
Sunday, January 9, 2022

Review - ChemLock Exercises – Chemical Sector IED

NOTE: This is the first in a series of blog posts looking at various CISA Tabletop Exercises Packages (CTEP) offered to chemical facility managers by the new CISA ChemLock program, a voluntary chemical security program run by the Office of Chemical Security (the CFATS folks). It is a follow-up to my earlier Overview post. CTEP administrative documents can be found here. The scenario manuals can be found here.

This post looks at the Chemical Sector IED scenario (docx download link). (BTW: someone needs to talk with CISA about the hazards of links that automatically download MS Office or .PDF documents.) For those of you who have played wargames or D&D, this scenario is going to be a bit of a disappointment. There is no dungeon master script and there are no unit markers with strength points and movement allowances. More importantly, there are no winners. These scenarios provide a brief generic description of an attack and its aftermath with a series of discussion questions about what should have been done, what should be done, and who had responsibility for the various actions.

The Scenario Document

The basic scenario document downloaded from the Physical Security Scenario page consists of a Word® document that facilities can customize for their situation. It contains three modules:

• Incident and Response,

• Sustained Response, and

• Short-Term Recovery.

Each module contains a brief and rather generic description of each phase of the incident and a series of questions to guide a discussion between the exercise participants about actions that could have been taken before, during, and after each phase of the incident to mitigate the effects. Some of the questions will not be appropriate for smaller scale exercises with limited (or no) outside participation. Those questions should just be ignored during the exercise. Management may want to raise those questions, though, with the Local Emergency Planning Committee (LEPC).

Alternate Use

While these questions were designed to be discussed after a facility has had a chance to develop a site security plan (SSP), an enterprising security manager would do well to look at these questions while developing that SSP. The questions, while not exhaustive, are comprehensive and provide a good look at what the site security plan should include for this particular scenario. They provide an informed look at some of the issues that the plan should be expected to address.

For more details, including the major discussion questions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-exercises - subscription required.


Monday, January 3, 2022

Review - ChemLock Exercises – An Overview

Developing a chemical facility security plan is just a time-consuming, compliance exercise until it has been tested. Instead of waiting for a real-world security incident to be the first test of a facility security plan, a smart security team will conduct a variety of exercises to evaluate the efficacy of the plan and the assumptions which drove its development. CISA’s new ChemLock program, a voluntary off-shoot of the successful Chemical Facility Anti-Terrorism Standards (CFATS) program, provides a number of exercise tools that facility security managers can use to plan, execute and evaluate a series of exercises to see how well their facility security plan stands up to a variety of security scenarios.

ChemLock Exercise Web Page

This page is the starting point for exercise planning and development. Most of (okay maybe all, but I am not sure about that) the information here was not specifically developed by the CISA Office of Chemical Security (the folks that manage the CFATS program), but rather by the wider range of offices within CISA and DHS.

There are two general options provided on this page. The first (and easiest) is a series of canned CISA Tabletop Exercises Packages (CTEPs). The CTEPs are no-cost to download and include the scenario-specific situation manual, planner handbook, facilitator/evaluator handbook, and assorted forms and templates. The second option is to contact the ChemLock folks to ask for assistance in planning and executing an exercise. That option is initiated by the use of the same ChemLock Services Request Form that I have mentioned in a number of earlier posts.

Which Exercise?

In a perfect world, every facility would run every exercise as a routine part of operations. Obviously, that is not going to happen in the real world. If a facility has never run an exercise of this sort, it is probably best to concentrate on one exercise and run it through a couple of iterations before trying to determine what sort of ‘exercise schedule’ will be appropriate for the facility.

I will be looking at individual exercise packages in future posts, but each facility is going to have to determine which exercise would be the most appropriate to start with. Facilities are going to want to start with something simple, but something that is a real potential threat at that facility. For example, a vehicle-borne explosive device is probably not a serious threat at a facility that does not have significant inventories of toxic inhalation hazard chemicals on site unless an attacker has a particular issue with the facility.

Remember, though, the whole purpose of the ChemLock program is to help chemical facilities solve their security issues. The folks at OCS have offered to provide that assistance. So, facilities should contact the ChemLock folks with their questions about these exercise programs. Questions should be addressed via email to ChemLock@cisa.dhs.gov.

For more details about these exercise offerings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-exercises-an-overview - subscription required.

Tuesday, May 18, 2021

HR 3223 Introduced - CISA Cyber Exercise Act

Last week Rep Slotkin (D,MI) introduced HR 3223, the CISA Cyber Exercise Act. The bill would establish in CISA the National Cyber Exercise Program. It also takes care of some administrative changes to the section numbering in Subtitle A of title XXII of the Homeland Security Act of 2002.

Cyber Exercise Program

Section 2(a) of the bill amends the Homeland Security Act of 2002 by adding a new §2220A, National Cyber Exercise Program. It establishes in CISA the National Cyber Exercise Program to evaluate the National Cyber Incident Response Plan, and other related plans and strategies. The program will be {new §2220A(a)(2)(A)}:

• Based on current risk assessments, including credible threats, vulnerabilities, and consequences,

• Designed, to the extent practicable, to simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident,

• Designed to provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements, and

• Designed to promptly develop after-action reports and plans that can quickly incorporate lessons learned into future operations.

The Exercise Program will include a selection of model exercises that State, local, and Tribal governments, as well as private sector entities, could use in the design, implementation, and evaluation of exercises that {new §2220A(a)(2)(B)(ii)}:

• Conform to the requirements described above,

• Are consistent with any applicable national, State, local, or Tribal strategy or plan, and

• Provide for systematic evaluation of readiness.

HSA Cleanup

Congress writes many of its homeland security bills as amendments to the Homeland Security Act of 2002. The piecemeal nature of these amendments frequently results in section numbering issues that have to be corrected. The current version of the HSA has a series of these issues in Subtitle A, Cybersecurity and Infrastructure Security, of Title XXII. The table of contents shows:

Sec. 2214. National Asset Database.

Sec. 2215. Sector Risk Management Agencies.

Sec. 2215. Cybersecurity State Coordinator.

Sec. 2215. Joint cyber planning office.

Sec. 2215. Duties and authorities relating to .gov internet domain.

Sec. 2216. Cybersecurity Advisory Committee.

Sec. 2217. Cybersecurity Education and Training Programs.

Section 2(b) of the bill corrects this multiple §2215 situation so that the revised table of contents will read:

Sec. 2214. National Asset Database.

Sec. 2215. Duties and authorities relating to .gov internet domain.

Sec. 2216. Joint cyber planning office.

Sec. 2217. Cybersecurity State Coordinator.

Sec. 2218. Sector Risk Management Agencies.

Sec. 2219. Cybersecurity Advisory Committee.

Sec. 2220. Cybersecurity Education and Training Programs.

Sec. 2220A. National Cyber Exercise Program.

Moving Forward

As I mentioned earlier, this bill will be marked up this afternoon by the House Homeland Security Committee. I expect that the bill will receive substantial bipartisan support. I then expect it to be considered by the full House under the suspension of the rules process.

Commentary

CISA, and its predecessor agency, have already been holding a series of national cybersecurity exercises, so this bill is not really starting something new with the National Cyber Exercise Program. I am not sure if CISA has had a formal program for being able to share exercise models with State, local and Tribal governments, so this may be an addition to the existing program.

It would be nice if CISA were able to stand up something like the TSA’s Exercise Information System to aid in the development of industry and local government cybersecurity exercises. Unfortunately, this bill does not go quite that far, and it does not provide for any funding that would allow for that type of expansion.

 