Friday, December 10, 2010

CFATS Reader Communications

I had an interesting email conversation with a reader yesterday. She sent me an email to let me know about a typo in my post about HR 3082. Along with her polite question about the extension date on CFATS she thanked me for my CFATS reporting. She works at an industry representation organization and was responsible for tracking programs like CFATS that were of interest to some of the facilities in their industry; an industry that is not typically considered to be a chemical industry.

I am always interested in hearing about how CFATS affects these non-chemical high-risk chemical facilities, so I asked what is for me is a fairly standard request. I told her that I would like to hear about any problems facilities in her industry were having with CFATS implementation or enforcement. She vaguely promised to see what she could do about getting me the information, but you could tell from the tone of the last email that she had some legitimate concerns about disclosure rules.

We’ll see how that particular request goes, but I it got me started thinking about making the request to the general readership. It would save me some time waiting to be contacted by people like her in the various industries that are affected by CFATS. So here goes.

CFATS Covered Facilities

When one hears the term chemical facility security, one has the immediate tendency to think of classical chemical manufacturing and distribution facilities. While CFATS is applicable to these types of facilities, the regulation drafters at DHS knew that a great many of the facilities handling chemicals of potential interest to terrorists were far removed from that classic model. So they wrote the CFATS regulations focusing on the chemicals of interest rather than on the type of facility.

The variety of industries potentially affected is astounding. It includes meat packers (anhydrous ammonia for refrigeration systems), water parks (chlorine gas for water disinfection), agricultural facilities (a variety of pesticides and fertilizers) and even electrical power generation facilities (ammonia for smoke stack scrubbers). All of these industries have security programs of varying sorts, but few of them were focused on potential terrorist attacks on their chemical use/storage facilities.

Unique Issues

Many of these facilities are going to have their own unique problems with CFATS implementation and enforcement activities. Commercial facilities might have to worry about how to deal with personnel surety programs applicability to their customers. Distribution facilities might have to worry about meeting a variety of requirements with a very limited manpower pool. Many of these facilities have space issues that make it difficult to comply with detect and delay requirements.

Each of these facilities is going to have to consider their own situation and how they are going to apply the CFATS risk-based performance standards in formulating their security response to the threat of a potential terrorist attack. In many instances the ‘normal’ security responses are not going to work and the facility security management team will have to come up with unique and creative responses of their own.

I really want to hear about these security challenges (and potential solutions). One of the reasons is that I love an intellectual challenge. I enjoy thinking about these situations and coming up with my own ideas of how they can be dealt with. And I obviously enjoy sharing my thoughts and observations (or else I wouldn’t be writing this blog). I am not vain enough (not quite) to think that my thoughts are going to solve all of the problems of the industry, but they might spark some thoughts or observations that had not been considered by the facilities having problems.

More importantly, my readers include a large number of people with a wide variety of security experience and backgrounds. Many of them are willing to comment on my expressed thoughts and observations with corrections and new ideas of their own. Again the additional eyes may see or know something that might be helpful in solving the problems.

Another important part of the audience of this blog comes from Washington, regulators and legislators (and their staffs). These folks are typically focused more upon the large picture, but they need to hear the unique problems (and solutions) that the CFATS program engenders. It may come as a surprise to people in industry, but most of these beltway folks do really care about what happens with the regulated community and want their laws and regulations to work.

CVI Issues

I am well aware that individual CFATS facilities have to follow the DHS rules on the protection of Chemical-Terrorism Vulnerability Information and I certainly would not advocate sharing protected information with me. While I have completed the original CVI training program and have my authorized user number, I would have a hard time convincing a DHS Chemical Security Inspector that I generally have a need to know (This of course does not apply if I am doing specific consulting work for a facility, but there I would also be covered by non-disclosure agreements as well as CVI rules).

I also know that, according to Google, about 20% of my readership is from outside of the United States. Most of these readers have legitimate chemical security concerns of their own and are interested in seeing how we take care of our similar issues. Others are people that have to do business with CFATS affected facilities and need to understand the security constraints on their business. I must, however, consider the possibility that there may be a few readers that might want to use information from this blog to do harm to CFATS protected facilities.

So, generally I don’t want readers to send me information that might be covered by CVI rules. More over, I will be very careful that anything that I reveal will not be able to be used to be used to identify a specific facility, or provide information necessary to formulate a successful attack on a facility.

This is one of the reasons that I typically make this request to organizations that represent industries rather than individual facilities. This typically makes information that I receive once removed from the facility level and thus that much less likely to involve covered or sensitive material. That doesn’t mean that I don’t want to hear from facilities (I certainly do), but I don’t want to make anyone uncomfortable by seeming to want them to violate CVI rules.


There is one last point that I would like to make on this issue. While I enjoy writing about chemical security issues, I do not write about everything that I hear. I have had interesting discussions with a number of people in both the chemical facility and security industry side of the issue that I will never be able to include in the blog. Security issues and CVI issues are a concern in some instances. In other cases legal, commercial or political concerns restrict my ability to share the information. That is the way of the world.

I am certainly not going to restrict who I listen to because of these concerns. The information that I gain from these exchanges helps to inform me about a wide variety of issues and concerns. The information helps me to formulate my responses to a number of the other issues that I address in this blog.

I would like to note that if a reader wants to share information in confidence that they should make that clear up front. While I can usually spot CVI information fairly easily, the legal, political or commercially sensitive information is quite frequently harder to spot. But remember a blogger is at heart a reporter and a commentator. We exist to share and expound on information. I have done my best to respect confidences, but I do have to know about them to properly respect them.

So, if you have a unique concern about CFATS implementation or enforcement, please let me know. I or my readers may have ideas that might be of help to you. Or just explaining the problem to me may allow you to look at it in a slightly different light that allows you to come up with your own solution. And that’s the whole point, lets solve these problems.

No comments:

/* Use this with templates/template-twocol.html */