Thursday, January 31, 2008

Personnel Surety and SCADA

One of the nice things about the Internet is the wide variety of news and reading sources that I have available every day. Yesterday I read two interesting articles that started me thinking about security and control systems. The first article was on EETimes.com about the new cybersecurity standards recently established by the Federal Electric Regulatory Commission (FERC). The second article was on HSDailyWire.com about an employee at an architectural firm who sought revenge on her employers by deleting seven years’ worth of drawings and blueprints valued at about $2.5 million.

 

The first article was a review of why FERC adopted the new standards and includes a quick overview of the requirements outlined in those standards. Those guidelines include:

·        Critical cyber asset identification.

·        Security management controls.

·        Personnel and training.

·        Electronic security perimeters.

·        Physical security of critical cyber assets.

·        Systems security management.

·        Incident reporting and response planning.

·        Recovery plans for critical cyber assets.

 

The second article reminded me of what I wrote in a blog last week, “Control systems vulnerable to attack”. I discussed a CIA report about criminal organizations overseas that seized control of electrical grids by cyber attacks on the control systems for those utilities. The purpose of those attacks was for those organizations to extort money from the companies. These various reports show that there are a number of different possible motivations for assaults on control systems.

 

These two unrelated articles came together in my mind and made me realize that a detailed cyber security program would protect a facility against more than just a terrorist attack or even a disgruntled employee. It would also form the basis for a disaster response plan in the event of a natural disaster or a severe accident at the facility. After all, these different scenarios all have one thing in common: contingency planning.

 

With that in mind, we will take a quick look at how some of the bulleted points above can be used in the vulnerability assessment of a SCADA, or Supervisory Control and Data Acquisition, system in a chemical facility. For purposes of this blog, we will only look at those parts of the system that apply to the DHS required SVA for high-risk chemical facilities. That means that the SCADA system is only considered where it impacts controls on one or more of the chemicals of interest (COI) listed in the DHS letter informing the facility that they are required to do an SVA.

 

Critical Cyber Asset Identification

 

The most important part of the SCADA vulnerability assessment is determining just what physical parts of the system can be considered a Critical Cyber Asset (CCA). In a perfect world everything within the facility would receive equal attention. In practice there is only a limited amount of time and money available to get the facility adequately secured. Those resources need to be first focused on the critical parts of the system.

 

While the central processing unit (CPU) of the SCADA system is certainly a Critical Cyber Asset, not all of the sensors and controls attached to that CPU need to be considered a CCA. Systems that monitor and control critical safety parameters (like temperature, pressure or tank level) on the COI will normally be identified in safety reviews. If a successful attack could be executed by manipulating those devices they would be considered CCA.

 

Any input device that would allow a person to modify the control scheme to allow an unsafe upset condition should also be considered a CCA. A careful review of these devices is necessary. Frequently a keyboard that is normally used only for data entry can, with the appropriate password, be used to modify the programming of the CPU. Laptops that can be used to access the system from outside of the physical confines of the facility also need to be considered.

 

The power system for the SCADA system certainly should be considered a CCA. This includes any uninterrupted power supply (UPS) that keeps the system operating in the event of a failure of the primary power supply to the facility. Even if the facility systems can automatically revert to an inherently safe state in the event of a power failure, the power supply should be considered a CCA.

 

Personnel and Training

 

There will be three classes of people working at the facility when it comes to access to the SCADA systems: those with no access, those with limited access, and those with full access. Identifying which people fall into which class can be difficult. People with no access have no ability to interact with the system other than to read the output of fixed displays (temperature, pressure or level for example). Limited access individuals can input data to, or request data (as opposed to reading a fixed display) from, the system. Personnel with full access can modify the actions or response of the control system.

 

In cases where the SCADA is a two layer system with the safety interlocks separated from process controls, a facility may decide that only personnel with access to the safety interlocks have full access. To come to this conclusion their analysis would have to show that actions taken in just the process control section of the SCADA could not result in a runaway reaction or catastrophic release.

 

While those definitions seem to be clearly defined, it may not be so clear cut in practice. If data entry keyboards are not locked or left in a secure area when unattended, anyone with access to the facility has limited access to the SCADA system. If someone with full access can use those same keyboards (with the appropriate password) to modify the system, the distinction between limited and full access is determined by the password control system actually in use. The use of compromised, easily hacked, or infrequently changed passwords makes the distinction unimportant.

 

All employees need to be trained in the importance of the SCADA system for both process safety and protection against terrorist attack. That training should include the importance of reporting any signs of tampering with the SCADA system or attempts by outsiders to gain information about the system. Personnel with any level of access should be trained in the importance of securing data entry devices and the proper selection and use of passwords. Personnel with full access should receive additional training and repeated reminders from management about the importance of security of SCADA interface devices.

 

Personnel Surety Program

 

The Risk Based Performance Standards in Section 27.230 of the CFATS regulations require that anyone with unaccompanied access to critical parts of the high-risk chemical facility undergo a background investigation. This certainly applies to personnel with full access to the SCADA. In practice, since it is nearly impossible to prove that someone with limited access does not have full access, those personnel with limited access should probably also undergo the same background investigation.
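The argument in the Personnel and Training section (nominal access classes collapse when keyboards are left unsecured or passwords are weak) and the conclusion above about who needs a background investigation can be checked mechanically. The following is an added example, not part of the original post; the terminal and personnel records, their names, and the rule that a person can use any unsecured terminal they can physically reach are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    NONE = 0     # can only read fixed displays
    LIMITED = 1  # can input data to, or request data from, the system
    FULL = 2     # can modify the actions or response of the control system


@dataclass(frozen=True)
class Terminal:
    name: str
    secured_when_unattended: bool   # locked, or kept in a secure area
    can_modify_with_password: bool  # data-entry keyboard that can also reprogram
    password_weak: bool             # compromised, easily guessed, rarely changed


@dataclass(frozen=True)
class Person:
    name: str
    nominal: Access                     # class assigned on paper
    reachable: frozenset = frozenset()  # terminals the person can physically get to


def effective_access(person, terminals):
    """Return the access class a person can actually exercise."""
    level = person.nominal
    for name in person.reachable:
        t = terminals[name]
        at_terminal = person.nominal
        # An unattended, unlocked keyboard gives anyone who reaches it
        # at least limited access.
        if not t.secured_when_unattended:
            at_terminal = max(at_terminal, Access.LIMITED)
        # If the same keyboard can modify the system with a password, only
        # the password separates limited from full access.
        if (at_terminal >= Access.LIMITED
                and t.can_modify_with_password and t.password_weak):
            at_terminal = Access.FULL
        level = max(level, at_terminal)
    return level


def audit(people, terminals):
    """Map each person's name to their effective access class."""
    return {p.name: effective_access(p, terminals) for p in people}


def background_check_scope(people, terminals):
    """Names of everyone whose effective access is limited or full."""
    result = audit(people, terminals)
    return sorted(n for n, lvl in result.items() if lvl >= Access.LIMITED)


# Constructed sample data (hypothetical site, not from the post).
TERMINALS = {t.name: t for t in [
    Terminal("control-room-hmi", True, True, False),
    Terminal("tank-farm-keypad", False, False, False),
    Terminal("loading-dock-kbd", False, True, True),
]}

PEOPLE = [
    Person("clerk", Access.NONE),
    Person("guard", Access.NONE, frozenset({"control-room-hmi"})),
    Person("janitor", Access.NONE, frozenset({"tank-farm-keypad"})),
    Person("operator", Access.LIMITED, frozenset({"control-room-hmi"})),
    Person("loader", Access.LIMITED, frozenset({"loading-dock-kbd"})),
    Person("driver", Access.NONE, frozenset({"loading-dock-kbd"})),
    Person("engineer", Access.FULL, frozenset({"control-room-hmi"})),
]

if __name__ == "__main__":
    for name, lvl in audit(PEOPLE, TERMINALS).items():
        print(f"{name:10s} {lvl.name}")
    print("background check:", background_check_scope(PEOPLE, TERMINALS))
```

In this sample the driver and the loader both end up with full access through a single unsecured keyboard with a weak password, even though neither is assigned it on paper.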

 

DHS has not provided any detailed guidance on what sort of background investigation is required under 27.230, but they have volunteered, for high-risk facilities, to complete a check against DHS known and suspected terrorist lists. This leaves the facility management with a great deal of leeway in what to check and what findings require dismissal of individuals as a facility security risk.

 

A one-time background check is not an adequate surety program. Supervisors at all levels need to be aware of personality changes and negative changes in an employee’s attitude toward the facility, co-workers and management. The reasons for these types of changes need to be identified as soon as possible. Obviously this means that supervisors need training in the early identification of these personality changes.

 

IT Security Professionals?

 

There is, of course, a great deal more that goes into setting up an adequate IT security program for a vulnerable SCADA system. Those details are better left to those with that particular expertise. The decision to hire the services of an IT Security professional should be predicated on the initial analysis of the threat to the SCADA system. Some things to consider are:

 

·        Can a runaway reaction or catastrophic release of a COI be caused by the manipulation of the SCADA? If yes,

·        Does the company have a trained IT security specialist on staff? If no,

·        Can the SCADA be accessed from off site? If yes, consult with a professional. Or, if no,

·        Can access to the SCADA be completely isolated to vetted and trusted employees? If no, consult with a professional.

Wednesday, January 30, 2008

Ethanol Production and CFATS

I ran across an article yesterday on EthanolProducer.com, the web site of a magazine serving the ethanol production industry. The article, “Costly Chemicals”, looks at the reason for the high prices associated with some chemicals used in the production of Ethanol. Of the four chemicals referenced in the article (sulfuric acid, caustic soda, urea and anhydrous ammonia), only one is currently of interest to the Department of Homeland Security, anhydrous ammonia.

 

When I saw anhydrous ammonia listed in the opening paragraph I immediately said, “Oh yes, it’s used in the refrigeration system for the condensers used during distillation.” I read a little further and learned that my assumption was wrong. According to the article an ethanol plant in Mason City, IA uses 600 tons of anhydrous ammonia every year. It is “used in the early stages of the process to balance the pH and improve the action of enzymes used in the slurry system”.

 

That is a lot of anhydrous ammonia. By my calculations 600 tons is 1.2 million pounds. Surely the facility keeps more than 10,000 pounds on site at any one time. In short, they meet the STQ for anhydrous ammonia and should have completed a Top Screen by last Tuesday. If the article is right, then almost all of the corn based ethanol plants in the country should have completed a Top Screen.

 

With that in mind, I searched the back issues of Ethanol Producer to see what they had to say about the new security regulations. I did a general site search and then a search of each issue since April of 2007. I could find no references to “plant security”, “security”, “CFATS”, “CSAT”, or “Top Screen”. In short, I could find nothing on their web site that showed they even realized that the new chemical facility security regulations had anything to do with ethanol producers.

 

Of course ethanol production facilities have other sources of information that may have provided information to them about the requirements to register for CSAT and complete the Top Screen. Their suppliers of anhydrous ammonia, for instance, should be well familiar with these requirements. The article points out that most of the supply for anhydrous ammonia now comes from imports from outside the United States. This would increase the probability that their suppliers were not aware of the US Government requirements.

 

I would be of the opinion that Ethanol producers should be included in the requirement for refineries to make a Top Screen report. The large amounts of flammable Ethanol produced and stored on site would make for a rather spectacular terrorist target. Unfortunately, there is nothing that I read in 6 CFR part 27 or Appendix A that would support my opinion.

 

Furthermore, the reactivity of the four chemicals listed in this article in Ethanol Producer would also, in my mind, make this a target. Sulfuric acid and caustic soda react almost instantaneously, producing more than enough heat to cause a low volume steam explosion. Sulfuric Acid reacts explosively with anhydrous ammonia and violently with Urea. Improperly isolated storage tanks would make it easy to start a conflagration that would rapidly consume the entire facility. Finally, many of these facilities are located in or near towns and small cities scattered throughout the middle of the country.

 

I think it would behoove DHS to check and see if all of the ethanol production facilities in the United States have completed a Top Screen. Any facility that failed to do so should be directed to complete a Top Screen. This would be an industry that should be very easy to check up on the compliance rate. There are a relatively small number of facilities (certainly a smaller number than say the food processing industry) and most of them are well known to the federal government since they are receiving federal subsidies.

Monday, January 28, 2008

Chemical Incident Review – 1-28-08

With the publication of the final version of Appendix A and the attendant attention on completing Top Screens, I have not written much about chemical incidents in the last couple of months. While there have been no reports of terrorist related chemical incidents there have been a number of chemical accidents that can provide information to people conducting SVAs and developing Site Security Plans. With that in mind I’ll look at some of the chemical incidents in the last couple of months.

 

T2 Labs Explosion – Jacksonville, FL

 

On December 19th there was a large explosion at the T2 Labs chemical plant in Jacksonville, FL. Four people were killed, a number were injured (both on and off site) and there was significant building damage at a number of businesses off site. The investigation included four federal agencies, Jacksonville homicide detectives and the state fire marshal.

 

A CE&N reporter quotes a Chemical Safety Board investigator as saying it was the largest blast that the board has investigated to date. The CSB preliminary report indicates that a runaway chemical reaction in a pressure vessel resulted in several thousand pounds of pressure in the vessel. The pressure was too much for the vessel (with 3” thick steel walls) to contain, so the vessel ruptured, sending a stream of flammable gasses into the air. Those gasses almost immediately ignited in a fuel-air explosion that resulted in the fire on site.

 

Neither the EPA nor OSHA regulations deal with reactive chemistry like that involved in this explosion. The new CFATS regulations, with their strong reliance on EPA and OSHA identification of hazardous chemicals, do not deal with this type of threat either. Unless one or more of the solvents used in this process was listed in Appendix A, or the amount of hydrogen produced in the reaction was more than 10,000 lbs, this facility was probably not covered by the CFATS regulation.

 

Admittedly this is not the type of incident that most people consider when they think about a terrorist attack. This type of incident could only be brought about by insider collusion or an insider attack. To deliberately bring about this incident someone would have to bypass process controls that keep this reaction within normal parameters. Even if someone were to manipulate the process controls from the outside, they would need insider information about the process being run.

 

That does not mean that terrorists could not pull off this type of attack. There is an increasing realization that terrorist groups are looking to recruit disaffected employees to acquire this type of information or to actually conduct attacks on site. This was an item of interest at the latest National Infrastructure Advisory Council meeting. This is also one of the reasons that the CFATS rules require a personnel surety program as part of the Site Security Plan for covered facilities.

 

JBS Swift & Company Ammonia Leak – Worthington, MN

 

On January 15th there was a leak of the anhydrous ammonia coolant in the refrigeration system at the JBS Swift plant in Worthington, MN. Over thirty people were treated at local hospitals for minor injuries related to their chemical exposure. The leak was handled by the plant’s HAZMAT team. Ambulances from three separate companies transported the most seriously injured and a local bus company was contacted to provide transportation for those with minor injuries. None of those injured required hospitalization.

 

This incident shows how important it is to have a good plan. The company’s HAZMAT team removed people from the affected area, conducted effective triage on site and got everyone to appropriate medical care. At the same time the leak was identified, isolated and repaired. If this had been a terrorist attack instead of an accident, these same mitigation techniques would have served to reduce the effectiveness of the attack.

 

Vertellus Specialties Chemical Leak – Water Gap Delaware

 

On January 12th a storage tank at Vertellus leaked about 17,000 pounds of a mixture of maleic anhydride and octene into a diked area on the facility site. About 30 local residents were evacuated and local fire companies and HAZMAT units responded. A private HAZMAT response company responded and cleaned up the spill. There were no injuries and no fire.

 

The local response was prompt and included responders coming to the site with foam fire suppression equipment, a requirement for many chemical fires. Multiple localities responded. The national HAZMAT response company was notified at the same time as the local 911 call was made. It looked like a well coordinated response prevented a potentially large fire. Again, prior planning with local response agencies is an important incident mitigation tool and would be important in any chemical attack.

Saturday, January 26, 2008

Inherently Safer Technology, Pros and Cons

The CFAT Act of 2008 discussed in Friday’s blog would try to enforce a requirement for chemical facilities to use what is generically called Inherently Safer Technology. This is a broad term that refers to the use of less dangerous chemicals, less energetic reaction conditions and/or even reduced chemical inventories to reduce the hazards to a surrounding community from the results of a successful terrorist attack. While this appears to be an easy way to reduce hazards, it is not the panacea that many advocates claim.

 

Generally speaking, chemical facility operators would prefer to use inherently safer technology. A great deal of time, energy and money is spent in making chemical processes safer. No one makes any money when a reaction vessel or storage tank explodes, especially when it affects potential litigants outside of the front gate. When highly hazardous chemicals are used or produced in a process, extensive work has to be done to analyze the hazards associated with the process and to implement additional control measures to keep that process within safe operating parameters.

 

Now with the implementation of the CFATS regulations, facilities with dangerous chemicals and/or processes will be spending additional money on layering security controls on top of the safety controls already in place. No one is arguing that these measures are not necessary, but they will be expensive. If a facility could avoid that expense by changing to a less hazardous chemical they almost certainly will, if they can.

 

I have worked as a Process Chemist in the specialty chemicals industry for 12 years. I have worked in R&D and in chemical plants. I have worked with new product development and introduction as well as on process improvement operations. One of the things on which I have spent a great deal of time is the substitution of chemicals in an established chemical process. A look at how that process works will illustrate the problem with requiring the use of inherently safer technologies.

 

Substituting with the Same Chemical

 

The most frequent chemical change made in an established process is the substitution of a chemical with the same chemical made by a different supplier. This is done to reduce costs or to assure the ready supply of a chemical. While this sounds like a simple substitution, it is not.

 

First lab work needs to be done to confirm that the two chemicals are the same, or close enough to the same not to matter. With industrial chemicals there is no such thing as a pure chemical; there is always some level of contamination. Different processes, different raw materials, and even different process equipment can lead to changes in both the amounts and types of contamination present in a chemical. Analytical tests are done to measure the types and amounts of that contamination.

 

Lab batches are made using the new chemical and all of the other actual raw materials from the manufacturing plant. This is done to assure that there are no unusual side reactions that arise because of the differences in the contaminants. Reaction conditions are observed to see if there are unusual increases in temperature, production of gasses or other byproducts. Multiple production lots of the new chemical are used to look for production variations in the new supplier’s process.

 

Extensive testing of the finished lab batches will be done to ensure that the same product is being made with the newly sourced chemical. If the manufactured chemical is used as a raw material in another chemical process, samples are sent to customers (both internal and external) for them to evaluate. Those customers will have to go through a similar testing process.

 

Once these tests are completed the product can be introduced into the manufacturing facility. A limited supply of the chemical will be obtained from the supplier and a trial batch of material will be made. The batch will normally be segregated while additional in-house and customer testing is done on the trial material. Once approved the new supplier is allowed to provide this raw material. Unfortunately, this simple type of change has nothing to do with changing to an inherently safer process.

 

Substituting an Entirely New Chemical

 

Changing one of the chemicals involved in a chemical reaction is not the same thing as substituting olive oil for corn oil in a cooking recipe. To get the same final product changing one raw material usually requires the changing of at least one of the other chemicals involved in the reaction. What you are essentially doing is developing an entirely new product.

 

First someone has to come up with the idea for the new reaction. Then a literature search has to be made to see if someone else has done work on that process. If there are no current patents involved then the chemists involved can start their lab work. As the lab work progresses the Environmental, Health and Safety people start to take a hard look at the prospective chemicals and processes involved.

 

The lab work involved can take months to years, depending on the complexity of the process. Minor variations of the process need to be run to see what process upsets can be tolerated, both from a quality and safety point of view. Intermediate samples from the process will require testing to see how they will behave in various process upset conditions: high and low temperatures, high and low pressures for example.

 

Lab samples of the product need to be sent to customers for testing. A new material, rather than a simple substitution of the same raw material, will require substantially more testing. If this is an industrial chemical, the product made from this material will require substantial testing; some of that testing can take months or years to complete depending on the application. If this is a commercial product going directly into the hands of consumers, safety testing will also have to be done to detect health or safety issues. That testing can also be quite time consuming.

 

It is not unusual for test results to require additional lab work to correct problems found in the testing process. This means that it is quite typical for a change in raw materials to take years of lab work to get the new process into shape for introduction into the manufacturing facility.

 

Introducing a new process into a manufacturing facility is also a time consuming process. If new process equipment is required this must be purchased, installed, and employees trained on the operation of the equipment. If no new equipment is needed the introduction process is only slightly easier.

 

New chemicals require a safety review prior to introduction. Employees have to be trained on safe handling. New processes also require a safety review prior to being run in the facility. Invariably some equipment modifications will have to be done. Procedures will have to be written and reviewed. Employees will have to be trained on the new procedures. Depending on the complexity of the new process this pre-introduction procedure can take anywhere from weeks to months.

 

Finally a trial batch of material is made using the new process. If everything works as planned, and it seldom does the first time, the material again is sent out for testing. Frequently the testing is not required to be as extensive as with the lab samples, but this will still be time consuming. If testing reveals new problems more lab work is required. Depending on the extent of process changes required to correct those problems, the whole process introduction work may have to be repeated.

 

Once all of the bugs are worked out the new process is put into commercial production. Except that there are a number of check points along the way at which the process can be stopped. Economic analyses are done at just about every step of the process to ensure that only potentially economically successful processes are worked upon. The time and resources necessary to bring a new process or product to fruition are expensive. If the new process is not economically viable, the company needs to know that as soon as possible.

 

The Chemical Industry Does Not Support Mandatory Reliance on Inherently Safer Technology

 

Because of the time and resources involved in developing and implementing any significant process change, industry is reluctant to allow a government agency to determine what process change can reasonably be made. If the agency were to make the same type of well thought out economic evaluation that the company would expect to make, the company would have to share way too much information with that agency. Anything short of that level of information sharing would leave the decision by the agency potentially devastating to the company or suspect to proponents of the forced application of Inherently Safer Technology. In short, it is a no win situation for both the agency charged with making the decision and the company that is forced to comply with that decision.

Friday, January 25, 2008

Chemical Facility Anti-Terrorism Act of 2008 Markup

As I reported briefly on the 23rd in my blog, “Chemical Facility Anti-Terrorism Act of 2008” the House Subcommittee on Transportation Security and Infrastructure Protection held a session yesterday to markup a draft of a new bill, Chemical Facility Anti-Terrorism Act of 2008. As of yesterday that bill had not yet been officially introduced into the formal legislative process.

 

The reason for this bill is that the authority for the CFATS regulations issued last year expires on October 31st, 2009. The main purpose of this proposed bill is to codify and make some ‘minor’ revisions to those regulations. Chairwoman Jackson-Lee summarized the bill in her prepared testimony;

 

“…under the Chemical Facility Anti-Terrorism Act of 2008, the Secretary is required to maintain a list of “significant chemical facilities” which have more than threshold quantities of “substance of concern” or that meet specific criteria. Facilities will be required under the regulations to notify the Secretary if there is any change in the threshold amount of substance of concern.”

 

“Whereas this bill makes a stronger promotion of lowering off site consequences, requires employee training, protects against Whistleblowers and illegitimate use of background checks, it does not change the function of the CFATS regulation.”

 

While I haven’t had a chance yet to read the 65-page bill, I have reviewed the subcommittee’s summary. Much of the CFATS regulation will face little or no change by the version of the bill passed in subcommittee today, but there will be some significant changes. Of course, this is an election year so there is no telling if this bill, in any form, will make it to the floor of the House for a vote, much less survive to become law. With that caveat in mind, it would be beneficial to look at how this subcommittee would like to see the CFATS regulations modified.

 

Probably the most significant change is the expansion of the universe of regulated facilities. This bill would expand the facilities to be covered to all facilities that possess more than a threshold quantity of a “substance of concern” (Section 2102) rather than limit it to only high-risk facilities. Facilities that fall under the Safe Drinking Water Act and the Maritime Transportation Safety Act would also fall under the new regulation (Section 2103).

 

The Secretary still retains the authority to “designate or exempt a chemical substance as a ‘substance of concern’” and to establish those threshold quantities. There does not appear to be any reason why the current Appendix A could not serve this purpose.

 

The Secretary would still be responsible for establishing a tiered hierarchy of risk and assigning each “significant chemical facility” to one of those tier rankings. Of those tiers DHS would still have to define which facilities are at high-risk for terrorist attack. High-risk facilities would still be required to perform Vulnerability Assessments and Facility Security Plans (Section 2103).

 

Enforcement would become a little stricter. Facilities failing to submit a Vulnerability Assessment or Facility Security Plan would receive an order to submit from the Secretary. Failing to do so then would result in an order to cease operations. Furthermore, DHS would be required to establish a procedure to allow individuals to directly notify the department of any “problems, deficiencies, or vulnerabilities at a chemical facility.” (Section 2105). Whistleblower protections would apply to such informers.

 

Penalties would be significantly increased. The Secretary could issue administrative penalties of up to $250,000 for failure to comply with an order. The Secretary could also bring a civil action in U.S. District Court “against a facility that violates or fails to comply with any order, directive, or facility security plan” (Section 2106). Criminal penalties could also be sought against owners or operators “who knowingly and intentionally violates a compliance order”.

 

It appears that the CVI rules would also have to be changed. “Information submitted to or obtained by the Secretary under this title or related vulnerability or security information shall be treated as classified material” instead of the current sensitive but unclassified rules for CVI.

 

Federal preemption rules would follow those seen in the 2008 budget bill. The Secretary would have to establish procedures for states and individuals to request the preemption status of any state or local law (Section 2107). This law would also specifically provide for judicial review of any such decision.

 

This bill would include specific provisions for inherently safer chemicals, processes and technologies. It would require that “the facility security plan include an assessment of methods to reduce the consequences of a terrorist attack on a facility” (Section 2110). It also requires the Secretary to require the implementation of such methods if the Secretary determines that the methods “would significantly reduce the impact to health or the environment from a terrorist release; can be feasibly incorporated into the facility’s operations; and would not significantly and demonstrably impair the ability of the facility to sustain operations.” An appeal panel would be established by the Secretary and would include members of Federal and State agencies and independent security experts.

 

The rules for background checks are codified in this proposed bill. It would extend the rules used for Hazmat drivers (part 1572 of title 49, CFR) to employees of covered chemical facilities (Section 2115). The wording appears to allow employers to retain people that fail such a background check but prohibits them from firing employees that fail a less stringent standard. This is the type of wording that unions have been looking for to protect their members.

 

As would be expected the devil is in the details. Since this regulation is unlikely to survive as written in the legislative process, I will probably forgo trying to do a detailed analysis of this legislation. Anyone interested in looking at those details can find a copy of the bill on the subcommittee web site.

Thursday, January 24, 2008

Control systems vulnerable to attack

According to the Washington Post, the CIA, at a recent cyber security conference, disclosed successful cyber attacks against a number of electrical systems outside of the United States. These attacks reportedly resulted in power outages in a number of cities. In the reported instances the goal of the attack was apparently extortion. It is unusual for the CIA to declassify and report this type of information in an open meeting of this sort; it is most certainly a mark of their concern.

 

Most chemical processors use some sort of electronic control system to monitor and/or control their manufacturing processes. Any such control system with any sort of connection outside the plant gates could be liable to this type of attack. Enterprise software holding company inventory, orders and customer requirements is also vulnerable to this type of criminal attack. While losing control of any software system to an outsider would be bad from a business perspective, it is the process control systems that are at the highest risk from terrorist attack.

 

From a CFATS perspective it is the process control software that is of the most concern. I’ll leave the details of protecting software systems to the IT Security Professionals, but I will note that it is becoming more difficult to completely isolate these control systems from outside access. A system that is not isolated must be considered vulnerable to attack. Rather than aiming for complete protection of the control system software there might be another technique that would provide better protection against terrorist attacks.

 

Most chemical facilities have a system of safety interlocks and control systems that protect their chemical processes from the most dangerous process upsets. In ideal situations these safety systems reside on a separate computer system that has been hardened and protected against power failures, unauthorized access and other upsets that could shut down the safety system. Isolating these relatively limited systems from outside access should be easier than isolating the entire control system.

 

A properly isolated safety system could help to mitigate the effects of an attack on the main control system, keeping process parameters within safe operating ranges. Additional security controls could be added to the same system. For example, if there were a concern about a discharge of a COI into a tank farm, there might be a remotely operated valve that must be opened along with a manual valve at the tank in question. Control of that automated valve would be accessible only to supervisors and would work through the safety control system.

 

An isolated safety/security control system would go hand in hand with reasonable efforts to limit the possibility of a terrorist attack gaining control of the main control system. This would also be a good example of the layered protections envisioned by the CFATS rules. It is also an example of the creativity that a good site security plan will require.
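The two-valve arrangement described above can be sketched as a small permissive model. This is an added illustration, not code from any vendor's safety system or from the CFATS rules; the channel names, role names and the choice to accept close commands from any safety-system user are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed channel and role names for this illustration.
SAFETY_SYSTEM = "safety_system"   # isolated safety/security controller
MAIN_CONTROL = "main_control"     # plant-wide control system with outside links
SUPERVISOR = "supervisor"
OPERATOR = "operator"


@dataclass(frozen=True)
class Command:
    source: str   # channel the command arrived on
    user: str
    role: str
    action: str   # "open" or "close"


@dataclass
class DischargeInterlock:
    remote_valve_open: bool = False
    manual_valve_open: bool = False
    audit: list = field(default_factory=list)

    def set_manual_valve(self, is_open: bool) -> None:
        """The hand valve at the tank changes only by someone standing at it."""
        self.manual_valve_open = is_open

    def handle(self, cmd: Command) -> bool:
        """Apply a remote-valve command; return True if it was accepted."""
        reason = self._reject_reason(cmd)
        # Every attempt is logged, so refused commands can be reviewed later.
        self.audit.append((cmd.source, cmd.user, cmd.action, reason or "accepted"))
        if reason:
            return False
        self.remote_valve_open = (cmd.action == "open")
        return True

    def _reject_reason(self, cmd: Command):
        if cmd.action not in ("open", "close"):
            return "unknown action"
        # The main control system has no authority over this valve at all.
        if cmd.source != SAFETY_SYSTEM:
            return "not from safety system"
        # Assumption: closing is the safe direction, so only opening is restricted.
        if cmd.action == "open" and cmd.role != SUPERVISOR:
            return "supervisor required"
        return None

    def discharge_possible(self) -> bool:
        """Material can move only when both valves are open."""
        return self.remote_valve_open and self.manual_valve_open

    def rejected(self) -> list:
        return [entry for entry in self.audit if entry[3] != "accepted"]


def run_demo() -> dict:
    """Walk through constructed commands and report what the interlock did."""
    il = DischargeInterlock()
    out = {}
    # A supervisor-labelled command arriving via the main control system.
    out["main_control_open"] = il.handle(Command(MAIN_CONTROL, "svc-hmi", SUPERVISOR, "open"))
    # An operator on the safety system tries to open the valve.
    out["operator_open"] = il.handle(Command(SAFETY_SYSTEM, "op1", OPERATOR, "open"))
    # A supervisor on the safety system opens it; the manual valve is still shut.
    out["supervisor_open"] = il.handle(Command(SAFETY_SYSTEM, "sup1", SUPERVISOR, "open"))
    out["flow_remote_only"] = il.discharge_possible()
    il.set_manual_valve(True)
    out["flow_both_open"] = il.discharge_possible()
    # Anyone on the safety system may close the valve.
    out["operator_close"] = il.handle(Command(SAFETY_SYSTEM, "op1", OPERATOR, "close"))
    out["flow_after_close"] = il.discharge_possible()
    out["rejected_count"] = len(il.rejected())
    return out


if __name__ == "__main__":
    print(run_demo())
```

The audit list is the part worth wiring to an alarm: an open request arriving from the main control system should never occur in normal operation.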

Wednesday, January 23, 2008

Chemical Facility Anti-Terrorism Act of 2008

A notice appeared today on the House Homeland Defense Committee web site about a meeting of the Subcommittee on Transportation Security and Infrastructure Protection concerning the markup of the “Chemical Facility Anti-Terrorism Act of 2008.” The meeting is scheduled for 1:30 pm today. I will try to get additional information.



Academia Looks at the Chemical Security Rules

While the deadline for Top Screen filing has come and gone, I found an interesting journal article about the effect of the final Appendix A list on college and university labs. It was published in the Journal of Chemical Health and Safety, a journal of the American Chemical Society. Interestingly, the article is available online without charge.

 

Because of the vagaries of journal publication this was published too late to be of much practical use for these labs in dealing with CFATS unless the lab took advantage of the 60 day extension offered in the Final Rule Appendix A. Neal Langerman, the author and a chemical safety consultant, points out this extension but incorrectly implies that it is not available to commercial facilities.

 

He also points out that labs with a good handle on their chemical inventory will have little problem in completing the Top Screen. There is a wide variability in how well academic institutions do with this particular task; though the same can be said for commercial labs. Unfortunately, there is nothing stopping the facility with poor inventory control from using that inadequate data to complete a Top Screen.

 

Langerman looks at the EPA definition of a ‘technically qualified person’ since DHS incorporates that definition in the rule for the laboratory exclusion for counting lab chemicals for Release COI Top Screen reporting. While it is worthwhile to look at this definition (and it is written broadly enough to exclude very few, if any, labs) he uses this definition to determine that the lab supervisor (“Principal Investigator or faculty member”) instead of the EHS people will be responsible for administering the CFATS rules.


Actually, the problem is more complex than that. The CFATS rules were clearly written with corporate facilities in mind. According to the CSAT User Registration User Guide, the Authorizer for the CSAT Registration is to be “an officer, or be designated by an officer of the Corporation.” It is not clear how that translates into academia; would that be the dean of the school, the president of the institution, or the board of trustees? I would suspect that the intention of the rule would be the board of trustees.

 

Langerman also uses this article for a platform to take on a New York Times editorial about the Appendix A final rule. While I missed the NY Times editorial, it sounds very similar to the Washington Post article I wrote about in my “DHS increases the number of flammable chemicals regulated under CFATS” blog. In short the big city press misread the requirements of the rule, the intent of the rule, and ignored the limitations imposed upon the department by Congress.

 

In any case I recommend this article to anyone involved in CFATS implementation at a university or college laboratory. I am continuing to look for articles on how various industries are looking at these new regulations. If any reader knows of such an article that I have not discussed please let me know. I am looking for the good, the bad, and the ugly. I want to see how these regulations are being interpreted in the real world.

Tuesday, January 22, 2008

Getting ready for Security Vulnerability Analysis

Today is the last day to complete Top Screens so it is a good time to look at taking the next step. Those facilities that have been told that they “may be regulated” have to start getting ready to prepare their SVA. While the details of the DHS guidelines for the SVA have yet to be published, there are some steps that can be taken to get ready to prepare any form of SVA.

First the SVA team needs to be selected. There is no required number of people that have to be on the team, but there are certain skills that will be necessary. The CCPS Guidelines for SVAs provides a list (pg 46) of the minimum knowledge and/or skills needed to complete an SVA.

·         “Security vulnerability analysis procedures and methodologies”

·         “Security procedures, methods and systems”

·         “Process safety including PSM and RMP requirements and programs (as appropriate)”

·         “Knowledge of the facility (and site) under study including:

          ·         “Potential hazards associated with the process chemistry, raw materials, finished goods, and the physical location of each”

          ·         “Process and equipment design bases”

Facilities that have done PSM or RMP process reviews should be able to use a similar team to do an SVA. It does have to be stressed that a Process Hazard Analysis (PHA) is not the same thing as an SVA. The main difference is that an SVA looks to determine what a determined, educated adversary can cause to go wrong with the safety and security systems of a facility.

The following skills should also be considered (pg 47) when looking for team members:

·         “Military doctrine, especially in terrorism, weapons, targeting and insurgency/guerilla warfare and knowledge of weapons of mass destruction (WMD)”

·         “Adversary characteristics and capabilities knowledge, especially of transnational terrorist groups”

·         “Safety and industrial hygiene”

·         “Environmental engineering”

Most chemical facilities do not have security professionals on staff. One of the questions that must be answered early in this process is where to get that security knowledge. An obvious source is to look for a security consultant that has some experience in the chemical industry. A less obvious source would be to look for personnel working on site that have military experience with security.

The team members will be handling and preparing Chemical Vulnerability Information (CVI) so they need to take the online training program and get certified as being authorized access to CVI. If an outside consultant is going to be used, the CVI training of that individual can be confirmed with DHS. Internal procedures will have to be developed for marking, handling and securing CVI.

The other thing that team members need to do is to become familiar with the SVA process. Once again, pending the publication of the DHS procedures, a good place to start is by reading the CCPS book. This book can be bought online. Other approved SVA process descriptions can be downloaded from the CCPS site.

Saturday, January 19, 2008

Help Desk Hours Extended on Monday

The Chemical Security Assessment Tool web page again announces extended Help Desk Hours for people trying to Register and complete their Top Screen. The Saturday hours are the same as previously announced. They have added hours on Monday (a Federal holiday so it probably was not scheduled to be operating) from 7:00 a.m. to 7:00 p.m.

 

Again, DHS is experiencing an increased volume of requests for assistance on their Help Line. If you are experiencing difficulty getting through you need to be patient. Apparently lots of facilities have waited until the last minute to try to get their Top Screen completed.

Friday, January 18, 2008

After the Top Screen

With the Top Screen deadline being next week, most facilities (hopefully) that are going to be designated High-Risk facilities will have already completed their Top Screen and have received their notification that they “may be regulated” by electronic notification after submission. These facilities will have started to turn their thoughts towards the next step in the CSAT process, the Security Vulnerability Analysis (SVA).

Letters should be going out shortly to those facilities that have received a preliminary designation as a high-risk facility. According to Attachment C to the CSAT Top-Screen User Manual those letters will notify the facility:

1.      They have been given a preliminary designation as a high-risk facility, and

2.      Their Tier ranking (Tier 1 – highest risk, Tier 4 – Lowest risk), and

3.      The security issues (Release, Theft/Diversion, etc) and chemicals that must be addressed in their SVA, and

4.      The date by which their SVA must be completed, and

5.      If the facility has received a preliminary tier ranking of #4, that they may submit an Alternative Security Plan.

Tier 1 facilities will be given the earliest submission dates for their SVA. This is part of the DHS strategy of giving first priority to the highest risk sites. Given their limited manpower this is the only strategy that makes sense. Unfortunately for those Tier 1 facilities, it also means that the facilities with the hardest SVAs to complete will probably have the shortest time within which to complete their work.

The SVA will be submitted on-line through the same secure web site that DHS used for the submission of the Top Screen. The only personnel that will be able to access that site are the Preparer and Submitter previously registered on the CSAT. If the facility needs to change one or both of these individuals prior to the new submission, the procedures can be found in the CSAT User Change Request Guide, available on-line.

DHS has not yet published a set of instructions for completing the SVA submission. This is probably the reason that none of the Phase II facilities has yet been notified of the date that their SVA is due. The facilities that completed their Phase 1 Top Screen submissions last summer were supposed to have received their letters in September so they should have completed their SVAs last month. The lessons learned from those submissions (presumably made with active DHS assistance as were their Top Screen Submissions) are almost certainly being incorporated in the instructions.

For those Tier 4 facilities that do not want to wait for the SVA instructions to be published to start work on their Alternative Security Plan, the easiest thing to do is to get a copy of "Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites." This book is produced by the Center for Chemical Process Safety. Any alternative plan must conform to the standards set forth in this book. They also have a web site that lists those SVA procedures that they have already reviewed and certified as conforming to their standards.

Actually, any facility that is required to submit an SVA to DHS would probably do well to get a copy of this book. While the DHS SVA is not going to be identical to the CCPS SVA, it was the starting point for the development of the DHS program. Studying this book will almost certainly make it easier to complete whatever vulnerability assessment the chemical facility is going to undertake.

Thursday, January 17, 2008

Agriculture does not understand even the revised rules

I have wondered for some time how well the new CFATS rule is understood outside of the traditional chemical industry. With less than a week to go before the Top Screen deadline I have found some information that bodes ill for the success of this DHS attempt to protect our communities from terrorist attacks on chemical facilities.

 

One of the web sites that I routinely check is GCN.COM. A recent article by William P. Dizard III describes the agricultural extension recently granted by DHS for Top Screen completion. The article provides little information and that little information is confused and misunderstood. For example there is this excerpt from the middle of the article.

 

“The department’s online tool, the Chemical Security Anti-Terrorism (CSAT) Top Screen, is designed to assist farmers in complying with the CSAT Final Rule, a 41-page mandate that the department imposed Nov. 7.”

 

The ‘CSAT Final Rule’ referred to is actually the Appendix A final rule. The list of chemicals and their associated STQs provide direction to facilities to complete a Top Screen. The only one that receives any ‘assist’ from the Top Screen is DHS in that they are assisted in making the decision if the submitting facility is at high-risk of terrorist attack.

 

The interesting thing from this article was a link to a Michigan Farm Bureau site that explains the CFATS regulation to farmers and other agricultural businesses. This site does a pretty good job explaining the indefinite extension that DHS gave to farmers and ranchers in completing a Top Screen for agricultural chemicals. Additionally the site did point out that there may be a significant number of agricultural facilities that have anhydrous ammonia in significant quantities on site. This was a chemical that I missed in my earlier blog; Update on Agriculture Top Screen Extension.

 

There was a glaring error on this site. In their discussion of agricultural sites that would still have to complete a Top Screen by January 22nd, they made this comment about propane:

 

“Farms with ‘large vessel’ storage of propane, including Butane, at levels meeting or exceeding 60,000 pounds (14,285 gallons.)”

 

While propane does indeed have a 60,000 lb STQ, Butane has a much lower STQ of 10,000 pounds. I was not aware that Butane was used much as a commercial fuel, but then again, I have not spent any time in Minnesota. If they are talking about a Propane-Butane blend (possible, I guess), then the 1% concentration rule would require reporting the entire blend as Butane up to a quantity of 60,000 lbs. After 60,000 lbs the higher concentration component would be reported. The 10,000 lb minimum container rule would also no longer apply.

 

The same error was made in a publication that the Minnesota Farm Bureau produces, DHS Chemical Facility Anti-Terrorism Standards Farm & Ranch Guide. Another error was made in this publication, an error in explaining the STQ for fertilizer grade ammonium nitrate (a Theft/diversion COI with an STQ of 2,000 lbs and a minimum concentration of 33%). The MFB publication states: “On the farm, this amounts to 100 fifty-pound bags of granular solid ammonium nitrate.” Their figure would be correct for an STQ of 5,000 lbs; it should be 40 bags (40 x 50 = 2000). The entire weight of a commercial blend in excess of 33% ammonium nitrate will be counted (page 41, Final Rule Appendix A).

 

These are significant errors in explaining the provisions of the CFATS regulations to a class of facilities that does not normally have an on-site regulation expert. The butane and ammonium nitrate errors could result in a significant under-reporting of these two COI on a number of Top Screens. Unfortunately, these are the types of publications that too many chemical facilities will rely upon to have these regulations explicated. It will be interesting to see how DHS goes about dealing with these errors when they are ultimately detected.

Wednesday, January 16, 2008

New Jersey Chemical Rules Stand

This was a minor headline in the New York Times last Friday. According to the brief article, almost a month after President Bush signed H.R.2764, the Consolidated Appropriations Act, 2008, Senator Frank R. Lautenberg declared victory over DHS in protecting the citizens of New Jersey against terrorist attacks against chemical plants. More appropriately he declared victory against federal pre-emption of state laws.

 

Senator Lautenberg and others in New Jersey are very proud of their state’s efforts to regulate chemical plants, especially in respect to their actions to protect the state’s citizens against attack on those plants by terrorists. When the draft CFATS regulations came out two years ago they were concerned that the primacy of federal law over state law would allow DHS to negate portions of their efforts.

 

The portion of the CFATS regulation that they objected to is Section 27.405, “Review and preemption of State laws and regulations.” The wording of the section is a fairly typical statement of the relationship between Federal and State laws as set forth in many Supreme Court decisions over the last 200+ years. The actual pre-emption wording is found in subsection (a):

 

“As per current law, no law, regulation, or administrative action of a State or political subdivision thereof, or any decision or order rendered by a court under state law, shall have any effect if such law, regulation, or decision conflicts with, hinders, poses an obstacle to or frustrates the purposes of this regulation or of any approval, disapproval or order issued there under.”

 

The part that caused the politicians in New Jersey the most problems was where it says: “hinders, poses an obstacle to or frustrates the purposes of this regulation”. They felt that this would give the Secretary of DHS too much leeway to void sections of their regulations that the chemical companies did not like. In particular they thought that it would be used to attack New Jersey’s insistence on ‘inherently safer technology’ and replacing hazardous chemicals where possible with ones that were less hazardous.

 

Because of the efforts of Senator Lautenberg, and others, language was added to section 534 of the Consolidated Appropriations Act, 2008 that prohibited DHS from pre-empting state and local laws “unless there is an actual conflict between this section and the law of that State”. This language preserves the supremacy of the Federal Law while trying to limit the Secretary’s discretion in enforcing that supremacy.

 

In the short term this was a tempest in a very small teapot. Secretary Chertoff has said on a number of occasions that he does not see anything in the current New Jersey regulations, or any other current state regulations, that would cause him to exert his pre-emption authority. In fact, the only line that he has drawn in the sand is that any state or local law that requires disclosure of CVI information to the public would be considered to be null and void. Section 534 would do nothing to avoid that conflict because it would constitute an “actual conflict” that even Section 534 prohibits.

 

Of course, in just a little more than a year from now there will almost certainly be a new Secretary of DHS. How the new administration and its Secretary plan on dealing with chemical facility security remains to be seen. One thing is clear to any student of the last fifty years of American political history: if a new Secretary wants to pre-empt a state law dealing with National Security or Homeland Security, that Secretary will be overridden only after a long, tedious series of court battles; court battles that are very likely to be won by the Federal Government in the end.

Tuesday, January 15, 2008

So, your facility will not be regulated

The response that most facilities will receive to their Top Screen submission will be a letter from DHS explaining that their facility “has been determined not to present a high level of security risk.” (Appendix B, CSAT Top-Screen User Manual) This means that DHS will not require the facility to complete a Security Vulnerability Assessment or a Site Security Plan at this time. It does not mean that the facility is done with the CFATS regulations.

 

Facilities have a responsibility to re-submit a Top Screen anytime there is a material change to their operations that could affect their status. Some of the items that could affect that status include:

 

·        The facility acquires a new chemical listed in Appendix A at or above the STQ for that chemical.

·        The facility has a substantial increase in the inventory levels of one of the chemicals reported in the previous Top Screen.

·        There is a change in the area surrounding the facility that would lead to a substantial increase in the number of people affected by the release of a COI from the facility.

 

Facilities are also going to have to keep an eye on the regulatory environment. Under the present law DHS can add chemicals to Appendix A or change the levels of the various STQ with no more effort than publishing a notice in the Federal Register. While a comment period for such a notice is not required, DHS has bent over backward in the past to ensure that such comments are received and reviewed. There is no telling what a change in legislation might require from previously unregulated facilities.

 

DHS could also determine that a change in the threat situation might justify the change in the risk ranking of facilities. The CFATS regulations {Section 27.200(b)(1)} specifically allow DHS to designate individual facilities or classes of facilities that may be required to submit a Top Screen. Such notification could be done by letter to individual facilities or by posting of a notice in the Federal Register. DHS could presumably re-designate a facility a High-Risk facility based on a previously submitted Top Screen based on a changed threat situation.

 

In short, facilities that completed the Top Screen and came up less than “High-Risk” cannot count on staying that way. They are going to have to continue to monitor the CFATS rules and the way DHS implements them.



Monday, January 14, 2008

The Deadline Approaches

The deadline for the Top Screen submissions grows ever closer; it is just eight days away. DHS realizes this as well. Last Saturday they opened their CSAT Help Desk from 10:00 a.m. to 4:00 p.m. EST to help facilities solve problems with their CSAT registrations and Top Screen Submissions. Next Saturday they will be doing the same thing. This was announced on their Chemical Security Assessment Tool web page last Friday.

 

The Help Desk is normally open 9 to 5 during weekdays. DHS is going the extra mile to ensure that chemical facilities get the best chance to submit a timely Top Screen. If you had signed up for DHS’s notification of web page changes on their Critical Infrastructure: Chemical Security page you would have received an email telling you that that page had changed. By tracking the changes on there you would have discovered that the CSAT page had a notice on it about the Saturday operating hours.

 

Well, their heart was in the right place. It still takes more effort than most users would exert to find the web page changes. If DHS wants to improve their change notification process, the email they send out could include a brief description of the change. That would make it easier for more people to keep track of what was going on.

 

What would have been more effective would have been if they had sent an email to each of the Preparers and Submitters that were registered in the CSAT. This would have ensured that most of the people that might need the extra assistance were notified. Of course, they may have done that. Since I am not registered as either a Submitter or Preparer, I would not have received such notification. If any reader did receive such an email, please let me know.

 

Of course, that sort of email would never have reached those facilities that have not yet registered in CSAT. While it seems to be a little late to worry about getting facilities registered, I think that DHS needs to make that outreach effort. There are almost certainly a large number of facilities that have chemicals listed in Appendix A on hand that would never think of themselves as “Chemical Facilities”. As such many of them have not paid sufficient attention to the new CFATS rules.

 

What might be effective would be a press conference by Secretary Chertoff or Assistant Secretary Stephan describing the approaching deadline and discussing the types of facilities that might be covered. This might get some of the general press coverage for this issue that seems to be lacking to date.
 