Monday, June 30, 2008

Reader Comment – 6-29-08

Fred Millar has provided some comments on one of my recent blogs (see: "SVA – Facility Security Information").

Lack of Seriousness

He notes that the short comings that are pointed out in my blog indicate "lack of seriousness of these DHS programs".

I have to vehemently disagree here. What I would like my readers (including my readers at DHS) to understand is that what I intend is a critique not a criticism. Too many people in today’s culture do not understand the difference. A critique is an observation that is intended to be of assistance, to help a person or agency improve. A criticism is an observation made more in the way of an attack.

DHS has spent a great deal of time and energy working on the many documents required to support and illuminate these programs in the Chemical Facility Anti-Terrorism Standards. As a writer, a technical writer who has written many instructions in technical areas over the years, I greatly appreciate how hard it is to craft a set of instructions that is clear and concise. On the whole, the DHS writers have done a very credible job.

The other thing that must be remembered, my comments and suggestions are not word from on high. I have no access to "Truth". I only have observations and my personal opinions. I would like to think that they have some worth based on my background and their internal consistency, but they are only my opinion.

Chlorine the Only Weapon?

Fred questions why a terrorist would want to go to the effort of stealing or diverting chemicals "when we already daily pre-position for him or her the most dangerous industrial poison gas (TIH) chemicals in the middle of our 60 target cities?"

All I can say is that Fred has a severe case of chemical myopia. Yes, chlorine gas is a dangerous chemical, but it is certainly not the "most dangerous industrial poison gas"; for my money Hydrogen Fluoride is much more dangerous. There are other chemicals out there that are also dangerous, and many that are much more flexible in their utilization.

The 9/11 attackers did not seek to kill the largest number of people they could. They never would have flown into the Pentagon if that were their aim. They attacked specific targets for social, political and economic reasons, not just to kill people. Could some of those chlorine rail cars be used for political ends? It is very likely to be the case.

Are there other targets where other chemicals would be better suited as a weapon? The answer is an unqualified yes. Theft/diversion chemicals were selected for inclusion in Appendix A for just this reason.

Fred Millar is campaigning against chlorine. I think that that campaign may be short sighted and is certainly too narrowly focused. Do I agree that Chlorine is dangerous? Of course I do. Do I agree that it must be eliminated? I certainly do not, as I have said time and again.

DHS Must Have a Broader Focus

Fortunately, DHS does not have the luxury of being able to campaign against a single chemical, they are charged with developing a program for ensuring a minimal level of security for the gamut of highly hazardous chemicals. Have they thought of everything? Certainly not. Have they thought of things that I have missed? You bet.

My hope is that they will be given the chance to continue with their efforts and will continue to improve the program that they have started.

Barton Solvents Fire Report

Last week the Chemical Safety Board issued their final report on the storage tank fire at the Barton Solvents’ fire in Valley Center, KS. As had long been expected the cause of the fire was determined to be a static discharge inside of the storage tank. What is important from a chemical safety point of view is that the Board determined the root cause of the discharge and disclosed a significant, apparently widespread, potential safety issue. This safety issue could be easily turned into the operational equivalent of a vehicle-borne improvised-explosive to attack chemical facilities.

As a Process Chemist with 12 years manufacturing experience I am certainly interested in the safety issues that the Board has pointed out. In all fairness to the companies that I worked for, these issues are not new; we took them into account in the Process Hazard Analyses’ and Process Safety Reviews that we conducted. We evaluated every flammable organic liquid that we handled for static accumulation hazards; when data was lacking we assumed it accumulated static charge. This is one of the reasons that we nitrogen blanketed the head space over flammable liquids as a matter of course.

Chemical Safety Issue as a Facility Security Issue

As I noted in a blog shortly after this incident (see: "Security aspects of Barton Solvents fire in Valley Center, KS") incidents like this point to a number of potential security risks. Little did I know then that the Chemical Safety Board, in their case study of this incident, would point to a new class of chemical storage targets. According to the CSB Barton Solvents Case Study (page 5):

  • "VM&P naphthas, however, and other flammable liquids (e.g., many NFPA Class IB Flammables), may form ignitable vapor-air mixtures inside tanks at normal handling temperatures."

This is unusual. Most flammable liquids have such a high vapor-pressure that the headspace in storage tanks is so saturated with flammable gas molecules that there is not enough oxygen available to support combustion. The atmosphere in the tank is above the flammability limit for the chemical.

What this means is that storage tanks containing these chemicals identified by the CSB may have a bomb in the head space just wanting a detonator to set them off. What is very scary from a security point of view is that there are a number of very common industrial chemicals that form these ignitable vapor-air mixtures. According to the study these chemicals (IVAM chemicals, a new term of mine) include (but are certainly not limited to):

  • Cyclohexane
  • n-Heptane
  • Benzene
  • Toluene
  • n-Hexane
  • Xylene
  • Ethyl Benzene
  • Styrene

Chemicals Not Regulated Under CFATS

None of these eight IVAM chemicals are on the list of Chemicals of Interest (COI, found in Appendix A, 6 CFR part 27) that DHS uses to evaluate a facility to see if it is at high-risk of terrorist attack. That means that facilities that store significant amount of chemicals in this group may not be required to complete a Top Screen unless they have at least one other chemical on site that appears on that list and is above the Screening Threshold Quantity (STQ) for that COI.

Furthermore, even if a facility did meet the requirements for being designated as a high-risk facility for some COI on site, the facility would not need to consider the presence of any of these chemicals on site. This would allow the facility to overlook the possibility of a terrorist using a simple attack (incendiary bullet shot into the headspace of the storage tank) on an IVAM chemical storage tank as a means to catastrophically release a toxic COI in a nearby storage tank.

IVAM Chemical as a Terror Weapon

The Chemical Safety Board, as part of their final report, released a safety video (follow the link on the report page) showing the lessons learned from the Barton Solvents’ Fire. This video should be viewed by every security manager and facility manager for a facility that has storage tanks containing IVAM chemicals.

Watching the animation of the naphtha storage tank being launched by the initial explosion is impressive enough. Watching nearby storage tank lids being blown off by the expansion of gasses being produced by the boiling liquid contents is truly scary. Fortunately, in this incident the other storage tanks only contained flammable and combustible liquids. They did not contain any toxic release COI. The problems of fighting this fire would have been greatly complicated by a plume of toxic gasses.

Anyone who watched this drama play-out over a couple days last summer will remember the impressive camera shots of the black smoke cloud rising over Valley Center, KS. The flat, open terrain made it look even more impressive with the flames flashing through the base of the smoke. If there had been a message of responsibility released by a terrorist group shortly after the start of the fire, the national coverage would have been much more intense. Local news shows would cut in with local experts discussing the vulnerability (real and imagined) of local chemical facilities.

If a nearby storage tank had contained a toxic-release COI, the news coverage would have gotten insane. The relatively organized evacuation of the nearby neighborhood would quickly have turned to panic as some people began to be affected by the chemical cloud, both physically and psychologically. The news coverage would have switched with music-video rapidity from long shots of the ‘toxic’ cloud, to local news crews filming and interviewing panicky residents ‘fleeing for their lives’, to contract talking-heads in New York and Washington exaggerating the effects of the ‘dangerous industrial chemicals’.

Mode of Attack

All of this could be set off with a relatively easy rifle shot using military grade, or even civilian available, tracer rounds. The walls of non-pressurized storage tanks are typically just sheet metal that could be penetrated by a pistol round. A high-speed rifle round would fly right through and potentially penetrate multiple tanks.

The tanks at Barton Solvents were exposed and relatively close to a public road. They were certainly close enough to the road to be engaged by a rocket propelled grenade like an RPG-7, the second most common terrorist weapon after the AK-47. A gunner standing in a sun roof of a car or in the back of a pick-up truck stopped momentarily in front of the facility would have been high enough to clear the fence while targeting the top couple of feet of the storage tank.

Defending Against the Attack

While the attack would relatively simple to execute there are a wide range of defenses that could be employed to prevent the attack.

A high privacy-fence could be erected at any fence line along a public road; this would increase the difficulty in targeting the tank. A tall sheet metal fence around the tank farm would achieve the same effect and probably require fewer linear feet of fence. Neither fence would have to provide ballistic protection; they would be designed to interfere with targeting not to stop bullets.

Ballistic protection could be provided for the IVAM by adding Kevlar® jackets to the storage tanks. The facility could also use bolt on ceramic or steel armor to provide ballistic protection. The engineering would be fairly straightforward, but the price would be higher than fencing discussed earlier.

A very easy solution would be to keep oxygen out of the headspace of the storage tank; without oxygen there could be no fire. Keeping a nitrogen, or some other non-flammable gas, blanket on the headspace of the tank would prevent the explosive ignition of the IVAM chemical. This could not be used for monomers like styrene; they frequently require the presence of oxygen to stabilize the chemical. For those chemicals a collapsible bladder could be placed in the headspace of the tank to exclude the monomer molecules from the headspace instead of excluding oxygen.

DHS Needs to Re-look at Flammable Release COI

As I have said on a number of other occasions, I believe that DHS has been overly selective in the flammable liquids that they have included in their flammable release COI. This newly identified ‘class’ of flammable chemicals could easily be added to Appendix A, using the CSB report as justification.

Lacking that, DHS should require facilities currently beginning the SVA submission process to report the IVAM chemicals they have in storage tanks within some pre-defined proximity to any toxic-release COI storage tank. That way this ‘release-trigger’ for the toxic COI can be identified.

Common Carrier Obligations Public Hearing Rescheduled

Last week the Surface Transportation board announced that they were changing the date of their hearing, "Common Carrier Obligation of Railroads--Transportation of Hazardous Materials" (see: "STB Hearing on Railroad Common Carrier Obligations"). Instead of being held on July 16th, the meeting will be held on Tuesday, July 22nd. This was done to accommodate some witness availability issues.

The date for registering to speak at the hearing and submit prepared testimony and information for the record has also been changed to July 10th. This change was made after the Board took into account the 4th of July holiday and its impact on schedules.

Identification of COI Assets

This is the next in a series of blogs concerning the Security Vulnerability Assessment (SVA) instructions recently published by DHS. This blog deals with the identification of assets associated with each chemical of interest (COI) listed on the initial notification letter received from DHS. The previous blogs in this series are listed below.

Each high-risk chemical facility is required to identify at least one asset associated with each COI. If a COI is listed under two security issues (e.g.: toxic release and toxic theft/diversion) there will have to be at least on asset identified for each combination. The asset may be the same for each security issue. In short, if the facility were to list each COI/Security Issue identified in the DHS letter, there would be at least one asset associated with every item on that list.

What is an Asset?

The simplest way to think of an asset is to consider it the on-site target of a potential terrorist attack. The CSAT Security Vulnerability Assessment Instructions (page 38) describes an asset this way:

  • "COI-related assets may include, but are not limited to vessels, process units, piping, equipment items, transportation packaging (or clusters of packages), or other containers that hold a specific COI. For purposes of these instructions, any hardware, packaging, or other containers holding a COI is referred to as ‘equipment’."

A number of tanks and pieces of equipment can be identified as a single asset if damage to any one of the components would result in a release from the combination. For example a processing building where there is a distillation process producing a release COI. The building, the reaction vessel, the distillation column and associated piping, and the receiving vessel could constitute a single asset.

Each security issue will have a slightly different set of criteria for asset identification. For example a COI that is both a release and a theft/diversion chemical would have a theft/diversion asset in a couple of stacks of palletized 5-gallon containers if it contained a STQ of the theft/diversion chemical. That same stack of pallets would not be an asset for the same chemical in the release case.

Asset Identification for Release COI

Each release COI will have its own list of assets prepared. That list will include:

  • The largest inventory concentration of that COI in a single vessel or collection of equipment that could result in a release of the largest amount of that COI at the facility. For example a large storage tank or collection of closely located storage tanks containing the COI.
  • A separate inventory concentration than that listed above that would be more vulnerable to a successful attack due to location or configuration of the equipment containing that inventory. For example: Inbound COI stored in rail cars on a siding close to the facility boundary.
  • An inventory of that COI in a separate location than those described above that would have a different consequence than the attack on the largest inventory. For example a separate storage tank of a flammable release COI located near other storage tanks containing flammable liquids that are not COI.

Asset Identification for Theft/Diversion COI

Each theft/diversion COI will have its own list of assets prepared. That list will include:

  • The largest quantity of the COI in co-located transportation packaging. For example a parked tank wagon (disconnected from a tractor) containing the COI.
  • A separate quantity of the COI in transportation packaging that is more vulnerable to attack due to location or packaging. For example a collection of palletized 5-gallon containers of the same COI at the shipping dock.

Asset Identification for Sabotage/Contamination COI

Each theft/diversion COI will have its own list of assets prepared. That list will include:

  • The largest inventory of the COI that requires a placard in accordance with DOT hazardous material shipping regulations (Subpart F of 49 CFR part 172). For example a parked tank wagon (disconnected from a tractor) containing the COI.
  • A separate inventory of the COI that is more vulnerable to attack due to location or packaging. For example a collection of tote bins of the COI at the shipping dock.

The List of Assets

The facility should prepare the list of assets as a working document for the preparation of the SVA. The list, as such, is not entered into the SVA. Each item on the list will be the starting point for a series of SVA entries used to characterize the asset. This will be the next portion of the SVA covered.

Saturday, June 28, 2008

SVA – Facility Security Information

This is the next in a series of blogs concerning the Security Vulnerability Assessment (SVA) instructions recently published by DHS. This blog deals with the reporting of the existing security information at the facility. The previous blogs in this series are listed below.

 

 

Most high-risk chemical facilities already have taken some steps to secure the facility against terrorist attack. This section of the SVA looks at the existing equipment, processes and procedures that are currently in place to reduce the vulnerability of the COI at the facility as well as off-site features that might increase that vulnerability. The inclusion of a security measure on the SVA Tool does not imply that such measures will be required in the Site Security Plan.

 

Security Equipment at the Facility

 

This portion of the SVA requests information about security equipment at the facility. This would be equipment that might reduce the vulnerability of COI and applies across the entire facility. Three data entry boxes are provided; Equipment, Location, and Support Systems Required.

 

The Equipment box has a pull down menu that provides a list of typical security equipment. The Preparer will select an appropriate type of equipment. Entries will then be made in the Location and Support Systems Required boxes for that equipment. Once that information is entered the “ADD” button will be pushed. If the facility’s security equipment is not listed in the pull down menu, a blank equipment box is available for listing that equipment.

 

Unfortunately the pull down menu (according to the CSAT SVA Questions manual) does not include a number of typical types of security systems. Additional security equipment might include:

 

  • Perimeter Fencing
  • Secondary Fencing around COI Storage Areas
  • Blast walls or berms
  • Vehicle Barriers
  • Chemical Detection Equipment

 

Utility Systems and Infrastructure Support

 

If a facility reports and security equipment that requires utility or infrastructure support the Preparer is required to enter data about the location of those utilities. Two data entry boxes are provided; System/Infrastructure and Location.

 

The System/Infrastructure box has a pull down menu listing typical utilities that would provide support for security systems. The Preparer will select an appropriate utility and then fill in the location box for that Utility. Once that information is entered the “ADD” button will be pushed. If the facility’s supporting utility or infrastructure is not listed in the pull down menu, a blank System/Infrastructure box is available for listing that equipment.

 

Inventory Control Measures

 

For facilities that have one or more Theft/Diversion security issues listed on their DHS initial notification letter there will be a section for inventory control measures on their SVA. This section will deal with a variety of inventory control techniques that might be useful at reducing the vulnerability to theft or diversion of these chemicals.

 

The Preparer will first enter a name for each inventory control measure into a data entry box, pressing the “ADD” button when each entry is completed. Once all control measures are listed additional questions will be asked about each measure. Those questions are:

 

·         Is the inventory procedure automated? (Yes/No – No Default)

·         Frequency Applied? (pull down menu)

·         Location? (data entry box)

·         Inventory Procedure? (checklist, check all that apply)

·         List of COI procedure applicable to? (Yes/No – No Default)

 

Personnel Access Control Measures

 

If a facility has procedures in place that control or limit access to the facility that might limit the facilities vulnerability to attack. This section looks at such control measures that are already in place at the facility.

 

The Preparer will select from a drop down list the personnel access control systems in place at the facility. If the control measure in place is not described in the options provided a data entry box is available for naming that system. The available options are:

 

·         Personnel recognition by officer – no badges or pictures used.

·         Manual badge validation by officer – officer looks at badge or identification

·         Biometric validation – biometric device used to verify identity

·         Computerized access with no validation – swipe or proximity card with no guard or computer validation (password, etc)

·         Personnel access allowed on foot only – passenger vehicles not allowed in facility

·         Visitor access clearance and badging

·         Visitors require advance registration – a list at entrance control point

·         Visitors require full time escort

 

Additional information will be required for each control measure. This information includes:

 

·         Is the control measure automated? (Yes/No checklist)

·         Frequency Applied? (checklist – select one)

·         Location? (data entry box)

·         Personnel Covered? (data entry box)

 

Unfortunately this section does not recognize that personnel access controls at many facilities change at different times of the day or week. During off-shifts there may be no guard at the entrance, it is normally left closed. On shift personnel will provide necessary access when required. In that case most facilities will probably want to complete this portion with information for normal daytime operations.

 

Shipping and Receiving Control Measures

 

This is another set of questions that will only show up if a facility has a theft/diversion security issue listed on their initial notification letter from DHS. The SVA question asks if the facility has any shipping and receiving measures that could reduce the vulnerability to an attack. Keep in mind that the kind of attack envisioned here would be the diversion of these COI.

 

The Preparer will enter the name of the control measure in a data entry box. After pushing the “ADD” button to enter that name a list of questions will appear for that control measure. Those questions include:

 

·         Automated? (Yes/No)

·         Frequency Applied? (Pull down menue)

·         Location? (Data entry box)

·         Control Measure Feature? (Checklist, check all that apply)

·         COI Covered? (Checklist, check all that apply)

 

Post-Release Measures and Equipment

 

For facilities that have one or more Toxic Release security measures there will be a section on the SVA Tool asking about post release measures that might mitigate the effects of a successful attack. This does not include single asset measures like dikes around storage tanks. It is looking for items like community warning systems or evacuation plans.

 

The Preparer will use a pull down menu to select a measure. If the facility’s measure is not listed there is a data entry box for additional measures. When the “ADD” button is pushed additional questions will appear for that measure. Those questions include:

 

·         Location? (Data entry box)

·         Support Systems Required? (Data entry box)

 

Site Vulnerability Factors

 

All facilities will see the question about additional site related factors may increase the sites vulnerability to attack. These would include off-site terrain and infrastructure items. These could be items that make it easier for surveillance to be conducted without observation or make it harder for police and emergency personnel to respond to an attack.

 

The Preparer will list each vulnerability in a data entry box. After the “ADD” button is pushed a Comment data entry box will appear to allow recording any additional information about that site vulnerability.

Friday, June 27, 2008

SVA – Facility Security Issues

This is the next in a series of blogs concerning the Security Vulnerability Assessment (SVA) instructions recently published by DHS. This blog deals with the facility security issues that will be reviewed in the SVA. The previous blogs in this series are listed below.

Based on information provided in the facility Top Screen submission, DHS has notified each high-risk chemical facility what security issues and chemicals of interest (COI) must be addressed in the SVA. The facility will use these to identify critical assets and to select the appropriate attack scenarios later in the SVA.

Pre-populated Data

For most facilities this section of the SVA tool will be already pre-populated with the appropriate data from DHS. In effect, DHS will have already filled out the data in this section based on their records. The facility is still responsible for the accuracy of this data. Using the DHS Initial Notification Letter verify that all of the security issue and COI data in the letter is included in this section of the SVA.

Identifying Security Issues

This section will consist of seven questions identifying whether or not the facility will have to deal with the seven basic security issues listed below. The basic format for the questions will be the same; "Does the DHS initial notification letter indicate that the facility should address security issues related to _____?"

  • Release-Toxic COI
  • Release-Flammable COI
  • Release-Explosive COI
  • Theft/Diversion-Explosive/Improvised Explosive Device Precursor COI
  • Theft/Diversion-Weapons of Mass Effect COI
  • Theft/Diversion-CW/CWP COI
  • Sabotage/Contamination COI

There will be a ‘YES’ and ‘NO’ button associated with each question. The default answer is ‘No’. This means that the Preparer only needs to take action (click on the button) for those questions requiring a positive answer.

The attentive reader will note that there are two security issues that were documented in the Top Screen that are not dealt with here, Mission Critical Chemicals and Economically Critical Chemicals. DHS has not yet said if it will require SVA filings for these two security issues at some future time. At this time these chemicals would only be included in the SVA if they fall under the definitions of one of these seven security issues and were included in the DHS letter.

At the end of the seven questions there will be a final question to verify that all of the security issues listed in the DHS letter have been marked ‘Yes’. Pressing the ‘YES’ will set up most of the remaining requirements of the SVA. It is important to remember that any changes to this portion of the SVA will affect large portions of the remaining material. Re-check all of the remaining SVA sections if changes are made to this section.

Identifying Chemicals of Interest

Depending on the answers in the previous section there will be as many as seven lists of chemicals in this section; one for each identified security issue. The lists will show each of the chemicals from Appendix A that make-up that security issue.

Again, there will be a ‘YES’ and ‘NO’ button associated with each chemical. The default answer is ‘No’. This means that the Preparer only needs to take action (click on the button) for those chemicals listed in the DHS letter.

It is important to remember that the facility is not checking off chemicals that it has an STQ amount of on hand; that was done in the Top Screen. The Preparer is checking off chemicals under that security issue that were identified in the DHS letter for that security issue.

A number of chemicals are found in multiple security issues in Appendix A. That has no bearing on this portion of the SVA. Chemicals are checked ‘Yes’ only if they appear under that security issue in the DHS notification letter.

Summary of Facility Security Issues

At the end of each active list of COI there will be the inevitable question asking if all of the chemicals listed in the DHS initial notification letter for that security issue have been marked ‘Yes’. Once the ‘YES’ button has been checked for this final question in each open list, the SVA Tool will show a summary screen for security issues and COI.

This summary screen should show all of the security issues and COI for those issues that were listed in the DHS initial notification letter. If that is not the case, the ‘NO’ button should be pushed. This will give the Preparer another chance to get everything properly entered into the SVA tool.

It is important the check the summary screen carefully. Mistakes here will cascade through out the remainder of the SVA. The resulting errors will cause no end of confusion for the Preparer. If not corrected, they will certainly result in DHS sending the SVA back for revision.

S 3181 – Senate DHS Appropriations Bill 2009

There is an interesting article on HSToday.US comparing the House and Senate appropriations bills for DHS. The general figures in the article are the same ones discussed here in an earlier blog (see: "Congress Working on DHS Appropriations Bills"). There are some interesting observations about some pork barrel spending found in the House bill. Since I have yet to see a published copy of the House bill I cannot really comment except to say "Who wouda thought?"

The article provides a date for the target adjournment date for the House; September 26th. Presumably the Senate will not adjourn to stop the President from making any between-session appointments to the Judiciary.

In a ‘don’t we wish it were so’ moment, the article ends with an interesting comment:

  • "The full Congress will consider the appropriations bills next month, potentially moving a politically uncontroversial homeland security funding bill to the White House before the November elections."

I am still halfway expecting someone to slide in a provision extending the authorization for the CFATS regulations for at least an additional year. This would probably make many in the industry happy. It would also give the House leadership some political cover for their failure to get HR 5577 to the floor in a timely manner. Such a provision would be anything but quiet; too many people (myself included) are watching for it.

S 3181

The Senate bill (S 3181) was available on both Thomas.LOC.gov and the GPO web sites today. Thomas.LOC.gov also has a link to the Senate Report (110-396) for the bill. As of today there are no ‘chemical security’ provisions found in the Title V, General Provisions (sections 500 thru 549) portion of the bill where so many legislative goodies are found. This section always provides interesting reading.

Infrastructure Security Compliance

The Appropriations Committee Report on S 3181 (Report 110-396) has an interesting comment about the funding for chemical facility security programs:

  • "The Committee recommends $75,000,000, an increase of $12,000,000 from the budget request, for chemical site and ammonium nitrate security programs. The Committee notes that while the administration has requested increased funding for what it now calls Infrastructure Security Compliance, new statutory requirements for the regulation of ammonium nitrate will consume a substantial amount of the requested increase. The Committee recommends $10,750,000, to fully fund the authorized appropriation amount for ammonium nitrate regulatory activities."

This means that my earlier report of a $12 Million increase for chemical facility security is actually only a $1.25 Million increase. Oh well, it is still an increase and DHS will need every penny it can get if it is to manage CFATS implementation with any reasonable degree of oversight. Remember next year is Site Security Plan reviews and DHS facility inspections.

For those who have forgotten (or maybe never knew if you are new reader of this blog) last year’s omnibus spending bill contained one of those neat ‘General Provisions’ programs requiring DHS to establish a regulatory program covering the buying and selling of ammonium nitrate (see: "DHS and the Omnibus Spending Bill"). We should expect to see a proposed rule being published on these regulations in the next week or so.

Thursday, June 26, 2008

HR 6193 Approved by Homeland Security Committee

No one has ever accused Chairman Thompson of running an inefficient committee. A 10:00 a.m. full committee hearing this morning marked up eleven separate homeland security measures and by a voice vote reported them all to the House with a favorable recommendation. By noon time the Committee Action document was posted on the committee web site, along with a congratulatory message from the Chair.

Included in the eleven bills was HR 6193, a bill we reviewed earlier (see: "Subcommittee Hearing on HR 6193"). This bill aims to bring the "sensitive but unclassified" document marking/classification mess under control. As I noted in the earlier blog this bill was approved out of the subcommittee in an, as of yet, unpublished substitute version. That substitute was approved in today’s committee action.

It will take a day or two for the new version of this bill to make its way to thru the GPO process. That means that I won’t have a chance to review it for that length of time. Hopefully the substitute will better address some of the problems I pointed out in the earlier blog.

Blogosphere Reaction to SVA News

There has been some reaction to news reports from last week that DHS was going to notify 7000 facilities that they would have to submit SVA’s. Blogs from Armchair Generalist (Locking up the Chemicals) and John Schroeder (So, Who Pays?!) show some of the less than enthusiastic support for SVA’s. Surprisingly the reaction wasn’t that the ‘new’ regulations did not go far enough. Both questioned the need for the regulation, for different reasons in each case.

Updated SVA Information

Before we look at this blogosphere response, I would like to review some updated information that I have received from DHS about the SVA notifications that went out on Monday. Letters were mailed to 7,006 facilities. The tiering data for those facilities is:

    • Tier 1 – 219 facilities
    • Tier 2 – 756 facilities
    • Tier 3 – 1,712 facilities
    • Tier 4 – 4,323 facilities

SVA completion requirements vary according to the risk involved. The highest risk facilities must complete their SVA quickly. The Tier 4 facilities have the option of submitting an alternate security plan in lieu of an SVA (see: "SVA for Tier 4 Facilities"). The deadlines for these facilities to complete their SVA’s are:

    • Tier 1 – 90 days
    • Tier 2 – 120 days
    • Tier 3 – 150 days
    • Tier 4 – 180 days

According to my source the Chemical Security Compliance Division will not be treating the appearance on the high-risk chemical list as Chemical-Terrorism Vulnerability Information (CVI), so the names of the 7006 facilities should be public record. The tier rankings and the chemical security issues (including Chemicals of Interest on site) would be CVI and thus not publicly available.

In a move sure to please many critics of the ‘secrecy’ of the current CFATS regulations, DHS will be providing to each state a list of high-risk chemical facilities in that (and near that) state. That list would include tier rankings and chemical security issues. This is being done to help states develop their own risk management programs for their citizen’s safety.

Lack of ‘Actionable Intelligence’

The Armchair Generalist, a blogger on military matters, notes that

    • "…DHS is forcing this exercise without any indication of domestic threats and without any past history of these sites being hit by outsiders for chemicals. Better security is always good to discourage vandals and thieves, but unless we see evidence of actual terrorist activities (actionable intelligence, if you will), we ought to take this slow."

The problem with this point of view is that ramping up security at chemical facilities is not something that is easy or quick to do. By the time the government gets ‘actionable intelligence’ of intent to attack a chemical facility it will be too late to start looking at security. One does not need actionable intelligence to know that a huge LPG tank is a potential terrorist target, the tactical equivalent of fixed-site WMD. The trick is to identify the less obvious chemical targets.

What DHS has done is to look at the 30,000+ chemical facilities in the country that have significant quantities of a rather small list (300+ chemicals) of extremely hazardous chemicals in their inventories. Using data provided by those facilities and looking at the surrounding community, DHS performed a risk analysis and determined that 7,006 of these facilities looked like they were at a high-risk for a terrorist attack. To make a final determination if these facilities will have to ‘ramp up their security’ DHS is requiring the facilities to provide additional information about their current security situation, the Security Vulnerability Assessment.

Cost of Security

John Schroeder asks who is going to pay the cost for the additional security. He makes the following point:

    • "In a nation where we are willing to use public funds to compensate the victims of terrorism, how can we possible expect corporate citizens to not only bear the cost of securing their facilities against terrorist attack, but also subject them to PUNISHMENT if they do not. Is not national security one of the very legitimate functions of the federal government?"

This is certainly a valid point, especially since the recently passed farm bill provided some federal money for grants to agricultural operations to increase their chemical security (see: "Farm Bill Contains Chemical Security Provisions"), operations that probably do not make the list of high-risk chemical facilities. Congress has yet to stand up and address this issue.

The short answer is that the people that benefit from the use of the hazardous chemicals that make these facilities targets, ultimately consumers who buy the products, will be the ones that pay for the increased security. Businesses will pass these costs on in the price of their goods.

There is actually an upside to this. If this were actually a ‘command-and-control’ regulation there would be no way for facilities to shave their costs while maintaining security. They would have to do what the ‘govern meant’ told them to do. The way the CFATS regulations were written (and in fact mandated by Congress) DHS does not specify security measures, it requires security outcomes (levels of protection) based on the level of threat for the facility. This encourages facilities to look for cost effective ways to implement the necessary level of security protection.

Chemical Security Program is Moving Forward

In any case, the CFATS program is moving forward; not as quickly as some had hoped, but it is moving. While most of this work will be moving forward out of public view, I am sure that we will be hearing from facilities that believe that they have been unfairly rated as high-risk. I predict that propane suppliers will be the first to ‘cry foul’ loudly and publicly. I mean, how much damage could a 60,000 pound propane tank actually do?

The Goodyear Explosion Hearing

The Homeland Security Committee’s Subcommittee on Transportation Security and Infrastructure Protection held a hearing on Wednesday that had one of the most misleading titles of any congressional hearing that I have ever seen. It was entitled: "The Goodyear Explosion: Ensuring Our Nation is Secure by Developing a Risk Management Framework for Homeland Security". Only two of the witnesses had anything to say about the explosion at the Goodyear Chemical plant. The other four witnesses addressed risk management and completely ignored the Goodyear explosion in their prepared testimony.

Incident Background

On Wednesday, June 11th, 2008 at about 7:30 a.m. CDT there was a ‘small explosion’ in a ‘heat exchanger’. As a result of the explosion there was a small fire and some of the refrigerant, anhydrous ammonia, was released. The facility was evacuated. Initial news reports said that six people were taken to local hospitals for injuries related to ammonia exposure; one of which was ‘life-threatening’.

After the ammonia fumes had dissipated hours after the accident, crews went back into the facility to survey the damage. After moving some of the wreckage the body of an employee was found. Early on there were questions raised about the possibility of her being rescued if teams had gone back into the facility earlier. According to testimony at the hearing provided by her husband, Mrs. McInnis was killed in the explosion.

Goodyear Incident Testimony

As I mentioned earlier only two of the witnesses addressed the Goodyear incident in their prepared testimony; Mr. McInnis, a retired Goodyear employee and the husband of the supervisor killed in the explosion, and Mr. John S. Morawetz, International Chemical Workers Union Council of the United Food and Commercial Workers International Union.

Mr. McInnis provided the committee with a graphically drawn word picture of his wife, Gloria McInnis, and her roll as a veteran Goodyear employee of 31 years. He also described the confusion on the day of the incident when the company first reported that his wife‘was fine’ only to be told later that she was found dead hours after the accident. While confusion is understandable in any industrial accident of this scale the extent of the confusion at this scene goes beyond that, as exemplified by this extract from Mr. McInnis’ testimony:

  • "I did not understand why the Houston Fire Department did not go into the plant and search for employees. But my son’s firefighter friend explained that the Department had considered going in and told Goodyear several times they were willing to go in but Goodyear was adamant that everyone was accounted for. The Department weighed that against the danger to their rescue crews and decided it was not worth the risk since Goodyear told them everyone was safe. The Fire Department left the plant and then had to be called back after Gloria was found by plant workers."

Mr. McInnis concluded his prepared testimony by describing a series of changes that he had seen made at the facility that he claims decreased safety at the facility. These changes include:

  • Elimination of the facility fire department,
  • Reduction in training time for EMS crews,
  • Replacement of experienced workers with contract crews with little experience,
  • Reduced expenditures on replacing old equipment,
  • Procedures that allow employees to be inaccurately accounted for.

The testimony of Mr. Morawetz did not directly address what happened in the Goodyear incident as he admittedly did not have any direct knowledge of that facility. He did provide a thorough review of a number of process safety, employee training, security and regulatory issues that might have a bearing on the on-going investigation. He has obviously spent some time on the production floor at multiple chemical facilities and is passionate in his concern for employee safety.

Risk Management Testimony

The prepared testimony of Robert D. Jamison (DHS), Norman J. Rabkin (GAO), Dr. James Jay Carafano (Heritage Foundation), and John P. Paczkowski(Port Authority of NY and NJ) the issue of risk management and the development of a risk management framework within DHS to develop and foster a risk management focus in the homeland defense community.

While this is without a doubt a valuable exercise, the risk management protocols discussed in these prepared testimonies would have had little effect on the incident at the Goodyear Chemical Plant in Houston, TX. It was as if the subcommittee only had a limited amount of time and conducted hearings on two different subjects at the same time.

Commentary

It always distresses me to hear reports of chemical companies taking shortcuts on employee safety. Having spent 12 years as a process chemist in a specialty chemical manufacturing environment I have a deep and abiding concern about the development and maintenance of safe chemical manufacturing processes.

What does process safety have to do with chemical facility security? First it the tools of process safety can be directly used in developing facility security plans. A comprehensive understanding of the chemicals on site will provide the security management team with a better understanding of the risks associated with those chemicals.

On a more fundamental level, a company that does a poor job of maintaining a process safety program will get only limited support for its security planning from the employees at the facility. More over, a record of incidents such as the one reported by Mr. McInnis does little to provide confidence to the surrounding community. Both of these provides a potential breeding ground for dissatisfied personnel that could support or lead an attack on that facility.

Not only that, but these types of news stories also shine a bright light on facilities that, because of their poor history maintaining an effective process safety program, are probably doing a poor job of protecting against possible terrorist attacks on their facilities. Finally, this type incident makes it easier for Congress to decide that the chemical industry cannot be trusted to develop adequate security procedures without detailed oversight.

Wednesday, June 25, 2008

Chemical Facility Security Does Not Make Top 5 List

A recent article on HLSWatch.com describes the top 5 priorities for DHS as seen by the chairman of the House Homeland Security Appropriations Subcommittee. Chairman Price does not include chemical facility security in that list. While there are many activists and security professionals that might disagree, the level of funding and staffing shows that Congress shares this view in general.

Three of Price’s top 5 are certainly high priorities on anyone’s list. Few can argue that Immigration, Disaster and Emergency Response, and Technology and Privacy should be high priorities for DHS funding. Inclusion of Management reflects the continuing challenge of creating a fully functional cabinet level agency out of an ad hoc collection of agencies. The final priority, Grants and Risk Analysis, reflects the political reality that congress is as interested in pork barrel spending as in accomplishing anything of substance.

While no one could reasonably expect chemical facility security to make even a top 10 list of priorities for DHS, it would certainly have seemed reasonable for Security to be one of the top 5. None of the Top 5 Priorities of Chairman Price had anything to do with security. Even the immigration issue is more about jobs and political posturing than security.

Until Congress starts to take homeland security more seriously we will continue to see under funded efforts run by under manned agencies. We will continue to see important legislation like CFATA languish in committees more capable of finger pointing than conducting hearings. We will continue to see pork barrel grants to agricultural chemical security while there is no funding to protect chemical plants or water treatment facilities.

DHS FAQ Page Update 6-24-08

DHS published a number of new questions (#1489 thru #1513) about the completion of SVAs on their FAQ page. It is interesting that these Frequently Asked Questions were posted within a little more than a day after the SVA documents were released. I doubt that these were recently asked questions. More likely these questions come from Phase I facilities that have been working on their SVAs for almost three months now (see: "Vulnerability Assessments are Underway").

For most facilities there is no point in covering these FAQ questions and answers until they get a chance to review the new instructions (or read my continuing reviews of the same). There are a couple of interesting points that we can look at without confusing a complex situation.

Attack Scenarios

One thing that comes up frequently in these questions is how to use the various attack scenarios provided in the SVA. For personnel without experience in looking at how attacks are conducted this requirement could be confusing. There is little specific guidance about these scenarios in the SVA instructions. There is a good reason for that, the details of those scenarios is considered Chemical-Terrorism Vulnerability Information (CVI).

Thinking about that for just a moment, it makes a great deal of sense to ‘classify’ this information. The attack scenario would give the budding terrorist ideas about how an attack could be conducted. It would also provide insights into how facilities were expecting to be attacked. Attacking in an unexpected manner is the surest way to achieve operational surprise.

DHS does have a document available with more information on the attack scenarios. It is available only to registered-users of CSAT that are CVI trained and certified. It can be obtained by contacting the Help Desk at 866-323-2957 from 7:00 a.m. - 7:00 p.m., Eastern Time, Monday-Friday. The document will have to be protected as CVI.

Knowing Your Customers

For theft/diversion chemicals one of the ways that a terrorist might obtain these COI would be to set up a phony company (see: "Chemical Incident Review – 3-03-08") to buy the chemicals from a reputable company. DHS provides references to a number of documents from various industry associations and government agencies that deal with this issue.

SVA for Tier 4 Facilities

This is the next in a series of blogs concerning the Security Vulnerability Assessment (SVA) instructions recently published by DHS. This blog deals with the options available to Tier 4 high-risk chemical facilities. The previous blog in this series is listed below.

Tier 4 chemical facilities are the high-risk facilities with the lowest level of a threat for terrorist attack. DHS made this preliminary determination based on information provided in the Top Screen submission made by the facility. This preliminary determination may be changed based on information provided during the SVA submission; the facility may be:

  • Removed from the high-risk list,
  • Have their Tier ranking increased to Tier 1, 2 or 3; or
  • Remain a Tier 4 facility.

Alternate Security Program

Tier 4 facilities have the option of completing the SVA in the CSAT tool or submitting an Alternate Security Program (ASP). The ASP option is designed to lower the regulatory burden on facilities that have already completed a vulnerability assessment using techniques other than those embodied in the CSAT program. The lower risk rating of these facilities means that there is less of a likelihood of this alternative program significantly compromising the safety of the facility or its community due to a successful terrorist attack.

When an ASP is submitted by a Tier 4 chemical facility DHS has the option of:

  • Approving the ASP as providing for an equivalent level of security as the CSAT program,
  • Disapproving the ASP in its entirety (resulting in the facility having to complete an SVA), or
  • Requiring the facility to provide additional information that will bring the ASP to an equivalent level of security.

Before attempting to submit an ASP the facility management must satisfy itself that the program being submitted meets the requirements of Section 27.215 (Security vulnerability assessments) and Section 27.235 (Alternative security program) of 6 CFR. Failure to understand these requirements may result in a disapproved ASP and the subsequent requirement to complete a CSAT SVA.

ASP Questions for CSATSubmission

Tier 4 facilities will have a question not seen on SVA’s for higher Tier facilities; "Do you want to upload an Alternate Security Program (ASP)?" A ‘No’ answer will return the facility to questions for an SVA. A ‘Yes’ answer will result in an additional set of questions being added to the SVA tool. The answers to these questions will aid DHS in deciding to accept all or part of the ASP in lieu of an SVA. Generally speaking a ‘No’ answer to any of the subsequent questions will lower the possibility of approval of the ASP.

Does the ASP cover all of the facility assets that are associated with the security issues and chemicals of interest specified in the DHS Initial Notification letter? This includes all of the Appendix A chemicals of interest at the facility in excess of the STQ and all of the security issues identified in the notification letter from DHS.

Does the ASP use a Center for Chemical Process Safety (CCPS)-approved methodology? The CCPS helped to develop the methodology used in the CSAT SVA. It has certified to DHS that the following publicly available methodologies have been reviewed and have found to meet the CCPS SVA criteria:

  • CCPS® SVA
  • API/NPRA SVA (for petroleum and petrochemical sites)
  • SOCMA SVA (manual must be used)
  • National Paint and Coatings Association SVA (for Paint and coating sites)

As of January of this year CCPS has reviewed the following company SVA’s and found that they meet the CCPS SVA criteria:

  • ExxonMobil SSQRA
  • BASF SVA
  • Air Products and Chemical SVA
  • Georgia-Pacific SHA
  • FMC SVA
  • PPG SVA
  • Asmark SVA (For Ag Chemical Distributors)
  • Bayer SVA
  • Marathon Ashland Petroleum

There will be a series of questions dealing with the provisions of Section 27.215. The questions will ask if the ASP addresses Asset Characterization, Threat Assessment, Countermeasures Factors, and Risk Assessment Factors specified in that section.

Does the ASP cover all of the applicable attack modes included in the CSAT SVA? A yes answer means that the ASP covers all eight of the attack scenarios used in the SVA. Details of these scenarios are available online at http://www.csat.dhs.gov/csat "to active CSAT users that have completed CVI training and have started their SVA" {page 16}.

Finally, the facility will be asked to provide the name of the SVA methodology used to develop the ASP to be submitted and the date the analysis was completed. The last question to be asked (if a ‘no’ answer was provided for any of the above questions) is: Do you still want to upload the ASP for consideration? A yes answer will take the facility to the uploading step. A no answer will take the facility back to the SVA submission program.

Uploading ASP Files

To start the upload process type a descriptive file name into the provided box for the first data file and push the "ADD" button. A "DESCRIPTION" button will then appear, push it. Use the resulting block to browse for the File Name on the facility computer and click the "ADD" button. Repeat as necessary to add all of the data files for the ASP.

Once the facility can answer the following question in the affirmative; "Have all the ASP files been uploaded?" the facility can begin the submission of plot plans or maps that support that ASP. These files will be uploaded using the same basic procedure used for the data files. There are, however, two additional pieces of information for these mapping files, the image width and height expressed in miles.

When all of the data and mapping files have been uploaded and confirmed as having been completed by the Preparer. The following notice will appear on the screen:

  • "Thank you for submitting an ASP in lieu of the CSAT SVA for consideration by DHS. DHS will review your ASP submission and subsequently inform you of its acceptance or rejection."

Finish Filing ASP

The remainder of the filing process is the same as will be used by those facilities that are completing a CSAT SVA. The Preparer will complete a validation process to ensure that all of the appropriate information is provided and is in the expected format. A summary report will be prepared and printed. The Preparer will then ‘send’it to the Submitter for approval.

After checking the document for accuracy and completeness the Submitter can return it to the Preparer for editing. Once the document is complete and accurate the Submitter will print a final copy of the document and then submit the ASP to DHS. Once it is submitted, the facility will no longer have access to the document. The printed document is required to be maintained in the facilities security file and is considered a CVI documents, requiring the appropriate protections.

DHS will review the submitted ASP and notify the facility of the results of the review. If the ASP is approved, the facility will be notified of the final tiering decision based on the Top Screen and ASP data. If the ASP is not approved, DHS may require additional information to be provided or require the facility to submit a regular SVA.

Tuesday, June 24, 2008

HS Subcommittee Looks at Chemical Incident

Chairman Thompson announced today in an email that the Transportation Security and Infrastructure Protection Subcommittee would be holding a hearing on a recent (06-11-08) chemical incident at the Goodyear Plant in Houston, TX. The hearing will be tomorrow at 2 p.m. EST. I have seen nothing in the news reports that would indicate a homeland security connection with this incident where one employee was killed in an apparent process accident.

I am currently on the road and do not have access to my incident news file, but as I remember the details there was an explosion in the condenser on vessel used in some sort of high temperature distillation process. The explosion released some quantity of ammonia that was being used as the coolant fluid in the condenser. Because of the presence of ammonia fumes in the area, there was only a limited initial search of the area that did not find the worker that was later found dead under some debris. There were some questions raised about whether a more complete, earlier search would have found her alive.

This incident did not make the short list of chemical incidents that is investigated by the Chemical Safety Board, but that may be due more to the limited manpower that safety organization has than the severity of the incident. OSHA is almost certainly investigating since a death resulted from the incident.

The list of witnesses is a very interesting collection of interest groups and government agencies as well as the widower of the veteran worker that was killed in the incident. The witness list includes:

  • Robert D. Jamison, Under Secretary National Protection & Programs, DHS
  • Norman J. Rabkin, Managing Director for Homeland Security and Justice, GAO
  • James Jay Carafano, Assistant Director, Kathryn and Shelby Cullom Davis Institute for International Studies and Senior Research Fellow, Douglas and Sarah Allison Center for Foreign Policy Studies, Heritage Foundation
  • Raymond McInnis, former employee of the Goodyear Plant in Houston and widower of Gloria McInnis, who was killed at the plant on June 11
  • John S. Morawetz, Director, International Chemical Workers Union Center for Worker Health and Safety Education
  • John P. Paczkowski, Director, Emergency Management and Security, The Port Authority of New York and New Jersey

This might be an interesting hearing.

Getting Started with SVA Submissions

As noted in yesterday’s blog (see: "SVA Announcement") DHS has published instructions for the completion of SVA’s. From other reports (see: "Vulnerability Assessments are Underway") it is apparent that DHS is (or already has begun) in the process of sending out high-risk facility notifications that includes the tier ranking for those facilities. These notifications are based on the Top Screen Submissions that were submitted late last year through January of this year.

SVA Tool

The SVA Tool is one of four components of the Chemical Security Assessment Tool (CSAT). The facilities being required to complete an Security Vulnerability Assessment using the SVA tool have already dealt with two of the components of the CSAT, the Registration and Top Screen tools. The basic operation of the SVA Tool is very similar to the two components already used.

Like the other components of CSAT this tool is a secure, on-line computer application. Only registered users for that facility may access the SVA tool to enter, edit or submit data. The same roles that were used for the Top Screen will be used for the SVA Tool, unless they are specifically changed using the registration maintenance process (see: "Updates of CSAT Top Screen Manuals")

Those roles are briefly reviewed below. While there are four distinct roles, one person may fulfill as many as three of these roles. All of these people must have completed Chemical-Terrorism Vulnerability Information (CVI) training and DHS certification procedures before they can work with the SVA Tool (this was not required for Top Screen submission).

  • Authorizer – An officer of the corporation (or a person directly authorized by an officer of the corporation) who can designate the other roles within the CSAT. Does not enter or submit data in this role.
  • Submitter – An employee of the corporation who has been given the authority to submit CSAT information to DHS.
  • Preparer – A person who has been given the authority to enter information into CSAT.
  • Reviewer – A person who has been given the authority to look at submission in the CSAT system.

Data Entry Procedures

There is no doubt about it. The SVA tool is more complex than the Top Screen. It will take more time to completely enter the data into the tool, so it will not be done at a single setting. One simple procedure must be used to ensure that the data entered is properly saved by the system before logging off, or else the data will be lost. That procedure is the same as used in the Top Screen; use the on-screen navigation buttons ("NEXT" and "BACK") to move from screen to screen. Using the back and next buttons on your computer browser may not result in the information being saved.

There is an interesting note on page 8 about navigating pages; it notes, in bold print:

  • "Please note that if a user returns to a section of the SVA that was previously completed, all the subsequent pages need to be reviewed".

It is important that people remember this. There are a number of pages that are only shown to users that are required to fill them out. That requirement is determined, in many cases, by answers provided to questions within the SVA. Changing those answers may change what pages are seen or what subsequent questions must be answered.

There are some data entry procedures that are new to the SVA tool. There are places where additional lines of data may be required. This will be accomplished by pushing a "ADD" button. If a line is not needed it may be removed by pushing the adjacent "DELETE" button. There are also provisions for adding descriptions for various devices or systems named in the SVA. The Preparer will push a "DESCRIBE" button to open a data box to provide the needed description.

One last data entry point; there is a 20 minute ‘time out’ provision on the SVA tool. This means that if there is no activity on the site for 20 minutes the site will close. Any data that was entered after the last time a "NEXT" or "BACK" button was pressed will be lost. All other data will be available the next time the site is entered; log-in will re-open the last screen being worked on.

Pre-populated Data

When the facility representative signs on to the SVA tool for the first time some of the information may already be filled out. The location information completed in the Top Screen will normally be filled in on the SVA. Most of this data may be changed or updated if needed. The one exception is the longitude and latitude data. That data can only be changed by calling the Help Desk. While this is not explained in the instructions, it is apparently due to thefact that DHS has included a ‘map’ of the facility in the SVA. Changing the latitude and longitude would also require a change in that map.

The other class of pre-populated data is that information that would be taken from the DHS ‘High-Risk Facility’ notification letter. This information may include such items as the Facility ID Number, the COI security issues that must be addressed in the SVA and a list of the COI associated with those security issues. If these are pre-populated (presumably the normal case) they will not be editable. In some cases, the pre-populated questions will not even be seen. Facility specific questions on this should be referred to the Help Desk (866-323-2957; 7:00 a.m. to 7:00 p.m. EST, Monday thru Friday).

Monday, June 23, 2008

SVA Announcement

The schedule information is the generic schedule based on the Tier ranking for the facility, no actual dates are given just the number of days from the time DHS notifies the facility of their Tier Ranking. The schedule is:

  • Preliminary Tier 1 facilities have about 90 days to complete and submit the SVA;
  • Preliminary Tier 2 facilities have about 120 days to complete and submit the SVA;
  • Preliminary Tier 3 facilities have about 150 days to complete and submit the SVA; and
  • Preliminary Tier 4 facilities have about 180 days to complete and submit the SVA or an Alternative Security Program (ASP) in lieu of an SVA.

The new CSAT Page notes that extension requests can be requested. The only information given is a mailing address, so I suspect that only written requests will be accepted.

SVA Manuals

DHS has published two manuals for the SVA in much the same vein as they did for CSAT registration and the Top Screen. I have not yet (they were just posted within the last two hours) had a chance to review the lengthy manuals, but rest assured that I will delve into them with my typical anal retentive thoroughness. For now, the manuals can be found at:

CSAT Security Vulnerability Assessment Questions

CSAT Security Vulnerability Assessment Instructions

One note on the SVA access, the CSAT Web Page notes that only people that are CVI (Chemical-Terrorism Vulnerability Information) certified may access the SVA Tool. It does provide a link to the training necessary to get certified.

Apologies to DHS

Faithful readers of this blog will no doubt remember that I have taken DHS to task a couple of time (see: "Vulnerability Assessments are Underway") for not publishing the instructions for the SVA. It seems that my concerns were misplaced. I offer my apologies for my doubting the Department’s willingness to make this program as open as security concerns would allow.

DHS FAQ Page Update – 06-20-08

On Friday, DHS added a large number of questions to its FAQ page. I usually try to at least list each of the questions, but this time, with 42 new questions posted, it does not appear to be reasonable to do so. Instead, this time any way, I will list categories under which the questions are listed.

  • Sabotage Contamination
  • Thresholds
  • Top Screen Resources
  • Top-Screen Navigation and Troubleshooting
  • Total On-site Quantity
  • Total Production Value
  • Toxic Chemicals
  • User Registration Process
  • User Roles

There are a few of the questions or answers that are interesting, either from the point of view of new information or highlighting unusual situations.

Facilities Directed to Provide Top Screen Information

  • 1441: I do not have any chemicals of interest (COI) in an amount at or above the applicable Screening Threshold Quantities. However, I received an email from DHS requesting that I complete a Top-Screen. Do I need to complete a Top-Screen?

The answer notes that Section 27.200 of 6 CFR provides the Secretary with the Authority not notify individual facilities or classes of facilities to submit information to be used to determine if they are high-risk facilities. One reason for DHS to do this would be if a given industry appears to be under represented in the Phase II Top Screen Submissions. For example:

  • Industry B is known to typically use large refrigeration systems that use anhydrous ammonia as the coolant. If there are known to be 1000 facilities across the country in that industry and there were only 300 Top Screens completed by those facilities. DHS might ask the other 700 facilities to complete a Top Screen to get a better picture of how many those facilities actually did have an STQ amount of anhydrous ammonia on site and just failed to submit a Top Screen for some reason.

Password Problems

  • 1451: When I log in to the Top-Screen, I get a message that my passwords has expired and that I need to create a new one. However, when I enter a new password, I get an "invalid" error. What do I do next?

Apparently some people are having problems changing their password. One problem is that the requirements for the password are a little more complex than most internet require. An acceptable passwordmust:

  • Contain at least 8 characters, and
  • Contain at least one uppercase letter, and
  • Contain at least one lowercase letter, and
  • Contain at least one number, and
  • Contain at least one special character, e.g., !@#$%&*).

DHS has used a peculiar system. It requires that the password is entered three times instead of the normal two times. After the each of the first two entries the system apparently shows a bogus ‘invalid’ message instead of a prompt for a re-entry of the new password. Now wonder someone got confused….

Friday, June 20, 2008

The Farm Bill is Approved Again

Well Congress and the President went back through the scripted Farm Bill dance of re-passing, re-vetoing and once again overriding that veto. All of this was done because a printing error removed 34 pages of the bill that was passed earlier. As I noted in an earlier blog (see: "Farm Bill Passes Over Bush Veto – Maybe") I expected that DHS would not count the earlier passage of the Farm Bill as the start of their 30 day clock on establishing an Agricultural Outreach Program about propane and the Top Screen.

Well, that clock should definitely start today. This is just another of those pesky congressional mandates that takes up the time of the people at DHS that are trying to get the CFATS implementation going.

Congress Working on DHS Appropriations Bills

In this election shortened legislative year the budget season starts early. Both the House and the Senate are in the process of crafting their budget bills for the Department of Homeland Security. Last week the news came out of the House Appropriations Committee. This week the news comes from the Senate Appropriations Committee. So far the news is encouraging; there are no discussions of budget cuts for chemical facility security programs. In fact, both houses intend to appropriate more money for DHS than the President requested.

Budget Increases

Last week the House Appropriations Committee announced that it intended to increase the DHS discretionary budget by about $2 Billion to $39.9 Billion. The bulk of this extra money would go into various grant programs to state and local governments. The biggest increase goes to State homeland security grants, restoring the $750 million that the administration had transferred to other DHS programs.

This week the Senate Appropriations Committee added almost $2 Billion more than the House brining the discretionary spending to $41.3 Billion. The Senate also increased money going to the grant programs, but also added some monies to a variety of specific programs within the DHS budget. Of interest to readers of this blog is that they propose to double the President’s increase in the budget for ‘Chemical Regulatory Activities’ bringing that total to $75 Million for 2009.

Both of the Houses are writing their own budget bills. This will mean an inevitable conference to iron out the differences. There is no telling what will happen in conference.

Program Add-ons

Keeping in mind that the current CFATS regulations were the result of insertion of Section 550 into the 2007 Appropriations Bill, we are well aware that it is not unusual for Congress to slip new programs and modifications to current programs into the Appropriations Bill. Chairman Thompson is making no bones about adding five recently passed house bills to the house appropriations bill. Those bills are:

  • HR 1333 – Directing a study of the use of the Civil Air Patrol to support DHS operations.
  • HR 2631 – Directing an increase in efforts to develop nuclear forensics capabilities.
  • HR 4179 – Establishing a new redress procedure for No Fly List errors.
  • HR 4749 – Providing authority for the current Bombing Prevention Office within DHS.
  • HR 5982 – Directing a study of the use of biometric identification for airport workers.

Neither bill is yet available on Thomas.LOC.Gov so there is no telling what other goodies have already been added to these bills. Two things to watch for: reauthorization of the CFATS program passed October 2009 and the addition of IST requirements to the current CFATS regulations. Either, or both, of these provisions could be added to one of these bills to avoid a big fight over the passing of HR 5577 this summer.

 
/* Use this with templates/template-twocol.html */