Monday, August 11, 2008

Chemical Security Awareness Training

One of the things that I enjoy about blogging is that it provides a legitimate reason for surfing the Internet. Yesterday while visiting the SOCMA web site I found a link for chemical security awareness training. Naturally I followed the link.


An Odd Government Web Site


The site looked kind of strange. First thing that you see is the DHS banner across the top of the page. Then you notice that the web address is a ‘.COM’ instead of a ‘.GOV’ URL. Additionally, there are no links to any other site on the page nor is there any of the contact information that one usually associates with legitimate web sites.


Well, I checked with DHS and found out that it is a legitimate DHS Web Site. It is run by the Sector Specific Agency Executive Management Office (SSAEMO), apparently part of the National Infrastructure Protection Program. These are not the people who are responsible for CFATS.


A contact at the Department provided me with two .PDF documents that explain the web site, a fact sheet and a set of instructions. I could not find either document during a quick check of the DHS web site, but that is not surprising. The DHS web site, like most federal government sites, is poorly organized and hard to search.


Neither document is essential to use the site, except for one key piece of information that I will provide. So, let’sget cracking.


The Need for Security Awareness Training


This training has been developed for all people that work at chemical facilities, from the receptionist to the facility manager. It is based on the idea that any employee or contractor on site may see or hear something that may indicate a potential security breach, or impending attack at the facility. If everyone on site were on the lookout for such attempted breaches of security they could be reported and dealt with before they became a real threat to the safety of the facility, the employees and the community.


Actually, there is very little in this training program that would not apply to any facility in the United States. A few of the examples deal with specifically with things found only at chemical facilities, but even those would be illustrative of points at any type industrial facility. Any security manager could use this program as part of a comprehensive security training program.


Registering for Training


This training program is designed to be used by individual employees. Each person registers on the site and can get a prepared certificate of completion. This would be useful in documenting training (remember training is one of the risk-based performance measures that must be included in a high-risk chemical facility’s Site Security Plans). With appropriate computer projection equipment or a large screen TV, there is no reason that this training could not be used for a group training session.


To register on the site you need a Facility KeyVerification code. I can think of no reason that DHS would want to restrict access to this training. In fact, it seems that there is a single code for all facilities. So anyway, the ‘secret’ code is ‘ChemSec100’. It is case sensitive. If it is not entered correctly your whole computer network will blow up in your face (just joking, but they are carrying things a bit far here).


Once the secret code is entered you are taken to a standard sign-up screen. You create a login name (at least six characters) that allows you to log-on and off so that you do not have to complete the training in a single session. Again to make the process mysterious, the instructions warn “Do not use your last name”.


One last registration note, before you start your training you have to select your ‘bandwidth’ version. The training does make extensive use of videos so they have provided two different versions of the training; one for high-speed connections and one for dial-up connections. The high-speed version videos would load in pieces on a dial-up connection making the presentation very annoying. The developer, IEM Inc, is to be congratulated for making the two versions available.


Scenario-Based Instruction


There are nine modules in the program, an introduction and eight instruction modules. The most of the instruction modules are scenario-based. They show a video and the trainee is required to identify a ‘suspicious or non-secure situation or act’. They must also select an appropriate ‘corrective action’ that should be taken.


An incorrect response results in a brief explanation of why it was wrong. The scenario is then re-run and the trainee is given another chance to select the correct response. This continues until correct responses have been provided for all scenarios.


The scenarios are well crafted and represent some common techniques used in surveillance and information collection activities leading up to a potential attack. This is not an exhaustive coverage of those techniques, but it is well suited to the average employee. I would like to see a longer, more involved version for security personnel.


Scenario Tools


An interesting tool is used to allow the trainee to identify the ‘problem’ in the scenario. Once the scenario is played out, the video stops on the last frame. The trainee is asked to ‘roll’ the mouse over the scene to identify the problem. Rolling the mouse over various figures within the frame causes them to be highlighted in red and a brief explanation of that problem is provided. There are multiple items that can be ‘identified’ in each frame, only one of which is correct.


This works well on the scenario where employees coming back from lunch walk passed a hole in the fence. That hole is obviously the problem. It is less obvious on the scenario where an employee encounters a stranger carrying two large boxes approaching the card-controlled door. On my first attempt at this scenario I did not ‘find’ the missing ID badge on the stranger. I’m not sure that was a problem with my observational powers or a poorly designed picture.


Appropriate Response


As I mentioned earlier, not only does the trainee have to identify what is wrong, but also is required to select what would be an appropriate response for the scenario employee. In all cases that response is some variation of ‘notify your supervisor or security immediately’. When a response (correct or not) is selected the training re-enforces the idea that employees should not place themselves in danger by confronting suspicious people.


The counter-intelligence training that I received in the Army did not serve me well when selecting a correct response. For example, in the scenario involving a telephone call from an unfamiliar person in IT asking about user names and passwords I selected a response more in keeping with the military teaching of ‘don’t commit to providing or not providing the requested information; request another contact’.


The military not only did not want inappropriate information getting out, they wanted to track down and catch those requesting that information. Requesting another contact allowed the soldier to contact Counter Intelligence and allow them to make a decision on how to proceed. In most chemical facilities there is no counter-intelligence organization to follow-up on such requests. So I guess the scenario’s ‘appropriate response’ is appropriate.


Suggested Improvements


I actually like this training program. It is well thought out and entertaining. The information presented is valuable and I cannot really fault the information presented. It is not perfect; nothing conceived by humans is. That means that I have a couple of suggestions for improvements that I think should be considered when this program is updated.


First, do away with the ‘roll-over’ technique for selecting security issues in the scenarios. This makes it too easy to overlook the ‘correct’ answer. You do not want to set up the trainee to make an incorrect response. Use the same frame from the video and highlight all of the ‘answers’ currently provided and allow the trainee to select the appropriate answer.


Add one more informational unit before starting the scenarios. Teach what things that people should be looking for. Something along the lines of the Seven Signs of Terrorism (see: “The Seven Signs of Terrorism Videos”). This will give the trainee the tools necessary to make an informed judgment in the scenarios.


Finally, make a version of this training that can be used for group training at chemical facilities. It would allow the facility to conduct periodic security awareness training. The same scenarios could be used, but the response portion would be geared towards a group discussion rather than an individual selecting a response.


Once again, I think this is a good training program. I recommend it highly to all security managers, not just those at high-risk chemical facilities.

No comments:

/* Use this with templates/template-twocol.html */