CFATS and Iranian Threat Reports

It has been over a week now since the Cybersecurity and Infrastructure Security Agency (CISA) published their NTAS Bulletin about the ‘Iranian Threat’. Since then CISA has also published a document entitled “Increased Geopolitical Tensions and Threats” and the CISA Bomb-Making Materials Awareness Program (BMAP) sent out an email Special Advisory Bulletin (SAB) entitled “Iranian-Inspired Terrorism Threat” (see unofficial copy here).

IED Theat

All of these documents from CISA highlighted the potential for “Improvised explosive devices (IEDs), which are a staple tactic of the Islamic Revolutionary Guard Corps (IRGC), its Quds Force (focused on external, global operations), and proxy entities such as Hizbollah”. The BMAP SAB focused on retailer actions and specifically noted that:

“WARNING: While no information indicating a specific, credible threat to the Homeland, was assessed, individuals inspired to commit acts of terrorism may try to acquire or legally purchase common household items such as explosive precursor chemicals (EPCs), explosive powders, and IED components at retailers in your community to construct IEDs for use against infrastructure targets.”

With all of this supposed focus on improvised explosives what is the Chemical Facility Anti-Terrorism Standards (CFATS) program doing for this potential threat?

RBPS-13 Requirements

The CFATS regulations require facilities to address in their site security plan a risk-based performance standard requirement to “Escalate the level of protective measures for periods of elevated threat” 6 CFR 27.230(13). The Risk-Based Performance Standard (RBPS) guidance manual addresses this requirement under RBPS-13, Elevated Threats (pg 101). Unfortunately, that document was written when the old ‘Color-Coded’ Homeland Security Advisory System (HSAS) was still in effect. The guidance manual has not been updated to reflect the change to the ‘new’ National Terrorism Advisory Systems (NTAS) that was implemented by DHS in 2011.

In 2011, DHS did publish three documents on the CFATS Knowledge Center page which provided updated information on the enhanced security trigger points in the new NTAS with the understanding that with the exception of those revised triggers, the RBPS-13 guidance in the manual was still appropriate. Unfortunately, only one of those documents, FAQ 1724, remain on the Knowledge Center, and that was updated on May 17^th, 2017 to reflect the addition of ‘Bulletins’ to the NTAS system.

Since the NTAS issued a Bulletin on January 4^th, it is important to look at FAQ 1724 to see what actions are required for a CFATS facility when a Bulletin is issued:

“NTAS Bulletins were added to the advisory system to communicate current developments or general trends regarding threats of terrorism. NTAS Bulletins permit the Secretary to communicate critical terrorism information that, while not necessarily indicative of a specific threat against the United States, can reach homeland security partners or the public quickly, thereby allowing recipients to implement necessary protective measures. CFATS facilities should monitor the system for Bulletins for situational awareness and may use their best judgement to apply the information posted as applicable to the facility.”

So, facilities are under no specific requirement to implement their enhanced security measures under RBPS-13 simply because this Bulletin was issued. Now individual facilities could have been contacted directly by the Infrastructure Security Compliance Division (ISCD) to increase their security posture due to the Bulletin or either of the other two threat assessment documents I described above. There has been no indication that this has been done on any large scale.

Precautionary Actions

Since this is largely an increased IED threat, facilities that manufacture, store or use chemicals identified as IED precursors (including those not listed in Appendix A to 6 CFR Part 27) should probably review the enhanced security procedures listed in their Site Security Plan and implement those focused on increased awareness. They might also want to consider implementing increased physical security controls around small, man-portable packaging containing those precursor chemicals. Finally, a call to the facility’s Chemical Security Inspector for additional guidance would probably be a good idea.