Sunday, March 11, 2012

CFATS Threat Assessment

WARNING: If you are a government employee or a government contractor, reading or discussing the document referenced in this post, under the Obama Administration’s Wikileaks Doctrine, may place your job and/or security clearance/access at risk. You are probably okay reading this blog, just stay away from the links and don’t discuss it with anyone. This post will not self-destruct in 30 seconds. 29..28..27…..

The good folks (unless you work for DHS then they’re the ‘nasty folks’) over at have published yet another FOUO document that might be of interest to folks in the chemical facility security community. This time it is the threat assessment for CFATS facilities published on the day that the CFATS program became active, June 8th, 2007. One would like to think that ISCD sent a copy to each facility that registered for the CSAT tool, but I really doubt it.

Nothing earth shattering in the way of intelligence information in this report, and not a whole lot has changed. An updated version of this report would probably add a couple of relatively new al Qaeda affiliate groups. The section on cyber-attacks would probably include a brief discussion of Stuxnet, Duqu and phishing attacks.

Chemical Mistake

There is one glaring mis-statement of fact in this document. On page 6 (page 7 Adobe) the report makes the silly statement that one of the limiting factors in a chemical release attack is gaining access to an explosive powerful enough to cause a toxic chemical release without destroying the chemical in the process (I’m paraphrasing not quoting so I can get around the FOUO paragraph markings). I can’t think of a non-nuclear explosive device powerful enough to destroy the toxicity of chlorine gas, anhydrous ammonia, or hydrogen fluoride, three of the most common toxic gasses in the US chemical industry inventory today. Besides, there is no real need for a large explosive device to be used when attacking these tanks; while the pressure tanks themselves are relatively well ‘armored’ the various piping and valve connections are not. And a variety of liquid toxic inhalation hazard chemicals are stored in much less well ‘armored’ storage tanks that would easily be successfully attacked by a well-constructed IED.

Importance of Threat Assessments

Threat assessments such as this, particularly since this is an FOUO marked document, not a classified document, present a summary of the information the intelligence community has on potential attackers. While this is just a high-level summary, lacking in any significant details, it does provide high-risk chemical facilities with some information about the threat against which they must orient their security measures.

This means that it is very important that DHS update these assessments on a periodic basis and push them down to the targeted community. DHS has an active email address of at least one person (frequently two or more) at every high-risk chemical facility in the United States. Pushing these out to the field should be relatively easy to accomplish. If they are not actively pushed down to the facility security manager level they are useless documents.

Document Markings

The use of ‘FOUO’ markings in documents pushed to the private sector only has effects on government employees and contractors. Once in the hands of individuals in the private sector those markings have no practical effect. If DHS is interested in protecting information about threats to the CFATS community, then they should junk the ‘FOUO’ markings and go with the Chemical-terrorism vulnerability information (CVI) marking. CFATS facilities have rules that they must abide by in protecting CVI information; rules that do not apply to FOUO marked documents.

CVI markings provide less legal protection than classified document markings, but they would allow for disclosure of some nearly classified intelligence information to the folks that would have some use for the information. It should be easier to sanitize intelligence reports to the CVI protection level than to the FOUO level of nearly no protection. It would be helpful if someone in DHS were specifically tasked with developing intelligence reports for chemical facilities marked as CVI; a chemical facility fusion center would be the ideal responsible entity.
