Sunday, February 28, 2010

HAZMAT Trucks as Terror Targets

I ran into an interesting report last week that addressed the potential threat of a terrorist attack using truck-load quantities of hazardous materials as a weapon. The unclassified report was prepared by the Mineta Transportation Institutes (MTI) National Transportation Security Center of Excellence at San Jose State University in California. It was produced at the request of DHS. While I have some disagreement with some of their conclusion and I am concerned with some of the things that were left out of their discussion, I think that this document is certainly a good starting point for further discussion on the topic. Their conclusion that gasoline tanker trucks pose the largest threat for use in a terrorist attack is particularly timely given the current discussion about gasoline terminals and CFATS. HAZMAT as Weapons One of the interesting things that MTI has done is to look at the comparative effectiveness of different classes of hazardous materials as weapons. They look at toxic inhalation hazard (TIH) chemicals, explosives, flammable gasses and flammable liquids transported in full truck quantities on public highways. TIH Trucks: They note that TIH loaded trucks, if successfully attacked, would have the greatest potential for causing casualties, but note that the wide variety of variables that must be controlled to bring about those casualties makes it extremely unlikely that such an attack could be successfully made. Explosives Trucks: Explosives have the advantage of being very effective weapons of mass effect and relatively easy to employ. The major draw back that this study finds is that, because of this effectiveness, there are additional security measures employed to protect explosives trucks and there are relatively few of them on public roads available for use as weapons. Flammable Gasses Trucks: Flammable gasses such as propane or LPG would seen to be good potential weapons because they are both flammable and form vapor clouds that can be detonated. MTI notes that both of these weapon effects are hard to control and direct. Short of creating a BLEVE (boiling liquid expanding vapor-cloud explosion), the number of variables that must be controlled to effect a vapor-cloud explosion (VCE) are technically challenging. The major advantage to using these trucks as weapons is that they are much more readily available than are TIH or Explosives trucks. Flammable Liquids Trucks: Gasoline trucks are, by far, the most readily available hazmat found on the roads and byways of the United States. This makes them readily accessible to terrorists of all skill levels. The MTI report does not address the VCE potential for gasoline, but does provide extensive discussion about the use of gasoline fed fires as a weapon against both people and infrastructure.

Congressional Hearings Week 3-1-10

This week there are three hearings scheduled that might be of interest to the chemical security community. As might be expected, two will be budget hearings and the other is the first hearing in the Senate about the fate of the CFATS program. DHS Budget The Homeland Security subcommittee of the House Appropriations Committee will be holding two hearings on March 4th looking at different aspects of the President’s DHS budget request. In the morning they will be looking at the DHS intelligence efforts and the effectiveness of the fusion centers. In the afternoon they will be looking at the TSA budget. The fusion center hearing will probably focus on the DHS oversight of these State and locally run institutions. The funding of DHS representatives on these panels will be used as a surrogate for the discussion of how well these centers perform their intelligence analysis and sharing function while still protecting civil liberties. The importance of these centers for the chemical security community comes from their importance in the analysis of local intelligence that might allow for the early detection of potential terrorist threats to the chemical industry. The TSA budget will affect the staffing levels for TSA inspectors for both the Freight Rail Security program and the screening for air freight. Both of these programs will have an important impact on different portions of the chemical security community. Chemical facilities that ship and/or receive select hazardous materials by rail will be concerned about the continued implementation of the rail security program, especially in the continued development of how it will interface with the CFATS program. Facilities that ship chemicals via commercial airlines will be interested in the continued expansion of the air cargo screening program. CFATS The hearing that everyone in the community has been waiting for since the House passed HR 2868 last fall will finally occur this week. The Senate Homeland Security and Governmental Operations Committee will hold their first hearing examining the current state of the CFATS program. The hearing will be held on Wednesday morning and will be entitled “Chemical Security: Assessing Progress and Charting a Path Forward”. As has been typical for these hearings in the House, the Senate Committee will hear testimony from two panels. The first panel will be government witnesses, two from DHS;Rand Beers, Under Secretary, National Protection and Programs Directorate, and Sue Armstrong, Acting Deputy Assistant Secretary for Infrastructure Protection; and one from EPA; Peter Silva, Assistant Administrator for Water. Their testimony will almost certainly follow the same type information that they presented last summer to both the House Homeland Security and Energy and Commerce Committees. The questions asked by the committee of these witnesses will give us our first good look at how the various members look at the CFATS program. Questions about the delays in the inspection program for CFATS will be used by Sen. Collins (R, ME) and her supporters to justify the extension of the current CFATS program called for in S 2996. Sen. Lieberman (I, DE) and his supporters will concentrate on how CFATS can be extended to water treatment facilities, a major part of the HR 2868 agenda. One question will certainly be asked of this panel; why has the Administration asked for another one year extension of the CFATS program in their DHS budget request. Rand Beers is likely to be called on his testimony last summer that the Administration would not ask for an extension in the FY 2011 budget. Last year the Republicans used a similar extension request as a major point in their argument favoring a straight CFATS extension over HR 2868. It will be interesting to see how far the ‘bi-partisan’ support for S 2996 extends in the Committee. We still haven’t seen if the Committee will take up S 2996 or HR 2868 when they actually start their legislative work on the CFATS issue. If there is enough support for Sen. Collin’s bill from the Democrats on the Committee, then the initial work in the Senate will be focused on that bill. The second panel for this hearing will be composed of representatives of various portions of the chemical community. The American Chemistry Council (ACC) and the Society of Chemical Manufacturers and Affiliates (SOCMA) will both have industry members representing them. The voice of chemical workers will be represented by the UAW. All three organizations have testified before House committees and their positions are all well established. The questions for this panel will likely center on IST and worker rights issues. Both manufacturing representatives are against giving the government the ability to mandate implementation of inherently safer technology programs at chemical manufacturing facilities. They do take slightly different tacks with how the voice that opposition, but neither wants to see the current IST provisions in HR 2868 take place. The labor unions have aligned themselves with the environmental activists in calling for an expansive IST requirement.

Neither IST nor workers rights are addressed in Sen. Collin’s legislation. So these questions will provide some indications on how this Committee might proceed with the CFATS issue. Since industry has not been adamant in their opposition to the whistleblower, worker participation or background-check redress procedures included in HR 2868, the addition of these provisions to S 2996 may make her legislation more palatable to some of the moderate Democrats on the panel.

Friday, February 26, 2010

ACC and Cyber Security Testimony

Earlier this week a little bird told me (okay it was a tweet from CFATS, an American Chemistry Council spokesperson) about a letter that the ACC had sent to the leaders of the Senate Committee on Commerce, Science and Transportation for that committee’s hearing this week on cyber security issues. I didn’t pay much attention to this hearing since none of the witnesses were very much concerned with SCADA or ICS security issues. While I wish that the ACC had been asked to provide a live witness for the hearing, I’m glad that they were proactive enough to send this letter. I fully understand that the issue of cyber security is a very broad topic that covers a number of grievous sins. The problems of denial of service attacks, identity theft, phishing, and even cyber espionage all attract a great deal of public attention because most people can understand the consequences of those problems. The potential consequences of an attack on cyber control systems or other cyber control systems incidents is more difficult for most people (including congresscriters) to understand. But, that does not diminish the seriousness of the problem. ACC and DHS have both been active in their work on cyber control system security issues, but these two organizations only directly touch a relatively small hand full of chemical facilities that have both hazardous chemicals and cyber control systems. ACC’s direct effect is limited to their membership and DHS has only limited enforcement authority at the CFATS covered facilities. While the DHS CERT does provide cyber security training to non-CFATS facilities, they have no regulatory authority.

ACC is to be commended on their efforts to keep this issue before our legislators. I’m sure that other organizations are doing the same (and I would be more than happy to give direct kudos if they would share information on their efforts when I don’t see it), but all of us in the chemical security community need to be proactive in our communications with our personal representatives in Congress about the need to fund programs addressing this critical issue.

PHMSA Requirements for Security Plans

According to the RegInfo.gov web site the Office of Management and Budget (OMB) has cleared the PHMSA rule for the Revision of Requirements for Security Plans (RIN: 2137-AE22). Depending on the possible revisions that that OMB may have suggested to the rule, we should be seeing this final rule being published in the Federal Register in the coming weeks. The Regulatory Agenda web site describes this rule this way:

"In response to two industry petitions for rulemaking, this rulemaking will reconsider and refine the list of hazardous materials for which security plans are currently required. The industry petitioners asked PHMSA to amend the security plan regulations to create a distinction between hazardous materials that present a significant security risk while in transportation and the vast majority of hazardous materials that pose no significant security risk in transportation."

The NPRM was published in the Federal Register on September 9th, 2008 with the comment period ending on November 10th. Readers of this blog might remember that I looked at those public comments in five blog postings; 10-24-08, 10-31-08, 11-07-08, 11-14-08, and 11-21-08.

DHS Open Government Dialogue 02-25-10

More interesting posts are being made to the DHS Open Government Dialogue web site. We have a new Idea that might be of interest to the chemical security community and continued discussions on previously identified Ideas. There are a total of 81 Ideas that are being discussed and evaluated and there have been no additional ideas added to the 109 Off-Topic Idea list. The new Idea that might be of interest to readers of this blog comes from a TSA supervisor, Steven Hopkins. Steven suggests that the Department develop a Critical Infrastructure Watch Program modeled on the many neighborhood watch programs found in cities and towns across the nation. Steven would actually use current watch organizations where they exist near critical infrastructure or institute new organizations where necessary. This idea already has 3 Positive Votes. There is a new comment on the Port/Fuel Security Idea (6 Positive Votes). It describes an industry consortium, the DASH7 Alliance, which is already working on this RFID tracking device idea and how it might benefit DHS. My two ideas continue to gain more votes; Public Security Reporting Tools 6 Positive Votes and Explanations for Delays in Rule Making Process 7 Positive Votes. Edward Clark’s Fed Fatigue Idea continues to strike a cord with 12 Positive Votes.

Thursday, February 25, 2010

DHS Budget Hearings

I listened to both the Senate and House Homeland Security Committee hearings on the DHS budget today (the Senate hearing was yesterday, but the Internet is a great thing). I was severely disappointed that no one in either Committee had any questions about the CFATS program. The one year CFATS authorization extension request was not considered a significant issue. Oh well, maybe when NPPD gets around to their hearing appearances on their portion of the budget….

Reader Comment – 02-24-10 First Responder Ambushes

Red Team posted a comment to my blog about why first responders to a terrorist attack at a high-risk chemical facility might be at an additional risk of being attacked upon arrival. Red Team wrote:
“An ambush style attack with the use of direct fire weapons is possible, just look at the Mumbai attacks in '08. However, the use of IEDS is the most likely course of action. A VBIED (Vehicle Borne Improvised Explosive Device) is the most likely course of action by extremists. It's a technique that is proven. There is a lower risk of death or detection in a VBIED attack as opposed to a direct fire attack.”
I certainly have to agree with this tactical analysis. Recent history shows plenty of instances where terrorists place explosive devices of all sizes near the site of an initial attack with the specific intention of hurting first responders and the innocent on-lookers that respond to all noisy and violent incidents. It increases the terror factor and typically the body count for their attacks. What I was trying to point out in that blog was not how the attack might happen (and there are a multitude of possible ambush techniques that could be effectively used), but that first responders to a complex assault target like a chemical facility might be at an increased risk of such an ambush because of possible time constraints on the initial attack. A simple attack where a VBIED is crashed through the front gate and detonated takes no time, but an assault requiring multiple charges be set at specific locations for maximum effect cannot afford to be interrupted by the arrival of the cavalry. Having said that; Red Team, keep the tactical comments coming. Security managers need to understand how their potential opponents operate. Very few of them (SM’s) have the practical tactical training (a downside to the smaller professional military we have maintained since the end of the Draft in ’72) that some of us have received. A properly designed security system needs to take these tactical realities into account.

Wednesday, February 24, 2010

DHS Budget Hearing 2-24-10

I missed a chance to watch the first two budget hearings ‘live’ on the web yesterday and today because of other commitments. This evening was the first chance that I had to watch either of the two Senate hearings (Homeland Security yesterday and Appropriations today). I flipped a coin and watched the webcast of Sen. Byrd’s (D, WV) Homeland Security Subcommittee questioning Secretary Napolitano. While many of the questions were pointed or demanding, it was generally a friendly exchange. As I expected with the Secretary as the sole witness, there was very little mention of CFATS specifically or chemical security issues in general. While I half expected (hoped) someone would ask about the one year CFATS authorization extension; that question was never asked. The only chemical security related question came in the second round of questions asked by Sen. Byrd. Safety vs Security Byrd mentioned the recent fatal chemical accident at the Dow facility in Belle, WV where first responders (an ambulance crew) were not able to get any information about the accident (chemicals involved, extent of the leak, chemical protection requirements) until they had actually arrived at the scene. He noted that it reminded him of last years hearing when he described another chemical incident in West Virginia and he had asked Secretary Napolitano then what DHS was doing to make operations at high-risk chemical facilities safer. He asked the same question today. This year the Secretary was able to reply that the CFATS implementation was rolling along and would take care of the security issues. It wouldn’t have been a politically sound move for her to tell the SENIOR Senator that DHS is not really a safety organization it is a security organization, that the Senator’s particular question should be addressed to OSHA or EPA. Actually, to be fair to Sen. Byrd, there are some questions asked in the SSP questionnaire that kind of obliquely address the issue of communications with first responders. In a blog from last spring I noted that there were a number of questions dealing with first responder capabilities that could only be addressed by talking with the appropriate emergency response agencies. But, this is all the closer CFATS gets to requiring high-risk chemical facilities to provide information to those response agencies. Of course, Chairman Byrd’s hammer is control of the budget pathway for DHS. This tends to make many things look like security issues; when the only tool you have is a hammer many things begin to look like a nail. Too bad he doesn’t have the EPA Administrator or the Labor Department Secretary to call to task for the situation; but they are covered by other sub-committees.

Hopefully I will get to the Homeland Security hearing webcast tomorrow morning. There is probably a better chance for getting a CFATS question or two there.

Tuesday, February 23, 2010

DHS CFATS Webinar

As I reminded people last week, DHS had their CFATS Update Webinar on Monday afternoon. Sue Armstrong, the Acting Deputy Director for Infrastructure Protection, provided a solid over-view of the CFATS process and provided information on the current status of the implementation of the program. RBPS 12 Tool Ms Armstrong did announce that there would be a 30-day comment notice posted in the Federal Register in the coming weeks requesting further comments on the planned Personnel Surety Portal that DHS will be adding to the Chemical Security Assessment Tool (CSAT). Comments received in the earlier 60-day comment period have been used to modify the proposal. The tool will provide high-risk facilities with the capability of submitting names to DHS to have them checked against the Terrorist Screening Data Base (TSDB). This will help facilities fulfill part of the RBPS #12 requirements. Initial SSP Inspections Because of the snowy weather earlier this month, ISCD is behind on the schedule for conducting SSP validation inspections. The first two proof-of-concept inspections are underway. Armstrong did note that facilities can expect the inspections to take about a week to complete and there will be at least two inspectors, perhaps more, depending on the size of the facility. DHS currently only plans on getting through Tier 1 facilities in FY 2010. Final Tier Notifications DHS is continuing to complete reviews of submitted SVA’s. They are sending out about 500 final Tiering letters (the notification necessary to start the SSP process) each month, mainly to Tier 4 facilities now. They expect to have the initial final tier notifications completed this summer. Chemical Facility Inspectors DHS is continuing to higher more inspectors so the rate of inspections should continue to increase over time. The next class of the Chemical Security Academy (class 5) will graduate on April 8th. DHS just closed one series of job applications and expects to select the attendees for the next CSA class from the over 1000 applications received. The next job announcement will appear on USAJobs.gov later this spring or early summer. CFATS Legislation Ms. Armstrong announced that the Department expects to provide testimony before the Senate Homeland Security and Governmental Operations Committee on March 3rd about pending CFATS legislation. It was not clear from her comments whether the hearing would focus on just HR 2868, S 2996, or both. An archived version of this webinar will be available soon on the CIKR Learning Series web page. When it is, I’ll pass along the word of its posting. I certainly recommend that facility security managers listed to the one hour presentation as soon as practical.

DHS Open Government Dialogue 02-23-10

DHS had a nice jump in the number of Ideas posted to their Open Government Dialogue web page since the weekend. They are now up to 71 Ideas posted with the Off-Topic Ideas holding steady at 109. One of the newly posted Ideas will be of interest to the chemical security community. Tom Frock posted a suggestion that “ISO 18000-7 RFID tags” be used to track cargo shipments; Port/Fuel Security. As I noted in my comment on the idea, Congress has been slow to pass legislation requiring much in the way of truck shipment security measures and DHS would certainly need such authorization to start a Federal program requiring such measures. Do you think there is much chance that anyone in Congress is paying much attention to these Obama Administration web sites that are seeking public input? My two Ideas have garnered a small number of positive votes. Public Security Reporting Tools now has 3 positive votes and Explanations for Delays in Rule Making Process has 6 positive votes. To put this in perspective the top vote getter on the site currently has 27 positive votes and the lowest has 14 negative votes. The only other security related posting, Edward Clark’s Fed Fatigue, has 12 positive votes. If you haven’t already done so, sign up and take part in the idea exchange that is designed to make DHS a more transparent and responsive government agency.

Monday, February 22, 2010

Reader Comments 02-21-10 CG Inspectors

This weekend a reader, Matthew, left a comment on a blog posting from last fall about CFATS Inspectors. Matthew wrote:
“An solution to the problem... Coast Guard facility inspectors. Not active duty ones but folks getting out or already out. We already do this daily. There is no need for DHS to train some tsa screener how to inspect a facility. The skill set is already there hopefully they us it.”
While the Coast Guard has been inspecting MTSA covered facilities for quite some time now, those inspections are not the same type of inspection that the ISCD chemical security inspectors will be completing. For one thing, the MTSA inspections that the Coast Guard conducts are much more straightforward with fairly well defined rules. This allows the Coastie inspectors to rely heavily on checklists while conducting their inspections; something is there or it isn't. Since Congress forbade DHS from using that type of regulatory scheme in setting up the CFATS program, the duties of the chemical security inspectors (I’m sorry but I refuse to use the CSI acronym for these folks) are much more complex. This is the reason that there is a 14 week course for these inspectors verses the one day training Coast Guard inspectors get in their A School. I am sure however, that ISCD would be perfectly willing to hire ex-Coasties with MTSA experience (everything else being equal) into their chemical security inspectors program. That experience would certainly be valuable. I would be willing to bet that they would also get the veterans hiring preference points added to their applications. I understand that the most recent hiring announcement just recently closed, but there will be another announcement on USAJobs.gov later this year.

Sunday, February 21, 2010

Reader Comment 02-19-10 IST Misstated

Anonymous posted a comment about an earlier blog about the introduction to Sen. Collins’ S 2998. Anonymous’ full posting can be seen at the end of that blog, but it does included this important quote from a statement made by Sen. Collins:
“Forcing chemical facilities to implement IST could wreak economic havoc on some facilities and affect the availability of products that all Americans take for granted. For instance, according to October 2009 testimony by the Society of Chemical Manufacturers and Affiliates before the House Committee on Energy and Commerce, mandatory IST would negatively restrict the production of pharmaceuticals and microelectronics, unnecessarily crippling those industries.”
In today’s political climate we have come to expect and excuse politicians exaggerating their opponent’s position into something that can not be easily equated with the perceived reality. This is one of the reasons that the public is so disgusted with the political process. It was, however, professionally disheartening to me to see an organization that I have had a great deal of personal respect for stoop to the same level of disinformation in their Congressional testimony, especially when it is subsequently used by professional politicians to justify their own misinformed stand on an issue. There are a number of serious shortcomings with the IST language in HR 2868. First conducting an IST concurrently with the SSP submission is counterproductive since it does not allow for full accounting for the security costs of not applying the IST in determining the financial feasibility of the program. The language seriously underestimates the complexity of conducting an IST assessment in a chemical manufacturing environment and doesn’t provide a way out of the implementation when new and more detailed information shows that a marginal IST process it is no longer technically or financially feasible. It provides no inducement for industry to conduct the necessary research to develop useable IST programs. Ignoring these real difficulties (that could be overcome if industry, activists and Congress would work together) while slandering an entire piece of necessary legislation with made-up problems demeans the political process and provides legitimate adversaries with further justification for their mistrust of the chemical industry. The pharmaceutical industry is almost certainly the least likely industry in the United States to be affected by the current IST language in HR 2868. Their formulations and manufacturing procedures are strictly controlled by the Food and Drug Administration and can only be changed after extensive research, testing and evaluation. The time for completing those process change procedures would certainly be justification, under this legislation, for declaring that there is no current IST option available for assessment. Likewise, the electronic industry’s well known need for pure, uncontaminated raw materials mean that there will have been little process work done on diluted acids (for example) to replace the anhydrous materials currently in use. The lack of detailed process work that must precede the assessment of alternative materials would preclude the affirmative assessment that there are technically feasible alternatives to the chemicals currently in use. In fact, throughout the chemical manufacturing industry there will be very few alternative chemicals that will have had the laboratory and process research, or the customer re-evaluation of the manufactured product necessary to determine if there is a technically viable alternative process. In fact, it is not uncommon for manufacturers belonging to SOCMA to require months or years of work to qualify the same raw materials from alternative suppliers. Introduction of new materials typically requires years of research, testing, and evaluation. There are legitimate problems with the current legislation. Rather than throwing up straw obstacles to non-existent problems the chemical industry needs to work pro-actively with Congress to develop real, workable chemical security legislation. Doing anything less will just provide further ammunition to the more radical activist organizations proving that the chemical industry does not care about the safety and security of their workers and neighbors.

Saturday, February 20, 2010

New Open Gov Idea Posted

Earlier today I added a new Idea to the DHS Open Government Dialogue page. I added a suggestion under the Participation heading that each DHS security program have a web page for reporting security issues related to that program. There should be links on each page for that security program for the reporting page and a security issue reporting landing page with links to all of the program reporting pages. The discussion continues on my earlier Idea about delays in the rule making process. Feel free to vote and join that discussion. I’ve also joined into a discussion about mandating the filing of flight plans for general aviation. Needless to say this Idea was posted in response to this weeks attack on the IRS office in Austin, TX. Is this just a ‘feel good’ suggestion or will it prevent future attacks? Put in your two cents worth. The DHS Ideas page now has 55 Ideas posted and there are still 109 Off Topic Ideas.

Reader Comment 02-19-10 First Responders

Red Team left a comment on my recent posting on possible terrorist attack dry runs. Red Team wrote:
“You make a good point. Identifying a "soft target" versus a "hard target" is a priority for professionals. Conducting dry runs on sites is also a way to increase the chaos. Many groups, abroad at least, specifically target the first responders. We see this tactic in Pakistan, Afghanistan, Iraq and other high-risk/high-threat areas.”
The comments about targeting first responders are well made, but they may have particular importance when considering attacks on US chemical facilities. With a large number of chemical facilities choosing not to have armed security personnel on site for a variety of safety reasons, the law enforcement first responders will typically be the only people that will be able to stop armed intruders from achieving their objectives in an attack on these facilities. This means that ambushing the first responders may have to be a key element in a successful terrorist attack. This will almost ensure that a variety of dry run simulated attacks will have to be conducted against the targeted facility. The terrorists will need the response history to plan for an effective attack on those responders. Once again this points out the importance of having an effective counter-surveillance program. It also increases the need for reporting these incidents to the FBI so that a concerted effort to intercept the terrorists before they begin their actual attack on the facility.

Congressional Hearings Week of 02-22-10

Well Congress is finally coming back to work after being out most of the month of February for Snow Days and the Presidents’ Day Recess. As you would expect the budget is high on the hearing priority list. Secretary Napolitano will be making the Congressional rounds this week explaining the President’s DHS Budget request. She is scheduled for the following hearings:

Senate Homeland Security Committee, 2-24-10, 10:00 am EST House Appropriations HS Sub-Committee, 2-25-10, 10:00 am EST House Homeland Security Committee, 2-25-10, 2:00 pm EST

Typically, she will submit the same written testimony to each committee and it will be posted to the DHS web site as well. Usually the differences in the testimony will come in the questions that she is asked, but this year with the recent security incidents I expect she will be mostly asked the same questions about airline and general aviation security issues. Hopefully, someone will ask her about the 1 year CFATS authorization extension included in the President’s budget request. There will be one other chemical security connected budget hearing this week. The House Transportation Committee’s Subcommittee on Coast Guard and Maritime Transportation will look at the maritime related portions of the President’s Budget. Even though the Coast Guard falls under Homeland Security, this is one of the continuing oversight problems that the Secretary has to live with. There is no witness list yet for this hearing, but I suspect the Commandant will be explaining the President’s budget request. There might be a TWIC Reader question or two asked at this hearing but that will probably be the limit of MTSA coverage. There is one chemical security related hearing that doesn’t deal with the budget this week. The Senate Committee on Commerce, Science, and Transportation will be looking at cyber security and infrastructure protection on Tuesday at 2:30 pm EST. There is no witness list posted yet, but this committee has a history of looking at industrial control system security issues. This hearing may end up being interesting.

Friday, February 19, 2010

DHS CFATS Webinar

This is just a quick reminder that DHS will be conducting a webinar on Monday, February 22nd, on the CFATS program. Sue Armstrong, Acting Deputy Assistant Secretary for Infrastructure Protection, will be providing an update on the CFATS program. You can still register for the webinar.

CSSP Web Page Update 02-19-10

The DHS CERT Control Systems Security Program (CSSP) web page has been updated. The new format includes a listing of “Notable Infrastructure Security News”. The pull down tab in the center of the page currently lists links to four news stories;
War game simulates cyberattack Cyberattack simulation highlights vulnerabilities Teaming up for security Shell hit by massive data breach
All of the stories are interesting reads, but the last one is kind of scary for employees. It seems that someone accessed and downloaded the Shell contact data base (phone numbers and email addresses for employees and contractors). The list was then forwarded to a number of activist organizations that have opposed various Shell operations around the world. According to the article it is not yet clear if it was an unauthorized internal access or an outsider hack. Of special concern is that this now opens the company to potential spear phishing attacks that could provide detailed access to company operations data and possibly control systems access.

DHS Open Government Dialogue 02-18-10

Yesterday evening I went back to the DHS Open Government Dialogue web site to see how things were progressing. As of 6:30 pm EST there were 51 Ideas posted to the site for discussion and evaluation and 99 Off-Topic ideas (some Ideas were obviously moved to Off Topic). The rate of posting new ideas has drastically dropped off. Of course this will still be open for about another month, so there is still time for everyone to get their two cents worth posted. No new security related (chemical or otherwise) posts but I did get an interesting response to my earlier posting to the DHS Open Government website about delays in the rule making process. It looks like we are going to get a discussion going. Feel free to join in.

Another Potential Dry Run

Earlier this month I reported on an incident that could have been a potential dry run for an attack on a facility in Florida. Today I want to tell you about a news report from West Virginia that could also be part of a dry run for an attack on a chemical facility. This time a suspicious package was dropped off outside of a facility near Kenova, WV. According to the article a number of agencies responded to the initial report, including HAZMAT and the FBI. Once the package was determined to be safe, it was removed from the scene for additional investigation. What is a Dry Run Now, I need to clarify something. I do not know that there are attacks planned on these two facilities and no one has told me that law enforcement agencies are particularly concerned about these two incidents. What I am saying is that a professional planning an attack needs to collect information about security response measures at a potential target. One way to do that is to conduct a relatively innocuous dry run to see how the facility reacts. A professional response to the dry run will frequently lead to the selection of an alternative target. There is no percentage in attacking a well protected target when there are so many poorly protected targets available. If there is a particular reason why the specific target has been selected, these dry runs will allow the professional to probe for the inevitable weak points in a security perimeter. For example it will allow for the measurement of response times for off-site security response forces or it will allow for the evaluation of the sensitivity to unusual occurrences just outside the perimeter. Dry runs are one of the tools available to a terrorist group to use as part of their pre-operational surveillance. From the point of view of the terrorists, a detailed surveillance plan increases the chance of the success of their attack. From the point of view of the security specialist, it provides a chance to detect a potential attack in advance. This can allow law enforcement to track down and find the terrorist cell before the facility is actually endangered. Response to a Dry Run So what does a facility do when it encounters a suspected dry run? The first thing is that one never knows if it is a dry run or an actual attack until after the incident has been properly investigated. The package in this latest incident could have contained an explosive device to allow for the penetration of the perimeter or act as a distraction for an actual penetration on another portion of the perimeter. With this in mind, the initial response is the same as it would be for any suspicious activity. There should be an initial cursory investigation by facility security. The limits of this investigation need to be thought out in advance and will be dictated by the level of training of the security team. In any case the objective of this investigation is to determine if it is obviously an attack or obviously not an attack. In those cases the facility security procedures should outline the required response. The result of most initial investigations will fall between those two extremes. This would require the notification of the authorities (certainly including the FBI in the case of high-risk facilities covered under CFATS). This will allow for a full investigation to determine if there is a potential attack in the planning stages. Incident Review After the initial incident is closed at the facility, the security team should conduct an after action review. Local law enforcement and emergency response representatives should be included in the review process. The purpose of the review is to look at the response to determine what was done correctly and what needs to be improved. This review should include a detailed debrief of all facility personnel that were involved in the incident in any way to find out exactly what they did and did not do. The purpose of the review is to fully document the incident and to determine what could have been done better. Revisions to site security procedures are almost always a result of these reviews. CFATS facilities should send a copy of their incident review to DHS Infrastructure Security Compliance Division (ISCD). Contact the Help Desk (866-323-2957) for instructions on how this should be accomplished. Any changes that are made to the Site Security Plan must be reported to ISCD. Please remember that these reports are Chemical-Terrorism Vulnerability Information (CVI) and should be marked and protected accordingly.

Thursday, February 18, 2010

Water Security Breach

There is an interesting article over on Dispatch.com (Columbus, OH Dispatch) about a recent security breach at a local water treatment plant. The interesting thing about this breach is that the police can only narrow the time of the breach down to a time period of about 15 DAYS long. The intruders cut through two fences and stole 200 feet of copper wire from an on-site electrical sub-station while avoiding detection by facility security cameras.

According to the article, a spokesman from the American Water Works Association downplayed the seriousness of the breach since the drinking water treatment equipment on the 148 acre facility was not involved in the break-in. Hopefully that spokesman is not involved in advising member utilities on security matters.

Purpose of Perimeter Security

There are three complimentary reasons for having perimeter fences. The most obvious is to keep people out of the facility. All security professionals realize that fences can not stop unauthorized access, just deter it. To paraphrase a common folk saying; fences are designed to keep honest people honest. They will not keep out people determined to enter the facility.

With this in mind, we can see that a well constructed perimeter fence serves the second purpose of classifying intruders. Anyone breaching that barrier is a threat to the facility. Without a good perimeter barrier intruders could be anything from a casual passerby to someone with nefarious intent.

The third purpose is to provide early warning of intruders. This will allow a security response team, either guard force or police, to interdict and apprehend the intruders before they get into the restricted area at the heart of the facility; in this case the actual water treatment works or drinking water distribution system.

In this case while the perimeter barrier performed the first two functions, the third was completely lacking. While it was not apparently the intent of these intruders, someone wishing to do damage to the water supply for 1.1 million people could have conducted an extensive on-site reconnaissance of the facility security and conducted a well rehearsed attack on the water treatment equipment in the 15 day period that the breach had not been detected.

Critical Resources 

One would assume that an electrical substation on the grounds of the water treatment facility would be there, at least in part, to supply power to the water treatment equipment used on site. As such we would have to consider this substation a critical resource for this facility. A successful attack on this substation would shut down the water treatment facility and the supply of drinking water to much of the city of Columbus, OH.

Now there was another perimeter fence around this substation, but it was also penetrated without detection. It is not clear if this fence was simply a safety device, installed to keep untrained personnel away from dangerous electrical currents, or if it was an actual security barrier. It obviously performed neither function well.

One would like to assume that the security barrier around the actual treatment and distribution equipment would provide more of a warning of penetration. Based on the news report on this incident, I really doubt it. Oh well, it doesn’t matter anyway; no one wants to do harm to this country, there is no terrorist threat, and no one has ever attacked a water treatment facility. Why do we need security anyway……

Can S 2996 Pass in the Senate?

On Tuesday the Government Printing Office (GPO) finally had an official copy of S 2996 available via the Thomas.LOC.gov web site. Over the last week or so since I wrote about the introduction of this alternative to HR 2868, I have had a number of people ask me what I thought about this bill and I have invariably answered that I did not think that it had much chance of passage. But, after re-reading the posting about this bill over on Steve Roberts’ blog I have begun to re-think that stance. That posting noted that if S 2996 passed in the Senate there would have to be a conference committee to work out the differences between S 2996 and HR 2868. I wrote off this comment the first time I read it because I did not think that S 2996 had anywhere near the votes to pass, even though it is a ‘bipartisan’ bill. It just didn’t address enough of the issues important to the activists that form an essential part of the base of the Democratic Party. While I still don’t think that this bill can pass in its present form, I have begun to think about what changes could be made to the bill in the legislative process that could make it passable. The one assumption that I am going to make in this discussion is that this bill will essentially remain true to Sen. Collins’ (R, ME) well known objection to the chemical facility IST provisions in HR 2868. If we don’t keep that much of the current bill then we don’t even need to discuss this bill and we would just assume that the Senate would take up and pass HR 2868. Water Security Issues A passable bill will have to address the issue of the security of chlorine and anhydrous ammonia at water treatment and waste water treatment facilities. The 2008 report by the Center for American Progress points out that the large amounts of these chemicals stored at many water treatment and waste water treatment facilities would make these facilities prime terrorist targets. The failure of CFATS to address these security issues has been a major rallying cry for organizations like Greenpeace. If provisions similar to those found in Title II and Title III of HR 2868 were added to this bill, there would be some moderate Democrats that could support the legislation. It would give them some cover to respond to the activists while protecting them from active opposition from the chemical industry. The water treatment industry hasn’t been very happy with the IST provisions in HR 2868, but that haven’t been as adamant in their opposition as the chemical industry. This is mainly due to the provisions giving State control over the implementation requirements rather than the EPA. Technically, the IST provisions in Titles II and III would be the ones that would be most amenable to a reasonable assessment requirement. There are mature and well understood alternatives to the use of chlorine for disinfection. They are certainly not going to be useable at every facility, but the evaluation of their implementation does not require a lot of new science and or engineering work that might be required for the assessments at most high-risk chemical facilities. TIH Mitigation Organizations like Greenpeace are not going to be satisfied unless the legislation provides strong provisions giving the government authority to require changes to eliminate or at least drastically reduce the use of toxic inhalation hazard (TIH) at facilities any where near urban areas. Since we have already assumed for this discussion that an IST mandate cannot be added to this bill, some method of reducing the risk from those facilities will have to be included in the legislation to mute the complaints of the activists. I think that a provision giving the Secretary the authority to require significant mitigation measures for TIH releases might provide the necessary political cover on this issue. Requiring some sort of method to stop a toxic cloud from leaving the facility would be one potential provision. Now the activist will argue that there is no technology that could guarantee that there would be no off-site effects, but most moderate Democrats could probably accept a reasonable attempt to stop off-site consequences. Labor Issues There are a number of labor issues that will have to be addressed in any CFATS extension legislation if there is going to be any significant support by Democrats, particularly in the House. Whistleblower protections, including labor representatives in the security process, and redress procedures for the personnel surety process will have to be addressed. The chemical industry hasn’t been entirely happy with the provisions in HR 2868 for these areas, but they can apparently live with them. Including these provisions in S 2996 would go a long way to assuring union support for the legislation. Since labor unions are a major source of political support for the Democratic Party, these provisions will be necessary to gain enough support among moderate Democrats to gain passage of the legislation. Other Legislation Any definitive discussion about the possibility of passing chemical security legislation in the Senate is still a little premature. There is one more bill that we can expect to see before the Senate Homeland Security and Governmental Operations Committee takes up this issue. Sen. Lautenberg (D, NJ) has promised to introduce a bill that will probably be more to the liking of organizations like Greenpeace.

If that bill is moderate enough, it might be the bill that the Senate leadership decides to bring to the floor for a vote. If that bill contains too many provisions objectionable to the chemical industry, it is more likely that Sen. Lieberman (I, DE) would work with Sen. Collins to work out a compromise version of her bill. If those two could work out a compromise version of S 2996 then it would almost certainly pass in the Senate.

Wednesday, February 17, 2010

DHS Dialogue Posting 02-17-10

I did finally make my first posting to the DHS Open Government Dialogue website today. My comment was placed under the Transparency Heading and it suggested that DHS establish a web page that listed the congressionally mandate regulations that DHS has, as of yet, failed to implement by the legislatively imposed deadlines. The posting would provide a description of the current status of those regulations. This is an issue of that I have addressed previously in this blog. It will be interesting to see how this is received by other participants in the dialogue.

UP Seeks Review of STB USM Ruling

The Surface Transportation Board web page announced today that they had been served notice that the Union Pacific Railroad Company (UP) had filed a court action in the US Court of Appeals for the District of Columbia seeking a judicial review of the Boards recent decision in the matter of US Magnesium (USM) vs UP (STB Docket NOR 42114). Readers of this blog will recall that the original complaint by USM complained about the high rates they were forced to pay for the rail transport of chlorine from their facility in Utah. The case was decided earlier this month in USM’s favor. UP had complained that the Boards decision had been based upon an arbitrary and unfair decision about which rate comparisons were used to determine whether the rates were excessive. I haven’t read the actual complaint from the Court of Appeals, but that is probably the basis of this action. The chlorine rail transport rate issue continues.

CSAT Corporate Reporting Tool

The January-February 2010 issue of the Journal of Hazmat Transportation arrived today. Those of you who may subscribe to this journal may have noticed that I am a writer for this magazine. I cover chemical security issues (no surprise) and do reviews of pending legislation, public comments on proposed regulations and what ever else the Editor throws my way. The reason that I mention this here is that I did an article for this issue on a Corporate Reporting tool that DHS has posted in draft form on the Chemical Security Assessment Tool (CSAT) web site. Laurie Boulden, the Senior Compliance Officer for the Infrastructure Security Compliance Division at DHS has been developing this tool as a method for corporate security managers or compliance directors to have a single source for tracking the CFATS status of multiple facilities within their organization. Unfortunately, I can’t give you a URL for the article since it is not yet up on the Journal’s subscription only web site. If you or someone within your organization has a subscription to the print version of the Journal you can find the article on page 17.

Tuesday, February 16, 2010

Open Government – 02-16-10

It has now been four days since I first wrote about the DHS Open Government Dialogue web site and ten days since the site first opened and I have only seen one comment about security matters. And I am proud to say that the commentor is a reader from this site, though I must admit that it looks like Edward posted his comment before I mentioned the site in my blog. Edward posted a comment about what he calls Fed Fatigue; facilities having to deal with multiple security agencies because of overlapping authorities (ie: CFATS, MTSA and TSA). This is a real problem that causes both over spending on security to cover multiple, not quite duplicate requirements, as well as overspending on government program duplication. As of 10:00 pm EST tonight Edward had 11 positive votes and no comments. Another comment by wonderwits parallels a comment I made in my original blog about the evaluation tool for the publics ideas. The comment, User Response to Comments is Insufficient, made a similar suggestion to the one I made about using a scale of response instead of a binary up or down vote. Two other comments deserve positive mention here. An early comment under the Participation heading, Run more public dialogues like the Homeland Security Dialogue, made by drhonker, suggest that DHS run more public dialogues like the QHSR Dialogues; suggestion fulfilled, here is the Open Government Dialogue. Another, this time by jaorangement under the Transparency heading, DHS should live webcast all meetings, suggests that public meeting be web cast and be made available on line. This too is happening, but should be made universal. One comment that I want to give a BIG thumbs down to was suggested by cicala, also under the Transparency heading, non legitimate press. Cicala complains about “miss information spread by web press sites” which leads to anarchy and confuses the American public. Since I would probably be included in the ‘non-legitimate’ press, I strongly protest, claiming the infamous mantle of ‘free press’. And I proudly share that mantel with all of the 'idiots' [sarcastic grins] with whom I disagree. DHS has taken care of the “very lengthy, wandering documents that provide little in the way of useable suggestions” that I complained about in my initial blog. Instead of deleting them, they avoided the charge of censorship by moving the comments to an “Off-Topics” page. There are now 99 off-topic comments vs 45 on-topic ideas; actually a pretty good ratio in my experience. It is kind of sad that there have only been 45 constructive comments in ten days from across the country. Oops, before I complain about that, maybe I need to get a comment or two posted. Watch the Open Homeland Security page tomorrow. But then, you know that I will talk about it here.

Water Security

I’ve been having an interesting email conversation with Bob Radvanovksy, the gentleman who has started the WATERSEC List that I wrote about earlier. As one would suspect of someone who has taken on a task like this, he is passionate about water security issues. One of the interesting things that came out in our discussion is how he defines ‘water security’:

“The term "water security" is a misnomer term, and is nebulous by its very definition. It means to 'secure our water operations', which can be left up for any level of interpretation. This means physical, and logical, and operational security. Operational security might be how HAZMAT is handled before, during and after water purification processes; logical security includes both IT and SCADA systems; physical is premise site surveillance and perimeter protection. But it also means 'social security' - what we can do - as a society to preserve the human race from extinction because we *waste* so much water in Western world countries, while others in desertificated regions of the world, are dying of drought and thirst. Similar to the 'critical infrastructure protection', 'water security' applies 'securing both an operation, and an asset', something that many people have a difficult time comprehending.”

This is truly the scope of any issue dealing with security of critical resources like water, food, energy, and essential chemicals. The most obvious security need is to protect the physical infrastructure (including electronic controls and information systems) that provides the finished product to consumers. When one starts to seriously look into that aspect of security then the protection of the raw material (including energy) feeds that support that facility as well as the distribution network that delivers to the customer become obvious concerns as well. Now on this blog I have a particular interest about the security of many of the chemicals used in the treatment of water and waste water; chlorine gas, anhydrous ammonia and sulfur dioxide in particular. I think these chemicals are a real potential terrorist target because of the off-site impact they would have if they were released from their storage containers at the facility. But, I would be completely blind if I thought that was the only way that a terrorist could successfully use a water treatment facility as a weapon. The EPA has chosen (or was forced by Congress, depending on your view) to direct their major security attention to preventing contamination of drinking water coming out of these systems, but that is hardly the only way a water facility could be attacked. Shutting down a drinking water treatment facility for a major municipality through a successful attack on its processing equipment may have more of an adverse impact on the lives of most of the people in that community than an attack that ‘just’ releases a couple of tons of chlorine gas or contaminates the water with low levels of a poison. Compromising the water supply that goes to that facility, especially in areas where water is in short supply in general, could have even a greater impact on the served community. If Bob can bring even a little light to shine on these potential issues through the WATERSEC List, he will have done this country and perhaps significant portions of the world a major service. I’ll try to do my part, sharing my chemical security concerns about water security. If you have ideas or concerns about the issue, please actively join us on that discussion list. Everyone else that relies on water from public water systems for any part of their lives should at least monitor the discussions on the list.

Sharing Intelligence

There is an interesting article over on USAToday.com about a plan to share classified intelligence information with about 10,000 managers, supervisors and “behavior detection officers” working in airport security with TSA. Unfortunately, only 750 of the 10,000 currently have the requisite Secret clearance necessary to receive the information that could be critical to the performance of their mission. The remaining 9,250 should get their clearances within the next two years, according to the article. To the uninitiated, it would seem really odd that the TSA was just now getting around to getting important intelligence information down to the first line supervisor level. After all, didn’t the 9/11 Commission point out that failure to share information between intelligence agencies? Actually, the 9/11 complaint was that there wasn’t adequate sharing of information between intelligence agencies, not the lack of distribution of intelligence to the operational level. Intelligence Distribution Intelligence agencies, even down to the tactical level, exist to provide commanders (up to and including the President) and other executives with the information necessary to properly plan and execute their mission. Distributing the developed intelligence down through the organization is typically limited to one or two levels of subordinate organizations. Even then it is an abbreviated version of the information given to person to whom the agency reports. A major reason for this is that good operational security (OPSEC) requires that the enemy or adversary should not become aware of what one knows about their capability and intentions. That knowledge could result in changes in the adversary’s operations that might not be detected in time to take appropriate preventive actions. Additionally, intelligence collection agencies tend to want to protect their means and methods of data collection. If the adversary knew what information about their actions was actually being collected, they would be able to take additional countermeasures to prevent that collection in the future. Finally, we must remember that most of the collected intelligence information is never distributed outside of the collecting agency. The reason for that is that the raw data is collected in such large volume that sharing all of the unevaluated data would simply clog the communications channels. Analysts must sort, collate and verify the data before it can become useful information. Necessary Intelligence Distribution There are certain kinds of intelligence information that do require the widest possible dissemination. One important type is the intelligence indicator. When an agency develops information that an adversary typically does something before conducting a particular type of operation, then that action becomes an intelligence indicator of possible future action. The widest possible distribution of information on this operational ‘tell’ is important so that the ‘tell’ is detected and reported at the earliest opportunity. One typical ‘tell’ is information about how an adversary conducts pre-operational intelligence collection. For example, a terrorist needs to collect information on a target before that target is attacked. They need to know about the security measures that they will encounter, where critical portions of their target are located, and how to most effectively attack their intended target. Information about how a particular organization collects this information would provide a good indicator that an attack is potentially being planned. Another type of intelligence information that should require distribution to the operational level is information about new adversary capabilities and how to counter them is useful operational intelligence. For example, information on the Underwear Bombers placement of explosives along with information about how to detect that in a pat down search would aid in the early detection and prevention of this type of attack. One of the frequent problems with distributing this type of intelligence is that it is classified in order to protect the means and methods of collecting the information. This requires that the target operational users must have the appropriate security clearance and must be trained in how to deal with handling and disseminating classified material. It also requires a secure means of communications to transmit the information to the intended user. When the person to whom the information is being sent is a Federal government employee, the problem of security clearances is easier to handle. The appropriate agencies typically have the internal rules and regulations in place to govern the handling of classified information. They also have personnel who are qualified to train new recipients of a security clearance in the proper handling techniques. This is not typically the case in most civilian companies or even State and local governments. Intelligence and CFATS While the largest chemical companies probably have some intelligence collection/analysis capability, the vast majority of high-risk facilities have no internal access to counterterrorism intelligence. The CSAT web site does provide a semi-secure means of communication with the Federal government. There is also a set of common set of security information rules and techniques in place to protect sensitive information (the Chemical-Terrorism Vulnerability Information – CVI – program) already in place. What is needed now is an intelligence collection and analysis organization that is dedicated to providing intelligence necessary to protect high-risk chemical facilities against terrorist attack. Most of the collection effort will probably be aimed at training facilities facility management in the development of counter-surveillance programs for their facility and acting as a clearing house for information collected by such efforts. The remainder of the intelligence collection would consist of preparing ‘tasking requirements’ for other intelligence organizations for specific types of information that might indicate the development of tactics and techniques for attacks on chemical facilities. ISCD has been properly focused on developing the tools for identifying, assessing and initially securing high-risk chemical facilities. They now need to start developing an intelligence tool to help maintain adequate levels of protection at those facilities covered under the CFATS program. That tool would include the development of:
A requirement for developing counter-surveillance plans at each of the 6,000+ covered facilities; A collection plan for the counter-surveillance reports from those facilities; A set of chemical facility counter-terrorism collection requirements for other intelligence organizations; An intelligence analysis unit capable of producing intelligence reports at the CVI level for all covered facilities; and A program that would allow for the distribution of classified intelligence reports to Tier 1 (possibly Tier 2) facilities.
This intelligence collection and analysis capability would certainly require Congressional authorization and funding. Including such authorization in a bill that makes CFATS permanent would have the advantage of allowing for full integration of the intelligence requirements with the security requirements. Unfortunately, it would also add another couple of Congressional committees to the mix of those required to review the legislation before it came to the floor for a vote.

Sunday, February 14, 2010

Ameristar CFATS Seminar

A reader pointed me at the CFATS webpage for Ameristar Fence Company because a brief blurb for a CFATS seminar that Ameristar is conducting later this month at their Tulsa, OK facility shows on that page. Following a link on their takes you to the following announcement:
“Ameristar will host a CFATS seminar in Tulsa on February 24, 2010. The seminar will include a brief CFATS overview and update, a presentation by the FBI’s Joint Terrorism Task Force, and a panel discussing CFATS from an industry compliance perspective. The seminar will also include a special presentation on blast effects -- an issue that is especially important considering the assault team, standoff weapon, and vehicle-borne improvised explosive device attack scenarios applicable for Release Chemicals of Interest, as required by the CFATS Security Vulnerability Assessment. The day will conclude with a physical security display. Please call 866-467-2773 for more details.”
I contacted Chris L. Herold, the Market Manager for Ameristar Fence Products’ Security and Specified Products, and he was kind enough to provide me with some additional information. Steve Roberts of the Roberts Law Group in Houston, TX (I have previously mentioned his blog on Homeland Security Law) will be the featured speaker. Steve will be providing an overview of the CFATS program and an update on the current status of its implementation. He is going to specifically address current trends and compliance issues for the Site Security Plan. There will be two Special Agents, Brig Barker and Jimmy Looney, from the FBI’s Tulsa Field Office talking about the FBI’s Joint Terrorism Task Force. They will be discussing the JTTF’s role in responding to terrorist event and what resources they have for investigation of potential future attacks. They will also describe the FBI’s partnership with InfraGurd. Protective Technologies Group will be providing the presentation on blast effects. Their team will include John Crawford (President of Karagozian & Case), Dr. Gil Heemeir (UCSD) and Allan Mangold. They will be discussing explosives, blast effects, and mitigation of blast effects. This should be an interesting presentation for facilities trying to protect release COI from IED’s and VBIED’s. The day long seminar (9:30 am – 3:30 pm CST) will also include a panel discussion that will look at the CFATS program from the perspective of corporate security departments. The panel will include Rich Ryan from ADM; Jim Cummins from Air Liquide, and Peter Lofgren from Halliburton. According to Chris Herold the intended target audience is Industry (Security Directors, Plant Managers, HSE Managers, Security Coordinators, Compliance Officers), Security Integrators, Security Manufactures, Security Contractors. From the information provided this looks like it will be an interesting seminar. Apparently they do these 2 or 3 times a year, so if you can’t make the program this month there should be future opportunities to attend.

Saturday, February 13, 2010

New Information Source

Readers of this blog might remember that on a few occasions I have mentioned one of emails from Infracritical.com as the source for the information that I was writing about. Actually these emails came from one of the three List Serves run by that site; The CIPP List (Critical Infrastructure Protection and Preparedness), the TRANSEC List (Transportation Security), and the SCADASEC List (SCADA Security). Today Bob Radvanovsky announced that Infracritical.com was adding a fourth list to their lineup; the WATERSEC List (Water Security). List Serves Those of you who were not around in the days before high-speed modems, web pages and Google might not be familiar with List Serves. These were started in back the days of 4K (not a typo) Baud modems as a means of facilitating communications via computers. Users would send an email to the List Serve which would resend the email to all of those signed up on the list server. Typically the List Serve would send out a compilation of emails every day; a digest. Replies would be addressed to the List Serve and that was how high-speed communications worked back in the day. List Serves obviously still exist as they allow for a fairly rapid exchange of ideas among a relatively controlled group of individuals. The use of the central server for the receipt and sending of consolidated messages reduces the volume of email received by each individual. It also allows for moderation of the conversation since the owner of the list serve is the ultimate arbiter of who can send messages to the group and who receives the group communications. Most of the people participating in the discussions on the Infracritical.com lists are people that work in the field associated with the list and bring a wide variety of expertise to the exchange of ideas. Some of the comments fly well above my level of expertise since I am more of a generalist, but I find a great deal of valuable information on these lists on a regular basis. WATERSEC List The new list being offered by Infracritical.com is a recognition that while there are many areas of water system security that are addressed on the other three lists, the industry has so many unique security concerns that it deserves its own discussion group. I signed up as soon as I read the announcement in the Saturday digests from the other lists. I look for to following the discussions and mining the information for my discussions here on this blog. Discussing Security Issues One interesting item has already come out of signing up for the list; it arrived in the email confirming my successful joining of the list. There is a security issue warning that I had forgotten about in my previous sign-up confirmations:
“WARNING: Due to several legislative laws and regulations, PLEASE EXERCISE care/caution when discussing certain topics on this list. Infracritical DOES NOT condone the discussion of the destruction, dismantlement, disablement, rendering useless of any known critical infrastructure in specifics or details whatsoever, nor will Infracritical be held liable for such discussions, and is left solely to the discretion of the individual posting to this discussion forum mailing list. Reading this welcome/warning, and acknowledging it condones your act of acceptance to these terms.”
Now part of this is legal boilerplate for the self-protection of Infracritical.com, but it is something that anyone that promotes a public discussion of security issues must remember. These four List Serves are not actively moderated the way I moderate comments to this blog. The owner there can censure inappropriate comments, but they don’t review the comments prior to their going out to the list members.

Friday, February 12, 2010

DHS Open Government

Washington may have been essentially closed because of weather this week, but DHS has had an interesting operation up and running. It is part of the Obama Administration’s effort to open up the Executive Branch operations to public scrutiny. On Saturday DHS opened their new Open Government web page which Secretary Napolitano officially announced on Monday.

Transparency, Participation and Collaboration This is the initial effort for DHS in their implementation of the new Open Government Directive issued by President Obama. The Department has a deadline to have their new program up and running to “enhance transparency, participation, collaboration and innovation”. They are trying to change a government wide culture of failing to communicate with the public. The pervasiveness of this culture can be seen in even the small things. For example, this web page describes the implementation of the Open Government Directive this way:

“Within 120 days of December 8, 2009, the Department will develop and publish an Open Government Plan that will describe how it will improve transparency and integrate public participation and collaboration into its activities.”
Regular readers of government regulations and documents will find nothing unusual in this statement. People without that background, however, will be a little put off by the phase ‘within 120 days of December 8, 2009’. Wouldn’t it be clearer to most people to just give the date by which the Department will accomplish this task? The web site provides a number of examples of the Department’s existing efforts in ‘Transparency, Participation and Collaboration’. There are links to such pages as: U.S. Coast Guard Search and Rescue Statistics; Quadrennial Homeland Security Review; and San Diego Border Patrol Sector Community. Interestingly, for a ‘Security’ agency, there is only one example given that has anything to do with security issues, and that only remotely. The security related link goes to the Historical Transportation Security Fee Collection Data (TSA) page. DHS missed a major opportunity by not including links to various landing pages for security related issues, like the Critical Infrastructure Protection page or the Chemical Security page. Public Dialogue Since this project is all about including the public in various departmental functions, it is only appropriate that the Department is asking for public input on their public outreach program. Building on last summer’s success with the QHSR Dialogues, the Department has a public dialogue web page. The page will be open accepting comments and public votes upon those comments until March 19th, 2010. Unfortunately, I don’t think that this dialogue will be anywhere near as successful as the QHSR Dialogues, mainly due to the lack of structure on the current page. Where the QHSR dialogue was tightly structured, requesting comments on specific ideas (and using the responses to refine those ideas) the current dialogue simply asks for suggestions in the four categories and asking for the public to ‘vote’ for or against those suggestions. This open ended dialogue has resulted in some very lengthy, wandering documents that provide little in the way of useable suggestions. Further they make reading and voting upon the more valuable suggestions difficult because they clog up the web page, discouraging review and evaluation. The up or down voting on the suggestions will be less valuable than the sliding scale voting method used in the QHSR dialogue. It does reflect the current political environment by assuming that a person can be only for or against something. Unfortunately, that is not the way that things get done in the real world outside of Washington. Every suggestion will have at least some kernel of viability. The binary nature of the current voting does not allow the results to reflect that. Chemical Security Issues Like I did during the QHSR Dialogues, I will be searching through the suggestions being made, looking for those that I think might be of interest to the chemical security community. I’ll periodically share that list with my readers. This will help our community to respond (positively or negatively) to suggestions that could impact chemical security operations. If any reader has posted or does post comments to the Dialogue regarding chemical security issues, please let me know so that I don’t miss them in my review. I will also be making my contributions to the Dialogue and will be sharing those as well. I certainly encourage people to respond to all chemical security related responses, including mine. I will also be happy to provide this blog as a forum for more active participation in the discussion of these security issues. While this blog is certainly not a direct part of the DHS Dialogue, I do know that there are a number of DHS officials that regularly read this blog, so our discussions will be at least unofficially heard.

Thursday, February 11, 2010

Jihadist CBRN Threat

There is an interesting article over on Stratfor.com, an open-source private intelligence organization, that discusses the possibility of Jihadist organizations using chemical, biological, radiological or nuclear (CBRN) weapons against the United States. This is especially timely since the Obama Administration has repeatedly emphasized that the threat of terrorists using such weapons against the United States is among the greatest threats facing this country. The Stratfor analysts reason that it “chemical and biological weapons are expensive and difficult to use and have proved to be largely ineffective in real-world applications”. They compare the effectiveness of the Aum Shinrikyo chemical and biological attacks in Tokyo with the IED attacks on Madrid rail lines and note that the more readily available explosives are much more effective at causing death and destruction. They also point to the ineffectiveness of chlorine augmented attacks in Iraq to argue against the potential threat of improvised chemical weapons. They do describe two possible exceptions to this rule; the use of radiological dispersion weapons (the so called dirty bombs) and attacks on toxic chemical storage or transportation to disperse those chemicals. They note that a dirty bomb is technically quite simple, but it would cause few actual deaths or injuries beyond those caused by the conventional explosives used as the dispersion agent. In fact, they go so far as to coin a new descriptive term for this type weapon, weapon of mass disruption, because of the potential for panic related to the irrational fear of radioactivity. Readers of this blog will certainly be aware of the potential effectiveness of a successful attack on chemical storage facilities. Even this is less of a threat for large scale casualties, according to the Stratfor analysis. They state:

“Of course, it is not unimaginable for al Qaeda or other jihadists to think outside the box and attack a chemical storage site or tanker car, or use such bulk chemicals to attack another target — much as the 9/11 hijackers used passenger- and fuel-laden aircraft to attack their targets. However, while an attack using deadly bulk chemicals could kill many people, most would be evacuated before they could receive a lethal dose, as past industrial accidents have demonstrated. Therefore, such an attack would be messy but would be more likely to cause mass panic and evacuations than mass casualties. Still, it would be a far more substantial attack than the previous subway plot using improvised chemical weapons.”

The full article is worth reading, especially in light of the near constant stream of warnings about the weapon of mass destruction threat to the country.

CIKR Learning Series Webinar Postponed

According to the CIKR Learning Series web page, today’s webinar on “Making effective use of visualization technology” is being postponed because of the bad weather in the Washington D.C. area. The new date and time will be Wednesday, March 3, 2010, 1:00-2:00 p.m. (EST). This does not apparently affect the date for the CFATS update webinar; that is still scheduled for Monday, February 22, 2:00 – 3:00 p.m. (EST).

Emergency Response Communications

There is an interesting article over at SundayGazetteMail.com that describes the problems that result when a chemical facility fails to communicate with the emergency response teams that they expect to support the facility. The article reports that ambulances will no longer be automatically dispatched to chemical facilities in Kanawha County when emergency calls are received. The new rules are a result of the recent refusal of DuPont officials to tell responding ambulance personnel if an emergency call on January 23rd was due to a chemical leak until the ambulance was on the Belle, WV plant grounds. It turned out that they were responding to an injury that resulted from the release of phosgene on the site. The late notification prevented the emergency response personnel from taking appropriate self-protective measures. Kanawha County officials will now dispatch ambulances to a ‘staging area’ a mile from chemical facilities and hold them there until the facility provides complete information about the incident including information about chemicals involved. There is no word about how county officials will verify that the provided information is complete. Similar rules will apply to other emergency response personnel including law enforcement and fire fighting personnel. In my opinion, this is an unfortunate, but wholly appropriate response to the failure of both DuPont and Bayer CropScience to fully communicate information about recent incidents to the emergency response community. The timely assistance of off-site emergency response personnel is critical to the safe operation of any chemical facility. Poisoning the relationship with those personnel by failing to fully communicate appropriate chemical safety information is inexcusable, self-defeating and borders upon criminal. Worse yet, this type of incident only feeds the anti-chemical industry attitudes of many activist and is at least partially responsible for the calls for the government to control what chemicals high-risk facilities can use in their manufacturing processes. There is little wonder that large portions of the public mistrust the chemical industry.

Wednesday, February 10, 2010

Clerical Error – AN Safe

The Royal Canadian Mounted Police (RCMP) announced Wednesday afternoon that the two missing one-tonne (metric ton) bags of ammonium nitrate reported to be missing last December are not really missing. According to an article on BCLocalNews.com, an RCMP spokesman said that their investigation concluded that the “most reasonable explanation for the discrepancy is administrative error”. Kinder Morgan, the distributor handling the material, reported the bags as missing on December 31st. Their own internal investigation pointed to a clerical error and they reported that to the RCMP on January 6th. But, with the Winter Olympics opening later this week, and ammonium nitrate being a well known component for improvised explosive devices, the RCMP was taking no chances. According to the article:
“The investigating team, which included the Integrated National Security Enforcement Team (E-INSET), members of the Vancouver 2010 Joint Intelligence Group, Public Works Canada forensic accountants and Natural Resources Canada, conducted more than 200 interviews of drivers and others involved in transporting the material.”
Loss of Product In their advanced notice of proposed rule making (ANPRM) for the ammonium nitrate security program, DHS indicated that they intended to include in the final regulation a requirement to report the loss, theft or diversion of ammonium nitrate. While theft and diversion are relatively easy to define, the problem of loss is much more complicated as this Canadian incident shows. When inventorying discrete items, most people would expect it to be a relatively simple matter of counting the items. Of course, in the real world things are always more complicated. With a large number of items stored in multiple locations it is relatively easy to have counting errors. This is usually dealt with by having multiple counting teams conducting independent counts. Discrepancies are resolved by recounts until both counting teams come up with the same number. Things get more complicated when there are shipping and receiving operations going on during the count. This is why every organization establishes acceptable levels of inventory discrepancies; inventory inconsistencies below the acceptable level are not investigated. Things are much more difficult with frangible inventory items. Chemicals used in manufacturing, for example, are typically removed from inventory by weight not by container count. Process designers will frequently attempt to size production runs to consume full containers (or multiples of full containers). If, however, there are multiple chemicals going into a product (usually the case) it is practically impossible to size the process to consume full containers of all the chemicals involved. This means that every time the process is run, there will be containers of partially consumed chemicals left in inventory; typically called ‘piece containers’. Organizations with strong inventory control procedures will require that each piece container is re-marked with the current weight of the contents of the container. This is typically determined by taking the initial net weight and subtracting the amount consumed. Unfortunately, all industrial weighments will be close approximations rather than exact amounts. Scale accuracy and operational procedures will affect just how accurately those weighments will be made. An acceptable variation of 1% is not unusual in most of the chemical manufacturing industry. Now a 1% acceptable variation does not seem to be much to worry about. With a drum containing 450 lbs of a chemical that is only 4.5 lbs. Of course, 4.5 lbs of an explosive can be quite devastating; remember the Underwear Bomber only had a few ounces of PETN explosives and intended on bringing down an aircraft with it. For an 80,000 pound rail car load that could be 800 lbs of allowable variation; about half of the amount of ammonium nitrate used in the attack on the Murrah Building in Oklahoma City. Now ammonium nitrate is an industrial chemical, but most of it sold in the United States is sold as fertilizer. Most of it is sold in bulk as a dry powder. At manufacturer’s facilities it is loaded using conveyor belts onto trucks, railcars and barges. I’m not aware of what the fertilizer industry standards are for that type loading, but I would suspect that it would be more than 1%. At all but the largest distributors, the material is transferred into trucks by frontend loaders; 1% weighment variations in those types of operations would be all but impossibly tight. Reportable Loss So, how do you determine what level of ‘loss’ needs to be reported? In the Canadian incident they reported an apparent loss of 0.033%; most companies would consider that an allowable and unremarkable inventory error. And, in fact, that is what the RCMP concluded. Will DHS have the manpower, time and money to conduct a similar investigation for every inventory discrepancy of even 1%? Don’t answer too quick to answer; the 0.033% discrepancy of 6,000 metric tons of ammonium nitrate, if it had been real, it would have made significantly more than 4,800 lbs of improvised explosive device. That would be a very big, a very loud, and a very deadly explosion.

Tuesday, February 9, 2010

HR 4580 Introduced

Last week Congressman Markey (D,MA) introduced HR 4580, the Metropolitan Medical Response System Act of 2010. This bill would authorize the currently existing MMRS program that is administered under FEMA. The program was started under the Department of Health and Human Services (HHS) in 1996 and currently funds programs in 124 jurisdictions around the country. According to the findings section of this bill:
“The Metropolitan Medical Response System (MMRS) is the only program at the Federal level that supports the integration of local emergency management, law enforcement, and health and medical systems into a coordinated response to a mass casualty event caused by a weapon of mass destruction, an incident involving hazardous materials, an epidemic disease outbreak, or a natural disaster.” {§2(2)}
The bill notes that MMRS program “provides tangible benefits in the form of increased operational capacity and communication, improved personnel training, stockpiled pharmaceuticals, and adequate supplies of personal protective equipment and other specialized response equipment” {§2(5)}. The FY 2010 funding for this program was provided by the Homeland Security Grant Program (HSGP). A total of $39,359,956 in MMRS grants will be split evenly between the 124 agencies currently enrolled in the program. CFATS and Emergency Response While the bill lists a variety of federal programs that are supported by the existing MMRS grants, there is, unfortunately, no mention of how the program could support emergency response planning for high-risk chemical facilities covered under CFATS. This is somewhat surprising since Congressman Markey was so involved in the development and passage of HR 2868, a bill to extend the scope of CFATS authorization, in the House. I have often commented that emergency response planning has got to be a key component of any security plan. When most people think of emergency response they think of police, fire, and EMT personnel. What is typically missed is what happens after casualties are removed from the incident scene. After all, don’t doctors know how to treat casualties? Casualties from a chemical incident (terrorist or accident, it doesn’t make any difference) are going to present a wide variety of injuries and symptoms depending on the chemical involved. Toxic chemicals may present special challenges because of the wide variety of potential effects the patients will experience based on the type and extent of the exposure they experience. Lacking specific training for proper detection, diagnosis and treatment for the exposure to the specific chemicals involved, medical personnel may not be able to provide adequate medical care. It is absolutely critical that the medical personnel that will be performing triage, diagnosis and treatment are trained in advance on the proper responses to the chemical exposure for the potentially wide variety of chemicals found at a modern chemical facility. This can only happen when the medical management team is aware of the chemicals found at facilities within its service area and that requires communication with the chemical facilities. While all chemical facilities should be communicating with their supporting services as part of their facility emergency response planning, there is a special responsibility for facilities covered under CFATS regulations. By definition they have been identified as being at high-risk for a terrorist attack and their emergency response planning takes on a special significance because of that. High-risk facilities with release-toxic chemicals of interest (COI) should expect that terrorists would attempt to conduct an attack that would result in the release of those toxic COI. Thus, the medical community absolutely needs to be informed in advance of those COI. CFATS and MMRS Since the MMRS program is designed to provide support for mechanisms for coordinated emergency response functions to include the whole response community, specifically including hospitals, this legislation might be an appropriate place to address requirements for emergency response planning for CFATS facilities. Suggested provisions for CFATS emergency response planning would include:
Requiring each MMRS organization to establish a CFATS planning team, members of the team would include emergency response and medical members who have completed Chemical-Terrorism Vulnerability Information (CVI) training/certification; Requiring each CFATS facility with release-toxic COI on site to provide a list of all such chemicals to the local MMRS CFATS planning team; Requiring the MMRS CFATS planning team to develop a plan for dealing with chemical casualties for exposure to each of the release-toxic COI that have been identified in the team’s service area; Requiring the MMRS CFATS planning team to be involved in the planning for emergency response exercises conducted at CFATS facilities in the team’s service area; and Requiring DHS Chemical Facility Inspectors to include a review of MMRS CFATS planning team efforts in any inspection/evaluation of a CFATS facility containing release-toxic COI.
 
/* Use this with templates/template-twocol.html */