Monday, May 31, 2010
Energy Facility Security
Sunday, May 30, 2010
DHS CSAT FAQ Page Update 05-28-10
This last week saw DHS make more modifications to the responses on their Chemical Security Assessment Tool (CSAT) Frequently Asked Questions (FAQ) page than they have in quite some time. They modified responses to three previously asked questions and added seven new questions. The modified responses were for the following questions:
1473 What information do I need to know about my facility in order to register?
1563 How do I know if my facility is a Treatment Works as defined in Section 212 of the Federal Water Pollution Control Act?
1604 Do I need to keep a record and/or printout of my survey before transmitting it to DHS?
There were no material changes to any of the modified responses. The DHS people were just cleaning up typographical errors and misspellings; all typical work that needs to be done to a data base this large. Special Note to DHS: you missed one error in the answer to question 1563: “recy6cling”.
New FAQ
I routinely recommend that all facility security managers (and other interested people) read the responses to all new questions, even if they do not appear to apply to the facility. This is because they always provide some level of insight into the thinking of ISCD and that is always valuable. The new questions added this week were:
1403 In the on-line SSP, how do I identify my facility's Cyber Control System on the map if it is managed off-site?
1661 What is the definition of A Commercial Grade (ACG) for the purposes of CFATS? Specifically, under Appendix A of the Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27, if a chemical facility manufactures or otherwise possesses a Theft/Diversion or Sabotage chemical of interest (COI) but does not directly offer the chemical for commercial sale, does the facility need to count the chemical toward the applicable screening threshold quantity to determine if the facility must submit a Top-Screen to DHS?
1662 I have received an email notification that a CSAT Letter is available for viewing. How do I access this letter?
1663 I have a final tiering determination and SSP deadline, but have not yet submitted my SSP. I have also made material modifications to my site. What should I do?
1664 Between the time a facility submits an SSP for review and ISCD inspects the facility, could DHS direct a facility to cease operations? In other words, could DHS shut down a facility based on the content of a submitted SSP without an actual facility inspection?
1665 What are examples of redundant radio systems?
1666 Does a facility have an obligation to notify DHS if the facility itself is shutting down/closing?
A Commercial Grade
The response to question 1661 should be closely looked at by any facility that has an STQ amount of either a Theft/Diversion COI or a Sabotage COI on site. DHS clarifies in this response the status of a facility that possesses but does not sell those COI. DHS explains that the phrase “offered for commercial sale” does not mean that facilities that use but do not sell these COI are exempt from reporting these materials on their Top Screen. The phrase is used to describe the chemical, not the facility.
There still remains one potential loophole in this definition. If a facility produces the material for internal consumption and does not sell or transfer that material off-site, then it would appear that the facility would not be required to report it on the Top Screen. If I were in that situation, though, I would specifically ask DHS for their opinion on the matter before submitting my Top Screen.
Change in COI
The response to question 1663 is of particular importance to a wide range of facilities. When a facility has received its final notification letter of its tiering and SSP due date, but has not yet submitted its SSP, the facility does not get a reprieve from the SSP requirement by submitting a ‘material change’ Top Screen showing a reduction or removal of a COI from the facility.
In addition to filing a new Top Screen, DHS wants facilities to report the change on their SSP. If the change has already been done, DHS wants it to be reported on the SSP as a “Planned Measure”. If the change is in process or planned to take place, DHS wants it to be reported as a “Proposed Measure”. This will allow DHS to evaluate the effect of the change on the security profile of the facility. For “Planned Measures”, DHS will consider those measures when deciding on the approval of the SSP. For “Proposed Measures”, DHS will not consider them in the approval decision process, but ISCD will inform the facility of the potential effect of the change on their CFATS Status. The most important part of this response, however, is found in the last paragraph:
“By stating a COI has been or will be permanently removed from a facility in the SSP, or that conditions have otherwise been permanently and materially changed, the facility is then legally bound to ensure that COI is in fact never held at that facility again or that the condition or material change remains in effect unless and until DHS approves a revision to the facility’s SSP. See §§ 27.210(d) and 27.245(a)(iii).”
It would seem to me that facilities would want to be very careful in reporting this type of change as a “Planned Measure”. If there is any reasonable chance that the facility will be returning the material to the facility, then it may be more prudent to report the change as a “Proposed Measure”. This will not carry the same legal burden as a “Planned Measure” since DHS is not using that report in their actual consideration of the SSP.
Saturday, May 29, 2010
Long Weekend
Congress finished their work yesterday afternoon and took off for the long Memorial Day weekend; they won’t be back to work until June 7th (the Senate) or June 8th (the House). Not that they will actually be taking much time off; this is an election year so most of them will be spending lots of time talking to constituents back home. With the number of upsets so far this year in just the primary elections, electioneering is likely to be even more of a factor in the deliberations of Congress this year. Democrats will likely try to bring up some measures for votes that their liberal base wants to see passed, even though any realistic observer would be well aware that Senate Republicans, appealing to their conservative base, would certainly block actual votes. All posturing for the base, but it will take up time and make it more difficult to get any real work done.
This year it is possible that electioneering might even interfere with passage of the DHS budget. Typically the Defense budget and the DHS budget get passed even if the rest of the government gets covered by a continuing resolution until after the election. This year, because of immigration issues, the DHS budget might get held up as well. Then we will have to pay particular attention to the actual language of the continuing resolution to make sure that it actually continues the CFATS program that currently expires on October 4th.
Friday, May 28, 2010
Water Facility Security Training
“Utility operators will become familiar with the requirements of this Bill and how to comply with the Bill. Free RAMCAP compliant software is available to help systems prepare risk-based security plans, and alternative chemicals and processes to replace compressed gases.”
Now HR 3258 was incorporated in HR 2868 as Title II of that bill and was subsequently passed in the House. Readers of this blog will know that I do not believe that this bill will come to a vote in the Senate this year. Having said that, I am nearly certain that a similar bill will come up next year and there will be some sort of provisions for water facility security in that bill.
I’m not sure what ‘RAMCAP compliant software’ Taud Training Station is using, but the RAMCAP program was one of the bases for the development of the current CFATS tools. Additionally, addressing the issue of ‘alternative chemicals and processes’ (I like that better than IST) should certainly be of benefit to water system operators even if there is no IST mandate in future legislation.
A six-hour training program will not provide in-depth coverage of any of these topics, much less all of them, but it is certainly enough time to give a good overview and point participants in the proper direction for further training. I don’t know anything about the Taud Training Station or any of the specifics of their proposed training, but the info provided on the Facebook page certainly would be enough to get me to make a call to John Shadwick for further information if I was a small water system operator.
Reader Comment 05-26-10 CG Inspectors III
“Once the young man or woman figures out how to run the program, they move on and then people like me, who've been overseeing the regulatory compliance programs for major companies is left dealing with a new guy that doesn't know his arse from a hole in the ground. He interprets everything differently in an effort to distinguish himself from his predecessor and you find yourself revisiting ridiculous issues that were laid to rest years ago and that not only goes with the young E3, but for the officers as well. We recently had a LtCmdr openly state that "I reserve the right to be more intelligent than my predecessor." Upon hearing that, I could only shake my head.”
In my time in the physical security field in the military I took for granted the phenomenon that Osocampana describes; that was simply the way the military did things. When new inspectors rotated into the command they brought a new way of looking at things and the focus of inspections changed slightly. In a way it made for a program that did not grow stale over time. Of course, the only thing that we were expending on the program was time and hard work; inspectors could not require the expenditure of real money or long term capital expenditures.
In the CFATS program, or the MTSA program, the new look can require the significant expenditure of money, money that inevitably must come from business revenues and could potentially have an important impact on profits. Fortunately for Osocampana and his fellow regulatory compliance officers, the CFATS program is being administered by the civilian side of the Federal government where professional inspectors can be expected to be around for long periods of time. No, the ‘new requirements’ in the CFATS program will come from the minds of politicians, not the opinions of the new inspector on station. This will make them more predictable and allow for facilities to have more input into the change.
I’m just not sure that it will make for a more robust program over time or if it will just end up like the enforcement programs found in OSHA and EPA; only effective in response to incidents not preventing problems. We’ll see.
Thursday, May 27, 2010
Private Sector Resources Catalog
“The catalog provides information, contact numbers and email addresses, and websites for almost every program, office, and component within DHS.”
The table of contents (which provides a click-able link to the chapters, a real valuable tool) provides a quick look at the available information. Of potential interest to the chemical security community are chapters on Cybersecurity and Communications (CS&C), Office of Infrastructure Protection (IP), Science & Technology Directorate (S&T), and Transportation Security Administration (TSA).
Each chapter provides a fairly comprehensive list of programs with points of contact (POC) and/or web pages where further information can be found. Many of the programs listed are hard to find on the Internet without this guide. Other programs are briefly mentioned on the Internet, but no POC information has been made available for more information. So this is a valuable guide, though I don’t recommend printing it out; the real value lies in the links and it is easier to use them in a computer file than from a printed document.
The web page for this document promises that “this catalog will be updated regularly to publicize new resources and increase private sector awareness”. Unfortunately, the page does not include a link that would enable someone to be notified when the catalog is updated. The page does include a ‘last reviewed’ date so it will be a fairly simple matter to click through to see when the catalog is revised, but it would be simpler if DHS would add this to the list of pages for which they provide a change notification service.
If DHS provides regular updates of the information (and some parts of DHS have better histories of updating information than others) available and provides links to that information in future updated versions of this guide, they will have gone a long way in redeeming their ‘Open Government’ operations in my eyes.
This is a valuable document which will become even more valuable if it is kept updated at regular intervals.
Chemical Monitors
“Juror Kurt Jarreau said the parish had been battling the railroad company for years about quickly alerting emergency personnel when spills occur during derailment or other accidents, which he said happen often.”
While I am glad to see that a local government is being proactive in taking steps to protect its citizens against potential toxic chemical leaks, I certainly don’t think that it should be their responsibility to take this particular action. For high-risk chemical facilities housing release-toxic COI I have long advocated that such detection networks should be a necessary part of their security mitigation plan. Additionally, EPA should have required such systems as part of the emergency response requirements under a variety of community right-to-know rules.
Of course, the CFATS rules explicitly exempted rail facilities from being considered as high-risk chemical facilities, noting that those facilities would be more appropriately regulated under TSA rules. Of course, TSA has done little to affect chemical security at rail (or any other type of transportation) facilities. They have regulated tracking and transfer activities for TIH rail shipments, but have not addressed any actual security activities except at shipper and receiver facilities that would presumably already be regulated under CFATS or MTSA regulations.
Even at these shipper and receiver locations TSA has simply required the establishment of ‘rail secure areas’ for the storage of TIH railcars without specifying what that means. Presumably they would be expected to provide some physical security for TIH railcars stored on site, but there are no requirements for any kind of emergency response planning. And besides which, those ‘rail secure areas’ are not required when those same cars are stored 'temporarily' at rail yards.
So, a small community in Louisiana is responsible for detecting a chemical leak on private property in order to protect their citizens from the toxic effects of such a leak.
The railroad that owns the property apparently has no responsibility for notifying that community, no responsibility for planning for what must happen in the event of such a leak. That doesn’t seem right.
NSTAC Teleconference 06-10-10
Wednesday, May 26, 2010
Reader Comment 05-26-10 ICSJWG Agenda
CG Final Rule for LNG-LNH Facilities
CIKR Learning Series Page Update 05-25-10
Late yesterday DHS updated their Critical Infrastructure and Key Resources Learning Series [link added 05-26-10 22:45 EDT] web page. For some unexplained reason they removed the link to the last webinar that was added to the available archives, 2010 Hurricane Season: Tools for Understanding Risk. This webinar was held earlier this month and had just been added to the archive earlier this week. I checked this morning and the link above is still operational.
Tuesday, May 25, 2010
Reader Comment 05-25-10 CG Inspectors II
“My point is, as a CG Facility Inspector I want to make sure everyone who reads that story understands there was more than 1 day of training during MST "A" school. There is in-field training that is required prior to receiving that qualification that takes months and requires a lot of shadowing of someone qualified.”
As a former military instructor I am well aware of the differences between formal instruction and on-the-job training. Both are an important part of producing a professional in any field. OJT, particularly when supervised by an intelligent and experienced mentor, is an invaluable part of the development of a security professional. The details of day-to-day operations (what to look for in a wide variety of facility settings and, more importantly, how to deal with a variety of facility personnel) can only effectively be taught in a real world setting.
There is, however, an inherent weakness in OJT: the lack of control of subject matter exposure. A daily work environment frequently limits the number and types of encounters that will be experienced in an OJT period. One of a kind facilities with unique requirements and characteristics are frequently missed in such programs. Types of facilities not found in a particular area will obviously be glossed over or ignored. A CGI trained at a West Coast port will have no exposure to the security concerns associated with loading bulk ammonium nitrate on river barges, for example.
Now a classroom period of instruction on bulk loading of river barges will never completely substitute for working alongside someone who has done hundreds of inspections of such facilities. But that classroom instruction will provide much more information than what someone would pick up on the job in Long Beach. This is one of the reasons that when DHS set up the Chemical Inspector Academy they included both the classroom instruction and visits to a variety of chemical facilities.
And I certainly agree with our commenter that an experienced CGI would almost certainly have an easier transition to become a chemical facility inspector than, for example, someone from the Federal Protective Service with more experience at office building security. But, we probably need all of the CGI that we have to continue to keep our MTSA facilities properly secured.
Working-out Program Bugs
Our anonymous commenter makes a point about the MTSA implementation that certainly applies to some extent to the CFATS program as well, writing that:
“I think it is worthy to note that the Coast Guard Facility Inspectors were handed a set of regulations a few years back and told to enforce them with little to no guidance. While we can all rant and rave about the injustices done to the "mom and pop" facilities who had stringent (and arguably unnecessary) regulations enforced on them I think you have to remember that there should be a grace period for the CG to figure out how to do their job the best and safest way. In this instance I would consider the Coast Guard's approach to 33 CFR 105 facility security was "better too much than too little". Again, that can be argued either way.”
CFATS inspectors are getting more formal training than the original MTSA inspectors did, but they are still the first ones on the ground, learning as they enforce. While it will be hard for facility personnel to accept this, they are going to have to deal with it. Even the ‘senior’ inspectors will only have a couple of facilities' worth of experience under their belt when they show up at the front gate. There is a very good chance that they have never been in that particular type of chemical facility ever before in their life.
There are no checklists and the inspectors are working off the same ‘vague’ guidance document that industry has been complaining about for a year now. This is another reason that these initial inspections are so time consuming. The inspectors are having to work with facilities to understand each facility’s unique situation. With the lack of CFATS inspection experience, achieving that understanding will be that much more difficult. Both sides of the inspection process are going to have to work together to make this program effective.
ICSJWG Page Update 05-24-10
Workforce Development Control Systems Security Research International Coordination Standards Development Incident Response and Handling Vulnerability Management Emerging Technologies Managing Vendor Relations Law Enforcement and Forensics for ICS Integration of Cryptographic Technologies Security Management Metrics Information Sharing Wireless Integration in ICS environments Lessons learned Securing network perimeters Malware and Vulnerabilities Effective Cybersecurity Programs Coordination of Threat Reporting and Determining Attribution
I don’t see a single topic listed here that wouldn’t be a valuable subject for discussion, but I would have liked to see at least one topic that directly addressed government cyber security standards (CIP, CFATS, etc). In fact, it would probably be worthwhile to have a representative of the various enforcement agencies provide updated information on their programs.
CSSP Page Update 05-24-10
CFATS Webinar
• CFATS Road Map & Timeline
• CFATS Regulatory & Legislative Updates
• CFATS Regulatory Considerations for SSPs
All three of these presenters are very knowledgeable and experienced speakers. The topics are timely and they certainly have the experience and background to provide valuable insights on their respective topics. Traci Perdum, the Senior Digital Editor for ChemicalProcessing.com will be moderating the program and live Q&A session that will follow the presentations.
The only thing missing from this webinar is participation by DHS. ADT has had DHS presenters at earlier webinars. What would be interesting would be to have Larry Stanton give his presentation on the IST reporting tool that DHS is considering adding to the CFATS program. I have an article on their proposal coming out in the upcoming issue of the Journal of Hazmat Transportation. Stanton made his presentation back in March at a CCPS meeting and it would be interesting to see the response to the proposal before a more general audience like this.
Monday, May 24, 2010
Reader Comment 05-24-10 Video Surveillance Training
“In July, we are going to introduce a new plan just for basic video surveillance - $99 for the year. We want to make it as affordable as possible for end users to learn more about video surveillance.”
I always applaud suppliers rolling back their prices. I know that John isn’t just targeting this price at the chemical security community, but I know that it will be appreciated by the facility security managers that are trying to get up to speed on a wide variety of security subjects. This will make that task just a little easier.
Development Along Rail Lines
Sunday, May 23, 2010
HR 5346 Introduction
SCADA Vendor Support
Basic Video Surveillance
• Different approaches to live surveillance monitoring
• Types of alarm monitoring
• Examples of conducting investigations
• Common number of cameras being used
• Common locations and types of cameras being used
• Privacy issues in using video surveillance
• Unrealistic or science fiction approaches to video surveillance
It included a very good discussion about when and why facilities may or may not decide to have someone constantly monitoring the feeds from their security cameras. I especially appreciated the discussion of video quality and why it isn’t practical to have 100% perfect videos throughout the day.
There are two additional podcasts in this introductory program: Video Surveillance Products Basics and Basics on Cost and Value of Video Surveillance. John includes links to written reports on both subjects for further detailed information.
Once again I have to recommend another of John’s products. The podcasts are interesting conversations instead of lectures. Combined with the links to reports on information covered in the podcast the training value for this material is high. Once again, John is not trying to make anyone a video surveillance technician or integrator with this program, but he is providing valuable information to someone who will be dealing with these professionals.
Counter Surveillance
Friday, May 21, 2010
Greenpeace Security Inspections
FCC’s ERIC Rule
The rule establishes ERIC within the Public Safety and Homeland Security Bureau (PSHSB), but the details of the internal operation of ERIC were largely excluded from the final rule “because the adopted rules are rules of agency organization, procedure, or practice that do not substantially affect the rights or obligations of non-agency parties”. The rule does provide for the appointment of advisory bodies to advise ERIC. There is nothing in the rule that would specifically affect the chemical security community, but it does give me a chance to continue to plug for ensuring that security programs at high-risk chemical facilities can and do routinely communicate with local law enforcement.
The development of the use of the 700 MHz for broadband wireless communications for the public safety community provides an excellent opportunity to tie both the security teams and emergency response teams at high-risk chemical facilities into the communications capabilities of local law enforcement and first response community. In most cases where there is a serious incident, either accidental or as the result of an attack, at these facilities the on-site personnel will already be attempting to deal with the situation by the time that local response arrives on scene.
As the local incident commander takes control of the scene, gaining up-to-date information from the facility response teams will be critical in planning and executing the off-site response. This informational exchange can only be enhanced if the on-site personnel have interoperable communications and have trained with the local responders.
Of particular importance in this interoperable communications will be the provisions for high-speed data communications to share information like live video from on-site surveillance cameras. Additionally a wide range of process sensors could provide invaluable information about the physical conditions of critical storage tanks and process equipment. Facilities with a network of chemical detectors to identify and track leaks would find that the local responders would greatly appreciate that information.
So, I’m taking this opportunity to stand on my soap box to urge the FCC, through ERIC, to take into consideration the high-speed data communications requirements between high-risk chemical facilities (and obviously other critical infrastructure and key resource facilities) and local first responders and law enforcement when they plan. Unfortunately the FCC did not make provisions for public comments in the publication of this rule, so I just stand here on my soap box. Perhaps Congress could include provisions in any CFATS reauthorization (if and when) mandating the establishment of such communications channels.
Thursday, May 20, 2010
HR 4842 Committee Report
“The Commission shall give particular attention to threats that can disrupt or damage critical electric and electronic infrastructures, including—
“(A) cyber attacks or unintentional cyber disruption [emphasis added];
“(B) electromagnetic phenomena such as geomagnetically induced currents, intentional electromagnetic interference, and electromagnetic pulses caused by nuclear weapons; and
“(C) other physical attack, act of nature, or accident [emphasis added].”
I think that it is entirely appropriate that the Commission is specifically being tasked to look at cyber disruptions that have nothing to do with intentional acts. Cyber attacks will almost certainly remain much less common than the accidents, equipment failures and weather events that will be a common part of our world for a long time to come. Their ability to disrupt the operation of critical cyber systems will vary from the inconvenient to catastrophic. But, they will inevitably cause more problems than actual terrorist attacks.
The authorization for this Commission includes funding for two years. That is certainly reasonable for a comprehensive study like that envisioned in HR 4842. That is also the main shortcoming of these types of studies. They take too long to complete and then Congress will play with the results for a while before they have any chance of putting substantive legislation together. Then there will be a lengthy rule making process started in motion. Even if this bill were approved this summer it would be late 2012 before we could possibly see even obvious measures make their way through the political system. The controversial recommendations could take much longer to move through the political maze.
CIKR Learning Series Page Updated 05-20-10
Wednesday, May 19, 2010
Right-to-Know vs Security
ICS Incident Reporting
ICS-CERT Watch Floor: 1-877-776-7585
ICS related cyber activity: ics-cert@dhs.gov
General cyber activity: soc@us-cert.gov
Phone: 1-888-282-0870
On the ICS-CERT web page they provide a valuable piece of additional advice for on-line reporting (in my opinion it should be located on the reporting page as well, but no one is perfect). To protect sensitive business or systems information, ICS-CERT recommends that this type of information be encrypted and provides a public key to accomplish that encryption.
Old Information
The old version of the CSSP page had some additional information that would still be of value. Fortunately the links from that old page are still active so I will provide the links here. First is the reporting of Phishing attacks. While these are not uniquely an ICS issue, I found that the Phishing reporting procedure can be very helpful.
The second set of links provides a method of reporting vulnerability issues for industrial control systems. Reporting newly identified vulnerabilities is an important part of improving the overall security of control systems across the industry.
ICS-CERT Assistance
The CSSP page provides the information below about the assistance available from ICS-CERT. Unfortunately there is no specific information about how to request that assistance. I can only suggest that such requests should be included when contacting CERT with the information about the incident.
“The ICS-CERT encourages organizations to report vulnerabilities, suspicious activity, and cyber incidents that could have an impact on critical infrastructure control systems. The ICS-CERT will analyze the information and provide mitigation strategies as needed. In addition, the ICS-CERT is able to provide onsite assistance, free of charge, to organizations that require immediate investigation and resolve in responding to a cyber attack.”
When an ICS incident, whether a deliberate attack or a miscellaneous system upset, occurs, any additional assistance that can be had to help alleviate the situation means that the facility can get their critical systems up and working just that much faster.
Protection Against Explosions
Standard caveat; I am not an engineer; I am a chemist by schooling. I do have some experience with explosives from the Army, but I am not an explosives expert and I have never detonated anything as large as a VBIED (if someone wants to let me push the plunger on one in a controlled test, I will certainly be there). Finally, before you actually install some protective device make sure that you are dealing with an engineering firm that has some experience in the field.
Prevent Detonation
The most obvious protective technique is the prevention of the detonation of the explosive device. While most of the responsibility for this lies with the intelligence and law enforcement people, the facility does have some basic techniques that they can employ to aid in the effort. The most obvious is the employment of an active counter-surveillance program. Any effective terrorist attack is going to be preceded by a variety of surveillance efforts.
The earlier efforts may be harder to detect, but as attack planning advances the terrorists will have to acquire more detailed information about facility security procedures. Facility employees and security personnel should always be on the watch for suspicious personnel hanging around the facility. The facility counter-surveillance plan should include an educational component to make personnel aware of the potential threat and their responsibility to be aware of what goes on around the facility. There needs to be a clear reporting procedure and the reports need to be promptly forwarded to local law enforcement for follow-up investigation.
Standoff
The closer you can get an explosion to your target the more effect it will have. Conversely, the further you can keep the explosion away from critical areas of the facility the less effect it will have. For a standard, non-focused explosion the force of the explosion should fall off as the square of the distance from the explosion. This means that even a small increase in the distance from the explosion can have a significant effect in force reduction.
Of course, the size of the explosion has an effect on the distance as well. I mean if you have a dry-box trailer packed with 40,000 lbs of commercial grade explosives the standoff distance will have to be much larger than if you have 500 lbs of homemade explosives in a panel van. So, to determine how far you have to keep the VBIED away from the potential target, you have to know how large a VBIED the terrorists will use against that target.
Obviously the terrorists are not going to tell you how large a VBIED they are going to use. So you have to guess; hopefully an educated guess, but a guess nonetheless. The guess should be based upon the potential risk; I would expect that a bigger VBIED would probably be used against a Tier 1 facility than against a Tier 4 facility.
Don’t expect me to tell you what size to use; I just don’t have enough information to make even a lucky guess. Hopefully your security consultant will be able to provide a rationale for whatever size you pick. Once you have established your planning VBIED size you should be able to calculate (well, the experts should be able to calculate; I haven’t seen the formulas) how far you have to keep the VBIED away from the target to have a reasonable chance of surviving without catastrophic damage.
If you want to keep your consultant on his toes, ask about max pressure and impulse effects. But, remember, you are going to need an expert. Anyone that tells you that there is a reasonable distance at which no damage will occur is either exaggerating or doesn’t understand explosions (a mile away from a 500 lb VBIED I would feel comfortable predicting little or no damage). With a VBIED attack, if you can avoid catastrophic damage (i.e., a quick, total drainage of a release-toxic COI from a large tank) you have achieved a reasonably successful defense. Your release mitigation techniques should be able to handle the results of non-catastrophic damage.
Blast protection
The last type of protection is the one that probably requires the most expertise, physical blast protection. This can either be some sort of hardening of the target so that the blast will not affect it, or putting some sort of barrier between the potential blast and the target. Both require some special engineering skills and experience to properly design.
Once again, the size of the VBIED is a key design variable. If you dramatically underestimate the size of the device your blast barrier will become flying fragments that will contribute to the destruction of your target. One design element that needs to be considered is ‘line-of-sight’. Over longer ranges, flying stuff from an explosion follows what is called a ‘ballistic arc’; the pieces fly up and out then fall to earth along an arc. The closer the initial trajectory is to 45° the further the projectile will fly.
At distances where blast effects predominate, however, the blast and projectiles are flying in essentially straight lines. Thus, any barrier must block the line of sight from the blast to the target. But, don’t forget to harden the top of the target to protect against falling debris.
Combination Plate
The most effective VBIED protection scheme will utilize all three protective elements. Preventing detonation is, in my book, the most important element of the program. The lack of an explosion is the best protection. Remember that the larger the VBIED, the more likely that there will be extensive pre-operational surveillance.
Putting together a large VBIED takes a lot of resources, so the terrorists will do whatever is necessary to optimize their chance of a successful deployment; this means more surveillance. The last two, standoff and blast protection, both require the services of someone who understands blast effects and blast protection engineering for optimal results. If you cut corners here you had better hope that your prevention program is very effective. A poorly designed protective program may actually increase the risk of a successful VBIED attack.
Special NOTE: Since this is a rather specialized field of study and application, I would certainly like to hear from practitioners in the field. Discussion of the blast effect protection techniques would be particularly instructive.
Tuesday, May 18, 2010
Multiple Explosions
Monday, May 17, 2010
CSB ANPRM Comments Posted
Sunday, May 16, 2010
CFATS Background Check ICR Comments – 05-14-10
Saturday, May 15, 2010
CSB IST Study Comments 05-14-10
Friday, May 14, 2010
Water System Security Issues
ICSJWG Teleconferences
Today the DHS-CERT Control System Security Program Calendar web page shows a series of teleconferences to be held by various elements of the Industrial Control System Joint Working Group (ICSJWG) over the next two weeks. No real details are available, though I expect that the individuals involved probably understand what is going on. I suspect that it has something to do with the recently announced dates for the 2010 ICSJWG Fall Conference, October 25-28, 2010. The following teleconferences have been announced:
ICSJWG Government Coordinating Council Teleconference – 5-20-10
ICSJWG Research and Development Subgroup Teleconference – 5-20-10
ICSJWG Vendor Subgroup Teleconference – 5-24-10
ICSJWG Workforce Development Subgroup Teleconference – 5-25-10
ICSJWG Industrial Control System Roadmap Subgroup Teleconference – 5-27-10
The web site provides an email POC, ICSJWG@dhs.gov, for further information about these teleconferences.
Hazardous Materials Seminar
Hazmat Intelligence Portal
Beyond the Routing Regulation
Rail Car Security Inspections (IEDs and More)
TIH Risk Assessment
National Hazmat Fusion Center
You can still register for this seminar on line.