Thursday, August 28, 2008

2008 Chemical Sector Security Summit Page Update 8-27-08

Well, it has been over a month now, and DHS has finally gotten around to updating the page dealing with the 2008 Chemical Sector Security Summit. No longer does the page give registration information. It now provides a summary of the going’s on at that gathering.


Unfortunately, the page is fluff with little substance. There are no links to any of the presentations. Yes, I understand that many of these presentations were not prepared by or for government agencies so there are copyright issues involved. But, these were shared at a public forum so there should be no proprietary information in the presentations.  So, copyright issues should have been able to be worked out.


There were no such issues with government agency presentations. It would be very nice if everyone that could not get to Maryland for this conference could get a chance to hear/see what DHS had to say about the Risk-Based Performance-Standards that high-risk chemical facilities will be using on their Site Security Plans. I do understand that DHS is working on a guidance document for those that will presumably be issued in time for the opening of the SSP-CSAT pages. So, maybe the RBPS slides aren’t that important. There were other government agency presentations and speeches by government officials for which links could have been provided.


There is an email address ( to request access to the Chemical Security Awareness Training Program, but that is old news to readers of this blog (see: “Chemical Security Awareness Training”). This is, however, the first official mention that I have seen/heard about this site. That alone may make this page valuable.

Adversarial versus Cooperative Inspections

I would like to continue to examine a theme started in yesterday’s blog (see: “Chemical Facility Inspection Team Philosophy”) and look more closely at why I believe that adversarial inspections are an inappropriate method of implementing the CFATS inspection process. The inspiration for these entries continues to come from a series of emails that I have exchanged with Brandon Williams. On this subject, Brandon made this comment:


  • “This effort will not be successful in a true sense if it is boiled down to a checklist drill executed in a strict, regulatory fashion.  It must be cooperative, flexible and joint with mutual understanding and information-sharing.”

Criminal Non-Compliance


I know that there are a large number of people (and at least a few of my readers) that will honestly and even vehemently disagree with the concept of cooperative inspections. They believe (and can certainly point toany number of contemporary and historical examples to support that belief) that American industry must be dragged, kicking and screaming into compliancewith federal rules and statutes.


The continuing enforcement history of the OSHA safety and the EPA environmental rules certainly shows that there are a number of criminal companies that will ignore and even flaunt those rules unless hammered with fines and criminal sanctions. There is every reason to think that that will also happen with the CFATS regulations.


Given that, how can I say that an adversarial inspection process will not work? It’s easy, all I need to do is to point to the same examples. In most cases, criminal negligence and criminal non-compliance has not been caught by routine, and inherently adversarial, compliance inspections. They have come to light when the non-compliance has resulted in off-site impacts or on-site deaths and injuries that could not be covered up by a criminal enterprise. Only then were detailed, comprehensive inspections done of those facilities


Fortunately, CFATS has the tools necessary to deal with facilities that willfully and criminally fail to comply with the regulations. While there are no specific criminal provisions (which should be corrected in future legislation) there are provisions for levying fines. More importantly the Secretary is given the authority to shut down facilities. This is an important tool to be used to deal with those individuals and companies that refuse to comply or are for some reason incapable of complying with the standards set forth in the regulations.


Site Security Plan Inspections


The CFATS regulations call for a two-step approval process for Site Security Plans (SSPs, the next step in the process after SVAs). They will first be reviewed administratively for completeness. That review will include insuring that all of the vulnerabilities addressed in the SVA are addressed and that all of the appropriate risk-based performance-standards are addressed. Once this review is successfully passed, a Letter of Authorization will be issued by DHS.


The second step of the process is the on-site inspection. Up until this time, most facilities will never have seen or possibly even talked to a DHS representative. Almost all interactions with the Department will have been done through the Chemical Security Assessment Tool (CSAT), the online tool used to submit information to DHS for review. The behavior and attitude of inspectors at this point will likely color all future interactions with the Department.


It is not expected that the SSP will be completely implemented at this point; capital improvements may take some significant time to plan and put into place. A facility is unlikely to spend large amounts of dollars on a major installation without knowing if DHS will consider it to be appropriate and adequate. The facility should be prepared to explain and discuss any such plans with the inspector.


Once this SSP site inspection process is successfully completed, DHS will issue the facility a Letter of Approval. Subsequent site inspections will be used by DHS to gauge the adequacy of the facility’s implementation plan and maintenance of the SSP. These inspections may be used to verify completion of major projects or to document that appropriate maintenance is being completed.


Hands-on Inspections


The typical check-list inspection is completely inappropriate for this SSP site inspection process. The first phase of the SSP approval process already ‘checked’ off the ‘required’ portions of the SSP before the inspector was even dispatched to the facility. This inspection needs to be a detailed, hands-on, get your shoes dirty, review of the facility’ implementation of the SSP.


For example, if the Site Security Plan includes a perimeter fence, the entire fence line should be physically checked. The inspector would be looking at the quality of installation and maintenance of the fence. Special areas of concern would be where the fence crosses creeks or gullies to ensure that there were no areas where an intruder could easily get under the fence. Questions would be asked of the maintenance department about the reliability of the contractor that provides fence repairs and the response times for fixing damaged sections of fence.


Video surveillance systems should be checked for dead spots. This can be best done by walking the area under surveillance and watching the camera. If the camera cannot be seen it is unlikely that the system can see that spot. The facility should know about such spots and have a plan for dealing with them. Video records should be checked to see how well the system adapts to changing lighting conditions at dawn and dusk. Video records may also be used to audit gate guard performance in day-to-day operations.


And we could go on, and on, and on….


This type of inspection takes time and requires the pro-active involvement of the facility security management team. That type of involvement cannot be demanded or coerced. It has to be freely given. The only way to receive that commitment is for the inspector to convince, by word and action, that he really is there to help the facility. 


Local Assistance


There is a way to ease the inspector’s problem of convincing the facility that the phrase “I’m from the government, I’m here to help” is not a joke, but the actual truth. That would be to bring in local assistance on the inspection. There are a number of local agencies that have a very large stake in the security of high-risk chemical facilities. They include local law enforcement, hazmat responders from the local fire department and the local emergency management agency.


DHS would do well to consider adding representatives from one or more of these local agencies in their initial inspection programs for high-risk chemical facilities. First it would provide extra sets of eyes to look at the problem and provide different perspectives. Secondly, it would insure that these local agencies are brought into the planning process for preventing and/or responding to a terrorist attack on the facility.


One last benefit that should not be ignored or minimized; bringing a concerned and knowledgeable outsider with contacts in the local community into the process would go a long way to providing DHS with political cover on what is, of necessity, a somewhat secretive process. That secrecy has provided extensive fodder for the groups that have various reasons to distrust the federal government and the chemical industry. Brining local ‘outsiders’ into the process would help to minimize those complaints.


These outsiders would have to be cleared and vetted for CVI, but their positions should make that relatively easy to do. They would probably have to undergo that process in any case, since they (or their co-workers) should be working with the facility in any case on the emergency response plan that should support the facility security program.

Wednesday, August 27, 2008

Chemical Facility Inspection Team Philosphy

In yesterday’s blog I looked at the factors that have delayed the fielding of the inspection teams that will visit every high-risk chemical facility in the United States. That blog was brought about by some questions asked by a reader, Brandon Williams. In addition to asking cogent questions, Brandon brought up some ideas that need to be considered when establishing teams like these.


Training and Background


The first thing that needs to be determined is the necessary qualifications for being an inspection team member. First off, there are very few people that have expertise in both security and chemistry. The situation is even worse when you consider that both fields have developed an impressive degree of specialization. This effectively means that there is no one that is really an expert in security or chemistry; they are experts in a limited subset of one of those fields.


I remember reading some where that DHS had decided that their initial hires (back in 2007) would be personnel from the security field. The idea was that they would have the primary skill set that would be lacking at chemical facilities. Chemical facilities would supply the chemical and engineering expertise, allowing for a well rounded team.


There is a problem with that rationale. There is a fundamental disconnect in vision and even language in people with a security background and those with a commercial or manufacturing outlook. Without experience in and around chemical facilities security personnel are going to have a difficult time communicating with personnel operating in that environment.


There is a group of people that have a requisite background in security and a basic familiarity with chemical manufacturing and distribution facilities. These are the people that have worked for the federal government in the Chemical Warfare Convention inspection process. These are the people that helped chemical facilities get ready for, and escort the international CWC inspection teams over the last ten years or so.


Enforcement or Assistance


The amount of communication required between inspectors and facilities will depend in large measure on the purpose of these teams. If their purpose is to enforce the CFATS regulations, then the level of communication required is relatively low. If their purpose is to help facilities achieve an acceptable level of security against terrorist attacks a great deal of two-way communication is required.


My high-school English teacher would have complained that the phrase ‘two-way communication’ was unnecessarily repetitive; communication requires a two-way exchange of information or ideas. Anyone that has sat through an EPA, OSHA, or DOT compliance inspection understands why the repetition is necessary. I can still recall a plant manager telling us: “Don’t say anything more than necessary. Answer all questions truthfully, but don’t provide more information than asked for”.


There are those that insist that federal inspectors are there to ensure that regulations are followed, that an adversarial environment is inevitable. In my opinion that is a fundamentally flawed outlook. It underlines the basic failure of both OSHA and EPA to make workers or neighbors safer. It ensures that inspections are limited to paperwork drills with inspectors seeing just what they ask to see, no more.


Checklist Inspections


With a small number of inspectors and a large number of complex facilities to inspect and re-inspect there will be a natural tendency for an inspector to arrive with a checklist of things to see. Those items will be looked at; a few pointed questions will be asked and succinctly answered; then the inspector will move on to the next facility. This will ensure that facility reports are easy to write and a year-end report can be prepared for congress showing that the agency met its requirement to check all 7,000 high-risk facilities.


As time goes on, budget cuts will result in fewer inspectors. They will conduct shorter and more infrequent inspections. There will be minimal communication between inspectors and facilities. The result will be an agency that is no more effective than OSHA or EPA at proactively detecting and preventing problems. The problem is that a failure of the DHS CFATS program will result in one or more successful terrorist attacks on vulnerable chemical facilities.

Tuesday, August 26, 2008

Toronto Propane Fire Follow-up

In yesterday’s blog reviewing recent chemical incidents (see: “Chemical Incident Review 8-25-08”) I mentioned that it “is unlikely that it was caused by a legitimate transfer operation”. Well it seems that the accuracy of that observation would hinge on what is a ‘legitimate transfer’. Recent news reports indicated that just before the first explosion there was a propane transfer conducted by company personnel; a transfer prohibited under Ontario safety regulations


Additional follow up information was also included in a Toronto Star article. The city will be inspecting 580 homes in the area for blast related damage and asbestos contamination. It is not clear from the article where the asbestos came from. The City of Toronto expects to spend about $1.5 million (Canadian Dollars) in site and neighborhood cleanup. A suit against Sunrise Propane to recover those costs is likely.


Fixed Facility Transfers


In the way I used the term in my blog, this would have to be considered a ‘legitimate transfer’. In the way that government officials look at propane transfer operations it seems that it was an illegal transfer. The reason for that is that the transfer was taking place from one truck to another truck. Ontario safety rules require that bulk propane transfers take place between a fixed storage tank and a vehicle mounted tank and specifically prohibit truck-to-truck transfers. Both articles note that the Ontario Technical Standards and Safety Authority (TSSA) had previously cited the Sunrise Propane site for such transfers.


Neither article explains the reason for the regulations, other than saying that it reduces the possibility of leaks and fires. Without having seen the actual regulations, I can guess the reasoning. If the Ontario regulators also require high-flow cutoff valves on their propane storage tanks, such valves can greatly reduce the volume of product loss during a hose or connection failure. Without a requirement to have such valves on the storage tanks, there is no reason why a tank-to-truck transfer would be inherently safer than a truck-to-truck transfer.


High-Flow Cutoff Valves


These valves are safety devices that are placed between the tank and the main discharge valve on the tank. They include a flow meter that detects the rate of chemical movement through the discharge line. If the flow exceeds a pre-set value, indicating a large leak, the valve automatically closes, shutting off the flow to the leak.


Without such a valve in place, a human operator has to be present at the transfer, notice the leak, move to the valve control, and close the valve. In the event of a hose or line failure, that operator is in a high risk environment and may have to risk his life to close the valve. Officially, no company is going to ask, or in most cases even allow, an operator to take that risk.


Tank wagons and railcars are not equipped with high-flow cutoff valves fora variety of reasons. Facilities that handle high numbers of hazmat loadings may put such a valve on their permanent loading/unloading lines so that a valve very near the end of the line that connects to the mobile tank is controlled in the same manner. This limits the amount of unprotected line to the small amount between the valve and the mobile tank. Then frequent inspections are done on that short section of line to detect potential failures before they occur.


The United States Chemical Safety Board has recommended that OSHA require such valves on all fixed tanks used to store PIH chemicals, chlorine in particular. To the best of my knowledge, OSHA has yet to do so.


High-Flow Cutoff Valves as Security Devices


There is also a security aspect to the high-flow cut off valve. One of the easiest types of attacks to execute against a high-risk chemical facility containing release COI is for an insider to walk over to the bottom valve on a release COI storage tank and open the valve. Wearing suitable protective gear, the insider would just walk away and join the facility evacuation. A properly installed high-flow cutoff valve would make such an attack much more difficult.


The same relatively simple, stand-alone control system that operates the valve could also be programmed to sound a warning (a pre-set verbal notification over a PA system or plant radio system would work well). It could also initiate various release mitigation measures such as fire suppression systems.


As with all security and safety systems, high-flow cutoff valves must be appropriately designed, installed and maintained to be effective. They certainly should be considered for all facilities with storage tanks containing release-toxic or release-flammable chemicals of interest.

DHS Chemical Facility Inspectors

I got an interesting series of emails from a reader, Brandon Williams, last week. He wanted to know what I had heard about what was happening with the expansion of the DHS personnel that would be doing the hands-on work of inspecting high-risk chemical facilities and helping them with the implementation of the Site Security Plans called for in the CFATS regulations.


Current Workforce


DHS has been using a limited number of personnel to ‘help’ Phase I facilities work their way through the CFATS implementation. This assistance has been more about helping DHS work the bugs out of the CFATS process than it has been about assisting presumably high-risk facilities work through Top-Screen and SVA submissions. The work of these personnel has not been enforcement, but about debugging the system before large numbers of facilities started work on these programs.


In a number of different forums it has been noted that there are about 100 personnel working on CFATS related issues. These personnel have been working for the Infrastructure Security Compliance Division (ISCD). What is not clear is how many of these people are actual inspectors and how many are working in various administrative and support roles.


Expanding Workforce


With over 7,000 high-risk facilities involved (some of them quite large and complex) DHS needs a large force of dedicated and well trained inspectors. To be ready to begin the first round of site visits the hiring should have already begun. This is what Brandon was asking about; why hasn’t this hiring begun?


Brandon has done quite a bit of research on this expanding workforce. He believes that DHS is planning on opening 10 field offices with five inspectors and an area commander at each office. He has seen position announcements for each of these positions, but no indications that hiring has actually started.


Budgetary Stepchild


CFATS was established as a congressional afterthought in the 2007 budget process. Actually it was more politically involved than that, but the effect was the same. DHS was given the responsibility to put together a program to regulate high-risk chemical facilities that congress did not have the stomach to battle through. Along with that minimal guidance, congress provided minimal funding.


The 2008 budget process wasn’t much better. Early in the process there was a big fight over propane and there was the threat by Senator Grassley to withhold enforcement funds from the DHS authorization. In the end there was no DHS Authorization Bill, it was rolled into what the press called the Omnibus Spending Bill.


Well, I am good at tracking down odd provisions in the requirements portions of legislation, but I have never learned how to follow the money. So, I checked with someone at DHS who should understand the money. He told me that there was some money in the 2008 budget for personnel, but no money for establishing the regional offices.


Regional Offices


It seems that DHS is not only capable of writing complex regulations with minimal congressional supervision, but they are also capable of squeezing money out of the budget for establishing at least a couple of regional offices. Three of the planned ten regional offices are being put together, only they are being called pilot offices for now.


What is interesting is the three cities where these ‘regional’ pilot offices are being established; Houston, Newark, and Philadelphia. Houston and Newark were selected for obvious reasons. Both have large number of chemical facilities, mainly based on petrochemicals. Philadelphia is harder to understand. It has a significant chemical base, but it is very close to Newark. I would have expected to see something in the Midwest or West Coast, to ease inspector travel times if nothing else.


The Way Forward


Where DHS is going from here is less clear. I have discussed the current budget impasse in a couple of blogs (see: “Department of Homeland Security Appropriations Act, 2008”). The current administration lacks the political capital and will to force full implementation of CFATS. The House leadership seems to be indifferent, at best, to concerns about security at high-risk chemical facilities.


It seems likely that the three inspection teams currently being formed, augmented by the people already on hand, will be all that will be available for at least the first round of plant visits. We will have to wait to see what the next congress decides to do (or not do if Speaker Pelosi continues on her current course) about chemical facility security.

Monday, August 25, 2008

Reader Comments 08-22-08

John Honovich


John Honovich posted a comment to last Friday’s blog (see: “Electronic Security Networks”). While he agreed with much of what I wrote, he also had an important observation:


·         “One of the practical challenges I still see is the interaction between IT and security organizations. While it's not necessarily a technical issue, it can become a practical issue to coordinate these two departments working together.  Have you seen or heard such issues?”


The last chemical plant that I worked in did not have a security organization (pre-CFATS). When they installed the video camera system, the contractor worked with the plant, not IT. Our Process Engineer was a computer whiz any way so there were no problems tying the system into the plant (corporate) network. No thought was given to the security of the camera system.


It would be interesting to hear from any readers that have any current experience working out issues between IT and Security.


Fred Millar


Fred Millar posted a comment on his blog about one of my blogs from earlier this month (see: “Community Right to Know and CFATS”). He liked the information and posted a link to an article about the lack of security on rail shipments of hazardous chemicals in St. Louis.


This was the same day that I saw three chlorine railcars sitting on a siding in my hometown for over six hours. There was no one around but the hundreds of people driving by just a hundred feet away without even a fence for ‘protection’. Oh yes, there was an elementary school about a half-mile downwind of where the railcars were parked.


Fred and I frequently disagree on the industrial use of chemicals like chlorine, but I always agree with him that the security on rail lines is less than inadequate.

Chemical Incident Review 8-25-08

Once again, since there have been no reported terrorist incidents at chemical facilities reported in the press, we will look at chemical accidents and incidents that have been reported. It has been a busy couple of weeks according to news reports, so we have lots to choose from. Remember, this is not being done to review safety, but rather to look at such incidents to see what they can teach us about security and mitigation.


Illegal Methamphetamine Lab; Jonesburg, MO


The Warren County Sheriff’s Department found six propane-cylinders filled with anhydrous ammonia during the search of a ‘suspected’ methamphetamine lab. Five of the tanks were found buried in the ground. Unwilling to transport the pressurized cylinders of a corrosive chemical, the authorities punctured the cylinders and let the gas disperse on site.


This is just another in a series of incidents that point out the theft/diversion hazards associated with anhydrous ammonia. As I pointed out in an earlier blog (see: “Anhydrous Ammonia Drill”) DHS does not list anhydrous ammonia as a theft/diversion COI. Facilities with anhydrous ammonia still need to take precautions to prevent theft and diversion.


Sunrise Propane Industrial Gasses; Toronto, Ontario


A series of explosions at a propane distribution facility destroyed that facility, heavily damaged five nearby houses and blew out windows a ‘fair distance from the scene’. One facility employee was missing and a number of nearby residents were injured by the blast and flying debris. A number of law suits have already been initiated because the facility was sited in a residential neighborhood.


It will be a while before the cause of the initial explosion is determined. With the incident taking place early Sunday morning it is unlikely that it was caused by a legitimate transfer operation, but an attempted theft of propane has not yet been ruled out. Security procedures that are designed to protect against a terrorist attack could be expected to be effective against theft and vandalism.


CSX Train Derailment; Hendersonville, TN


A train derailment where 17 CSX railcars left the tracks presented a different sort of Hazmat situation. None of the derailed cars contained chemicals; they were carrying cars, trucks and SUVs. The Hazmat situation arose when one of the derailed cars hit a storage shed owned by the White House Utility district. The shed was used for storing chemicals.


Many chemical facilities are built adjacent to rail lines. A derailment could send railcars crashing into storage tanks, warehouses, or processing facilities at many of these facilities. A railcar crashing into a PIH storage tank would result in just as catastrophic a release as a VBIED. And it may be easier to cause a significant derailment than to get a VBIED close enough to a ‘protected’ PIH tank.


High-risk chemical facilities with adjacent rail lines needs to look at their possible vulnerability to secondary releases due to a passing train derailing near their facility. It would be hard to armor a storage tank to withstand a rail car collision. The only real defense would be to move the tanks far enough away from the rail line.


Shell Hydrogen Refueling Station; White Plains, NY


The White Plains, NY fire department had to deal with a hazmat incident that could be come all too common in the future if hydrogen powered vehicle advocates have their way. A compressor at a Hydrogen Refueling Station (currently the only one in the NYC area) caught fire. The fire was put out before the hydrogen ‘tank’ was involved.


This facility only has a 79 lb (36 kg) hydrogen storage tank. The hydrogen is made to demand by hydrolysis of water. The demand is so low (6 to 8 customers) right now that this tank size is adequate. As fuel cell or hydrogen combustion vehicles become more common the tank size will increase to meet the demand.


When the hydrogen storage tanks reach 10,000-lbs in size, these ‘gas stations’ will have to submit Top-Screens because hydrogen is a flammable release COI. It will be interesting to see how their site security plans deal with the open access necessary for customer service. The current ‘exemption’ for gasoline stations could not be justified for hydrogen because even a small breach of containment on a pressurized storage tank would result in a large fuel-air cloud that could be devastating if ignited.

Homeland Security Advisory Council Teleconference

Last week DHS posted a notice in the Federal Register that the Homeland Security Advisory Council would be holding a teleconference on September 11th, 2008. The Council will be “reviewing and reporting to the Secretary of the Department of Homeland Security the ten most pressing strategic-level challenges that will confront the next Secretary of Homeland Security.”


Members of the public wishing to participate in the teleconference need to register by September 8th. Written documents may be submitted to docket # DHS-2008-0086 at

DHS FAQ Update 08-22-08

This week DHS had only a single update/review done on their CSAT FAQ webpage. It deals with the effect of ‘material modifications’ made by a facility between the time their Top-Screen was submitted and the date required for SVA submission. The question reads:


  • “1531. My circumstances have changed from my original Top-Screen submission. What do I base my SVA on—my original submission, or the material modifications I have made?”

There is nothing really new in the answer. The facility is required to submit a new Top-Screen and the current SVA deadline remains the same, unless and until that deadline is modified by the DHS response letter to the new Top-Screen. If the facility believes that the new Top-Screen will significantly modify their status (change the tier ranking or remove the facility from CSAT status) they may request an extension of their SVA deadline, using the new Top Screen submission as justification.


I am disappointed that the CSAT Help Desk did not include the alternate address for submission in their reply. Last week (see: “DHS FAQ Page Update 08-15-08”) I noted that DHS included the street address in their reply about Top-Screen extensions. This is needed when a facility wishes to use someone other than the USPS to transmit their extension request. For those needing that address, here it is:


C/O Dennis Deziel
Chemical Security Compliance Division
Office for Infrastructure Protection
Mail stop #8100
U. S. Department of Homeland Security
Murray Lane, SW, Building 410
Washington, DC 20528

Friday, August 22, 2008

Electronic Security Networks

Last week John Honovich posted an interesting article on this web site dealing with the value of megapixel camera. The article is informative and provides some links to interesting camera views of actual cameras in the field. The article is well worth reading by any security manager looking a installing or adding to a video security system.


One of the things that I like about John’s site is that he provides a forum for reader feedback and discussion. It provides for alternative view points other than just John’s. It also provides an easy way to ask for additional information and clarification.


Security Networks


On this particular article there was a response by a reader, Monk. Among other things Monk noted:


  • “I'd love to hear what people, in particular IT folks, are saying about these new cameras. It seems they will either be VERY excited about it, due to the control they can have over Security Resources, OR, they will completely be against the possibility, and Security will be forced to install and support their own LAN for the purpose of the new cameras...”

Monk’s comment brought an odd thought to my devious mind. As more and more security systems, including video monitoring, are put into place, they seem to be connected to the company computer network. That network may be used for communications links between sensors/cameras and a central monitoring station, or sharing security observation/detection information with various corporate entities. This is much the same thing that has been done with SCADA systems.


One of the complaints that we have seen about SCADA systems is that, through their interconnections with the corporate network, these systems have become vulnerable to outsider penetration and control. If that is true for SCADA systems, would it not also be true for security networks? Wouldn’t someone who was preparing to attack a high-risk chemical facility want to be able to see, or control, what that facility’s security staff sees?


Isolation of Security Networks


 With this in mind I posted a question to John’s site that asked if these IP video systems shouldn’t be isolated from corporate networks. There was a pretty quick and informative reply from John. I’ll post part of his reply here (for the complete discussion see the bottom of the page of the earlier referenced article):


  • As a matter of fact, many IP video surveillance systems are being deployed on dedicated LANs separate from the general IT LAN. I do not know nor can I reliably estimate a percentage breakdown of dedicated versus converged. However, I know with customers I work with this is fairly common.”

There are, of course, arguments that can be made for connecting security systems to the corporate network. It provides for easy central oversight of the security systems and provides for information sharing with management. Likewise, information flow from corporate to security through the network can provide for inbound and outbound shipping verification and verification of employee identification from other corporate sites.


In short, there is no hard or fast rule to answer the question about connecting security (or SCADA) systems to the corporate network. What is certain is that the decision needs to be carefully made and appropriate safeguards need to be put into place to control to limit information access and system control.


Site Security Plan


The security of electronic security systems needs to be addressed in the site security plan (SSP) for the facility. It should be dealt with in the same manner as the SCADA system. The system connections need to be defined and the access controls need to be delineated and verified, preferably by a separate security consultant from the one that had the system installed. Any of the changes that are made to the network or security system need to be thoroughly reviewed, and if possible, tested before the change goes live.


A bright shiny new security system can be the key to protecting the high-risk chemical facility from a terrorist attack. Unfortunately, if that system is inadequately protected against outside access and compromise, that same system may provide the tech savy terrorist the keys to a successful attack on the facility.

Anhydrous Ammonia Mass Casualty Event

There is an interesting set of articles on about a 2004 incident at a South Dakota meat packing plant where an anhydrous ammonia leak injured 100 personnel on site. The articles focus on the management of the incident as a mass casualty incident, so there is little information provided about the actual cause of the incident. Even so, there are some interesting observations that should be of interest to anyone developing an emergency response plan for a high-risk chemical facility.


Evacuation Plan


One of the first problems the responders encountered was accounting for personnel. With an outside temperature of 10°F people evacuating the contaminated area of the facility quickly looked for a place to get warm. Some went to the administration building, others got in their cars and left the facility.


All facilities have evacuation plans. They usually concentrate on getting people out of buildings. Once the people are outside most plans designate a primary assembly area. Chemical facilities concerned about fumes affecting the assembly area will probably include a secondary assembly area for poor wind conditions.


This incident points out that environmental conditions other than just wind need to be taken into account when planning evacuation routes and assembly areas. Facilities in areas that routinely experience sub-freezing temperatures need to take this into account. It may be something as easy as portable heaters or as complex as inflatable shelters.


Secondary Attacks on Assembly Areas

High-risk chemical facilities have additional considerations that need to be included in their evacuation planning. A common terrorist tactic is to execute a two-phase attack. Once the initial attack is executed and the response occurs the secondary attack is initiated to engage responders. A perfect target for this type of secondary attack would be the assembled workforce for the chemical facility.


 An attack on the assembled plant personnel would have the obvious affect of increasing the casualty count. It would also remove a source of trained personnel that could be expected to help in the response to the attack. And, as in any secondary attack, it ties up additional emergency response personnel that should be dealing with the effects of the primary attack.


The attacks can be executed in a variety of ways. A suicide bomber could be infiltrated into the facility as a driver or vender. A car bomb could be parked outside of the fence line near the assembly area. An armed team could be positioned in an area where they could take the assembly area under small arms fire.


Terrorist Identification of Assembly Areas


Identification of assembly areas would be part of the typical pre-attack surveillance plan used by professional attackers. Long term observation of the facility could show the surveillance team where the assembly area is by watching employee behavior during periodic facility drills. The same result could be obtained by observing facility response to minor attacks or bomb threats. Finally, insider information, deliberate or inadvertent could provide the attackers with the same information.


Protecting Assembly Areas


The emergency response plans for high-risk chemical facilities already looks to protect facility personnel by having them move to a safe area in the event of a facility emergency. Safety is currently defined as free of chemical contamination. That definition needs to be revised for facilities facing the risk of a potential terrorist attack.


One simple technique to reduce the chances of the assembly area becoming a secondary target is to deny the adversary the ability to identify the target. Selecting an assembly area that it is out of public view would be a first step to denying that information to a surveillance team. Facility personnel need to understand that the location of the assembly areas is part of the facility security information that should not be disclosed to outsiders.


Physical protection of the assembly area is more difficult. Constructing bomb-proof bunkers is not practical. Isolation of the area from public access and observation does provide a certain amount of physical protection. Berms or blast walls can be constructed to help protect against car bombs. The standard bomb detection procedures used to protect the facility against explosives being smuggled into the facility will prevent suicide bombers from attacking the assembly area.


Finally, the security response portion of the emergency response plan needs to include the requirement for security personnel to proceed to the assembly area to provide local protection for the employees, contractors, and site visitors seeking shelter in that area. These security personnel should be trained to lookout for the signs of a secondary attack on those people.


Prior Planning Essential


In an era where there is a significant possibility that high-risk chemical facilities may be the target for a terrorist attack it is important that a great deal of thought and planning should go into the facility site security plan. Part of the planning should be directed at the selection and preparation of the assembly area where facility personnel will seek safe haven in the event of an emergency. Proper prior planning will help prevent that site from becoming a secondary terrorist target.

Thursday, August 21, 2008

Another Alternate SVA Approved

The National Association of Chemical Distributors (NACD) announced that the security vulnerability assessment (SVA) methodology that they had developed for use by chemical distributors has been accepted by the Center for Chemical Process Safety (CCPS) as consistent with their SVA criteria. The NACD SVA Methodology for Chemical Distribution Facilities was specifically designed to deal with the security issues associated with chemical distributors.


Alternate Security Plans


As I noted in an earlier blog (see: “SVA for Tier 4 Facilities”), the CFATS regulations provide that high-risk chemical facilities that have been given a preliminary tiering assignment of Tier 4 may submit an alternate security plan (ASP) instead of completing the CSAT on-line SVA. DHS has the sole authority to accept or decline, in whole or in part, any such alternate security plan.


Since DHS based their SVA on work done by the CCPS, it is presumed that an SVA methodology that has been accepted by the CCPS as meeting their SVA criteria will have a high probability of being approved as an acceptable ASP. It is not a guarantee of approval. It just means that an SVA properly conducted with a CCPS ‘approved’ methodology will probably meet most of the DHS criteria for acceptance.


Why Allow the Use of an ASP


DHS originally included the ASP process to allow relatively lower risk high-risk facilities to use previously done security work to fulfill the CFATS requirements for SVAs and site security plans (SSP). The idea was that the hard work that had already been done did not need to be duplicated if it met the DHS standards for the work. DHS will allow an ASP to substitute for a CSAT SVA for Tier 4 facilities and for a CSAT SSP for all but Tier 1 facilities.


It is not clear that using the NACD SVA Methodology fits into this model. Facilities that used this SVA method to conduct their SVA before June 23rd of this year (the date DHS introduced the CSAT SVA to the public) are meeting the original intent of the ASP rule. Those that start using the NACD SVA now do not meet that intent. It is unlikely that DHS will differentiate between the two cases when making their decision to accept or decline the ASP as a substitute for the CSAT SVA.

Wednesday, August 20, 2008

DHS ‘Laws and Regulations’ Page Updated 8-18-08

DHS recently updated the Chemical Security portion of its ‘Laws and Regulations’ web page. The new change adds a link to the Consolidated Appropriations Act of 2008. Section 534 of that bill modified the authorizing legislation (Section 550 of the 2007 Homeland Security Appropriations Act) for the CFATS regulations. That bill was passed last December so this update is right on-time.


As I noted in a blog posted after that bill was signed (see: “DHS and the Omnibus Spending Bill”) there were two chemical security related provisions included in that bill. One of those was included in Section 534 and it dealt with changes to the rules for federal preemption in the CFATS regulations. The other section (Section 889) dealt with adding rules for the control of Ammonium Nitrate.


Federal Preemption Rules for CFATS


The Section 550 revision included in the 2008 authorization bill added a sub-paragraph to the CFATS authorizing language. That sub-paragraph reads:


  • “(h) This section shall not preclude or deny any right of any State or political subdivision thereof to adopt or enforce any regulation, requirement, or standard of performance with respect to chemical facility security that is more stringent than a regulation, requirement, or standard of performance issued under this section, or otherwise impair any right or jurisdiction of any State with respect to chemical facilities within that State, unless there is anactual conflict between this section and the law of that State.”

To date we have not seen an NPRM (Notice of Proposed Rule Making) that would implement this requirement. Of course there is no actual requirement for such change as long as DHS enforces the pre-emption provisions of 6 CFR part 27 in accordance with the law that authorizes those rules. It could, however, cause some confusion as we get further removed from the passage of such law and people forget that it exists.


Secure Handling of Ammonium Nitrate


The Section 889 provisions, on the other hand, do provide timetables for the implementation of regulations to control the sale and transfer of ammonium nitrate. There are three specific time limits in that bill:


  • Establish (within 90 days, March 25, 2008) a threshold concentration of ammonium nitrate in a mixture,
  • Prepare (within 6 months, June 26, 2008) a proposed rule regulating the sale and transfer of ammonium nitrate,
  • Within 1 year (December 26, 2008) issue a final rule implementing the requirements of this section.

The first two have passed without apparent action. It could be argued that the concentrations established in Appendix A to 6 CFR part 27 (published before this bill was passed) meets the first requirement. We’ll let that one slide.


The second requirement has not been met and it is almost two months overdue. Of course the requirements that Congress set down for that legislation were fairly detailed and complex. I thought that the six month requirement for draft regulations was kind of tight, especially since Congress prohibited DHS from preempting any existing federal rules dealing with ammonia nitrate. The research and coordination requirements to keep that requirement intact could take six months.


When I asked my contact at DHS about the status of this draft regulation I was curtly informed that the work was progressing. Well, no one likes to be reminded that they are missing deadlines (even unrealistic ones). And, of course, the implementation of Top-Screens and SVA’s has not interfered with work on these rules. In any case, DHS hopes to publish this draft regulation in the near future.

Anhydrous Ammonia Drill

A full scale drill was conducted in Corunna, Mi simulating a chemical attack on a school. The scenario wasn’t a typical terrorist attack. According to the article the scenario was two “disgruntled students” releasing an all-too available poison-inhalation-hazard (PIH) chemical, anhydrous ammonia. A vacant building was used to simulate the school and a smoke generator with lemon extract was used to simulate the chemical release. The entire county emergency services apparatus, including volunteer auxiliaries, was involved in the exercise.


Availability of Anhydrous Ammonia


Anhydrous Ammonia is probably one of the most commonly stolen industrial chemicals in the United States. Used in the manufacture of methamphetamines, it is commonly taken from tanks at farms, agricultural supply centers or commercial refrigeration facilities. A pressurized gas, it is often transferred into portable propane tanks for transportation to, and use in, illegal meth labs.


Anhydrous ammonia is a toxic gas. Fortunately, at much less than lethal levels it is an irritant that ‘encourages’ evacuation or avoiding higher concentrations. Most people can smell ammonia at concentrations of about 25 ppm and OSHA has set a 50 ppm TWA (Time Weighted Average for an eight hour working day) exposure limit. At higher concentrations it will burn the skin, eyes, nose and lungs. Severe chemical burns of the lung tissue can easily cause a painful, agonizing death. Temporary blindness is not unusual at significantly less than lethal concentrations.


Small Scale Anhydrous Ammonia Attacks


Small scale attacks like that envisioned in this drill are not likely to cause wide spread deaths. The limited amount of ammonia contained in apropane tank like those found on gas grills is not likely to form killing clouds in an open area. Injuries and panic are likely, but not death.


Introducing anhydrous ammonia into a closed classroom, with blocked doors and no working ventilation increases the probability of fatalities quickly. The panic associated with burning eyes, temporary blindness, and difficulty breathing would cause additional casualties and fatalities. Prompt decontamination and treatment of internal and external chemical burns for twenty to thirty students and teachers would quickly over whelm all but the largest trauma centers.


Government Controls


DHS lists anhydrous ammonia as a toxic-release COI (Appendix A, 6 CFR 27). Facilities that have more than 10,000 lbs of anhydrous ammonia on hand are required to complete a Top-Screen submission to allow DHS to determine if they are a high-risk chemical facility that would be governed under the Chemical Facility Anti-Terrorism Standards (CFATS). Facilities with smaller quantities are not regulated by the Federal Government for the security of that material, though the recent Farm Bill did authorize (see: “HR2419 Update 05-14-08”) $60.00 per tank grants for locks on agricultural anhydrous ammonia tanks.


Chlorine, another PIH, is listed as both a toxic-release and a theft/diversion COI. That means that facilities with as little as 500 pounds of chlorine on-hand have to submit a Top-Screen and may be regulated under CFATS.


Many states (Michigan and Illinois for example) require minimal security protections for anhydrous ammonia. These regulations typically require locks on valves and periodic visual checks of the tanks. These are certainlynot comprehensive security procedures.


Terrorist Threat?


The attachment of small cylinders of chlorine to vehicle born improvised explosive devices (VBIEDs) to make a ‘dirty bomb’ has been seen in Iraq where chlorine is much more readily available than anhydrous ammonia. Those dirty bombs have not been very successful in increasing the casualty count of the attacks.  They may have reduced the speed of rescue personnel and increased initial panic when people realized that chemicals were involved in the attack. But, small amounts of toxic gas disperse too quickly in the open to be very effective weapons.


The closest that I have seen to a confined space attack with a toxic gas was the Sarin attacks in the Japanese subways a number of years ago. Sarin is much more toxic than anhydrous ammonia or chlorine, but those attacks still had relatively low casualty rates. The reason was the lack of control of the ventilation system and the very small amounts of toxin used.


A full 5-gallon pressure container of anhydrous ammonia could certainly contain enough material for near lethal concentrations of ammonia in a classroom, if the ventilation system was shut down and the exits were blocked. This would not be the type attack expected of al Qaeda, but many ‘wanna be’ groups would find this well within their capabilities and it would certainly attract media attention.


Increased Security is Reasonable


Due to the possible terrorist attack potential and the certain, wide-spread use in the manufacture of illicit drugs, there should be an increased appreciation of the community threats associated with small amounts of anhydrous ammonia. While the farm lobby would certainly object (see what they did with propane) it is clear that there needs to be increased security controls on the storage of anhydrous ammonia.


The simplest thing that could be done would be for DHS to add anhydrous ammonia to the list of theft/diversion COI with a reasonable STQ. No new legislation would be required. All that would be necessary would be a notice in the Federal Register (and hiring a couple dozen people to answer the indignant calls from farm state delegations).


Oh well, its not going to happen. Not unless the smoke generator in the empty building becomes an actual cylinder of anhydrous ammonia in a real school. Then those farm state senators and congress people will be crying bloody murder, asking why something hadn’t been done.

Monday, August 18, 2008

DHS FAQ Page Update 8-15-08

Well this is another week with a large number of FAQ page updates and reviews. The 33 questions were in ten categories. The list below shows the categories and the number of questions listed in each.


  • Additional Resources (1)
  • Appendix A (3)
  • CFATS Regulation (14)
  • Facility Information (3)
  • Registration Exemptions and Inclusions (2)
  • Top-Screen Navigation and Troubleshooting (1)
  • User Registration Process (1)
  • User Roles (2)
  • Username/Passwords (1)
  • Web Portal Troubleshooting (5)

Again, I am not going to attempt to review each question/answer. For the vast majority there is no need since they are simple rehashing/reviews of previous answers. I will certainly take a look at new information and interesting replies.


Facility Owner-Operator Questions


  • 1376: Client has questions about 1.2-78 in Top Screen. He wants clarification of the owner/operator ramifications. Client is a 3rdparty logistics company who runs a company for a 2nd party client that leases the building from an owner. What if client cannot obtain owner information for facility? Who do they list in this question block?

I think that I have finally found an instance where the Help Desk gave an inappropriate answer to a question. In this case their answer can be summed up by quoting the last sentence in the answer “The person submitting the Top Screen should still be able to obtain any information needed to answer questions about the owner from the owner or operator of the facility, but in any event the owner/operator and submitter should work together to complete the Top Screen.”


From what I read in the question the building owner has essentially nothing to do with the Top Screen for this facility. The person that should be involved in the Top Screen is the operator of the facility (the ‘2nd party client’). They are the ones that ‘own’ the chemical facility operated within this building. They should probably ‘authorize’ someone from the logistics company to submit the Top Screen.


Truck and Train Facilities and CFATS


  • 1178: Are truck terminals and railroad facilities subject to the CFATS regulation?

DHS is taking a hands-off approach to both truck terminals and rail facilities for a number of political and practical reasons. Congress has sent conflicting signals to DHS on these two by failing to resolve the conflicting federal jurisdiction requirements. Practically speaking it would be difficult to bring transportation companies under the current Top-Screen/SVA umbrella due to the transitory nature of their on-hand chemical inventories.


The answer did leave the questioner with the same caveat seen in earlier rail regulation questions on this page; “As with railroad facilities, DHS may, in the future re-evaluate the coverage of trucking terminals. DHS would do so by issuing a rulemaking considering the matter.”


Background Checks for First Responders


  • 1368: Are background checks required for fire department personnel (firefighters and fire protection engineers)? If so, would the background check used for initial employment be acceptable?

DHS gave a very short answer to this question; “6 CFR Part 27 does not require that fire department personnel undergo background checks”. The answer might have been more useful if it included some additional information.


First, 6 CFR Part 27 does not require background checks; DHS is prohibited from specifying any security measure (the Section 550 authorization states that: “the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure”).


Second, one of the risk-based performance-measures that will have to be addressed in the site security plan (SSP) for the high-risk chemical facility will be a personnel surety program. One portion of that would be some sort of background check for personnel with ‘unaccompanied access to restricted portions of the facility’. Facility fire department personnel might be covered under that provision but personnel from municipal fire departments or volunteer fire departments (VFD) would not.


Finally, ‘authorized users’ of chemical-terrorism vulnerability information (CVI) may be given a ‘background’ check against terror watch lists by DHS during the training/vetting process. This process is handled by DHS through their on-line training site, so that ‘background check’ is essentially transparent to the facility or individual unless there is a problem.


It is not clear from the CVI Procedures Manual if government employees below state level (including fire fighters) will have to undergo that training and vetting process to be brought into the emergency planning process needed to support the SSP. Completely unaddressed is the issue of VFD personnel who are not government employees.


Requests for Extensions


  • 1380: How do I request an extension of the Top-Screen filing deadline?

The new information here is the addition of an address that can be used by shipper/mailers other than the United States Postal Service. UPS® or FedEx® are not supposed to be able to deliver to anything but a street address. That address is:


C/O Dennis Deziel
Chemical Security Compliance Division
Office for Infrastructure Protection
Mail stop #8100
U. S. Department of Homeland Security
<?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" />245 Murray Lane, SW, Building 410
Washington, DC 20528

/* Use this with templates/template-twocol.html */