Friday, July 31, 2009

Reader Comment – 07-29-09 – CFATS Personnel Surety

Back on Wednesday an anonymous reader posted a comment to my original blog on the DHS CSAT Personnel Surety ICR; actually I think it was partially a reply to another reader comment and my blog. Anonymous concluded the comments with the statement that: “The details aren't available in the Federal Register notice, but the department is holding meetings with an outline of what they're thinking and making that information available to these certain groups.” That sounds a little sinister, so I did some checking. DHS is certainly talking to a variety of affected industry groups about their intentions. The ICR was mentioned at the Chemical Sector Security Summit by Sue Armstrong, the head of Infrastructure Security Compliance Division of DHS. There she promised to brief members of the appropriate Sector Coordinating Councils (self-organized, self-led groups that are broadly representative of owners and operators and their associations within the sector, which are focused on homeland security and critical infrastructure protection) and listen to their input on the potential programs. Next week the ‘listening sessions’ will be held with the Oil and Natural Gas Sector Coordinating Council (8/3 at 2:00 pm) and the Chemical Sector Coordinating Council (8/5 at 10:00). I’ll see if I can get someone to get me some information on the feedback presented in those sessions. There is certainly nothing sinister about this outreach effort. The owner-operators of the chemical facilities that will be affected by the CFATS Personnel Surety Program certainly deserve to have their input into the development of that system. That was one of the main reasons that the ICR notice was published in the Federal Register in the first place. That is the main reason that I wrote about the ICR in my blog. The more publicity that the program gets the better it can become.

QHSR Now on Twitter

This is just a very quick note that you can now follow the Quadrennial Homeland Security Review on Twitter at QHSR Dialogue. Also, please remember that the first dialogue starts on Monday, August 3rd. So, if you want to participate go to the QHSR Dialogue Homepage and sign-up.

PTC NPRM and Cyber Security

Since Positive Train Control is, at its most basic, a cyber control system, it is heartening to see that FRA is actively addressing security measures in this NPRM. While this does not have any direct affect on the chemical security community, I do believe that a brief look at how FRA treats the control system security issue provides a good look at methodologies that could be appropriate for chemical process control systems.

Design Criteria 

In the discussion of §236.1003 FRA explains that security must be considered as one of the design parameters of the system. They note that security “is an important element in the design and development of PTC systems and covers issues such as developing measures to prevent hackers from gaining access to software and to preclude sudden system shutdown, mechanisms to provide message integrity, and means to authenticate the communicating parties” (74 FR 35984).

These should also be part of the design criteria for any industrial control system, but they particularly important for critical control systems at high-risk chemical facilities. Later in the same discussion the FRA notes that another design element, integrated security, “recognizes that optimum protection comes from three mutually supporting elements: physical security measures, operational procedures, and procedural security measures”. Physical security includes measures that “prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts” (74 FR 75985).

Finally, since PTC systems are based upon communications between operational units and fixed activities, communications security measures need to be an integral part of system design parameters. In this context communications security measures include systems designed to “deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications”.

Cryptography Requirements 

One of the key communications security measures that the PTC NPRM is considering requiring where communications confidentiality is required is the use cryptography to both prevent message interception and spoofing as well as provide for communication authentication. It is interesting to note that FRA recognizes that there are no reasonably unbreakable cryptographic techniques. They note that “modern cryptographic practice has discarded the notion of perfect secrecy as a requirement for encryption, and instead focuses on computational security. Under this definition, the computational requirements of breaking an encrypted text must be infeasible for an attacker” (74 FR 35999).

All cryptographic systems use some sort of ‘key’ to share the encryption-decryption procedures between the sender and receiver of the encrypted message. Management of those keys “includes ordering, generating, distributing, storing, loading, escrowing, archiving, auditing, and destroying the different types of material”. Appropriate attention must be paid to each step of this process to protect the keys from inappropriate disclosure.

The NPRM also takes a pragmatic approach to the physical security requirements of the cryptographic equipment. Instead of requiring a ‘tamper-proof’ standard for the physical protection of equipment, the FRA is recommending that the equipment be made ‘tamper-resistant’ and ‘tamper-evident’. To provide an additional level of security, they will require that the equipment be installed in a readily visible location so that the physical evidence of tampering would reasonably be expected to be detected in normal operations of the equipment.

As with most of the requirements found in this NPRM, FRA does not specify the specific cryptographic techniques or equipment that must be used. What it does require is that the railroad must specify the techniques to be used in their PTC Development Plan (PTCDP). While most high-risk chemical facilities do not typically consider communications security in their cyber security plan, any facility that allows off-site communications with their control systems does need to consider protecting that communication with cryptographic techniques. Those communications would not be limited to off-site human access to those systems, but could include system-to-system communications with enterprise information systems.

All-in-all this is an interesting discussion of cyber security measures. It is not comprehensive, but it does provide a perspective that has been missing from many discussions of control systems security. It would certainly be interesting to see what comments cyber security professionals provide in the public discussion of this NPRM.

Thursday, July 30, 2009

Practical SCADA Security

There is an interesting article over on about the efforts that Air Liquide has taken to protect its industrial control systems network. Many of the details described are well over the head of people that are not control systems engineers (and that certainly includes me), but it does provide some insight into the types of efforts that need to be made to secure complicated control system networks. There are a couple of items in the article that should be of interest to anyone in the chemical security community that works with plants with automated control systems. The first is found in the opening paragraph of the article. It is a description of the existence of common software security gaps in two commercially available control system packages, CitectSCADA and Areva's e-terrahabitat. Buffer overflow vulnerabilities are well understood openings in software security processes that allow an outsider to gain control of the system. The presence of such software holes makes it much easier to penetrate system security. The second item of interest is their discovery of a number of compromised computers on their network. While the article does not mention the use of those slaved computers to manipulate the control system, it does indicate the level of system penetration that can be achieved when there are inadequate system protections in place. Finally, the article notes the importance of including security system engineers in the development and deployment of a security system. The article author has been working in industrial control system design and development for a large number of years. Most high-risk chemical facilities do not have that level in-house of systems engineering experience available. They will have to rely on cyber security experts to an even greater extent. I do hope that the author will report the history of compromised computers on the industrial network to the team over at; they would be valuable data points to include in the RISI data base.

Wednesday, July 29, 2009

DHS-ChemITC Webinar

As I mentioned earlier this week ChemITC and DHS Infrastructure Security Compliance Division hosted a webinar today on the “DHS CSAT Site Security Plan”. The webinar was completed earlier this afternoon, and I was pleased with the presentation. The people who prepared and presented the program did a very good job on the presentation. There was plenty of good information in the program and I recommend it to anyone that is getting ready to start their SSP preparation process. Facility Submitters will be given information about signing up for the webinar when they receive their email from DHS notifying them that there SSP notification letter has gone out. Any facility that has received their letter, but not the Submitter email should contact the CSAT Help Desk (866-323-2957) for more information. Miscellaneous Information On disheartening, but probably inevitable piece of information that was provided early on in the presentation is that facilities should expect a potential delay of ‘months’ between the SSP submission and the appearance of the DHS implementation inspection. This delay is due to the extensive review process that needs to be done of the SSP submission and the small number of inspectors currently available for the review process. While I was writing this posting I received a ‘follow-up’ email from one of the presenters with some additional information about questions that were asked at the end of the presentation. One that will be of interest to readers of this blog concerns the status of the DHS notification letters. David E. McCullin, Program Analyst, Infrastructure Security Compliance Division, writes that: “The process of sending the tier two letters has begun but is not yet complete. Approximately 2/3 of the tier two facilities and 1/4 of the tier three facilities have been sent.” SSP Assets Probably the most valuable part of the presentation is the clarification of what assets need to be identified in the SSP submission. The presenters made clear that the SVA assets have nothing to do with the SSP. The one minor problem this part of the presentation was the continual reference to the ‘definition of assets in the RBPS document’ without a specific reference to where. It took some looking but page 16 of the RBPS Guidance Document provides the following definition:
“‘Asset’ means any on-site or off-site activities; process(es); systems; subsystems; buildings or infrastructure; rooms; capacities; capabilities; personnel; or response, containment, mitigation, resiliency, or redundancy capabilities that support the storage, handling, processing, monitoring, inventory/shipping, security, and/or safety of the facility’s chemicals, including chemicals of interest (COI).”
The RBPS Guidance then goes on to provide a listing of some typical assets. All of this is good, but does not provide much guidance on what ‘assets’ should be listed in the SSP. The presenters provided some interesting guidelines that sound like they should be helpful. No recording was allowed of the presentation so this is my paraphrase of what they said:
Any on-site asset that has no security measures beyond those available to the site as a whole need not be listed. Any asset that has specific security measures unique to just that asset should be listed. Any asset that the facility thinks may have inadequate security should be listed. Any off-site asset should be listed.
The presenter short-stopped the question of why anyone would voluntarily report an inadequately protected asset by noting that the DHS inspectors will certainly note inadequate security in their initial inspection of SSP implementation so the facility should get ahead of the curve and self-identify the problem. This was definitely a good presentation and I recommend that facilities sign-up for this weekly presentation as soon as they receive their notification emails. It would probably be a good idea to set this up in a facility conference room so that the entire SSP team can view the presentation together. An internet linked computer is required as is a phone with a ‘mute button’. One last operational note: this presentation is made over the HSIN network. DHS will not send out the link to the presentation until just before the start of the presentation. So the person submitting the email request for the presentation should be able to access their email from the computer where the presentation will be viewed. The phone number and access code for the audio link will be provided on-line just before the start of the presentation. This is a little different than most webinars and was not adequately explained to those of us who signed up for today’s presentation through ChemITC.

TSA Pipeline Security ICR

Today the Transportation Security Administration (TSA) posted a sixty-day notice of their intention to request authority from the Office of Management and Budget (OMB) to collect information from operators of hazardous material pipelines as part of their revised pipeline security program. Public comments are requested on the information collection needs for “the voluntary submission of pipeline operator security manager contact information to TSA's Pipeline Security Division and the reporting of security incident data to the Transportation Security Operation Center (TSOC)” (74 FR 37723). Comments are due by September 28th and should be mailed or delivered to:
Ginger LeMay Office of Information Technology, TSA-11 Transportation Security Administration 601 South 12th Street Arlington, VA 20598-6011
This information collection request (ICR) will be submitted in support of a planned update of the Pipeline Security Information Circular. The 2002 Circular will be replaced by the Pipeline Security Guidelines to be published later this year.

HR 3258 Analysis – 50 Enforcement Agencies

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background As I noted in the previous posting in this series, one of the political realities that led to the writing of HR 3258 is that the US EPA is already responsible for a significant portion of the regulation of water treatment facilities, including security against deliberate contamination of the water supply. While the leadership of the House Energy and Commerce Committee obviously feels that this is a logical extension of EPA authority, this does result in some inherent regulatory complications. Covered Facilities When DHS was looking at the possibility of the water treatment facility exemption being removed by HR 2868 they estimated that there would be an additional 3,000 facilities added to the CFATS program based on the presence of COI (typically chlorine, or anhydrous ammonia) at or above the screening threshold quantity (STQ). This would have almost doubled the number of covered facilities. HR 3258 uses an entirely different standard to determine what facilities would be considered ‘covered facilities’. Instead of relying on the presence of a quantity of specific chemicals on-site, the standard set forth in this legislation is the size of the served community. It makes any “community water system serving a population greater than 3,300’ {§1433(a)(2)(A)} a covered facility. While I have not seen any specific figures for the number of facilities that this would cover, but it would be substantially more than 3,000. The reason for this is that these regulations would cover more than just the security of chemicals at these facilities. This legislation would extend and expand the current physical security requirements for protecting the water supply to the protection of the hazardous chemicals used at many of these facilities. This was done to ensure that there would only be one set of security rules covering these facilities. Duplication of Efforts This, of course, raises the question about duplication of regulatory efforts in the EPA and DHS. The argument can certainly be made that DHS has expended a great deal of time, effort, and money setting up the regulatory tools needed to enforce CFATS. Regulations have been written. Innovative on-line reporting and evaluation tools have been developed and supporting documentation has been written and revised. And, the Chemical Security Academy has been developed to train a professional staff of chemical security inspectors. The counter to that argument is that substantial portions of the CFATS program will not actually apply to water treatment facilities. The list of 300+ chemicals of interest (COI) is certainly over-kill when it comes to the limited chemical inventories of these treatment plants. Nor will there be the complexity and variety found in the loosely defined chemical industry; the regulations and reporting tools will be easier to develop for a this relatively uncomplicated industry. This should also make those tools easier to understand and use. One way to look at this issue is to ask would it be easier to add chemical security to existing water security regulations or to add water facility security to existing chemical security regulations. Obviously, Chairman Waxman decided that the former would make more sense, especially since he took the opportunity provided to increase substantially the water security requirements. Enforcement Activities The US EPA currently uses a distributed enforcement model when dealing with water treatment facilities. This means that the Administrator has delegated enforcement authority to the individual States where they have expressed a willingness, and presumably demonstrated an ability, to take on that task. Forty-nine states (Wyoming is the exception) have accepted that delegation. This enables the EPA to have a very small enforcement staff. That delegation has been specifically included in the language of one portion of this legislation. Section 1433(g) gives authority to the State (where the State has primary enforcement authority) the responsibility for determining if a high-risk (Tier 1 or 2) water treatment facility must implement ‘methods to reduce the consequences of a chemical release from an intentional act ‘methods to reduce the consequences of a chemical release from an intentional act’. While provisions have been made to require the reporting of that decision to the Administrator, there is nothing allowing the Administrator to overturn that decision. This is the only portion of the regulation that addresses the use of delegated enforcement authority. But, since the US EPA routinely uses this enforcement model for water facility regulations, I would suspect that the EPA would rely on State officials to enforce this regulation as well. Lacking specific authority to hire and train a significant enforcement staff, it would not only be reasonable, but it would necessary if there is to be even a minimal effort to enforce these requirements. This comes with it own set of problems. First there is the question of uneven enforcement activities. How is the EPA going to ensure a minimal level of training for the inspectors from 49 states? This will be especially important since the Administrator is required to establish risk-based performance standards rather than prescriptive standards for site security plans. The EPA could establish a training program similar to the Chemical Security Academy being run by DHS. Or perhaps they could contract with DHS to conduct that training. The next surmountable problem is the sharing of information with State agencies. The language in HR 3258 requires the submission of ‘Top Screen’ type information, vulnerability assessments and site security plans to the Administrator. All of this information will be protected information under rules that should be similar to the Sensitive Security Information rules established by TSA. Secure methods of sharing that information with States will have to be developed. There will undoubtedly be other issues that will have to be dealt with due to this distributed enforcement model used by the EPA. I can’t think of any that would be insurmountable, but they will complicate the development and enforcement of the regulations that will have to be written to implement these regulations.

Tuesday, July 28, 2009

4th ISA WWAC Symposium

I’ve passed this by a couple of times because I did not see any mention of coverage of security measures, but the International Society of Automation (ISA) is holding their 4th annual Water & Wastewater and Automatic Controls (WWAC) Symposium next week in Orlando, FL. While none of the announcements that I have seen mentioned security for control systems, I finally did some digging and found a copy of the program brochure which does show two security sessions. Security Related sessions include:
A Practical Approach to Securing Your WTP/WWTP, Kevin Finnan, CSE-Semaphore SCADA Cyber Security Defense — In-depth Approach, Jim Redifer, Rockwell Automation
I must admit that I believe that these two 30-minute sessions hardly provide adequate treatment of control system security and am surprised that ISA is providing so little coverage of this important topic especially on critical infrastructure systems like water & wastewater treatment facilities. If professional organizations like ISA don’t take the lead in this area, our critical infrastructure is going to continue to become more at risk from catastrophic cyber attacks.

PTC NPRM and TIH Chemicals

As I noted last week, the Federal Railroad Administration (FRA) recently released a notice of proposed rule making to establish the procedures and standards that railroads would use to implement the Positive Train Controls required by the Rail Safety Improvement Act of 2008 (RSIA08). As promised, I will try to outline how this proposed rule might affect shipments of toxic inhalation hazard (TIH) chemicals.

PTC Requirements

Through RSIA08 Congress required that covered railroads had to install PTC systems by 2015. This aggressive schedule is based in large part on the results of two accidents; the 2005 Graniteville, SC chlorine-release collision between two freight trains and the 2008 Chatsworth, CA collision between a freight train and a passenger train. Both of these deadly collisions would have clearly been prevented if there had been PTC systems on the trains involved.

As a result Congress enacted RSIA08 that would require PTC systems to be installed on all intercity and commuter passenger rail lines and “on freight-only lines when they are part of a Class I railroad system, carrying at least 5 million gross tons of freight annually, and carrying any amount of poison- or toxic-by-inhalation (PIH or TIH) materials” (74 FR 35954). This would mean that almost any Class 1 rail line that carried PIH/TIH chemicals would be required to have a PTC system installed.

At the same time, a Class 1 freight line that did not carry PIH/TIH and did not share the line with passenger service would not require the installation of PTC systems. Later in the NPRM FRA clearly states the potential problem associated with the confluence of PTC requirements and TIH shipments during the discussion of §236.1005:
“The RSIA08 mandate, which entails an expenditure of billions of dollars, most of it nominally because the lines in question carry PIH, presents additional enormous incentive for the Class I railroads to shed PIH traffic and, further, to concentrate the remaining PIH traffic on the fewest possible lines of railroad” (74 FR 35964).
Later the FRA addresses this issue and goes back to the issue of Congressional intent and concludes that it “does not believe that the Congress intended an implementation that would create substantial incentives to drive PIH traffic off of the railroads or concentrate it in such a way that large urban areas would see an increase in volume above that expected using normal, direct routing of the shipments” (74 Fr 36965).

To prevent the problem of railroads self-limiting the PIH shipment routing, the FRA establishes a routing baseline of 2008. Thus, FRA would require {in §236.1005(b)(2)} that “that the determination of Class I freight railroad main lines required to be equipped be initially established and reported as follows using a 2008 traffic base for gross tonnage and determine the presence of PIH traffic based on 2008 shipments and routings” (74 FR 35965). Thus, essentially all Class I freight lines that had carried TIH/PIH chemicals in 2008 will be required to be equipped with PTC systems.

PIH Rerouting Requirements 

The FRA solution to the PIH-PTC issue certainly seems to ensure that the railroads do not use this rule as justification to stop carrying PIH chemicals on existing routes and push PIH shipments off onto highway carriage which would be less safe and less secure. But, in yet another example of the Law of Unintended Consequences, this rule will interfere with the intended operation of a final rule published last November by the Pipeline and Hazardous Material Safety Administration (PHMSA); Enhancing Rail Transportation Safety and Security for Hazardous Materials Shipments.

Among other things, that rule required railroads to collect information on PIH shipments; current routes and alternative routes for those shipments. Then they would be required to select the safest and most secure routes practicable for those shipments based on a complex analysis of those routes. Appendix D to 49 CFR part 172 provides a listing of 28 factors that railroads will be required to use to evaluate the safety and security of routes. One of those factors is the relative cost of the different routes.

If an alternative route for a class 1 railroad were to take the PIH shipment over a freight rail track that had not previously carried PIH chemicals then the selection of that route would incur the additional cost of equipping the line with a PTC system. While the current route would also require implementation of PTC requirements, the railroad would not have to consider those costs as part of the route selection analysis. The costs for the current route would have to be borne regardless if PIH chemicals continue to be carried on that line. This would mean that there would be no PTC cost avoidance by changing routes.

This problem could be avoided if the FRA were to include provisions in the proposed rule to allow for changes to the 2008 based route determination to be modified by changes to PIH chemical shipment routes introduced between before October 1st 2010, if that route determination was made under provisions of 49 CFR §172.820. This would allow class 1 railroads to remove routes from initial PTC coverage if it were moving PIH chemicals from that route to an alternate because of a re-routing decision. Obviously the alternate route would be considered for PTC coverage requirements under the provisions of this rule.

Small Railroads and PIH 

Under the proposed rule Class II and Class III freight railroads are not generally required to implement PTC technology on purely freight lines. The current proposed rule does not provide for a PTC exemption for Class II and Class III operating on passenger routes because “FRA has not been able to define conditions that would apparently be suitable in every case” (74 FR 35972). The FRA does request comments on whether it should consider including in the proposed rules provisions requiring smaller railroads carrying “PIH traffic on PTC equipped track through a densely populated area” (74 FR 35973) on freight only lines to equip its train with compatible PTC equipment.

Monday, July 27, 2009

DHS-ACC Webinar – SSP

I was kind of surprised today to see a very brief notice in one of my daily SmartBrief® emails that DHS and ChemITC were collaborating on a webinar this week on “DHS CSAT Site Security Plan”. Neither the collaboration nor the webinar was surprising; but the very short notice was. The webinar will be held this Wednesday, July 29th at 11:00 a.m. EDT. If you are interested in registering for the free webinar, just click on this link. The presenters for the webinar will be two people from the Infrastructure Security Compliance Division of DHS. According to the ChemITC web page, David McCullin, a program Analyst, and Mat Davey, a consultant, will “provide information on the content and functionality of the CSAT SSP tool as well as important considerations to facilitate an accurate completion of the SSP”. I have been on the observer side of a couple of ChemITC sponsored webinars and have found them to be well worth the time and an exceptional value, especially since they are free. I have signed up and look forward to hearing what these two gentlemen have to say about the SSP submission process.

Chemical Transportation Advisory Committee Meeting – 8-11-09

The Coast Guard published a notice in last Friday’s Federal Register announcing that the Chemical Transportation Advisory Committee and some of its subcommittees and working groups would be meeting at the Coast Guard Headquarters in Washington, D.C on August 11th and 12th. The purpose of these meetings are to discuss various issues relating to the marine transportation of hazardous materials in bulk. The full Committee will receive a variety of reports from the subcommittees. Additionally there will be a report on the CFATS inspection process. One of the subcommittees that will be holding a meeting will be the Hazardous Cargo Transportation Security (HCTS) Subcommittee. The Subcommittee will discuss progress with the Transportation Workers Identification Credentials (TWIC) program and proposed Advanced Notice of Arrival (ANOA) regulatory changes. All meetings will be open to the public. Anyone wishing to make an oral presentation at the meetings needs to contact Commander Michael Roldan at 202-372-1420 no later than August 7th. Written material for distribution at the meetings should reach Cmdr Roldan by the same date at:
COMMANDANT ATTN (CG-5223) U.S. Coast Guard 2100 2nd St., SW., STOP 7126 Washington, DC, 20593-7126
In the same issue of the Federal Register the Coast Guard posted a notice that it is accepting applications for the eight positions on the Chemical Transportation Advisory Committee that expire on December 31st, 2009. CTAC advises the Coast Guard on issues relating to the safe and secure transportation and handling of hazardous materials in bulk on U.S.-flag vessels in U.S. ports and waterways. That advice may be used to help formulate the US position on hazmat transportation issues facing the International Maritime Organization. Applicants should have direct knowledge about such issues based on their experience with chemical manufacturing companies, companies that handle or transport chemicals in the marine environment, vessel design and construction companies, marine safety or security companies and marine environmental protection groups. The Coast Guard actively supports the Department’s policies on gender and ethnic diversity and encourages applications from women and minorities. CTAC member receive no compensation from the US Government. Applications are available electronically at (Docket No USCG-2009-0671)

HR 3258 Analysis – Political Background

Last week I posted a section-by-section analysis of HR 3258, the water system security companion to HR 2868. That analysis looked at what the legislation said and required. Today I would like to start to look at those requirements as a whole and compare how the affect on water treatment facilities would compare to both the current CFATS program and the updated program envisioned in HR 2868. But first we need to look at the differences between water treatment facilities and commercial chemical facilities. Water Treatment vs Chemical Facilities Before we can look at the affect of these regulations we first have to understand that there are fundamental differences between water treatment facilities and high-risk chemical facilities. These differences are going to color the differences between how chemical security regulations are applied at these two distinct types of facilities. First chemical facilities are privately owned and are operated to produce profits for their owners. Most water treatment facilities are government owned or closely controlled by a local government agency. The reason for government control is that these facilities are almost always a monopoly; the sole source for drinking water for the served population. An important part of this government control is that local politicians typically control the rates that the facility operator can charge for their product. While the US Environmental Protection Agency has some level of regulatory control over almost all CFATS covered facilities the regulations that govern those facilities are significantly different than the regulations that govern the relationship between the US EPA and water treatment facilities. Furthermore, for all but one state (Wyoming) and the District of Columbia, the US EPA has delegated most of the control for water treatment facilities to State agencies. Finally, there are already Federal regulations in place that address anti-terrorism security measures for water treatment facilities. Those regulations are designed to loosely protect water systems from contamination, not control the theft or release of water treatment chemicals. Those regulations do require covered water facilities to complete a security vulnerability assessment, but do not require the completion or independent evaluation of site security plans. Political Considerations One of the considerations that goes into the development of any major legislation in Congress is the determination of which committee has oversight responsibility for that legislation. As many commentators have discussed the formation of the Homeland Security Department has created a problem in Congress because a wide number of government agencies, all with their own history of Congressional oversight, were combined into a new organization with its own oversight committee. Again, many commentators have noted that Congressional committees jealously guard their oversight responsibility. This is a simplistic view of the situation. It is certainly true that surrendering some oversight responsibility to another committee would result in a reduction of the authority of a committee, most importantly the authority to direct the spending of money into member’s districts. But, to be perfectly fair, each committee staff has built-up a level of expertise in the operations, legislative background, developing plans of the supervised agency. Transferring that expertise is not simple, nor is has there been much effort made to encourage that transfer by the Congressional leadership on either side of the aisle. Other fights have had higher priority. This situation has been particularly difficult for those that have been considering the regulation of chemical security at water treatment plants. After 9/11 it was clear that public water treatment works were a potential terrorist target and the EPA and Congress worked out rules for the protection of those facilities from attacks that posed threats to the purity of the water output of those facilities. It was a natural outgrowth of the EPA regulation of water facilities; the EPA’s coverage had always been concerned with the water coming out of the facilities. It has been clear for some time that the regulation of chemical security at water treatment facilities was going to be primarily concerned with preventing the release of toxic inhalation hazard (TIH) chemicals, chlorine gas and anhydrous ammonia in particular. While there are available substitutes for these chemicals, that substitution is not as simple as stopping the shipment of chlorine and starting to receive industrial strength bleach instead. The technical challenges are further complicated by the fiscal realities that govern water treatment facilities; limited capital reserves, limited access to credit, and ultimately, voter approval requirements for any major expenditure of funds. Finally, there is always the conflict between local governance and federal oversight. This is a conflict that dates back to well before the establishment of United States, and is actually a direct outgrowth of revolution that separated the colonies from the control of the British government. Local communities jealously guard their control of police, schools and water treatment facilities. Members of Congress are well aware of this and tend to tread lightly when imposing requirements on local governments, especially laws that require those governments to spend local money, the infamous ‘unfunded mandates’. All of these political considerations color the application of chemical security regulations at water treatment facilities. Problems with these considerations have, to date, prevented the regulation of the widely recognized hazards of TIH chemicals at these facilities. Many water treatment facilities have, however, already started with the development of their own security plans and, frequently, the substitution of less hazardous chemicals. A good analysis of such actions can be found in the June 2008 testimony of Mr. Brad Coffey, Water Treatment Section Manager, Metropolitan Water District of Southern California, before the Subcommittee on Environment and Hazardous Materials. Separate Regulation A good understanding of these political realities is what lead to the development of HR 3258 as a separate bill from HR 2868. First this bill had to amend the Safe Drinking Water Act instead of the Homeland Security Act as that act already regulated the physical security of drinking water facilities. It only makes sense to extend those existing security regulations to include the protection of the chemicals used in water treatment. That logically lead to making the US EPA the lead agency for the expanded security regulations; they were already responsible for the managing the current security regulations. It also acknowledges the fact that the EPA has historically shared the responsibility for regulation of such facilities with State agencies and extends that shared responsibility to chemical security regulations. This will also color the details of the implementation that we will look at in future a future blog.

Saturday, July 25, 2009

Congressional Hearings – Week of 7-27-09

The only hearing currently being listed for this week that may be of interest to the chemical security community is a hearing by the Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment Hearing on the “Information Sharing Environment”. Since this should include some discussion of sharing intelligence with critical infrastructure sectors, it may be interesting. The hearing will be held on Thursday, July 30th at 10 a.m. EDT. Technically both the Judiciary and the Energy and Commerce Committees are supposed to report on HR 2868 at the end of the week. This would require them to hold hearings this week, do what ever markups are necessary and report the bill; this unlikely to be done this week. The Judiciary Committee could possibly squeeze in a sub-committee hearing on the Civilian Suits provisions of the bill, but a full committee report is unlikely. I would be surprised if the subcommittee hearing postponed last week in the Energy and Commerce Committee were held this week; that Committee is still being strangled by health care bill. In any case look for an extension of the reporting requirements on HR 2868 to be issued by the Speaker on Friday.

Friday, July 24, 2009

QHSR Update – 07-24-09

I received an interesting email today from National Dialogue on the Quadrennial Homeland Security Review. They wanted to thank me for signing up to participate in the National Dialogue. They also told me that I was one of only 1700 people that had signed up to date to participate in the dialog that ‘starts in less than two weeks from today’. Then they ask me to do my part in spreading the word by:
"Forward this email… "Post a message or link… "Use the AddThis button…"
So here is my continuing contribution…. DHS is Trying, But It is obvious that DHS and their host, the National Academy of Public Administration (NAPA), are trying hard to get active participation in the Dialogue. I applaud their objective, but continue to have doubts about the way they are doing things. But I will admit they are apparently listening. In an earlier posting on this topic I objected to the way NAPA was using a third-party web site to host their documents; that has been corrected. Their one page .PDF flyer is now on the NAPA web site. The sign-up for the Dialogue is also handled directly from page instead of going to the third-party site. So they are getting better and some of my earlier misgivings about recommending participation have been appropriately dealt with. But, they still need some help on their web skills. Their email does not have a single clickable link to take you to their web page; you have to copy and paste the web address. The ‘AddThis’ button they ask us to use does not exist; there is, however, a ‘Share’ button that any current internet user is accustomed to seeing/using. I still have high hopes for this public participation in the QHSR. The idea of using the internet for active participation in setting national policy is an idea that has a lot of merit. If DHS manages to pull this of well, it will certainly be used in other areas by this administration. If it flops, however, it will be a long time before anyone risks their reputation on another attempt at participative governance.

Positive Train Control Systems

Earlier this week the Federal Railroad Administration (FRA) published a notice of proposed rule making implementing the Positive Train Control (PTC) Systems requirements set forth in the Railroad Safety Improvement Act (RSIA) of 2008 (Public Law 110–432). While this is a highly technical proposed regulation primarily affecting the railroad industry, it has the potential for directly affecting the shipment of TIH chemicals by rail and rail-rerouting plans. I’ll address these issues in a later blog. Comments may be submitted electronically at (Docket No. FRA-2008-0132). Comments should be submitted by August 20th, 2009 though comments received after that may still be considered. Public Hearing The FRA also announced a public hearing concerning this NPRM. The hearing will be held in Washington, D.C. on August 13th. The meeting will last all day (9 a.m. to 6 p.m.). Written notification of intent to present oral testimony at the hearing should be faxed to the FRA Docket Clerk at (202) 493-6068 or sent by mail to:
FRA Docket Clerk Office of Chief Counsel Federal Railroad Administration 1200 New Jersey Ave. SE.,RCC-10, Stop 10 Washington, DC 20590
Notification should identify the party the person represents, the particular subject(s) the person plans to address, and the time requested. The notification should also provide the Docket Clerk with the participant's mailing address, other contact information and three copies of the oral statement to be presented.

Reader Comment – 07-22-09 RISI

Wednesday John Cusimano of exida left a comment about an earlier post on the ‘birth’ of RISI. He pointed out that I failed to acknowledge the role of Mark Fabro of Lofty Perch. My apologies to Mark and all of the folks involved with RISI. John also took the opportunity to ask us to “Please check the website [link added] regularly as, especially over the next few months, we expect things to be very dynamic.” While I certainly look forward to reporting on developments at RISI, especially sharing any developing information on the control system security incidents, I urge any of my readers that work with control systems to track the site and their reports. And most importantly, Please REPORT CONTROL SYSTEM INCIDENTS.

HR 3258 Section-by-Section Analysis

On July 20th Chairman Waxman and four fellow Democrats from the House Energy and Commerce Committee introduce HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. This bill would amend §1431 of the Safe Drinking Water Act (42 U.S.C. 300i–2) by completely rewording that section of the Act {§2(a)}. Any violations of the current version of §1431 that occur before the effective date of the regulations required in this bill will result in those rules remaining in effect for that facility until the issues are resolved or enforcement proceedings have been completed {§2(b)(3)}. What follows is a section-by-section analysis of the provisions of this proposed legislation. I will reserve my comments for a later posting. Section 1431(a) This section requires that the Administrator of the US EPA issue regulations establishing risk-based performance standards for the security of covered water treatment facilities. A covered water treatment system would be any system that serves a population of 3,300 or more or is so designated by the Administrator. It would require those regulations to establish requirements for the conduct of security vulnerability assessments (SVA), development of site security plans (SSP) and the preparation of emergency response plans (ERP) for covered facilities. The regulations would require an update those SVA’s every 5 years or whenever system changes at the facility could result in the reassignment of the risk-based tier ranking of the facility. SSP’s and ERP’s would also be updated every five years, but SSP’s would have to be updated after every update of the SVA. Because most States have primary enforcement responsibility for water treatment systems, the Administrator is required to consult with State authorities during the development and carrying out these regulations. The Administrator is also required to consult with the Secretary of DHS regarding {§1431(a)(4)}:
“(A) provision of threat-related and other baseline information to covered water systems; “(B) designation of substances of concern; “(C) development of risk-based performance standards; “(D) establishment of risk-based tiers and process for the assignment of covered water systems to risk-based tiers; “(E) process for the development and eval1uation of vulnerability assessments, site security plans, and emergency response plans; “(F) treatment of protected information; and “(G) security at co-managed drinking water and wastewater facilities.”
In establishing a list of substances of concern the Administrator should establish a threshold quantity for release or theft of the substances. The Administrator would take into consideration the toxicity, reactivity, volatility, dispersability, combustibility, and flammability of the substance. The selection of the threshold quantity should reflect the amount of the substance that, when released, would result in death, injury, or serious adverse effects to human health or the environment. The Administrator should take Appendix A to 6 CFR part 27 into account when establishing the list. The Administrator would also provide baseline information to covered water systems on what intentional acts are probable threats to{§1431(a)(6)}:
“(A) substantially disrupt the ability of the system to provide a safe and reliable supply of drinking water; “(B) cause the release of a substance of concern at the covered water system; or “(C) cause the theft, misuse, or misappropriation of a substance of concern.”
Section 1431(b) The risk-based performance standards (RBPS) will provide for separate and increasing stringent standards based on the covered water system’s risk-based tier assignment. The Administrator will take into account 6 CFR 27.230 when developing these RBPS. Section 1431(c) The SVA will assess the system’s vulnerability to a range of intentional acts, including intentional release of a substance of concern. At a minimum the assessment will include:
“(1) pipes and constructed conveyances; “(2) physical barriers; “(3) water collection, pretreatment, treatment, storage, and distribution facilities; “(4) electronic, computer, and other automated systems that are used by the covered water system; “(5) the use, storage, or handling of various chemicals, including substances of concern; “(6) the operation and maintenance of the covered water system; and “(7) the covered water system’s resiliency and ability to ensure continuity of operations in the event of a disruption caused by an intentional act.”
Section 1431(d) The regulations will provide for a risk-based tier ranking system with four tiers and tier 1 being the highest risk tier. The Administrator will require covered water systems to submit information necessary to asses the tier ranking for that system. The Administrator will advise the covered water systems of the reason for their ranking. In determining the ranking the Administrator will take into account the potential consequences from {§1431(d)(1)(B)}:
“(i) an intentional act to cause a release, including a worst-case release, of a substance of concern at the covered water system; “(ii) an intentional act to introduce a contaminant into the drinking water supply or disrupt the safe and reliable supply of drinking water; and “(iii) an intentional act to steal, misappropriate, or misuse substances of concern.”
Section 1431(e) The regulations will allow each covered water system to develop it’s site security plan by providing a layered security and preparedness measures that will address each of the vulnerabilities identified in the SVA and all of the RBPS required by this legislation. Section 1431(f) The SSP and ERP shall describe the roles and responsibilities for employees and contractors in deterring and responding to intentional acts. Each covered water system will provide annual training for its employees and contractor employees on those roles and responsibilities Each covered water system will include at least one supervisory and at least one non-supervisory employee and an employee representative from each recognized/certified bargaining agent (for either facility or contractor employees) in the development of the SVA, SSP and ERP for the facility. Section 1431(g) For each covered water system that possesses or plans to possess an substance of concern above the threshold quantity, there will be a requirement to include in the SSP for that system an assessment of ‘methods to reduce the consequences of a chemical release from an intentional act’. The assessment would consider factors appropriate to the system’s security, public health, or environmental mission, and include a discussion of:
The methods assessed; How the methods could reduce the potential extent of death, injury, or serious adverse effects to human health resulting from a chemical release; How the methods could affect the presence of contaminants in treated water, human health, or the environment; Of the feasibility of the methods; The costs associated with implementing the methods; Any other relevant information; and Whether the facility has implemented or plans to implement any of the methods discussed.
For Tier 1 and Tier 2 facilities that are required to complete the assessment and are located in a State that exercises primary responsibility for water treatment facilities, the State may require the facility to implement methods to reduce the consequences of a chemical release from an intentional act. If a State decides not to require that implementation it will so notify the Administrator. In all other states the Administrator retains the authority to require Tier 1 and Tier 2 water treatment facilities to implement the methods assessed by that facility. The authority making the decision to mandate implementation will consider factors appropriate to the security, public health, and environmental missions of covered water systems, including an evaluation of whether the method{§1431(g)(3)(C)}:
“(i) would significantly reduce the risk of death, injury, or serious adverse effects to human health resulting directly from a chemical release from an intentional act at the covered water system “(ii) would not increase the interim storage of a substance of concern by the covered water system; “(iii) would not render the covered water system unable to comply with other requirements of this Act or drinking water standards established by the State or political subdivision in which the system is located; and “(iv) is feasible, as defined in section 1412(b)(4)(D), to be incorporated into the operation of the covered water system.”
If a covered water system prepares an inadequate assessment, or the State fails to make a decision about the implementation of methods, or the State fails to enforce an order to implement methods, the Administrator may assume the appropriate responsibility and order compliance after providing a 30 day notice. Failure of a State with primary enforcement authority to fail to properly implement and enforce this rule may result in the Administrator reviewing the primary enforcement authority of that State. Section 1431(h) Each covered facility is required to submit an SVA and an SSP to the Administrator and the Administrator is required to review those documents. The Administrator has the option to approve the submitted documents if they meet the requirements of this section, or to require the covered facility to correct significant deficiencies. One of the required documents has a ‘serious deficiency’ if the Administrator, in consultation (if appropriate) with the State exercising primary enforcement authority, determines that {§1431(h)(2)}:
“(A) such assessment does not comply with the regulations established under section (a)(1); or “(B) such plan— “(i) fails to address vulnerabilities identified in a vulnerability assessment; or “(ii) fails to meet applicable risk-based performance standards.”
Section 1431(i) Each covered water facility is required to prepare and Emergency Response Plan (ERP). They are required to certify the completion of the ERP to the Administrator not later than 6 months after the first completion or each revision of the facility SVA, or after any revision of the ERP. Each covered water facility ERP will include {§1431(i)(3)}:
“(A) plans, procedures, and identification of equipment that can be implemented or used in the event of an intentional act at the covered water system; and “(B) actions, procedures, and identification of equipment that can obviate or significantly lessen the impact of intentional acts on public health and the safety and supply of drinking water provided to communities and individuals.”
The covered water facility will provide appropriate information to any local emergency planning committee, local law enforcement officials, and local emergency response providers to ensure an effective, collective response. Section 1431(j) Each covered facility will maintain copies of their current SVA, SSP and ERP. Section 1431(k) The Administrator will audit and inspect covered water facilities to ensure compliance with this section. During such inspections the Administrator or designated representative will have full access to all personnel at the facilty. Section 1431(l) The Administrator will prepare regulations covering the prohibition of public disclosure of protected information. The level of protection will be similar to those required for Sensitive Security Information under §525 of the Department of Homeland Security Appropriations Act, 2007 (Public Law 109–295; 120 Stat. 1381). Those regulations will make the unauthorized disclosure of protected information the equivalent of a Class A Misdemeanor with up to a year in prison and/or fines in accordance with chapter 227 title 18 USC. The regulations will include provisions for sharing information with {§1431(l)(1)(A)} “Federal, State, local, and tribal authorities, first responders, law enforcement officials, designated supervisory and non-supervisory covered water system personnel with security, operational, or fiduciary responsibility for the system, and designated facility employee representatives, if any. Such standards shall include procedures for the sharing of all portions of a covered water system’s vulnerability assessment and site security plan relating to the roles and responsibilities of system employees or contractor employees under subsection (f)(1) with a representative of each certified or recognized bargaining agent representing such employees, if any”. Section 1431(m) Covered water facilities will continue to be exempt from the CFATS regulations, underlying legislation, HR 2868 and the rules resulting there from. Section 1431(n) This section does not preempt any State or political subdivision thereof, from adopting and enforcing more stringent regulations. Section 1431(o) The Administrator may assess a civil penalty of up to $25,000 per day for violations of these regulations including failure to fully implement the SSP by the required date. The Administrator may also seek injunctive relief in US District Court. The Administrator may not take action against a covered facility for an inadequate assessment of, or failure to implement, methods to reduce the consequences of a chemical release as result of an intentional act, if the State exercising enforcement authority has approved the assessment or the decision not to implement such methods. Section 1431(p) The Administrator will prepare a report to Congress three years after passage of this act, and every three years there after, on the progress of the implementation of the rules required by this section. Detailed requirements for the report are provided. Section 1431(q) The Administrator will establish a grant program to assist the States in implementing this rule. The Administrator will contract with the National Institute of Health Sciences to make and administer worker training grants; worker training would cover facility employees and contractor employees, as well as first responders and emergency responders that would respond to an intentional act at a covered facility. Section 1431(r) The Act would appropriate $315 million for FY2011. Of that money $30 million would go to administrative costs of the Administrator or States and $125 million may be used to implement methods of reducing consequences of a chemical release from an intentional act at a covered facility.

Thursday, July 23, 2009

Reader Comment – 07-22-09 – Emer Mgmt Solutions

Yesterday a reader, MMV, left a comment about an earlier posting about the fatal Tanner Industries anhydrous ammonia release. That posting briefly described emergency management tools that could detect toxic clouds and predict their spread, allowing for a better emergency response. MMV responded by writing “I have heard of such chemical emergency management solutions. One is from a company called SAFER Systems in case anyone is interested.” I did a quick check of their web site and they certainly do a better job of describing how such a system should work than I did in my earlier post. I don’t know anything about the company or how well their system works, but anyone interested in emergency response planning for a facility that has toxic release inventories should read the presentations on the SAFER Systems web site. The system described would have gone a long way to preventing the off-site death in this latest incident if it had been used by a good emergency response plan. This is still the major point that I wanted to make in the original posting. All of the tools in the world will not help if there is not a good emergency response plan in place. A well planned and exercised emergency response plan will over come the lack of a lot of fancy equipment. Combine the two and you have a real good chance of coming out of a significant toxic release without any serious off-site consequences. BTW - Anyone with detailed knowledge of the Safer System please contact me.

TSA Enforcement Procedures Final Rule

Earlier this week the Transportation Security Administration published a final rule in the Federal Register implementing new procedures for enforcing TSA surface transportation requirements in 49 United States Code. Additionally the rule re-organized the structure of 49 CFR 1503 without making any substantive changes. Because no new requirements are being imposed on the regulated community, TSA issued this final rule without any intermediate notices. Public comments on the final rule are being accepted until September 21st, 2009 while the regulations go into effect on August 20th. Comments may be submitted electronically to at docket number TSA-2009-0013. Surface Regulation Enforcement Authority The Implementing Recommendations of the 9/11 Commission Act of 2007 (Public Law 110–53) provided authority for the TSA to enforce surface transportation requirements in 49 USC and the Transportation Workers Identification Credential system requirements in chapter 701 in 46 USC. This regulation applies the same enforcement procedures used by the TSA in aviation security matters outlined in 49 CFR part 1503 to violations of surface transportation security regulations. The areas of surface transportation security addressed by this regulation include rules concerning CDL’s with hazmat endorsement (49 CFR parts 1570 and 1572) as well as rail transportation security regulations (49 CFR part 1580). The TSA enforcement procedure requires that before TSA can assess a civil penalty they provide a 30 day Notice of Proposed Civil Penalty. During that period the alleged violator may elect to pay the proposed penalty, show that the violation did not take place, present mitigating information, or explain why the alleged violator cannot pay the penalty. If the civil penalty is not paid during the 30 day period the respondent must request an informal hearing with TSA counsel or a formal hearing before an Administrative Law Judge. If the issue is not resolved in the 30 day period, TSA will issue a Final Notice of Proposed Civil Penalty (FNPCP). The alleged violator then has 15 days to pay, reach a settlement or request a formal hearing before an ALJ. The formal hearing will be conducted in accordance with the rules set forth in 49 CFR part 1503 sub-part G. The final ruling by the ALJ may be appealed to the TSA Decision Maker (the Assistant Secretary of Homeland Security (Transportation Security Administration) or his or her designee). The ruling of the TSA Decision Maker is the final agency action and may be appealed in US District Court. Reorganizing 49 CFR part 1503 TSA is including an extensive reorganization of part1503 of 49 CFR. In making these changes TSA intends to “conform to the understood policy, intent, and purpose of the original regulations, with such amendments and corrections as will remove ambiguities, contradictions, and other imperfections” (74 FR 36033). For the most part this means that sections were renumbered and re-titled. In some cases, however, large sections were broken down into separate sections and redistributed throughout the part. For example §1503.16 was broken down into 8 separate sections. While the re-organization forms the major part of the changes made to part 1503, there were minor changes made to many of the individual sections. Those changes are explained in the pre-amble to the rule. Amendments and corrections were not made to every section. Since this section deals with enforcement and investigation procedural matters, analysis of these changes is best left to the lawyers. One thing is certain, however, changing section numbers is going to have an effect on procedures that have been written in a number of organizations that reference the old section numbers. A careful review of any procedure that deals with TSA enforcement actions needs to be done to ensure that references to 49 CFR part 1503 actually point at the intended section.

Wednesday, July 22, 2009

S 1274 Status Update – 07-21-09

The Senate Committee on Commerce, Science, and Transportation held an Executive Session yesterday afternoon at which they marked-up S 1274, a bill to prevent the re-occurrence of the efforts of Bayer CropScience to limit the discussion of information related to their fatal accident last year by excessive claims of coverage as Sensitive Security Information. The bill was ordered to be reported favorably with an amendment in the nature of a substitute. There was no discussion and the substitute language is not currently available. When the Committee report is made available, I’ll take a look at what changes have been made. I’m still not sure why Sen. Rockefeller (D,WV), the sponsor of this bill, is proceeding with this legislation as he was able to get identical provisions added to the Senate version of HR 2892, the DHS FY2010 Budget. Of course that bill has not yet passed, or even come out of conference committee. He may just be covering his bets.

Reader Comment – 07-20-09 – Ammonia Incident

It was a busy day yesterday and I did not get a chance to formulate a reply to another anonymous comment on the recent fatal anhydrous ammonia spill in Swansea, SC. In this case it appears that Anonymous is someone in the business of supplying emergency response solutions. As such I think that it is important to re-print his lengthy reply in its entirety. Anonymous wrote:
“You bring up many good points regarding not only this chemical event, but chemical events in general. Preventative measures while certainly important are most often not enough and unfortunately it sometimes takes a "newsworthy" event to bring this into the light. “There are readily-available chemical emergency management solutions for both industrial sites, as well as local, county, state and even federal responders and emergency management agencies, that would allow them to effectively monitor, model and quickly determine - using a variety of real-time sensor information, an extensive database of chemicals and GIS data - what chemical(s) is involved, what the release rate of the chemical is/was, where the toxic cloud is headed over time, who will be impacted over time (schools, churches, hospitals, etc. in the projected path) and in what concentrations. This is just a portion of the useful information available. “Such solutions permit informed decision making in the event of an emergency. They can be used as a pre-event planning tool, emergency response decision mechanism and post-event analysis aid. They permit responders to quickly make shelter-in-place and evaluation decisions and thus can and do help to limit the loss of life and property plus minimize the disruption to both business and personal life within nearby areas. “And when linked with available ENS technologies, they provide a superior planning, response and notification solution. “Unfortunately the implementation of such solutions is not currently mandated by government although some states like West Virginia have recently enacted legislation but more and more as deaths occur, one must ask themself - why not?”
The type system that Anonymous describes is something that I have mentioned generically on a number of occasions. An array of chemical detectors is set up surrounding the facility with the highest concentration around the high-risk storage locations. At a facility like the Tanner facility in South Carolina they have the advantage of only requiring a single sensor type because they have a single hazardous chemical, ammonia (the sensors would detect both anhydrous and aqueous forms). Combined with meteorological sensors, a geographic information system (GIS), and sophisticated (but readily available) predictive software and you have an information source for a intelligent emergency response system, providing facility and off-site responders with time critical information about the extent, location and future impact areas for the spill. Now add an electronic emergency notification system (ENS) and you have a system that quickly begins automated notification of potentially affected parties. Combine that with prior chemical threat notification, education and training and you have a system that will greatly reduce the consequences of accidental or deliberate release. I am sure that there must be companies out there that have systems like this commercially available. Anonymous probably works for (or perhaps even owns) such a company. I would love to see a good simulation of how such a system works and would certainly be willing to share a link with my readers. The closing question in the posting by Anonymous is an important question. The reason that state and local governments don’t require better emergency response planning and notification is complex. Obviously such measures cost money that comes straight out of the bottom line since they are not profit centers, but that is the reason that companies avoid such technology, not law makers. The cynical response to that is that law makers are more responsive to businesses than to ordinary citizens, and there is a certain amount of truth in that response. Unfortunately for businesses, when there is enough of a public outcry the politicians do respond and that response is typically more costly than reasonable preventive measures. In this case the response will not likely be requiring sophisticated emergency response measures; it is more likely to be serious mandatory implementation of inherently safer technology. No matter what IST proponents say, mandatory IST provisions will put companies like Tanner Industries out of business. Tanner’s business is the distribution of anhydrous ammonia, a targeted TIH chemical; as more of their customers convert to ‘safer’ alternatives Tanner will loose business. Loose enough business and Tanner will close it’s gates. It would seem to me that companies like Tanner should be leading the charge to implement these emergency response systems. Not only is it the right thing to do, it is likely the only thing that will prevent a serious incident that will make real mandatory IST a political reality.

Reporting Attacks on Control Systems

Monday, July 20th, 2009 was an important day for control system security. The long awaited birth of RISI (Repository of Industrial Security Incidents) finally occurred. The RISI is a data base operated by Security Incidents Organization (, a non-governmental organization (NGO) that will collect, investigate, analyze, and share information about security incidents involving industrial control systems. Walt Boyes and Joe Weiss from are part of the team that has been working on bringing this organization and data base to life. Other easily recognized names behind this start-up include: John Cusimano, of exida, Eric Byres of Byres Security div. of Exida, Todd Stauffer, also of exida, Aris Espejo of Syncrude Ltd., Eric Cosman of Dow Chemical Company. To give a viable start to this project the RISI database was started with data from 150 cyber incidents that had been gathered by the Industrial Security Incidents Database (ISID) an academic project starting in 2001. This makes RISI currently the largest database of control system incidents. Those incidents include accidental cyber-related incidents, as well deliberate events such as external hacks, Denial of Service (DoS) attacks, and virus/worm infiltrations that did or could have resulted in loss of control, loss of production, or a process safety incident. While the Security Incidents Organization is a registered non-profit, it does have expenses to cover. There is an annual membership fee for full access to the RISI database, but in a remarkable marketing idea for a bunch of control geeks, they offer a free 3 month membership (or extension of membership) for each industrial cyber incident reported. Anyone that is responsible for an industrial control system (especially control systems at high-risk chemical facilities), or for security of the same, should visit the organization web site. A detailed exploration of the site would be well worth your time. I’m adding the site to my list of daily internet stops.

Tuesday, July 21, 2009

HR 3258 Introduction

Yesterday, Chairman Waxman of the House Energy and Commerce Committee introduced HR 3258, Drinking Water System Security Act of 2009. It was posted to the GPO web site this morning, so I have yet to conduct a thorough review of the provisions. Doing a very quick speed read it is apparent that this bill started out as Title II of HR 2868 but quickly took on a life of its own. The bill looks like it is going to establish CFATS lite under the EPA to regulate the security of water treatment facilities. A brief look at the provisions makes me think that this will actually increase the physical security requirements for water treatment facilities (an easy task since there were no previous requirements), but waters down (unintended pum, I promise) the protections for chlorine and anhydrous ammonia that would have been required under HR 2868. Since this stand alone bill does not seem to mention HR 2868 or the CFATS exemption for water treatment plants, I would assume that the Energy and Commerce Committee will find it necessary to add the water treatment facility exemption back into HR 2868. One reader has already pointed out to me that this bill is simply an exercise in protecting congressional turf. That is the only reason that any reasonably sane person could have for setting up a duplicate organization in a separate executive agency to do the same thing. Perhaps they should lump this bill into one of the stimulus packages since it will certainly be an exercise in increasing the federal workforce. In any case, I’ll take a more detailed look at the bill and get back with a more detailed analysis of its provisions. Oh, yes. The first hearing for this bill was supposed to have been the Energy and Environment Subcommittee Hearing on Thursday morning. William Almond (SOCMA) is reporting on TWITTER that that hearing has been postponed (no date announced yet I understand) because of problems the Energy and Commerce Committee is having completing their mark-up of the healthcare reform bill.

Reader Comments – 07-19-09 – Ammonia Incident

On Sunday morning Scpck posted a comment to Friday’s posting about last week’s fatal anhydrous ammonia accident in South Carolina. Scpck’s comments are posted here in their entirety:
“From what I read and heard the local authorities did try to direct traffic away, but no road block was made for traffic entering from the opposite side of the gas cloud.The OSHA and other Hazmat entities came quite a bit later. Most people did not even know the plant was there, nor what danger existed. It is not listed as a Tier 1 on the Tanner web site and apparently the only safety classes offered were in Georgia 2 years ago. This is NOT a good thing. A mother driving through the vapour DIED leaving two teenage children.”
From the comment about the Tier 1 status, I would bet that Scpck is not a long time reader nor a member of the chemical security committee. That’s fine; I suspect that Scpck is a local looking for answers and searching where-ever the net leads. I am afraid that I have no more answers than their local papers at this point, the investigation is at too early a stage for me to be able to explain much.

Scpck does provide some important information to readers of this blog however, reporting that “Most people did not even know the plant was there, nor what danger existed.” On one hand this statement seems to contradict some of the news reports that came out this weekend where some residents complained of frequent ammonia odors coming from the facility. That isn’t unexpected. Even very small leaks of anhydrous ammonia produce small clouds and ammonia is detectable in very low concentrations; it is a very pungent chemical.

Scpck’s comment is almost certainly more applicable to the larger community rather than to immediate neighbors. With the large anhydrous storage tanks and rail cars on site, there should certainly be concern that a large cloud of anhydrous ammonia could affect the nearby community. While we would certainly expect that Tanner Industries has been in contact with local first responders to coordinate the emergency response, it seems pretty clear that the community has not been included in that emergency response planning.

Trying to get the community to respond properly in an emergency situation always works better if they know what is expected of them. That doesn’t assure proper response, but it does make it more likely.

DHS CSAT FAQ Page Update – 07-17-09

Last week DHS only provided two new FAQ questions/answers on their extensive Frequently Asked Questions web page. Those questions were: 1392: When would I have the ability to transfer my account or reassign my user role? 1640: When will I be notified if I have to complete a SVA? Transfer User Account The answer to this question briefly explains that user accounts can only be changed after the user name and password have been issued. This is done to protect the facility from attempts to hijack the facility accounts to gain access to the facility security information stored on-line. The registration system is an open access system, so no changes are allowed in that system. There is a separate, secured access system, designed to handle change requests. That is the User Change Request System. SVA Notification I am not sure that the answer provided for this question actually addresses the desired information. It does do a good job of describing what information the SVA notification provides, but it does not address the timing of that notification. Part of the problem DHS has in answering questions like this is that there are a number of factors that go into the timing of the review of the submitted Top Screen, and then making the initial determination that a facility is a high-risk facility and determining the preliminary tier ranking. The complexity of the Top Screen will certainly bear on the length of time it will take to make the appropriate determinations. A simple Top Screen with a single COI in a well defined area will take much less time to reach a determination than a Top Screen with multiple COI in multiple risk categories stored in a variety of conditions and areas within the facility. While the initial evaluation is done by computer, each Top Screen submission is also reviewed by a real live person. This leads to the another variable in determining how much time it takes to evaluate a Top Screen. Currently the limited numbers of personnel available for enforcement activities in the CFATS program are tied up with a large number of initial Site Security Plans. Since these are Tier 1 and Tier 2 facilities currently undergoing SSP submission, they would generally be expected to have a higher priority than new Top Screens. The good news is that while the facility is waiting for their SVA notification letters, they can go ahead and start collecting data for the SVA submission. If they are subsequently notified that they are a high-risk facility they will have a head start on preparing their submission. If they are told that they are not a high-risk facility (and thus not covered by the CFATS regulations) the information they have gathered will help them to make their own assessment of their site security status, valuable information for any facility. Finally, the time spent waiting for DHS notification does not count towards the deadlines that the facility must meet in complying with their responsibilities under CFATS.

Monday, July 20, 2009

Sodium Fluoroacetate Review

This weekend I was working on an article for the Journal of Hazmat Transportation on HR 2868. As part of that work I was taking a detailed look at the wording of that legislation as found in the Part 1 of House Report 111-205. It was then that I found one of those tiny amendments to a serious bill that cause so many problems for those in the regulated community: §3(h) Review Of Designation Of Sodium Fluoroacetate As A Substance Of Concern, found on page 20 of House Report 111-205. Sodium Fluoroacetate Let me start out by saying that Sodium Fluoroacetate is one nasty chemical. It is poisonous, but only by ingestion. It is a registered rodenticide and is manufactured in this country as ‘1080’ and has been used to kill coyotes . It is a naturally occurring compound found in the leaves of many plants growing in Australia, Brazil and Africa according to Wikipedia. Many animal advocate organizations have opposed its use because it causes convulsions and other visible neurological symptoms prior to death. A fatal dose is only 10 mg/kg of body weight for humans, thus only 820 mg could be lethal to a human weighing 180-lbs but it must be ingested or injected to be lethal. Fortunately it is a solid, so it hardly qualifies as a weapon of mass effect. There are no other ingestion-only toxics included on the current list of chemicals of interest, and it is unlikely that this chemical was even considered for inclusion on that list when the Department started working on developing the list of chemicals of concern Manipulating the Committee System There has been a move to ban the manufacture and sale of this chemical for a number of years. Congressman DeFazio (D,OR) has introduced bills twice (HR 4567 – 109th Congress and HR 4775 – 110th Congress), but they have never received a hearing, much less a floor vote. Interestingly, Congresswoman Zoe Lofgren (D,CA) was a co-sponsor of HR 4775. The §3(h) provision was not in the original version of the bill introduced in the House. It was certainly not discussed in the Committee mark-up sessions. Which means it either must have been included in Chairman Thompson’s amendment in the form of a substitute, or it had to have been added by Committee staff. According to the statement made by Chairman Thompson, and verified by Ranking Member King, made on the first day of the mark-up, the two of them reviewed a number of non-controversial amendments and agreed to roll them into one amendment that was subsequently offered by the Chairman. Since ‘1080’ is manufactured in the district of one of the members of the Committee, Rogers(R,AL), it is unlikely that this would have been considered by Mr. King or Chairman Thompson to be a non-controversial amendment. So, how did this provision get in the legislation? I can only see two possibilities. First it was buried in an amendment that was okayed by Thompson and King; in which case a member of the committee played games with the process to pursue a personal agenda. Second it was added by a member of the staff as part of the routine ‘cleaning up’ of a piece of complicated legislation; a clear usurpation of legislative authority. In either case, the provision should be removed from the proposed legislation.

HR 2868 Hearing Update 07-20-09

Today the House Energy and Commerce Committee has the Thursday hearing about HR 2868 posted on their web site. The Energy and Environment will be conducting the hearing at 10:00 am. Apparently the hearing will cover two bills, HR 2868 and a bill that has yet to be submitted; The Drinking Water System Security Act of 2009. No other information is currently available on that bill so it is not clear if it is a chemical security bill for drinking water facilities or a bill focused on the security of the drinking water. There is no official listing of witnesses available on the Committee website, but I have heard that Sue Armstrong from DHS will be appearing as a witness.

Security Integrators

There is an interesting article over on by Ryan Laughin. He provides a brief overview of the CFATS program. Of course, plenty of people have been providing such overviews recently. What is unique about his article is that he provides a list of qualities that a facility needs to look for when hiring a security integrator. Security Integrator Security integrator is one of those interesting new terms than many people in the chemical industry are learning about due to the requirements for implementing complicated new security procedures because of the CFATS regulations. A security integrator is essentially a specialized contractor who deals with a wide variety of security system providers. A quick review of the Risk-Based Performance Standards Guidance document quickly reveals that there will be a wide variety of security measures required at high-risk chemical facilities to bring them within compliance. There are a number of different suppliers, dealers, and installers available for each of these measures. Not only will it be difficult for the facility security officer to select the best team for each measure, additional work will have to be done to make sure that all of the systems work together to effectively protect the facility. That is the job of the security integrator. Unfortunately, that is about all that I know about security integrators. Oh yes, and one other thing; in his article Laughin provides a list of ‘qualities’ to look for in an integrator. Those qualities are:
“A knowledge and understanding of CFATS. The integrator needs to know the background and have a good understanding of tiering and RBPS requirements. “Chemical-terrorism Vulnerability Information certification (CVI) – DHS has implemented restrictions to make sure that the information facilities have provided the department does not fall into public hands. An integrator with CVI certification has been pre-screened and instructed on what information needs to be kept private and how to keep it from getting into the public arena. “Safety Act Certification – This means that the integrator’s electronic security services have been certified by the DHS to limit the legal liability of the end-user if a terrorist act should occur.”
These three qualities seem to be self-evident and probably do not do too much to limit the choices available to the facility security officer. Certainly there should be more that one should be looking for in hiring for this kind of service. I know that there are at least a couple of security integrators among the regular readers of this blog. What other qualities would security integrators suggest?

Friday, July 17, 2009

Congressional Hearings Next Week

The congressional web sites that I routinely check only show one hearing of possible interest to the chemical community next week. I have heard that the Energy and Environment Subcommittee of the House Energy and Commerce Committee will be holding a meeting on HR 2868 next Thursday. This confirms the Twitter report that I mentioned yesterday. The listed hearing includes the mark-up of S 1274 in the Senate Energy and Commerce Committee. You might remember that Sen. Rockefeller introduced this bill to prevent another Bayer-SSI fiasco from occurring. Why is his committee is marking up this bill when he inserted the same provisions in the DHS Budget Bill (HR 2892) that passed in the Senate? Perhaps they are going to go back and put some teeth in the bill by adding some sort of sanctions for using the SSI markings to cover-up safety concerns. Or, perhaps they are going to go back and add CVI coverage. Or perhaps the good Senator does not believe the provision in the DHS bill will survive conference.

Signup for QHSR Dialogs

The DHS Blog had a brief piece yesterday about the Quadrennial Homeland Security Review (QHSR). It addressed a subject that has already been covered here, the public dialog that DHS is including as an integral part of their review. What is new in this piece is that DHS is announcing the web site where we can sign-up to take part in the review. The web site is being hosted by the National Academy of Public Administration and I have a significant complaint about how they are dealing with things. First off, rather than keep things on the web site set up for this project, they have farmed out the hosting of documents to a separate web site To view or download documents from this site you must register with Now, I don’t know anything about this website or the people that run it, but this seems to be a crazy way to run a government sponsored dialogue. The one thing that really bothers me is that the privacy disclaimer on the web site specifically says that “Information collected through this page will only be used to contact you about this National Dialogue, and will not be shared with any third parties or government organizations, including the U.S. Department of Homeland Security.” Having to go through and register there makes that claim patently false. Now I have signed up, with some reluctance to be sure, with this mishmash of web sites to that I’ll be involved in the ‘dialogue’. I cannot, however, in good conscience recommend that anyone else do so. I will report on what ever kind of problems (or possibly the lack there of) that comes from signing up with this mess. I would certainly be willing to bet that my incoming spam rate is going to go way up. Buyer be ware and proceed with caution.

Fatal Ammonia Incident

This last Wednesday there was a fatal accident at an ammonia storage facility in Swansea, SC. What marks this as being different from the large number of seemingly common reported anhydrous ammonia incidents, other than the death of course, is that this took place at a chemical facility rather than a food processing facility. Furthermore, the death took place off-site which may have an impact on the IST discussion taking place in Congress.

The Accident

The release took place during transfer operations. The Tanner Industries facility was apparently receiving a truck load shipment of anhydrous ammonia (NH4). A transfer line ruptured while the material was being moved into a storage tank. Initial reports indicate that about 1,800 lbs of anhydrous ammonia was released from the hose before the truck driver was able to get the discharge valve closed on the truck. As the liquid material exited the hose, the pressure reduction resulted in the conversion of the material from a liquid to a gaseous form. Additionally, some of the material would have reacted with moisture in the air to be chemically converted to aqueous ammonia (NH3OH), the form of ammonia typically found in very dilute form in household cleaners.

The gas cloud drifted off-site. Fortunately for the about 1,000 residents of the town of Swansea the wind was light and away from town. Unfortunately for the motorist that was killed, the cloud drifted across US 321. When her car stalled when it entered the cloud, the mother of two teenagers left the car in an attempt escape, but was quickly overcome by the toxic fumes. An additional 14 people were treated for exposure to the fumes and seven of those were transported to a local hospital for additional treatment. Authorities credit actions of the truck driver with limiting the amount of the release and a state official who happened to be driving by with blocking the road and preventing other drivers from being overcome.

No Security Issues

There are no indications that this was anything other than an industrial accident. News reports do note that there was an electrified fence surrounding the facility, so Tanner Industries apparently take their security responsibilities seriously. With a number of large anhydrous ammonia storage tanks on site, it is likely that this facility was a covered facility under CFATS regulations. With its isolation in a rural area, it is unlikely that that it was a Tier 1 facility. It will be interesting to see if Tanner Industries makes the same mistake that Bayer did earlier this year and try to use CVI markings on documents to limit the CSB discussion of their handling procedures.

Safety Issues

The Chemical Safety Board has a team on-site and may end up adding this accident to their short list of formal investigations. Until their investigation is complete we really can’t make a definitive statement about the cause of the accident or what could have been done to prevent the accident. There are some indications of how Tanner dealt with safety issues.

First it is apparent that there were systems in place to prevent the storage tank from draining out through the ruptured hose. This is important. The large amount of anhydrous ammonia typically found in these tanks would have resulted in a much larger cloud and potentially more injuries and deaths. If news reports are correct, and the truck driver had to manually shut the discharge valve on the truck, the facility did not have high-flow shut off systems in place for truck unloading operations. These systems sense the high-flow rates associated with this type of accident and automatically shut off valves on the truck side of the hose, limiting the amount of material that would be discharged from the truck. These systems have been recommended by the CSB in other TIH chemical incidents, but have not been required by OSHA.

IST Implications

At first glance, the Swansea, SC facility should be a poster child for proper use of IST considerations. The facility that handles large quantities of an inhalation hazard chemical is sited in an isolated area where a catastrophic accident could only affect a limited number of people. This is reflected by the fact that this facility was not listed on either list in the CAP Chemical Security 101 report. So, how then does this incident have potential IST implications?

First, IST proponents will be quick to point out that if an incident like this can happen at a facility whose sole function is the handling of anhydrous ammonia, then it can certainly happen at food processing facilities in urban areas. Tanner Industry employees will certainly be more experienced and better trained at the techniques for handling this dangerous material.

Finally, if down stream users of anhydrous ammonia were to find substitute materials then there would be a reduced need for handling anhydrous ammonia at facilities like this. Reduced handling would seem to reduce the likelihood of accidents like this.

Emergency Response Plan

The one thing that this incident points out is that if a facility only relies on preventive measures to protect against the consequences of a release (accidental or deliberate) they are going to get caught short sooner or later. Facilities with sufficient volumes of toxic release chemicals to have an off-site affect need to have emergency response plans that include emergency public notification of significant releases. Facilities with large quantities of toxic release COI also need to consider their moral responsibility for providing at least token mitigation measures. Automated alarm systems are widely available to alert a control room or security center of significant leaks.

Facilities like this that are going to have an immediate impact near their fence line should have audio alarms that can be heard within a reasonable distance of the facility to alert their neighbors of an impending toxic cloud. More distant neighbors can be alerted by phone alerts. All of those neighbors need to be notified in advance of what to do in the event of an alert. The question of what to do with a major roadway near the facility is more difficult because the measures need to be coordinated with state and/or local highway officials.

A stop light system like those used at many fire stations would probably be the easiest system to establish. The light remains green for normal conditions and only turns red in the event of a chemical emergency. This would probably need to be backed up by an automated sign that would provide emergency information. A backup response by local law enforcement personnel would also be recommended.

Finally, many inhalation hazard chemicals have some affinity for water or are chemically converted to less hazardous forms when they react with water. Facilities can mitigate the affect of releases of these chemicals by using automated fog machines and water sprays to reduce the size of, or even eliminate, the toxic cloud. Systems must include provisions for collecting runoff, but disposing of hazardous waste is better than dealing with off-site deaths and injuries.

I’ll be watching the follow-up on this tragic incident. The public response from Tanner Industries has been encouraging, but it will be interesting to see if they can sustain that response. Probably more important will be to see if the CSB conducts a full investigation of this incident and what the result of that inspection will be. Because of the wide spread use of anhydrous ammonia in commercial cooling systems, I hope that CSB takes advantage of this incident to look at anhydrous ammonia handling.
/* Use this with templates/template-twocol.html */