Thursday, February 3, 2011

CFATS and Shutdowns

There is an interesting discussion on the Cyber Security in Real-Time Systems group on LinkedIn. It deals with a British Airways employee who got the job at BA to further his particular terrorist aims. That of course leads to the issue of ‘insider attacks’, though to my mind this is more of an ‘infiltration attack’, but that is another issue. As with many discussions that I get involved in, a CFATS issue was raised. In particular, Joel Langill raised the following:

“One aspect that sticks in my head is that this standard does not seem to specifically address the situation when the facility (or process unit) is shutdown, isolated and decontaminated for activities such as a scheduled maintenance turnaround or outage. This is when you have a lot of contractors within the facility, and reasonable exposure to equipment. I also do not think that during this time, background checks are required since the chemical threat is actually absent during the turnaround.”

I made a brief reply on the discussion page, but I thought that a more detailed discussion would be appropriate here. To be sure I did a brief blog post on this a couple of years ago, but we know more about CFATS now so it is time to revisit the issue.


Many large industrial facilities that run essentially 24-7 have to shut down the facility periodically for scheduled maintenance of their equipment. This is also the time for installing new equipment. Production employees are typically given block vacations. A huge crew of construction and maintenance folks takes over the facility, working around the clock to get the plant turned around. Two terms are usually used to describe this production hiatus: shutdown or turnaround.

Now I have never worked in a facility that did this sort of operation, but I have a number of friends that do turnaround work and a number of customers of the chemical companies that I worked for had these regularly scheduled events. I think Joel’s comment implies that the hazardous chemicals are removed from the site during the shutdown, but I’m not sure that that is true in very many cases. Certainly the companies that I worked for never had to schedule post-turnaround shipments and we never took product back at the start of a customer’s turnaround.

For the sake of this discussion, let’s assume that some facilities will remove DHS chemicals of interest (COI) from the facility prior to starting a turnaround and others won’t. So, that gives us two cases to look at from a CFATS perspective.

Background Checks

DHS has made it clear that they expect everyone who has unescorted access to critical assets at a high-risk chemical facility to undergo some sort of background check including (eventually) a review against the TSA’s Terrorist Screening Data Base (TSDB). We’re not sure yet (the DHS personnel surety program is still in development) whether the facility must do the check or whether the contractor must do the checks for their employees working on a covered site.

Since a wide variety of contract personnel will be on site and most employees will not, there is little chance of having contract personnel escorted by covered employees. We must assume that, everything else being equal, all contractors on-site during a turnaround will have had to undergo an appropriate background screening, including TSDB (if/when DHS gets that program up and running).

Facilities Where COI is Not Removed

If the COI remain on-site during a turnaround, there is no question that the facility remains a covered facility with all the SSP requirements in place. In fact, it would seem to me that this is one of those periods of increased risk (because of the number of people working on site with all of the confusion that that brings) that is supposed to be addressed by RBPS #14.

Facilities are going to have to have a written plan in place for the security measures that will be instituted and modified during the turnaround. This would include provisions for the requirement to perform and document background checks, including TSDB, for most contractors. It would also include provisions for escort requirements for those without such background checks (and there will inevitably be some). Both classes of contractor employees would have to be clearly identifiable to security personnel and facility employees working on site.

Critical assets will have to be divided into at least two separate groups: those that are easy to surreptitiously sabotage (control systems come immediately to mind) and those whose sabotage is harder to disguise. The former assets will require additional security measures like requiring escort by facility personnel for any contractors working in the area. For contractors/vendors directly working on those assets, the escort must be fully knowledgeable in the operation of the equipment to be able to detect more subtle sabotage efforts.

Additional security personnel are almost certainly going to be necessary. The flow of personnel and deliveries through the gates will increase, and it would not be unusual for the contractors to use additional gates that are normally kept closed. The number and frequency of roving patrols will probably need to be increased to deal with the number of people wandering around the facility to ensure that they don’t stumble into areas where they don’t belong.

Even the number of people monitoring video surveillance systems will probably need to increase, even for facilities using automated surveillance monitoring. The large increase in the number of people moving around and the unusual areas in which they will be working will quickly overload normal monitoring capabilities.

Security training for all of the temporary folks working on site cannot be overlooked. The standard awareness training given to all employees will be necessary and the identification of critical assets and the rules associated with their access will need to be clearly covered. The added security personnel will need to be trained and the entire security force will need additional training on the changes to the security program required by the turnaround.

One final note: if the turnaround plan for RBPS #14 was not included in the approved SSP, it will have to be approved by DHS before it can be implemented. I don’t believe that DHS has a formal process yet for approving these types of temporary additions to an approved SSP, so the best bet would be to contact the Help Desk early in the planning process. For facilities without an approved SSP (and that is all but at most four facilities as I write this) a technical edit may be the easiest way to add the RBPS 14 changes. One should expect that the approval process (at least for the foreseeable future) will be a time-consuming process.

COI Removed from Site

Joel’s comments assume (I think; I’m making an assumption about Joel’s assumptions, always dangerous) that the COI are removed from the site before the shutdown begins. The normal person might jump to the conclusion that that would result in the removal of the site from the high-risk chemical facility list; that may be a very dangerous assumption.

A number of facilities have been removed from CFATS coverage because they removed COI from the facility, or even just reduced the maximum inventory of the COI by some significant amount. If the facility has not been given their final tier assignment (had their SVA approved by DHS) the process is fairly straightforward: wait at least 60 days after the change has been made and submit a new Top Screen. When DHS reviews that new Top Screen they will either remove the facility from the CFATS list, reduce the preliminary tier ranking, or do nothing.

That “60 days” is a key element here. The Top Screen requires a facility to report the highest inventory in the last 60 days. This was included to take into account the vagaries of inventory management and reduce the number of Top Screen submissions required to keep the CFATS system up-to-date. It is obvious then that the Top Screen route will not be applicable to a normal shutdown; most shutdowns are completed in well under 60 days.

For facilities that have received their ‘final’ tiering notice (have at least started their SSP clock) the whole situation gets a great deal more complicated. While a Top Screen may be submitted, DHS has made it fairly clear that they will require a detailed explanation of why the change is being made and will conduct a formal review of the change. I don’t believe that they have specifically addressed the shutdown issue, but they certainly haven’t done so publicly.

I don’t suspect that DHS would allow for a total suspension of SSP requirements for a temporary period when there are no COI on site. I would bet that if they were told that the facility would be starting up after the shutdown period, they would maintain the facility on their list of covered facilities. I don’t believe that they would even temporarily lower the tier ranking. In fact, I would nearly wager money (something I don’t do, there’s a story about a horse race and the favorite breaking a leg 4 lengths in front on the home stretch that I won’t go into here) that DHS would require an RBPS #14 plan for such an eventuality before even considering allowing a reduction in security requirements.

The problem is that if you substantially reduce the security requirements, you make it easier for someone to sabotage the facility for later activation. For facilities with just theft/diversion COI this is not as applicable, but for any release COI facilities it would be too easy to hide a device (or virtual device in cyber systems) that would be difficult or impossible to detect prior to start up.

Shutdown Security Procedures Required

Adequate security procedures, including background checks, are going to be necessary for high-risk facilities during shutdown, even if there are no COI on site. The need is there to prevent the initiation of a subtle, delayed attack on the facility during the shutdown that would culminate only after the COI returns. A detailed RBPS 14 shutdown security plan will need to be developed whether or not COI will be present.
