Friday, February 29, 2008

Congressional Hearing – Cyber Initiative

Last week I mentioned that the House Homeland Security Committee was holding a hearing on the Cyber Initiative (see: “DHS Appearances Before Congress”)and that it might have some bearing on chemical facility security matters. OOPS, I was wrong. Even though it was billed as addressing issues of computer security in Critical Infrastructure it focused almost entirely on computer security issues in DHS.


In ten items (letters, statements and testimony) shown on the Committee Web Site there is only one paragraph that really mentions the implementation of cyber security actions in the Critical Infrastructure Sector Specific Plans. According to the Letter from Rep Langevin, Chairman of the Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, a GAO report on the 17 separate Sector Specific Plans (including the Chemical Sector) “found that none of the plans fully addressed all 30 cybersecurity criteria.”


These sector plans are all voluntary initiatives and the Chemical Sector Plan has nothing to do with the CFATS rule. I would be willing to bet that few chemical facilities have any idea what the Chemical Sector Plan says. Well, that’s an issue for another day. Today there is no news to report on this hearing.

Change to CSAT Registration Manual

Well the DHS Web Presence continues to evolve. As with all change the good comes with the bad. The change started on the Chemical Security Assessment Tool page. Once again you can tell that something has changed by the new date on the bottom of the page. Clicking on the various links, one-by-one, you can find out that the CSAT User Registration User Guide has changed. Everything is perfectly normal so far; a pain, but normal.


Download the .PDF file and you note the first new thing, there are now security settings on that document. You can save and open the manual, but you cannot print it. Nor can you copy anything from the document. This is a real pain. This makes it real hard to review or use the manual.


When you get to Page 2 of the manual (page 6 of 45 according to the Adobe Acrobat Reader) you see the good thing. DHS has added a change log to this manual. It tells you that the following have been changed between version 1.5.b and 1.5.c:


  • Text added to emphasize that the “County” field is NOT a “Country” field (in the Facility Address Section)
  • Added the “Change Log” page
  • FAQ added about Submitters and Authorizers needing to be an employee of an organization


Well, I salute DHS for adding the Change Log. I hope that they continue that with all of their manuals. I really hope that the security settings on this document were an error of some sort. They can correct that error the next time the change the document.

Tags: Chemical Facility Security, ,

More Reader Comments on IST

Thomkay07 had some additional comments on IST. They were posted to my earlier blog on Congressional Hearings. Since one of the points of this blog is to get people discussing chemical security issues we’ll take a look at those comments.


Costs too High


Thomkay07 mentioned that my point that a company might move their operations off shore if their security costs were too high was briefly discussed in the hearing. The witness from New Jersey noted that no one had yet closed plants in that state because of the costs associated with new security rules there. To the best of my knowledge that hasn’t happened (or even been threatened) yet anywhere in the country.


My point wasn’t that the new rules in New Jersey or those proposed as part of CFATA of 2008 were going to cause anyone to lose money. I do not believe that these rules will require anyone to actually implement IST programs. The loopholes are so broad that no one who does not want to change their processes will be able to be required to do so.


All these rules do is to establish paperwork requirements that will place a small burden on the manufacturers to prepare the paperwork and an unwieldy burden on DHS to review the paperwork; all for no effect. Few, if any IST’s will be implemented due to this requirement. No one will be made safer, and DHS will have less time and manpower available to inspect and improve security at facilities around the country.


I do not want to yell that too loud. Well-minded people are likely to take that as a challenge to tighten up the IST requirements to the point that facilities will be required, against their best judgement, to implement IST. When we get to that point, my comment becomes much more probable.


I think that there are a large number of facilities that should probably institute some sort of IST program to make their facilities safer. The problem is how do you write a law to make this happen? I believe that the current CFATS regulations are probably going to be effective in the long run. Once companies get a good handle on how much security is going to cost they are going to find those IST measures that will reduce those costs.


Environmental Extremists


I almost edited that phrase out of my blog. It has the same potential for being misunderstood as the phrase “Islamic Terrorist”. Because an “Islamic Terrorist” is bad (from a western point of view at least), it does not mean that an Islamic person, an Islamic country or even Islamic politician is bad. I do think that environmental extremists are dangerous (just about any extremist is dangerous in my book), but that brush does not paint all environmentalists or even a sizeable minority of them.


People who propose that IST requirements be included in any chemical security legislation are not, ipso facto, environmental extremists. They are not even misguided idealists. They are simply people that think that the way you get businesses to do something is to write a law telling them to do it. I disagree.


Costs of IST


Thomkay07 makes the following statement:


“Of the hundreds of facilities across the country who have implemented IST, 1/3 expect to save money, 1/2 expect to even out, and more than half will spend less than $1 million to make the switch.”


His figures come from a 2006 report, Preventing Toxic Terrorism, prepared by the Center for American Progress. He makes the same mistake with those figures that its authors make. Their analysis was done by looking at companies that had completed voluntary IST programs. It did not include companies that had looked at and rejected IST projects on technical or financial grounds. Extrapolating those successful IST projects to all facilities, or even similar facilities is not appropriate. It does demonstrate that chemical companies will initiate IST’s without regulations requiring their implementation.


Once again, let me make this point as strongly as I can. There are certainly a significant number of facilities that could successfully implement IST techniques to improve their safety and security. The evaluation has to be made on a facility by facility, chemical by chemical basis. The question is how to get facilities to legitimately make that analysis?


How Not to Encourage IST


Section 2110 of the proposed legislation (according to the Section by Section analysis by the committee staff) requires that:


“… the facility security plan include an assessment of methods to reduce the consequences of a terrorist attack on a facility. These include substitution of chemicals, changes in processes, storage or use of less of a chemical of concern on site, changes to safer practices, reducing consequences of equipment failure or human error, improvements in inventory control, and reduction or elimination of storage, transportation, handling, disposal, or discharge of substances of concern.”


A realistic assessment of IST possibilities will likely be a time consuming, resource intensive operation. Given the relatively short time frame, within which a site security plan has to be completed, most facilities will not opt for a realistic assessment. They will have someone prepare a quick, timely assessment that supports their current corporate view of the IST possibilities for their facility.


Furthermore, a negative assessment will be relatively easy to write. And, since most significant IST programs will take longer than the mandatory 180 days to implement (see: “Inherently Safer Technology, Pros and Cons”, a facility would be ill served by reporting that any but the easiest to implement IST is possible. In short, everything points to this requirement being just a paperwork drill.


DHS will, however, have to review each and every IST assessment as if it were a legitimate analysis. With the obvious Congressional interest in IST implementation, the attention applied to the IST assessment portion of the security plans will probably be higher than on the rest of the plan. In short, the paperwork drill for the facilities will turn into a paperwork mess for DHS.


Water Treatment Facilities


Water treatment facilities will probably have the most pressure to implement IST programs to eliminate the use of chlorine gas in their disinfection processes. Large storage tanks, transport trucks and rail cars of chlorine are fairly obvious potential terrorist targets. That, combined with a wide variety of alternative technologies for water disinfection, will make it difficult for water treatment facilities to justify keeping their chlorine injection systems.


Kevin Wattier’s testimony is a good example of how difficult it is to implement an IST program. Long Beach has been working on their substitution of on-site produced chlorine since 2004. They still have some time to go before they finally eliminate their chlorine storage tanks. Subsequent facilities will be able to learn from their efforts, but are unlikely to be able to meet the 180 day limit suggested by the draft legislation.


Thomkay07 provided a link to an article about the use of ozone to treat waste water in Montreal. This is another of the alternative water treatment schemes that may be an alternative to chlorine injection. As the article points out, its effectiveness depends on what is in the water. One point of error in the article though, oxygen is not the only byproduct of ozone treatment, CO2 is another byproduct.




For the third time; IST’s can be a legitimate method of reducing the threat of a terrorist attack or increasing site safety and should be encouraged. The technical and business people on site will have to make the determination if implementing IST’s is the best (or even a good) way to achieve these ends at that particular site.


The proposed wording in the CFATA of 2008 will not force anyone to implement any IST. If it makes Congress feel good about their role in increasing security and safety to put this modest requirement in the law, I guess this is a good thing. They just need to include increased funding for DHS personnel to review the paperwork.

Thursday, February 28, 2008

Physical Security of Critical Cyber Assets

Continuing with the analysis of the FERC Reliability Standards and how they might help chemical facilities secure their electronic control systems, we look at the fifth standard, Physical Security of Critical Cyber Assets. The FERC standards are written for electrical utility systems not chemical facilities so we need to read the Final Rule discussion carefully to see what might fit into chemical facility systems.


For previous blogs in this series see:


·        Security Management Controls

·        Personnel and Training

·        Electronic Security Perimeter


This standard requires “a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter.” (para 548 page 7422) Footnote 132 on the same page provides two key definitions:


Electronic Security Perimeter – the  “logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled”

Physical Security Perimeter – the “physical, completely enclosed (‘six-wall’) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets means are housed and for which access is controlled”


Physical Security Plan


The following items are required to be included in the Physical Security Plan (para 561 page 7422 and CIP-006-1, para R1) that has been approved by a senior manager:


1.       Require that all critical cyber assets are within a ‘six-wall’ physical security perimeter. If that is not physically possible the alternative physical security measures must be documented.


2.      Identify all access points through each Physical Security Perimeter and document measures to control entry at those points.


3.      Identify processes, tools, and procedures to monitor physical access to the physical security perimeter. Include procedures for the proper uses of access controls to include visitor pass management, response to loss of passes, and consequences for improper use of access controls.


4.      Procedures for approving access authorizations and revocations.


5.       Procedures for escorted access personnel not authorized for unescorted access.


6.       Process for updating the physical security plan within ninety calendar days of any physical security system redesign or reconfiguration.


7.       Requirement Cyber Assets used in the access control and monitoring of the Physical Security Perimeter(s) shall be treated as critical cyber assets.


8.      Requirement for annual review of physical security plan.


Most chemical facilities can roll these requirements into their physical security plan for the entire facility. In fact, these requirements provide a good outline for that plan. If the facility cyber assets are extensive enough to require a separate cyber security plan, the facility will have to be careful to keep their access passes identifiably separate from those used for facility access.


Physical Access Controls


The physical security plan will provide for 24-hour a day, 7-day a week physical access controls to authorize access through the physical security perimeter. The Commission requires (CIP-006-1, para R2) that at least on of the following access control systems will be used:


·         Card Key.

·         Special Locks.

·         Security Personnel.

·        Other Authentication Devices.


All of these control systems have their own special requirements. Card key systems require that card readers on each access point be wired to a common controller containing an up-to-date access database. Keyed locks require key control procedures for limiting access to keys and promptly identifying lost keys. Other authentication devices, like biometric devices, have their own unique requirements.


Monitoring Physical Access


The physical security plan will provide for continuous monitoring of the access points to the physical security perimeter. The purpose of monitoring will be the prompt identification of unauthorized access to the critical cyber assets within the perimeter and provide for alerting an appropriate response force. According to the standard (CIP-006-1, para R3) there are two accepted method of effecting this monitoring requirement:


·         Alarm Systems.

·        Human Observation of Access Points.


Alarm systems need to announce the unauthorized opening of any door, gate or window providing access to the physical security perimeter. The announcement should specify which opening was accessed. Human observation can be by personnel within the perimeter or by remote observation via closed circuit television.


An integral part of monitoring physical access is the logging of each access event. This can be done by electronic, video or written records. Since the purpose of logging is to document every entry, authorized or not, written records must be maintainedby security personnel. Logs must be kept on hand long enough, the Commission requirement is 90 days, to allow for periodic reviews. Logs documenting unauthorized access should be kept with the report of the investigation of that entry.


Maintenance and Testing


The physical security plan must also document the maintenance and testing requirements for all devices in the physical security system (para 577 pages 7424-5). Records of the actual maintenance and testing will be held for the length of the maintenance cycle.

Wednesday, February 27, 2008

House Hearing on Chemical Facility Anti-Terrorism Act of 2008

The full House Homeland Security Committee held a hearing yesterday concerning a ‘committee print’ of the Chemical Facility Anti-Terrorism Act of 2008.  A committee print is an informal draft of a bill that has not yet been introduced. According to Chairman Thompson’s prepared statement:


“I decided to use the vehicle of a Committee Print rather than an introduced bill because of the flexibility it offers us. This way, every time we hear a good idea on how to make the legislation better, we can incorporate it.”


DHS Update on CFATS Implementation


Assistant Secretary Robert Stephan’s testimony included an update on the progress on the implementation of the CFAT regulation that went into effect last June. He reported that as of the January 22nd deadline to complete the Top Screen there was a total of 24,891 facilities that had completed their Top Screen submission and about 7,800 facilities that had requested an extension of that deadline.


That means that about 32,600 facilities are in compliance with this stage of the CFATS program. This is significantly short of the 40,000+ facilities that DHS had estimated would be required to submit Top Screen information. Of course there is an unreported number of agricultural facilities that have been given an indefinite extension of time to complete their Top Screens.


According to Col Stephan’s testimony this reported number of Top Screen submissions includes the facilities that completed their Top Screen as part of the Phase I implementation in June of last year. Interestingly he said that:


“Those Phase 1 facilities determined to be high-risk will receive written notification from the Department informing them of the Department’s determination and instructing these facilities on their requirements to complete a Security Vulnerability Assessment (SVA) for departmental review.”


I added the Italics. This wording seems to indicate that these facilities have not yet started their SVA submissions. I believe that this is because DHS has not yet gotten their SVA site up and working on their secure CSAT web site. Of course, the DHS FAQ page still maintains that only those facilities registered on CSAT will be able to see the SVA information so I cannot be sure that this is the case.


I will disappointed if we do not get a chance to see what types information DHS will require facilities to submit for their SVA’s. I understand and support the need for DHS to protect the information submitted by facilities. I understand and support the need for DHS to protect the methodology that they use to evaluate those submissions. I do think, however, that DHS owes it to the American public in general, and those people living near high-risk facilities specifically, to allow us to see and critique the types of information that they are using to make their decisions.


Agricultural Chemicals and CFATS

Secretary Stephan commented briefly on the agricultural exemption for the Top Screen. He noted that DHS was working with the agricultural community on this issue. The objective is to see if any changes are needed to the Top Screen to adequately address the differences between agricultural chemical users and other chemical facilities.

He also included a discussion about the upcoming rules for regulating the sales of ammonium nitrate. Congress provided fairly detailed guidance in the 2008 budget bill (see: “DHS and the Omnibus Spending Bill”), but lots of work needs to be done to iron out the details. He said that DHS was working with other government agencies to insure that there would be minimal conflicts between various rules.


CFAT Act of 2008 and Inherently Safe Technology


One of the controversial aspects of the draft legislation is the requirements for high-risk facilities to look at reducing their risk by implementing inherently safe technology (IST) (see: “Chemical Facility Anti-Terrorism Act of 2008 Markup”). In this hearing the Committee invited two witnesses with some experience looking at IST in their facilities. According to Chairman Thompson’s statement;


Dr. Pulham {Siegfried (USA) Inc} is here to help us understand the impact of the chemical security legislation on smaller facilities, as well as tell us how his facility is complying with the State of New Jersey’s chemical security requirements.”


“And Mr. Wattier (Long Beach Water Department) is here to give us the feedback from a water facility about the legislation—especially given that it would subject water facilities to the same chemical security framework as is in place for all other chemical facilities.”


Dr Pulham made two points; first, the New Jersey rules were more of a paperwork exercise than anything else and second, chemical companies look at IST as a mater of course in their process development procedures. On the later he said: “Simply put, inherent safety is a concept that the chemical industry invented, and we consider it continuously as we design and modify our production processes.”


Mr Wattier reported on his department’s implementation of IST; replacing their chlorine injection system with one using chlorine produced on site. This will avoid having large storage tanks of chlorine gas on site and reduce the transport of chlorine significantly. He made the point that “Any consideration of alternative technologies must include assurances that maintain reliability of water systems, as well as the flexibility needed to enable water treatment operators to adhere to strict Federal and State water quality standards.”


As I mentioned in more detail in my other blog today (see: “Blog Comments – A late reply”) water treatment facilities are in a particularly bad position to implement alternate treatment technologies to reduce their risks. They have thin margins and are frequently required to go to the voters to seek approval for funding. Mr Wattier makes the following point in his testimony:


I would propose the Committee amend its current draft to include an authorization of appropriations for voluntary integration of technologies that reduce or eliminate the risk posed by transport and storage of containerized gaseous chlorine. Federal participation in voluntary demonstration scale projects of this type would have a profound impact on the United States water treatment industry.”


The question of financing IST implementation or even the costs of security measures has been largely overlooked in these discussions. One thing that has not been said in public, but has almost certainly been said in boardrooms, if the costs are too high, we can expect to see more chemical facilities in this country close and their production move off shore. This would probably make some environmental extremists happy but would not provide a service to citizens of this country.

Blog Comments – A late reply

I missed comments made about two of my earlier blogs (see: “Inherently Safer Technology, Pros and Cons” and “DHS 2009 Budget Released”); something that no blogger should do. Fortunately they were both by the same person so I only had to send one email apology. I think that I have fixed the problem that caused me to miss the comments when they were made. Having gotten that out of the way, let’s look at the comments.


In his comments on inherently safer technology (IST) Thomkay07 pointed out the large number of facilities that could affect 1,000 or more people with a chemical release. The key point, I think, that he made is:


“I'm a more moderate advocate of IST than many, in that I have a great deal of appreciation of the economic concerns of the businesses effected (sic) by this legislation. However, I believe that there is too much at stake to simply hope that each of the thousands of chemical facilities across the country will take the initiative to eliminate off-site risk.”

Cost Benefit Analysis


There will always be a trade off between cost and risk. Every business makes cost-benefit analyses every day. The problem in this case is how to make a chemical facility internalize the risk to the population outside of its gates. One sure way to do that is to impose a corporate responsibility to protect those people. That is what CFATS does. It establishes the responsibility and imposes an outside judgment on the adequacy of that protection.


Facilities have not yet established the cost of that responsibility. Because DHS was prohibited from specifying (correctly in my mind) security procedures, it will take some time for facilities to arrive at an acceptable (to DHS) response to the threat. Only then will they know what their cost will be. If the cost is too high for their business model, they will take a hard look at alternatives, including IST to reduce their costs.


IST from a Chemical Company’s Perspective


Another way of looking at this (from the chemical company perspective) was put forth yesterday in testimony before the House Homeland Security Committee during a hearing on the Chemical Facility Anti-Terrorism Act of 2008. Dr. David C. Pulham of Siegfried (USA), Inc was asked to testify about his company’s experience with the New Jersey chemical security rules, specifically their IST requirements. In his testimony he said:


“Securing our products is an ongoing responsibility. So is complying with the comprehensive system of existing state and Federal laws. These regulatory regimes require extensive process hazard analysis, risk management planning, and public reporting on chemicals we handle on-site and, in some cases, prior to handling them on-site. We feel that these regulations, complemented by our own process-safety decision making, provide a concrete and meaningful level of consequence reduction at all stages in the product lifecycle.”


IST analysis should always be part of a chemical facility’s safety and security considerations. All companies do it to one extent or another; the successful companies do a better job of it than do their competitors. The CFAT regulations will make that more apparent.


Water Treatment Facilities


In his comments on the second blog, Thomkay07 posed the following:


“You talked about IST before, and I wonder what you think about the implementation of IST, at least at water treatment facilities where ultraviolet rays and onsite bleach have proven to be successful.”


Chlorine gas injection is the most common water disinfection process used in the United States (and likely the world). It is a mature, well understood technology. The relationship between the water flow rate, the chlorine injection rate and level of disinfection is well understood. This means that monitoring the two variables allows a certain assurance of the outcome. This, in turn, allows for a much reduced rate of biological testing of the water.


Ultra-violet radiation of drinking water is another successful treatment method. Unfortunately there are more variables that need to be controlled and it is difficult to do real-time measurement of some of the variables. This means that it is harder to assure adequate disinfection; not impossible, just harder.


Sodium Hypochlorite (Bleach) is an alternative method of chlorine injection that does not require storage of chlorine gas. Under current DHS rules this would be a preferable technique since bleach is not listed in Appendix A.


Unfortunately this overlooks the reactivity of bleach. Bleach at industrial concentrations reacts violently and even explosively with other chemicals found at many water treatment facilities. A byproduct of that reaction is chlorine gas. This may make a bleach disinfection plant more of a target because the water treatment plant would be physically damaged while releasing chlorine gas, giving the terrorist both short term and long term effects from their attack.


In short, there is in water treatment the same cost benefit analysis that must be made when considering IST. Smaller utilities with ground water sources may use small, 100-lb chlorine cylinders at their pumping stations with relatively little thought to chlorine release. Larger utilities with centralized treatment facilities may find it more effective to utilize bleach or UV treatment. The largest centralized facilities may find it more cost effective to electrically generate their chlorine on site from sodium chloride to avoid the large storage tanks of chlorine gas. In each case the decision will have to be made on a facility by facility basis.


Utilities constructing new facilities will find it easier to do the cost benefit analysis leading to a more secure facility. Retrofitting for security will be something that most utilities will have a hard time justifying. Utilities operate on a very narrow margin and changing treatment technologies will be very expensive. Since to date there has been no attack on a chemical facility in the United States, it will be difficult to convince voters to increase their water rates to improve security.


IST Cannot be Imposed


The bottom line is that I cannot think of a legitimate way for the government to impose a realistic IST requirement. There are too many variables involved in making the legitimate business decision on what processes a company will use to make their product. Any rule that completely takes that decision out of the hands of the business people will drive manufacturers out of the country. They would have a legal responsibility to their stock holders to do so.


Anything short of that will be unenforceable. There is no government agency that would have the expertise or manpower to do the requisite analysis to decide if a company’s decision not to employ some IST was reasonable. In the end it would be a meaningless paperwork exercise that woulddetract from other efforts to protect the facility from a terrorist attack.


The only way that I can see to make IST a more acceptable option for more facilities is the course that DHS is currently on. If we make the facility responsible for the safety of their neighbors, fairly and equitably responsible, and make them pay the costs of that responsibility, then more facilities will take a harder look at how IST could make their costs lower.

Tuesday, February 26, 2008

Security Equipment Review 2-26-08

Once again it is time to look at some new technology and gadgets that are being developed that could be used in protecting a chemical facility from a potential terrorist attack. Warning: I have not laid a hand on any of these gadgets so all of this information is from the web sites indicated; appearance on this page is not an endorsement of any product or technology.


Vehicle Barriers


One of the quickest ways to achieve the catastrophic release of either a toxic or flammable release COI is to detonate a vehicle bomb in the general vicinity of a large storage tank. Stopping a vehicle from getting close enough for the bomb to damage the storage tank is a key requirement in any site security plan. We’ll look at two different approaches.


The first device is a variant on the fixed bollard, vertical poles sticking out of the ground. Delta Scientific has developed a shallow foundation version that overcomes many of the problems facilities encounter when post-fitting these devices into facilities. The standard bollard can require four foot or deeper holes for installation. The DSC650 Shallow Foundation Bollard only requires a 12” foundation and still meets ASTM F2656-07 Crash Test standards.


Bollards are not really a useable option at a truck gate and the swing arms normally used at such gates will do little to stop a speeding vehicle. Engineered Arresting Systems Corporation (ESCO) has used its background in carrier aircraft arrester systems to develop a Vehicle Arresting System (VAS). The net type arrester is capable of stopping a 15,000-pound vehicle traveling at up to 50 mph. The retractable system is installed in the ground and can be command deployed or automatically deployed.


Non-Lethal Weapon


There is a long running debate about the use of armed guards versus unarmed guards. Many facilities are reluctant to incur the added cost and liability of sustaining an armed guard force. There are the additional problems that firearms present in a chemical facility; bullets can put holes in storage tanks and discharging a firearm in a flammable atmosphere is dangerous to say the least.


A California based company, Intelligent Optical Systems (IOS), has developed a non-lethal weapon that would seem to be well suited to use by guards at chemical facilities. The device is a LED flashlight that flashes at alternating frequencies and disorients individuals that look into the beam. It does not do permanent physical harm or even incapacitate individuals so the suspect still has to be physically detained. The device can also be used as a standard flashlight; an essential tool for security personnel.


Mobile CCTV


Many facilities are going to use a variety of electronic systems to monitor the facility perimeter to detect unauthorized intruders. Any such system will still require that security personnel be dispatched to the scene to determine what is happening. A prompt, detailed report will be required to allow the security manager to decide what type of response is warranted.


A British company, Wireless CCTV, has developed a mobile CCTV system that will ensure that the security manager gets real-time, detailed information from that initial response team. Security personnel can wear the camera vest and pictures can be transmitted by cell-phone technology to the facility base station. This allows the supervisor to see and hear what the security personnel do. This will allow an informed response and allow management direction of the personnel on scene.

Monday, February 25, 2008

Electronic Security Perimeter

Continuing with the analysis of the FERC Reliability Standards and how they might help chemical facilities secure their electronic control systems, we look at the fourth standard, Electronic Security Perimeter. The FERC standards are written for electrical utility systems not chemical facilities so we need to read the Final Rule discussion carefully to see what might fit into chemical facility systems.


For previous blogs in this series see:


The Electronic Security Perimeter standard “requires identification and protection of the electronic security perimeters inside which all critical cyber assets are located, as well as all access points.” (para 477, page 7415) Every critical cyber asset identified in the first standard must be protected within an electronic security perimeter, though there may be more than one such perimeter at any given facility.


Because of the technical nature of the variety of measures necessary to meet the requirements of this standard, the discussion in today’s blog will be limited. I just do not have the technical qualifications to do much more than report the requirements. Likewise, chemical facilities need to insure that the personnel implementing these types of measures have the proper training and experience.


Adequacy of Electronic Security Perimeters


The Commission takes the stand that no single defensive measure provides adequate protection of the critical cyber assets. This is due to the fact that every perimeter defensive measure, like firewalls, still depends on adequate maintenance or response by people. Thus they require that each electronic security perimeter include at least two separate defensive measures, providing defense in depth (para 496 page 7417).


Protecting Access Points and Controls


The Commission requires a “responsible entity to implement organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter.” (para 505 page 7417) The use of digital certificates, two-factor authentication and encryption systems are examples of controls that meet this requirement (para 511 page 7418).


Monitoring Access Logs


This standard requires that “responsible entities to implement electronic or manual processes for monitoring and logging access at access points to the electronic security perimeter at all times.” (para 512 page 7418) An electronic system is preferable since it can provide for real-time detection and reporting "for attempts at or actual unauthorized access.”


Manual review of all logs should be conducted periodically. For automated systems the review should be done to confirm that the system is reporting properly; avoiding too many false positives yet detecting unauthorized access. For systems without automated reviews the manual review of access logs is the only way to detect unauthorized access or attempts at unauthorized access (para 526 page 7419).


Manual review does not necessarily mean that every entry needs to be reviewed. Statistical tools are available to determine how many entries need to be reviewed to detect unacceptable events. When using this technique it is important in insure that a random sample of log entries is used for the review (para 528 page 7420).

Vulnerability Assessments


The standard requires that a responsible entity is required to “perform a cyber vulnerability assessment of the electronic access points to [an] electronic security perimeter at least annually.” (para 529 page 7420) When significant modifications are made to the electronic security perimeter a new vulnerability assessment should be made, even if the previous review was made less than a year before.

Sunday, February 24, 2008

DHS Appearances Before Congress

The House Homeland Security Committee will be busy this coming week. Four separate hearings, three of which may deal with issues affecting chemical facilities. The fourth hearing deals with border issues. The hearings that may deal with chemical issues are:


2/26/08            “Chemical Facility Anti-Terrorism Act of 2008”

2/26/08            “Homeland Security Intelligence at a Crossroads:  the Office of Intelligence and Analysis’ Vision for 2008”

2/28/08            “The Cyber Initiative”


“Chemical Facility Anti-Terrorism Act of 2008”  

This is the committee’s third meeting on this subject (see: “House Committee Held Hearings on CFATS Implementation” “Chemical Facility Anti-Terrorism Act of 2008 Markup”). The following people are currently scheduled to testify:


Mr. Robert B. Stephan, Assistant Secretary, DHS

David C. Pulham, Ph.D. Director of Compliance, Siegfried (USA)

Mr. Kevin Wattier, Long Beach Water


As of this Friday morning (02-22-08) this bill had still not been officially filed. This means that it can not be found on Currently the only place that I have been able to find a copy of the bill to be discussed is on the Committee’s web site.


“Homeland Security Intelligence at a Crossroads”


This hearing was originally scheduled for 1/14/08 but was postponed. DHS had posted Under Secretary Charles E. Allen’s testimony on their web site, but it was subsequently pulled. Fortunately I copied the testimony before it was removed from the web site and have already written my blog about his testimony (see: “Budget Testimony from DHS Intelligence and Analysis Under Secretary”).


As in the originally scheduled hearing, Secretary Allen is the only person scheduled to testify.


“The Cyber Initiative”


According to an email from Chairman Thompson: “The Full Committee will examine details of the Administration’s new ‘Cyber Initiative’, including trusted Internet connections, the expansion of EINSTEIN to monitor Federal agencies, privacy implications of collecting information, cyber counter-intelligence, and the goal of the Initiative to address cyber attacks on critical infrastructure.” Of particular interest to those of us looking at chemical facility security is the part dealing with cyber attacks on critical infrastructure.


The following people have been asked to testify:


Robert Jamison, Under Secretary for National Protection and Programs Directorate, DHS

Scott Charbo, Dep. Under Secretary for National Protection & Programs Directorate, DHS

Karen Evans, Administrator for Electronic Government & Information Technology, OMB

            Shawn Henry, Deputy Assistant Director of the Cyber Division, FBI

DHS Web Site Update

It has been over a month since I last reported on changes to the DHS web site. That isn’t because there haven’t been changes; the changes were just too small to worry about. That has changed. Here in the last week there have been two changes worth talking about and one from January that I just discovered recently.


Top Screen Manual Change


In an earlier blog (see “Top Screen User’s Guide: Release COI”) I mentioned that neither the Top Screen User’s Guide nor the Top Screen Questions publications showed the fuels that had to be reported in the Release Flammables portion of the Top Screen. Well, sometime in January DHS published a new version (ver 1.4, January 2008) of the Top Screen Questions booklet with those fuels listed.


I missed this change for the same reason that it is easy to miss many changes on their site; DHS doesn’t tell you what changes on their site. On most pages you can tell that something has changed by the changes in the ‘last reviewed/modified’ date on the bottom of the page; then you have to search out the change. The new manual was probably added on one of those days when they changed the note about extended ‘CSAT Helpline’ hours.  


The listed fuels that have to be reported in the Top Screen (if other flammable COI are present at greater than STQ amounts) are:


Bunker Fuel



Home Heating Oil

JP A (jet fuel)

JP 5 (jet fuel)

JP 8 (jet fuel)




If anyone at DHS is listening, I think they should have included Ethanol and Gasohol in their fuels list. Especially with Ethanol becoming such a wide spread fuel. There are lots of large producers and fuel blenders that are potential targets. Maybe when they update the current manual (it has a 02-29-08 expiration date) they can include this.


Link to Chemical Security Regulations


DHS added another link to the Critical Infrastructure: Chemical Security web page. This is a good page to bookmark for entry into the CFATS portion of the DHS web site. The new link takes you to the portion of the Laws and Regulations web page providing links to various laws and regulations that pertain to CFATS. Some of the links on that page include:


Homeland Security Appropriations Act of 2007 H.R.5441 Sec.550 (Public Law 109-295) 

Advance Notice of Proposed Rulemaking: Chemical Facility Anti-Terrorism Standard (CFATS).

Interim Final Rule: Chemical Facility Anti-Terrorism Standard (CFATS).

Appendix A to the Chemical Facility Anti-Terrorism Standard, Final Rule.

This is a valuable link and helps make navigation of the DHS site much easier. They could add a link to the 2008 budget bill section requiring new regulations for ammonium nitrate and modifying the rules on federal preemption by CFATS. If DHS wants to make their site even better they might include a reference page for the various ‘fact sheets’ that they have on their site. Then they could include a link to that page on the CI:CS page.


2008 Chemical Sector Security Summit


DHS finally removed the link to the 2007 Chemical Sector Security Summit page and replaced it with one for the 2008 Chemical Sector Security Summit. There is currently very little information on the page and the links on the page were not working today. Here is what is known:


2008 Summit
July 21 - 23, 2008
Bethesda, MD
Tentative Location


The 2008 Chemical Sector Security Summit, co-sponsored by the Chemical Sector Coordinating Council and the Department of Homeland Security, will offer presentations on chemical security standards, maritime security transportation regulations, security assessments and best practices.

Last years summit included both Secretary Chertoff and Assistant Secretary Stephan as featured speakers. There was some DHS led training on the then newly released Final Rule for CFATS, along with a variety of workshops and breakout sessions on various topics. With 350industry attendees last year’s summit was a good opportunity for networking and discussing security matters with a wide variety of industry professionals.

Friday, February 22, 2008

Personnel and Training

Continuing with the analysis of the FERC Reliability Standards and how they might help chemical facilities secure their electronic control systems, we look at the third standard, Personnel and Training. Again, the FERC standards are written for electrical utility systems not chemical facilities so we need to read the Final Rule discussion carefully to see what might fit into chemical facility systems.


For previous blogs in this series see:



The Personnel and Training Standard “requires that personnel having authorized cyber access or unescorted physical access to critical cyber assets must have an appropriate level of personnel risk assessment, training and security awareness.” (para 413 page 7409) In general, this parallels the personnel surety requirements of the Risk Based Performance Standards found in CFATS (6 CFR Section 27.230).




The Commission explains the importance of training this way:


“…training is integral to the protection of critical cyber assets, and that allowing personnel access to critical cyber assets prior to receiving training increases the vulnerability of and risk to such assets.” (para 416, page 7409)


The idea is that unless a person is adequately trained, they have no way of knowing how to protect the critical cyber assets or even which assets are critical. To insure that personnel receive this training ahead of being allowed access, the Commission recommends that all personnel receive a minimum core training. This core training would cover the importance of protecting critical cyber assets and potential threats to those assets. Personnel would also be told how to report suspicious activities associated with those assets.


In high-risk chemical facilities this core cyber awareness could be included in general security awareness training that should be given to all employees. Again there should be training directed to employees that are given physical or electronic access to critical cyber assets consistent with their level of access. Again, how to spot and report suspicious activity should be included in all security training at all levels.


Personnel Risk Assessment


The Personnel and Training standard requires that each responsible entity “responsible entity to have a documented personnel risk assessment program.” (para 436 page 7411) This policy should specify who is allowed unaccompanied physical access to critical cyber assets or electronic access to those systems. As in all real world applications of policies and procedures there should be provisions for providing emergency access to these assets.


A critical part of this policy is the requirement for personnel to have a completed criminal background check completed before being allowed routine access (para 443 page 7412). The Commission noted that it would be reasonable to allow a 30-day exception to current employees and vendors who were hired before the requirement was put into place.


The Commission has not yet made a determination of what background check information would constitute grounds for denying access (para 446, page 7412). The current CFAT rules seem to take the same stand that it is a management decision, possibly made on a case by case basis, as to what information would be disqualifying. A prudent approach for the risk assessment policy is to specify who has the authority to make that determination.


Cyber and Physical Access


The standard requires “the responsible entity to maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets.” (para 447 page 7412) The purpose is to allow the people on the ground to know who has approved access. This would seem to require that copies of these lists are available at locations where the access is possible.


Along with the requirement to have such lists is the requirement to keep them up to date. Obviously, when a person is terminated for cause, their name should be removed from the access list in a timely manner (less than 24 hours). Less obviously, a person whose duties no longer require unaccompanied physical access or electronic access to critical cyber assets also need to have their name removed from those lists.


A possible way to deal with this not covered in the Reliability Standards is to use a badge system instead of the lists. Most facilities are now using badges to identify employees, contractors and visitor. A color-coded badge could be used to identify what level of access the wearer is authorized. An example is given below


Color Code


Green – Unaccompanied Access

Yellow – Accompanied Access

Red – No Access


Location Code


A – All areas of the facility

B – Chemical Storage Areas (numbers for specific areas)

C – Labs (numbers for specific labs)

D – Maintenance Areas (numbers for specific areas)

E – Electronics (numbers for specific areas)

F – Manufacturing Areas (numbers for specific areas)


Employee and Contractor badges would include a picture and then large letters in the appropriate color to designate areas of authorized access. Visitors would be given badges with Yellow letters designating those areas of the plant that they may enter when accompanied by a person with appropriate access. Using such a system would allow anyone in the facility to see if a person had the appropriate level of access to the specific area.


Verifying Compliance


As mentioned in an earlier blog any procedure or policy is only as strong as its enforcement. It is easy to get complacent and employees have a natural tendency to take affront at being denied to access to areas in the workplace. Management must be proactive in explaining the reasons for limiting access to areas and assets. It must also fairly and routinely enforce those access limitations.

Thursday, February 21, 2008

Security Management Controls

Continuing with the analysis of the FERC Reliability Standards and how they might help chemical facilities secure their electronic control systems (see “Critical Cyber Asset Identification”), we look at the second standard, Security Management Controls. Again, the FERC standards are written for electrical utility systems not chemical facilities so we need to read the Final Rule discussion carefully to see what fits into chemical facility systems.


Management Commitment to Security


The main requirement of this standard (para 342, page 7403) is that corporate management accepts responsibility for securing the critical cyber assets of the facility. This is acceptance is evidenced by the adoption of a corporate cyber security policy and the designation of “a senior manager to direct the cyber security program and to approve any exception to the policy.”


The idea is that only with a senior member of management championing security can the facility be assured of the necessary support for its security program. Adequate allocation of resources, internal conflict resolution, and interpretation of legal requirements all require senior management control. Security decisions may also impact other business decisions. Only a senior member of management will insure that those security requirements are given adequate weight in the business decisions.


Most chemical facilities are not going to require a separate cyber security policy. The cyber assets on the production side (as opposed to the enterprise systems) will be limited enough that the cyber security policy discussed here will be part of the corporate security policy. Large, continuous-process operations on the other hand rely much more on an extensive electronic network to control their operations, so they may require a separate cyber security policy.


Discretion to Grant Exceptions


This standard recognizes that technical, financial or even business reasons may require that exceptions to that policy must be made (para 361, page 7404). The standard does require, however, that any exceptions must be documented and approved by the designated senior manager. That documentation must include the reason for the exception and what mitigation efforts will be put in place during the period of the exception.


The commission emphasizes that there is a difference between an exception to corporate policy and an exemption to the requirements of the Reliability Standards. For a chemical facility this would be similar to the difference between policy and the CFATS regulations. No one at the facility or corporate level can authorize an exception to a regulatory requirement; that can only be done by the regulatory authority.


The procedure for granting exemptions to the security policy should be incorporated in that policy. The procedure should include requirements for documenting the reason for and duration of the exception as well as the special procedures to be put into place to mitigate the increased security threat. Procedures also need to be included for emergency exception approval by local management with a time limit to get formal approval.


Change Control and Configuration Management


The standard requires that cyber security policy include (para 388, pages 7406-7) a “a process of ‘change control and configuration management’ for adding, modifying, replacing, or removing critical cyber asset hardware orsoftware.” There are two reasons for this requirement. First to ensure that changes to the critical cyber assets are made with full consideration of the security consequences. Second to ensure that all personnel affected by the change are notified of the change.


An interesting component of this portion of the standard is the requirement “to take actions to detect unauthorized changes to critical cyber assets (para 397 page 7407), whether originating from inside or outside the responsible entity.” With the large number of computer intrusions seen in the news every day (viruses, trojan horses and botnets to mention a few), the commission wanted responsible entities to establish procedures for discovering unauthorized changes as quickly as possible.


The security policy should address how changes are made to cyber assets. This would include provisions for vendor updates and patches for software. It should also address requirements for using tools like anti-virus software and periodic system tests to insure that there have been no unintentional or unapproved changes made to the system.


Interconnected Networks


In today’s world the interconnectedness of electronic devices and systems is increasing all of the time. Control systems that used to be stand alone systems are now connected to the Internet to allow for vendor troubleshooting and support and may be connected to enterprise software to update inventories and batch recipes. Every point of connection is a point of possible intruder entry. FERC calls for responsible entities to establish “a mutual distrust posture” to “protect a control system from the ‘outside world’”. (para 401 page 7408).


The commission explains a ‘mutual distrust posture’ this way (footnote 111, page 7408):


“An architecture with a mutual distrust posture could involve various hardware or software mechanisms or manual procedures to restrict and verify access to the control system from these outside sources. Examples include: firewalls; data checking software(s); or procedures for manually implementing a connection to allow a vendor to perform maintenance work.”


Verifying Compliance


Any policy should include provisions for verifying compliance. This is especially true of a security policy since it does little to directly contribute to the bottom line and frequently inconveniences employees and contractors. Provisions must be made for internal (facility level) and external (corporate level) audits of compliance. The Corporate Security Officer should review results of those audits with the view to revising policies and procedures as necessary to insure future compliance.
/* Use this with templates/template-twocol.html */