Showing posts with label Presentations. Show all posts

Thursday, January 6, 2022

Review - 2021 Chemical Security Summit Presentations

Yesterday CISA updated the Chemical Security Summit (CSS) web page to provide links to some of the presentations that were made at last month’s virtual summit. The links go to copies of the slides used in the presentations, not videos of the actual presentations, so a lot of detail is missing. And they have not covered all of the presentations that were made. Still, there is a great deal of information here.

The presentation slides available include:

CFATS Risk-Based Performance Standards (RBPS) Deep Dive and Best Practices

CFATS Personnel Surety Program Overview and Demonstration

Cyber-Physical Security Convergence in the Private Sector

Cyber Threat Hunting: Industrial Control System Security

How to Conduct a Chemical Security Exercise

Jack Rabbit III Program Update

P4 – A Platform for Public-Private Emergency Management Collaboration

Voluntary Chemical Security Initiatives: CISA ChemLock

Case Study on Recent Disruptions in the Supply of Chlorine: Impacts and Responses

Missing Presentations

The following presentations that were made in the 3-day Summit did not make it to the list of published presentations:

• State of Chemical Security,

• Industry Perspective on the Threat Landscape,

• FBI Chemical Threat Briefing,

• FBI Case Study on Economic Espionage in the Chemical Sector, and

• Probabilistic Analysis for National Threats Hazards and Risks (PANTHR) Overview.

I have no idea why the first two presentations did not make the publication cut. The two FBI presentations were restricted (no press allowed) in the first place, so there is no surprise that the slides were not shared. I was surprised that the DHS S&T PANTHR presentation did not get published. The program web site coverage is extensive, so there should not have been any concerns about sensitive information.

For more details, including brief summaries, about the presentations, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2021-chemical-security-summit-presentations - subscription required.

Thursday, December 9, 2021

Review - 2021 Chemical Security Seminars – Cyber-Physical Convergence

Yesterday was the 2nd of three weekly Chemical Security Seminars that for a second year are taking the place of the Chemical Security Summit due to the Covid-19 pandemic. Again, because of other commitments, I was only able to take in one of the presentations: “Cyber-Physical Convergence in the Private Sector”. Copies of the slides for many (sadly not all) of the presentations will probably be available next month.

NOTE: See my post about last week’s presentation on ChemLock.

According to the agenda for yesterday’s seminar, the presentation was to be focused on “operating in today’s threat environment of hybrid attacks that target both physical and cyber assets and the risks associated with siloed security functions.” The two presenters were:

• Sandra Parker, Global Improvement Director – Cybersecurity, Dow, Inc., and

• Bradford Willke, Senior Advisor for Cyber-Physical Convergence, Infrastructure Security Division, CISA

Each of the speakers provided a brief overview of the topic from their different perspectives and then the moderator, Todd Klessman, Deputy Associate Director, CISA Chemical Security, guided a discussion on the topic with help from questions from the audience.

I enjoyed both presentations and the discussion afterwards. Parker and Willke both had valuable insights into the problems associated with providing security for a modern chemical manufacturing operation. Unfortunately, the discussion was targeted at large corporate operations where you can find security operations centers and separate silos for IT, OT, and physical security. There was little here that would be of much help to medium to small size chemical facilities. And, while safety operations were mentioned, there was little discussion about integrating safety into security planning or security into safety risk management.

For more details about the presentation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2021-chemical-security-seminars-460 - subscription required.

Wednesday, August 15, 2018

ISCD Publishes 2018 Regional Meeting Presentations


Today the DHS Infrastructure Security Compliance Division (ISCD) published a notice on the Chemical Facility Anti-Terrorism Standards (CFATS) landing page that ‘select presentations’ from the 2018 Regional Meetings are available on the Chemical Sector Regional Event Presentations page.

Five presentations are available:


After a quick review of each of the slide sets, it is easy to tell that there is worthwhile information available just reviewing the slides. Unfortunately, if the presenters were worth anything at all (and I expect that they were well prepared), then the oral presentation provided a lot more information, clarification and insight. Unfortunately, not everyone has a travel budget that allowed for attending a regional meeting; this is why I have advocated for the use of either video conferencing or at least video recording the key presentations at meetings such as this.

I was disappointed that two presentations were not included in the selection published today. The ones that I was also hoping to see were:

• Cybersecurity Capability Overview; and
• Malicious Use of Drones

Saturday, September 19, 2015

DHS Publishes 2015 CSSS Presentations

Earlier this week DHS updated the Chemical Sector Security Summit web site. A number of the presentations that were made at the 2015 CSSS in July now have their slides available on-line.

The on-line slides include:


I have done a quick look review of all of these slide sets and they all contain some valuable information about various aspects of the CFATS Program. Unfortunately, they do not contain the audio portion of the presentation so some of the detailed information provided at the CSSS has been lost. The Department did provide web casts of two presentations this year; the keynote by Amy Pope and David Wulf’s CFATS Update. Hopefully there will be more web casts next year.


Wednesday, September 19, 2012

2012 CSSS Presentations – CFATS at Educational Institutions


This is another in a series of blog posts about presentations made at the recent 2012 Chemical Sector Security Summit. The first in the series dealt with the problems associated with the presentations in general. The subsequent posts will deal with the information provided in the slide presentations. The published presentations only provide the outline; I’ll try to fill in what information that I can from other sources or my best guesses.





This post will look at the application of the CFATS program at educational institutions. The presentation was made by Brad Huntsman of ISCD. Since the first draft of the CFATS regulations DHS has made it clear that they expected that there would be portions of educational facilities that would fall under the CFATS definition of a high-risk chemical facility, including laboratories and physical plant operations. This brief presentation looks at how many such facilities actually made it onto the current list of high-risk chemical facilities regulated under CFATS.

Coverage


The CFATS regulations require any facility that has had in the last 60-days an inventory of any of 300+ DHS chemicals of interest (COI; Appendix A, 6 CFR Part 27) in excess of the listed screening threshold quantity (STQ) to submit a Top Screen to provide DHS with the initial information needed to determine if a facility could potentially be regulated under the CFATS program. Slide # 3 of the presentation notes that the following areas of educational facilities could be affected by this Top Screen submission requirement (Note: This is not an exhaustive list):

• Chemistry labs;
• Research facilities;
• Field houses;
• Pool complexes; and
• Agricultural, medical, and other campus facilities

Slide #4 provides the following data on the number of Top Screen submissions and subsequent status under the CFATS rules:

• 324 Top Screen submissions;
• 60 Regulated high-risk chemical facilities; and
• 8 Pending final status determination.

After each potentially regulated facility submits a subsequent Security Vulnerability Assessment (SVA) ISCD makes a final determination if the facility is a covered facility and places it into one of four risk tiers ranking its potential risk for terrorist attack; Tier 1 is the highest tier ranking. Slide #4 also provides data on the tier rankings of the 60 regulated educational facilities.

• 1 Tier 1 facility;
• 17 Tier 2 facilities;
• 6 Tier 3 facilities; and
• 36 Tier 4 facilities.

There is nothing in the presentation that explains why there is a Tier 1 facility on this list, but I would suspect that it is due to the presence of a large amount of a toxic inhalation hazard chemical (probably chlorine or anhydrous ammonia) at a campus support facility though it could be due to the presence of relatively small amounts of actual chemical weapons grade materials at a research lab. The Tier 4 facilities are probably due to the significant presence of theft-diversion chemicals in campus labs or research facilities; these would be due to chemicals that could be used to make improvised explosives or chemical weapons.

Defining Covered Facilities


The fact that an educational institution is regulated under CFATS does not mean that the entire facility is placed under strict security controls. It would be patently untenable for an entire college or university to be placed under the type of security measures necessary to comply with the Risk-Based Performance Standards for high-risk chemical facilities.

As do all chemical facilities, these schools have the option of deciding just what portion of their campus will be included in the boundaries of the reported facility. In fact, the 60 CFATS covered facilities are located at only 45 different schools. This means that some number of schools have multiple covered facilities within their campus.

Educational Security Measures?


It does not appear that Mr. Huntsman provided any information about how the Department expected these facilities to go about adequately securing their facilities. The presentation includes a generic page that deals with “CFATS Outreach to Colleges and Universities” but it provides no real information other than mentioning “DHS has created outreach materials” (a tri-fold brochure that can be accessed on the CFATS Knowledge Center web page. Sorry no permanent link is available; go to ‘page 2’ of the Documentation section at the bottom left of the page) for such institutions.

Because of the problems that ISCD is having with their Site Security Plan approval process, I would suspect that, other than the one Tier 1 facility, they have not given a lot of thought to the process of how schools should go about securing their high-risk chemical facilities.

Monday, September 17, 2012

2012 CSSS Presentations – CFATS Personnel Surety Program


This is another in a series of blog posts about presentations made at the recent 2012 Chemical Sector Security Summit. The first in the series dealt with the problems associated with the presentations in general. The subsequent posts will deal with the information provided in the slide presentations. The published presentations only provide the outline; I’ll try to fill in what information that I can from other sources or my best guesses.




Today I will address the presentation made by Matthew Bettridge of DHS ISCD on the CFATS Personnel Surety Program. The PSP is supposed to address the requirement of §27.230(a)(12)(iv) that requires high-risk chemical facilities to include in their personnel surety programs “measures designed to identify people with terrorist ties”. Currently the only federally acceptable way to identify such people is to compare a person’s identity against the Terrorist Screening Database (TSDB) administered by the Transportation Security Administration.

DHS Does Not Grant/Deny CFATS Access


As currently set forth in RBPS #12 and the CFATS regulations, ISCD does not intend to administer a program like the TSA TWIC or HME. There is no regulatory standard for access to CFATS facilities similar to the ones found in those programs. CFATS facility management will be the one to decide what standards must be met in the general background checks to be conducted by the facility. The only regulatory requirement is that the facility must submit information (what information has yet to be established) to ISCD to allow TSA to conduct a check against the TSDB. There is not even a prohibition against a person who is listed on the TSDB as a suspected terrorist being given unaccompanied access to critical areas of a high-risk chemical facility.

Previous Attempt at PSP


The presentation takes two slides to try to clarify the proposed requirements of the PSP that was recently withdrawn from consideration by the Office of Management and Budget (OMB). The OMB must sign-off on the program because it collects and processes information supplied by the public and the OMB is tasked to ensure that such information collection requests are lawful, necessary, and minimally invasive. How much of that previously proposed PSP will be contained in the new program that has yet to be developed remains to be seen.

The New Proposal


Under Secretary Beers recently told a Congressional Sub-committee that the Department will publish the new proposal within 30 days. Given that short time frame (and reasonably that means that the final draft has to be circulating for review within NPPD), it is kind of surprising that there was so little information in this presentation about what ISCD intended to include in their new proposal.

Actually, there was only one new item floated in this presentation (unless Bettridge talked about others that were not in the slide). That was to allow the use of TWIC readers in lieu of submitting personally identifiable information to ISCD/TSA. If this does come about, ISCD will have a TWIC reader ‘rule’ in place before the Coast Guard (I know TSA and CG have already done the hard work, but it will be ironic in any case).

Use of the TWIC


If this clearly authorized use of the TWIC reader is included in the final CFATS PSP it is going to have its upsides and downsides. Truck drivers with either a TWIC or HME (I think that TWIC readers should recognize HMEs but I’m not positive; anyone want to chime in here?) will have a delivery edge at CFATS facilities, but it will also increase the number of truck drivers that are going to have to try to get a TWIC (and many won’t be able to because of criminal records) as CFATS security managers begin to require drivers to have TWICs to enter their facility. This is going to put drivers at places away from TWIC Enrollment Centers at even more of a disadvantage.

Facilities wishing to go to the TWIC for their PSP are going to have problems with the same criminal conviction problem that is going to be facing truck drivers. Many owners have been willing to overlook some criminal convictions that TSA will not let slide because they know the worker involved or are willing to take the risk for a variety of reasons. Sliding the whole PSP responsibility to TSA will force a number of people out of the chemical workplace.

Finally, if there is a large-scale move to using TWIC Readers for PSP purposes at CFATS facilities the need for processing a large number of new applications is going to coincide with a large number of renewals of current TWIC users. This could create the same kind of back log in the system that we saw in the early days of the initial issuance of the TWIC.

PSP Approval


Unless ISCD requests emergency approval of their new PSP information collection request (ICR) it is going to take at least six months for the approval process to move forward. Here is what I see as an absolute ‘best case’ approval:

• October 11, 2012 – Publish 60-day ICR notice in the Federal Register.

• December 11, 2012 – Close public comment period on 60-day notice.

• January 11, 2013 – Publish 30-day ICR notice in the Federal Register

• February 11, 2013 – Close public comment period on 30-day notice and submit ICR to OMB

• March 11, 2013 – OMB gives approval of ICR

Actually I think that the ‘best case’ is, as is usual, unobtainable. Unless there is a very dramatic change in the PSP proposal, there will be extensive public comments on both ICR notices and responding to those will delay any subsequent work on the ICR. If Romney wins in November, the change in management at DHS will also slow the approval process. Finally, the screwed up budget process will also weigh down all processes in the Executive Branch.
I will be happily surprised if we have an operational PSP in place by this time next year.

Sunday, September 9, 2012

2012 CSSS Presentations – Cybersecurity


This is the third in a series of blog posts about presentations made at the recent 2012 Chemical Sector Security Summit. The first in the series dealt with the problems associated with the presentations in general. The subsequent posts will deal with the information provided in the slide presentations. The published presentations only provide the outline; I’ll try to fill in what information that I can from other sources or my best guesses.


In this post I’ll look at two presentations that were made concerning cybersecurity. The first (not necessarily in order of presentation at the CSSS) was presented by Lisa Kaiser from ICS-CERT and the second was made by a consultant, Edward J Liebig of CTO Commercial Security Consulting. Neither specifically addresses the cybersecurity requirements of CFATS program (RBPS #8).

ICS-CERT Info


For readers of this blog there is very little new information in Lisa’s presentation. The first statement on her first real slide (#2) sets the tone for the presentation;

• Internet facing control system devices are a BAD idea

The rest of that slide presents the standard ICS-CERT view of internet facing devices. The next slide (#3) explains one of the reasons for that view; she describes the SHODAN search engine. The slide doesn’t explicitly state that attackers can use SHODAN to find control systems that face the Internet, but I expect that her explanation covered that. The next slide is the standard ICS-CERT pie chart about 2011 incidents, pointing out that 5% of the 2011 incidents were chemical related, though I doubt that she mentioned that there were no actual ICS attacks included in that 5%.

The most valuable slide in the presentation, in my opinion, is slide #5, Key Control Systems Contacts. It includes email contacts for:

• Joining the Industrial Control System Joint Working Group (ICSJWG; icsjwg@hq.dhs.gov);

• Joining the ICS-CERT Portal (cssp@dhs.gov);

• Reporting ICS-CERT Incidents (ics-cert@dhs.gov); and

• Reporting other cyber-incidents (soc@us-cert.gov)

It also includes links for the ICS-CERT web site and the Cybersecurity Evaluation Tool (CSET). I hope that Lisa spent some amount of time explaining the CSET and how useful it would be to have an ICS-CERT team on site when running the tool.

A Cybersecurity Consultant’s View


Liebig’s presentation looks at cybersecurity from a consultant’s view of the process of evaluating and improving the security of cyber systems, both enterprise and control systems. He starts with an overview of the ICS threat environment, concentrating on the big threats, Stuxnet, Flame and Shodan (#3). Then he goes on to look at CFATS as a ‘call to action’ for addressing cybersecurity, making two important points (#5):

• The requirement for a “combined domain expertise in IT Security, ICS and Manufacturing Operations, with consistent cyber policy from the Enterprise Data Center to the Plant Control Room.”

• “Compliance is not enough – we must go “Beyond CFATS” to meet today’s cyber threats to manufacturing operations.”

He makes the point (#6) that cybersecurity evaluations are not unique to CFATS; noting that MTSA, and industry standards such as Responsible Care® also require cybersecurity assessments. Next he looks at (#7) building an ‘ICS Cyber Security Roadmap’ that looks at risk assessment, gap analysis, remediation & mitigation, and prioritization/roadmap.

The remaining slides in the presentation provide a great deal of high-level information about ‘Critical Success Factors’ (#8) and ‘Key Learnings’ (#9). Both pages have a large number of interesting bullet points that could have had their own pages. All of the points made are valuable, but the most interesting from my point of view are:

• “Understand that cyber security gaps will be a combination of people, process, and technology and actively engage all three aspects to assess and close gaps (including ICS suppliers).”

• “The engagement and awareness better aligns IT, Security and Operations stakeholders in understanding of how cyber risk is measured and managed.”

• “Assessments should be done at the ICS device level.”

• “Consider the impact on Safety/Health/Environment, Operations/Cost, and Company Image/Brand.”

The last page looks at how the previous slides were applied in an actual unnamed client operation. This is again a bullet-point dense slide that would be best understood with the presenter providing the necessary supporting details (yet another plug for future web casts). The key bullet point here is the last that addresses the ‘Client Value delivered’ with three important points made:

• Complete Risk Assessment & Remediation Plans to meet Security Policy and CFATS requirements.

• Clear understanding of risk to Manufacturing Operations across key plants.

• Comprehensive approach to rolling out Plant Cyber Security Standards globally.

This certainly sounds like what you pay a good cybersecurity consultant to provide. Now the facility just needs to make it work.

Thursday, September 6, 2012

2012 CSSS Presentations – SSP Lessons Learned


This is the second in a series of blog posts about presentations made at the recent 2012 Chemical Sector Security Summit. The first in the series dealt with the problems associated with the presentations in general. The subsequent posts will deal with the information provided in the slide presentations. The published presentations only provide the outline; I’ll try to fill in what information that I can from other sources or my best guesses.


The first presentation that I’ll look at is the SSP Lessons Learned (or CFATS Update, depending on which web page you look at) made by John Ferrell. The presentation states that he works in ISCD and the most recent information I can find (from 2009 and that is certainly out-of-date with the multiple changes in ISCD) shows him being an Inspector and the Acting Section Chief for Strategic Operations.

CFATS Update


The presentation provides some statistical data on the CFATS program as of August 1, 2012 (the most recent data that I’ve seen). It provides four basic sets of data; regulated facilities (“approximately 4500”), tiering distribution (3% Tier 1, 12% Tier 2, 29% Tier 3, 55% Tier 4), security issues (94% Theft/diversion, 32% Release, 14% Sabotage), and facilities no longer covered (1,809 removed COI, 925 reduced COI).

I find it interesting that the only time actual numbers are provided is when they discuss the number of facilities removed from the program. This comes out to about 38% of the original number of facilities. It would be interesting to see if anyone has done anything to determine how many (if any) of these removals were due to the economic downturn.

The fact that the security issues come out to a total of 140% should not come as a surprise to anyone. Many facilities are going to have multiple COI under different security issues and some chemicals are listed under multiple security issues. What is scary is that the bulk of covered facilities are theft/diversion COI. Insider pilfering, for example, of relatively small quantities of these materials could result in the construction of significant weapons (either IEDs or chemical weapons).

SSP Status


There is one slide on the status of the SSP program. A total of 63 facilities have had their SSP authorized or conditionally authorized (nobody has ever defined the term ‘conditionally authorized’ in a venue that I have seen); that is only eight more than Secretary Beers testified (pg 5) had been completed in February. The presentation notes that 14 authorization inspections have been completed (as of August 1, 2012), but does not say that any SSPs have been approved (the hoped-for result of an authorization inspection).

Oh yes, the current goal of completing Tier 1 inspections has slipped again, from by the end of FY 2012 to “as soon as possible”. That is certainly comforting.

SSP Lessons Learned


There is a nice slide about what SSPs should include. Here is the complete list:

• More detailed descriptions of security measures

• Information on all 18 Risk-Based Performance Standards (RBPS) – if an RBPS is not applicable, state why the RBPS does not apply

• Safety and environmental measures that contribute to security, if appropriate

• Descriptions of planned measures the facility has committed to implement

• Descriptions of proposed measures on which the facility would like Department feedback

• Whether a security measure is applied facility-wide or to a specific asset

Now most of these are addressed (certainly incompletely) in the questions asked in the SSP submission tool. Either industry is not competent to answer these questions as asked (I seriously doubt that that is the case) or ISCD is not asking the right questions. So, I’ll ask again a real simple question, why hasn’t ISCD re-written the SSP questions so that industry can provide the required information? If it makes the questions more complicated, so be it.

Miscellaneous Information


The last two information slides provide typical fluff information about the program, including some web links. One of the slides does mention that facilities can directly contact the local Commander (regional head of Chemical Facility Inspectors) and notes that the contact information had been made available in the ‘Conference booklet’. This would be some nice information to have on the DHS web site.

Thursday, July 21, 2011

DHS Updates 2011 CSSS Page – Presentations Available

Today the DHS Office of Infrastructure Protection updated their web page for the 2011 Chemical Sector Security Summit, adding links to many of the presentations from the CSSS. It will take a while before I have a chance to review all of the presentations; I’ll report on the ones that appear to be of interest.

There are limitations, however, in these presentations. They are the slide presentations that were shown at the Summit, not the actual presentations. A good presenter provides much more detail in the verbal portion of their presentation than can be put into a slide. This is the reason that I have been banging the drum to encourage DHS to make videos of the presentations and put them up on the web.

I wrote in an earlier post about an indication that DHS was going to be attempting to do this for one of the presentations at the CSSS. Well, there is nothing on the new page that indicates that DHS has done so. It could be that the post-production work on the video is still underway and it will be posted at a later date. If that is the case, I am happy to have DHS post the easier to process slide presentations. Of course, it would be nice if they mentioned that the video was in progress. At the very least it would keep people like me from picking at them.

As always, if there are readers who were present (or even better presenters) that want to share their views about any of the presentations, drop me a line or post your comments to this post.

Monday, August 10, 2009

Tidbits from Security Summit Presentations

As I noted yesterday, DHS has posted copies of the slides used in their presentations at the 2009 Chemical Sector Security Summit on the CSSS web site. In today’s posting I’ll abstract some of the interesting (to me at least) bits of information that can be found in these slides. I still don’t have much in the way of supporting information; just the copies of the slides.

Ammonium Nitrate Regulations

• “Background Check − Individuals registering with DHS will have their identifying information screened against information in the Terrorist Screening Database (TSDB)”
• “Registration Numbers – Individuals registering with DHS will generally be issued or denied registration numbers within 72 hours of receipt of a complete registration application”
• “Manner of storage of records − Facilities have discretion over the creation, formatting, and storage of their records, provided they contain the required data fields”
• “Any AN seller who has knowledge of a theft or unexplained loss of AN must report such theft or loss to Federal law enforcement within 24 hours of discovery”
• “For loss reporting, an individual must report any loss of AN where the loss deviates from the amount of loss that typically occurs during routine production, storage, transportation, or use of AN”
• “An individual who is denied an AN Registered User Number has a right to appeal that decision, and the appeal must be heard in 72 hours”
• “DHS expects to publish the AN NPRM this fall”
• “DHS will conduct extensive outreach on the AN regulations”

Chemical Facility Anti-Terrorism Standards Overview

• “Current Preliminary Tiering – 6,400 total facilities”
• “Top-Screen Resubmissions – 4,002 received”
  • “123 Tiered Up (Error 72/Material Modification 31)” [3%]
  • “1,537 Tiered Down (Material Modification 1020)” [38%]
  • [2,342 No change by my calculations – 59%]
• “SVA Review Process and Tiering Engine –”
  • “Subject Matter Expert (SME) reviews of each for chemical, physical and cyber security”
  • “Tiering engine assigns overall risk score (CxVxT), ensuring consistent application of methodology and appropriate final tiering demarcation points”
  • “Review process identifying facilities/companies needing immediate action”
• “Personnel Surety portal status (TSDB check for RBPS 12, Personnel Surety) −”
  • “Working with SCO and TSA to build portal”
  • “PRA published in FR June 10, comment period closes August 10”
  • “Scheduled to be operational in late 2009”
• “DHS receives and reviews a facility’s SSP for the following:”
  • “Compliance with due date (date received vs. due date)”
  • “Administrative completeness and accuracy”
  • “Description of the Security Risk Management Program-”
  • “Quantitative review via Security Risk Engine”
  • “Qualitative review via DHS SMEs: Physical Security Analyst, Cyber Security Analyst, Chemical Analysts”
• “Indefinite Agricultural Production Facilities Top-Screen Extension”
  • “Issued December 20, 2007 for possession of COI solely for preparation for treatment of or during application to crops, feed, land or other areas on an agricultural production facility”
  • “Next Steps -”
  • “Use current CFATS authority to direct distributors to complete supplemental Ag-focused questions (Shared with USDA for comment week of 6/22)”
  • “Evaluate regulatory approach based upon data review (possibly set Ag COI STQs)”

Chemical-terrorism Vulnerability Update

• “In the event of any disagreement between the facility and the public official regarding the precise CVI to be disclosed or the method of disclosure, DHS encourages the parties to refer the matter to DHS.”
• “In the event of any disagreement between the facility and the Federal Official regarding the disclosure of CVI or the method of disclosure, the parties to refer the matter to DHS.”

Site Security Plan Development and Inspections

• “Preparation for Inspection”
  • “Pre-visit logistics – availability of required personnel, facilities, and site assets, etc.”
  • “Assembly of supporting documentation – procedures, plans, records, etc. that support the facility characterization, asset characterization(s), and explanation of RBPS satisfaction described in the Site Security Plan.”

Site Security Plan

• “SSP tool allows for multiple preparers (CVI Certified) −”
  • “Identify relevant facility, company and corporate level expertise”
  • “Organize SSP team members”
  • “Clarify individual responsibilities”
  • “Schedule the SSP’s completion, validation, and submission”
• “SSP submitters will be locked out when multiple users are logged in”
• “The last answer cancels the previous answer in the SSP”

Theft & Diversion: Prevention and Compliance

• “This RBPS, especially the ‘Theft’ element, applies to some degree to virtually all covered facilities, insofar as a facility is not covered in the first place if it has no ‘potentially dangerous chemicals’.”
• “Diversion is the criminal act of acquiring a product (or service) by means of deception.”
• “DHS expects to see specific measures addressing both the “straightforward” issue of theft and the more complicated issue of diversion in some combination depending on the Tier Level.”
• “Another excellent source document on counter-diversion programs is the Drug Enforcement Administration's Chemical Handler’s Manual”

Voluntary Practices and Industry Practices

• “Bi-annual Classified Briefings”
  • “The SSA sponsors classified briefings for cleared industry professionals in order to assist them with prioritizing the level and type of security measures to implement”
  • “Both physical and cyber threats are briefed and any other topics of interest to chemical supply chain professionals”
• “The Chemical Sector is participating in a pilot program to improve cyber information-sharing processes which includes monthly calls between small trusted cyber security group in the Chemical Sector, the National Cyber Security Division (NCSD) and Chemical SSA”
• “Voluntary Chemical Assessment Tool (VCAT)”
  • “The web-based tool facilitates a cost-benefit analysis allowing users to select the best combination of physical security countermeasures and mitigation strategies to reduce overall risk”
• “Multi-plant tours designed to give public sector partners involved with chemical security an opportunity to see firsthand the security measures at facilities”

General Comments

Looking at these slides, it certainly seems like the Chemical Sector Security Summit should have been a worthwhile meeting to attend. But given the fact that there are over 6,000 covered facilities there is no way that the Summit was large enough to include participation of even just a single representative of each facility. The Chemical Sector Coordinating Council and the Chemical Sector-Specific Agency, the co-sponsors of the event, need to consider web casting the presentations.
 