Thursday, August 23, 2007

More changes to the DHS Web Site

There have been changes to two more of the DHS Chemical Security Web Site Pages. The first is more cosmetic than anything else. The 2007 Chemical Sector Security Summit page has been changed to an advertisement for the up coming June 2007 meeting to a report on that meeting. It reads more like a press release than an actual information page. Along with this they removed access to the Proposed Agenda page which makes a great deal of sense.

 

The second change was made on the Accessing the Chemical Security Assessment Tool (CSAT) page. They added access to a new .pdf document: the CSAT User Change Request User Guide (PDF, 26 pages – 686 KB). This document provides instruction on how to make changes to the previously registered Preparer, Submitter, and Authorizer for a site. It also provides instructions on how to convert a Submitter for multiple sites to a single user/password status. This will make it easier for corporations with multiple sites to use a single Submitter for multiple sites, and that Submitter will only have to remember a single User Name and Password.

 

I am still expecting to see a final version of the Appendix A out some time soon, along with the appropriate changes to the Top Screen. DHS is again getting some heat from Senators (Delaware this time) complaining about agricultural propane users being affected by this legislation. I expect to see some sort of clarification on this issue, among others, when the final version of the Appendix A comes out.

Friday, August 17, 2007

The National Infrastructure Advisory Council meeting

The Department of Homeland Security (DHS) published an meeting notice in today’s Federal Register announcing the upcoming meeting of the National Infrastructure Advisory Council on October 9, 2007 in Washington, DC. One of the items to be covered at this meeting be a presentation by the Insider Threat to Critical Infrastructure Operators Working Group. This working group made an initial presentation at the July meeting of the advisory council.

 

DHS considers the “Insider Threat” of particular importance in planning for security at high-risk chemical facilities. Section 27.215 of the new 6 CFR part 27, Chemical Facility Anti-Terrorism Standards (CFATS), specifically requires that the Threat Assessment includes a description of “possible internal threats, external threats, and internally-assisted threats”; two of the three possible threats include operations by insiders. In Section 27.230 the seventh Risk Based Performance Standard covers sabotage and specifically describes the requirement to: “Deter insider sabotage”. The same section also requires the establishment of a Personal Surety Program, performance standard 12, a tool to help prevent insider attacks.

 

Anyone that will be working on Security Vulnerability Assessments or Site Security Plans for high-risk chemical facilities should be interested in the presentations made by this working group

Monday, August 13, 2007

Other terrorist threats

While there has been a great deal of attention paid to the threat posed by Al Qaeda in potential terrorist attacks against chemical facilities, there is nothing in the new Chemical Facility Anti-Terrorism Standards (CFATs, 6 CFR part 27) that refers to Al Qaeda or infers that there is only a single type of terrorist threat. In fact, the recent National Intelligence Estimate, The Terrorist Threat to the US Homeland, mentions threats of terrorist attack by Hizballah, home grown Islamic radicals, and “single issue” non-Muslim terrorist groups, specifically saying:

 

 

“We assess that globalization trends and recent technological advances will continue to enable even small numbers of alienated people to find and connect with one another, justify and intensify their anger, and mobilize resources to attack—all without requiring a centralized terrorist organization, training camp, or leader.”

 

One such “single interest” group that has been showing increasing readiness to use violence in support of their cause is the radical side of the animal rights movement. Last month there was an attempted bombing of a UCLA researcher’s car, purportedly by the Animal Liberation Brigade.   Jerry Vlasak, co-founder of  the North American Animal Liberation Press Office, and self appointed spokesman for radical animal rights groups has been quoted in the LA Weekly as saying; ““I think the animal-rights movement has been way too slow in taking radical actions,” he says. “And they’ve been way too nice.””

 

This is not the only type of group that has its violent radical fringe. In fact, every legitimate protest group in the country attracts its own radical element that, while beyond the control of the main stream body, receives some measure of support and respect from the nonviolent side of the protest. This was seen in the Civil Rights movement in the 1960s, the Anti-War movement of the 1970s, and more recently in the Anti-Abortion movement. Similar fringe groups can be found associated with almost any significant protest movement.

 

While it is easy to dismiss these small fringe groups as being ineffective, we must remember that the second most deadly terrorist attack in the United States to date, the bombing of the Murrah Building in Oklahoma City, OK was carried out by a small group of people, with only two being actively involved in the actual plot. Facilities storing dangerous chemicals are potentially a valuable target for such groups because a relatively small, uncomplicated attack, if successful, can have a spectacular result.

 

Chemical facilities will have to take these fringe groups into account when they do their security planning. Part of the Security Vulnerability Assessment (SVA) that all high risk facilities are required to submit to DHS includes a threat assessment. In this part of their SVA the facility should include mention of any organizations with potential fringe elements that may pose a threat to the facility because of facility’s products, business associates, or political ties in this country or overseas. These fringe organizations may increase the threat to that particular facility beyond that seen in the industry as a whole.

 

Threat assessment is a key part of any security plan. Acknowledging that fringes of political and social protest movements may pose a threat to organizations or facilities protested against is a first step in developing a viable threat assessment.

Saturday, August 11, 2007

First Security Vulnerability Assessments to be done soon

On June 8th of this year the new Chemical Facility Anti-Terrorism Standards (CFATS) went into effect. Three days later, according to congressional hearing testimony by Col. Bob Stephan, Assistant Secretary Infrastructure Protection, the first notifications went out to fifty facilities to complete a Top Screen with additional facilities being notified on the 13th. The sixty-day deadline to complete those first Top Screens was over yesterday with the remaining to be completed by Sunday. This means that notifications to start completing Security Vulnerability Assessments (SVA) should start going out in the next week or so to the highest risk facilities, Tiers 1 and 2.

 

We should be seeing additional changes to the DHS web site with explanations about how the SVAs will be completed in the Chemical Security Assessment Tool (CSAT). There is also the possibility that the revised Appendix A, DHS Chemicals of Interest, will be released soon, along with changes to the Top Screen. Those changes would effect those facilities not already notified to complete a Top Screen that have (or plan to have) chemicals on site listed in the revised Appendix A at levels above the STQ.

 

Additional information provided by Col. Stephan indicated that there would be significant revisions to Appendix A with changes to some of the Screening Threshold Quantities (STQ) and the addition of blend rules for some chemicals. This would require some changes to the Top Screen including revisions of the two .pdf downloadable files supporting the Top Screen on the CSAT web page; CSAT Top-Screen Questions and CSAT Top-Screen User Manual. It would have been very inappropriate to change the Top Screen during the middle of the initial 60 day filing period.

 

It will be interesting to see if DHS publishes any data about these initial entries into the CSAT system. While no one expects them to provide any site specific data, a brief press release about the number of facilities that provided data, and were subsequently declared to be High-Risk Facilities would be interesting as would information about the Tier ratings. Because of the way these facilities were selected for providing Top Screen information we should expect that a very high ratio would be declared to be at high risk for terrorist attack.

Thursday, August 9, 2007

Biometric Security for Control Systems

We are a little bit early in the process yet to be worrying too much about Site Security Plans, but there is going to be a teleconference next week that will be looking at biometrics and security systems that Security Managers might want to pay attention to. The teleconference is being sponsored by IBG, a biometrics provider, and can be watched on the web live or archived after the event.

 

One of the problems that many chemical manufacturing sites will have with their security plans is that the best way to attack many of their critical assets will be through their automated control systems. While there are many things that can be done to help to prevent off-site access to these systems, hardening the on-site controls to prevent unauthorized access is more difficult. One of the options is to use biometrics to control access to the controls.

Wednesday, August 8, 2007

More DHS website updates

DHS is continuing to make changes on their web site with respect to the chemical facility security pages. Today the pages dealing with Chemical-terrorism Vulnerability Information (CVI) have been updated. The old page, Chemical-terrorism Vulnerability Information, has been modified by adding links to six new pages:

 

Defining Chemical-terrorism Vulnerability Information

Evaluating Need to Know for Chemical-terrorism Vulnerability Information

Accessing Chemical-terrorism Vulnerability Information

Handling Chemical-terrorism Vulnerability Information

Sharing Chemical-terrorism Vulnerability Information

Training for Chemical-terrorism Vulnerability Information Access

 

The information on these pages is mainly a re-write of the information provided in the CVI Procedural Manual. It is a bit more accessible on these web pages, but there is no new information here. It is odd that, while there are references, and links, to many pdf documents on these pages, none of them has the link to the Adobe Acrobat download page that was recently added to some other pages on this site, see my earlier blog entry. It would seem that DHS is not doing a good job on site continuity, with different people preparing different pages. This is a common problem with complex informational web sites.

Monday, August 6, 2007

Minor DHS Web Site changes

DHS is continuing to update their web site. Two pages were changed today to add a link to download the Adobe Acrobat (pdf) reader software necessary to read some of the DHS publications that can be downloaded from the site. The two pages that have changed are:

 

Chemical Security Assessment Tool

 

Accessing the Chemical Security Assessment Tool (CSAT)

 

This download link is common on web sites that provide pdf files for downloads. Practically speaking, just about everyone that will be accessing the site will already have the reader on their computer, but this is just good web site management.

How much is too much security?

I started a reply to a comment by frenv posted to my 8-5-07 blog entry, but it got too long and the question posed by frenv deserves a widespread discussion by everyone involved in the security of chemical facilities. Here is the original comment:

 

 So here is the question I have about all this and other postings on this site/blog.  How do we achieve a reasonable balance between real security (not "Mission Impossible"), and boogyman paranoia?  Untold dollars could be spent and reduce our overall economic viability as a nation.  No?

 

This is the basic problem that anyone has to deal with when looking at providing security for anything. The first thing that we must accept is that there is no such thing as absolute security; any security system that man can design can be defeated. Once that is understood, it becomes a cost benefit analysis problem; what is the potential cost of a successful attack, what is the probability of a successful attack, and what is the cost of the security precautions?

 

Realistically speaking, at this point in time there is a very low probability that any specific plant is going to hit by a terrorist attack; no one has attacked a chemical plant to date. This is one of the reasons that there has been so little work on providing much in the way of security at most chemical plants in this country; the cost of security precautions far outweighs the expected cost of a successful attack.

 

Of course the same thing could have been said about the probability of any specific airliner being hijacked and run into the twin towers prior to 9-11-2001. The cost of the necessary security procedures far out weighed the perceived costs of a successful hijack. In hind sight we can see that the analysis used the wrong cost basis for the cost of a successful attack.

 

The purpose of the new DHS regulations is to try to get all owners of all high-risk chemical facilities to make a structured, standardized calculation of the costs of security and the potential costs of a successful attack. Since chemical facility owners cannot be expected to have enough data to evaluate the potential of attack, the Congress gave DHS the responsibility since they have the access to the requisite intelligence information.

 

 This is the purpose of the TOP SCREEN process, each facility that has a potentially dangerous quantity of a potentially dangerous chemical reports the quantities they have on hand and where the facility is located. DHS then calculates the likelihood of attack and the potential consequences of a successful attack. Facilities that are determined to be at high-risk based on those calculations will be placed in a four level tier system based upon their relative risk in that high-risk category. Those facilities placed in the higher tiers (tiers 1 & 2) will have to have more extensive security procedures in place to protect their facilities.

 

If a facility then determines that the cost of security is too high a cost to pay, a business decision certainly, they have a couple of options:

 

Fight the DHS designation – almost certainly a losing cause sinceDHS has the sole authority to make or change this designation, or

 

Reduce the amount of the dangerous chemical on-site at any given time – this should reduce the risk and thus lower the cost of security, or

 

Eliminate the dangerous chemical from their process – this is the solution that a lot of people outside of the industry would like to see, but is likely in very few instances, or

 

Get out of the business.

 

 The good side of these new regulations is that all chemical facilities are going to have to play by the same rules. DHS will be the impartial arbiter of the game. Thus everyone’s cost basis for security will be based on the same set of calculations for the cost of a successful attack.

 

One final point, these regulations are not just directed at Al Qaeda, they are directed at all potential terrorist attacks. As a side light they will also be directed against a number of non-terrorist attacks as well. If there had been better security at the Whitley Fuel Depot in Spokane, WA, perhaps the person that apparently maliciously started that fire would have been prevented from doing so. How much security would have been enough? We won’t know until the investigation is complete, but there certainly would have been some level of security that would probably have prevented this incident (again there is no perfect security) ask the insurance companies how much security cost would have been too much? Or maybe we should ask the surrounding business owners, or the people that lived nearby, or the firemen that had to fight the fire. Security is truly like car or fire insurance, you complain about how much it costs until you have to use it.

Sunday, August 5, 2007

Update on arson investigation at Spokane, WA fuel depot fire

At a news conference this last Friday (8-3-07) in Spokane, WA Norm Brown, an FBI spokesman, confirmed that the Whitely Fuel Company fire was considered to be an arson caused fire, though the exact cause of the blaze has yet to be established. A $10,000 reward has been established by Northwest Insurance Council. No further details of the investigation were discussed at this news conference.

 

An earlier newspaper article claimed that there were holes in two of the tanks on site and that investigators appeared to have found a tool on site that could have made those holes. As noted in an earlier blog over on MySpace.com I noted that for a fire in a tank farm to have maximum destructive effect some of the tanks will have to be punctured to allow the spread of flammable liquids to carry the fire beyond the immediate area.

 

There has been no mention in any of the press reports about any possible terrorism link in this fire. Since there has been no public claim of responsibility by any radical groups for this incident, most reasonable people would move terrorism down their list of probable reasons for the arson attack. A claim of responsibility would have added a great deal to the confusion and fear that accompany any fire of this size.

 

Such a claim of responsibility would also have resulted in an increase in the level of security around other such fuel terminals around the country. If this was a trial run of a technique that was being developed to optimize this kind of attack, then a terrorist team might not want their normal publicity.

 

In any case this fire should still serve as a wake-up call for increased security at such fuel depots. While the fire in Spokane was destructive, it was limited to the immediate area of the depot and no one was seriously hurt or killed. If the two largest tanks on site had contained fuel, instead of being shut down for maintenance, this fire could have been a lot worse.

Saturday, August 4, 2007

Changes to the DHS Chemical Facility Security Web Site

In the last week there have been some major changes to the Web Site that the Department of Homeland Security maintains to explain the various parts of the Chemical Facility Anti-Terrorism Standards (CFATS, 6 CFR Part 27) regulations. In almost all cases the changes are adding information and explanations rather than reflecting any changes in procedures or policies.

 

Two entirely new web pages have been added to the site:

 

Risk for Chemical Facility Anti-Terrorism Standards (CFATS) This page explains the concepts of risk, risk-based performance standards and risk-based facility tiering.

 

How Appendix A: Chemicals of Interest Was Developed This page explains how the chemicals in Appendix A were selected as well as the different types of security issues that might involve these chemicals.

 

The following pages had significant additions or changes made to existing pages on the site:

 

Chemical Facility Anti-Terrorism Standards  A section was added explaining how the interim final rule was developed.

 

Chemical Security Assessment Tool Added a section to explain how the CSAT data will be used by DHS. Completely revised the section on when surveys are due.

 

Identifying Facilities Covered by the Chemical Security Regulation  Added explanations for the exceptions from this regulation for certain types of sites. Specifically noted for the first time on the site that railroads and pipelines do not fall under this regulation at this time.

 

The following pages had minor editorial changes or simply added links to the new pages described above:

 

Critical Infrastructure: Chemical Security

 

Chemical Facility Anti-Terrorism Standards Proposed Appendix A: DHS Chemicals of Interest

 

Chemical Facility Anti-Terrorism Standards Fact Sheet

 

It is nice to see a government agency taking the time to insure that the information that they communicate via their web site is more complete and detailed. This reflects positively on the outreach efforts that DHS is making to ensure that the new chemical facility security regulations are implemented effectively and efficiently. It would have been better, however, if DHS had announced that they were making changes to their site instead of relying on muckrakers like me to point it out.

 
/* Use this with templates/template-twocol.html */