Saturday, December 13, 2008

High-Risk Chemical Facility Identified in Local Press

Somewhere the security gods are shuddering in dismay; there has been a high-profile violation of the rules protecting Chemical-Terrorism Vulnerability Information (CVI). The Orlando Sentinel broke the story about a local high-risk chemical facility that is in the process of preparing their Security Vulnerability Assessment. What is the identity of the well known chemical facility? It is Sea World. Actually, three Orlando area theme parks had to submit Top Screens, according to the story. Both Disney World and Universal were told by DHS that they were not designated as high risk facilities. Busch Entertainment Corp, the owners of Sea World, would not tell the Orlando Sentinel if their other two Sea World Facilities (in San Diego and San Antonio) were also undergoing SVA evaluations (well, someone understands security). So, someone at Sea World leaked the information to the reporter, Jason Garcia, at the Orlando Sentinel. Also, according to the story, the CFATS status appears to have been confirmed by a facility spokeswoman. So what? What can DHS do about it now that the cat is out of the bag? According to Section 27.400(j), the unauthorized disclosure of CVI is “is grounds for a civil penalty and other enforcement”. Section 27.300(b)(3) sets the maximum penalty at $25,000. The newspaper and the reporter are in the clear, the CVI rules only apply to personnel who were provided proper access to the CVI. The Rest of the Story… Just a quick side note; Paul Harvey really did come up with a good line, and it is especially appropriate here. Forget for the remainder of this blog posting the CVI issue. What I want to do with the remainder of this posting is ask each reader, “How would you like to be responsible for the CFATS implementation at Sea World?” Let’s take a look at the situation. The perimeter security is probably pretty good; they only want people coming through the paying entrances or the employee entrances. The physical screening for weapons and explosives is probably better than that done at most chemical facilities. They employees are almost certainly checked out pretty good, though they probably don’t check the DHS Terrorist Database. What is lacking is any sort of vetting process for the paying customers; the only identification that is checked is their credit card or cash. Separating the Chemical Facility and the Public Facility Okay, so they have to keep the paying customers away from the chemical facility portions of the park. This is nothing new for these theme parks. They do an excellent job of keeping the public separated form the support sections of the facility. The biggest part of that is nothing more than keeping the supporting structure well camouflaged and hidden. Once you have those isolation techniques down to a science, the rest of the security plan is fairly straight forward. Establish a security perimeter around the chemical assets. Control access with RFID identification cards or biometric identification. Establish multiple layers of security to allow for a reasonable response time for the facility security team. All of the rest of it falls into place fairly easily. Once you get passed the idea of the tourist trap as a high-risk chemical facility and realize that you have to properly define what the chemical facility is and what is the theme park, then developing your security plan is fairly easy. It is just that first step that is conceptually so difficult.

1 comment:

Anonymous said...

What public info is already available on this facility --e.g., the Risk Management Plan? Never a word on the public's right to know?
What alternative chemicals are available/already used by other safer facilities?
Is a major Disney or Sea World facility (the crowd) a terrorist target (e.g., from nearby rail lines carrying poison gas cargoes) as a major tourism venue?

/* Use this with templates/template-twocol.html */