Saturday, September 29, 2007

Slow pace of CFATS implementation

Well the last working day of September 2007 has come and gone. If the DHS website it to be believed, the notifications have gone out to the first chemical plants to complete Security Vulnerability Assessments (SVA). According to the latest data publicly available, Congressional Testimony on July 24th, there are at least 194 facilities that have completed their Top Screen process and could be determined to be at high risk for terrorist attack and thus required to complete an SVA. For many reasons DHS is being spectacularly uncommunicative about the progress of implementation of the CFATS regulations.


One thing we do know is that on their public web site, where they have posted extensive documentation on CATS registration, CVI requirements, and Top Screen completion, there are no instructions about how to complete the SVA, other than the general comments on the FAQ page. Now this is either because DHS is restricting access to these instructions (a possibility) or there are no instructions available (more likely). In either case, DHS is doing little to make the critics or supporters of CFATS feel good about the pace of implementation.


While I understand that a certain amount of secrecy and discretion is required in the implementation of any security program, DHS is providing too much ammunition to its critics, especially those that accuse DHS, and the Bush Administration in general, of collusion with industry. These are the people that are in favor of nationwide implementation of New Jersey like regulations that favor elimination of all hazardous chemicals and public disclosure of all security plans. If the current management of DHS wants to be forced to implement these types of regulations, then they need to do nothing more than continue on their current course of obfuscation and foot dragging.


DHS needs to be more forth coming in its implementation of CFATS. There needs to be a public acknowledgement about the numbers of facilities that have completed the Top Screen and the relative number that have been declared high risk facilities. If there have been any facilities that have been less than cooperative on completing the Top Screen requirements, that number should also be disclosed. The date of official notification to complete the SVA for the first set of high risk facilities should also be disclosed. No one should expect DHS to disclose names or even general location of facilities, but there is no security justification for not disclosing numbers at this point.


Finally, DHS needs to be more publicly forthcoming about the reasons behind the delays in announcing the final version of Appendix A, DHS Chemicals of Concern. The vast majority of chemical facilities in the United States are not going to join CFATS implementation until they are required to do so and are waiting for the final version of Appendix A to provide the necessary notification. The chemical industry and the public deserve to know why DHS is dragging its feet in publishing this crucial document.

Friday, September 28, 2007

Threat communication

By now, just about everyone has seen the video of simulated hackers destroying an electrical generator or read the news reports about the video. Now, according to an Associated Press article yesterday, that video, the “Aurora Generator Test”, was shown to people at a trade convention in Atlanta last March, shortly after it was made, without proper authorization to disclose the classified, “For Official Use Only (FOUO)”, information. The government had to go back and notify the people that were shown the film that it was classified. Apparently, the unnamed DHS employee that showed the film to a select group of industry researchers felt that they needed to understand the vulnerability that the electrical grid could face in order to be able to develop appropriate countermeasures. Nothing has been publicly said about whether the employee was punished for this “Leak”.


This goes hand in hand with my earlier blog, “How do we know we are protected?”, in examining the bounds of the conflicting demands between information security and the dissemination of information required for development of adequate physical security measures. This is an issue that will come up again and again in communicating threat assessment information to chemical facilities. If too much threat intelligence is communicated to the multitude of chemical facilities that might have to respond to the potential threat, some of that information is going to make it into the press. On one hand that may help to prevent attacks; as terrorists realize that their potential operation is compromised, but it will also allow the terrorists to realize that their security has been breached and take appropriate corrective measures.


While section 27.215 of 6 CFR requires each covered facility to make a threat assessment as part of their Security Vulnerability Assessment, most organizations are ill prepared to do so. While the Exxons and Dow Chemicals may have intelligence gathering and assessment capabilities, most organizations do not. Chemical facilities are going to have to rely on government agencies, local, state and national, to supply that expertise. Most of the detailed information will be classified at a much higher level than CVI (Chemical Vulnerability Information) or even FOUO and will thus be unavailable to most chemical facilities.


Perhaps DHS should modify their CVI information protection system to include threat assessment information disseminated by DHS. Appropriate intelligence information could be cleaned up so as to avoid the most egregious disclosures of collection means and methods (what intelligence agencies want most protected) and then sent out to the applicable facilities. The person responsible for the CVI program at each facility would then become a CVI Security Officer instead of just a point of contact, since they would then also be responsible for the security of information provided by the government rather than just the information provided to the government. The disclosure of CVI at the facility level would have to be more formally controlled than currently planned, but would still not require the level of controls necessary for Classified Documents.


Intelligence information is going to have to flow from DHS to chemical facilities if the security at those facilities is going to be adequately maintained. Proper protection of facilities from terrorist attacks will require some level of knowledge of terrorist interests and capabilities. The mechanism for this intelligence transfer need to be established now, as chemical facilities are starting to work on their SVA’s and well before they start developing their Site Security Plans.

Thursday, September 27, 2007

Chemical warfare agent injures over 100 in Nevada onion field

News reports out of Reno, NV describe over 120 farm workers being treated at local medical facilities for exposure to chloropicrin, an agricultural chemical that was used as a chemical warfare agent in World War I. The chemical had been spread on a field on Monday and a Wednesday temperature inversion kept the fumes close enough to the ground that workers in an adjacent field were overcome by the fumes; at least two were unconscious but breathing when emergency personnel arrived at the scene.


According to the Columbia Encyclopedia, Chloropicrin (CCl3NO2) boils at 112° C with partial decomposition to phosgene and nitrosyl chloride. According to a Cornell University Pesticide Profile the half life in air-sunlight is 20 days and the product is normally provided in cylinders or tanks that can be pressurized. According to and exposure level of 1 ppm (in the air) causes eye irritation, 4 ppm may incapacitate, and 20 ppm causes lung damage. While this chemical would probably not produce a huge number of deaths in a terrorist attack, the victims would hurt be badly and require extensive treatment for their wounds. Clean up would not be easy. Chloropicrin sounds like a good terrorist chemical weapon.


All in all it is easy to see why DHS has this chemical listed in the chemical weapons section of the Top Screen with no minimum level listed for the Screening Threshold Quantity (STQ) in the proposed Appendix A to 6 CFR part 27. How many farmers or agricultural suppliers holding this material were notified by mail when the June 2007 notifications went out to the 50 facilities that are, to date, the only facilities required to submit Top Screen information; almost certainly none. The users and probably manufacturers of Chloropicrin will not be required to start the CFATS process until Appendix A is approved. Isn’t it about time that this Appendix gets the required political approval?

Tuesday, September 25, 2007

Another state to check security at chemical plants

According to a story on a Boston, MA television station, Massachusetts may become the second state to have a formal program to check security at local chemical plants. The report quotes a report issued Monday on a homeland security strategy for the state that will include “inspections of smaller chemical facilities”. The report cites the 2006 explosions at a Danvers, MA chemical plant as an example of why the additional checks are needed at smaller facilities.


While the Danvers explosions are still technically under investigation by the Chemical Safety Board, a preliminary investigation report cites the accumulation of heptane and isopropanol fumes in the manufacturing building as the source of the explosion. Neither of these chemicals is on the proposed list of DHS Chemicals of Interest (Appendix A to 6 CFR part 27), so it does not appear that the Danvers facility would have been regulated under the Chemical Facility Anti-Terrorism Standards (CFATS). While this was an accident, with the number of houses and local business buildings destroyed and damaged, this could have been a very successful terrorist attack.


If DHS cannot include plants like the Arnel Chemical Plant or the Barton Solvents facility that burned in Wichita in their extensive list of chemical facilities to be regulated, and political constraints from Congress do seem to prohibit that, may be the individual states do have the responsibility to protect their citizens from potential attacks against these facilities. First New Jersey, then Massachusetts; keep an eye on California, I expect that they may be next. It will be interesting to see what regulations Massachusetts puts into place to follow their new homeland security strategy.

Monday, September 24, 2007

How do we know we are protected?

Is a million plus gallon tank of ethanol a potential terrorist target? Perhaps, but we will not know for sure until it is attacked. Is it covered under the new Chemical Facility Anti-terrorism Standards (CFATS)? Probably not since ethanol is not one of the chemicals listed in the proposed Appendix A, DHS Chemicals of Interest, to that regulation nor has it been publicly designated a chemical of interest like LPG or gasoline refineries. Almost certainly not if that tank is a barge floating up and down the Columbia River transporting ethanol to market; CFATS does not cover chemicals in transit. Perhaps the maritime security rules apply….


According to a recent article in the Tri-City Harold (Kennewick, WA) a newly refurbished barge, the New Vision, is being put into just such service; delivering ethanol from a plant in Boardman, WA. The barge is double hulled to help prevent fuel leaks to the river, in line with new federal fuel transport rules. This is especially commendable since a leak of ethanol into the river would be virtually undetectable and impossible to clean up since ethanol is completely soluble in water.


What is not covered in the article is what precautions have been taken to protect this barge against terrorist attacks. A large enough mine attached to the hull, a bomb placed in the space between the two hulls, or even a high speed bomb-boat could turn this barge into a very large explosive device or just poison the river all the way to the ocean. What kinds of precautions have been taken to prevent such attacks? If properly protected, we will never know because security people do not broadcast their preparation for very legitimate reasons. If not protected we will never know because the company would not admit to such gross dereliction of their corporate responsibilities.


The only way that we can be assured that the necessary protections are in place is by placing trust in the appropriate government agencies to check that such necessary safeguards are in place. In this case it would be DHS and probably the Coast Guard that would have that responsibility, though I’m not certain that current maritime security rules apply to barges on inland waterways; it’s not my specialty so I just do not know.


It would be nice if DHS had an outreach program that would assure the people living and working along the Columbia River, in this case, or around chemical facilities in general, that the government is working with the companies involved, ensuring that the appropriate security plans and devices were in place, letting the public know that there was adequate inspection and enforcement activity taking place to ensure compliance with the rules, and finally assuring the public that the rules on the books would provide reasonable protection against a terrorist attack. I do not think that DHS has such an outreach program.


I know that DHS cannot tell us which chemical plants are covered under the CFATS rules; that would tell the terrorists what the largest targets are. Neither can they tell us which facilities are having problems implementing their programs; that would tell the terrorists the easiest targets. But they could tell us how many facilities have been directed into the Top Screen Program and how many additional facilities have been voluntarily provided data to that program. They could tell us how many of those facilities have been determined to be at high risk of terrorist attacks. And perhaps, even more appropriately, the could tell us what chemicals are actually of interest to DHS and under what quantities; DHS needs to publish a final version of Appendix A so that chemical facilities across the country know who should be covered under the rules.

Wednesday, September 12, 2007

DHS responds to agriculture and propane industry complaints

There has been some organized resistance to the inclusion of propane (at an STQ of 7,500 lbs) in Appendix A to 6 CFR part 27. The propane industry has lead this resistance with a comment campaign in the initial comment period for the appendix and has enlisted various agricultural organizations and their supporting Senators in the campaign to get a propane exemption since then. To date DHS has had very little to say in response other than they were looking into the comments. Today, DHS officially responded with a page on their web site.


The page reviews the industry claims and re-affirms that DHS is reviewing the comments that it received in the regulatory process and will make changes as appropriate. The site reiterates that it only intends to regulate high-risk chemical facilities, not isolated poultry farms. It objects to an AP report that claims 40,000 farms would be affected, responding that they only expected 50,000 total facilities to be affected during the first three years of the program.


Further, the web site maintains that only those farms storing more than the STQ would have to complete the Top Screen to allow DHS to evaluate the potential risk. The web page describes the Top Screen as a “‘Turbo Tax-like’ online tool that is extremely user friendly”.


Given the political rhetoric and threats (Senators threatening to withhold funds for enforcement) employed by the propane industry, this reply by DHS is very mild and probably less than effective; especially since it is buried in the DHS site. Hopefully, they will be replying in a little more public, or noticeable venue in the near future.

Sunday, September 9, 2007

DHS adds Frequently Asked Questions (FAQ) page to website

During an earlier blog I mentioned that DHS had made some changes to two CSAT web pages. There was a second change made to the Chemical Security Assessment Tool web page that I missed in that blog; DHS added a hyperlink to a Frequently Asked Questions (FAQ) page. 

The new Chemical Security Assessment Tool Frequently Asked Questions page is one of the longest (105 pages in an MS Word document in 10 pt type) and most comprehensive FAQ pages that I have ever dealt with. To make navigation of this page easier DHS has included an integral search feature at the top of the page and a list of categories of questions through which the user can browse. The only major defect that I have found on the page is the lack of a “last modified” date on the page. This will make it nearly impossible to determine if/when DHS makes changes to the page. This could be easily corrected by adding such a date when they do make a change.


I have briefly reviewed each of the answers provided and could only find 3 items that caught my attention; questions 55, 800, and 803. Question 55 deals with user fees; the answer states that DHS is considering the use of user fees; “including filing fees, fees for inspections and audits, and fees for screening of individuals against the Terrorist Screening Database”. Question 800 addresses tier levels; the answer refers to tiers 5 and 6 being assigned to facilities that did not meet the requirements of a High-Risk facility. Question 803 deals with notifications to complete SVA’s; the answer mentions that in September 2007 the initial notifications will be going out tofacilities that need to complete SVA’s.


User Fees


DHS might include such user fees in future rule making. To many members of the regulated community, user fees add insult to injury; it being bad enough that a facility is required to accept the ‘assistance’ of a government agency but they would also have to pay for that assistance. On the other hand, this is just about the only way that the government has to insure that the people who most obviously derive benefit from a regulation pay for it. In this case the assumption would be that the facility owners and their customers derive the most direct benefit from preventing terrorist attacks on the facility. Legitimate arguments could be made on either side of this assumption. As long as the fees are not too high, they may be politically necessary.


Tiers 5 and 6


Everything that I have read to date in the regulation and supporting documentation refers to four tiers with Tier 1 being the highest risk facilities in the group of High Risk Facilities and Tier 4 being the lowest that still meets the High Risk standard. Adding tiers 5 and 6 could allow DHS to extend the regulation of chemical facilities to lower risk groups if and when Congress changes their mandate. This would help to reduce the number of facilities that had to re-screen if Congress did allow DHS over site of less than High Risk facilities. This would also allow DHS to better categorize facilities that were required to complete the Top Screen, but did not meet the requirements for High Risk facilities.


SVA Notifications


I have been wondering if DHS would tell us anything more about the progress of the CFATS implementation. This is the first indication that I have seen of any movement beyond the Top Screen Process. It will be interesting to see if DHS provides information on their web site about the SVA procedure or just rely on the notification process to let only the people concerned learn more about the SVA process. I am hoping that they will publish the SVA questions and instructions much the same way that they dealt with the Top Screen. DHS has made it clear that they do not intend to share the details of how they evaluate the Top Screen or SVA data to determine the final risk tier assignment. Their argument that that information could provide terrorists a way to evaluate potential targets does not sit well with many people. Providing more details about how the information is to be collected may help to alleviate some concerns that these opponents have. DHS needs to provide as much information as possible, consistent with protecting facilities and their neighbors from the affects of a successful attack.


As I said earlier, this is one of the most extensive FAQ sections that I have seen and I particularly like the search provisions. A few of the answers provided are less than helpful, but that is to be expected in such a comprehensive list of answers. Hopefully, DHS will continue to upgrade its site in general and the FAQ section in particular.

Thursday, September 6, 2007

Keyboard physical security

As I mentioned in my earlier blog, one of the ways to control on-site access to the electronic control systems at a chemical manufacturing facility is to physically control access to the keyboards on computers and workstations that provide access to that system. This type security system usually appears to be the easiest to implement, but can be very complex operationally and frequently meets with the most opposition.


The first thing that must be done is to determine what computers and workstations have operational access to the control system. If the system has been established for a period of time, this system access inventory may turn up a surprising number of computers at the facility that have been allowed access to the control system over the years. Once the inventory of keyboards has been done, management will need to review the list of users to make sure that access is limited to those who actually require access for routine completion of their duties; then access should be reduced to just those that need it.


The Facility Security Officer (FSO) should keep a list of the people authorized access to the control system and add their names to the list of personnel that require background checks. One of the risk-based performance standards that DHS will require high-risk chemical facilities to address in their Site Security Plan (SSP) will be a personnel surety program {Section 27.230(12)} that provides for background checks for personnel authorized unaccompanied access to security critical areas of the facility. DHS will assist in the clearing of personnel against known and suspected terrorist lists, but each facility will be responsible for selecting, implementing, and justifying the level of other checks required.


Provisions then need to be made to physically secure access to those keyboards attached to computers or workstations with access to the control system. Effectively this means that only those people on the authorized access list should be able to get unaccompanied access to those keyboards. The simplest method is to keep the keyboards locked up in some manner. For computers in a cubicle or open bay where people who are not on the authorized access list also work, the keyboard will have to be locked in a desk drawer or container when it is not in use. This is probably easiest with wireless keyboards. Where the computer or workstation is in a room that is only accessible to authorized users, the keyboards may be kept out in the open, but the doors/windows to the room must be kept locked when no authorized user is present.


Where keyed locks are used to secure the keyboards or control rooms a key control system needs to be established. While there are a variety of systems available for key control they all have a couple of general procedures in common. First one person (usually the FSO) is responsible for maintaining the system and its records. That person has a lockable container for storing the master key set and any keys not currently in use; it is probably a good idea to have a current list of authorized users in the same container. Each person that requires a key, and is authorized unaccompanied access to the keyed area, is required to sign for each key issued. Regular and periodic, physical-inventories of all keys need to be conducted and documented. Provisions have to be made for changing locks any time a key is lost. Finally, a documented procedure and inspectable files go a long way to convincing an inspector that you have a workable and reasonably secure key control system.


A biometric access control system can be used in place of keyed locks to limit access to keyboards or control rooms. Most of the systems described in the GCN article can provide adequate security for such areas. Most of the requirements for a proper key control system also apply to a biometric access control system; except that the requirement to maintain keys and conduct periodic key inventories may not be required. Any reputable supplier of these systems can assist an organization in establishing the controls for the system and preparing the necessary documentation and records requirements.


Training is a key component to any access control system. All personnel working in the facility need to understand the need for controlling unaccompanied access to security critical areas and understand what those areas are. Personnel that are not authorized unaccompanied access need to understand that it is not a lack of trust that prohibits them from entering one of these areas by themselves, but rather the fact that their jobs do not require that they have unaccompanied access to some areas of the facility. Personnel with unaccompanied access clearance need to know what their responsibilities are in allowing other people into restricted areas and controlling their actions while they are in that area.


Finally, management in general, and the FSO in particular, need to establish a mechanism to ensure that the procedures are being followed. Management should include these access procedures in their periodic audit process. Each level of management in the facility should be responsible conducting and recording audits of the access procedures on a regular basis. The FSO should include in his daily walk around checklist a requirement to watch at least one person enter each restricted area in the facility to ensure that the procedures are being followed.


Using physical security procedures to limit access to security critical control systems is usually the low cost alternative if keyed lock systems are employed. These procedures do require a significant level of management interest to ensure that the procedures are not being bypassed in the name of expediency or efficiency.Bypassing any security procedure is a bad idea, but with the extent that automation is being employed in the chemical industry, not limiting access to the electronic control systems provides a very large hole through which potential terrorists can drive home their attacks.

Wednesday, September 5, 2007

Chertoff testifies before House Homeland Security Committee

Secretary Chertoff testified before the House Committee on Homeland Security on Wednesday during a hearing entitled “Holding the Department of Homeland Security Accountable for Security Gaps”. The Secretary was the only witness testifying at the hearing. From the opening remarks of the Chairman, Representative Bennie B. Thompson (D-MS), it was apparent that the committee was concerned about rumors that Secretary Chertoff would soon be appointed to the vacant position of Attorney General, and wanted to know where the Department stood on various on-going projects. In fact, the committee provided a “to-do list” for Secretary Chertoff to complete before he leaves the department.


There was only a brief, general mention of the new chemical facility regulations in the Secretary’s testimony. He reiterated past comments about his confidence in the chemical industry’s cooperation because it was in their self-interest to cooperate.


He spent significantly more time talking about in-transit chemical issues; specifically referring to the proposed rule issued last year to regulate the transport of Toxic by Inhalation (TIH) chemicals by rail. He described this proposed rule as a formalization of previously reached agreements with the railroad industry.


Less than two pages of the 23 pages of prepared testimony covered these two issues. The remainder of the submitted testimony covered other areas of DHS responsibility. Chemical security also appeared to be low on the committees priority list; none of the items on the committee’s To-Do list dealt with chemical facility security.

Biometrics for Security

In an earlier blog I wrote about a then up-coming teleconference about the use of biometrics for enterprise security. Unfortunately, I missed the teleconference, but I understand that it was pitched more at corporate and IT management decision makers than at the people that would be affected in a chemical security situation. I recently ran across an article in Government Computer News that provides some more useful information about how to choose a biometric system. There is a lot of information in the article and it lends itself as a good introduction about how such a biometric access control system could be used as part of a security plan for a chemical manufacturing facility.


A variety of electronic control systems are extensively used by the chemical manufacturing industry. In almost every case where these systems are employed, they are going to end up being identified as a security critical system when the facility does their Security Vulnerability Assessment (SVA). As such the facility will have to address the security of such systems in their Site Security Plans (SSP). While a great deal of the security emphasis will be placed on restricting outside (i.e. off-site) access to these systems, there is also going to have to be a hard look at key board access in Control Rooms and offices on-site.


Most facilities probably use some form of log-on access to their controlsystems. When the computer or workstation is turned on a log-on screen familiarto most corporate computer users requires the operator to enter a user name and password before the system will allow access to the control system. In most control rooms work stations are passed from shift to shift with no change in log-on. Even where an on-coming shift is required to re-log the work station onto the system most systems do not require the operator to re-log on to the workstation after a period of absence from the key board. This means that there is only limited keyboard level security on the control systems.


Additionally there are usually multiple people on the facility engineering and maintenance staffs that have varying levels of access to the control system outside of the control room. These people usually turn on their computer (and log-on) when they arrive at work and turn off their computer when they leave for the day. While some people program their system to require that they re-log onto the system after anything more than a brief absence, it is not unusual to find a live screen (and keyboard) in multiple locations in office areas at the manufacturing facility. Many of these computers have some level of access to the control system.


Most people in a chemical manufacturing environment see nothing wrong with this type of access control to their vital control systems. They reason that the only people with physical access to the keyboards are employees or trusted contractors so there is not a security issue involved. What they do not realize is that security professionals are more worried about insider attacks or insider assisted attacks than they are about attacks committed solely by outsiders. This a  reason that one of the risk-based performance standards that DHS will require to be addressed in the facility’s SSP deals with background checks on all personnel with access to critical security areas in the facility.


There are a couple of different ways that a facility can deal with this keyboard security issue. First they could physically secure the keyboards so that only specifically designated personnel would be able to have unaccompanied access to the rooms in which the keyboards were located. Another way would be to electronically limit access to the keyboards. Finally a third way would be to electronically limit access to specific security related actions within the control system. Each of these methods could provide adequate security under the proper conditions, and each of these methods could be based on biometric access controls.


The advantages and disadvantages of these access control systems are more complex than can be dealt with in a single blog so I will look at these varying systems in more detail in future blogs. Each facility will have to determine which system or combination of systems is most appropriate for their situation.

Tuesday, September 4, 2007

Private-Federal Cooperation

I recently received an email from an international researcher on chemical plant security. He wanted to know my opinion on how well the chemical industry in the United States and the Department of Homeland Security were cooperating on the implementation of the new CFATS regulations. Since I am not affiliated with DHS, nor am I working with any chemical company currently undergoing CFATS implementation, I could only provide him my opinion based on open source documentation. But, after sending my reply and getting involved in an extended discussion afterwards, I realized that this is an issue that deserves wider discussion.


DHS is not saying much about this subject, for legitimate reasons, in my opinion. They do not want to give away any substantial information to enemies of our country about how well they are progressing in assessing and addressing security at chemical facilities. Failing to cooperate with DHS would presumably indicate an unwillingness to address security concerns, making the facility more of a target. The intermediate sanctions available to DHS would not necessarily require public disclosure. The final solution of closing an uncooperative facility would certainly make the news, but with the deadlines for various requirements that would merit that response still well in the future and the series of appeals available to delay that response, we cannot expect the remotest possibility of that final sanction reaching the press for months at the earliest.


While DHS is not willing, nor able under CVI rules, to discuss individual facilities, they do have an obligation to Congress to keep them up to date on their progress in this area. On July 24, 2007 Col Robert B. Stephan, Assistant Secretary for Infrastructure Protection, testified before the House Subcommittee on Transportation Security and Infrastructure Protection about the progress DHS was making under the provisions of their new regulations. Interestingly, this testimony is not listed on the DHS Press Room Web Site, though it is freely available on the subcommittee site.


Col. Stephan testified that on June 11th DHS made verbal notification to 50 selected chemical facilities previously identified as potentially high risk to initiate the Top Screen Process. As previously coordinated, a DHS inspector was on site at each of these facilities to help them work through any problems they had with the Top Screen Process. This helped to get some of the highest risk sites quickly into the system and served as a real life validation that the Top Screen system worked as planned.


Additionally, the chemical industry was notified that self-identified potential high risk facilities could initiate their Top Screen process without waiting for publication of the final version of the Appendix A to 6 CFR part 27; that appendix provides specific guidance as to which facilities are required by law to complete that process. According to Col Stephan over 6,000 facilities were, as of the date of his testimony, registered in the CSAT process and in some stage of completion of their Top Screen.


Finally, he reported that 194 facilities had already completed their Top Screen as of July 24th. At the level of highest potential risk, we are apparently seeing at least a modicum of cooperation between industry and government.


At the lower ends of the risk scale we are seeing much less cooperation, and, in fact, some political fighting against the regulations. The Propane Industry has vociferously objected to the 7,500 lb Screening Threshold Quantity for propane listed in the Proposed Appendix A to the CFATS regulation. They and some of the agricultural users of propane have brought Senators from at least two states into the fray, demanding that DHS exempt their industries from compliance with the new regulations. Apparently this political infighting has been at least somewhat successful, the publication of the final version of Appendix A, “due out in a few weeks” according to Col. Stephan’s testimony, is still being held up; further delaying full implementation of the CFATS regulations.


The vast majority of the chemical industry falls some where in between, both in size and probably in the degree of cooperation that can be expected. Most facilities are ill equipped to tackle the detailed requirements of a brand new federal regulation, lacking the manpower, training and funding. Most recognize that they have a responsibility to their owners, employees and communities to protect their facilities from terrorist attack. DHS has two options to deal with this commercial disconnect; they can take the time consuming, manpower intensive road to train these companies in the requirements of the new regulations or they can publicly lower the hammer on a few non-cooperative facilities to scare the remaining companies into hiring the necessary expertise to achieve compliance.


For the time being it looks like DHS is taking the cooperative road. Hopefully there will not be a successful terrorist attack against an inadequately protected facility in the mean time. If that happens, Congress and the American people will come down on DHS and the chemical industry like a load of bricks. The outcry after the 9-11 attacks will pale into insignificance if a successful attack injures civilians outside of a facility that anti-chemical activists have been warning about for years. The political and commercial fallout will break DHS and the chemical industry.

DHS stops using Google Earth

At the end of last month DHS made some changes to their web sites dealing with the Chemical Security Assessment Tool (CSAT). None of the changes was earth shattering from a security point of view; they ditched the use of Google Earth for determining latitude and longitude and replaced it with Microsoft’s TerraServer. With the wide use of GPS receivers that can provide the same data this may not seem important, but it could mean the difference in a couple thousand hits between these two sites. As is the normal procedure, DHS made no announcement of the changes to their site and certainly did not provide a reason for change.


The pages that were changed were:


Chemical Security Assessment Tool (8-29-07)


Accessing the Chemical Security Assessment Tool (CSAT) (8-27-07)


CSAT Top-Screen Questions (PDF, 79 pages - 778 KB)


When they changed the CSAT Top-Screen Questions document they added the TerraServer link and instructions; there had been no mention of Google Earth in the previous document. Presumably they made the same change to the Top-Screen pages, but you have to be registered as achemical site to see those pages, so I cannot verify the change on the Top-Screen page.

/* Use this with templates/template-twocol.html */