Thursday, March 14, 2013

CFATS Risk Assessment


I had received an advance copy of the testimony of Timothy J. Scott, CSO at Dow Chemical, for today’s CFATS hearing, and I was struck by the concerns that he stated about the way that facilities were assigned to risk-based tiers. Then last night I read the testimony of Stephen L. Caldwell, from GAO, and the latest GAO report also addressed concerns about that process. The two looked at different aspects of the problem, the transparency of the process and the effectiveness of the process. Both are important considerations.

Transparency

Scott, who is also representing the American Chemistry Council in this hearing, notes that (pg 4):

“In some cases, some ACC members have questioned their tier assignment either because it does not mesh with the onsite security assessment or it is inconsistent with other similar covered facilities managed by the same company. However, when engaging DHS on their tier assignment, the typical response is that it is ‘classified’.”

In my experience the ‘it’s classified’ response is frequently intended to mask the fact that the speaker just does not want to talk about the issue. For a tier assignment methodology to be truly ‘classified’ (you know, National Security, Secret, Top Secret, etc.) the methodology would have to use active intelligence information about a specific threat to that facility or category of facilities.

Scott refers to this when he says: “However, other tiering factors such as local threat information are not shared with the facility.”

Scott goes on to make the point that no one has more of a ‘need to know’ about local threat information than the facility security manager who “has the ultimate responsibility for the safety and security of its operations, and he or she also has the authority to make informed risk mitigation and security investment decisions”. As I have mentioned before, ISCD must establish a methodology for sharing threat information with facilities.

Risk Assessment

Now, having said all of that, according to the GAO report, maybe the ‘it’s classified’ really is ‘we don’t want to talk about it’. According to the GAO (pg 7):

• ISCD is inconsistent in how it assesses threat using the different models because while it considers threat for the 10 percent of facilities tiered because of the risk of release or sabotage, it does not consider threat for the approximately 90 percent of facilities that are tiered because of the risk of theft or diversion; and

• ISCD does not use current threat data for the 10 percent of facilities tiered because of the risk of release or sabotage.

Why isn’t ISCD using current threat data for at least the release and sabotage tiered facilities? The GAO investigation reveals that:

“ISCD officials said they do not use the information because it is “self-reported” by facilities [on the SVA submission] and they have observed that it tends to overstate or understate vulnerability”.

Which means, of course, that ISCD doesn’t have any specific threat information to share. It also means that the ‘it’s classified’ response is a pure smoke screen. The good news is that they don’t have to waste time setting up an intelligence sharing effort.

No Economic Risk

The current Security Vulnerability Assessment (SVA) tool in the CFATS program asks a limited number of questions about the economic importance of the facility. The reason is that one of the factors that should be considered in a risk assessment is the economic consequences of a successful terrorist attack on the facility. A facility whose destruction would cripple the economy is certainly a high-risk facility even if only a limited number of people would be affected by the direct physical consequences of the attack.

Again, according to the GAO (pg 6):

“Our review of ISCD’s risk assessment approach and discussions with ISCD officials shows that the approach is currently limited to focusing on one component of consequences—human casualties associated with a terrorist attack involving a chemical of interest—and does not consider consequences associated with economic criticality.”

Why aren’t the economic consequences considered? It will require additional work; work that was just recently started. Sandia Labs has been commissioned to develop the information about “how ISCD could gather needed information and determine the risk associated with economic impact”. That information won’t be available until June of next year. Who knows how long it will take to convert the information to action?

Moving Forward

I’m sure that there will be some questions today about this risk evaluation process in the Environment and the Economy Subcommittee CFATS hearing. It would seem to me that this topic is important enough to require its own separate hearing. Companies are spending lots of money on security solutions for these high-risk chemical facilities. In most cases the amount of money is directly related to the tier rankings arrived at by the flawed risk assessment process currently in use by ISCD.
