides full access to the information on John’s site. John uses a combination of podcasts and printed material in the training program. I just finished listening to the first of three podcasts in the “Basics for Using Video Surveillance” program. It was an interesting 52-minute conversation about “Basic Uses of Video Surveillance” and it covered:
• Different approaches to live surveillance monitoring
• Types of alarm monitoring
• Examples of conducting investigations
• Common number of cameras being used
• Common locations and types of cameras being used
• Privacy issues in using video surveillance
• Unrealistic or science fiction approaches to video surveillance
It included a very good discussion about when and why facilities may or may not decide to have someone constantly monitoring the feeds from their security cameras. I especially appreciated the discussion of video quality and why it isn’t practical to have 100% perfect videos throughout the day. There are two additional podcasts in this introductory program; Video Surveillance Products Basics and Basics on Cost and Value of Video Surveillance. John includes links to written reports on both subjects for further detailed information. Once again I have to recommend another of John’s products. The podcasts are interesting conversations instead of lectures. Combined with the links to reports on information covered in the podcast the training value for this material is high. Once again, John is not trying to make anyone a video surveillance technician or integrator with this program, but he is providing valuable information to someone who will be dealing with these professionals.

Counter Surveillance

Long time readers of this blog will be well familiar with my consistent calls for high-risk chemical facilities to establish counter surveillance programs as part of their security planning. Two internet articles from last week, one from London and one from here in the US, take a brief look at formal counter surveillance programs established by government agencies and at some of the issues that face such programs.

Security Guard Interactions

The program in London provides training to local security guards in how to deal with individuals taking pictures or making sketches of public buildings. The article points out the concerns of civil rights activists that the program has security personnel and police unlawfully stopping people for doing nothing more than taking pictures, hardly an illegal activity. Anyone setting up a counter surveillance program needs to take care to ensure that their legitimate security efforts don’t trample on the civil rights of the public.

While taking pictures of chemical plants is less likely to be an action taken by simple tourists, there are still a number of legitimate reasons for people to be taking such pictures. Chemical safety and environmental activists all have a politically protected right to take such pictures as long as they don’t trespass on facility property.

There is nothing wrong with security personnel talking with such off-site observers as long as care is taken to ensure that nothing in the actions and demeanor of those personnel would indicate an effort to ‘detain’ the off-site personnel. Politely asking who the people are and why they are taking the pictures is unlikely to raise civil rights concerns. Crossing the line by demanding to see identification or blocking the movement of individuals or their vehicles until the police arrive should be avoided unless there is some other clear indication of obviously illegal behavior. Extensive training, vetted by company legal staff, needs to be provided to security personnel interacting with non-company personnel.

Having said that, taking pictures of a high-risk chemical facility is an action that might be an indicator of a pre-attack terrorist planning process. Terrorists would need that type of detailed facility information to conduct target selection and planning activities. Identifying people conducting this type of surveillance activity is a key part in preventing terrorist attacks. This makes identifying personnel taking pictures of a chemical facility a key intelligence activity.

General Public Observations

The second article looks at providing training to non-security personnel to report suspicious activity. The program sponsored by DHS relies on the fact that people working in the community have a better chance of observing suspicious activity than intermittent police patrols. They may spend more time in a single area, making them more attuned to what is normal and what is abnormal.

High-risk chemical facilities can utilize local neighborhood organizations to perform a similar function. The facility neighbors have a strong self-interest in helping to detect potential terrorist attacks that would directly affect the local population. Since management needs to be talking with these same people on emergency response planning matters, they might as well be asking these same people to help identify unusual individuals that show an interest in the operations of the chemical facility.

To be effective any such observation program needs to include a reporting procedure that is simple and encourages participation. A phone number needs to be made readily available to the local population. More importantly there needs to be a positive person on the receiving end of that phone call that knows how to ask questions to draw out additional details. A voice message system is unlikely to inspire continued participation. Facility employees can be trained to accept these calls, but it would probably be more effective if trained security or law enforcement personnel handled this.

Friday, May 21, 2010

Greenpeace Security Inspections

No matter which side you take on the politics of the Greenpeace efforts, no one can ever accuse them of lack of chutzpah. Thanks to a Twitter® post from greenpeaceusa I found their latest effort in the campaign against industrial chlorine use. They have a series of pictures, with appropriate captions, on their “Real Chemical Security Now” page on FLICKR®. Most of the pictures show their green airship over the DuPont facility in Edge Moor, DE. Now the pictures do not show any more detail than Google Maps® provides for similar facilities, so they haven’t really compromised the security of the facility. The pictures from another aircraft, probably a helicopter, do show how easy it would be to do an aerial reconnaissance of these sites. Or conduct an aerial attack if you knew what to aim your small plane at. I haven’t heard anything in the news about FAA complaints about over flights, so I would assume that: a – no one at DuPont noticed, or b – there are no special flight restrictions in these areas. It is almost certainly a combination of the two. In any case, Greenpeace once again gets style points while keeping their message fresh. I’m only surprised that they didn’t have a ground-based photo op to complement the aerial photography. Keep your eyes open in the DE-NJ-MD area for the green airship over other chemical plants. BTW: Greenpeace – Hydrogen or Helium? Hydrogen would be greener if slightly more dangerous.

FCC’s ERIC Rule

Yesterday the Federal Communications Commission published their Final Rule for the establishment of the Emergency Response Interoperability Center (ERIC). According to the preamble to the rule “ERIC will be tasked with implementing national interoperability standards and developing technical and operational procedures for the 700 MHz public safety broadband wireless network” (75 FR 28207). The rule establishes ERIC within the Public Safety and Homeland Security Bureau (PSHSB), but the details of the internal operation of ERIC were largely excluded from the final rule “because the adopted rules are rules of agency organization, procedure, or practice that do not substantially affect the rights or obligations of non-agency parties”. The rule does provide for the appointment of advisory bodies to advise ERIC. There is nothing in the rule that would specifically affect the chemical security community, but it does give me a chance to continue to plug for ensuring that security programs at high-risk chemical facilities can and do routinely communicate with local law enforcement. The development of the use of the 700 MHz for broadband wireless communications for the public safety community provides an excellent opportunity to tie both the security teams and emergency response teams at high-risk chemical facilities into the communications capabilities of local law enforcement and first response community. In most cases where there is a serious incident, either accidental or as the result of an attack, at these facilities the on-site personnel will already be attempting to deal with the situation by the time that local response arrives on scene. As the local incident commander takes control of the scene, gaining up-to-date information from the facility response teams will be critical in planning and executing the off-site response. 
This informational exchange can only be enhanced if the on-site personnel have interoperable communications and have trained with the local responders. Of particular importance in this interoperable communications will be the provisions for high-speed data communications to share information like live video from on-site surveillance cameras. Additionally a wide range of process sensors could provide invaluable information about the physical conditions of critical storage tanks and process equipment. Facilities with a network of chemical detectors to identify and track leaks would find that the local responders would greatly appreciate that information.

So, I’m taking this opportunity to stand on my soap box to urge the FCC, through ERIC, to take into consideration the high-speed data communications requirements between high-risk chemical facilities (and obviously other critical infrastructure and key resource facilities) and local first responders and law enforcement when they plan. Unfortunately the FCC did not make provisions for public comments in the publication of this rule, so I just stand here on my soap box. Perhaps Congress could include provisions in any CFATS reauthorization (if and when) mandating the establishment of such communications channels.

Thursday, May 20, 2010

HR 4842 Committee Report

The House Homeland Security Committee published their report on HR 4842, the Homeland Security Science and Technology Authorization Act of 2010, on Tuesday, though the report was not available from the GPO until Thursday. The bill was then assigned to the House Committee on Science and Technology for a period ending not later than June 18, 2010. Depending on how fast the Science and Technology Committee gets through their review, it is just barely possible that this bill could get to the floor of the House before the July 4th recess. Lacking that, it still has a decent chance of making it to the floor before the summer recess on August 6th. Whether or not it has any chance of making it through the Senate during this session remains to be seen.

The chemical security related provisions that I described in an earlier blog remain intact and unchanged. There have been a number of new provisions added to the bill during the two markup hearings that were held in the Homeland Security Committee. Only one of those provisions will have any significant effect on the chemical security community.

The Commission

Section 701 of the revised bill provides for the establishment of the Commission on the Protection of Critical Electric and Electronic Infrastructures. Mainly directed at assessing the vulnerabilities of the electrical grid, it also covers ‘electronic infrastructures’, which includes “all computerized control systems used in all United States critical infrastructure sectors” {§701(b)(1)(A)(ii)}.

The Homeland Security Committee intends for the Commission “to take up where the former Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack—often referred to as the EMP Commission—left off when its authorization expired in December of 2008” (pg 48 of House Report 111-486). They have, however, greatly expanded the scope of threats to assess.
“The Commission shall give particular attention to threats that can disrupt or damage critical electric and electronic infrastructures, including—
“(A) cyber attacks or unintentional cyber disruption [emphasis added];
“(B) electromagnetic phenomena such as geomagnetically induced currents, intentional electromagnetic interference, and electromagnetic pulses caused by nuclear weapons; and
“(C) other physical attack, act of nature, or accident [emphasis added].”
I think that it is entirely appropriate that the Commission is specifically being tasked to look at cyber disruptions that have nothing to do with intentional acts. Cyber attacks will almost certainly remain much less common than the accidents, equipment failures and weather events that will be a common part of our world for a long time to come. Their ability to disrupt the operation of critical cyber systems will vary from the inconvenient to the catastrophic. But, they will inevitably cause more problems than actual terrorist attacks.

The authorization for this Commission includes funding for two years. That is certainly reasonable for a comprehensive study like that envisioned in HR 4842. That is also the main shortcoming of these types of studies. They take too long to complete and then Congress will play with the results for a while before they have any chance of putting substantive legislation together. Then there will be a lengthy rule making process started in motion. Even if this bill were approved this summer it would be late 2012 before we could possibly see even obvious measures make their way through the political system. The controversial recommendations could take much longer to move through the political maze.

CIKR Learning Series Page Updated 05-20-10

Today DHS updated their Critical Infrastructure and Key Resources (CIKR) Learning Series web page. They moved the listing for the webinar that was held earlier this month to the “Review past CIKR Learning Series webinars” list on the page. Clicking on the “2010 Hurricane Season: Tools for Understanding Risk” will take one to a recorded version of that webinar.

Wednesday, May 19, 2010

Right-to-Know vs Security

Not long after the 9/11 dust settled on the streets of New York the Environmental Protection Agency was required to remove a great deal of information about chemical facilities from its web sites. The community right-to-know information had been posted on the web site to allow any US citizen to know what dangerous chemicals were being used in large quantities in their neighborhoods. The security folks decided that the same information could be used by the likes of al Qaeda to select their next target, high-risk chemical facilities.

The Information

This last Monday, the pendulum started officially swinging in the other direction. The EPA posted a press release on its web site announcing that it had “added more than 6,300 chemicals and 3,800 chemical facilities regulated under the Toxic Substances Control Act (TSCA) to a public database called Envirofacts”. This was being done as “part of Administrator Lisa P. Jackson’s commitment to increase public access to information on chemicals”.

The Envirofacts database includes “facility name and address information, aerial image of the facility and surrounding area, map location of the facility, and links to other EPA information on the facility”. It also includes information on nearby populations, including sex, age, ethnic background and income. The database can be searched by chemical or by geographic area.

The Uses

This information is valuable to environmental activists to help them identify and target facilities that are ‘likely’ to be having a negative impact on the health of their neighbors. The information could be used to initiate investigations into populations to see if they have higher than normal rates of medical issues related to chronic exposure to chemicals reported to be released from the nearby facilities.

Unfortunately, it could also be used by terrorists looking for potential targets. A search could be done by toxic chemical and then each facility in a geographic area holding that chemical could be evaluated to determine which targets would have the highest off-site impact. The population data, maps and aerial photographs of the facility could provide initial planning information. The information available on the site would not be enough to provide the necessary details about chemical storage locations and security arrangements to conduct the actual attack, but it could provide necessary data for target selection.

I remember how the environmentalists complained in the fall of 2001 about how this valuable information was taken down without any discussion of the pros and cons; without any discussion of how legitimate security concerns could be addressed while allowing for public dissemination of the information. I would have hoped that they had also remembered, but I guess it is just another example of turn-about being fair play.

The Barn Door is Open

It is too late to reverse disclosure. The internet is a vastly different place than it was 9 years ago. I am sure that there are copies of the information on a number of repeater sites as well as postings on independent environmental sites. There is no sense in fighting this disclosure; it is a done deal and no amount of court rulings or legal threats will change that. All we can do now is to see how this will play out.

Fortunately we as a nation do have one thing going in our favor this time. The CFATS program is in place and we are improving the security at the highest-risk sites (except water facilities of course). We will be much better prepared to counter terrorist attacks on those facilities than we would have been in 2002.

BTW: The database is full of holes. I did a quick check on some facilities that I am familiar with and a number of critical chemicals are not listed for one reason or another; just another example of the efficacy of the EPA’s regulatory reach.

ICS Incident Reporting

The DHS-CERT Control Systems Security Program (CSSP) web page recently had a major change in the reporting procedures that they have for industrial control systems (ICS) incidents. In addition to providing reporting mechanisms they offer additional investigative and resolution assistance for such incidents.

New Information

In addition to the on-line reporting form that also appeared on the old page, the new page provides some new contact information, including:

ICS-CERT Watch Floor: 1-877-776-7585

ICS related cyber activity: ics-cert@dhs.gov

General cyber activity: soc@us-cert.gov

Phone: 1-888-282-0870

On the ICS-CERT web page they provide a valuable piece of additional advice for on-line reporting (in my opinion it should be located on the reporting page as well, but no one is perfect). To protect sensitive business or systems information, ICS-CERT recommends that this type of information be encrypted and provides a public key to accomplish that encryption.

Old Information

The old version of the CSSP page had some additional information that would still be of value. Fortunately the links from that old page are still active so I will provide the links here. First is the reporting of phishing attacks. While these are not uniquely an ICS issue, I found that the phishing reporting procedure can be very helpful. The second set of links provides a method of reporting vulnerability issues for industrial control systems. Reporting newly identified vulnerabilities is an important part of improving the overall security of control systems across the industry.

ICS-CERT Assistance

The CSSP page provides the information below about the assistance available from ICS-CERT. Unfortunately there is no specific information about how to request that assistance. I can only suggest that such requests should be included when contacting CERT with the information about the incident.
“The ICS-CERT encourages organizations to report vulnerabilities, suspicious activity, and cyber incidents that could have an impact on critical infrastructure control systems. The ICS-CERT will analyze the information and provide mitigation strategies as needed. In addition, the ICS-CERT is able to provide onsite assistance, free of charge, to organizations that require immediate investigation and resolve in responding to a cyber attack.”
When an ICS incident occurs, whether a deliberate attack or a miscellaneous system upset, any additional assistance that can be had to help alleviate the situation means that the facility can get its critical systems up and working just that much faster.

Protection Against Explosions

Earlier this week I was asked by a long time reader if I could discuss ways to protect critical assets from an attack by a vehicle borne improvised explosive device. The facility at which he worked was trying to figure out what they could do to address this particular attack scenario. As always I am more than happy to express my thoughts on security related topics.

Standard caveat: I am not an engineer; I am a chemist by schooling. I do have some experience with explosives from the Army, but I am not an explosives expert and I have never detonated anything as large as a VBIED (if someone wants to let me push the plunger on one in a controlled test, I will certainly be there). Finally, before you actually install some protective device make sure that you are dealing with an engineering firm that has some experience in the field.

Prevent Detonation

The most obvious protective technique is the prevention of the detonation of the explosive device. While most of the responsibility for this lies with the intelligence and law enforcement people, the facility does have some basic techniques that they can employ to aid in the effort. The most obvious is the employment of an active counter-surveillance program.

Any effective terrorist attack is going to be preceded by a variety of surveillance efforts. The earlier efforts may be harder to detect, but as attack planning advances the terrorists will have to acquire more detailed information about facility security procedures. Facility employees and security personnel should always be on the watch for suspicious personnel hanging around the facility.

The facility counter-surveillance plan should include an educational component to make personnel aware of the potential threat and their responsibility to be aware of what goes on around the facility. There needs to be a clear reporting procedure and the reports need to be promptly forwarded to local law enforcement for follow-up investigation.
Standoff

The closer you can get an explosion to your target the more effect it will have. Conversely the further you can keep the explosion away from critical areas of the facility the less effect it will have. For a standard, non-focused explosion the force of the explosion should fall off as the square of the distance from the explosion. This means that even a small increase in the distance from the explosion can have a significant effect in force reduction.

Of course, the size of the explosion has an effect on the distance as well. If you have a dry-box trailer packed with 40,000 lbs of commercial grade explosives, the standoff distance will have to be much larger than if you have 500 lbs of homemade explosives in a panel van. So, to determine how far you have to keep the VBIED away from the potential target, you have to know how large a VBIED the terrorists will use against that target.

Obviously the terrorists are not going to tell you how large a VBIED they are going to use. So you have to guess; hopefully an educated guess, but a guess nonetheless. The guess should be based upon the potential risk; I would expect that a bigger VBIED would probably be used against a Tier 1 facility than against a Tier 4 facility. Don’t expect me to tell you what size to use; I just don’t have enough information to make even a lucky guess. Hopefully your security consultant will be able to provide a rationale for whatever size you pick.

Once you have established your planning VBIED size you should be able to calculate (well, the experts should be able to calculate; I haven’t seen the formulas) how far you have to keep the VBIED away from the target to have a reasonable chance of surviving without catastrophic damage. If you want to keep your consultant on his toes, ask about max pressure and impulse effects. But, remember, you are going to need an expert.
Anyone that tells you that there is a reasonable distance at which no damage will occur is either exaggerating or doesn’t understand explosions (a mile away from a 500 lb VBIED I would feel comfortable predicting little or no damage). With a VBIED attack, if you can avoid catastrophic damage (i.e., a quick, total drainage of a release-toxic COI from a large tank) you have achieved a reasonably successful defense. Your release mitigation techniques should be able to handle the results of non-catastrophic damage.

Blast protection

The last type of protection is the one that probably requires the most expertise: physical blast protection. This can either be some sort of hardening of the target so that the blast will not affect it, or putting some sort of barrier between the potential blast and the target. Both require some special engineering skills and experience to properly design. Once again, the size of the VBIED is a key design variable. If you dramatically underestimate the size of the device your blast barrier will become flying fragments that will contribute to the destruction of your target.

One design element that needs to be considered is ‘line-of-sight’. Over longer ranges flying stuff from an explosion follows what is called a ‘ballistic arc’; the pieces fly up and out then fall to earth along an arc. The closer the initial trajectory is to 45° the further the projectile will fly. At distances where blast effects predominate, however, the blast and projectiles are flying in essentially straight lines. Thus, any barrier must block the line of sight from the blast to the target. But don’t forget to harden the top of the target to protect against falling debris.

Combination Plate

The most effective VBIED protection scheme will utilize all three protective elements. Preventing detonation is, in my book, the most important element of the program. The lack of an explosion is the best protection.
Remember that the larger the VBIED, the more likely that there will be extensive pre-operational surveillance. Putting together a large VBIED takes a lot of resources so the terrorists will do whatever is necessary to optimize their chance of a successful deployment; this means more surveillance.

The last two, standoff and blast protection, both require the services of someone who understands blast effects and blast protection engineering for optimal results. If you cut corners here you had better hope that your prevention program is very effective. A poorly designed protective program may actually increase the risk of a successful VBIED attack.

Special NOTE: Since this is a rather specialized field of study and application, I would certainly like to hear from practitioners in the field. Discussion of the blast effect protection techniques would be particularly instructive.

Tuesday, May 18, 2010

Multiple Explosions

In a recent chemical facility fire in North Georgia there were reports of multiple explosions which hampered fire fighting efforts. There were no explosive chemicals stored on site, so what caused the explosions? It was just another example of a phenomenon that I have discussed before, the BLEVE (boiling liquid expanding vapor explosion) writ small.

In a fire any liquid chemicals in containers impacted by flames are likely going to quickly reach their boiling points. This is going to result in a rapid rise in pressure in the container. Larger storage containers should have pressure relief devices designed into the system to safely vent those fumes, protecting the containers from catastrophic failure.

Unfortunately, drums do not come equipped with formal pressure relief devices. This means that they will burst. The two weakest points of the construction are where the bottoms and tops of the drums are joined to the side. One or the other of these seams will fail catastrophically, releasing a cloud of chemical vapors that will almost certainly ignite in a quick ball of fire. The loud boom is not technically an explosion; it is a pressure release event.

To make matters worse, when the failure is along the base of the drum the upper portion of the drum is launched into the air like a rocket. It looks especially impressive at night as the flaming gases shoot out of the bottom of the drum flying through the air. The flaming residues in the drums can cause an expansion of the fire perimeter depending on where they land.

This is one of the reasons that fighting fires at chemical facilities can be so dangerous. Even when the drums are not launched into the air, drum lids and other pieces of flying metal are hazardous to fire fighters. The only way to prevent this problem is to keep the flames away from the drums; this requires a properly designed fire suppression system in chemical warehousing areas.

Monday, May 17, 2010

CSB ANPRM Comments Posted

Last June the Chemical Safety Board published an advance notice of proposed rulemaking on chemical release reporting. Comments on the ANPRM were required to be submitted to the CSB by August 4th of last year. Today, the CSB published on their Open Government web page a link to a document that compiles all 27 responses that the CSB received about that ANPRM; late is always better than never. I would expect that this means that the CSB will be considering the publication of a notice of proposed rulemaking with the actual language of their proposed rule sometime in the near future. I will be looking at these comments and will probably report on them later this week.

Sunday, May 16, 2010

CFATS Background Check ICR Comments – 05-14-10

Last week the 30-day comment period ended on the DHS information collection request (ICR) supporting the proposed CFATS Background Check Tool. These ICR filings seldom garner any comments, but, as was expected, there were a relatively large number of comments, 20, on this ICR. There are a number of important issues raised in these comments, but I would like to address just a couple in this blog post.

ICR or Rule

One issue that made a reappearance in these latest comments on the proposed information collection request (ICR) was the use of the ICR process versus going through the rule making process to establish this Background Check Tool. These commentors felt for a variety of reasons that the ICR was not an appropriate vehicle for establishing the personnel surety tool. For example the commentor from Shell noted that: “We believe that implementation of a PSP program is of such a impact and significance that using the ICR approach is not adequate for the task at hand, and we see it as a most disturbing precedence.” (pg 2)

From a detailed reading of these comments it is pretty clear that these commentors do not object to the actual Background Check Tool so much as the requirements for whom and when the checks will be required. The NPRA commentor noted that: “The processes and procedures outlined in this ICR do not reflect a simple information collection under an existing rule; rather, the prescriptions in this ICR establish new requirements and burdens on industry.”

Since these concerns were included in comments made last summer for the 60-day ICR notice, it would seem to me that the folks at ISCD disagree with these commentors’ assessment of the legal requirements involved. Unfortunately, these types of substantial legal disagreements inevitably end up in court and, in this case, end up slowing the implementation of a necessary security tool.
Section 550 Limitation

A couple of commentors pointed out that the way the ICR is worded makes it clear that the Background Check Tool (BCT) would be the only way that facilities would be able to fulfill the RBPS 12 requirement to check personnel against the TSDB. This would run afoul of the Section 550 prohibition against DHS mandating any specific security procedure as a pre-requisite for approval of the facility SSP.

If ISCD made clear in its documentation for the BCT that personnel with TWICs or other TSDB based clearances would not have to be run through the BCT, the legitimacy of this claim against the §550 prohibition would be greatly lessened, though the fact that few facilities could legitimately require all of their covered personnel to acquire a TWIC would have the practical effect of mandating the use of the BCT.

Background Check Required Coverage

A number of commentors were apparently caught by surprise by the number of facility personnel that would be subject to the TSDB check requirement. Section 27.230(a)(12) states that all facility personnel “with access to restricted areas or critical assets” would be subject to the personnel surety program checks. The ‘unescorted’ modifier clearly only applies to ‘visitors’, so all employees have access of one sort or another under this section. The one thing that could cause some problems is how contractors will be treated, since many facilities use contractor employees to actually run many, if not all, of the physical processes at the facility.

Other Issues

There are a number of other issues that were raised by commentors that will have to be addressed by DHS when it refers this ICR to the Office of Management and Budget (OMB). If DHS continues to treat this as a ‘simple’ ICR rather than going to the rule making process, we may never know how DHS responded to each specific comment; there would be no further postings in the Federal Register unless OMB fails to approve the final ICR.
Unfortunately, I expect that this ICR will not get submitted to OMB. It will fall behind the other controversial items (ammonium nitrate rule and the ‘temporary’ agricultural exemption for example) in the DHS regulatory black hole, bouncing back-and-forth between the approval and re-write requirements of the political appointees, never again to see the light of day. Until, of course, an attack on a chemical facility blasts it free of the political event horizon.

Saturday, May 15, 2010

CSB IST Study Comments 05-14-10

On Friday the Chemical Safety Board (CSB) posted a new document link to their Open Government web page to replace the two earlier documents that provided copies of comments that they had received about their proposal for a National Academy of Sciences study of the use of methyl isocyanate at the Bayer CropScience facility outside of Institute, WV. The purpose of that study is to determine if it is possible to use an inherently safer technology (IST) technique to further reduce or eliminate the storage of MIC at that facility.

The Politics of the Study

While Congress tasked the CSB to specifically look at the Bayer situation, the CSB formulated their proposal to first have the NAS investigation establish a methodology for evaluating IST techniques. In the long run, this methodology will probably be more politically significant than the application of that method to the CropScience facility. This is especially true as Congress continues to consider, as part of the permanent authorization of the CFATS process, requiring high-risk chemical facilities to conduct their own IST evaluation.

This political situation is certainly reflected in the variety of organizations that contributed to the 28 responses contained in this document. Only four of the comments come from the immediately affected West Virginia community and this includes the Bayer response. Most of the remaining comments come from organizations from both sides of the IST political debate.

As I noted in an earlier blog, this is not only appropriate given the proposed scope of the study, but politically important. A rigorously developed methodology for evaluating the relative effectiveness of IST techniques that takes into account both the technical and financial issues will go a long way in refining the IST in CFATS debate.
Combined with the soon to be released science-based definition of IST from the Center for Chemical Process Safety (CCPS) this study should provide a detailed, practical basis for the political discussion so that it can move beyond the current philosophical realm; there being no potential short-term resolution to the philosophical differences between the two sides.

Study Design

CSB now has the difficult task of formulating their formal requirements for this study. They must take into account the issues identified in the conflicting comments received from the larger community as well as the separate requirements of the local issues at the Bayer facility. It might actually be best if they task the NAS with establishing two separate panels. The first would be tasked with the methodology development task while the second would be responsible for implementing that methodology on the specific facts associated with the Bayer CropScience facility.

The first panel would have technical experts from academia and organizations like CCPS. Organizations on both sides of the political debate should also provide technical representation on this panel. Additionally, this panel should include some representation that could specifically address the financial analysis questions that will inevitably need to be addressed in the methodology.

The second panel would need to be more focused on the specific needs of the local debate. The bulk of the panel would again be technical experts without a specific interest in the local situation. The panel should also include representatives from Bayer, the local government, and the local community advocacy groups.

The Way Forward

What is not yet clear is how the CSB intends to handle further public discussion of this study formulation process. One school of thought would have the CSB provide a copy of the final draft proposal for additional public comment; roughly the equivalent of posting a ‘final rule’ in the Federal Register.
This would be a formal recognition of the political nature of this proposed study. Those that would look at this as a strictly scientific endeavor would note that CSB has already provided more than enough public comment opportunities and further delay would serve no legitimate purpose.

I tend to fall more into the middle ground. While I think that further debate might be beneficial, I think that the political need for the IST evaluation methodology is so great that further delays for more discussion are not warranted. I would like to see the CSB post a copy of the formal study requirements on their web site when they send it to the NAS. This would allow for a parallel political discussion to take place while the formal study gets under way.

Friday, May 14, 2010

Water System Security Issues

There is an interesting story on EastBayRI.com that, while it doesn’t deal with water treatment chemicals, does shed some light on how little attention is paid to water supply security issues by the Environmental Protection Agency. According to this local news story the police are investigating the release of 40 million gallons of water from a reservoir. Someone had cut locks on chains securing some large water valve handles, which allowed the water to discharge into a creek. Interestingly no one knows when the valves were opened, but it was discovered by a water system employee making a ‘routine check’ of the reservoir.

Any security professional knows that locks do not provide any kind of security unless they are watched; bolt cutters are available at any hardware store. Since this reservoir is a secondary water source for the water system, it probably doesn’t make any sense to have anyone on-site watching the locks. There are, however, a number of devices that could do that watching: video cameras, flow meters on the discharge lines, valve position sensors, etc. Any of these would have allowed for a response that would have prevented 40 million gallons of water being discharged.

The local police chief told the reporter for this story that, because “it involves a water supply and water safety, it is something we take very seriously”. Unfortunately, current federal regulations do not take water system security seriously. The only requirement is for facilities to certify that they have completed water system security vulnerability assessments. There are no security standards, not even risk-based performance standards. There are no requirements for outside inspectors to check or verify that security measures are actually in place and functional.

The EPA has the technical knowledge necessary to assure water quality issues, but does not have the necessary security background to assure that water quality is defended against potential attack or even vandalism.
Congress needs to realize that security issues at such a vulnerable yet crucial public resource need to be overseen by security professionals. Either EPA needs to be given that capability/responsibility by Congress or it should be given to DHS.
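
The kind of automated 'watching' described in this post, as an added example (not part of the original post and not any utility's actual system): a check over flow-meter and valve-position telemetry that flags a discharge outside an approved work window, and treats a silent sensor feed as an event too. The thresholds, sampling interval, field names and sample readings are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Reading:
    ts: datetime
    valve_open_pct: float  # valve position sensor; 0 means fully closed
    flow_gpm: float        # discharge-line flow meter, gallons per minute


@dataclass(frozen=True)
class Alert:
    ts: datetime
    reason: str
    gallons_since_onset: float  # volume discharged between onset and alert


def authorized(ts, work_orders):
    """True if ts falls inside an approved maintenance window (start, end)."""
    return any(start <= ts <= end for start, end in work_orders)


def first_alert(readings, work_orders, valve_limit_pct=2.0, flow_limit_gpm=50.0,
                confirm_samples=3, max_gap=timedelta(minutes=15)):
    """Return the first Alert for an unplanned discharge or a loss of
    telemetry, or None. All limits are assumed values for illustration."""
    streak, gallons, prev = 0, 0.0, None
    for r in sorted(readings, key=lambda x: x.ts):
        # A silent sensor is an event in its own right: nobody is watching.
        if prev is not None and r.ts - prev.ts > max_gap:
            return Alert(r.ts, "telemetry gap", gallons)
        valve_open = r.valve_open_pct > valve_limit_pct
        flowing = r.flow_gpm > flow_limit_gpm
        if (valve_open or flowing) and not authorized(r.ts, work_orders):
            if streak:  # integrate flow since the previous abnormal sample
                minutes = (r.ts - prev.ts).total_seconds() / 60
                gallons += minutes * (prev.flow_gpm + r.flow_gpm) / 2
            streak += 1
            if streak >= confirm_samples:  # debounce single noisy samples
                if valve_open and flowing:
                    reason = "valve open with discharge flow"
                elif flowing:
                    reason = "discharge flow but valve reads closed"
                else:
                    reason = "valve open but no flow measured"
                return Alert(r.ts, reason, gallons)
        else:
            streak, gallons = 0, 0.0
        prev = r
    return None


T0 = datetime(2010, 5, 10, 2, 0)  # constructed start time


def trace(samples):
    """Build readings from (minute_offset, valve_pct, flow_gpm) tuples."""
    return [Reading(T0 + timedelta(minutes=m), v, f) for m, v, f in samples]


# Constructed telemetry: valve found fully open from 02:10 onward.
VALVE_OPENED = trace([(0, 0, 0), (5, 0, 0), (10, 100, 9000),
                      (15, 100, 9000), (20, 100, 9000), (25, 100, 9000)])
# Constructed telemetry: position sensor stuck at closed while water flows.
SENSOR_STUCK = trace([(0, 0, 0), (5, 0, 9000), (10, 0, 9000), (15, 0, 9000)])
# Constructed telemetry: the feed goes quiet for 55 minutes.
FEED_LOST = trace([(0, 0, 0), (5, 0, 0), (60, 0, 0)])

if __name__ == "__main__":
    for name, data in [("valve opened", VALVE_OPENED),
                       ("sensor stuck", SENSOR_STUCK),
                       ("feed lost", FEED_LOST)]:
        print(name, "->", first_alert(data, work_orders=[]))
```

At the constructed 9,000 gpm the alert fires ten minutes after the valve opens, with 90,000 gallons gone rather than 40 million.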

ICSJWG Teleconferences

Today the DHS-CERT Control System Security Program Calendar web page shows a series of teleconferences to be held by various elements of the Industrial Control System Joint Working Group (ICSJWG) over the next two weeks. No real details are available, though I expect that the individuals involved probably understand what is going on. I suspect that it has something to do with the recently announced dates for the 2010 ICSJWG Fall Conference, October 25-28, 2010. The following teleconferences have been announced:

ICSJWG Government Coordinating Council Teleconference – 5-20-10

ICSJWG Research and Development Subgroup Teleconference – 5-20-10

ICSJWG Vendor Subgroup Teleconference – 5-24-10

ICSJWG Workforce Development Subgroup Teleconference – 5-25-10

ICSJWG Industrial Control System Roadmap Subgroup Teleconference – 5-27-10

The web site provides an email POC, ICSJWG@dhs.gov, for further information about these teleconferences.

Hazardous Materials Seminar

Thanks to the folks at ProgressiveRailroading.com for pointing me at this hazardous material seminar. The Bureau of Explosives and the American Association of Railroads are holding the 23rd Hazardous Materials Seminar on May 25th thru 27th in Kansas City, Mo. The meeting will cover the whole scope of topics concerning shipping hazardous materials by rail, including security issues. According to the schedule on the seminar web site, specific topics that might be of interest to the chemical security communities include:

Hazmat Intelligence Portal

Beyond the Routing Regulation

Rail Car Security Inspections (IEDs and More)

TIH Risk Assessment

National Hazmat Fusion Center

You can still register for this seminar online.

Thursday, May 13, 2010

NSF Cybersecurity Meeting 05-19-10

In today’s Federal Register the National Science Foundation (NSF) announced that they would be making a public presentation on their recently identified R&D themes that will “exemplify and motivate future Federal cybersecurity game-change research activities” (75 FR 27007) on May 19th at the Claremont Hotel in Berkeley, CA at 1:30 pm PDT. Following that presentation the NSF will be opening an on-line discussion forum for public comments and feedback on the proposal starting May 19th thru June 18th. A separate notice in the Federal Register provides more information on “Federal cybersecurity game-change research and development agenda” (75 FR 27006). There will be three ‘themes’ that will be an integral part of that agenda; “(a) Tailored Trustworthy Spaces, (b) Moving Target, (c) Cyber Economic Incentives”. While most of the discussion will apparently be focused on information technology the NSF definition of cyberspace is the “globally interconnected network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors in critical industries [emphasis added]”. So there may be something of interest to the chemical security community in this discussion.
 