Wednesday, March 31, 2010
DHS CERT Training Web Page Update 03-29-10
Tuesday, March 30, 2010
Radical Militias and Chemical Security
PHMSA Rushes Fee Increase Rule
Water Facility Security Lacking
Monday, March 29, 2010
S773 Passed in Committee
Sunday, March 28, 2010
DHS CSAT FAQ Page Update – 03-28-10
Saturday, March 27, 2010
Reader Comment 03-24-10 LEPC
Friday, March 26, 2010
Reader Comment 03-24-10 Chlorine Hazards
“You need to take a closer look at real data, e.g., from the gas dispersion modelers.And I'd appreciate if you would highlight for your readers the Chlorine Institute's venerable Pamphlet 74, available for download free from their website, especially the pages on the 90-ton chlorine tank car.”Pamphlet 74
The Pamphlet 74 that Fred refers to is a very detailed discussion on how to determine the area at risk in the event of a variety of chlorine releases. Fred is correct that the Chlorine Institute offers this document as a free download. Unfortunately, they will not get any points for having a customer friendly web site to get the download; you have to go through a lot of steps to download a .PDF document. Be persistent, it is a valuable documents for anyone interested in discussing the very real threats from chlorine gas releases.
I re-read the discussion on modeling chlorine gas release scenarios this morning and I will have to admit that my description of the dispersion pattern is a tad bit simplistic. I wrote: “The wind disperses a chemical cloud in a fan shaped pattern.” In the early stages of a catastrophic release of chlorine there are a number of factors that cause some initial dispersion that is not wind dependant. This is the reason that the base of the dispersion pattern shown on page 24 of Pamphlet 74 is so wide.
To be fair, I also exaggerated the width of the cloud at its maximum extent by using the fan description. The width of the exposed area drops off fairly quickly at the far end of the dispersion pattern. Even so, the basic comment about the limited area of coverage stands. The area under the 3 ppm exposure limit on the diagram is a flattened oval 41.5 miles long and 2.3 miles wide, not a circular area with a radius of 41.5 miles.
While the entire circle is ‘potentially’ at risk from a chlorine release, only a small fraction (1.8%) would actually be exposed in the event of the actual release. The two charts on the next page of the pamphlet provide some additional important details about the dispersion of the toxic cloud. The first chart, Peak Concentration as a Function of Time, shows how long it takes for the toxic cloud to reach various distances. More importantly it shows that the cloud moves through an area, leaving the area with minimal continued exposure after it has move on.
This does ignore the fact that some residual chlorine gas could remain in low lying areas out of sunlight for significant lengths of time. This means that there will only be a limited need for decontamination after the incident. The second chart, Peak Concentration as a Function of Distance, shows how quickly the concentration drops off as the cloud disperses. To understand the practical affects of that change in concentration we need to understand the medical affects of chlorine gas as a function of exposure concentration.
Chlorine Exposure Effects
According to the OSHA web site for chlorine, an exposure “to 15 ppm causes throat irritation, exposures to 50 ppm are dangerous, and exposures to 1000 ppm can be fatal, even if exposure is brief”. As with any chemical exposure the longer one is exposed to a given concentration of the chemical, the greater the potential harm. Thus we can see that the peak concentration drops below irritant level fairly quickly.
Chlorine is Very Dangerous
Now, having exposed the hype, it must be clearly understood that there will be a significant area under the exposure curve where people will die if they are not adequately protected against exposure. There is an even larger area where there will be serious medical consequences from exposure to the peak concentration levels as the toxic cloud passes through the area. Looking at the charts on pages 24 and 25 of Pamphlet 74 it looks like anyone inadequately protected in the cloud for up to a couple of miles away from the catastrophic release from a full railcar is at serious risk of being killed by the cloud. Inadequate protection in the cloud at distances of up to 15 miles from the release could have very serious medical consequences.
This is why I am against the political exaggeration being used in the current Greenpeace campaign. The opposition can simply dismiss their warnings as exaggerations from people who don’t know what they are talking about (which is obviously another political exaggeration, but exaggeration begets exaggeration). This reduces the effectiveness of the very real message that should be communicated to everyone that lives near a chlorine storage facility. It diminishes the message actually communicated to the politicians who don’t have the time to read and interpret Pamphlet 74.
Thursday, March 25, 2010
Reader Comment 03-24-10 CVI Issue
It is always nice to know that readers are paying attention to the details. Jon Greenwood posted a comment on my post about the first responder training at the meat processing facility. When I wrote about security issues being addressed, Jon commented:
“What about CVI for CFATS facilities? I don't believe that includes the press, and members from the local schools, churches, and civic organizations. The first responders definitely have a "Need to Know", and I believe every facility should include them in their security plans. I guess that's why there is a section for them in the SSP. But if I was an SSO of a facility, I don't think I'd want the general public to know about the security features (or lack of, in some cases) at my facility and I think that would violate CVI unless all those people had CVI.”
Jon is obviously correct, I did not address the Chemical-Terrorism Vulnerability Information (CVI) issue in my comments and should have. Anytime there is a discussion about security issues for any kind of facility (CFATS or not), careful attention must be paid to the make-up of the audience. Depending on the level of detail provided in the discussion, there is a very good chance that only CVI cleared personnel would be able to hear the discussion of security issues. This is going to be one of the major headaches for a facility security officer. How can they determine what information they can share about the facility security plan? Now the average fireman or cop on patrol is probably not going to be CVI certified, but they should be aware of many of the provisions of the security plan so that they can properly respond to an emergency on site. There should be people in the various departments of the local emergency response community, however, that are properly certified for CVI access so that they can participate in the security planning process. But even these people will not need to be read in on all of the details of the plan. Public Involvement Having said that, I would maintain that there should be some level of involvement of the local community in the security process. First off, they are going to have to be made aware of their personal responsibilities in the emergency response plan for an attack on the facility; that ERP should be an integral part of the security plan. Every neighbor that would be affected by a successful attack is going to have to know how to respond in that event, in order to protect themselves. This means that they are going to have to know how to determine that they are at immediate hazard, and how to respond to various possible outcomes from a successful attack. Trying to explain this to them as a toxic cloud forms outside their home is too late.
Additionally, neighbors can be a valuable resource in identifying the early stages of the preparation for an attack on the facility. They would probably be the first to recognize strangers in the area; strangers conducting pre-operational reconnaissance. They would be able to report suspicious behaviors and unusual questions being asked about the facility. For them to be actively involved, they are going to have to be educated about the potential risk, the things they could be expected to report, and how to make such reports. Completely shutting them out of the security process because they are not CVI certified is short sighted. They don’t need to be informed about much of the security plan, but they do need to know that the facility is potentially at risk of being a target of a terrorist attack.
Wednesday, March 24, 2010
FBI and Optimizing CCTV
DHS CERT CSSP Calendar Page Update
Tuesday, March 23, 2010
Working with Local First Responders
DHS Open Government Dialogue Closed
Monday, March 22, 2010
DHS CSAT FAQ Page Update 03-19-10
Greenpeace Targets Collins
“If that chlorine was released in an accident or through a terrorist act, 145,000 Mainers in a 25-mile radius could immediately become injured and even killed through this toxic gas cloud rolling through our neighborhoods.”First off, as I mentioned in the earlier blog, only a small fraction of that ’25-mile radius’ would actually be exposed to chlorine gas in a catastrophic release. Since chlorine can only spread with the wind it could take quite some time for the toxic cloud to spread to the 25-mile limit of exposure risk. In fact a stronger wind which would spread the cloud quicker would actually reduce the toxicity of the cloud. With a minimally effective emergency response plan there would be a couple orders of magnitude fewer casualties than claimed by Belliveau. Now, don’t get me wrong. Chlorine is a nasty toxic chemical. Those personnel exposed to lethal concentrations of the gas (most likely plant personnel and immediate down wind neighbors in a catastrophic release) will die a horrible death. Those exposed to less than lethal concentrations will have a variety of injuries, a limited number of which will affect the injured the rest of their lives. No Industry Response Unfortunately Public Broadcasting the piece by Anne Mostue, will leave the listener/viewers with the grossly exaggerated claims of Belliveau standing as ‘facts’. The article does note that the attempts were made to talk to facility representatives but no response was received. It is unfortunate that there was not an attempt to talk to first responders or local emergency planners in the area to get their view of the risk. With the public debate being pushed very effectively by Greenpeace and other environmental and labor activists, it is a shame that the chemical industry does not undertake an education campaign to provide potentially effected people with the actual facts about the possible hazards and the efforts being taken to both prevent and mitigate catastrophic leaks of these toxic chemicals. This lack of response is especially disturbing considering the legal and moral obligations that these facilities have to communicate chemical safety information to the population at potential risk. Allowing this exaggerated information to stand unchallenged is a complete abrogation of their hazard communication responsibility and probably increases the likelihood that counterproductive IST language will be included in any legislation that could come out of Congress, state legislatures or local government agencies.
Sunday, March 21, 2010
Congressional Hearings, Week of 3-22-10
Chemical Security Inspector Opening
Friday, March 19, 2010
UP and USM to Settle
Counterterrorism Info to Private Sector
DHS Open Government Dialogue Last Day
Reader Comment 03-16-10 More HR 2868
An Anonymous reader posted a comment to my earlier blog on the earlier discussion on the status of HR 2868. Anonymous wrote: “Can't see why Sen. Lieberman would introduce anything now, being that 2 Democrats have already endorsed the Collins bill. He would not have the votes to get it out of committee.” Reality It sure would be nice if politics were that simple. First we must realize that there is no current open opposition for making the current CFATS regulations permanent. There is some significant opposition (firmly led by Sen. Collins) to including IST mandate language in the authorizing legislation. There is also significant support for such a mandate (just as firmly led in the past by Sen. Lieberman). Sen. Lieberman and Sen. Collins are well known for their ability and desire to work out reasonable compromises on a variety of Homeland Security issues. And both Senators want to see permanent chemical security authorization passed. Finally, we have to admit that, while S 2996 does have ‘bipartisan’ support in being co-sponsored by two Democrats, it has virtually no chance of being passed into law. Democrats in the House have firmly established that they will not accept permanent legislation for CFATS without a number of pro-labor provisions, including some sort of IST provision. I’m not even sure that there are enough votes in the Senate to pass S 2996. Actually, this calculus may explain why DHS began work on their own draft for CFATS legislation. The Administration supports having IST language in any legislation making CFATS permanent. If DHS can work out some compromise language that will be acceptable to the House Democrats and Sen. Lieberman while not overly offending industry and Sen. Collins, then we might have a chance of getting enough votes in both the Senate and the House for a bill that permanently authorizes CFATS. Potential for Compromise Now I do think that a reasonable IST compromise can be written that would garner grudging support of significant portions of the chemical industry. Such support would be key to gaining support of moderate Republicans and conservative Democrats. Just look at the reduced industry opposition to the water IST provisions in HR 2868. Next week’s CCPS meeting will be essential in establishing the theoretical basis for such support. The important consideration this year will be the issue of timing. The closer we get to the November elections, the harder it will be to get the necessary votes. Legislators are more likely to oppose making votes on controversial legislation the closer they are to the voters’ evaluations. IST supporters are less likely to support compromise wording because of the large groundswell of support for IST from labor and environmental groups (just search for ‘chemical security’ on Twitter to see how hard Greenpeace is working this issue). IST opponents are less like to risk charges of killing jobs.
The real problem is that the Obama Administration has just not demonstrated that they are capable of internally approving politically controversial proposals in a timely manner, particularly in the homeland security arena. If the White House can speed their internal approval process and get the DHS draft legislation to the Senate in a timely manner (and that draft adequately addresses legitimate industry IST concerns, of course) then CFATS can pass before the summer recess.
Thursday, March 18, 2010
CCSP Congress to Address IST Issues
“The US Department of Homeland Security’s Chemical Security Analysis Center (CSAC), part of the Directorate of Science and Technology, has initiated an effort to enhance the safety and security of hazardous chemicals. As a first step, AIChE’s Center for Chemical Process Safety (CCPS) has received a contract to develop a formal scientific and technical definition of Inherently Safer Technology (IST). This definition is intended to help inform discussions of the role of IST in chemical plant and refinery security.”Back in February the CCPS and DHS held a workshop for technical experts in the field in Houston, TX. The formal report from that session will be presented at next weeks Global Congress on Process Safety. In fact, there will be two half-day sessions at the meeting in San Antonio that will specifically address the issues surrounding IST and chemical facility security. Both sessions will take place on Monday, March 22nd. The morning session will include:
10:00 am - Overview of Inherently Safer Technology (Dennis C. Hendershot) 10:30 am - The DHS Chemical Facility Anti-Terrorism Standards – A Risk-Based Approach to Chemical Facility Security (Larry Stanton) 11:00 am - Inherently Safer Technology Trade-Offs (Jatin Shah)The afternoon session will include:
1:30 pm - Federal View of Inherently Safer Technology From the CSB Perspective (John Bresland) 2:00 pm - ACC Philosophy On the Appropriate Application of Inherently Safer Principles (Peter N. Lodal, Laurie A. Miller) 2:30 pm - Applying Inherently Safer Systems – Contra Costa County's Experience (Randall Sawyer) 3:30 pm - Facilitated Panel Discussion and Audience Q&A/Discussion SessionThe panel for the afternoon’s discussion will include all of the earlier presenters. While the CCPS is preeminently a safety organization (recognized throughout the world for their safety expertise) they also provide information and expertise that is critical to the thoughtful development of security procedures and processes. As we have come to expect, there will be a number of other presentations at this process safety meeting that will address issues of concern to the chemical security community. They will include:
● Simulating the Consequences of an HF Release and Evaluating the Effectiveness of Safeguards to Reduce those Consequences (Randy Hawkins, Daniel Sheahan) ● Atmospheric Storage Tank Explosion Modeling (Jérôme Taveau, Jérôme Richard) ● Update of “Guidelines to Vapor Cloud Explosion, Pressure Vessel Burst, BLEVE and Flash Fire Hazards” (Quentin A. Baker, Adrian J. Pierorazio, John L. Woodward, Ming Jun Tang) ● Consequence Modeling of Chlorine Release (Prakash Amulakh Shah, Chandrakant J. Patel, Ms. Raja Kirthi Kalluri) ● Learning the Lessons From Buncefield (Ian Travers) ● Process Safety and Chemical Security—the Need for Company Specific Risk Criteria (Brad A. Fuller)If you can make the time and get to San Antonio, TX next week, I think that the sessions would certainly be worth your time. Registration is still open and CCPS is allowing people to register on each day of the meeting.
DHS Open Government Dialogue 03-17-10
Wednesday, March 17, 2010
DHS CIKR Learning Series Web Page Update 03-17-10
Reader Comment 03-16-10 Is HR 2868 Dead
Security Incentives
Tuesday, March 16, 2010
HR 4842 Mark-Up
Today the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee held a hearing to markup the recently introduced DHS Science and Technology Directorate Authorization bill, HR 4842. A number of minor amendments were adopted by voice vote and the Subcommittee favorably reported the amended bill to the full Committee. Chairwoman Clarke (D, NY) explained that the purpose of this legislation “is to ensure that the Science and Technology Directorate has the right tools available to be successful”. She further explained that success “means delivering products into the hands of our first responders, law enforcement officials, or critical infrastructure owners to help them achieve their mission and make America more secure”. Amendments were offered by Rep. Austria (R, OH), Rep. Kilroy (D, OH), Rep. Sanchez (D, CA), and Rep. Lujan (D, NM). All were passed on a voice vote with no demands for recorded votes. In today’s political climate this is a remarkable showing of bipartisan support for this legislation.
Two of the amendments might be of interest to the chemical security community. Ms Kilroy’s amendment added a new research program requirement to “develop and support cyber forensics and attack attribution” to §404(b). As part of the cyber security incentives research the S&T Directorate is required to under take with the National Research Council, Ms Sanchez’ amendment would include “analysis of the current marketplace and recommendations to promote cybersecurity insurance” in §405(b).
3 Reader Comments 03-15-10 SSP Experience
“Sales, Human Resources, and Customer Service uniquely impact COI security at different phases of the inventory or production cycle. One effect of SSP interaction with support departments can be the bridging of ‘silos’ within some organizations.”He also notes that communications with the emergency response community is necessary to answer some of the questions posed in the SSP. This communication “exchange contributes to a more thorough understanding of the challenges first responders face specific to the facility's COI”. This is another positive aspect of the SSP process. I urge all readers interested in the CFATS process to go back and read all three postings from these security professionals. I’m sure that these are not the only opinions out there on efficacy of the SSP process. I (and my reader presumably) want to hear about problems and challenges that facilities are having in their completion of the SSP. Those observations may lead to improvements in the methodology.
HR 4842 Introduction – DHS S&T Authorization Bill
On Monday, Rep. Yvette Clarke (D, NY), Chairwoman of the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, introduced HR 4842, the Homeland Security Science and Technology Authorization Act of 2010. Chairman Thompson (D, MS) and the ranking member on the subcommittee, Rep. Lungren (R, CA) are co-sponsors of HR 4842. This bill would authorize the DHS S&T Directorate for FY2011 and FY2012. There are a number of provisions of this bill that will be of interest to the chemical security community. Cybersecurity R&D Section 404 of this bill calls for the S&T Directorate to conduct and support a variety cybersecurity research and development efforts. The bill would authorize the appropriation of $75 million in both FY 2011 and FY 2012 for such R&D efforts to “prevent, detect, and respond to acts of terrorism and other large-scale disruptions to information infrastructure” {§404(d)}. One of the specified efforts would be to assist “the development and support of technologies to reduce vulnerabilities in process control systems” {§404(b)(5)}. Section 405 would require the S&T Directorate to work with the National Research Council to conduct a study of incentives to encourage to private sector to increase its efforts in the field of cybersecurity. One of the areas the bill directs to be included in the study is the evaluation of the use of regulations that would impose “under threat of civil penalty best practices on system operators of critical infrastructure” {§405(b)(3)}. Chemical Security R&D Section 409 would establish requirements for R&D to be conducted by the S&T directorate in the areas of chemical and biological threats research. Specifically for chemical security the Directorate would be tasked to “develop technology to reduce the Nation’s vulnerability to chemical warfare agents and commonly used toxic industrial chemicals” {§409(d)}. Included in this would be the establishment of the Chemical Security Analysis Center. The CSAC would be tasked with “conducting risk and vulnerability assessments based on chemical threat properties” {§409(d)(1)}. Additionally the Directorate would be required to work to “foster a coordinated approach to returning a chemically contaminated area to a normal condition, and to foster analysis of contaminated areas both before and after the restoration process” {§409(d)(3)} Mark-up Hearing
The Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology has a hearing scheduled for today at 2:00 pm EDT to markup this bill.
IST Questions – Active Mitigation
An IST Tool for CSAT
Reader Email – 03-04-10 IST Rules
IST Questions – Inventory Management
IST Questions – Chemical Substitution
As I explained in the initial posting in this series active mitigation systems include automated, active safety systems that chemically or physically modify an RTCOI so that a catastrophic release of the material does not have a significant effect outside the facility boundaries. The main controversy with these systems is their reliability in the destructive environments associated with terrorist attacks. Because of this controversy, the initial questions will establish the efficacy of the system.
Chemical Neutralization
The initial questions will establish the existence of chemical reactions that will convert the RTCOI to a chemical that does not present the same vapor phase toxicity. Follow-up questions will look at how quickly the reaction proceeds and examine the byproducts, chemical and physical, of that reaction. Finally the questions will examine if it is possible to design an automated system to effect the chemical neutralization that does not require operator action and will proceed in the event of loss of power or computer control.
Once the effectiveness of the neutralization system is established, the cost of the system will be established. As in earlier process changes that require new equipment these questions will address engineering estimates for the costs of these installations. As with any preliminary estimates they will include known costs (e.g.: list cost of storage tanks) plus a standard engineering markup to cover installation costs. DHS would have to establish a standard method for determining that markup.
Physical Neutralization
Typically physical neutralization systems convert the vapor phase of an RTCOI into a form that would not leave the confines of the facility; the most common is one that uses a solvent spray to dissolve the released toxic vapor. The initial questions will look at the efficacy of the spray system, establishing the amount of solvent necessary to knock down a catastrophic release of the material from the single largest container on site. Subsequent questions will establish how the system will be designed to remain effective if power systems are shut down by the terrorist attack. Again, once the efficacy of the proposed system was established the costs of the system would have to be examined.
100% Efficacy?
One political question that would have to be addressed with this type of IST program is whether or not the neutralization system would have to achieve 100% neutralization to be considered an adequate IST system. The argument can be made that reducing the amount of the RTCOI that leaves the facility to an amount less than as the Tier Reduction Quantity (TRQ) or the Facility Elimination Quantity (FEQ) established for that facility would be a sufficient risk reduction to meet the requirements for the current language in HR 2868. Thus 100% efficacy would not be required for these systems.
Monday, March 15, 2010
Greenpeace Chemical Security Campaign
Sunday, March 14, 2010
Reader Comment 03-13-10 SSP Experience
“While I'm getting things off my chest, this process looks like its developers never actually saw especially small facilities with relatively limited resources. The SSP tries too much to be all things to all facilities with little concern for their size, function, location, etc. Perhaps it would have been better if there had been separate SSP's based, in addition to Tier level, upon the size of facility or type (i.e. chemical, educational, manufacturing, paper, water treatment, etc.)”Now, I know that DHS developed all of their tools with the intention that any covered facility, regardless of size or type, could provide information about their security efforts. This means that there are many questions that will be answered “No” or “N/A” by many facilities; especially smaller facilities. I’m not sure, however, that DHS has communicated adequately that they are not expecting that facilities should be using these questions as security guidelines that must/should be followed by every facility. Part of the problem is, of course, caused by the Congressional restriction that DHS could not require specific security measures as a pre-requisite for SSP approval. I understand, and agree with, the underlying reason, but it does make it more difficult for DHS to communicate what is expected of facilities. Another problem was the short amount of time that DHS had to get this stuff all put together. There simply wasn’t time to develop separate SSP’s for each industrial sector that might have covered chemicals on-site. Though, to be fair, DHS has addressed a number of individual chemical communities with the suggestion that they develop an Alternative Security Plan process for their specific situations. Most have declined, allowing the burden to remain at the doorstep of DHS. Some individuals at ISCD have been particularly upset with the academic community in this respect. SSP Misnomer Dick Sem also points out a problem with terminology, writing about the Site Security Plan process that “And once you're done, you have a completed checklist with planned and proposed measures but no actual plan.” A number of writers (myself included) have pointed out this particular problem, but none of us have yet come up with a good solution. It certainly wouldn’t be practical for each facility to submit a compilation of all of the security procedures that are in use at a facility. For a larger facility this could easily run to a couple hundred pages of densely written pages explicating who does what to whom. Evaluating such documents at DHS would certainly be unmanageable with twice their current staff. Now, those procedures are actually more important than the SSP submission checklist when it comes to actually protecting the facility. But there is another problem with the submission of full procedures; DHS has taken the stance that the approved SSP is, in fact, an enforceable contract between DHS and the facility. Once the SSP is submitted and approved, DHS can require the facility to properly employ, train and maintain they system outlined in their SSP. Failure to do so, could result in $25,000/day fines. Now everyone knows that effective procedures must be living documents; constantly being updated and revised to reflect their operation in the real world. As long as such changes do not change the answers to the SSP questionnaire, facilities would have more leeway to make these modifications. If the actual procedures were submitted and approved, DHS would have to buy off on even the smallest procedural changes. Process Discussion One thing that we have seen is that DHS realizes that their process must also grow and evolve as lessons are learned. Comments like Dick Sem’s are an important part of the process of making the CFATS program more effective. I know that I have a significant readership at ISCD; so DHS is seeing this discussion. I would like to solicit comments from anyone that has been involved in the implementation process. Comments from security professionals are important, but so are comments from security managers of facilities that are going it alone, without advice from security professionals. System integrators and vendors will also have valuable inputs to this discussion. We do have to worry about CVI issues in this discussion. While I have decried the overuse of ‘Anonymous’ in posted comments, I would much rather have that than names that can be linked back to a single facility. And please, let’s keep the discussion generic so that no facility’s security is compromised.