Well, unless you were living way further out in the backwoods than I do, you have undoubtedly heard about the new Homeland Security National Terrorism Advisory System (NTAS) that was
announced this week by Secretary Napolitano. If you’re associated with the CFATS program you will also be aware of the thundering loud silence from ISCD about how to adapt the RBPS 13 portion of your site security plan to the replacement for the old color-coded HSAS system that formed the basis for RBPS 13 in the Risk-Based Performance Standards Guidance document.
To be fair to Director Driggers, he and his staff have larger problems to deal with. Besides, there is probably no one left in the Directorate that was part of the team that wrote the guidance document in the first place. So with that in mind I’ll give a little support and update the comments that
I posted earlier this week.
Why is Enhanced Security Planning Necessary?
I don’t need to tell security managers working at CFATS-covered facilities that security equipment, personnel, training and maintenance are very expensive. And with the realization that no security system is impregnable, there is always one more widget that can improve the situation. Unfortunately the rate of return (increased security/dollar spent) on those widgets also starts to fall off rather quickly.
The dark side of security planning is that security measures are a pain in the butt. A comprehensive security system interferes with the day-to-day operation of the facility in countless little ways. Sooner or later employees, especially the good ones, will find ways to circumvent the security processes to make their jobs easier. This is especially true if there seems to be no immediate prospect of an attack on the facility; I mean, what could it hurt????
So the security planner, knowing all of this, and under pressure to keep costs down because security is not a profit center, walks a fine line in trying to have enough security in place but not too much. So they look at the threat picture for chemical facilities (or whatever facility, this applies to everyone, but we are the chemical security community here) in the United States and its easy to see that the vast majority of terrorist attacks in the last ten years have been executed by less than effective terrorist wannabes.
Now this is good news as wannabes are much easier to defend against than the al Qaeda A team. To be on the safe side you plan your defenses for the Wannabe All Stars. You get that program in place, you train and practice, just to keep everyone sharp and everyone stays happy. And you have a facility security system that will deter, detect and delay the wannabes; the best of the wannabes maybe, but still wannabes.
The smart facility security officer knows, however, that the counter-wannabe security plan isn’t really good enough to prevent someone with truly evil intent, determination and a decent level of training and equipment from walking right through the security measures and capturing the flag. Hopefully it will be good enough to convince the A Team (from what ever league; trust me there are more evil doers than just al Qaeda out there) to go play at the next plant down the road with less proficient security.
No security manager worthy of the title can rest with just a defense against wannabes. They loose sleep at night worrying about what happens if they win the terrorist-site-selection lottery; if the A Team moves them to the top of their hit parade. Then the intelligence pukes (security guys and intel guys never really get along, they don’t trust each other too much) drop a message in the in-box saying that the bad guys have been talking about how lovely your facility would be with a large fireball in the center of the tank farm. Oh, and the ‘chatter’ sounds a lot like their visit is imminent. Have a nice day.
Too bad, you have a wannabe security plan in place and the pro’s are on the way. Too late to hold committee meetings, or get security upgrade requests onto the CEO’s desk for approval. Hell, the security widget salesman has heard the same news and isn’t returning your calls; he doesn’t want his product associated with a successfully attacked facility because his widget was half-installed. Besides, your insurance company is not going to pay the net-30 invoice anyway after the smoke clears.
Now, if you had a plan in place for how to deal with the pro’s; with all the approvals signed and purchase orders okayed, with everyone read in on what they had to do when you screamed ‘the A-Team is coming’; then you just might have a chance. If not, then just have them chisel your resignation letter on your headstone.
How do you do Enhanced Security Planning?
First off, you have to realize that security planning, just like any other kind of planning never stops. In production planning for instance, you formulate your plan then you monitor production and orders and modify your plan accordingly. In security planning you hope you never have to actually execute your A-Team plan. So to maintain proficiency you keep making new plans all of the time. Each new plan makes you more proficient at the planning and response process and makes you look at your overall site security plan from a slightly new perspective.
So the first thing you do is to identify your most important target at the facility. Then you determine the most common way that an A-Team terrorist would attack that target. Then you formulate a plan to counter that attack; simple enough, right? Oops, I forgot to tell you that you have to plan for 24-hour notice of the impending attack (hope you get more, pray you get at least that much), so scratch installing a new building around that target as part of your A-Team response plan.
So, you are going to have to depend on security upgrades that can be put in place quickly. Typically this is going to mean increased security personnel and changes to procedures. Installation of fixed equipment is too time consuming and expensive. If the supporting security company has portable security devices/equipment that can come into the facility when needed, this should certainly be examined. For the most part, however, the security equipment you have when you receive The Call, is what you are going to have to deter, detect and delay the attack.
Perimeter Patrolling
One good thing to remember in this planning effort; if you are within 24-hours of being attacked by the A-Team, you are under surveillance. They want to succeed real bad (at least as bad as you don’t want them to succeed) so they are not going to take chances that a small last minute security change will disrupt their attack plan; this is how they got to be the A-Team.
This means that visible up-grades to perimeter security are almost always a good idea. The fastest, easiest and cheapest security upgrade is increased patrolling inside and outside of the perimeter. The folks outside should be looking for the watchers; identify them, catch them, or disrupt them. If they are more worried about their own security than upgrades to your security you have probably prevented a successful attack. Oh, and don’t forget to include increased police patrols as part of your outside the perimeter patrol plan; they are very cost effective.
The increased interior patrols will make it harder for the A-Team to avoid early detection in their penetration of the facility perimeter. Just remember to keep your patrols following random routes and random patrol frequencies. This makes it harder to figure timing necessary to avoid even the increased patrols. You’re never going to have the funds or manpower necessary to eliminate all patrol gaps; adequately (not perfectly;
see my blog on randomizing security patrols) randomize your patrols so that the attacker can only identify an adequate patrol gap after it has effectively closed.
Interior Patrolling and Guard Posts
Most high-risk facilities, in a low-risk, wannabe-threat environment are not going to need security patrols roving through operational areas of the facility. Nor will they typically feel a need to have much in the way of internal guard posts. These security tools are just too much of an intrusion into production areas and get in the way. They also require much more in the way of chemical hazard communications training for the guard force.
With the A-Team outside the gates, however, this is going to be the only real cost-effective way of increasing the delay factor inside of the facility perimeter. Again, you have to remember that you are being watched. In this case the counter surveillance tactics work just a little bit different. You probably want the A-Team to know that you have increased the number of security personnel inside the perimeter; have the new security personnel show up in a van or bus for instance. You almost certainly don’t want them to know where the security personnel are at or what they are doing. If you are using internal patrols, the patrol plan needs to try to keep them invisible from outside of the security perimeter as much as possible.
If you are going to use security patrols in the operational areas of the plant, they need to be adequately protected against the production hazards found in those areas. This will mean the proper issue, fitting and use of personal protective equipment as well as being trained to be able to detect the specific hazards associated with the areas in which they are operating. This argues for not using new security personnel for this type duty. There are two obvious solutions; first use the newbie augmentation personnel on perimeter duty and facility experienced personnel for internal patrols; or have production personnel accompany these internal patrols to help keep them out of operational harms way.
Internal guard posts are much trickier to use than it would seem at first glance. Putting a guard out in the middle of nowhere, even with communications, is inherently ineffective. A guard post is only going to be effective when there is a physical structure that naturally channels attacking forces through that point and the guard has some way of controlling movement through that area of restricted movement. Typically, this is a locked door or gate that the guard controls.
If an attacker must mover through that portal to effectively complete their assault, this makes the security guard an obvious target. Protecting the guard from attack increases the effectiveness of the portal at preventing unauthorized access. Using video cameras and electrically operated locks makes a door monitor in the security control room effectively a guard post at that portal.
One last thing to remember, to a trained combatant, a wall is just slightly more of an impediment to entry than a closed, unlocked door. If you’ve ever seen a violent drunk put a fist through a wall, you have a good idea of what I mean.
Executing the Plan
Now there are certainly other tools and techniques that can be used for enhanced security measures and I’ll discuss some of them in upcoming blogs. I certainly would like to hear from the community on their unique ideas about temporary security measures that can be easily put into place at relatively short notice during periods of high threat. But for the purposes of this discussion this should be enough to take a look at how these increased patrolling measures can be put into a enhanced security plan and executed when The Call is received.
First off, the resources to implement the plan need to be carefully determined. Lets say that it will require two three-man patrol teams and a patrol supervisor on each shift to execute the enhanced perimeter patrol plan. Every facility that I have seen uses an outside security company to provide their security guards. The security company contract would then need to be modified to include the responsibility for providing the augmented security force on some sort of minimal notice. I would also include provisions for periodic implementation for short periods to exercise the augmentation plan for training and evaluation purposes.
Where increased police patrols are made a part of the external patrol plan the same sort of agreement needs to be reached with the local police department. One doesn’t normally contract for these services (someone please correct me if I’m wrong), but some sort of written agreement is certainly in order, if just to clarify the requirements.
Then when the call comes in, the facility security manager makes a single call to the security company and says ‘execute security augmentation plan 14’ or something simple like that that allows for immediate movement without a lot of discussion. A similar call is made to the local police department. And everyone starts to move into the higher security mode called for in the facility site security plan.
A Fast Response is better than the Right Response
OOPS. The Call says that it is a group of radical defenders of the lives of Rainbow Darters in a nearby stream that will be attacking not al Qaeda. This group is not interested in attacking your tank of tetramethyldeath (the tank that you identified as your number one target), rather they are after a storage tank where you store a flammable chemical that interferes with the breeding instincts of the Rainbow Darter. The Call goes on to explain that this is the A Team of radical environmentalists with skills and training comparable to anyone that the radical jihadists could send at you.
Oh my, that tank was never considered to be an enhanced target. Oh my, what to do? Don’t sweat it. Initiate the plan for the tetramethyldeath storage tank. Get the cavalry on the way. You can modify the internal patrol plan as necessary (if it was considered necessary in the first place) and the perimeter patrol plan is almost certainly fine without modification other than to tell everyone to look out for hippies in t-shirts and ratty-jeans instead of ‘arabs in flowing desert robes’ (Oh, you didn’t assume that al Qaueda would look like someone out of Lawrence of Arabia? Good for You).
There is an old military adage that says “No plan survives contact with the enemy”. No plan is going to properly predict what the attacker is going to do. The important thing to remember about any sort of contingency planning is that it is easier to modify an existing plan than it is to start a plan from scratch. The important thing is to get people responding and moving. Just the arrival of additional security personnel on the site may be enough to prevent an attack from taking place. This is why enhanced security planning is so important.