Wednesday, October 24, 2007

Ohio EPA pinpoints potential terrorist target

The Ohio EPA announced fines against the Dole Fresh Vegetables facility in Springfield, OH. According to a article the facility uses large quantities of Anhydrous Ammonia (in a refrigeration system) and Chlorine (Water Treatment). The Ohio EPA cited the facility for numerous short comings in the facility’s Risk Management Plan implementation. Specifically, a 2006 inspection found failures to:


  1. Establish a written management system for risk management plan elements;
  2. Provide supporting hazard assessment documentation;
  3. Develop process safety information;
  4. Analyze hazards relating to the chlorination process and address recommendations from the anhydrous ammonia refrigeration process hazard analysis;
  5. Include operating limits, consequences of deviations and safety functions for the ammonia process and complete operating procedures for the chlorination process;
  6. Provide refresher training to employees at least every three years;
  7. Implement preventive maintenance procedures;
  8. Complete pre-startup reviews;
  9. Conduct an risk management plan compliance audit at least every three years; and
  10. Implement the contractor program

In short, it appears thatlittle has been done to comply with Federal Laws requiring the facility to identify the risks associated with handling two toxic, inhalation hazard chemicals so that appropriate plans could be developed and implemented to protect their employees and neighboring facilities and residences from the hazards associated with these chemicals. It takes no great leap of imagination to assume (rightly or wrongly) that this facility has poor security around the storage, movement or usage of these same chemicals.


While there are few nearby residences or schools to target with such an attack, there are enough on-site employees (looking at the size of their parking lot from aerial photos on-line), neighboring businesses, an Interstate, and a nearby National Guard facility, that this would appear to be a ‘legitimate’ terrorist target. Two mutually-reactive inhalation hazard chemicals at a facility known to be lax on following government regulations and little in the way of visible security make this an attractive potential target.


To be fair, since this fine resulted from a 2006 inspection, I am sure that the facility has taken steps to correct the deficiencies noted. The facility is also not currently under any Federal requirements to provide any security for these two chemicals at the facility. The CFATS regulation does not apply to this facility because Appendix A has not yet been approved.


Nor has the Ohio EPA violated any security laws in pointing out the deficiencies noted in their reporting the fines levied against the facility. In fact, a strong case can be made that under community right-to know legislation, the Ohio EPA (apparently acting as the enforcement agency in Ohio for the US EPA) has a responsibility to let the people of Ohio know about these deficiencies. Certainly nothing in this news report would violate CFATS Chemical Vulnerability Information (CVI) rules, even if this facility was currently covered under CFATS.


This is one of the basic problems that an open society has in protecting itself against terrorist attacks. The government has a certain amount of responsibility to share information with its citizens. Under various legislative requirements, companies are required to provide public information about their operations. People living or working around a facility that houses hazardous materials need to know in advance what actions they have to take to protect themselves from those chemicals in the event of a successful terrorist attack or even just an industrial accident. All of the above require public disclosure of information that would be useful to a terrorist organization looking for potential targets.


Short of shutting down this legitimate flow of information to the public, the only thing that the security community can do is to realize that anytime an announcement like this is made, the facility becomes a higher risk target for possible terrorist attack. Local security procedures need to be visibly reinforced and local law enforcement agencies need to make irregular increased patrols in the area surrounding the facility. After some amount of time has passed, after the news report becomes old news, the security can return to a more normal level.


One other thing can be done in this particular instance; under section 27.200 of 6 CFR the Secretary should notify this facility that it is required to complete a Top Screen because the publication of this information puts this facility at a potentially high risk for terrorist attack. In fact, anytime that a chemical facility is publicly identified as having chemicals on-site that might make them a target (Appendix A chemicals when that is finally approved), those facilities should be notified by DHS that they are temporarily at a higher risk and need to increase their security posture. Any such publicly identified facility that has not completed a Top Screen should be required to do so.

Monday, October 22, 2007

An Anhydrous Ammonia Attack Scenario

A recent accidental release of about 1,800 gallons of anhydrous ammonia at a farm supply store in an Oregon farm community has some interesting security implications. According to news reports a farm vehicle was loading ammonia from large tanks at the supply store when the driver pulled away from the loading site without disconnecting the hose. The valve on the farm vehicle was pulled off of the tank and the entire contents of the small tank were released. Two local schools were evacuated and the nearby residents were told to shelter-in-place. Only one person was transported to the hospital though many people experienced some breathing discomfort or burning sensations to their eyes or throats.


It was fortunate that the valve on the trailer broke off and not the valve on the tank. If the valve on the tank had failed, it would have been significantly more than 1,800 gallons of ammonia released and the results would probably have been more serious. While an explosive device may be a more effective weapon to attack storage tank, facilities might want to examine this as a possible mode of attack on their storage tanks. Let’s look at a possible scenario.


A delivery driver that has been suborned by a terrorist organization or a terrorist substituted for a legitimate driver, shows up with a scheduled delivery of a toxic chemical. The paperwork and load are verified and the tank truck is hooked up to a storage tank. During the off-loading process the driver re-enters the vehicle, starts the engine and drives off. The still connected hose pulls the bottom valve off of the storage tank and the entire contents spill and a toxic cloud begins to drift downwind. The driver/terrorist drives the truck off-site during the resulting confusion and escapes.


While the accident in Oregon demonstrates that it would not be a sure thing that the valve on the storage tank would be the first to fail, the failure of the valve on the truck or the hose breaking would provide nearly as good a result if done early enough in the unloading process.


The protections against this type of attack are relatively simple and very low cost. The first thing to do is to isolate the outsider (the driver) from the unloading process. The driver should be kept in a break room or office away from the vehicle and restricted areas of the facility. Secondly, keys to the vehicle should be surrendered to the unloader (a site employee) before the vehicle is hooked up to the unloading line. Finally hoses from trucks should never be hooked directly to the bottom valve of a tank. If the tank is not loaded through a line over the top of the tank (generally the preferable method), then there should be a significant length of piping between the hose connection and the bottom valve with at least one valve between the two.


This example illustrates the fact that security solutions do not have to be high tech or expensive. Identification of attack scenarios and then walking through those potential attacks frequently makes it easy to identify places where it is relatively easy to interrupt the chain of events that is necessary to execute a successful attack. Not all scenarios will be this easy to disrupt, but many of them will be.

Saturday, October 20, 2007

IED’s and Chemical Facilities

Yesterday while giving a speech on Improvised Explosive Devices (IED’s) to the Center for Strategic International Studies in Washington, DC, Secretary Chertoff briefly talked about the chemical facility security program. He made the point that most IED’s outside of active war zones like Iraq or Afghanistan were made from chemicals rather than military or commercial explosives. This is the reason that 64 of the more than 300 chemicals on the DHS Chemicals of Interest list (Appendix A, 6 CFR part 27) are theft risk items according to the current Top Screen questionnaire; these chemicals can be used to manufacture IED’s.


Once again, Secretary Chertoff said that; “…we are very close to issuing our Appendix A…” He also reiterated that, while the department certainly considered “a high concentration of a chemical like propane or chlorine in outside tanks right next to a school” something worth regulating, DHS had no intention of trying to outlaw or regulate small propane tanks people used in barbeque grills. While these tanks could be used to make IED’s, a risk-balanced approach would rely on giving “guidance to people, including merchants, about what to look for if they see something suspicious, or people seem to be buying lots of propane” to protect against that kind of threat. That would allow DHS to concentrate on preventing attacks on larger targets.


DHS does seem to be spending a lot of effort lately in addressing the propane issue. Of course, propane distributors have been part of an organized campaign to get end users of propane exempted from the CFATS regulation. That coupled with agricultural users of propane using senatorial pressure to achieve the same end, may explain why the final version of Appendix A has been so long in coming. Political pressure by special interest groups has a long history of gutting the effects of important legislation.


The big problem with the delay in the issuing of the final version of Appendix A is that most of the chemical industry has taken the wait and see approach on implementing the requirements of 6 CFR part 27. The way they look at it, if DHS is not going to require them to take a more active role in their facility security, why should they bother to spend any more money on security than they already have? After all, no one has attacked a chemical facility yet … in the United States (ignore that terrorist attacks against gas and oil pipelines in Mexico)… maybe (the Spokane DA has refused to charge the 19 year old blamed for starting the Whitley Fuel Depot Fire because of insufficient evidence).


When the first attack does take place, DHS will be the first one to be blamed. Congress, which has failed miserably in every attempt to address the issue except for a single paragraph in the 2007 authorization bill for DHS, will point the finger again at DHS. The chemical industry, citing the lack of guidance, will point the finger at DHS. DHS will be the scapegoat for the politicians and special interest groups that have done their best to make sure that DHS does not have the authority or money to do anything about the problem.

Thursday, October 18, 2007

Coast Guard Chemical Transportation Advisory Committee Meeting

The Coast Guard announced a meeting of the Chemical Transportation Advisory Committee on November 1, 2007 Top of the Town, 1400 14th Street North, Arlington, VA. While chemical shipments via water are not covered under 6 CFR part 27, this meeting might be of interest to any chemical facility that does ship by water.


The agenda includes the following:


(1) Progress report from the Outreach Subcommittee and its Barge Emission/Barge Hazard Communications Workgroup.

(2) Status report on the implementation of MARPOL Annex II regarding Offshore Supply Vessels (OSV).

(3) Progress Report on the NFPA 472 Subcommittee on revisions to the emergency responder chapter for tank vessels.

(4) Presentation on Biofuels and its impact on the maritime shipping industry.

(5) Presentation on Hazardous Materials First Responder training offered by the International Association of Fire Fighters.

(6) Status report on the implementation of the International Maritime Solid Bulk Cargoes (IMSBC).

Wednesday, October 17, 2007

Congressional hearing on cyber security

While today’s hearing of the House Subcommittee on Emerging Threats, Cybersecurity
and Science and Technology
was called to address the threat of cyber attacks on control systems in the electrical power generation industry, testimony of two of the witnesses briefly touched on the similar problem in control systems in the chemical industry.


Mr. Gregory C. Wilshusen, Director, Information Security Issues, GAO, briefly discussed a recent GAO investigation (GAO-07-1036) into the security of control systems. The report concluded that while multiple agencies and private entities have responsibility for cyber security, DHS has the responsibility to coordinate actions between the various parties to ensure the overall security of the United States. The GAO study faulted DHS for lacking an overall strategy for coordinating actions or sharing information.


Mr. Greg Garcia, Assistant Secretary, Office of Cyber Security and Telecommunication,
Department of Homeland Security, briefly discussed how the Department views the threat. First he stated that the primary responsibility for securing control systems rests with the private sector that owns 85% of the control systems in this country. DHS views its responsibility as providing guidance, developing and enhancing partnerships, and preparing for and responding to incidents.


As part of the providing guidance portion of the DHS responsibility Mr. Garcia reported on an evaluation tool developed by the Department that can be used to evaluate the cyber security of a control system. The Control Systems Cyber Security Self Assessment Tool (CS2SAT) will be made available by the Instrumentation, Systems and Automation Society (ISA) to their members. DHS has also provided cyber security training to over 7,000 IT and control systems professionals, including some web based training. Additionally DHS worked with NIST to produce “Guide to Industrial Control Systems (ICS) Security,” which provides an overview of control systems, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.


Control systems are an integral part of most chemical manufacturing processes. In most facilities that will be required to perform SVA’s and SSP’s special attention will need to be shown to these systems. Section 27.230 lists “Cyber” as one of the Risk Based Performance Standards that must be addressed in Site Security Plans; and this includes the security of various control systems on site.

Tuesday, October 16, 2007

“Were terrorists involved?”

There is an ongoing chemical spill incident in progress outside of Detroit, MI as I write this blog. There was a hydrochloric acid spill at a metal plating company; conflicting reports say anywhere from 500 gallons to 3000 gallons were spilled from a roof top storage tank. Some nearby schools and a senior housing complex have been evacuated. There have been no reports of injuries. The clean-up is under way and the only complicating factor appears to be the possibility of rain showers coming into the area before the material is cleaned up. While no doubt exciting for the people involved, it appears to be a relatively minor chemical spill that is well under control; a perfectly ordinary accident at a chemical facility.


That is it is ordinary until you read the reader comments below a Detroit Free Press article on the subject. The first comment comes at 10:31 am CDT from “Moesgaard” who writes: “Were terrorists involved?” Now I have been reading press reports on chemical incidents for the last five years and that includes the reader comments that more and more news organizations are publishing along with these on-line articles. This is the first time that I have seen a reader ask this question. Even during the Whitley Fuel Depot Fire in Spokane, which was identified as suspicious very early on, no readers suggested the possibility of terrorism.


While hydrochloric acid (in concentrations greater than 37%) is on the DHS Chemicals of Interest List (the still as of yet unapproved Appendix A to 6 CFR part 27), this is a chemical with few off site consequences in most instances. It is on the Toxic Chemical list in the Top Screen, but as an inhalation hazard this chemical is only truly toxic as Hydrogen Chloride gas (no water) or perhaps where concentrated acid reacts with water to form vapor clouds. There are reaction hazards associated with this chemical and certainly skin contact hazards, so this is not a “safe” chemical by any stretch of the imagination.


While this facility appears to fall under the Top Screen reporting requirements (if and when Appendix A is approved), the 11,250 lb STQ equates to about 1200 gallons, and the evacuations indicate that there is a local population to consider as potential targets, there appears to be little else in the news articles that indicate that this facility, an auto parts supplier, would be a Tier 1 terrorist target. Why then would a local citizen jump to this conclusion early in the news reporting cycle?


I am afraid that this has more to do with the relatively high Muslim population in Michigan than anything else. In an area with declining manufacturing jobs, little in the way of a high tech economy, and increasingly deteriorating neighborhoods, it is too easy to equate Muslims with terrorists. Thinking about that brings to mind another kind of terrorist attack.




I have never been in this neighborhood. I know nothing about the company where this spill occurred and I know nothing about its employees. Having said all of that lets look at a hypothetical situation. Suppose that this neighborhood had had a recent influx of Americans of Southwest Asian decent, those who trace their ancestry back to the area spanning Israel to Pakistan. Suppose that a group of these people had pooled their hard earned money and bought out an aging auto parts manufacturing firm. Through hard work, community ownership, low wages, and plowing profits back into the business the company came back and successfully competed in this core business.


There would be some levels of resentment in various portions of the remaining citizens of Detroit. Most of those resentments would remain below the surface and never cause any serious problems. But, there would be small portions of the population that would hold serious grudges about lost jobs taken away by “foreigners”. Hate groups of various denominations would gain support from some of these people. The more violent extremes ofthese groups might find it politically expedient to physically attack such a facility, especially if they could slide the blame for the attack on Al Qaeda terrorists, even if just for a moment. Their attack would serve two purposes, hurt the ‘enemy’ and increase the level of mistrust for that enemy.




The whole point of this exercise is to point out how easy it is to come up with potential reasons for a terrorist attack. It is also a reminder that Al Qaeda and its wannabes are not the only potential terrorists that have to be considered when looking at possible terrorist targets. Terror targets can be selected for who the owners are or who the neighbors are; it makes little difference as long as there is a connection between the target and the cause.

Sunday, October 14, 2007

Delivery of Hazardous Materials

An interesting article in a Roanoke, VA newspaper points out some potential changes in delivery of hazardous materials. A local facility there is looking into changing from railcar shipments of Anhydrous Ammonia (about a railcar a week) to truck delivery (four trucks per week). The increasing costs associated with rail shipments and the railroads inability to guarantee delivery times (or even dates) are driving the facility to consider making this change.


Railroads are under increasing pressures from federal and local governments to put restrictions on the shipments of Inhalation Hazard chemicals like Chlorine and Anhydrous Ammonia. DHS does not want these chemicals sitting on sidings for any longer than necessary, since they are a potential terrorist target. Many cities do not want them transiting rail lines through urban areas for the same reason. This combined with the potentially extreme liability costs associated with an accident involving these material is resulting in large increases in freight rates for these materials (a 300% increase in 15 months was reported in the article). 


Security issues are another concern that will have to be taken into account when changing delivery modes for hazardous materials, especially those materials that result in a facility coming under the provisions of 6 CFR part 27 (CFATS), and Anhydrous Ammonia certainly falls within that category. Delivery of hazardous materials is part of one of the Risk Based Performance Measures (#5: Shipping, Receipt and Storage) listed in section 27.230 of the regulation. Changes in delivery mode would certainly require changes in the Security Vulnerability Assessment and subsequent Site Security Plan.


Delivery involves allowing outsiders access to a facility. Procedures need to be put into place for advance notification of who is being sent with the delivery and then verifying that the person being admitted is that person. When receiving railroad deliveries a limited number of people are available for making deliveries so on-site personnel can usually visually identify the railroad crew that normally makes deliveries to the site. This makes the substitution of attackers for deliverers much more difficult. The same cannot always be said for truck deliveries.


Railroad deliveries are more physically constrained than truck deliveries. It is much more difficult to get a railcar to run into a potential target than it is a truck. While it is possible to deliberately run one railcar into another, the low speeds attainable on a siding track usually limit the amount of possible damage that can be done by this type of attack; railcars are relatively resistant to low speed impact damage. Trucks on the other hand are much more maneuverable and may be able to breach dike walls and storage tanks, or damage other critical parts of the facility.


It is also easier to hide an explosive device on a truck than it is on a railcar. There are more enclosed compartments on a truck/trailer than there are on a railcar. This makes it easier to get a vehicle borne bomb onto a facility using truck deliveries and the maneuverability of the truck makes it easier to get that bomb to a critical part of the facility.


Finally, it is harder to substitute incompatible materials on a railroad shipment than truck shipment. Hijacking a truck and substituting a trailer of Chlorine for a trailer of Anhydrous Ammonia (with appropriate changes in trailer markings, of course) would have catastrophic results during unloading. While it is probably not impossible to do the same thing with a railcar, it is significantly more difficult and thus a much less likely method of terrorist attack.


Any facility considering changes in the delivery mode of inbound hazardous materials needs to include a security review in the decision process. The additional security costs may out weigh the differences in delivery costs. Or, conversely, reduced security costs of rail delivery may help justify switching to rail delivery of a hazardous raw material. On the other hand, truck delivery might allow for changes in a facility Top Screen submission that could allow the facility designation as a High Risk Facility to be changed, or might allow the facility to be changed to a higher Tier within the high risk category and thus reduce security requirements.

Friday, October 12, 2007

DHS Changes CSAT Registration Manual Again

Yesterday DHS made two changes to their web site; they updated the Chemical Security Assessment Tool page to include the updated link to the new CSAT User Registration User Guide. This .pdf file provides instructions for a new user of the CSAT to register. This new version (ver. 1.2.3) does not appear to have any significant differences from ver 1.2.2., but anyone trying to maintain a current library of CFATS documents should probably download the new version of the manual whether or not they have already registered with CSAT. If nothing else, it will make you look diligent when the DHS inspector comes to your site to look at your SVA and SST.


Back in the bad old days before the internet, when a government agency made a change to a document like this they printed up and distributed a change document. That document was a brief cover letter describing the changes made to the document and a copy of each page in the manual that had been changed. The change document was sent out to each “known” holder of the document; in a case like this the change document would have been sent to each facility registered in the CSAT system. The person receiving the change document would substitute the appropriate changes in the document and file a copy of the cover letter. When an inspector wanted to check up on someone’s document management they would look to see that all of the current changes were posted to the documents; presumably properly posting the changed pages ensured that people would have read and understood the changes to the document.


Today, of course, we have gotten much more efficient. Since the government is not actually printing these manuals any longer, they have no incentive to print and distribute a change document. All an agency has to do is to post the new document to the appropriate web sites and distribution is made. A new date is put on the cover page of the document and a new version number is issued. Sincethe most up to date version of the document is on the agency web site, all a user has to do is to go to the site and open/download the document. The new system appears to be very efficient.


The only problem is that not everyone is going to go back to the government web site each time they need to use a manual. First off, government web sites can be very complex and the navigational shortcuts are few and far between. It does little good for users to keep shortcuts to government web pages on their computer since web page changes invariably come with changes to the web page address. So, unless someone readily remembers the series of links to click to get to a document, it is easier to download the document and either print it out, or keep it on a local computer. In either case, if there is not some notification made when a change is made to that document, the user will continue to rely on an outdated document.


While in the case of this particular document it does not really make any difference (once you register a facility if CSAT you should not need to use this document again), this does illustrate a flaw in the US Government’s current document handling procedure. It does not appear that at DHS (though I certainly do not believe that they are alone in this area) that there is due care being taken to communicate changes to informational documents. DHS does generally to a good job of updating the page date at the bottom of each web page, it is only site-geeks like me that make copies of each page of a web site so that we can go back and track those changes. The normal site user would never know that a change had been made to this .pdf document.


If I were in charge of the DHS web page, I would have a “Documents” page link on the Chemical Security web page (that page address doesn’t usually change). On that page I would list each of the current documents referred to on the site with a date and version number of the current documents. When there was a change to the document, I would include a brief description of what was changed. This would serve two functions; first it would provide ease of access and secondly one point checks for updatingdocuments. Easily accessed documents are more likely to be used live, thus ensuring that the most current document is being used. Allowing for ease of verifying document versions would allow people that wanted their own copy to easily verify that they are using the most current information.


Fortunately for me, I am not in charge of their site. Now people have to rely on site-geeks like me to know what is happening on the web site.

Thursday, October 11, 2007

Whitley Fuel Depot Fire Arrest

Back in late July I wrote about a fire at the Whitley Fuel Depot in Spokane, WA. Early on the local authorities claimed that the fire was “suspicious” and called in the ATF to help them catch the “arsonist”. Yesterday, local news reports indicated that an arrest had been made. The local 19 year-old male is accused of starting the fire by firing bottle rockets into the fuel depot. Needless to say, he claims to be innocent and was somewhere else when the fire started.


Obviously, there is not enough information provided in news reports to make a decision about gilt or innocence. The authorities do not tell the newspapers all that they know, or more importantly, all that they do not know; neither do defense attorneys. Having said that, it does not look like a not so juvenile delinquent with bottle rockets is the whole story, if news stories are any indication. In a subsequent blog I wrote:


An earlier newspaper article claimed that there were holes in two of the tanks on site and that investigators appeared to have found a tool on site that could have made those holes.


Holes punched in storage tanks would seem to imply a premeditated attempt at arson. If that is the case, and I do not know how accurate those news reports were, the use of bottle rockets to ignite the blaze is incredibly stupid. While they could work, if they detonated at a place with the proper concentrations of fuel and air, it would be difficult to get them to hit and detonate in the proper place; variations in packing the propellant and internal fuse length are huge. Additionally, they have a distinctive smoke trail that points right back at the person launching them. There are a number of other ways that such a fire could have been ignited that would have been much more effective.


There is, of course, nothing that requires criminals to be smart. A nineteen year old pyromaniac, if that is what he is, may not have the experience or knowledge to realize how stupid this ignition device was. Then again, how would he have known enough to punch holes in the storage tanks? All in all it does not seem that the news reports have the whole story, but I guess that that is to be expected.


The one thing that this incident does show is how important it is to have at least some minimum level of security procedures in place when one has hazardous chemicals like gasoline on site. If the holes had not been punched in the tanks, it is very probable that bottle rockets could not have started this blaze. Just a little bit more security would have prevented this accused 19-year old from entering the facility and punching holes in the tanks. Security managers at other chemical facilities need to keep this type attack inmind when they go through their SVA and design their SSP; just remember that bottle rockets should not be the expected source of detonation.


Now if the police in Houston could just find that chlorine cylinder…..

Tuesday, October 9, 2007

How could a foundry be a terrorist target?

In a Chemical Plant Security News blog earlier this week I detailed how a foundry like the one in Tacoma, WA, that was involved in a large propane fire last week, could be protected against a successful terrorist attack against its propane tanks. While the costs for that security would not be too high (certainly less than the costs of rebuilding the plant that the owners are going to see in the coming months) a typical foundry owner might ask themselves: “Why would our facility be a terrorist target?”


In fact, lots of chemical facilities are asking themselves the same question as they look at preparing Security Vulnerability Assessments and Site Security plans required under the new CFATS regulations. The easy answer is because DHS designated you a chemical facility at high risk of being a terrorist target. Unfortunately, DHS has taken the probably proper stance that they will not enumerate the reasons that a particular plant is designated a High Risk facility. The details of that process, if disclosed, would provide too much information to possible terrorists.


So, what then makes a good terrorist target? While there are lots of technical or political descriptions the easiest one to understand is that a good terrorist target is one that, if successfully attacked, provides the terrorist with the loudest, most visible, most painful stage from which to proclaim the Message. Sometimes the message is overtly political; do this or that thing or we will continue to attack. Other times it may be a simple statement of superiority; you are the enemy and we can strike you where ever and when ever we want. Or it can be simple revenge for some slight or attack, real or imagined. But, what ever the message, the purpose of the attack is to draw attention to the message.


The larger and splashier the attack the less it has to be linked to the message. Thus the Twin Towers were a target, not necessarily due to their connection to any specific target of Al Qaeda, but because they were so large, so easily seen, and full of so many people that a successful attack on them made for a very big stage, a stage of world wide scope. A chemical facility that would provide a spectacle of comparable size would be a comparable target. Thus an LPG tank near a major city, or a Bhopal like disaster in an American city would be great target. Targets of this size need no proclamation of responsibility; the medium is the message.


Slightly smaller targets can be made larger by some sort of connection to the cause, a political or cultural linkage. This was how a relatively small firearm attack on a building in Munich became such a good terrorist target. Killing Israeli athletes at the Olympics made the small scale attack a large terrorist incident. Thus an attack on a chemical facility that produces material used by the US Military in Iraq or Afghanistan or was owned or affiliated with an Israeli company would be a good target for an Al Qaeda associated terrorist. Targets like this require a little political statement to ensure that everyone understands the message; a short claim of responsibility and explanation of the connection usually suffices.


Smaller targets can be made splashy enough with a loud, frightening message. Most chemical facilities would fall under this type target. The attack has to be splashy enough to catch regional media attention, like the fireballs and explosions in the foundry fire in Tacoma. The message must then be communicated while the media attention is focused. The message must be loud and arrogant; “We can hit you. We can hurt you. At any time or place of our choosing.” It is better if the effects of the attack can be felt a distance away from the physical damage; toxic fumes down wind, interruptions to utilities, or if the weak (children, the infirm or the old) can be put at special risk; anything to make the pain of the attack more obvious.


Finally, the very small targets can be successfully used by terrorists ifthey can be attacked at will and at random. This is the suicide bomber with the explosive vest walking into a department store, a gasoline station or the local chemical warehouse;  if done frequently enough and in a random manner, the entire society becomes the platform for the message. This requires the largest propaganda effort to accompany the attacks. The terrorist group must strive to make everyone fearful that they could become the victim of the next attack.


Looked at in this way it is easy to see that any chemical facility could be the target of a terrorist attack. The trick to avoid becoming a target is to make the chance of a successful attack as unlikely as possible, to make the terrorist look elsewhere for a more profitable target.

Monday, October 8, 2007

Protection against attacks on large propane storage tanks

A recent propane explosion and resulting fire in Tacoma, WA severely damaged a foundry. A propane delivery truck and one or more on site propane tanks caught fire or exploded. An electrical sub-station was damaged, shutting off power to 13,000 customers. Portions of the delivery truck were thrown onto a nearby highway and portions of the road were closed until state inspectors could inspect bridge supports for possible damage. All 32 employees on site were accounted for, but three people, including the delivery driver, were hospitalized.


While a complete investigation of the incident is on going, the initial indications were that the fire originated in the vicinity of the delivery truck. There are no indications in any of the news reports that this was anything other than a horrible accident. There is not a hint of any report of any deliberate acts being involved and nobody has even mentioned the words ‘terrorist attack’ in any news reports. Having said that; lets play the ‘What If’ game.


A foundry is about as far as one can get from most people’s idea of what constitutes a chemical facility. While this facility would come under that definition, if DHS would ever get their Appendix A, DHS Chemicals of Interest, to 6 CFR part 27 approved, due to the large amount of propane on site (potentially 59,000 gallons according to a Tacoma newspaper account), I would expect that the security around this facility was limited at best; probably a perimeter fence and gate guard at best.


If a terrorist group wanted to get a bomb near one or both of the two large, on-site propane tanks, the simplest way of doing so would be on or in a propane delivery truck. The driver might be involved, and thus become a suicide bomber, or he might not know about a device in or on his vehicle. The driver might be a suborned employee of the gas company or a driver substituted after the truck was hijacked enroute to the facility. The truck could even be a complete substitute painted to resemble a delivery truck from the gas company. Given these alternative methods of this type of attack, what security procedures could have been put into place to prevent a successful attack?


The first layer of defense, working from the tanks outwards would be to isolate the two tanks from each other. This would limit the results of the successful attack to the explosion of a single tank. Furthermore, blast walls near the tanks could limit the effectiveness of any attack by directing the force of any explosion away from high value targets, people or high value capital equipment. Additionally, the unloading location could be physically isolated from either tank, by either distance or location of blast walls, to reduce the potential effectiveness of a truck mounted bomb. Next, all other delivery vehicles would be kept away from either tank or the unloading station by a secondary fence and vehicle barriers. Finally, neither of the propane tanks nor the unloading area would be visible from any fence line on the property; at a minimum a chain link fence taller than the tank, equipped with privacy strips would be between the tank and any fence line.


A propane delivery vehicle entering the restricted area around the tanks or unloading station would have to undergo a physical inspection before entry is allowed. A slow walk around inspection with all equipment doors open with the driver away from the vehicle would normally suffice. During periods of high terrorist threat potential, a bomb sniffing dog could be added. This could be done while the driver was having his paperwork checked and verified in an office. The driver’s identity would be verified with the propane company during this paperwork check.


A delivery truck would not be allowed through the outer perimeter gate unless a delivery was scheduled for that day and time period. The guard would have a truck number and driver’s name provided at the beginning of the shift or physically delivered by someone from the facility office before the truck arrives at the gate. When the gas truck arrives at the front gate the driver would have to enter the guard shack to prove that he was not under duress. A quick walk around inspection would be done by the gate guard. If no delivery was scheduled the truck would not be allowed enter the front gate. If the driver’s or truck identification did not match the list, the truck would not be allowed enter the front gate.


While none of these measures would provide absolute protection against a terrorist attack, they would provide enough security to make most terrorists look elsewhere for an easier target. The tank barriers, separation and separate unloading facility would slow down the progress of a terrorist attack so that authorities could be notified and appropriate facility evacuations could be initiated. Finally the blast walls and separation between tanks and supply truck would mitigate the effects of a successful attack. How a foundry could be a terrorist target will be discussed in a future blog.

Friday, October 5, 2007

Electronic Keyboard Security

As I discussed in an earlier blog, when an electronic control system is part of the security protection system of a chemical facility, or is simply a component of the facility that requires protection as part of the Site Security Plan, on site access to that control system has to be protected. I have discussed using physical security of keyboards as a method of controlling that access. Now it is time to look at using electronic access controls as part of the security procedures for the facility.


The simplest way to protect access to a computer electronically is to require the user to sign on when turning the computer on and require the use of a password or biometric device to complete the sign-on process. At shift change, in control rooms for example, the outgoing operator would be required to log-off of the system and the on coming operator would then log on. To control mid-shift access the Screen Saver option can be used; requiring password or biometric verification to turn off the Screen Saver.


While this system is simple in concept, operationally it is abit more difficult. First it requires that each person authorized routine access to the control system as part of their normal duties has access to a unique computer or work station. While that access point can be shared across shifts, within a shift that person should be the only one with access through that keyboard.


Setting up this type of access control for an electronic control system is straightforward, requiring no real programming knowledge. It does, however, require some training as to why the operator has to go thru the extra work of repeatedly signing on to the work station or computer. If passwords are used, employees need to be trained on proper password selection, use, and protection; they must be taught the reason for the use of the password protection and monitored in their proper use of the password protection system.


A more efficient way of controlling access to the electronic control system requires some system engineering and programming. The first thing that must be done is to determine which portions of the control system are actually security related. For example control valves on a highly hazardous raw material tank might require access controls where the control valves of a nearby fatty alcohol would probably not. Identification of these controls should be covered in the Site Security Plan.


Once these controls are identified, it then becomes a programming function to require password or biometric identification to access those particular controls. Adding dual access control, two different people using separate passwords of biometric identification, for especially critical functions is not much more difficult.


While either method can limit access to critical portions of the electronic control system for the chemical facility, the selection of which system to use will depend on the facility. Where the facility only has a limited number of operations of the control system that directly affect the site security; the programmed system is better. If operators spend most of their shift in front of the keyboard so that they are not constantly re-logging onto the system due to screen saver shutdown, then the log on controls are probably adequate. The team designing the site security plan will have to take these variables into consideration.


Finally, these access controls, like the physical security controls discussed in the earlier blog, are only as good as the auditing system put into place to ensure their proper use. If management is not willing or able to periodically check that these programs are being used, operators will find ways to short cut the system to make their jobs easier; that is simply human nature. The auditing system does not have to be punitive, but it does have to be visible to be effective; management has to demonstrate that they believe that the systems are integral to the security of the facility.

Thursday, October 4, 2007

DHS Website light housekeeping

DHS finally took care of some dead links in its CVI web pages. Each of the pages listed below had a link on the page that was supposed to take the user back to the main CVI page. Unfortunately, the last time these pages were updated the link was not changed to reflect the new main CVI page.


Defining Chemical-terrorism Vulnerability Information

Evaluating Need to Know for Chemical-terrorism Vulnerability Information

Accessing Chemical-terrorism Vulnerability Information

Sharing Chemical-terrorism Vulnerability Information

Training for Chemical-terrorism Vulnerability Information Access


The changes responsible for making these dead links took place in July and August. What’s more, the page ‘Handling CVI” page still has the same dead link. DHS really needs to tighten up its web management.

Wednesday, October 3, 2007

Email Security Issues

I subscribe to DHS Daily Report, a service provided by the Department of Homeland Security that abstracts various news reports about things dealing with various aspects of Homeland Security and then emails that abstract to subscribers. It is a valuable service that anyone involved in the homeland security business ought to subscribe to; obviously many people do. “How many?” subscribers found out today when one subscriber tried to get his address changed by replying to today’s message, and hit the “Reply to all” button on his email; his message went to everyone that receives these daily reports.


Rather than letting this simple, obvious and all too common mistake slip by, many people receiving this ‘reply’ responded with one of their own, again hitting the “Reply to all” button. I stopped counting when the number of replies got close to 100. Many people simply pointed out how stupid the original replier had been, others realized that they had an excellent mass mailing marketing opportunity to get into contact with other people in the security business, and quite a few just seemed to have too much time on their hands.


What few of these people realized is that they were violating a cardinal rule of internet communications security, they were giving an unscreened audience a view into how their organization’s email systems were set up; understanding the email naming conventions used by an organization makes it easier to craft denial of service attacks and start sophisticated spam campaigns. These follow-on repliers also provided anyone that was interested with a confirmed list of email addresses (found in the list of ‘To:’ addressees). Both of these are valuable services to a wide variety of spammers. The confirmed list of email addresses is a commodity that can be sold to any number of legitimate marketing and not so legitimate spamming organizations. Every one of the subscribers will start to receive an increase in the amount of spam that they receive.


Furthermore, most of these repliers provided a sophisticated signature block on their email. The block provided name, organization, title, email, fax, phone and mailing address for someone involved in the security of the organization; someone that is apparently not sophisticated in the area of counter intelligence. This provides various intelligence agencies with a list of possible human intelligence targets that could be used to circumvent the internal security of those organizations. Many sophisticated terrorist organizations probably have intelligence units that could exploit this type of information and almost all countries actively try to develop such intelligence targets. A major gift was handed to these organizations today.


The internet and email are forms of communication that are invaluable to today’s society. But, they are communications mediums and are subject to intelligence gathering techniques. The sooner that people realize this, the sooner they will be able to take an active role in the security of their organization.


One last point; I am disappointed that DHS had not taken actions to disable the “reply to” capability on these messages. The DHS security managers should have recognized the potential intelligence information bonanza that could be reaped by sending a simple “Reply to All” message to one of these daily messages. It is very disheartening to see that information security is so poorly understood by the largest single US Government security agency. Some counter intelligence training is definitely needed.

Tuesday, October 2, 2007

Misplaced Chlorine Cylinders Injure 20 and Hospitalize 4

News reports Friday from Fort Wayne, IN indicated that a number of workers at a scrap metal recycling company were injured when two one-ton chlorine cylinders on the property leaked when the containers were breached. Apparently the containers had been transported to the company for recycling without having been emptied and cleaned. As of Saturday morning no one knew where the cylinders came from or how much chlorine was left in them when they arrived. The only thing that is certain is that about 20 people were taken to area hospitals for evaluation/treatment and four were kept for treatment and were still in the hospital Sunday.


The ongoing investigation will be able to tell authorities where the cylinders came from as they are serial numbered; some interesting explanations should follow. There are any number of legitimate reasons that an empty (and cleaned) chlorine cylinder could find its way to a scrap metal yard; the most likely was that it had reached the end of its service life. What is beyond explanation is how a not empty cylinder of an inhalation hazard chemical could find its way to such a facility.


There are security implications to this incident. The facility that let the now quite empty containers leave their facility appears to have a number of potential problems associated with this incident, but let us examine just one possibility; an insider terrorist related incident.


Suppose there was a disgruntled employee at the facility; one that had a grudge against management for offenses real or imagined. One potential way to get back at the company would be to mark chlorine cylinders at the end of their service life as “clean and empty”. With inadequate controls in place, a company might consider that marking as allowing for the shipment of those containers to a scrap metal yard without any further checks.


Would this be considered a terrorist attack? It does employ a poison gas to injure people not a party to the conflict, but that might not justify the use of the term “terrorist attack”. If the grudge were politically based, it becomes easier to assign that terminology. If the person with the grudge had been manipulated by someone with ties to a terrorist organization, it would certainly be a terrorist attack.


This is one of the reasons that the CFATS regulations require facilities to look at insider and insider assisted attacks when conducting their Security Vulnerability Assessments and developing their Site Security Plans. In this unknown facility’s case they should, now at least, look at what it would take for an individual in the organization to deliberately ship chlorine containing cylinders to improper destinations. They could then take adequate measures to ensure that this type thing could not happen in the future.


I am certain that a week ago, most chlorine filling or production organizations would not have included this eventuality in their security planning; most people would not want to think that one of their own employees could contemplate doing such a thing. Today we know that, either thru planning or incompetence, it is possible to ship a chlorine containing cylinder to some one that should not come into possession of such dangerous material. From this point forward all such organizations would be criminally negligent if they did not attempt to take precautions against this happening at their facility.


/* Use this with templates/template-twocol.html */