Wednesday, June 30, 2010

S 3538 Introduced

Last week Sen. Bond (R, MO) introduced S 3538, the National Cyber Infrastructure Protection Act of 2010, with the GPO posting a copy of the introduced bill today. This is another cyber security bill targeted mainly at protecting Federal government ‘information networks’. There is no mention of ‘industrial control systems’ or ‘SCADA’ in the proposed legislation. There are, however, some provisions that might be of interest to the chemical security community.

The bill would establish within the Department of Defense a National Cyber Center. While the center would receive administrative and logistical support from DOD, the Director would report directly to the President and would not be part of the Executive Office of the President. This would make the Center very nearly a Cabinet level agency.

It is when we delve down into the duties of the Director that we start to see some wording that could provide justification for the Center to have some effect on industrial cyber security activities for areas other than just ‘information networks’. The constant use of the modifying term ‘information networks’ throughout the rest of the bill makes these paragraphs stand out because of the lack of that terminology.

Imminent Cyber Attack

For example, §103(d)(7) requires the Director to “provide recommendations, on an ongoing basis, to Federal agencies, private sector entities, and public and private sector entities operating critical infrastructure for procedures to be implemented in the event of an imminent cyber attack that will protect critical infrastructure by mitigating network vulnerabilities”. This doesn’t appear to give the Director authority to develop or enforce cyber security regulations for companies operating critical infrastructure facilities. However, the fact that the Director would have budgetary authority over the cyber security activities of the executive branch agencies would give special weight to the Director’s recommendations.

Cyber Security Intelligence

Section 103(d)(11) would require the Director to “develop plans and policies for the sharing of cyber threat-related information among appropriate Federal agencies, and to the extent consistent with the protection of national security sources and methods, with State, tribal, and local government departments, agencies, and entities, and public and private sector entities that operate critical infrastructure”. The bill does not provide the Director with any specific intelligence collection or analysis capability. It does, however, specifically give the Director “access to all intelligence relating to cyber security collected by any Federal agency” {§104(b)}. To make the information sharing requirement really effective would require funding and staffing for a cyber security intelligence analysis unit within the Center.

Vague Provisions

Since these provisions do not provide explicit authorization for ‘SCADA’ or ‘ICS’ related regulatory actions, we will have to watch any hearings and reports to see if there is more concrete language that would provide clearer indications of ‘Congressional intent’ to support industrial cyber security activities by the Center or the Director. So, I’ll add this to the list of bills that I will watch for as we rapidly head for the election season this fall.

Tuesday, June 29, 2010

Canadian Ammonium Nitrate Security

This year we have watched two Canadian news stories about the loss of traceability of significant amounts of ammonium nitrate fertilizer prior to separate high-profile activities that could be considered potential terrorist targets, the Winter Olympics and the G8/G20 Summit. Now there is a report on HomelandSecurityNewswire.com that a Canadian agricultural retailer’s group is urging the government to establish “a comprehensive, national plan to make [agricultural] inputs secure”. The plan being proposed by the Canadian Association of Agri-Retailers (CAAR) would “include perimeter fencing, surveillance and alarm devices, lighting, locks, software, and staff training in various security techniques, at retail outlets. Estimated cost: $100 million”. While it might seem unusual for a retail group to urge that such high-cost measures should be required by the government, a careful reading of a recent CAAR press release reveals the reason: they expect the Canadian government to pick up a substantial portion of that $100 million tab. The CAAR agenda is much clearer when you read their publication, Integrated Site Security Protocol. Subtitled “The Case for Government Cost-Sharing”, the document calls for the Canadian government to subsidize the security measures. Specifically the document states that (pg 3):
“CAAR proposes a 50% enhanced tax credit with accelerated capital depreciation for eligible security expenses similar to legislation passed under the U.S. Farm Bill for American agri-business facilities.”
BTW: The US farm lobby was only able to get a 30% tax credit included in the 2008 Farm Bill (Section 12405). If CAAR gets their 50% credit will their US counterparts then request a 70% credit so they can continue to compete with their northern neighbors? CAAR, it seems, has seen the writing on the wall and realizes that its constituent retailers are going to be required to take substantial efforts to secure such agricultural ‘inputs’ as ammonium nitrate and anhydrous ammonia fertilizers as well as a variety of pesticides and fumigants. Rather than try to legislatively fight those requirements, they are pushing for financial support in executing those requirements.

Lautenberg Named Interim Chairman of Homeland Security Subcommittee

According to a Committee news release, Senate Appropriations Committee Chairman Inouye (D, HI) appointed Sen. Lautenberg (D, NJ) as the interim chairman of the Subcommittee on Homeland Security to replace the late Sen. Byrd (D, WV). It is likely that this interim appointment will be confirmed by the Senate Democratic Caucus. The position of Chairman will give Sen. Lautenberg a large measure of discretionary authority over the content of the Department of Homeland Security budget bill that is currently being written in that sub-committee. With Lautenberg’s interest in chemical facility security measures, it would not be unexpected to find more attention being paid, for example, to the expected extension of the CFATS authorization in that budget bill.

Chemical Sector Security Summit Page Update 06-28-10

Yesterday DHS updated their 2010 Chemical Sector Security Summit web page. The Summit is next Monday and Tuesday so I keep looking for last minute changes in the program. The change made yesterday is one of those changes that probably made sense to the people managing the page, but appears to be meaningless to everyone else. They re-did the ‘Contact’ section at the bottom of the page. The contact email address remains the same, but they removed the suggested reason for contacting anyone at that address. They had asked “Questions about the Summit?” and included the email address in the canned answer. Now the email address just stands alone beneath the ‘Contact’ header. They also removed the old link to the Chemical Sector-Specific Agency from the bottom of the page. That old listing was a little duplicative since the same link is provided at the top of the page. Oh well, we are still informed that more “conference details will be available soon”; so I’ll keep watching the page.

HR 5890 Introduced

Last Thursday HR 5890 was introduced in the House and the printed version of the bill became available yesterday. This bill would authorize the appropriations for the Department of Homeland Security for FY 2011. Both Chairman Lieberman (Senate Homeland Security and Governmental Affairs) and Chairman Thompson (House Homeland Security Committee) vowed to pass such a bill this year. The odd thing about this bill, however, is that it was introduced by Rep. King (R, NY), the Ranking Member of the House Homeland Security Committee, and cosponsored by the Republican members of that Committee. That, combined with the fact that the bill was referred to six committees, including Armed Services of all things, means that this bill will likely never get considered by the House, particularly in an election year.

Chemical Security Provisions

This 414 page bill is a comprehensive authorization bill, with the potential to have widespread effects of interest to the chemical security community. Some of the titles that could apply to chemical security issues include:
TITLE II—Authorization Of Appropriations
TITLE III—Congressional Oversight
TITLE VI—Transportation Security
TITLE VII—Maritime Security
TITLE VIII—Infrastructure Protection And Cybersecurity
TITLE XII—Miscellaneous Provisions
The following sections should be of particular interest to our community:
Sec. 685. Pipeline security study.
Sec. 692. Surface transportation security.
Sec. 694. Limitation on issuance of HAZMAT licenses.
Sec. 709. Waterside security of certain dangerous cargo.
Sec. 724. Risk-based cargo security program.
Sec. 811. Extension of chemical facilities antiterrorism security program.
Sec. 904. Metropolitan Medical Response System program.
Sec. 1203. Civil liability for disclosure of protected security information.
The §811 provisions would extend the current §550 authorization for the CFATS program until October 4th, 2015. It would also add a voluntary chemical security training program and a voluntary chemical security exercise program. Readers of this blog will recognize that these are the same provisions found in S 2996 and its companion bill HR 5186.

Congressional Oversight

Even though the CFATS reauthorization provision would be primarily targeted at our community, I think that the most important provision of this bill would be found in §301(c) that deals with Congressional oversight of homeland security matters. That paragraph reads:
“The Speaker shall consider the recommendations of the National Commission on Terrorist Attacks Upon the United States for consolidating oversight and review of homeland security, and to the maximum extent feasible, minimize the impact that the referral to multiple committees of matters under paragraph (a) related to homeland security and the Department of Homeland Security will have on the ability of the House of Representatives to provide clear and consistent guidance to the Department and act on such measures in a timely and effective manner consistent with those recommendations.”
If actually passed (unlikely with so many different committees having to sign off on this bill) this would greatly reduce the number of committees that would have their hand in the homeland security pie. This could greatly streamline the law making process for homeland security matters. I know that the leadership of DHS would greatly appreciate the decrease in the number of times that they have to explain the same thing to different committees. Committee chairs are more likely to vote to completely stop their own pay than reduce the areas over which they exert power. This is not a partisan slap as the Republicans did nothing to address this problem when they controlled both houses of Congress and the White House. This is strictly a matter of the exercise of personal political power. That means that this provision would probably be doomed even if this bill had a chance

Monday, June 28, 2010

Article Link

Last week I mentioned an article from CQ about recent CFATS enforcement activities being conducted by DHS. A reader had provided me with a copy of the article, but no link. Today Jonathon Greenwood from Don Greenwood & Associates provided me with a link to the article on LexisNexis.com. I always prefer to provide links to the articles that I comment about so that my readers can read the whole thing, rather than just my comments. Thanks Jon for helping out.

S 2996 Mark-Up?

An article over on EPOnLine.com again mentions the possibility of Sen. Collins’ (R, ME) CFATS reauthorization bill (S 2996) being marked up in the Senate Homeland Security and Governmental Affairs Committee. I mentioned an earlier claim for a mark-up being scheduled for this bill and I have also discussed what I thought would be necessary to get such a mark-up successfully completed in that Committee. It is almost too late now to get this bill (or any CFATS reauthorization bill) to the floor of the Senate before the summer recess in August, especially since we have the 4th of July ‘weekend’ (a week long weekend) coming up at the end of this week. While the Collins’ bill might get out of Committee I don’t believe that it would be considered (favorably or otherwise) on the floor of the Senate. The current level of mistrust for big chemical companies is just too high because of the BP leak in the Gulf. The rest of the article is a very interesting and readable account of the Chemical Sector Security Summit being co-sponsored by SOCMA and DHS next week. If you don’t already have confirmed reservations it’s too late. But, you can read tweeted updates by following SOCMA on Twitter®.

Updating Appendix A

I have been hearing from a number of different sources that the folks at ISCD are working with a couple of different industry groups on modifications to the list of DHS chemicals of interest found in Appendix A. This November it will be three years since the publication of that list so it is certainly time for adjustments to be made. No word on any specifics of those discussions, but I have some ideas about what may be under discussion and, of course, some ideas of what changes I would like to see made.

Gasoline

One thing that is certainly under discussion will be the issue of the coverage of gasoline storage terminals. Back in January DHS issued a request for comments on their attempts to regulate security at gasoline storage terminals. This was basically issued in response to a petition submitted by the International Liquid Terminals Association (ILTA) that “raised both technical and procedural issues related to the applicability of Appendix A and the Top-Screen requirement to” gasoline terminals (75 FR 2446). One of the major issues raised by industry was the fact that the DHS interpretation of the rules as applying to such terminals had never been expressly discussed in any rule making process, thus violating a number of rules for establishing regulations. So any rule updating Appendix A will certainly include addressing the gasoline issue.

As I have mentioned on a number of occasions, I firmly believe that gasoline terminals should be regulated under CFATS. While gasoline vapor cloud explosions are not easy to effect, I think that the danger of a potential VCE is being downplayed by industry. An accidental VCE is a low frequency hazard because of the various factors that must come together for the VCE to occur. In a properly planned and executed terrorist attack every effort will be made to optimize conditions to provide the necessary prerequisites for a VCE.

I also think that even if a terrorist attack fails to put those various conditions together to actually form a VCE and only causes a major terminal fire, that would be counted as a successful terrorist attack. Because of the special place that gasoline has in our economy, the destruction of a major gasoline terminal with the accompanying probable damage to a fuel pipeline would have serious economic effects. This is especially true in a weakened economy.

Finally, serious consideration needs to be given to declaring gasoline a theft/diversion chemical of interest. A tanker load of gasoline is an easily transportable and deployable potential flame weapon. Either a fire in the tanker on a crowded freeway during rush hours in a major urban area or pouring gasoline from a four inch hose into a large building like a major shopping mall could cause a huge number of casualties at very soft targets. While the same could be said for any flammable liquid, gasoline has a special place because of the huge number of tankers on the road every day and the political connections to the Middle East. Al Qaeda has remarked on this political status and has vowed on a number of occasions to target gasoline manufacture and distribution.

Removing COI or Increasing STQ

I would hope that DHS would take a look at the data that they have accumulated on a huge number of Top Screens submitted over the last two and a half years. I would be very surprised if such a review did not find that there were some chemicals on the list of COI that did not result in facilities being declared high-risk facilities. This could be caused by either relatively low inventory levels or isolation from civilian populations or other potential targets. If a chemical currently on the list is not associated with any high-risk facilities, it would seem that we could remove that chemical from the list. Without increasing the risk of potential terrorist attack, we could reduce the administrative burden on facilities submitting needless Top Screens.

The same could be said for the setting of Screening Threshold Quantities (STQ). If all high-risk facilities for a particular COI have substantially more inventory than the current STQ, then DHS would be justified in increasing STQ for that COI; again reducing a needless administrative burden.

On the other hand, if every facility (or even most of them) with just barely an STQ amount has been declared a high-risk facility, then DHS might want to consider lowering the STQ. If the risk for just an STQ is high enough to be of concern, then we are almost certainly not identifying all of the at-risk facilities.

Methyl Bromide

I have pointed out on a number of occasions that DHS relied on misleading information from the EPA when it specifically excluded methyl bromide from the list of release toxic COI. EPA assured DHS that methyl bromide was being phased out of use as a soil fumigant, but subsequent EPA actions reveal that the chemical will be around for some time. This, combined with the political reasons that methyl bromide is supposed to be phased out, could make this a specific target chemical for any number of different eco-terrorist groups. DHS needs to consider adding this to the list of COI.

Feedback

As I understand things, during this development process, DHS is working with a variety of industry groups on the revision of Appendix A. While some people get upset about this type of ‘special privilege’ being given to industry, I think that it is entirely proper that the people that will be most directly affected by these regulations have some input in their development. Let’s face it, the real probability of any given facility being attacked is quite small, but all of the high-risk facilities are being required to spend big money to prevent the low-probability occurrence.

On the other hand, groups other than industry also have a stake in these regulations. The environmentalists will probably get more say in the development of the revision to Appendix A than they did in the development of the original list, just given the political party in power. Unfortunately, that still leaves many groups underrepresented, including local emergency response planning groups and even first responders.

I would like to open up this discussion here on this blog. I know that there are a number of DHS folks that read this blog, including someone in the Secretary’s office. Let’s see if we can get a good discussion about what types of changes should be made to the Appendix A list of COI, including changes in specific STQ amounts. For this discussion I would appreciate it if we left the ‘Anonymous’ identification alone. If you don’t want to give your name (and I know a number of good reasons why that would happen) at least give a description of your background or affiliation (i.e., “chemplant worker”, “local organizer”, “EMT”, or “security guard”). Remember, for most of us this will probably be our only chance for input until the NPRM for the change is published.

Saturday, June 26, 2010

On-Site Chlorine Generation

The safety objections to the large scale production and transportation of chlorine gas are one of the things that drive most of the supporters of mandating inherently safer technology process changes as part of chemical security regulations. While other toxic inhalation hazard (TIH) chemicals are also targeted, it is safe to say that chlorine is the major target, mainly because of the huge volumes in commerce. While there are economical alternatives to chlorine for many users, there are a number of places where chlorine gas just cannot be economically replaced with safer chemicals. A recent article at ICIS.com highlights another potential alternative for many of these facilities, on-site chlorine generation. This article is not a theoretical discussion of potential techniques. Instead it looks at a variety of commercially available technologies and the companies that produce them. There is nothing really new in the article, but it is valuable in that it provides contact links for further information on the individual commercial processes that provide chlorine generation (both as chlorine gas and as sodium hypochlorite) on-site. These links make it easier for chlorine users to start the process of looking for potential alternatives to receiving rail cars of liquefied chlorine gas. These commercial systems will not completely eliminate the shipping of chlorine; the economics of the systems just won’t make sense in every application. A number of facilities will have quality standards that probably would not be met by these systems. But, for a large number of potential chlorine users, these options will certainly be worth considering.

Community Preparedness Update

Well, I blew it earlier this week when I explained a recent change to the web page of the Private Sector Office. You might remember that I explained that the recent change to that page was the addition of “a link to sign up for notifications” when that page changed. Well that was certainly true for the change to the Private Sector Resources Catalog web page, but the new link on the Private Sector Office page was something else entirely. That link was to sign up for “Community Preparedness Updates”. I received my first weekly update by email on Thursday. This brief email newsletter looked at a variety of activities undertaken by DHS and the Administration that could affect private sector preparedness. The topics covered in this first newsletter were:
• Energy Efficiency
• Intellectual Property (IPR) Enforcement
• National Values, National Security
• PS-Prep
• Administration Continues to Coordinate Closely with State and Local Partners on BP Oil Spill Response
Each topic receives a brief discussion in the newsletter with embedded links to more information. For example the ‘PS-Prep’ section explains that the Department of Homeland Security announced the standards that would be used for the new voluntary accreditation and certification program for private sector organization preparedness planning. It provided links to the standards, the FEMA preparedness web site, as well as a preparedness web page targeted at families. I have been critical of the Open Government efforts of the Department (they still are not actively pushing their public participation web site), but this is a very well intentioned effort in bringing information about what the government is doing directly to the public. Unfortunately, if they don’t do more to publicize their efforts, this will become just another show piece that accomplishes nothing. The Department has to learn that you can’t just build it and expect the public to come; that only happens in corn fields. I certainly think that this email notification is worthwhile and I am glad that I signed up for it, even if I didn’t know what I was getting at the time. I think that most of the readers of this blog would also find this a valuable information resource.

Friday, June 25, 2010

S 3480 Passes in Committee

The cyber security bill, S 3480, that I mentioned earlier this week, was ordered reported favorably out of the Senate Homeland Security and Governmental Affairs Committee on Thursday. As I expected it was amended with substitute wording on a voice vote, and the details are not available. There were no indications that there was the addition of any significant ICS security measures. As I mentioned in my earlier blog we will just have to wait for the bill to actually be reported and that could take a while; we are still waiting for the report on the Lieberman-Collins WMD bill (S 1649) that was ordered reported back in November.

At the same hearing the Committee also ordered reported favorably the nomination of John S. Pistole to be an Assistant Secretary, U.S. Department of Homeland Security (TSA). That report (a much less formal document) was acted upon by the Senate today when they confirmed Pistole to be the head of TSA.

DHS Budget Bill Passes First Hurdle

The Homeland Security Subcommittee of the House Appropriations Committee marked-up and passed to the full committee the FY 2011 DHS Budget Bill. The meeting was moved up one day from what I had reported earlier this week. That bill has yet to be introduced so there is no bill number or printed version of the bill available yet. All we really know to date comes from the Subcommittee web site. Chairman Price provides an overview of the proposed bill, noting that it is a bipartisan bill with much input from Republican members. He talks about a number of dollar adjustments to many high-profile programs but does not mention chemical security issues. A chart providing a comparison of high-level dollar amounts between the passed bill and this year’s spending and the Obama budget request shows where the $43.9 billion is going. Infrastructure Protection would receive $330,342,000, a decrease of almost $17 million over FY 2010 but only $3.4 million less than what the Administration requested. No telling where the cutbacks come from at this point. The Subcommittee report also provides a table of earmarks that are included in the legislation at this point. The number can probably be expected to grow. An article on GovExec.com notes that this is the first FY 2011 budget bill to make it out of a subcommittee in either house. Maybe this bill can make it through the entire process before the legislative branch completely shuts down for electioneering.

Active Shooter Plan

In a posting earlier this week I mentioned that DHS Chemical Sector Office had a number of new security planning documents available on its Training and Resources web page. Among the documents that I said could be requested from the Chemical Sector Office was the Best Practices Guide for an Active Shooter Incident.

Having received my copy, I would like to look at that guidance. This booklet looks at some things that facilities should consider in developing their emergency response plan for an active shooter. This is not a counter-terrorism plan; it deals with the more likely incident where an individual, usually someone associated with the facility, enters the facility and starts shooting at employees. It defines an active shooter this way:
“An active shooter is an individual actively engaged in killing or attempting to kill persons in a confined and populated area. In most cases, active shooters use firearms with no apparent pattern or method to select their victims.”
We have seen these types of incidents take place at all sorts of facilities; it is only a matter of time before one happens at a chemical facility. This guidance document was developed based upon a number of table top exercises that DHS held with a variety of chemical facilities across the nation. The guidance in the document is written with a broad brush reflecting the reality that each facility is going to have their unique situation that will have to be dealt with in their emergency response plan. 

The booklet does briefly address arguably the most important part of an active shooter plan: how to recognize the warning signs of an employee on the edge of breaking and becoming an active shooter. The ‘red flags’ that it identifies may be predictors of potential for violent behavior, but I don’t think that it adequately addresses the fact that the vast majority of people exhibiting these factors never take up a gun to threaten, much less shoot, their co-workers. Overreacting to these indicators could do serious damage to the morale and cohesiveness of the facility work force.

Pre-Planning 

One of the strong points in this document is the section dealing with pre-planning guidance. The pre-planning section provides a list of things that the facility management needs to do during the development of their plan. The actions listed are not targeted specifically at chemical facilities; they could be used by just about any civilian facility in developing an active shooter plan. For example, the document advises:
“Invite all emergency services responders to tour your site and provide details about the facility that will help responders to adjust their protocols if necessary.”
This is certainly good advice for any facility, but it fails to address many of the special situations involved at chemical facilities. I would have liked to see this statement followed by a list of some of those chemical specific situations, including:
HAZMAT storage locations;
Locations where flammable atmospheres might be expected;
Listing of hazardous chemicals on site, to include MSDS; and
Chemical release evacuation procedures.
If the active shooter remains in the office areas of the facility there would be no problems for the responders. As soon as the shooter moves to production or storage areas, the law enforcement personnel are going to have to take many more factors into account in their shoot/no shoot decision making process. Without significant prior training, they are going to make poor and potentially catastrophic decisions.

Incident Response 

The section on the planning for the actual response to an active shooter incident switches to a slightly different format. It poses a number of questions that management needs to take into consideration in planning what should take place during an incident. Once again, most of these questions would apply to any facility. Three very good questions, however, target chemical specific situations. These are:
“Are there any safety concerns as emergency responders enter process areas?”
“What are the personnel procedures for safely securing operations that include hazardous materials?” 
“At what point do site emergency procedures dictate process shutdown?”
This section also provides a brief listing of the ways that a relatively ‘simple’ active shooter scenario can get really complicated. In addition to the typical problems potentially found in any facility (hostages, explosive devices, etc) this section identifies a “chemical release” as a potentially complicating situation. Someone is going to have to start thinking about how an active shooter could complicate the chemical release emergency response plan.

Incident Recovery 

This guide continues the question format into the section on what needs to be done after the active shooter is killed/detained. I am really happy to see that this important part of the situation is addressed. Most planning operations fail to take into account what happens after the active portion of the operation is completed. There is a nice balance in the questions posed in this section. Safety, security, and business continuity are all at least briefly addressed. Two questions have special significance for chemical facilities:
“Who will make re-entry decisions?” 
“Who will provide safety and security debriefings?”
Again, I would have liked to see more chemical facility specific details provided for both of these questions. Re-entry decisions will require taking into account legal (crime scene), psychological (clean up of blood etc), and chemical safety issues. A number of people will provide input on the decision, but who will have the responsibility and training to make the decision needs to be identified in advance. And don’t forget to take into account that the selected individual may be in the hospital or the morgue; identify multiple backups.

The safety debriefing is particularly important at a chemical facility. Every attempt must be made to identify all shots fired in, around or at process areas of the facility. Then every bullet must be traced to see what equipment may have been damaged before start up begins. Actual shutdown activities need to be reviewed to see what was done and what wasn’t; inadequate shut down procedures could have catastrophic consequences if not identified and addressed in a timely manner.

Employee Response 

There is a section of this guide that specifically addresses individual employee responses in an active shooter incident. It addresses issues that need to be considered prior to an active shooter incident occurring, actions to take initially during an incident and, very importantly, how to respond to law enforcement personnel entering the facility during an incident. The guidance is good for general facility type response but, once again, does not adequately address the complicating factors that are found in chemical facilities.

Tabletop Exercises 

The final section of the guidance document very briefly addresses the importance of conducting tabletop exercises of the facility’s emergency response plan for active shooters. The opening paragraph of this short section is one of the best descriptions of the importance of exercises in general.
“Proactive chemical facility managers and emergency responders use facilitated tabletop exercises to simulate security incidents or natural disasters and engage in interactive discussions on how to prepare for, respond to, and recover from such events. Interactive tabletop exercises allow participants to test critical thinking skills, learn how the public and private sectors will react to a security breach, and identify areas for improvement.”
DHS, through the Chemical Sector office, has worked with state chemical industry councils to “develop the voluntary Security Seminar and Exercise Series”. These facilitated exercises can help facilities and local responders work out the bugs in their emergency response plans before they actually have to be implemented. The DHS Chemical Sector-Specific Agency can be contacted for further information about these exercises.

Recommendation 

When I requested this booklet from DHS I was hoping to see a guide on how to prepare for an active shooter terrorist attack where a team of terrorists attacks a facility with small arms and limited size explosive devices. While I was slightly disappointed that it didn’t address that scenario, this document is probably more valuable since the type of disgruntled ex-employee active shooter incident described in the guidance is a much higher probability event.

High-risk chemical facilities will have many counter-terrorist security measures that reduce the chance of an active shooter incident, but the chance of a gun-toting employee getting past those security measures can be way too high to prevent these types of attacks. An emergency response plan for these situations needs to be developed for all chemical facilities regardless of their risk for a terrorist attack.

While I have some concerns that there is not enough information in this guide specifically tailored to chemical facilities, I think that this guide is well worth the time and energy needed to read and consider the implications for your facility. The price (did I mention that it is free?) obviously can’t be beat. And there is an awful lot of valuable information in the 16-page booklet. I fully recommend that every chemical facility manager should have a marked-up, well-read copy of this booklet on his desk. Contact the DHS Chemical Sector-Specific Agency today to get your copy.

Thursday, June 24, 2010

Greenpeace Inspections Continue

Greenpeace is continuing their latest chemical security campaign, in which they ‘inspect’ the security at selected high-profile, high-risk chemical facilities. While they used their Greenpeace blimp on their DuPont inspections last month, the Greenpeace blog reports that their inspection of the Kuehne Chemical plant in South Kearny, NJ was done on the ground. This facility was selected for its production and shipping of chlorine gas and its close proximity to New York City.

Both the Greenpeace blog and local news reports play up the apparent ‘under-reporting’ of the amount of chlorine that could be released in a ‘worst-case scenario’. This plays on the continuing controversy in the ever-changing estimates by BP of the worst-case flow rate from their damaged well in the Gulf of Mexico. This is a point that Greenpeace is adding to their justification for asking the government to require the use of IST processes where possible; chemical companies cannot be trusted to know or acknowledge the risk they are forcing on local communities.

They point out that Kuehne Chemical reported that their worst-case release for this plant was a single 90-ton railcar when they could have up to 11 such cars on their site at one time. Of course the fact that EPA defines a worst-case as only being from a single vessel/container is completely ignored in the articles. An accidental release is what EPA is concerned about, not the potentially larger catastrophic release caused by deliberate attacks.

Security Concern 

According to the one article, Greenpeace has reported their concerns about the “lax security” they found at the plant. The article quotes the Greenpeace letter as saying “Greenpeace was able to move freely around the perimeter of this plant in daylight without interruption or contact with any plant security or other security personnel”. A picture of one of the inspectors on the Greenpeace blog may provide an explanation for that hands-off security response. The picture shows one of the inspectors wearing a clearly marked Greenpeace t-shirt. I would not be surprised if the security manager opted to avoid a possible confrontation by not contacting the Greenpeace representatives as long as they remained outside of the company security perimeter. There is, in fact, one school of security thought that calls for always avoiding personal interaction with apparent surveillance teams as long as they remain outside of the security perimeter.

I would like to think, however, that there was a security report made and that local procedures were followed for investigating the obvious surveillance of the facility. This could easily have been done via security cameras or even by the use of binoculars or telephoto lenses on hand held cameras. Information obtained would be forwarded to local police intelligence organizations, including possibly the local Joint Terrorism Task Force.

I really don’t like mentioning this because I grew up politically in the paranoid 60’s and 70’s, but I wouldn’t be surprised if there weren’t a file on this ‘investigation’ at the JTTF office. Hopefully, it would be nothing more than some photos from the facility security folks and a note saying “Greenpeace”. This would allow the quick identification of these folks at another facility as ‘harmless’ political activists requiring no security response. I would suspect, however, that the folder would contain considerably more information than that.

MTSA Facility 

The local news article makes a point of mentioning that this is a Maritime Transportation Security Act (MTSA) covered facility which makes it exempt “from a temporary federal law regulating chemical facilities” (CFATS). The article goes on to say that Rick Hind, from Greenpeace, said that the MTSA rules were ‘less stringent’ than the CFATS rules.

I’m not sure that ‘less stringent’ is quite the correct term. The CFATS Risk Based Performance Standards cover more security concerns, but are unable to specify security measures. The Coast Guard rules for MTSA covered facilities are much more specific in what is required. Fortunately, ISCD and the Coast Guard are working together to try to define common security strategies that would fulfill the different legislative mandates for the two programs.

The two programs will never be completely the same because two different sets of Congressional Committees oversee the two programs. Until Congress resolves that issue these programs will continue to have different requirements.

New Legislation

The Greenpeace blog has slightly changed the Congressional outcome that they are supporting. Up until recently they have called for their supporters to get behind the HR 2868 bill that was passed in the House last November. Now they are calling for supporters to get behind “Senator Lautenberg’s bill” that has yet to be introduced.

The local news report notes that Sen. Lautenberg (D, NJ) “plans to introduce a Senate version of the bill within the next few weeks”. I have mentioned more than a couple of times that I don’t think that there is enough time to get HR 2868 through the system before the end of this session. Sen. Lautenberg’s much delayed legislation has even less chance of passage due to the continued delays in its introduction.

Continued Greenpeace Inspections 

The one thing that this latest Greenpeace chemical facility security inspection shows, though, is that Greenpeace has far from given up on getting a new CFATS authorization bill passed that includes a robust IST provision. Their continued use of this inspection technique at high-profile high-risk chemical facilities around the population centers along the East Coast is surely to be expected. It gives them good press play in the large urban centers and that will be noticed.

To be truly effective, however, they are going to have to take this technique on the road to areas where the local congressional delegation is not already favorably disposed to IST. I would not be surprised to see their Greenpeace Blimp show up on the Gulf Coast, harping on their message of equating BP’s apparent incompetence/malfeasance (take your pick) with inadequate chemical security. If they can make that stick on the Gulf Coast, they may have a chance in Congress.

Wednesday, June 23, 2010

Reader Comment 06-23-10 Enforcement

Anonymous left a comment about my post earlier today concerning the enforcement action that DHS is taking against eighteen facilities that essentially refused to submit their site security plan. Anonymous provides some appropriately vague additional information that sounds like it is coming from an insider, writing:
“All 18 sites refused to turn in their SSP back in 2009. All of these sites had SSP deadlines prior to February. All were also issued warning letter after warning letter regarding the issue.”
Finally, Anonymous asks “what else CAN DHS do?” The legalistic answer, of course, is to assess $25,000 per day fines and ultimately shut down the facilities. I’m sure that was not the intent of the question that Anonymous asked. Again, I sense the frustration of a DHS employee that I’m sure reflects the frustration of the leadership of the Infrastructure Security Compliance Division.

DHS has worked hard to make the CFATS regulations work. They developed the initial framework in record time and worked hard to keep the regulated facilities in the loop during the development of the process. With each new process added to the program, they field tested their newly developed tools at some of the highest risk facilities in the country. Even after being tested and revised, the DHS people have been quick to correct and revise their tools to reflect the real world problems that can only be found during the enforcement process.

This is not to say that industry has always been happy with the rules that came out of the CFATS process. From the beginning a number of groups attempted to bring political pressure to bear on DHS to go easy on them. Where there were legitimate reasons to ease the rules (most farmers are hardly terror targets so DHS gave them a temporary bye while they worked on the higher risk facilities first) DHS backed off. Where the reasons were less clear cut, DHS went to a formal comment process to get a clearer understanding of the issues.

DHS has worked hard to keep the community informed about the process. They have gone to just about every possible venue where they could talk about CFATS to people that would actually be implementing the rules. They have gone to talk to industry groups and participated in webinars. They established a truly extensive frequently asked questions page and regularly updated the information on that page. They offered to conduct courtesy visits and routinely negotiated differences between what they wanted and what facilities were able or willing to give.

Finally, DHS has taken a great deal of heat about the slow pace of their inspections and approvals. They stoically stood and took the abuse for that, knowing full well that the reason that the process was taking longer than many people expected was that DHS was proactively living within the constraints set by Congress and taking pains not to try to specify procedures and equipment. Instead of taking the regulatorily easy route to enforcement, they have been negotiating appropriate security measures for facilities.

So, with DHS taking great efforts to work with industry to come up with the appropriate ways of protecting facilities against terrorist attacks, they still run into 18 facilities that essentially thumb their nose at ISCD, the Federal Government and of course their neighbors. I understand the frustration, but take heart; those 18 facilities are less than 1/3 of 1% of the universe of high-risk facilities. If that is the limit of the recalcitrant facilities they have to deal with, DHS can mark itself lucky.

This is why sanctions were included in the CFATS regulations. DHS just needs to continue to slog on and apply those sanctions as they have done all of their work to date, professionally, dispassionately and effectively. If these facilities cannot come into the fold, fine them and shut them down. Don’t waste a great deal of time or effort; there are many more facilities that need and want the assistance that DHS can provide.

CFATS Enforcement Actions

A long-time reader of this blog sent me a copy of an article from CQ Homeland Security, DHS Begins Chemical Security Enforcement, that is important to all members of the chemical security community. Unfortunately I don’t have a subscription and the reader did not provide a link to the article. It was dated yesterday so subscribers should be able to find the article.

Anyway, the article states that DHS has initiated enforcement action against 18 high-risk chemical facilities for failing to file site security plans. The compliance orders are the first step in an enforcement process that could result in large fines and potentially closed facilities. Obviously these 18 facilities are not identified in the article.

The deadline that each of these facilities missed was the 120-day requirement to file their site security plans. According to the article the deadlines were before February 15th for each of these facilities. With those compliance dates these are likely Tier 1 or 2 facilities.

DHS has been working hard to work cooperatively with industry to move forward with the implementation of the CFATS requirements. This move should signal to industry that DHS has only so much patience and is willing to use the compliance sanctions available to it to require implementation.

HR 5548 Introduced

Last week HR 5548, the Protecting Cyberspace as a National Asset Act of 2010, was introduced in the House. If that title sounds familiar it is because this is a companion bill to S 3480 that I discussed earlier. The House version of this bill was introduced by Reps. Harman (D, CA) and King (R, NY), continuing the bipartisan tradition for this legislation started in the Senate. An article at SecProdOnline.com briefly discusses the provisions of this bill.

The introduction of this companion bill will slightly increase the chances of this cyber security legislation becoming law. It will allow for simultaneous committee action in both houses of Congress. That is important with a bill like this, since there are multiple committees in both houses that have jurisdiction over different provisions in the bill.

The House Homeland Security Committee is going to have to take some quick action on this bill if it is to get to a floor vote this year. We have a lengthy 4th of July ‘weekend’ coming up and then the summer recesses in August. Little will get done when Congress returns in September because of the pre-election posturing that is inevitable in any even numbered year. This year we can expect it to be worse than normal.

As I noted in my posting on S 3480, this bill, if passed, could have a significant effect on some high-risk chemical facilities. It doesn’t address industrial control systems security, but it may affect standard IT systems at selected ‘critical facilities’. That being the case, I’ll continue to track both of these pieces of legislation, reporting on significant events and changes in both bills.

Coordinate Public Warnings

There is a disturbing article over on WLKY.com about a chemical incident in the Rubbertown area in Louisville, Kentucky. An apparently minor railcar leak at the Dow facility there resulted in area chemical alerts being sounded. While this sounds like the kind of response that could result in saved lives, local activists claim that local residents were never notified of what actions to take to protect themselves from potential exposure.

Now this is one of those areas where there have been longstanding conflicts between a number of chemical facilities and local residents, so this could just be a continuation of the ongoing communication problems in the area. It does, however, highlight a key component of any emergency response plan for high-risk chemical facilities, notification of the local community.

In this case the chemical cloud did not apparently make it to the facility perimeter, always a good thing for their neighbors. Local alarms were initiated upon detection of the leak; this would allow for the most response time, providing neighbors with hopefully adequate time to take protective actions. Of course, those neighbors would have to know what actions to take for these automated alarms to be truly effective.

Just providing detection and alarms is not an adequate emergency response plan. To be effective, these measures have to be backed up by adequate training of those potentially affected by the detected leaks. Providing training to off-site personnel can be challenging, but it is typically much easier to accomplish than would be responding to lawsuits that would inevitably be the result of an inadequately prepared emergency response plan.

Having worked in chemical facilities, I clearly understand that the management focus in the event of any chemical release is to gain control of the release and return the facility to full functionality as quickly as possible. This is why the planning and practice of the communication response is a key part of the facility emergency response plan. These communications need to become such an automatic response that they do not consume management time and resources during actual events.

Finally, after any incident or exercise, every facility should conduct an after action review of what happened. Problems need to be identified in these effective non-events so that they can be prevented from recurring in events that are actually life-threatening. In this case, plant management needs to sit down with the complaining activists and figure out what needs to be done to solve this communications problem. While these two sides are probably never going to see eye-to-eye, they do need to be able to talk to one another.

Tuesday, June 22, 2010

DHS FY 2011 Budget

Well, it looks like we are now officially going to start the DHS Budget season. The Homeland Security Subcommittee of the House Appropriations Committee is now scheduled to hold a Subcommittee markup hearing for the FY 2011 DHS budget bill. The actual bill has yet to be published or even introduced. The hearing will be on Friday, 06-25-10 at 1:15 pm EDT. I think that we can safely assume that there will be a provision extending the CFATS authorization for at least another year. What else will get added remains to be seen; but we are at least getting the process started. Whether or not a DHS budget bill will actually get passed before the election in November remains to be seen. I expect that we will see continuing resolutions all over the place this year.

DHS Private Sector Office Page Update 06-22-10

DHS updated the web page for their Private Sector Office. Readers of this blog will probably recognize that this office is the one that is responsible for publishing (and maintaining) the Private Sector Resources Catalog that I wrote about last month. The web page for that catalog was also updated. There were not any real new changes in information on either site; DHS just added a link to sign up for notifications when those pages change. While there have been some holes in this notification system, if you are interested in keeping updated on this catalog, it seems to me to be worth the very minor effort to get signed up for this notification. If they miss notifying you (and it has happened to me a couple of times) you aren’t out anything. If they do email you the notification, then you’ll probably get it before you read about the change here in my blog. Of course, you could just wait for my notification. I add editorial comments and typically point out obscure bits of information of interest to the chemical security community.

Monday, June 21, 2010

Reader Comment 06-19-10 Chlorine Gas

Fred Millar replied to my complaints about his use of the term ‘midnight rules’ in a comment to that blog post. Just one of the typical problems with the use of political terms, they have meanings and they have connotations. In the current environment of political discourse we all have a tendency to hear the connotations that fit our pre-conceived picture of the political scene. I withdraw my complaint.

Catastrophic Leaks

Fred does close his comment with something certainly worth discussing. He wrote:
“Some homeland security experts talk about "The next BOOM?" that will compel attention to lack of effective regulation, whereas I tend to focus on the next screaming "WHOOSH!" of toxic gas, which the best US gas modelers assume will mostly all blast out of a 90-ton chlorine railcar, e.g., within 2 minutes. Leaving local emergency responders no effective response except to run with everybody else.”
Fred is absolutely correct, the catastrophic failure of a chlorine (or anhydrous ammonia, or hydrogen fluoride, or whatever TIH of your particular fear) railcar is just about the most horrible consequence that can be reasonably imagined as a consequence of a terrorist attack or even just a plain old accident. Forget the overblown fears of a rogue nuke or a jihadist bio-attack; those are just Hollywood scenarios.

Having said that, I don’t spend much time worrying about a catastrophic failure of a railcar. That takes too much skill, practice and patience to execute. You can’t just slap an explosive charge on one of the essentially armored tanks and get a catastrophic failure (and I have been assured by some people that would know that such testing has been done). I know the techniques that would have to be used, on a theoretical basis, and they are painstaking and require extensive practice and precise execution. In my opinion this puts them beyond the skill set of our recent attackers. So, I am concerned, but not worried.

Less than Catastrophic Leaks

No, what I am more afraid of happening is that an adequately trained and experienced attacker manages to put a relatively small hole in the side of one of these tankers. The huge toxic cloud that Fred fears from a catastrophic failure would not result and quite frankly no one would know to run from the much smaller toxic cloud that would form along the right-of-way of the train. The deaths would be relatively few, probably measured in the low hundreds (I know hundreds of dead civilians is unthinkable, but much less terrible than the tens of thousands that Fred is concerned with). The concentration would be low enough and the gas irritating enough to cause most people to get out of the cloud before they were exposed to a fatal dose.

As the train continued to motor unaware through a large urban area at 10 to 15 miles per hour it would spread a cloud of chlorine gas that would permeate the areas on either side of the tracks, as the urban wind currents spread the cloud in unpredictable local eddies. Determining what areas to evacuate, and in which to order residents to shelter-in-place would take so much time as to be totally ineffective. Large numbers (thousands?) of people would be seriously injured before anyone realized the source of the release and could do something to stop the train and mitigate the release.

For most of those injured people, if they were treated properly and promptly, the effects would be unpleasant, but certainly survivable. Unfortunately, our medical services are not set up to handle truly mass casualty type events over a large area of an urban center. The lung damage alone will require large numbers of ventilators and specialized therapies that are just not available on that scale. This would lead to subsequent deaths that would not be laid at the feet of the attackers, but would be blamed, with more than some justification, on the government for not adequately addressing the emergency needs of the populace.

Prevention

Whichever of us is more probably correct in predicting the more likely attack, I don’t think either of us really expects such an attack to happen (I know I don’t; I fear it, but don’t expect it). If that’s the case why worry? If I’m wrong about the attack not happening, the results just don’t bear considering. We call this a low probability, high consequence event; you know like a well blow-out a mile down in the Gulf. With events like this you know that you have to take some action to prevent the unlikely. The question is how many resources can you afford to expend to prevent an unlikely event like this? This is what we need to decide.

Both Fred and I would like to see all through-shipments of TIH chemicals moved outside of major urban areas. This would effectively eliminate the risk of these cars being targeted by terrorists, reducing the risk to ‘just’ the normal (very low) accident rate associated with the shipment of these chemicals. Fred believes that re-routing can accomplish this in most instances, I think that it is going to require some significant infrastructure changes (I know Fred, I oversimplified both of our positions, completely overlooking the elimination of some number of shipments).

But, in any case, no matter how much Fred and I argue this between ourselves, it is readily apparent that no one is really willing to address this issue in a meaningful way. The costs are just too high it seems. Hopefully we will have time to change that calculation before such an attack actually occurs.

DHS Updates Critical Infrastructure and Key Resources Webpage 06-21-01

This morning the folks at DHS updated the Chemical Sector CIKR webpage, adding a link to a new web page on Training and Resources. This web page can also be accessed directly from the Critical Infrastructure landing page. This new Training and Resources page provides a lot of new and updated comments about, and links to, DHS provided training support. Among the programs listed are:
· Web-Based Chemical Security Awareness Training
· Chemical Sector Explosive Threat Awareness Training Program (CSETAT)
· Voluntary Chemical Assessment Tool (VCAT)
· Security Seminar & Exercise Series with State Chemical Industry Councils
· Chemical Sector Security Summit
Additionally the page provides a listing of a number of valuable documents available from the Chemical Sector Office. These include:
· Who's Who in Department of Homeland Security Chemical Sector Security
· Chemical Sector Security Awareness Guide
· Chemical Facility Security: Best Practices Guide for an Active Shooter Incident
· Infrastructure Protection Sector-Specific Tabletop Exercise Program (IP-SSTEP) Chemical Sector Tabletop Exercise (TTX) Materials
I’ll try to get hold of some of these guides so that I can review them and give you a better understanding of their utility.

Railroad Security

Thanks to an article at ProgressiveRailroading.com I read a recent report by the Teamsters Union that looks at railroad security from an interesting perspective, that of the people that drive the trains and maintain the railroad tracks. While these people are certainly not security experts, their responses to the two different surveys included in this report provide an interesting look at indicators of how extensively the railroads are implementing their security measures.

Now anyone with a basic knowledge of statistics knows that there are limitations on the conclusions that can be drawn about the security program of any specific railroad from the surveys that were the basis for this report. A real assessment of their security would have to be conducted by an unaffiliated outside agency with standardized sets of measurements against established security standards. Unfortunately, there are no such assessments being made, so survey results like those included in this report are all that we have to go on.

The report acknowledges that the railroad industry has taken significant efforts to improve their security since the last survey that the Teamsters undertook in 2005. The report notes that the industry has “expanded security patrols, security training, electronic surveillance, access controls and operates a 24/7 Operations Center” (pg 4). Whether or not these efforts have been effective in reducing the possibility of a successful terrorist attack on railroads is the important question that this report attempts to answer.

Question Wording 

One of the key requirements for a ‘good’ survey is that the questions have to be clear in their intent. A vague question can draw responses that point to different meanings to different responders. Some of the questions in this survey were very vague. For example they asked members of the Brotherhood of Locomotive Engineers and Trainmen (BLET) (pg 10):
“Was the rail yard access secure today?”
“Was the equipment access secure today?”
Without a common definition of ‘secure’ the response to these questions could mean a wide variety of things to different people. Even when taking that into consideration the responses to those questions point to a widespread dissatisfaction with the effectiveness of security measures; the overwhelming response (92% and 86% respectively) is that these areas were not adequately secured.

Question Order 

Even the order in which questions are asked can have an important effect on how one can interpret the responses. The two different surveys used similar questions in differing orders to look at the presence of security officers. The BLET survey asked (pg 13):
“Was there a visible rail police presence in the yard today?”
“Was today a heightened terrorist alert day?”
The BMWED (Brotherhood of Maintenance of Way Employees Division) survey asked (pg 14):
“Was today a heightened terrorist alert day?”
“If yes, were there additional security personnel on duty in the yard or on locomotive?”
The response to the BLET survey tells us something about general rail police security presence (93% said ‘no’) while the BMWED responses only tell us about that security presence on days when there was a heightened alert level (98% said no). The reduction in sample size for the second question is not addressed.

BTW: There was an interesting bit of information about the effectiveness of terror threat level communication produced in the responses to the ‘heightened terrorist alert’ questions; a large number of responders did not know if there was a heightened threat level (58% and 47% respectively) on the day they answered the survey questions.

Employee Observations 

There were a large number of sanitized comments from individual employees included in the report. The report writers are to be commended for their well documented editing to remove information that would allow someone to identify specific locations where security issues were identified. This serves to both protect the facilities and to prevent identification of personnel making negative comments about their employers.

While adding color commentary to the discussion, these comments were entirely one-sided (critical of security) and did not significantly add to the discussion of the overall security of the industry. These apocryphal reports could be significant to local facilities, but I would expect that the Teamsters’ leadership would be less than willing to share that level of information, fearing potential retaliation on the individuals making the comments.

Deserves Consideration 

This report is an important, if somewhat flawed, look at railroad security issues. The report certainly indicates that there are a wide variety of problems with the security at railroad facilities across the country. The problems identified deserve consideration by congressional committees responsible for both homeland security and transportation safety.

Sunday, June 20, 2010

Congressional Hearings Week of 06-21-10

There will only be three congressional hearings this week that look to be of interest to the chemical security community. There will be mark-ups of two different pieces of legislation that could peripherally affect the community and then a pipeline safety hearing that might be of interest.

Mark-ups

As I mentioned in a blog posting last Friday, the Senate Homeland Security and Governmental Affairs Committee will be doing their mark-up of S 3480 along with some other legislation. The Committee is also expected to vote on the nominee for the head of TSA. The hearing will be held on Thursday at 2:30 pm EDT.

The House Homeland Security Committee will be holding their mark-up on HR 5498, the Committee’s WMD legislation. I mentioned in an earlier blog the base bill won’t have much effect on the chemical security community, but revisions in the mark-up could change that. The hearing will be held on Wednesday at 10:00 am EDT.

Pipeline Safety

The Subcommittee on Surface Transportation and Merchant Marine of the Senate’s Commerce Committee will be holding a hearing to look at the safety of the nation’s pipelines. While there has been no announcement that security issues will be specifically looked at, in today’s environment security should be considered an integral part of any safety program, especially for hazardous materials pipelines. This hearing will be held on Thursday at 2:30 pm EDT.

S 3480 – Cyber Security

Last week I took a brief look at some concerns being expressed about the new comprehensive cyber security bill coming out of the offices of Sen. Lieberman (I, CT) and Sen. Collins (R, ME). At that time I hadn’t had a chance to review the text of the bill. Now that I have had a chance to do so it doesn’t seem that this bill will have serious effects on industrial control systems (ICS), but owners of conventional IT systems at chemical facilities that are considered to be critical infrastructure may be affected.

ICS

I have to waffle a little bit on the potential effects on ICS. I cannot find anywhere in the bill where the terms ‘industrial control system’ or ‘SCADA’ are mentioned. These are two of the most commonly used descriptors of the computer systems used to control chemical processes. In fact the word ‘industrial’ only shows up once in the legislation and that in regards to industrial espionage {§406(a)(2)(E)}. I don’t think that it is unreasonable to assume that ICS are not covered under the introduced bill.

Having said that, there may be a loophole that regulators could use to attempt to regulate ICS in ‘critical industries’. In defining ‘cyberspace’ the legislators expansively state that it includes “the Internet, telecommunications networks, computer systems, and embedded processors and controllers [emphasis added] in critical industries” {§3(2)}. Since this statement is modifying ‘the interdependent network of information infrastructure’, I think that any such ICS regulations would certainly end up in lengthy court battles.

Information Systems

The major focus of this legislation is the protection of information systems of the Federal Government, but it does potentially apply many of the same controls to privately owned information networks. Covered critical infrastructure is defined as a system “that is on the prioritized critical infrastructure list established by the [DHS] Secretary under section 210E(a)(2)” {§241(4)(A) in §201}. Section 503 provides guidance to the Secretary about the maintenance of the ‘critical infrastructure list’. The catch-all phrase “any other security related factor determined appropriate by the Secretary” could certainly be used to include high-risk chemical facilities on this list.

I’ll leave the analysis of what specific effects this bill could have on the managers of IT systems in these high-risk chemical facilities to those with more experience in IT systems; I have only been a user of such systems.

Mark-up

As I mentioned in a posting on Friday, this bill is currently scheduled to be marked up in the Senate Homeland Security and Governmental Operations Committee on Thursday. There is no telling what changes will be made at that hearing. In fact, given the way that Senate committees conduct such hearings, we will have little idea of what changes have been made to the legislation until the final committee report is filed. I am certainly not going to predict when that will occur; we are still waiting on the report from this Committee on S 1649, the WMD bill that Sen. Lieberman and Collins pushed last year and upon which mark-ups were finished back in November.

If and when a report on this bill is published, I will again look to see if there have been any provisions made that would specifically address ICS at high-risk chemical facilities.

Friday, June 18, 2010

Homeland Security Business Meeting Agenda

The Senate Homeland Security and Governmental Affairs web site now has an agenda posted for their Business Meeting next week; nothing on it about any CFATS legislation. So Sen. Collins’ reported comments and my resulting explorations were for naught. As I did expect, the nomination of John Pistole to be head of the TSA and a mark-up of S 3480, the Lieberman-Collins cybersecurity bill, are both on the agenda as well as a number of items of import to someone, but not the chemical security community.

FRA ICR for Reporting Alleged Violations

Today the Federal Railroad Administration published in the Federal Register a 30-day notice for a new information collection request to be submitted to the Office of Management and Budget. The new ICR would allow the FRA to use an on-line form to collect information on allegations of “potential violations of Federal railroad safety and hazardous materials transportation laws, regulations, and orders to the Federal Railroad Administration”. This reporting capability is required by the Rail Safety Improvement Act of 2008. The 60-day comment period for this ICR was published in the Federal Register on April 8, 2010 (75 FR 18012). No comments were received on that notice by the June 7th closing date. Comments on this notice should be sent via email to oira_submissions@omb.eop.gov, referencing the OMB control number (2130-New). The docket number provided in the notice should not be used as it is not the correct docket number for this ICR; the correct docket number is FRA-2010-0005-0008.

Thursday, June 17, 2010

Senate Homeland Security Committee Business Meeting 06-24-10

The Senate Homeland Security and Governmental Operations hearing schedule web page today shows that they have scheduled a Business Meeting for June 24th. Business meetings are typically where legislation mark-ups are held and nominations are voted upon. No details are yet listed for the topics to be covered in this scheduled hearing.

In light of Sen. Collins’ (R, ME) reported remarks about a mark-up of CFATS legislation possibly being conducted next week, this would be the reasonable venue for that to take place. That would presume that Sen. Collins and Chairman Lieberman (I, CT) had come to some sort of accommodation on their differing views on IST provisions in such legislation.

A full blown mark-up hearing like we saw in the House Homeland Security Committee mark-up hearing last year is just not going to happen in this Committee. For one reason, the TSA nomination will probably be considered and possibly even a mark-up of S 3480, the newly introduced cyber security bill.

The only possible way that I see this happening (and I have a very cloudy crystal ball) is for the Collins bill (S 2996) to be modified to a one or two year extension of CFATS (instead of the five year extension in the current version) along with the addition of an ‘assess and report’ IST provision similar to what DHS has been working on. This would allow DHS to collect hard data on the types of assessments that would be done and have hard data for evaluation of how DHS could determine what IST measures would be mandated for a facility. It would also allow for some time for the Chemical Safety Board to have their IST study completed.

That sort of compromise might get Lieberman and Collins on board. That would be sufficient to get it through a favorable Committee vote. I don’t think this compromise would get the bill to the floor of the Senate as Sen. Reid (D, NV) has already taken enough flak from the House Democrats for watering down legislation. Since this bill is not high on the Obama agenda there would be little to force this bill to the floor in an election year shortened session. And it would never survive a House vote.

DB on S 3480

Dale Peterson, over at DigitalBond.com, writes a serious control system security blog, and he has an interesting, if brief, look at S 3480, the Protecting Cyberspace as a National Asset Act of 2010, sponsored by Sen. Lieberman (I, CT) and Collins (R, ME). I’ve just downloaded a copy of that legislation, so I’ll reserve my comments on the bill. Here I’ll just look at Dale’s comments.

Conflict of Interest

Beyond having concerns about DHS being able to actually take on the tasks outlined in the bill due to manpower and funding constraints, Dale has concerns about the control system security set-up in the bill. He writes:
“Are we really proposing that DHS set the regulations, be in position to issue fines, and help owner/operators comply with regulations, and be brought in for remediation? So then they could be regulating the security controls they recommended, designed and maybe helped implement? Sounds like the days of the accounting companies providing services to companies they audited.”
Then he questions if this is what DHS wants or if it is completely from the minds of the Senators. I can’t answer that question any better than Dale can apparently. I would hope that if DHS was buying off on this they would point out the need for loads of additional resources. I’m not completely sure I share Dale’s concern about the internal conflicts of interest. This could be set up in such a way that separate sections of DHS-CERT have responsibility for the different parts of the system.

ICS Remediation

Interestingly, the Control System Security Program people at DHS-CERT did apparently volunteer to get into the remediation business for a short period of time last month. I noted in an earlier blog that they posted the following offer on their web page:
“In addition, the ICS-CERT is able to provide onsite assistance, free of charge, to organizations that require immediate investigation and resolve in responding to a cyber attack.”
The offer was missing from the revised web page just five days later. No explanation was given, but it could have been due to lack of manpower, or even complaints from the industry that this was putting CERT in direct, and unfair, competition with a number of companies. I just don't know, but it is an interesting coincidence.

I’ll be trying to wade through the lengthy bill to pull out the stuff of interest to the chemical security community. In the meantime, take a quick look at Dale’s post; it is an interesting read.

BTW: Yesterday Rep. Harman (D, CA) introduced another ‘comprehensive’ cyber security bill (HR 5548). It is not yet available from GPO so I have no details available yet, except that it is also a bipartisan bill, having been co-sponsored by Rep King (R, NY), the ranking member of the House Homeland Security Committee.

Reader Comment 06-14-10 Rail Routing

Earlier this week Fred Millar left a comment on my latest blog post concerning hazmat rail routing rules being affected by the PTC regulations; actually that post of mine was a response to an earlier comment by Fred. He continues to make the point that the hazmat rail routing decisions are being made in secret without significant input from governments and communities along the affected routes.

Protected Information

Fred is absolutely correct that there has not been, nor will there be, any public discussion of these routing decisions; the information is protected information under Federal law. As I have repeatedly noted about such secrecy rules, there is a difficult balance that has to be accomplished between the public right-to-know about hazards to which they are exposed by such shipments and legitimate security concerns about the information getting into the hands of those who would use it to attack that same public.

The public would probably be perfectly willing to allow the restriction of such information if they felt that there was some method of checks and balances that was protecting their interest. Unfortunately, as Fred points out, there is no effective review of these routing decisions. While the FRA has assured us that they will ‘aggressively’ pursue evaluations of these routing decisions, they do not have the manpower and/or time to do more than provide a cursory review of the documentation of route analysis.

Given the fact that each railroad will be conducting these route security reviews using a mandated 27 different factors, it would take days to effectively review a single route analysis. Even if FRA had the time to do this, there are no standards against which to evaluate such decisions. There is not even a set of guidelines about how to weight the different factors.

Congress would have to significantly expand the inspection force employed by the FRA to give that agency any chance of effectively policing this routing rule. Given the current example in the Gulf of what happens when Federal agencies inadequately enforce existing regulations, you would think that Congress might consider such expansions of inspection forces. It’s too bad that our legislators have a real bad reputation for learning lessons from actual problems.

Midnight Regulations

Fred continues to misuse the term ‘midnight regulations’ to describe the rail routing rule that was published in its final form in the closing days of the Bush administration. There was an extensive comment period on the NPRM for that rule and the FRA was actually well over the statutory time limit in publishing the rule. If this rule had been published in its current form three months earlier (which still would have been late according to the authorizing statute) there would have been nothing more that could have been done to modify the effects of that rule.

If the rule had been further delayed, there is no indication that the Obama Administration would have done more than review and approve the current language of that final rule. So continuing to imply that the Bush Administration did something less than ethical (in this case) is not productive.

Conflicting Regulations

Fred points out that the railroads apparently made some of their re-routing decisions based upon the requirements of the TSA security rules affecting TIH railcar shipments rather than the requirements of the FRA rule. This is almost certainly the case (though I have no hard data, it’s restricted information, remember, to support this assumption) and should come as no surprise to anyone that is paying attention. The fact is that even the more limited TSA inspection force would be able to more effectively police the security rule because it is easier to evaluate compliance.

Wednesday, June 16, 2010

BP and CFATS

There have been a number of Tweets (including two from greenpeaceusa) this evening pointing at a New York Times article that attempts to link the actions of BP and resumption of consideration of legislation to re-authorize the CFATS program. The Greenwire article makes a major point of the fact that BP opposed the early attempt in the Bush Administration to control chemical facility security via the EPA rather than Homeland Security. What this has to do with the current CFATS debate is left to the imagination.

EPA and IST

Claiming that some sort of EPA security regulation would have included an inherently safer technology (IST) requirement is just too much of a stretch. EPA is responsible for a number of chemical process safety regulations and has never seriously considered mandating IST, at heart a process safety technique, in the requirements for any of their programs. Nor have I heard any of the current ‘IST as a security measure’ proponents mention requiring IST as an EPA or OSHA safety mandate.

Public Response to Chemical Attack

There is an interesting point made in the article that should be considered by industry supporters. It quotes a Bush era EPA official as saying (and I paraphrase) that given the outraged response in Congress and the public to the current BP performance, industry can only expect the same response (or worse) if they are victims of a successful terrorist attack that unleashes toxic chemicals in a city.

There is a serious difference between an incident due to apparent malfeasance and a release due to a terrorist attack. Having said that, I’m afraid that this might easily be the type of outcome we could expect to see if we have a serious major mass casualty incident at a high-risk chemical facility. You can see the forerunners of this response in the number of questions that were asked about why the 9/11 attacks were not prevented, placing blame on the government not the terrorists.

Needless to say, if such an attack occurred while the reauthorization status of CFATS remained in limbo, then it would not take any time to see Congress pass a reauthorization bill that would make HR 2868 look like a chemical industry proposal. That the cost of that draconian legislation would end up shutting down a large number of chemical facilities would not matter. Knee-jerk reactions, by definition, by-pass the thought process both in the body and the body politic.

Reader Comment 06-14-10 Updating COI

J Stebbins posted an interesting comment to my blog from last week about adding anhydrous ammonia as a Theft-Diversion COI. He made two points; one looking at updating DHS information and the second about planning versus response. Both points are well worth reading in their entirety.

Updating COI List

J Stebbins reported on his(her) experience in suggesting that DHS update some information on their Commercial Facilities Sector portion of the National Infrastructure Protection Plan (NIPP), writing about their reply: “we [DHS] conduct reviews every three years and this information will be updated shortly”. In the business community this is not considered a very responsive answer, but DHS operates under a different set of rules.

We have to remember that sovereign power does not rest with the government in this country. This means that the government has to involve the public in their decision making process. There are laws and regulations governing that process.

For example, let’s look at my proposal to add a theft-diversion security risk to the current listing for anhydrous ammonia in Appendix A to 6 CFR part 27. To get this relatively minor regulatory change completed they would first have to draft and publish a Notice of Proposed Rule Making (NPRM) in the Federal Register and allow a public comment period on the proposal.

Before that is done, however, there would be a great deal of research that would need to be done, including making an estimate of the cost of the regulatory change and its effect on small businesses, state and local governments, and other regulatory agencies. If any of those effects were determined to be large enough there would have to be a variety of regulatory and political reviews conducted in DHS and with OMB before the decision was made to go ahead with publishing the proposed regulation.

After the NPRM was published and the comment period ran out, then DHS would have to review each of the comments received. They would need to determine if any changes needed to be made because of the comments received. Then they would need to prepare the justification for the changes that were and were not made and the final rule would be drafted. This would then go through a more formal review process in DHS and would then be formally submitted to the Office of Information and Regulatory Affairs at OMB for their review. Once all of those formal reviews took place and appropriate modifications were made and re-reviewed then the final rule would be published in the Federal Register.

Now completing this process is time and resource intensive. Regulatory changes are not made lightly and in this example would not be made for a single minor change. Either multiple small changes would be made at one time, or the agency would simply wait until the next major change was made to that regulation to include the minor changes previously identified.

Having said that, why did I recommend making this change? Well, it has been three years now since Appendix A was first proposed and it would seem reasonable that it is time for a review of that document. In fact, I have been hearing rumors of just such a review taking place with ISCD talking to various groups about what appropriate changes should be made to Appendix A. So, while we’re talking about this, does anyone have any suggestions for changes to the list of COI?

Planning versus Response

J Stebbins also looks at the difference between recognizing and planning for potential problems versus waiting for them to happen and then responding to the results of the problem, writing:
“Cost is always going to be a stickler when it comes to this, however, what is the cost of not doing something to prevent a catastrophe from occurring, versus cleaning up after the catastrophe has occurred.”
He then points to the current problem of crude oil blowing into the Gulf of Mexico as an example of why planning is preferable to reacting. I certainly agree with this in principle. Being an ex-military man I am well aware of the adage about ‘proper prior planning prevents piss poor performance’.

But, the problem of cost cannot be ignored. This is the reason that ‘risk based planning’ has become such an important buzz phrase. A manager in a modern business is just like any other employee; he holds his job only as long as he demonstrates that he can do it well, maximizing profits and minimizing risk. Since evaluation cycles are relatively short, any low probability risk will probably not get serious attention as it would be unlikely to come to pass within the time that the manager is in charge of the facility, project, or product line.

This is where the Government comes into the business decision process. Congress determines what risks the people have determined to be unacceptable to the majority of the citizens. They then establish laws specifying what actions business must take to minimize or mitigate those risks. The Executive Branch then implements rules and regulations to enforce those laws and ensures that business complies with those rules.

A problem arises when the Government must rely on the expertise of the regulated community to identify how to regulate the risks. When knowledge only comes from practical experience in the field, then the Government needs to draw upon that knowledge to effectively regulate. The problem comes when the agency responsible for the regulation becomes so dependent on the industry information that they abdicate their responsibility to enforce the regulations. It looks like that is what happened in the MMS-BP case.
 