Wednesday, June 30, 2010
Tuesday, June 29, 2010
“CAAR proposes a 50% enhanced tax credit with accelerated capital depreciation for eligible security expenses similar to legislation passed under the U.S. Farm Bill for American agri-business facilities.”

BTW: The US farm lobby was only able to get a 30% tax credit included in the 2008 Farm Bill (Section 12405). If CAAR gets their 50% credit will their US counterparts then request a 70% credit so they can continue to compete with their northern neighbors?

CAAR, it seems, has seen the writing on the wall and realizes that its constituent retailers are going to be required to take substantial efforts to secure such agricultural ‘inputs’ as ammonium nitrate and anhydrous ammonia fertilizers as well as a variety of pesticides and fumigants. Rather than try to legislatively fight those requirements, they are pushing for financial support in executing those requirements.
TITLE II—Authorization Of Appropriations
TITLE III—Congressional Oversight
TITLE VI—Transportation Security
TITLE VII—Maritime Security
TITLE VIII—Infrastructure Protection And Cybersecurity
TITLE XII—Miscellaneous Provisions

The following sections should be of particular interest to our community:
Sec. 685. Pipeline security study.
Sec. 692. Surface transportation security.
Sec. 694. Limitation on issuance of HAZMAT licenses.
Sec. 709. Waterside security of certain dangerous cargo.
Sec. 724. Risk-based cargo security program.
Sec. 811. Extension of chemical facilities antiterrorism security program.
Sec. 904. Metropolitan Medical Response System program.
Sec. 1203. Civil liability for disclosure of protected security information.

The §811 provisions would extend the current §550 authorization for the CFATS program until October 4th, 2015. It would also add a voluntary chemical security training program and a voluntary chemical security exercise program. Readers of this blog will recognize that these are the same provisions found in S 2996 and its companion bill HR 5186.

Congressional Oversight

Even though the CFATS reauthorization provision would be primarily targeted at our community, I think that the most important provision of this bill would be found in §301(c) that deals with Congressional oversight of homeland security matters. That paragraph reads:
“The Speaker shall consider the recommendations of the National Commission on Terrorist Attacks Upon the United States for consolidating oversight and review of homeland security, and to the maximum extent feasible, minimize the impact that the referral to multiple committees of matters under paragraph (a) related to homeland security and the Department of Homeland Security will have on the ability of the House of Representatives to provide clear and consistent guidance to the Department and act on such measures in a timely and effective manner consistent with those recommendations.”

If actually passed (unlikely with so many different committees having to sign off on this bill) this would greatly reduce the number of committees that would have their hand in the homeland security pie. This could greatly streamline the law making process for homeland security matters. I know that the leadership of DHS would greatly appreciate the decrease in the number of times that they have to explain the same thing to different committees.

Committee chairs are more likely to vote to completely stop their own pay than reduce the areas over which they exert power. This is not a partisan slap as the Republicans did nothing to address this problem when they controlled both houses of Congress and the White House. This is strictly a matter of the exercise of personal political power. That means that this provision would probably be doomed even if this bill had a chance
Monday, June 28, 2010
I have been hearing from a number of different sources that the folks at ISCD are working with a couple of different industry groups on looking at modifications to the list of DHS chemicals of interest found in Appendix A. This November it will be three years since the publication of that list so it is certainly time for adjustments to be made. No word on any specifics of those discussions, but I have some ideas about what may be under discussion and, of course, some ideas of what changes I would like to see made.

Gasoline

One thing that is certainly under discussion will be the issue of the coverage of gasoline storage terminals. Back in January DHS issued a request for comments on their attempts to regulate security at gasoline storage terminals. This was basically issued in response to a petition submitted by the International Liquid Terminals Association (ILTA) that “raised both technical and procedural issues related to the applicability of Appendix A and the Top-Screen requirement to” gasoline terminals (75 FR 2446).

One of the major issues raised by industry was the fact that the DHS interpretation of the rules as applying to such terminals had never been expressly discussed in any rule making process, thus violating a number of rules for establishing regulations. So any rule updating Appendix A will certainly include addressing the gasoline issue.

As I have mentioned on a number of occasions, I firmly believe that gasoline terminals should be regulated under CFATS. While gasoline vapor cloud explosions are not easy to effect, I think that the danger of a potential VCE is being downplayed by industry. An accidental VCE is a low frequency hazard because of the various factors that must come together for the VCE to occur. In a properly planned and executed terrorist attack every effort will be made to optimize conditions to provide the necessary prerequisites for a VCE.
I also think that even if a terrorist attack fails to put those various conditions together to actually form a VCE and only causes a major terminal fire, that would be counted as a successful terrorist attack. Because of the special place that gasoline has in our economy, the destruction of a major gasoline terminal with the accompanying probable damage to a fuel pipeline would have serious economic effects. This is especially true in a weakened economy.

Finally, serious consideration needs to be made about declaring gasoline a theft/diversion chemical of interest. A tanker load of gasoline is an easily transportable and deployable potential flame weapon. Either through a fire in the tanker on a crowded freeway during rush hours in a major urban area or pouring gasoline from a four inch hose into a large building like a major shopping mall could cause a huge number of casualties at very soft targets.

While the same could be said for any flammable liquid, gasoline has a special place because of the huge number of tankers on the road every day and the political connections to the Middle East. Al Qaeda has remarked on this political status and has vowed on a number of occasions to target gasoline manufacture and distribution.

Removing COI or Increasing STQ

I would hope that DHS would take a look at the data that they have accumulated on a huge number of Top Screens submitted over the last two and a half years. I would be very surprised if such a review did not find that there were some chemicals on the list of COI that did not result in facilities being declared high-risk chemicals. This could be caused by either relatively low inventory levels or isolation from civilian populations or other potential targets. If a chemical currently on the list is not associated with any high-risk facilities, it would seem that we could remove that chemical from the list.
Without increasing the risk of potential terrorist attack, we could reduce the administrative burden on facilities submitting needless Top Screens. The same could be said for the setting of Screening Threshold Quantities (STQ). If all high-risk facilities for a particular COI have substantially more inventory than the current STQ, then DHS would be justified in increasing STQ for that COI; again reducing a needless administrative burden.
On the other hand if every facility (or even most of them) with just barely an STQ amount has been declared a high-risk facility, then DHS might want to consider lowering the STQ. If the risk for just an STQ is high enough to be of concern, then we are almost certainly not identifying all of the at-risk facilities.

Methyl Bromide

I have pointed out on a number of occasions that DHS relied on misleading information from the EPA when it specifically included methyl bromide from the list of release toxic COI. EPA assured DHS that methyl bromide was being phased out for use as a soil fumigant, but subsequent EPA actions reveal that the chemical will be around for some time. This combined with the political reasons that methyl bromide is supposed to be phased out could make this a specific target chemical for any number of different eco-terrorist groups. DHS needs to consider adding this to the list of COI.

Feedback

As I understand things, during this development process, DHS is working with a variety of industry groups on the revision of Appendix A. While some people get upset about this type of ‘special privilege’ being given to industry, I think that it is entirely proper that the people that will be most directly affected by these regulations have some input in their development. Let’s face it, the real probability of any given facility being attacked is quite small, but all of the high-risk facilities are being required to spend big money to prevent the low-probability occurrence activity.

On the other hand, groups other than industry also have a stake in these regulations. The environmentalists will probably get more say in the development of the revision to Appendix A than they did the development of the original list, just given the political party in power. Unfortunately, that still leaves many groups underrepresented, including local emergency response planning groups and even first responders.

I would like to open up this discussion here on this blog.
I know that there are a number of DHS folks that read this blog, including someone in the Secretary’s office. Let’s see if we can get a good discussion about what types of changes should be made to the Appendix A list of COI, including changes in specific STQ amounts.

For this discussion I would appreciate it if we left the ‘Anonymous’ identification alone. If you don’t want to give your name (and I know a number of good reasons why that would happen) at least give a description of your background or affiliation (i.e.: “chemplant worker”, “local organizer”, “EMT”, or “security guard”). Remember, for most of us this will probably be your only chance for input until the NPRM for the change is published.
Saturday, June 26, 2010
• Energy Efficiency
• Intellectual Property (IPR) Enforcement
• National Values, National Security
• PS-Prep
• Administration Continues to Coordinate Closely with State and Local Partners on BP Oil Spill Response

Each topic receives a brief discussion in the newsletter with embedded links to more information. For example the ‘PS-Prep’ section explains that the Department of Homeland Security announced the standards that would be used for the new voluntary accreditation and certification program for private sector organization preparedness planning. It provided links to the standards, the FEMA preparedness web site, as well as a preparedness web page targeted at families.

I have been critical of the Open Government efforts of the Department (they still are not actively pushing their public participation web site), but this is a very well intentioned effort in bringing information about what the government is doing directly to the public. Unfortunately, if they don’t do more to publicize their efforts, this will become just another show piece that accomplishes nothing. The Department has to learn that you can’t just build it and expect the public to come; that only happens in corn fields.

I certainly think that this email notification is worthwhile and I am glad that I signed up for it, even if I didn’t know what I was getting at the time. I think that most of the readers of this blog would also find this a valuable information resource.
Friday, June 25, 2010
The cyber security bill, S 3480, that I mentioned earlier this week, was ordered reported favorably out of the Senate Homeland Security and Governmental Affairs Committee on Thursday. As I expected it was amended with substitute wording on a voice vote, and the details are not available. There were no indications that there was the addition of any significant ICS security measures. As I mentioned in my earlier blog we will just have to wait for the bill to actually be reported and that could take a while; we are still waiting for the report on the Lieberman-Collins WMD bill (S 1649) that was ordered reported back in November.
At the same hearing the Committee also ordered reported favorably the nomination of John S. Pistole to be an Assistant Secretary, U.S. Department of Homeland Security (TSA). That report (a much less formal document) was acted upon by the Senate today when they confirmed Pistole to be the head of TSA.
“An active shooter is an individual actively engaged in killing or attempting to kill persons in a confined and populated area. In most cases, active shooters use firearms with no apparent pattern or method to select their victims.”

We have seen these types of incidents take place at all sorts of facilities; it is only a matter of time before one happens at a chemical facility. This guidance document was developed based upon a number of table top exercises that DHS held with a variety of chemical facilities across the nation. The guidance in the document is written with a broad brush reflecting the reality that each facility is going to have their unique situation that will have to be dealt with in their emergency response plan.

The booklet does briefly address arguably the most important part of an active shooter plan: how to recognize the warning signs of an employee on the edge of breaking and becoming an active shooter. The ‘red flags’ that it identifies may be predictors of potential for violent behavior, but I don’t think that it adequately addresses the fact the vast majority of people exhibiting these factors never take up a gun to threaten much less shoot their co-workers. Overreacting to these indicators could do serious damage to the morale and cohesiveness of the facility work force.

Pre-Planning

One of the strong points in this document is the section dealing with pre-planning guidance. The pre-planning section provides a list of things that the facility management needs to do during the development of their plan. The actions listed are not targeted specifically at chemical facilities; they could be used by just about any civilian facility in developing an active shooter plan. For example, the document advises:
“Invite all emergency services responders to tour your site and provide details about the facility that will help responders to adjust their protocols if necessary.”

This is certainly good advice for any facility, but it fails to address many of the special situations involved at chemical facilities. I would have liked to see this statement followed by a list of some of those chemical specific situations, including:
HAZMAT storage locations;
Locations where flammable atmospheres might be expected;
Listing of hazardous chemicals on site, to include MSDS; and
Chemical release evacuation procedures.

If the active shooter remains in the office areas of the facility there would be no problems for the responders. As soon as the shooter moves to production or storage areas, the law enforcement personnel are going to have to take many more factors into account in their shoot/no shoot decision making process. Without significant prior training, they are going to make poor and potentially catastrophic decisions.

Incident Response

The section on the planning for the actual response to an active shooter incident switches to a slightly different format. It poses a number of questions that management needs to take into consideration in planning what should take place during an incident. Once again, most of these questions would apply to any facility. Three very good questions, however, target chemical specific situations. These are:
“Are there any safety concerns as emergency responders enter process areas?”
“What are the personnel procedures for safely securing operations that include hazardous materials?”
“At what point do site emergency procedures dictate process shutdown?”

This section also provides a brief listing of the ways that a relatively ‘simple’ active shooter scenario can get really complicated. In addition to the typical problems potentially found in any facility (hostages, explosive devices, etc) this section identifies a “chemical release” as a potentially complicating situation. Someone is going to have to start thinking about how an active shooter could complicate the chemical release emergency response plan.

Incident Recovery

This guide continues the question format into the section on what needs to be done after the active shooter is killed/detained. I am really happy to see that this important part of the situation is addressed. Most planning operations fail to take into account what happens after the active portion of the operation is completed.

There is a nice balance in the questions posed in this section. Safety, security, and business continuity are all at least briefly addressed. Two questions have special significance for chemical facilities:
“Who will make re-entry decisions?”
“Who will provide safety and security debriefings?”

Again, I would have liked to see more chemical facility specific details provided for both of these questions. Re-entry decisions will require taking into account legal (crime scene), psychological (clean up of blood etc), and chemical safety issues. A number of people will provide input on the decision, but who will have the responsibility and training to make the decision needs to be identified in advance. And don’t forget to take into account that the selected individual may be in the hospital or the morgue; identify multiple backups.

The safety debriefing is particularly important at a chemical facility. Every attempt must be made to identify all shots fired in, around or at process areas of the facility. Then every bullet must be traced to see what equipment may have been damaged before start up begins. Actual shutdown activities need to be reviewed to see what was done and what wasn’t; inadequate shut down procedures could have catastrophic consequences if not identified and addressed in a timely manner.

Employee Response

There is a section of this guide that specifically addresses individual employees’ responses in an active shooter incident. It addresses issues that need to be considered prior to an active shooter incident occurring, actions to take initially during an incident and, very importantly, how to respond to law enforcement personnel entering the facility during an incident. The guidance is good for general facility type response but, once again, does not adequately address the complicating factors that are found in chemical facilities.

Tabletop Exercises

The final section of the guidance document very briefly addresses the importance of conducting tabletop exercises of the facility’s emergency response plan for active shooters. The opening paragraph of this short section is one of the best descriptions of the importance of exercises in general.
“Proactive chemical facility managers and emergency responders use facilitated tabletop exercises to simulate security incidents or natural disasters and engage in interactive discussions on how to prepare for, respond to, and recover from such events. Interactive tabletop exercises allow participants to test critical thinking skills, learn how the public and private sectors will react to a security breach, and identify areas for improvement.”

DHS, through the Chemical Sector office, has worked with state chemical industry councils to “develop the voluntary Security Seminar and Exercise Series”. These facilitated exercises can help facilities and local responders work out the bugs in their emergency response plans before they actually have to be implemented. The DHS Chemical Sector-Specific Agency can be contacted for further information about these exercises.

Recommendation

When I requested this booklet from DHS I was hoping to see a guide on how to prepare for an active shooter terrorist attack where a team of terrorists attacks a facility with small arms and limited size explosive devices. While I was slightly disappointed that it didn’t address that scenario, this document is probably more valuable since the probability of the type of disgruntled ex-employee active shooter described in the guidance is a much higher probability event.

High-risk chemical facilities will have many counter-terrorist security measures that reduce the chance of an active shooter incident, but the chance of a gun toting employee getting past those security measures can be way too high to prevent these types of attacks. An emergency response plan for these situations needs to be developed for all chemical facilities regardless of their risk for a terrorist attack.
While I have some concerns that there is not enough information in this guide specifically tailored to chemical facilities, I think that this guide is well worth the time and energy needed to read and consider the implications for your facility. The price (did I mention that it is free?) obviously can’t be beat. And there is an awful lot of valuable information in the 16 page booklet. I fully recommend that every chemical facility manager should have a marked-up, well read copy of this booklet on his desk. Contact the DHS Chemical Sector-Specific Agency today to get your copy.
Thursday, June 24, 2010
Wednesday, June 23, 2010
“All 18 sites refused to turn in their SSP back in 2009. All of these sites had SSP deadlines prior to February. All were also issued warning letter after warning letter regarding the issue.”

Finally, Anonymous asks “what else CAN DHS do?” The legalistic answer, of course, is assess $25,000 per day fines and ultimately shut down the facilities. I’m sure that was not the intent of the question that Anonymous asked. Again, I sense the frustration of a DHS employee that I’m sure reflects the frustration of the leadership of the Infrastructure Security Compliance Division.

DHS has worked hard to make the CFATS regulations work. They developed the initial framework in record time and worked hard to keep the regulated facilities in the loop during the development of the process. With each new process added to the program, they field tested their newly developed tools at some of the highest risk facilities in the country. Even after being tested and revised, the DHS people have been quick to correct and revise their tools to reflect the real world problems that can only be found during the enforcement process.

This is not to say that industry has always been happy with the rules that came out of the CFATS process. From the beginning a number of groups attempted to bring political pressure to bear on DHS to go easy on them. Where there were legitimate reasons to ease the rules (most farmers are hardly terror targets so DHS gave them a temporary bye while they worked on the higher risk facilities first) DHS backed off. Where the reasons were less clear cut, DHS went to a formal comment process to get a clearer understanding of the issues.

DHS has worked hard to keep the community informed about the process. They have gone to just about every possible venue where they could talk about CFATS to people that would actually be implementing the rules. They have gone to talk to industry groups and participated in webinars.
They established a truly extensive frequently asked questions page and regularly updated the information on that page. They offered to conduct courtesy visits and routinely negotiated differences between what they wanted and facilities were able or willing to give. Finally, DHS has taken a great deal of heat about the slow pace of their inspections and approvals. They stoically stood and took the abuse for that, knowing full well that the reason that the process was taking longer than many people expected was that DHS was proactively living within the constraints set by Congress and taking pains not to try to specify procedures and equipment. Instead of taking the regulatorily easy route to enforcement, they have been negotiating appropriate security measures for facilities. So, with DHS taking great efforts to work with industry to come up with the appropriate ways of protecting facilities against terrorist attacks, they still run into 18 facilities that essentially thumb their nose at ISCD, the Federal Government and of course their neighbors. I understand the frustration but take heart, those 18 facilities are less than 1/3 of 1% of the universe of high-risk facilities. If that is the limit of the recalcitrant facilities they have to deal with, DHS can mark itself lucky. This is why sanctions were included in the CFATS regulations. DHS just needs to continue to slog on and apply those sanctions as they have done all of their work to date, professionally, dispassionately and effectively. If these facilities cannot come into the fold, fine them and shut them down. Don’t waste a great deal of time or effort; there are many more facilities that need and want the assistance that DHS can provide.
Tuesday, June 22, 2010
Monday, June 21, 2010
“Some homeland security experts talk about "The next BOOM?" that will compel attention to lack of effective regulation, whereas I tend to focus on the next screaming "WHOOSH!" of toxic gas, which the best US gas modelers assume will mostly all blast out of a 90-ton chlorine railcar, e.g., within 2 minutes. Leaving local emergency responders no effective response except to run with everybody else.”

Fred is absolutely correct, the catastrophic failure of a chlorine (or anhydrous ammonia, or hydrogen fluoride, or whatever TIH of your particular fear) railcar is just about the most horrible consequence that can be reasonably imagined as a consequence of a terrorist attack or even just a plain old accident. Forget the overblown fears of a rogue nuke or a jihadist bio-attack; those are just Hollywood scenarios.

Having said that, I don’t spend much time worrying about a catastrophic failure of a railcar. That takes too much skill, practice and patience to execute. You can’t just slap an explosive charge on one of the essentially armored tanks and get a catastrophic failure (and I have been assured by some people that would know that such testing has been done).

I know the techniques that would have to be used, on a theoretical basis, and they are painstaking and require extensive practice and precise execution. In my opinion this puts them beyond the skill set of our recent attackers. So, I am concerned, but not worried.

Less than Catastrophic Leaks

No, what I am more afraid of happening is that an adequately trained and experienced attacker manages to put a relatively small hole in the side of one of these tankers. The huge toxic cloud that Fred fears from a catastrophic failure would not result and quite frankly no one would know to run from the much smaller toxic cloud that would form along the right-of-way of the train.
The deaths would be relatively few, probably measured in the low hundreds (I know hundreds of dead civilians is unthinkable, but much less terrible than the tens of thousands that Fred is concerned with). The concentration would be low enough and the gas irritating enough to cause most people to get out of the cloud before they were exposed to a fatal dose.

As the train continued to motor unaware through a large urban area at 10 to 15 miles per hour it would spread a cloud of chlorine gas that would permeate the areas on either side of the tracks, as the urban wind currents spread the cloud in unpredictable local eddies. Determining what areas to evacuate, and in which to order residents to shelter-in-place would take so much time as to be totally ineffective. Large numbers (thousands?) of people would be seriously injured before anyone realized the source of the release and could do something to stop the train and mitigate the release.

For most of those injured people, if they were treated properly and promptly, the effects would be unpleasant, but certainly survivable. Unfortunately, our medical services are not set up to handle truly mass casualty type events over a large area of an urban center. The lung damage alone will require large numbers of ventilators and specialized therapies that are just not available on that scale. This would lead to subsequent deaths that would not be laid at the feet of the attackers, but would be blamed, with more than some justification, on the government for not adequately addressing the emergency needs of the populace.

Prevention

Whichever of us is more probably correct in predicting the more likely attack, I don’t think either of us really expects such an attack to happen (I know I don’t; I fear it, but don’t expect it). If that’s the case why worry? If I’m wrong about the attack not happening, the results just don’t bear considering.
We call this a low probability, high consequence event; you know like a well blow-out a mile down in the Gulf. With events like this you know that you have to take some action to prevent the unlikely. The question is how many resources can you afford to expend to prevent an unlikely event like this? This is what we need to decide.

Both Fred and I would like to see all through-shipments of TIH chemicals moved outside of major urban areas. This would effectively eliminate the risk of these cars being targeted by terrorists, reducing the risk to ‘just’ the normal (very low) accident rate associated with the shipment of these chemicals. Fred believes that re-routing can accomplish this in most instances, I think that it is going to require some significant infrastructure changes (I know Fred, I oversimplified both of our positions, completely overlooking the elimination of some number of shipments).

But, in any case, no matter how much Fred and I argue this between ourselves, it is readily apparent that no one is really willing to address this issue in a meaningful way. The costs are just too high it seems. Hopefully we will have time to change that calculation before such an attack actually occurs.
· Web-Based Chemical Security Awareness Training
· Chemical Sector Explosive Threat Awareness Training Program (CSETAT)
· Voluntary Chemical Assessment Tool (VCAT)
· Security Seminar & Exercise Series with State Chemical Industry Councils
· Chemical Sector Security Summit

Additionally the page provides a listing of a number of valuable documents available from the Chemical Sector Office. These include:
· Who's Who in Department of Homeland Security Chemical Sector Security
· Chemical Sector Security Awareness Guide
· Chemical Facility Security: Best Practices Guide for an Active Shooter Incident
· Infrastructure Protection Sector-Specific Tabletop Exercise Program (IP-SSTEP) Chemical Sector Tabletop Exercise (TTX) Materials

I’ll try to get hold of some of these guides so that I can review them and give you a better understanding of their utility.
“Was the rail yard access secure today?”
“Was the equipment access secure today?”

Without a common definition of ‘secure’ the response to these questions could mean a wide variety of things to different people. Even when taking that into consideration the responses to those questions point to a widespread dissatisfaction with the effectiveness of security measures; the overwhelming response (92% and 86% respectively) is that these areas were not adequately secured.

Question Order

Even the order that questions are asked can have an important effect on how one can interpret the responses. The two different surveys used similar questions in differing orders to look at the presence of security officers. The BLET survey asked (pg 13):
“Was there a visible rail police presence in the yard today?”
“Was today a heightened terrorist alert day?”
The BMWED (Brotherhood of Maintenance of Way Employees Division) survey asked (pg 14):
“Was today a heightened terrorist alert day?”
“If yes, were there additional security personnel on duty in the yard or on locomotive?”
The response to the BLET survey tells us something about general rail police security presence (93% said ‘no’) while the BMWED responses only tell us about that security presence on days when there was a heightened alert level (98% said no). The reduction in sample size for the second question is not addressed. BTW: There was an interesting bit of information about the effectiveness of terror threat level communication produced in the responses to the ‘heightened terrorist alert’ questions; a large number of responders did not know if there was a heightened threat level (58% and 47% respectively) on the day they answered the survey questions.
Employee Observations
There were a large number of sanitized comments from individual employees included in the report. The report writers are to be commended for their well-documented editing to remove information that would allow someone to identify specific locations where security issues were identified. This serves to both protect the facilities and to prevent identification of personnel making negative comments about their employers. While adding color commentary to the discussion, these comments were entirely one-sided (critical of security) and did not significantly add to the discussion of the overall security of the industry. These apocryphal reports could be significant to local facilities, but I would expect that the Teamsters’ leadership would be less than willing to share that level of information, fearing potential retaliation on the individuals making the comments.
Deserves Consideration
This report is an important, if somewhat flawed, look at railroad security issues. The report certainly indicates that there are a wide variety of problems with the security at railroad facilities across the country.
The problems identified deserve consideration by congressional committees responsible for both homeland security and transportation safety.
Sunday, June 20, 2010
Friday, June 18, 2010
Thursday, June 17, 2010
“Are we really proposing that DHS set the regulations, be in position to issue fines, and help owner/operators comply with regulations, and be brought in for remediation? So then they could be regulating the security controls they recommended, designed and maybe helped implement? Sounds like the days of the accounting companies providing services to companies they audited.”
Then he questions if this is what DHS wants or if it is completely from the minds of the Senators. I can’t answer that question any better than Dale can apparently. I would hope that if DHS was buying off on this they would point out the need for loads of additional resources. I’m not completely sure I share Dale’s concern about the internal conflicts of interest. This could be set up in such a way that separate sections of DHS-CERT have responsibility for the different parts of the system.
ICS Remediation
Interestingly, the Control System Security Program people at DHS-CERT did apparently volunteer to get into the remediation business for a short period of time last month. I noted in an earlier blog that they posted the following offer on their web page:
“In addition, the ICS-CERT is able to provide onsite assistance, free of charge, to organizations that require immediate investigation and resolve in responding to a cyber attack.”
The offer was missing from the revised web page just five days later. No explanation was given, but it could have been due to lack of manpower, or even complaints from the industry that this was putting CERT in direct and unfair competition with a number of companies. I just don't know, but it is an interesting coincidence. I’ll be trying to wade through the lengthy bill to pull out the stuff of interest to the chemical security community. In the meantime, take a quick look at Dale’s post; it is an interesting read. BTW: Yesterday Rep. Harman (D, CA) introduced another ‘comprehensive’ cyber security bill (HR 5548). It is not yet available from GPO so I have no details available yet, except that it is also a bipartisan bill, having been co-sponsored by Rep. King (R, NY), the ranking member of the House Homeland Security Committee.
Wednesday, June 16, 2010
“Cost is always going to be a stickler when it comes to this, however, what is the cost of not doing something to prevent a catastrophe from occurring, versus cleaning up after the catastrophe has occurred.”
He then points to the current problem of crude oil blowing into the Gulf of Mexico as an example of why planning is preferable to reacting. I certainly agree with this in principle. Being an ex-military man I am well aware of the adage about ‘proper prior planning prevents piss poor performance’. But, the problem of cost cannot be ignored. This is the reason that ‘risk based planning’ has become such an important buzz phrase. A manager in a modern business is just like any other employee; he holds his job only as long as he demonstrates that he can do it well, maximizing profits and minimizing risk. Since evaluation cycles are relatively short, any low probability risk will probably not get serious attention as it would be unlikely to come to pass within the time that the manager is in charge of the facility, project, or product line. This is where the Government comes into the business decision process. Congress determines what risks the people have determined to be unacceptable to the majority of the citizens. They then establish laws specifying what actions business must take to minimize or mitigate those risks. The Executive Branch then implements rules and regulations to enforce those laws and ensures that business complies with those rules. A problem arises when the Government must rely on the expertise of the regulated community to identify how to regulate the risks. When knowledge only comes from practical experience in the field, then the Government needs to draw upon that knowledge to effectively regulate. The problem comes when the agency responsible for the regulation becomes so dependent on the industry information that they abdicate their responsibility to enforce the regulations. It looks like that is what happened in the MMS-BP case.