Today the Cybersecurity, Infrastructure Protection, and
Innovation Subcommittee of the House Homeland Security Committee held a
hearing on “Securing Our Nation's Chemical Facilities: Stakeholders
Perspectives on Improving the CFATS Program” (video here). The Subcommittee
heard from a panel of labor and safety advocates as well as a representative of
the American Chemistry Council (ACC).
Witnesses
Today’s witnesses included (link to prepared testimony):
• Mr.
John Morawetz, International Chemical Workers Union Council;
• Dr.
Mike Wilson, Ph.D, MPH, BlueGreen Alliance;
• Pamela
Nixon, People Concerned About Chemical Safety; and
As I mentioned in an earlier
blog post, there was a fifth witness originally scheduled to be on the
panel. There was no indication today why Randy E. Manner, Manner Analytics, was
not present at the hearing.
Expected Coverage
As expected, based upon previous hearings and the change in
leadership in the House, much of the questioning today addressed four topics:
• Voluntary ‘best practices’;
• Information sharing;
• Employee involvement; and
• Whistleblower protections
The ‘new’ term ‘best practices’ has apparently replaced the
more controversial ‘inherently safer technology (IST)’ that was used extensively
in the chemical safety and security discussions in the earlier Democratic lead House.
All of the questioners and panel members (even to an extent Meskill) generally
agreed that the sharing of ‘best practices’ related to actions that facility
could take to reduce their chemical risk was a good idea. There were no concrete
ideas (or even suggestions) how those ‘best practices’ could be implemented at
other facilities. There was a general agreement that DHS Infrastructure
Security Compliance Division (never named in the hearing) should share what
information that it did have.
The ‘information sharing’ bit was mainly about how and what CFATS
facilities should share with local first responders, emergency planners and
local communities to help respond to the release of chemicals or chemical
incidents resulting from terrorist attacks, weather emergencies or accidents.
Again, there was a general agreement that that information sharing was
important and should be expanded. Ranking Member Katko (R,NY) made the point
that other regulatory programs had more expansive information sharing
requirements where concerns should more probably be addressed. Katko made a
vague point about the CVI requirements for first responders.
Employee involvement in safety and security planning has
long been a priority for Democrats. The point was made many times by Committee
members and panelists that line employees would have valuable insights that should
be included in identifying security vulnerabilities and planning for site
security plans. Meskill made the point that they included employees at all
stages of the security (and safety) planning and implementation process but
agreed that she could not speak for all CFATS facilities.
The Democrats again have long had concerns about the
whistleblowing protections provided to employees. Member concerns about
protecting employees from retaliation due to their reporting security (and
safety) problems at facilities. Interesting, none of the panel members could
provide any information on the problem when questioned. Katko pointed out (in
the only second round of questioning in the hearing) that the CFATS Tip Line
provided a way that employees could anonymously report problems at covered
facilities (including the lack of initial notification to ISCD).
Cybersecurity
The one new (and unexpected to me) topic that came up a
number of different times was cybersecurity. Langevin (D,RI), Rice (D,NY) and
Jackson-Lee (D,TX) all had questions about cybersecurity issues. Langevin questioned
cybersecurity training (particularly in control rooms); Rice asked about
cybersecurity standards in CFATS and Jackson-Lee announced that she would be
introducing the Frank Lautenberg Chemical Facility Cybersecurity. No detailed
responses were available from any of the panel members.
Commentary
In an earlier set of blog posts I identified those items
that I though should be addressed in any legislation reauthorizing the CFATS
program. Two of those posts are appropriate (in my opinion) responses to some
of the questions raised today. Those include:
• Best
practices (IST); and
There are a couple of things that still need to be addressed
here. First is Katko’s comments about the applicability of Chemical-Terrorism
Vulnerability Information (CVI) requirements to first responders. ISCD has long
maintained that first responders entering a facility in response to an actual
emergency situation are not required to be CVI qualified; actual emergency
response does not rely on access to CVI controlled information. Emergency
planning is something else entirely. There are requirements (§7.02) outlined in the CVI
Guidance manual for providing access to CVI information to State and local
officials, including emergency response planners. That guidance ends by explaining:
“State, local, and tribal
officials, including first responders, must have access to any information that is
necessary to plan for and respond to an emergency event at a chemical facility
[emphasis added]. It is equally important that this information is available in
a form that is readily accessible and easily disseminated. Accordingly, to the
extent possible, facilities should provide information to State, local and
tribal entities in non-CVI form. In many cases, a facility can provide a
product that contains all of the necessary operational and facility-specific
information and excludes CVI.”
Katko also made a point that should be remembered by
everyone involved in the CFATS reauthorization process; the CFATS regulations
are not the only federal rules that require chemical companies to coordinate
emergency response planning information with local authorities. Facilities
could easily find the necessary information for emergency response planners in
their already required information provided to local fire departments and Local
Emergency Planning Committees (LEPCs).
There are some exceptions to the EPA reporting requirements that
apply to CFATS facilities. Most chemicals on the DHS list of chemicals of
interest (COI) that triggers CFATS reporting requirements that are not on the
EPA’s Risk Management Program list of covered chemicals are covered by CFATS
because they can be used for preparing improvised explosives or improvised
chemical weapons. While these chemicals are not generally as much of an
off-site hazard as the RMP covered chemicals, the emergency response planning
is more of a law enforcement issue than fire department response planning. This
would make for some interesting information sharing requirements that are not
specifically outlined in any existing regulations.
The other interesting thing that came out of this hearing
was the new Committee interest in cybersecurity issues. Richmond’s Subcommittee
should probably hold another hearing (maybe two) specifically about
cybersecurity issues. This is going to be a complex set of issues and a wide
variety of experts and stakeholders are going to have to be involved in the
efforts to address it.
One thing that the Committee crafters are going to have to
deal with in writing cybersecurity requirements is that the CFATS program is a
risk-based program that prohibits DHS from requiring specific security measures.
This is due to the recognition that each of the very wide variety of covered
facilities (from a number of different chemical and non-chemical manufacturing facilities)
require differing security measures to protect against terrorist attacks. This
remains true for the varying information and control system technologies that
will be found in these facilities.
Posts
No comments:
Post a Comment