Last week the DHS Infrastructure Security Compliance
Division (ISCD) updated their Chemical Security Assessment Tool (CSAT) web page; this
is part of the extensive
web site for the Chemical Facility Anti-Terrorism Standards (CFATS)
program. The only change to the CSAT page was the addition of a link to the new
CFATS Site Security Plan (SSP) Submission Tips web page.
This new web page is part of the on-going ISCD outreach
program to the CFATS regulated community. It is not a substitute for the SSP
manual and the Risk Based Performance Standards (RBPS)
Guidance manual, but rather a highlight of those types of things that have
apparently been found lacking in many SSP submissions in the past. It
highlights four major areas of concern:
• Consider what security measures to address;
• Detail current security measures;
• Describe planned security measures; and
• Specify facility-wide or asset-specific security measures
What Security Measures
Of course, facilities are going to need to address security
measures in each of the 18 RBPS that are applicable to the DHS chemicals of
interest (COI) identified on the facility tiering letter. This section of the
web page addresses five “overarching objectives” of the SSP:
• Detection;
• Delay;
• Response;
• Cyber; and
• Security Management
These are covered in short (one paragraph) discussions and
links to the four RBPS fact sheets that ISCD began issuing earlier this year:
• RBPS 8, Cyber Fact Sheet
• RBPS 9, Emergency Response Fact Sheet
• RBPS 12, Personnel Surety Program Fact Sheet
• RBPS 18, Records Fact Sheet
Current Security Measures
This section briefly covers two rather broad topics:
• Be as detailed as possible; and
• Don’t overlook safety and environmental measures already in place that contribute to security.
In my conversations with folks in the field, the first point
is probably the most important for a successful SSP submission. This new web
page says it well and succinctly:
“The text boxes in the Chemical Security
Assessment Tool’s (CSAT) SSP application
have been included so that facilities can more fully describe current security
measures, including how the measures address the relevant RBPS. The better DHS
can conceptualize and understand your approach to security measures, the better
DHS can evaluate whether they meet the applicable RBPSs.”
Facility-Wide vs Asset-Specific
The discussion here is important, though more than a little
simplified (to be expected in a short document like this). It boils down to
this. Security measures can be quite expensive, especially as the size of a
facility increases. Since different types of COI may require different types of
security measures, a facility may be able to significantly reduce costs by
confining certain security measures to just those areas where their listed COI
are stored or handled. Provisions are made in the CFATS to allow facilities to
do this.
Commentary
Again, ISCD has consistently tried to reach out to the CFATS
community and provide the necessary information to successfully comply with the
program requirements. This is part of that outreach. It is not (nor was it
intended to be) the ultimate word in developing a successful SSP submission. It
is just part of the process.
Facility security personnel will find this helpful only if
they are familiar with the RBPS Guidance document and the SSP manual. Other
sources of useful information in this matter are two of the recently
published presentations from the 2017 Chemical Sector Security Summit:
In fact, the CSSS web site has
links to additional presentations from previous years that will also be helpful.
The whole CSSS program is helpful for anyone interested in chemical facility
security issues.
One final point: cybersecurity continues to pop up regularly
in any discussions about the CFATS program. ISCD is certainly taking great
pains to mention the topic whenever they discuss site security plans or
compliance inspections. They have taken particular care to communicate that
‘cybersecurity’ is not only important for the control
systems that touch on the handling and/or storage of covered COI, but also
includes cybersecurity measures to protect security controls (surveillance, intrusion
detection, and access control systems) as well as business systems that affect
the handling (ordering, selling or transporting) or storage of covered COI.