Sunday, February 28, 2010
HAZMAT Trucks as Terror Targets
Congressional Hearings Week 3-1-10
This week there are three hearings scheduled that might be of interest to the chemical security community. As might be expected, two will be budget hearings and the other is the first hearing in the Senate about the fate of the CFATS program. DHS Budget The Homeland Security subcommittee of the House Appropriations Committee will be holding two hearings on March 4th looking at different aspects of the President’s DHS budget request. In the morning they will be looking at the DHS intelligence efforts and the effectiveness of the fusion centers. In the afternoon they will be looking at the TSA budget. The fusion center hearing will probably focus on the DHS oversight of these State and locally run institutions. The funding of DHS representatives on these panels will be used as a surrogate for the discussion of how well these centers perform their intelligence analysis and sharing function while still protecting civil liberties. The importance of these centers for the chemical security community comes from their importance in the analysis of local intelligence that might allow for the early detection of potential terrorist threats to the chemical industry. The TSA budget will affect the staffing levels for TSA inspectors for both the Freight Rail Security program and the screening for air freight. Both of these programs will have an important impact on different portions of the chemical security community. Chemical facilities that ship and/or receive select hazardous materials by rail will be concerned about the continued implementation of the rail security program, especially in the continued development of how it will interface with the CFATS program. Facilities that ship chemicals via commercial airlines will be interested in the continued expansion of the air cargo screening program. CFATS The hearing that everyone in the community has been waiting for since the House passed HR 2868 last fall will finally occur this week. The Senate Homeland Security and Governmental Operations Committee will hold their first hearing examining the current state of the CFATS program. The hearing will be held on Wednesday morning and will be entitled “Chemical Security: Assessing Progress and Charting a Path Forward”. As has been typical for these hearings in the House, the Senate Committee will hear testimony from two panels. The first panel will be government witnesses, two from DHS;Rand Beers, Under Secretary, National Protection and Programs Directorate, and Sue Armstrong, Acting Deputy Assistant Secretary for Infrastructure Protection; and one from EPA; Peter Silva, Assistant Administrator for Water. Their testimony will almost certainly follow the same type information that they presented last summer to both the House Homeland Security and Energy and Commerce Committees. The questions asked by the committee of these witnesses will give us our first good look at how the various members look at the CFATS program. Questions about the delays in the inspection program for CFATS will be used by Sen. Collins (R, ME) and her supporters to justify the extension of the current CFATS program called for in S 2996. Sen. Lieberman (I, DE) and his supporters will concentrate on how CFATS can be extended to water treatment facilities, a major part of the HR 2868 agenda. One question will certainly be asked of this panel; why has the Administration asked for another one year extension of the CFATS program in their DHS budget request. Rand Beers is likely to be called on his testimony last summer that the Administration would not ask for an extension in the FY 2011 budget. Last year the Republicans used a similar extension request as a major point in their argument favoring a straight CFATS extension over HR 2868. It will be interesting to see how far the ‘bi-partisan’ support for S 2996 extends in the Committee. We still haven’t seen if the Committee will take up S 2996 or HR 2868 when they actually start their legislative work on the CFATS issue. If there is enough support for Sen. Collin’s bill from the Democrats on the Committee, then the initial work in the Senate will be focused on that bill. The second panel for this hearing will be composed of representatives of various portions of the chemical community. The American Chemistry Council (ACC) and the Society of Chemical Manufacturers and Affiliates (SOCMA) will both have industry members representing them. The voice of chemical workers will be represented by the UAW. All three organizations have testified before House committees and their positions are all well established. The questions for this panel will likely center on IST and worker rights issues. Both manufacturing representatives are against giving the government the ability to mandate implementation of inherently safer technology programs at chemical manufacturing facilities. They do take slightly different tacks with how the voice that opposition, but neither wants to see the current IST provisions in HR 2868 take place. The labor unions have aligned themselves with the environmental activists in calling for an expansive IST requirement.
Neither IST nor workers rights are addressed in Sen. Collin’s legislation. So these questions will provide some indications on how this Committee might proceed with the CFATS issue. Since industry has not been adamant in their opposition to the whistleblower, worker participation or background-check redress procedures included in HR 2868, the addition of these provisions to S 2996 may make her legislation more palatable to some of the moderate Democrats on the panel.
Friday, February 26, 2010
ACC and Cyber Security Testimony
Earlier this week a little bird told me (okay it was a tweet from CFATS, an American Chemistry Council spokesperson) about a letter that the ACC had sent to the leaders of the Senate Committee on Commerce, Science and Transportation for that committee’s hearing this week on cyber security issues. I didn’t pay much attention to this hearing since none of the witnesses were very much concerned with SCADA or ICS security issues. While I wish that the ACC had been asked to provide a live witness for the hearing, I’m glad that they were proactive enough to send this letter. I fully understand that the issue of cyber security is a very broad topic that covers a number of grievous sins. The problems of denial of service attacks, identity theft, phishing, and even cyber espionage all attract a great deal of public attention because most people can understand the consequences of those problems. The potential consequences of an attack on cyber control systems or other cyber control systems incidents is more difficult for most people (including congresscriters) to understand. But, that does not diminish the seriousness of the problem. ACC and DHS have both been active in their work on cyber control system security issues, but these two organizations only directly touch a relatively small hand full of chemical facilities that have both hazardous chemicals and cyber control systems. ACC’s direct effect is limited to their membership and DHS has only limited enforcement authority at the CFATS covered facilities. While the DHS CERT does provide cyber security training to non-CFATS facilities, they have no regulatory authority.
ACC is to be commended on their efforts to keep this issue before our legislators. I’m sure that other organizations are doing the same (and I would be more than happy to give direct kudos if they would share information on their efforts when I don’t see it), but all of us in the chemical security community need to be proactive in our communications with our personal representatives in Congress about the need to fund programs addressing this critical issue.
PHMSA Requirements for Security Plans
According to the RegInfo.gov web site the Office of Management and Budget (OMB) has cleared the PHMSA rule for the Revision of Requirements for Security Plans (RIN: 2137-AE22). Depending on the possible revisions that that OMB may have suggested to the rule, we should be seeing this final rule being published in the Federal Register in the coming weeks. The Regulatory Agenda web site describes this rule this way:
"In response to two industry petitions for rulemaking, this rulemaking will reconsider and refine the list of hazardous materials for which security plans are currently required. The industry petitioners asked PHMSA to amend the security plan regulations to create a distinction between hazardous materials that present a significant security risk while in transportation and the vast majority of hazardous materials that pose no significant security risk in transportation."
The NPRM was published in the Federal Register on September 9th, 2008 with the comment period ending on November 10th. Readers of this blog might remember that I looked at those public comments in five blog postings; 10-24-08, 10-31-08, 11-07-08, 11-14-08, and 11-21-08.
DHS Open Government Dialogue 02-25-10
Thursday, February 25, 2010
DHS Budget Hearings
Reader Comment – 02-24-10 First Responder Ambushes
“An ambush style attack with the use of direct fire weapons is possible, just look at the Mumbai attacks in '08. However, the use of IEDS is the most likely course of action. A VBIED (Vehicle Borne Improvised Explosive Device) is the most likely course of action by extremists. It's a technique that is proven. There is a lower risk of death or detection in a VBIED attack as opposed to a direct fire attack.”I certainly have to agree with this tactical analysis. Recent history shows plenty of instances where terrorists place explosive devices of all sizes near the site of an initial attack with the specific intention of hurting first responders and the innocent on-lookers that respond to all noisy and violent incidents. It increases the terror factor and typically the body count for their attacks. What I was trying to point out in that blog was not how the attack might happen (and there are a multitude of possible ambush techniques that could be effectively used), but that first responders to a complex assault target like a chemical facility might be at an increased risk of such an ambush because of possible time constraints on the initial attack. A simple attack where a VBIED is crashed through the front gate and detonated takes no time, but an assault requiring multiple charges be set at specific locations for maximum effect cannot afford to be interrupted by the arrival of the cavalry. Having said that; Red Team, keep the tactical comments coming. Security managers need to understand how their potential opponents operate. Very few of them (SM’s) have the practical tactical training (a downside to the smaller professional military we have maintained since the end of the Draft in ’72) that some of us have received. A properly designed security system needs to take these tactical realities into account.
Wednesday, February 24, 2010
DHS Budget Hearing 2-24-10
I missed a chance to watch the first two budget hearings ‘live’ on the web yesterday and today because of other commitments. This evening was the first chance that I had to watch either of the two Senate hearings (Homeland Security yesterday and Appropriations today). I flipped a coin and watched the webcast of Sen. Byrd’s (D, WV) Homeland Security Subcommittee questioning Secretary Napolitano. While many of the questions were pointed or demanding, it was generally a friendly exchange. As I expected with the Secretary as the sole witness, there was very little mention of CFATS specifically or chemical security issues in general. While I half expected (hoped) someone would ask about the one year CFATS authorization extension; that question was never asked. The only chemical security related question came in the second round of questions asked by Sen. Byrd. Safety vs Security Byrd mentioned the recent fatal chemical accident at the Dow facility in Belle, WV where first responders (an ambulance crew) were not able to get any information about the accident (chemicals involved, extent of the leak, chemical protection requirements) until they had actually arrived at the scene. He noted that it reminded him of last years hearing when he described another chemical incident in West Virginia and he had asked Secretary Napolitano then what DHS was doing to make operations at high-risk chemical facilities safer. He asked the same question today. This year the Secretary was able to reply that the CFATS implementation was rolling along and would take care of the security issues. It wouldn’t have been a politically sound move for her to tell the SENIOR Senator that DHS is not really a safety organization it is a security organization, that the Senator’s particular question should be addressed to OSHA or EPA. Actually, to be fair to Sen. Byrd, there are some questions asked in the SSP questionnaire that kind of obliquely address the issue of communications with first responders. In a blog from last spring I noted that there were a number of questions dealing with first responder capabilities that could only be addressed by talking with the appropriate emergency response agencies. But, this is all the closer CFATS gets to requiring high-risk chemical facilities to provide information to those response agencies. Of course, Chairman Byrd’s hammer is control of the budget pathway for DHS. This tends to make many things look like security issues; when the only tool you have is a hammer many things begin to look like a nail. Too bad he doesn’t have the EPA Administrator or the Labor Department Secretary to call to task for the situation; but they are covered by other sub-committees.
Hopefully I will get to the Homeland Security hearing webcast tomorrow morning. There is probably a better chance for getting a CFATS question or two there.
Tuesday, February 23, 2010
DHS CFATS Webinar
DHS Open Government Dialogue 02-23-10
Monday, February 22, 2010
Reader Comments 02-21-10 CG Inspectors
“An solution to the problem... Coast Guard facility inspectors. Not active duty ones but folks getting out or already out. We already do this daily. There is no need for DHS to train some tsa screener how to inspect a facility. The skill set is already there hopefully they us it.”While the Coast Guard has been inspecting MTSA covered facilities for quite some time now, those inspections are not the same type of inspection that the ISCD chemical security inspectors will be completing. For one thing, the MTSA inspections that the Coast Guard conducts are much more straightforward with fairly well defined rules. This allows the Coastie inspectors to rely heavily on checklists while conducting their inspections; something is there or it isn't. Since Congress forbade DHS from using that type of regulatory scheme in setting up the CFATS program, the duties of the chemical security inspectors (I’m sorry but I refuse to use the CSI acronym for these folks) are much more complex. This is the reason that there is a 14 week course for these inspectors verses the one day training Coast Guard inspectors get in their A School. I am sure however, that ISCD would be perfectly willing to hire ex-Coasties with MTSA experience (everything else being equal) into their chemical security inspectors program. That experience would certainly be valuable. I would be willing to bet that they would also get the veterans hiring preference points added to their applications. I understand that the most recent hiring announcement just recently closed, but there will be another announcement on USAJobs.gov later this year.
Sunday, February 21, 2010
Reader Comment 02-19-10 IST Misstated
“Forcing chemical facilities to implement IST could wreak economic havoc on some facilities and affect the availability of products that all Americans take for granted. For instance, according to October 2009 testimony by the Society of Chemical Manufacturers and Affiliates before the House Committee on Energy and Commerce, mandatory IST would negatively restrict the production of pharmaceuticals and microelectronics, unnecessarily crippling those industries.”In today’s political climate we have come to expect and excuse politicians exaggerating their opponent’s position into something that can not be easily equated with the perceived reality. This is one of the reasons that the public is so disgusted with the political process. It was, however, professionally disheartening to me to see an organization that I have had a great deal of personal respect for stoop to the same level of disinformation in their Congressional testimony, especially when it is subsequently used by professional politicians to justify their own misinformed stand on an issue. There are a number of serious shortcomings with the IST language in HR 2868. First conducting an IST concurrently with the SSP submission is counterproductive since it does not allow for full accounting for the security costs of not applying the IST in determining the financial feasibility of the program. The language seriously underestimates the complexity of conducting an IST assessment in a chemical manufacturing environment and doesn’t provide a way out of the implementation when new and more detailed information shows that a marginal IST process it is no longer technically or financially feasible. It provides no inducement for industry to conduct the necessary research to develop useable IST programs. Ignoring these real difficulties (that could be overcome if industry, activists and Congress would work together) while slandering an entire piece of necessary legislation with made-up problems demeans the political process and provides legitimate adversaries with further justification for their mistrust of the chemical industry. The pharmaceutical industry is almost certainly the least likely industry in the United States to be affected by the current IST language in HR 2868. Their formulations and manufacturing procedures are strictly controlled by the Food and Drug Administration and can only be changed after extensive research, testing and evaluation. The time for completing those process change procedures would certainly be justification, under this legislation, for declaring that there is no current IST option available for assessment. Likewise, the electronic industry’s well known need for pure, uncontaminated raw materials mean that there will have been little process work done on diluted acids (for example) to replace the anhydrous materials currently in use. The lack of detailed process work that must precede the assessment of alternative materials would preclude the affirmative assessment that there are technically feasible alternatives to the chemicals currently in use. In fact, throughout the chemical manufacturing industry there will be very few alternative chemicals that will have had the laboratory and process research, or the customer re-evaluation of the manufactured product necessary to determine if there is a technically viable alternative process. In fact, it is not uncommon for manufacturers belonging to SOCMA to require months or years of work to qualify the same raw materials from alternative suppliers. Introduction of new materials typically requires years of research, testing, and evaluation. There are legitimate problems with the current legislation. Rather than throwing up straw obstacles to non-existent problems the chemical industry needs to work pro-actively with Congress to develop real, workable chemical security legislation. Doing anything less will just provide further ammunition to the more radical activist organizations proving that the chemical industry does not care about the safety and security of their workers and neighbors.
Saturday, February 20, 2010
New Open Gov Idea Posted
Reader Comment 02-19-10 First Responders
“You make a good point. Identifying a "soft target" versus a "hard target" is a priority for professionals. Conducting dry runs on sites is also a way to increase the chaos. Many groups, abroad at least, specifically target the first responders. We see this tactic in Pakistan, Afghanistan, Iraq and other high-risk/high-threat areas.”The comments about targeting first responders are well made, but they may have particular importance when considering attacks on US chemical facilities. With a large number of chemical facilities choosing not to have armed security personnel on site for a variety of safety reasons, the law enforcement first responders will typically be the only people that will be able to stop armed intruders from achieving their objectives in an attack on these facilities. This means that ambushing the first responders may have to be a key element in a successful terrorist attack. This will almost ensure that a variety of dry run simulated attacks will have to be conducted against the targeted facility. The terrorists will need the response history to plan for an effective attack on those responders. Once again this points out the importance of having an effective counter-surveillance program. It also increases the need for reporting these incidents to the FBI so that a concerted effort to intercept the terrorists before they begin their actual attack on the facility.
Congressional Hearings Week of 02-22-10
Well Congress is finally coming back to work after being out most of the month of February for Snow Days and the Presidents’ Day Recess. As you would expect the budget is high on the hearing priority list. Secretary Napolitano will be making the Congressional rounds this week explaining the President’s DHS Budget request. She is scheduled for the following hearings:
Senate Homeland Security Committee, 2-24-10, 10:00 am EST House Appropriations HS Sub-Committee, 2-25-10, 10:00 am EST House Homeland Security Committee, 2-25-10, 2:00 pm EST
Typically, she will submit the same written testimony to each committee and it will be posted to the DHS web site as well. Usually the differences in the testimony will come in the questions that she is asked, but this year with the recent security incidents I expect she will be mostly asked the same questions about airline and general aviation security issues. Hopefully, someone will ask her about the 1 year CFATS authorization extension included in the President’s budget request. There will be one other chemical security connected budget hearing this week. The House Transportation Committee’s Subcommittee on Coast Guard and Maritime Transportation will look at the maritime related portions of the President’s Budget. Even though the Coast Guard falls under Homeland Security, this is one of the continuing oversight problems that the Secretary has to live with. There is no witness list yet for this hearing, but I suspect the Commandant will be explaining the President’s budget request. There might be a TWIC Reader question or two asked at this hearing but that will probably be the limit of MTSA coverage. There is one chemical security related hearing that doesn’t deal with the budget this week. The Senate Committee on Commerce, Science, and Transportation will be looking at cyber security and infrastructure protection on Tuesday at 2:30 pm EST. There is no witness list posted yet, but this committee has a history of looking at industrial control system security issues. This hearing may end up being interesting.
Friday, February 19, 2010
DHS CFATS Webinar
CSSP Web Page Update 02-19-10
War game simulates cyberattack Cyberattack simulation highlights vulnerabilities Teaming up for security Shell hit by massive data breachAll of the stories are interesting reads, but the last one is kind of scary for employees. It seems that someone accessed and downloaded the Shell contact data base (phone numbers and email addresses for employees and contractors). The list was then forwarded to a number of activist organizations that have opposed various Shell operations around the world. According to the article it is not yet clear if it was an unauthorized internal access or an outsider hack. Of special concern is that this now opens the company to potential spear phishing attacks that could provide detailed access to company operations data and possibly control systems access.
DHS Open Government Dialogue 02-18-10
Another Potential Dry Run
Thursday, February 18, 2010
Water Security Breach
According to the article, a spokesman from the American Water Works Association downplayed the seriousness of the breach since the drinking water treatment equipment on the 148 acre facility was not involved in the break-in. Hopefully that spokesman is not involved in advising member utilities on security matters.
Purpose of Perimeter Security
There are three complimentary reasons for having perimeter fences. The most obvious is to keep people out of the facility. All security professionals realize that fences can not stop unauthorized access, just deter it. To paraphrase a common folk saying; fences are designed to keep honest people honest. They will not keep out people determined to enter the facility.
With this in mind, we can see that a well constructed perimeter fence serves the second purpose of classifying intruders. Anyone breaching that barrier is a threat to the facility. Without a good perimeter barrier intruders could be anything from a casual passerby to someone with nefarious intent.
The third purpose is to provide early warning of intruders. This will allow a security response team, either guard force or police, to interdict and apprehend the intruders before they get into the restricted area at the heart of the facility; in this case the actual water treatment works or drinking water distribution system.
In this case while the perimeter barrier performed the first two functions, the third was completely lacking. While it was not apparently the intent of these intruders, someone wishing to do damage to the water supply for 1.1 million people could have conducted an extensive on-site reconnaissance of the facility security and conducted a well rehearsed attack on the water treatment equipment in the 15 day period that the breach had not been detected.
Critical Resources
One would assume that an electrical substation on the grounds of the water treatment facility would be there, at least in part, to supply power to the water treatment equipment used on site. As such we would have to consider this substation a critical resource for this facility. A successful attack on this substation would shut down the water treatment facility and the supply of drinking water to much of the city of Columbus, OH.
Now there was another perimeter fence around this substation, but it was also penetrated without detection. It is not clear if this fence was simply a safety device, installed to keep untrained personnel away from dangerous electrical currents, or if it was an actual security barrier. It obviously performed neither function well.
One would like to assume that the security barrier around the actual treatment and distribution equipment would provide more of a warning of penetration. Based on the news report on this incident, I really doubt it. Oh well, it doesn’t matter anyway; no one wants to do harm to this country, there is no terrorist threat, and no one has ever attacked a water treatment facility. Why do we need security anyway……
Can S 2996 Pass in the Senate?
On Tuesday the Government Printing Office (GPO) finally had an official copy of S 2996 available via the Thomas.LOC.gov web site. Over the last week or so since I wrote about the introduction of this alternative to HR 2868, I have had a number of people ask me what I thought about this bill and I have invariably answered that I did not think that it had much chance of passage. But, after re-reading the posting about this bill over on Steve Roberts’ blog I have begun to re-think that stance. That posting noted that if S 2996 passed in the Senate there would have to be a conference committee to work out the differences between S 2996 and HR 2868. I wrote off this comment the first time I read it because I did not think that S 2996 had anywhere near the votes to pass, even though it is a ‘bipartisan’ bill. It just didn’t address enough of the issues important to the activists that form an essential part of the base of the Democratic Party. While I still don’t think that this bill can pass in its present form, I have begun to think about what changes could be made to the bill in the legislative process that could make it passable. The one assumption that I am going to make in this discussion is that this bill will essentially remain true to Sen. Collins’ (R, ME) well known objection to the chemical facility IST provisions in HR 2868. If we don’t keep that much of the current bill then we don’t even need to discuss this bill and we would just assume that the Senate would take up and pass HR 2868. Water Security Issues A passable bill will have to address the issue of the security of chlorine and anhydrous ammonia at water treatment and waste water treatment facilities. The 2008 report by the Center for American Progress points out that the large amounts of these chemicals stored at many water treatment and waste water treatment facilities would make these facilities prime terrorist targets. The failure of CFATS to address these security issues has been a major rallying cry for organizations like Greenpeace. If provisions similar to those found in Title II and Title III of HR 2868 were added to this bill, there would be some moderate Democrats that could support the legislation. It would give them some cover to respond to the activists while protecting them from active opposition from the chemical industry. The water treatment industry hasn’t been very happy with the IST provisions in HR 2868, but that haven’t been as adamant in their opposition as the chemical industry. This is mainly due to the provisions giving State control over the implementation requirements rather than the EPA. Technically, the IST provisions in Titles II and III would be the ones that would be most amenable to a reasonable assessment requirement. There are mature and well understood alternatives to the use of chlorine for disinfection. They are certainly not going to be useable at every facility, but the evaluation of their implementation does not require a lot of new science and or engineering work that might be required for the assessments at most high-risk chemical facilities. TIH Mitigation Organizations like Greenpeace are not going to be satisfied unless the legislation provides strong provisions giving the government authority to require changes to eliminate or at least drastically reduce the use of toxic inhalation hazard (TIH) at facilities any where near urban areas. Since we have already assumed for this discussion that an IST mandate cannot be added to this bill, some method of reducing the risk from those facilities will have to be included in the legislation to mute the complaints of the activists. I think that a provision giving the Secretary the authority to require significant mitigation measures for TIH releases might provide the necessary political cover on this issue. Requiring some sort of method to stop a toxic cloud from leaving the facility would be one potential provision. Now the activist will argue that there is no technology that could guarantee that there would be no off-site effects, but most moderate Democrats could probably accept a reasonable attempt to stop off-site consequences. Labor Issues There are a number of labor issues that will have to be addressed in any CFATS extension legislation if there is going to be any significant support by Democrats, particularly in the House. Whistleblower protections, including labor representatives in the security process, and redress procedures for the personnel surety process will have to be addressed. The chemical industry hasn’t been entirely happy with the provisions in HR 2868 for these areas, but they can apparently live with them. Including these provisions in S 2996 would go a long way to assuring union support for the legislation. Since labor unions are a major source of political support for the Democratic Party, these provisions will be necessary to gain enough support among moderate Democrats to gain passage of the legislation. Other Legislation Any definitive discussion about the possibility of passing chemical security legislation in the Senate is still a little premature. There is one more bill that we can expect to see before the Senate Homeland Security and Governmental Operations Committee takes up this issue. Sen. Lautenberg (D, NJ) has promised to introduce a bill that will probably be more to the liking of organizations like Greenpeace.
If that bill is moderate enough, it might be the bill that the Senate leadership decides to bring to the floor for a vote. If that bill contains too many provisions objectionable to the chemical industry, it is more likely that Sen. Lieberman (I, DE) would work with Sen. Collins to work out a compromise version of her bill. If those two could work out a compromise version of S 2996 then it would almost certainly pass in the Senate.
Wednesday, February 17, 2010
DHS Dialogue Posting 02-17-10
UP Seeks Review of STB USM Ruling
CSAT Corporate Reporting Tool
Tuesday, February 16, 2010
Open Government – 02-16-10
Water Security
I’ve been having an interesting email conversation with Bob Radvanovksy, the gentleman who has started the WATERSEC List that I wrote about earlier. As one would suspect of someone who has taken on a task like this, he is passionate about water security issues. One of the interesting things that came out in our discussion is how he defines ‘water security’:
“The term "water security" is a misnomer term, and is nebulous by its very definition. It means to 'secure our water operations', which can be left up for any level of interpretation. This means physical, and logical, and operational security. Operational security might be how HAZMAT is handled before, during and after water purification processes; logical security includes both IT and SCADA systems; physical is premise site surveillance and perimeter protection. But it also means 'social security' - what we can do - as a society to preserve the human race from extinction because we *waste* so much water in Western world countries, while others in desertificated regions of the world, are dying of drought and thirst. Similar to the 'critical infrastructure protection', 'water security' applies 'securing both an operation, and an asset', something that many people have a difficult time comprehending.”
This is truly the scope of any issue dealing with security of critical resources like water, food, energy, and essential chemicals. The most obvious security need is to protect the physical infrastructure (including electronic controls and information systems) that provides the finished product to consumers. When one starts to seriously look into that aspect of security then the protection of the raw material (including energy) feeds that support that facility as well as the distribution network that delivers to the customer become obvious concerns as well. Now on this blog I have a particular interest about the security of many of the chemicals used in the treatment of water and waste water; chlorine gas, anhydrous ammonia and sulfur dioxide in particular. I think these chemicals are a real potential terrorist target because of the off-site impact they would have if they were released from their storage containers at the facility. But, I would be completely blind if I thought that was the only way that a terrorist could successfully use a water treatment facility as a weapon. The EPA has chosen (or was forced by Congress, depending on your view) to direct their major security attention to preventing contamination of drinking water coming out of these systems, but that is hardly the only way a water facility could be attacked. Shutting down a drinking water treatment facility for a major municipality through a successful attack on its processing equipment may have more of an adverse impact on the lives of most of the people in that community than an attack that ‘just’ releases a couple of tons of chlorine gas or contaminates the water with low levels of a poison. Compromising the water supply that goes to that facility, especially in areas where water is in short supply in general, could have even a greater impact on the served community. If Bob can bring even a little light to shine on these potential issues through the WATERSEC List, he will have done this country and perhaps significant portions of the world a major service. I’ll try to do my part, sharing my chemical security concerns about water security. If you have ideas or concerns about the issue, please actively join us on that discussion list. Everyone else that relies on water from public water systems for any part of their lives should at least monitor the discussions on the list.
Sharing Intelligence
A requirement for developing counter-surveillance plans at each of the 6,000+ covered facilities; A collection plan for the counter-surveillance reports from those facilities; A set of chemical facility counter-terrorism collection requirements for other intelligence organizations; An intelligence analysis unit capable of producing intelligence reports at the CVI level for all covered facilities; and A program that would allow for the distribution of classified intelligence reports to Tier 1 (possibly Tier 2) facilities.This intelligence collection and analysis capability would certainly require Congressional authorization and funding. Including such authorization in a bill that makes CFATS permanent would have the advantage of allowing for full integration of the intelligence requirements with the security requirements. Unfortunately, it would also add another couple of Congressional committees to the mix of those required to review the legislation before it came to the floor for a vote.
Sunday, February 14, 2010
Ameristar CFATS Seminar
“Ameristar will host a CFATS seminar in Tulsa on February 24, 2010. The seminar will include a brief CFATS overview and update, a presentation by the FBI’s Joint Terrorism Task Force, and a panel discussing CFATS from an industry compliance perspective. The seminar will also include a special presentation on blast effects -- an issue that is especially important considering the assault team, standoff weapon, and vehicle-borne improvised explosive device attack scenarios applicable for Release Chemicals of Interest, as required by the CFATS Security Vulnerability Assessment. The day will conclude with a physical security display. Please call 866-467-2773 for more details.”I contacted Chris L. Herold, the Market Manager for Ameristar Fence Products’ Security and Specified Products, and he was kind enough to provide me with some additional information. Steve Roberts of the Roberts Law Group in Houston, TX (I have previously mentioned his blog on Homeland Security Law) will be the featured speaker. Steve will be providing an overview of the CFATS program and an update on the current status of its implementation. He is going to specifically address current trends and compliance issues for the Site Security Plan. There will be two Special Agents, Brig Barker and Jimmy Looney, from the FBI’s Tulsa Field Office talking about the FBI’s Joint Terrorism Task Force. They will be discussing the JTTF’s role in responding to terrorist event and what resources they have for investigation of potential future attacks. They will also describe the FBI’s partnership with InfraGurd. Protective Technologies Group will be providing the presentation on blast effects. Their team will include John Crawford (President of Karagozian & Case), Dr. Gil Heemeir (UCSD) and Allan Mangold. They will be discussing explosives, blast effects, and mitigation of blast effects. This should be an interesting presentation for facilities trying to protect release COI from IED’s and VBIED’s. The day long seminar (9:30 am – 3:30 pm CST) will also include a panel discussion that will look at the CFATS program from the perspective of corporate security departments. The panel will include Rich Ryan from ADM; Jim Cummins from Air Liquide, and Peter Lofgren from Halliburton. According to Chris Herold the intended target audience is Industry (Security Directors, Plant Managers, HSE Managers, Security Coordinators, Compliance Officers), Security Integrators, Security Manufactures, Security Contractors. From the information provided this looks like it will be an interesting seminar. Apparently they do these 2 or 3 times a year, so if you can’t make the program this month there should be future opportunities to attend.
Saturday, February 13, 2010
New Information Source
“WARNING: Due to several legislative laws and regulations, PLEASE EXERCISE care/caution when discussing certain topics on this list. Infracritical DOES NOT condone the discussion of the destruction, dismantlement, disablement, rendering useless of any known critical infrastructure in specifics or details whatsoever, nor will Infracritical be held liable for such discussions, and is left solely to the discretion of the individual posting to this discussion forum mailing list. Reading this welcome/warning, and acknowledging it condones your act of acceptance to these terms.”Now part of this is legal boilerplate for the self-protection of Infracritical.com, but it is something that anyone that promotes a public discussion of security issues must remember. These four List Serves are not actively moderated the way I moderate comments to this blog. The owner there can censure inappropriate comments, but they don’t review the comments prior to their going out to the list members.
Friday, February 12, 2010
DHS Open Government
Washington may have been essentially closed because of weather this week, but DHS has had an interesting operation up and running. It is part of the Obama Administration’s effort to open up the Executive Branch operations to public scrutiny. On Saturday DHS opened their new Open Government web page which Secretary Napolitano officially announced on Monday.
Transparency, Participation and Collaboration This is the initial effort for DHS in their implementation of the new Open Government Directive issued by President Obama. The Department has a deadline to have their new program up and running to “enhance transparency, participation, collaboration and innovation”. They are trying to change a government wide culture of failing to communicate with the public. The pervasiveness of this culture can be seen in even the small things. For example, this web page describes the implementation of the Open Government Directive this way:
“Within 120 days of December 8, 2009, the Department will develop and publish an Open Government Plan that will describe how it will improve transparency and integrate public participation and collaboration into its activities.”Regular readers of government regulations and documents will find nothing unusual in this statement. People without that background, however, will be a little put off by the phase ‘within 120 days of December 8, 2009’. Wouldn’t it be clearer to most people to just give the date by which the Department will accomplish this task? The web site provides a number of examples of the Department’s existing efforts in ‘Transparency, Participation and Collaboration’. There are links to such pages as: U.S. Coast Guard Search and Rescue Statistics; Quadrennial Homeland Security Review; and San Diego Border Patrol Sector Community. Interestingly, for a ‘Security’ agency, there is only one example given that has anything to do with security issues, and that only remotely. The security related link goes to the Historical Transportation Security Fee Collection Data (TSA) page. DHS missed a major opportunity by not including links to various landing pages for security related issues, like the Critical Infrastructure Protection page or the Chemical Security page. Public Dialogue Since this project is all about including the public in various departmental functions, it is only appropriate that the Department is asking for public input on their public outreach program. Building on last summer’s success with the QHSR Dialogues, the Department has a public dialogue web page. The page will be open accepting comments and public votes upon those comments until March 19th, 2010. Unfortunately, I don’t think that this dialogue will be anywhere near as successful as the QHSR Dialogues, mainly due to the lack of structure on the current page. Where the QHSR dialogue was tightly structured, requesting comments on specific ideas (and using the responses to refine those ideas) the current dialogue simply asks for suggestions in the four categories and asking for the public to ‘vote’ for or against those suggestions. This open ended dialogue has resulted in some very lengthy, wandering documents that provide little in the way of useable suggestions. Further they make reading and voting upon the more valuable suggestions difficult because they clog up the web page, discouraging review and evaluation. The up or down voting on the suggestions will be less valuable than the sliding scale voting method used in the QHSR dialogue. It does reflect the current political environment by assuming that a person can be only for or against something. Unfortunately, that is not the way that things get done in the real world outside of Washington. Every suggestion will have at least some kernel of viability. The binary nature of the current voting does not allow the results to reflect that. Chemical Security Issues Like I did during the QHSR Dialogues, I will be searching through the suggestions being made, looking for those that I think might be of interest to the chemical security community. I’ll periodically share that list with my readers. This will help our community to respond (positively or negatively) to suggestions that could impact chemical security operations. If any reader has posted or does post comments to the Dialogue regarding chemical security issues, please let me know so that I don’t miss them in my review. I will also be making my contributions to the Dialogue and will be sharing those as well. I certainly encourage people to respond to all chemical security related responses, including mine. I will also be happy to provide this blog as a forum for more active participation in the discussion of these security issues. While this blog is certainly not a direct part of the DHS Dialogue, I do know that there are a number of DHS officials that regularly read this blog, so our discussions will be at least unofficially heard.
Thursday, February 11, 2010
Jihadist CBRN Threat
There is an interesting article over on Stratfor.com, an open-source private intelligence organization, that discusses the possibility of Jihadist organizations using chemical, biological, radiological or nuclear (CBRN) weapons against the United States. This is especially timely since the Obama Administration has repeatedly emphasized that the threat of terrorists using such weapons against the United States is among the greatest threats facing this country. The Stratfor analysts reason that it “chemical and biological weapons are expensive and difficult to use and have proved to be largely ineffective in real-world applications”. They compare the effectiveness of the Aum Shinrikyo chemical and biological attacks in Tokyo with the IED attacks on Madrid rail lines and note that the more readily available explosives are much more effective at causing death and destruction. They also point to the ineffectiveness of chlorine augmented attacks in Iraq to argue against the potential threat of improvised chemical weapons. They do describe two possible exceptions to this rule; the use of radiological dispersion weapons (the so called dirty bombs) and attacks on toxic chemical storage or transportation to disperse those chemicals. They note that a dirty bomb is technically quite simple, but it would cause few actual deaths or injuries beyond those caused by the conventional explosives used as the dispersion agent. In fact, they go so far as to coin a new descriptive term for this type weapon, weapon of mass disruption, because of the potential for panic related to the irrational fear of radioactivity. Readers of this blog will certainly be aware of the potential effectiveness of a successful attack on chemical storage facilities. Even this is less of a threat for large scale casualties, according to the Stratfor analysis. They state:
“Of course, it is not unimaginable for al Qaeda or other jihadists to think outside the box and attack a chemical storage site or tanker car, or use such bulk chemicals to attack another target — much as the 9/11 hijackers used passenger- and fuel-laden aircraft to attack their targets. However, while an attack using deadly bulk chemicals could kill many people, most would be evacuated before they could receive a lethal dose, as past industrial accidents have demonstrated. Therefore, such an attack would be messy but would be more likely to cause mass panic and evacuations than mass casualties. Still, it would be a far more substantial attack than the previous subway plot using improvised chemical weapons.”
The full article is worth reading, especially in light of the near constant stream of warnings about the weapon of mass destruction threat to the country.
CIKR Learning Series Webinar Postponed
Emergency Response Communications
Wednesday, February 10, 2010
Clerical Error – AN Safe
“The investigating team, which included the Integrated National Security Enforcement Team (E-INSET), members of the Vancouver 2010 Joint Intelligence Group, Public Works Canada forensic accountants and Natural Resources Canada, conducted more than 200 interviews of drivers and others involved in transporting the material.”Loss of Product In their advanced notice of proposed rule making (ANPRM) for the ammonium nitrate security program, DHS indicated that they intended to include in the final regulation a requirement to report the loss, theft or diversion of ammonium nitrate. While theft and diversion are relatively easy to define, the problem of loss is much more complicated as this Canadian incident shows. When inventorying discrete items, most people would expect it to be a relatively simple matter of counting the items. Of course, in the real world things are always more complicated. With a large number of items stored in multiple locations it is relatively easy to have counting errors. This is usually dealt with by having multiple counting teams conducting independent counts. Discrepancies are resolved by recounts until both counting teams come up with the same number. Things get more complicated when there are shipping and receiving operations going on during the count. This is why every organization establishes acceptable levels of inventory discrepancies; inventory inconsistencies below the acceptable level are not investigated. Things are much more difficult with frangible inventory items. Chemicals used in manufacturing, for example, are typically removed from inventory by weight not by container count. Process designers will frequently attempt to size production runs to consume full containers (or multiples of full containers). If, however, there are multiple chemicals going into a product (usually the case) it is practically impossible to size the process to consume full containers of all the chemicals involved. This means that every time the process is run, there will be containers of partially consumed chemicals left in inventory; typically called ‘piece containers’. Organizations with strong inventory control procedures will require that each piece container is re-marked with the current weight of the contents of the container. This is typically determined by taking the initial net weight and subtracting the amount consumed. Unfortunately, all industrial weighments will be close approximations rather than exact amounts. Scale accuracy and operational procedures will affect just how accurately those weighments will be made. An acceptable variation of 1% is not unusual in most of the chemical manufacturing industry. Now a 1% acceptable variation does not seem to be much to worry about. With a drum containing 450 lbs of a chemical that is only 4.5 lbs. Of course, 4.5 lbs of an explosive can be quite devastating; remember the Underwear Bomber only had a few ounces of PETN explosives and intended on bringing down an aircraft with it. For an 80,000 pound rail car load that could be 800 lbs of allowable variation; about half of the amount of ammonium nitrate used in the attack on the Murrah Building in Oklahoma City. Now ammonium nitrate is an industrial chemical, but most of it sold in the United States is sold as fertilizer. Most of it is sold in bulk as a dry powder. At manufacturer’s facilities it is loaded using conveyor belts onto trucks, railcars and barges. I’m not aware of what the fertilizer industry standards are for that type loading, but I would suspect that it would be more than 1%. At all but the largest distributors, the material is transferred into trucks by frontend loaders; 1% weighment variations in those types of operations would be all but impossibly tight. Reportable Loss So, how do you determine what level of ‘loss’ needs to be reported? In the Canadian incident they reported an apparent loss of 0.033%; most companies would consider that an allowable and unremarkable inventory error. And, in fact, that is what the RCMP concluded. Will DHS have the manpower, time and money to conduct a similar investigation for every inventory discrepancy of even 1%? Don’t answer too quick to answer; the 0.033% discrepancy of 6,000 metric tons of ammonium nitrate, if it had been real, it would have made significantly more than 4,800 lbs of improvised explosive device. That would be a very big, a very loud, and a very deadly explosion.
Tuesday, February 9, 2010
HR 4580 Introduced
“The Metropolitan Medical Response System (MMRS) is the only program at the Federal level that supports the integration of local emergency management, law enforcement, and health and medical systems into a coordinated response to a mass casualty event caused by a weapon of mass destruction, an incident involving hazardous materials, an epidemic disease outbreak, or a natural disaster.” {§2(2)}The bill notes that MMRS program “provides tangible benefits in the form of increased operational capacity and communication, improved personnel training, stockpiled pharmaceuticals, and adequate supplies of personal protective equipment and other specialized response equipment” {§2(5)}. The FY 2010 funding for this program was provided by the Homeland Security Grant Program (HSGP). A total of $39,359,956 in MMRS grants will be split evenly between the 124 agencies currently enrolled in the program. CFATS and Emergency Response While the bill lists a variety of federal programs that are supported by the existing MMRS grants, there is, unfortunately, no mention of how the program could support emergency response planning for high-risk chemical facilities covered under CFATS. This is somewhat surprising since Congressman Markey was so involved in the development and passage of HR 2868, a bill to extend the scope of CFATS authorization, in the House. I have often commented that emergency response planning has got to be a key component of any security plan. When most people think of emergency response they think of police, fire, and EMT personnel. What is typically missed is what happens after casualties are removed from the incident scene. After all, don’t doctors know how to treat casualties? Casualties from a chemical incident (terrorist or accident, it doesn’t make any difference) are going to present a wide variety of injuries and symptoms depending on the chemical involved. Toxic chemicals may present special challenges because of the wide variety of potential effects the patients will experience based on the type and extent of the exposure they experience. Lacking specific training for proper detection, diagnosis and treatment for the exposure to the specific chemicals involved, medical personnel may not be able to provide adequate medical care. It is absolutely critical that the medical personnel that will be performing triage, diagnosis and treatment are trained in advance on the proper responses to the chemical exposure for the potentially wide variety of chemicals found at a modern chemical facility. This can only happen when the medical management team is aware of the chemicals found at facilities within its service area and that requires communication with the chemical facilities. While all chemical facilities should be communicating with their supporting services as part of their facility emergency response planning, there is a special responsibility for facilities covered under CFATS regulations. By definition they have been identified as being at high-risk for a terrorist attack and their emergency response planning takes on a special significance because of that. High-risk facilities with release-toxic chemicals of interest (COI) should expect that terrorists would attempt to conduct an attack that would result in the release of those toxic COI. Thus, the medical community absolutely needs to be informed in advance of those COI. CFATS and MMRS Since the MMRS program is designed to provide support for mechanisms for coordinated emergency response functions to include the whole response community, specifically including hospitals, this legislation might be an appropriate place to address requirements for emergency response planning for CFATS facilities. Suggested provisions for CFATS emergency response planning would include:
Requiring each MMRS organization to establish a CFATS planning team, members of the team would include emergency response and medical members who have completed Chemical-Terrorism Vulnerability Information (CVI) training/certification; Requiring each CFATS facility with release-toxic COI on site to provide a list of all such chemicals to the local MMRS CFATS planning team; Requiring the MMRS CFATS planning team to develop a plan for dealing with chemical casualties for exposure to each of the release-toxic COI that have been identified in the team’s service area; Requiring the MMRS CFATS planning team to be involved in the planning for emergency response exercises conducted at CFATS facilities in the team’s service area; and Requiring DHS Chemical Facility Inspectors to include a review of MMRS CFATS planning team efforts in any inspection/evaluation of a CFATS facility containing release-toxic COI.