CSSS Reports

Well we are starting to see some reports about what went on at the Chemical Sector Security Summit last week. Earlier today the Roberts Law Group posted what appears to be the first of three blogs about the CSSS on their Homeland Security Law and Policy Blog. This short post looks at some of the numbers reported by DHS on the current status of the CFATS program. Reporting the Numbers Three important numbers here; 4110 final tiering letters sent, 887 yet to be sent, and 47 facilities that have had their initial inspections completed. The first two show that significant progress has been made on the reviews of Security Vulnerability Assessments. As we would expect, most of the ‘to be reviewed’ facilities are Tier 4 facilities and I would assume that the Tier 1 and 2 facilities in the ‘yet to be reviewed’ column were late entries. The number of inspections does not surprise me. As I have mentioned before these inspections have got to be time consuming and personnel intensive. This combined with the small inspection force means that the inspections will take time. The Roberts’ blog notes that DHS is “expected to increase PAIs to 30-40 per month” as 100 additional inspectors are added (an almost 60% increase in available inspectors). This will also be improved as the current inspectors get more proficient at conducting inspections and compiling reports (any skill gets better with practice). Also we would presume that generally speaking the chemical plants being inspected will be getting generally smaller and less complex as we move further down the Tier rankings (not always, of course, but generally speaking). More Information to Come I expect that we will be seeing more blog reports on the Summit in the coming days and weeks. The folks at SOCMA (co-sponsors of the Summit) have promised that they will be providing more information on their web site. If the previous Summits are any preview, we can expect DHS to publish copies of many of the slide presentations on the Summit Web Site in the coming weeks. I’m still hoping that they will expand that this year to videos of at least some of the presentations. I’ll certainly point out any information sources that I come across. In fact, bloggers feel free to let me know as you post about the Summit and I’ll promise plugs here on this site. I would like to suggest to the folks at DHS that they have two in-house blogs that are woefully underwritten that could be used to address CSSS information. Maybe ISCD and the Chemical Sector Office could show the rest of the Department (apologies to the TSA blog folks) how to communicate with the public.

Reader Comment 04-30-10 Cyber Inspections

Last Friday Edward, who has his own security blog, commented on my recent review of an article on cyber security. His comment was lengthy and well worth reading. He makes a number of good points about conducting threat assessments and designing an appropriate response. His final point is, I think, well worth a closer look. He closed by saying:

“While I think cyber security is going to be the wave of the future in this industry, thinking that the government can regulate this requirement effectively is naive. It is up to the facility to truly understand the threat and take the appropriate actions as opposed to striving for minimal compliance.”

CFATS Cyber Inspections I don’t believe that the current staff of chemical facility inspectors is really going to be striving for detailed investigations of cyber security issues. DHS has been looking at hiring people with physical security, law enforcement, or chemical engineering type backgrounds. While these folks will certainly be given some cyber security training during their 14 week Chemical Security Academy, they will not have the necessary background to do in-depth technical reviews of cyber security processes. At least in the initial round the most effective review of cyber security efforts at a facility will be done during the SSP submission. It will only be there that there will be a reasonable probability of an actual cyber security expert having a look at the facility program. Even there it will not be possible to do the type of detailed review of the threat assessment and response that Ed describes as being necessary to truly protect facility cyber assets. While program compliance is hardly ever an adequate measure of security, the current CFATS program’s approach to cyber security will hardly touch the reality of actually protecting industrial control systems (ICS) from potential terrorist attacks. This is not a slam of the CFATS program, just a realistic appraisal of what the Infrastructure Security Compliance Division at DHS can do. To be able to do an effective evaluation of facility ICS security they will have to have a significant cadre of ICS security experts. They would need to have at least two or three cyber security experts with ICS backgrounds in each of their regional offices to have any hope of having any possiblity of being able to conduct an a reasonable review of facility cyber security programs for every covered facility. Finding, much less hiring, 20 to 30 such experts willing to work for the Feds is just not possible in the current environment. The small existing cadre will find better pay and benefits in private industry. Future CFATS Cyber Security What will probably be a more effective way of dealing with the ICS security threat is to have a two fold enforcement program. Most facilities will have to maintain a fairly basic and simple cyber security program that addresses personnel security and limits physical and electronic access to critical systems. Inspections of this level of program will be little more than the check list type inspection that Ed described in his comments. With facilities that have been identified as a specific risk of cyber attack because of the existence of a specific threat or the existence of a high-consequence potential for release via ICS manipulation an additional would face additional scrutiny of their ICS security program. This would allow for a smaller, centralized and highly trained ICS cyber security team that would focus on just the higher risk facilities. In the mean time, what is a facility to do? It depends if the facility is more concerned with CFATS compliance or providing adequate security for their ICS. A compliance focused facility should probably rely on the reading of the RBPS Guidance manual and addressing the limited cyber security issues identified there. Facilities more interested in protecting their facilities from a terrorist cyber attack will need to get appropriate experts to do the type of threat and vulnerability assessment described by Ed.

Article on CFATS Inspection Delays

A bit of a controversy has brewed up after Monica Hatcher of the Houston Chronicle reported this last weekend on the delays in the CFATS inspection process. Ms Hatcher reported that only 12 facilities have been inspected to date. While this should not be news to readers of this blog, it apparently caught Rep. Gene Green (D, TX), a member of the House Homeland Security Committee, completely by surprise; so much so that he is now reconsidering his previous support for the House passed HR 2868. Sue Armstrong, the acting deputy assistant secretary for infrastructure protection at DHS, explained the inspection situation to the Senate Homeland Security and Governmental Operations Committee at its CFATS status hearing back on March 3rd. A large part of the problem is due to the fact that DHS must negotiate changes in each facility’s Site Security Plan (SSP) submission to get it up to where the Infrastructure Security Compliance Division (ISCD) believes that it meets the requirements of the Risk-Based Performance Standards (RBPS). The negotiations are necessary since Congress prohibited DHS from requiring any specific security measures as a pre-requisite for SSP approval. According to a subsequent article by Ms Hatcher, Rep. Shirley Jackson-Lee (D, TX), is planning on holding hearings in the Sub-Committee she chairs, the Subcommittee on Transportation Security and Infrastructure Protection, on the reasons for the delay. As a co-sponsor of HR 2868, she is concerned that these delays will further justify delays in considering and ultimately passing HR 2868 in the Senate. Inspection Delay’s Were Inevitable Actually, these delays could easily have been foreseen by anyone that has done any sort of compliance inspections. The complexity of the RBPS, the wide variety of the facilities that are covered under CFATS, and the restrictions that have been placed upon DHS by the Congress (including late funding of inspection personnel in the early part of the program) have all worked to make this a much more complex process than most people apparently expected. At this point the only thing that is going to make this go any faster will be a drastic scaling up of the number of facility inspectors. With 6,000 facilities to inspect, 50 weeks per year available for inspections, that means that there will have to be 120 inspections per week to get to every facility within a year. If you have a three person team conducting each inspection (a small number for the largest facilities, but probably too many for the smallest facilities) you would need at least 360 trained inspectors. That is assuming that they were able to complete one inspection per week Given the need to preview the negotiated SSP in detail before the inspection, and to compile and prepare the post inspection report; a week is probably too little time. Add to this the need for re-inspections, compliance assistance visits, and the inevitable other requirements that crop up in a government organization; and you probably really need 500 trained inspectors along with a substantial support staff. Oh, by-the-way, Ms Armstrong has mentioned a number of times the difficulties that the Department has been having getting qualified personnel through the lengthy and bureaucratic Federal hiring process. Oh yes, did I mention that each inspector must go through a 14 week training program since there is no pool of chemical facility security inspectors to hire from? In short, everyone is just going to have to accept that the facility inspection process is going to take at least two years to complete. And DHS intends to re-inspect Tier 1 facilities every year and Tier 2 facilities every two years. Secretary Napolitano needs to go back to Congress for more head count. ISCD is going to need it. Or, you could have DHS opperate like OSHA and EPA, do an inspection only after there is a terrorist attack. Then you can fine the facility while you’re counting the dead bodies.

CFATS Inspectors

I got an interesting email from a former brother at arms last week. He recently retired from the Air Force and had come across one of the many regional listings for openings for CFATS Inspectors. He provided me with a brief listing of his military background including his time as a full time inspector for the IG. He wanted to know what I thought of his chances of getting selected for the CFATS position.

This is an important question, especially since the Congress is on the verge of finally approving the funding for increasing the CFATS inspection force by 168 personnel. With unemployment fast approaching 10% there is even more competition than normal for any and all job postings. Trying to figure out your chances before you go through the motions of submitting an application is just another one of those aggravations that job seekers have to deal with. I provided him with my personal thoughts by return email, but I thought this would be a good time to revisit the question of how DHS can field a professional inspector cadre. I dealt with this a little over a year ago with another ex-military man from the same region in the country. Then I wrote a series of blogs on CFATS inspectors. As we approach the season of the first formal CFATS inspections, this might be a good time to re-visit the topic. 

Chemical Security Inspectors 

As I have noted on a couple of different occasions DHS has an interesting personnel problem staffing their CFATS Inspector ranks. It is not like they can go out to the local unemployment office and ask for applicants that have experience doing security inspections at high-risk chemical plants. There isn’t much of an experienced labor pool there. So what type of experience would one want to see in job seekers if they were hiring a federal inspection force to ensure that adequate security measures were in place at high-risk chemical facilities around the country? 

Well a degree in Chemistry or Chemical Engineering would be nice, especially if there were also practical experience in chemical manufacturing or distribution. Fully conversant with the use of a computer the applicant should be able to use a wide variety of applications and be conversant with at least one control system programming language. A familiarity with laws and regulations would be helpful; say some experience as a paralegal or summers as a law clerk. Some hands on experience at conducting site inspections would be helpful; it takes more than a little practice to be able to walk cold into a facility and find out the things they are trying hard not to tell you without actively lying. Military experience in security operations along with some small unit raid training and unconventional weapons experience would be very helpful. Some law enforcement experience would be nice as would the ability to speak one or more foreign languages (with Spanish high on the desirable list). Finally, the best applicant would love to live out of a suit case and should live to work. It is going to be awfully hard to find any candidate with even a small number of those qualities.

Training Inspectors Last spring when I was researching my blog piece on the DHS Chemical Security Academy I asked Sue Armstrong, then Director of ISCD, for some information on that program. I got a nice email back from her that included, among other things, a listing of the employment backgrounds of the inspectors that were currently in the field. Those backgrounds included: DHS Security Specialists Transportation/Inspection (Rail, Air, etc.) Immigration and Customs Enforcement Federal Protective Service Secret Service Emergency Services/First Responder State or local law enforcement HAZMAT Response Explosives/Bomb Technician Federal Air Marshal Chemistry/Chemical Processes and Manufacturing Agriculture Military (Army, Air Force, Navy, Marines, and USCG) Investigations (IG, Background, Arson, Post-Blast, Intelligence, etc.) 

Since DHS has been unable to get a bunch of people each with the broad background of desirable experience, they have opted for the next best thing. They have hired personnel with a wide variety of backgrounds and then trained them on the basic knowledge requirements at the Chemical Security Academy. 

On the Job Training 

I was really impressed with the foresight that DHS showed last July when they formally provided a mechanism for high-risk facilities to request a Compliance Assistance Visit. This was a timely program that would provide multiple benefits to both the visited site, but also to DHS and their inspector cadre. First facilities would be able to truly get government assistance to resolve compliance issues in a non-confrontational environment. At this point (before SSP’s are approved or in most cases even submitted) there is no down side to having an inspector visit the site. There is no danger that the inspector will find a violation that he would be forced to take action on; there can be no violations yet. Correcting a Risk-Based Performance Standard (RBPS) compliance problem before the facility SSP is submitted can only save time and money. 

DHS builds up a reputation in the regulated community for working with the covered facilities in a cooperative manner rather than in an adversarial relationship. This will be key in getting complete answers to future security questions. The key to an effective CFATS program (one that actively prevents terrorist attacks) is an open exchange of information (both ways) between DHS and the high-risk facilities. Finally, this program will give the academy trained inspectors a wide exposure to the vast variety of chemical facilities that will be covered by the CFATS regulations. Even chemists and chemical engineers with years of industry experience will have exposure to only a limited number of types of facilities in their career. The more facilities that each inspector can walk through and closely observe before they start their formal evaluations of site security plans this December, the better inspectors they will be. 

Initial Inspections 

Sue Armstrong, currently Acting Deputy Assistant Secretary Infrastructure Protection, told the Energy and Environment Subcommittee at the recent HR2868/HR3258 hearing that DHS will start their initial inspections of Tier 1 facilities in December. I would be willing to bet that, with the relatively small number of Tier 1 facilities and their very high-risk status, those inspections will be conducted by relatively large teams. This will be justified (properly so) by the importance of getting the inspection done quickly and completely. The large team size will also be a useful tool to get the inspectors working the inspection with a common procedure and working the inspection process bugs out in a common manner. I would bet that there will be extensive cross loading of the inspection teams from inspection to inspection to ensure that all teams are working from a similar sheet of music. 

This will go a long way to establishing a strong, consistent and effective inspection program.