Showing posts with label Training. Show all posts

Tuesday, May 3, 2022

Review – CISA Updates ChemLock Training

Today, CISA’s Office of Chemical Security (OCS) updated their ChemLock landing page, adding an announcement about changes to their ChemLock: Introduction to Chemical Security training course. Clicking through the provided link, it is obvious that the ChemLock Training page has been significantly rewritten. The ChemLock program is CISA’s voluntary chemical facility security program for chemical facilities that are not covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program.

Today’s announcement notes that: “CISA is now offering the ChemLock: Introduction to Chemical Security training course on a quarterly basis.” This 1-2 hour course provides an introduction to identifying, assessing, evaluating, and mitigating chemical security risks. This course has been available by request. It remains available this way, but CISA has also scheduled a publicly-available on-line version of the class on a quarterly basis.

For more details about these changes, including registration links, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-updates-chemlock-training - subscription required.

Wednesday, December 29, 2021

Review - ChemLock Training

In addition to the chemical security fact sheets that I discussed last week, CISA’s new voluntary ChemLock program also provides chemical facilities with free chemical security training. These are designed to help chemical facilities not covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program to establish a voluntary chemical security program. The list of free training programs now includes:

ChemLock: Introduction to Chemical Security, and

ChemLock: Secure Your Chemicals Security Planning

These two programs are designed to help facilities begin the development of their voluntary ChemLock facility security program. Future training programs may address other components of that security program.

Not Security Awareness Training

Neither of these two courses addresses chemical security awareness training for chemical facility personnel. There is a training course offered by FEMA via their Center for Domestic Preparedness. The 1-hour on-line course is primarily set up for independent study and requires an easy-to-obtain FEMA Student ID number. Facilities developing a ChemLock voluntary security program, or facilities covered under the CFATS program, may find that this training program for individuals provides a good starting point for a facility chemical security awareness training program.

Moving Forward

Facilities wishing to participate in these two ChemLock training programs should complete the ChemLock Services Request Form. Facilities wishing further information about these training programs or other facets of the ChemLock program should contact OCS by email at ChemLock@cisa.dhs.gov.

For more details about the training programs being offered by CISA, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-training - subscription required.


Monday, April 5, 2021

Chemical Sector Security Awareness Training – March 2021

FEMA now has an on-line Chemical Sector Security Awareness Training (AWR-912) program available for use by the public, including personnel working at chemical facilities. This training program is not specifically targeted at employees at facilities regulated under either the Chemical Facility Anti-Terrorism Standards (CFATS) program or the Maritime Transportation Security Act (MTSA) program, but it could be used for general security awareness training by facilities in either program. Before an individual attempts to complete the course, they must register with FEMA and obtain a FEMA Student ID (FEMA SID).

NOTE: Readers who have received the March 2021 Chemical Security Quarterly email will already have heard about this training program. You can sign up to receive this email (and other CISA information) via the https://public.govdelivery.com/accounts/GOVENGAGE/subscriber/new website.

Commentary

This is the new training program that CISA’s Chemical Sector-Specific Agency announced at the 2020 Chemical Security Summit last December. It is actually a rework of the training program that was originally introduced in 2008 and then discontinued sometime in 2015 without notice or explanation.

While this is billed as ‘Chemical Sector Security Awareness Training’, there is actually very little in this program that is uniquely targeted at the chemical sector. There are two video scenarios that use chemical imagery (totebins in one and a chemical railcar in another) to illustrate the need for individuals to be aware of their surroundings and the need for reporting unusual situations, but that hardly makes this chemical-sector-specific training.

There is no mention of the two federal regulatory programs that address security at chemical facilities, the Chemical Facility Anti-Terrorism Standards (CFATS) program and the Maritime Transportation Security Act (MTSA) program. There are certainly more ‘chemical facilities’ that are not covered by either program than there are covered facilities, but it seems to me that there should at least have been some mention of these two important security programs.

Nor was there any discussion of the two specific reasons that a security awareness program at chemical facilities is important: the deliberate release of hazardous chemicals as a means of attack on the local community, and the theft/diversion of precursor chemicals for the manufacture of improvised explosives or improvised chemical weapons that could be used in a subsequent attack.

If CISA is expecting CFATS facilities to use this training program to satisfy the RBPS 11 annual training requirement for ‘All Remaining Employees’, it sadly addresses only one of the Training Topics listed in Table 13 of the RBPS Guidance Document: “Recognition of suspicious behavior”. Facilities would have to separately address the remaining training topics:

• Recognition and detection of dangerous substances and devices,

• Techniques used to circumvent security measures,

• Relevant provisions of the SSP, and

• The general meaning and consequential requirements of the different DHS Threat Levels

This training program hardly seems worth the effort.

Friday, June 15, 2018

ISCD Published Training Fact Sheet

Today the DHS Infrastructure Security Compliance Division (ISCD) published a new fact sheet providing information supporting Risk-Based Performance Standard (RBPS) #11, Training. As with the rest of the RBPS Fact Sheets, the bulk of the material in the two-page fact sheet is a broad summary of the information available in the RBPS Guidance Manual.

There is one section of the Fact Sheet that provides information not available in the manual: the ‘Available Training and Resources’ section provides links. For the most part these are links to government web sites (from agencies like OSHA, EPA, and FEMA) that provide training which, while not specifically about the Chemical Facility Anti-Terrorism Standards (CFATS) program, does provide chemical safety and incident response information that would be applicable at CFATS covered facilities.

There is one unusual link provided in this section: it is to HazmatSchool.com. This is a private entity that provides on-line training for a fee (ranging from $10 to $349) on a variety of EPA and OSHA topics. None of the courses listed in the course catalog specifically cover security issues, but a number would probably provide valuable response information that could be applicable to a chemical security incident as well as a chemical accident.

I have not taken any of the training programs from the HazmatSchool, so I cannot comment on their efficacy. They do, however, provide a very good description of the limitations of on-line versus hands-on training in their explanation of why they do not offer an on-line 24-hour HAZWOPER class. It is well worth reading.

Wednesday, July 22, 2015

Homeland Security Committee Announce Markup Hearing for Thursday

This morning the House Homeland Security Committee announced that their Transportation Security Subcommittee would be holding a markup hearing on Thursday. Three bills would be included in the markup:

H.R. 3102, the “Airport Access Control Security Improvement Act of 2015”.
H.R. ____, the ‘‘Partners for Aviation Security Act”.
Committee Print of H.R. ___, the “Transportation Security Administration Reform and Improvement Act of 2015”.

The first two bills are airport security bills pure and simple, so I intend to ignore them. The third bill contains two titles; the second being “Surface Transportation Security”. That means that it is fair game in this blog.

Surface Transportation Security Changes

This Title contains three sections:

Sec. 201. Surface Transportation Inspectors.
Sec. 202. Repeal of biennial reporting requirement for the GAO relating to the Transportation Security Information Sharing Plan.
Sec. 203. Repeal of frontline employee training requirements.

Section 201 outlines a new reporting requirement for the Comptroller General’s Office concerning “the efficiency and effectiveness of the Administration’s Surface Transportation Security Inspectors Program” {§201(b)}. From the tenor of the items to be addressed in the report, the author (almost certainly the Committee Staff) doesn’t think much of the current crop of Surface Transportation Inspectors. It looks like they want the responsibility for this program to revert to the DOT modal agencies.

Section 202 removes a reporting requirement for the Comptroller General’s Office established in 49 USC 114(u)(7). This is a biennial reporting requirement on a user satisfaction survey concerning “the quality, speed, regularity, and classification of the transportation security information products disseminated by the Department of Homeland Security to public and private stakeholders”.

Section 203 removes the requirement for TSA to establish employee security training programs that were originally required under the 9/11 Commission Act of 2007 (Public Law 110–53). Those programs are:

Public transportation security training program {6 USC 1137};
Over-the-road bus security training program {6 USC 1184}.

There are two other programs included in the elimination set out in this section that have nothing to do with employee training; they both deal with employee threat assessment programs:

Threat assessments (public transportation) {6 USC 1140};
Threat assessments (railroad) {§1520 of the 9/11 Commission Act of 2007}.

Both of those threat assessment requirements use virtually the same wording:

“Not later than 1 year after the date of enactment of this Act, the Secretary shall complete a name-based security background check against the consolidated terrorist watchlist and an immigration status check for all railroad frontline employees, similar to the threat assessment screening program required for facility employees and longshoremen by the Commandant of the Coast Guard under Coast Guard Notice USCG-2006-24189 (71 Fed. Reg. 25066 (April 8, 2006)).”

Commentary

TSA has never actually gotten around to establishing any of the programs mentioned in §203, so as a practical matter eliminating them does not make much difference. And since everyone knows (pardon the sarcasm) that terrorists never attack public transportation, there really is no need for security training of front line employees in that sector.

Likewise, there is no chance (again sarcasm alert) that terrorists would want to become railroad employees to effect an attack. And we know that terrorists have made no attempt to radicalize Americans as a part of an effort to encourage lone wolf attacks in this country. With both of those facts established, there is obviously no need to vet first line surface transportation employees against the TSDB.

Monday, January 5, 2015

ISCD Training Needs Program RFI

Last Wednesday the folks at DHS’s Infrastructure Security Compliance Division (ISCD; the people who administer the CFATS program) posted a request for information to the GSA web site about sources that might be interested in developing a training program for ISCD personnel. The responses to this RFI will be used for information and market research planning purposes, only; it is not a solicitation for bids.

ISCD is looking for information about organizations and/or individuals that have:

• Comprehensive knowledge of techniques and processes of conducting a comprehensive needs analysis;
• Knowledge of federal career fields, job series and required job tasks;
• Knowledge and proven experience with instructional systems design;
• Comprehensive knowledge of techniques and philosophies of adult learning principles;
• Skill in designing and developing a robust training program;
• Skill in applying analytical methods and evaluative techniques to measure and evaluate training programs;
• Experience with compiling and assembling training data for reporting purposes; and
• Ability to communicate effectively orally and in writing

The RFI notice includes detailed information about how to submit the required information. Responses need to be sent by January 19th, 2015.

BTW: Thanks to @kgcrowther for pointing me at this information.

Monday, March 31, 2014

OSHA PSM and Emergency Response Planning

This is part of a continuing look at the public comments that have been posted to the docket for the OSHA Process Safety Management program advance notice of proposed rulemaking. Earlier posts in the series include:


In Saturday’s post I mentioned that a “commenter noted that natural gas transmission and distribution facilities are already required to maintain close coordination with local emergency response authorities under 49 CFR 192.615”. That comment by the American Gas Association (AGA) points to one of the few places in Federal Regulations that provides specific requirements for the type and scope of emergency planning that must be undertaken by a chemical facility. As such, I thought that it would be a good idea to look at those requirements in some detail.

Emergency Planning

Section 192.615 outlines the requirements that every gas pipeline operator must adhere to for the establishment of emergency plans. Subparagraph (a) outlines the requirements for establishing a written plan for responding to gas pipeline emergencies. Subparagraph (b) establishes the requirements for communicating that plan to the employees of the gas pipeline operator. And subparagraph (c) addresses the requirements for coordinating with police, fire and other public officials.

Written Plan

Subparagraph (a) requires each operator to “establish written procedures to minimize the hazard resulting from a gas pipeline emergency”. The plan must address:

• Receiving, identifying, and classifying notices of events which require immediate response by the operator;
• Establishing and maintaining adequate means of communication with appropriate fire, police, and other public officials;
• Prompt and effective response to a notice of each type of emergency;
• The availability of personnel, equipment, tools, and materials, as needed at the scene of an emergency;
• Actions directed toward protecting people first and then property;
• Emergency shutdown and pressure reduction in any section of the operator’s pipeline system necessary to minimize hazards to life or property;
• Making safe any actual or potential hazard to life or property;
• Notifying appropriate fire, police, and other public officials of gas pipeline emergencies and coordinating with them both planned responses and actual responses during an emergency;
• Safely restoring any service outage;
• Beginning incident investigations under §192.617, if applicable, as soon after the end of the emergency as possible; and
• Actions required to be taken by a controller during an emergency in accordance with control room management regulations under §192.631.

Now the scope of the pipeline emergency plan may be a bit more expansive than one would expect to see at more typical chemical facilities. This is inherent in the fact that by their very nature, gas pipelines are mainly off-site facilities. Many of them run through or near inhabited areas which may significantly expand the scope of a gas pipeline incident.

This is further reflected in 192.615(a)(3) which defines the types of emergencies for which the pipeline written plan must provide a ‘prompt and effective response’. The four specific emergencies specified are:

• Gas detected inside or near a building;
• Fire located near or directly involving a pipeline facility;
• Explosion occurring near or directly involving a pipeline facility; and
• Natural disaster.

Employee Communications

Just having a written plan is not sufficient. This section of the pipeline safety regulations requires that pipeline operators share the written plan with their employees in a fairly specific manner. Section 192.615(b) requires operators to:

• Furnish its supervisors who are responsible for emergency action a copy of that portion of the latest edition of the emergency procedures;
• Train the appropriate operating personnel to assure that they are knowledgeable of the emergency procedures and verify that the training is effective; and
• Review employee activities to determine whether the procedures were effectively followed in each emergency.

While it is not specifically mentioned in the subparagraph (b) requirements, the training must not only address what actions must be taken; it also needs to ensure that each of the personnel has the capability to identify emergencies at the earliest opportunity and to discriminate between the different types of emergencies in order to determine which action in the emergency plan should be taken.

The last requirement is often overlooked in emergency planning. After each incident where any portion of the emergency plan is put into operation, an after-action review (AAR) needs to be undertaken to ensure that not only were the employees’ actions correct with respect to the plan requirements, but also that the plan requirements were appropriate to the incident in question.

A natural extension of the AAR {again not specifically mentioned in §192.615(b)} is the need to revise the emergency plan based upon the lessons learned in the AAR.

Community Coordination

Since many gas pipeline incidents or accidents can have an immediate and devastating impact on the local community, close coordination between the gas pipeline operator and the local emergency response community is very important. This is reflected in the actions specified in §192.615(c). This subparagraph establishes the requirement for a pipeline operator to “establish and maintain liaison with appropriate fire, police, and other public officials”. This liaison is required in order to:

• Learn the responsibility and resources of each government organization that may respond to a gas pipeline emergency;
• Acquaint the officials with the operator’s ability in responding to a gas pipeline emergency;
• Identify the types of gas pipeline emergencies of which the operator notifies the officials; and
• Plan how the operator and officials can engage in mutual assistance to minimize hazards to life or property.

While the area for which the operator is responsible for coordinating emergency response actions with local officials is much larger than for most chemical facilities, because of the length of most gas pipelines, the same reasons for such coordination exist for any facility that houses or produces hazardous chemicals.

OSHA PSM Implications

In considering the current OSHA PSM standard and evaluating how well that standard addresses the requirement for emergency planning and community coordination, OSHA would do well to take a good hard look at §192.615. With very little modification to the wording in this portion of the Pipeline Safety Regulations, OSHA would have a fairly comprehensive set of requirements for PSM covered facilities upon which to base their emergency planning operations.

Friday, October 25, 2013

OMB Receives Two New Rules from Administration

Well, actually OMB received 5 new draft regulations from the Administration yesterday but two just might be of interest to readers of this blog. Unfortunately I can’t tell you much about either of them, or be completely sure I’m interested in them, because they have never been published in the Unified Agenda.

The two proposed rules (presumably going to be notices of proposed rulemaking – NPRM) are from the Coast Guard and DOD respectively. They are:


The first one is probably a safety training rule. If it is, I won’t be much interested in it unless it also includes security training requirements. The second has just too odd a title for a DOD rule (even a DFARS-related one) for me not to at least look at it.

All administrations have rules that come up outside of the planned rulemaking process, so there is nothing inherently unusual in these not being on the last Unified Agenda, and the last UA was published on July 4th. But, it seems to me (and I haven’t done any statistical analysis on this so it is just an impression) that the Obama Administration does a lot of rulemaking outside of the Unified Agenda process.

Thursday, September 19, 2013

DHS NICCS Publishes Cybersecurity Training and Education Catalog ICR

The DHS Cybersecurity Education Office (CEO) published a 30-day information collection request (ICR) notice in today’s Federal Register (78 FR 57643-56744) supporting the data collection efforts of the National Initiative for Cybersecurity Careers and Studies (NICCS) for the Cybersecurity Education and Training Catalog (CETC).

The CETC is a national level resource for the listing of cybersecurity training and certification programs. Given the DHS responsibility for cybersecurity operations within the Federal Government it appears that the CETC is currently focused on training programs by and/or for federal government agencies, but the ICR certainly allows for registration of private sector training providers. The ICR covers the registration of cybersecurity training and certification programs and their provision of standardized information about their programs.

The burden forecast for this ICR indicates that the CEO only expects about 300 cybersecurity training and certification respondents to register with the system. They expect the average respondent will interface with the program seven times at about an hour a response.

Public comments on this ICR notice may be provided to the Office of Management and Budget (OMB) via email (oira_submission@omb.eop.gov). Comments should be filed by October 21st, 2013.

Tuesday, July 30, 2013

S 1353 Introduced – Cybersecurity

As I noted last week, Sen. Rockefeller (D,WV) introduced S 1353, the Cybersecurity Act of 2013. This bill has received a lot of attention in the main stream press as a bill that would formally implement the cybersecurity framework initiated by the Obama Cybersecurity Executive Order (EO 13636), but there is very little linkage, if any, between the two.

The bill is organized into three Titles:

Title I — Public-Private Collaboration on Cybersecurity
Title II — Cybersecurity Research and Development
Title III — Education and Workforce Development

The last two titles are little more than rehashes of R&D and education programs outlined in other legislation and share the same shortcomings. No new funds are identified for the new and/or repurposed programs, so they will either have to steal funds from other worthwhile programs without Congress accepting responsibility for that reprogramming, or the new programs will die stillborn due to the lack of funds.

The meat of the bill is found in Title I, but even that suffers from the lack of specific funding authority for the executive actions that are directed to be accomplished by that title.

Definitions

Before we actually get to Title I we need to first glance through Sections 2 and 3. Section 2 of the bill defines three terms to be used in this bill:

• Cybersecurity mission;
• Information infrastructure; and
• Information system.

The first is a very expansive term that describes a wide range of activities that includes such things as threat reduction, international engagement, resiliency (which is not an activity the last time I looked) and incident response to name a few. It also ropes in some aspects of even more disparate activities such as law enforcement, diplomacy, military and intelligence missions where they relate to the security and stability of cyberspace.

The second term, ‘information infrastructure’, means “the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically” {§2(b)}. Interestingly the definition specifically includes “communications networks, and industrial or supervisory control systems [emphasis added] and any associated hardware, software, or data”.

Before anyone gets too excited about the specific mention of control systems, it needs to be made clear that the construction of the second and third definitions limits those control systems to those that directly support information systems. The definition of that term comes from 44 USC 3502(8), where it is defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. So we can forget this bill covering security for any control system that manufactures, controls or moves anything besides information.

One last thing that we need to look at before we get to Title I is §3 of the bill. It specifically and unequivocally states:

“Nothing in this Act shall be construed to confer any regulatory authority on any Federal, State, tribal, or local department or agency.”

Public-Private Collaboration - NIST

Section 101(a) starts out by modifying the list of activities that the Secretary of the Department of Commerce is allowed (not required) to perform through the Director of the National Institute of Standards and Technology (NIST) under 15 USC 272(c) by adding sub-paragraph (15) that would allow “on an ongoing basis, [to] facilitate and support the development of a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure”.

If the drafters of this bill had really wanted NIST to undertake a proactive cybersecurity development program they would have listed this program in §272(b) under the mandated functions of the Institute rather than under the allowed activities in §272(c). This is especially true since §272(c)(13) and (c)(14) already provide wide latitude to study computer controls and information systems.

Section 101(b) goes on to add another paragraph to 15 USC 272. Section 272(e) provides additional details about how the Director is to go about executing his newly allowed activities. There is a lot of coordinating and consulting mentioned before one gets to the meat in §272(e)(1)(A)(iii), which outlines a mandate (within an allowed, not required, activity) to “identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach” that can be voluntarily adopted by “owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks”.

Section 272(e) goes on to require that the approach would:

• Mitigate impacts on business confidentiality {§272(e)(1)(A)(iv)(I)};
• Protect individual privacy and civil liberties {§272(e)(1)(A)(iv)(II)};
• Incorporate voluntary consensus standards and industry best practices {§272(e)(1)(A)(v)};
• Align with international standards ‘to the fullest extent possible’ {§272(e)(1)(A)(vi)}; and
• Prevent conflict with regulatory requirements, mandatory standards and related processes {§272(e)(1)(A)(vii)}.

Section 272(e)(2) provides limited protection of information shared with or provided to the Director of NIST in support of §272(c)(15). It specifically states that the information “shall not be used by any Federal, State, tribal, or local department or agency to regulate the activity of any entity”. The bill does not, however, provide any protection against public disclosure of that information or use of that information in civil actions by those other than the government. Nor are there any provisions to protect against anti-trust actions based upon the sharing of standards, best practices or security practices.

There are also no provisions in this bill for protected information sharing about specific intelligence or threat information. To be fair, one would not expect that in an NIST activity as it is not part of the intelligence community, but the sharing of threat intelligence will almost certainly have a major impact on the development of best practices, methodologies and procedures. Without open and effective threat information sharing the effectiveness of any such developments will be stunted to say the least.

EO Lite

Because the crafters of this bill limited Title I of the bill to just activities at NIST, this bill provides only the barest support for the Cybersecurity Framework currently being developed by NIST in support of the President’s EO. Without the activities outlined for agencies in DHS, DOD, Justice and GSA in the EO, the most effective parts of the Framework are either not present or not supported by this flimsy legislative structure.

The biggest shortcoming of this bill in this regard is the complete lack of any indication that one of the largest portions of the cybersecurity threat currently facing this country is not information related (though that is certainly an important area of concern) but rather the vulnerability of physical control systems to manipulations that could cause widespread physical damage, mass casualties or the destruction of infrastructure that would reverberate throughout our economy through cascading supply chain damage.

Moving Forward

This bill will likely move through markup today without discussion. The big question will be if, after the summer recess, it will have any chance of making it to the floor of the Senate. A lot of that will depend on the competing bills that are crafted between now and then. This is a bland enough bill that it would probably pass, both here and in the House, if it were to make it to a vote.

Thursday, June 27, 2013

Ethanol Safety Training

There is an interesting short article over at www.ProgressiveRailroading.com about a series of ethanol safety seminars that will be held in California next month. The training co-hosted by the Renewable Fuels Association and the Ethanol Emergency Response Coalition (EERC) will address some of the peculiar problems that emergency responders will face with ethanol and ethanol-blended fuels incidents. Since ethanol fuels are typically moved by truck or rail (not pipeline for a number of technical reasons) first responders far from ethanol production facilities (and their associated expertise) are having to deal with ethanol related spills and fires.

The seminars will focus on:

• An introduction to ethanol and ethanol-blended fuels;
• Chemical and physical characteristics of ethanol and hydrocarbon fuels;
• Transportation and transfer of ethanol-blended fuels;
• Storage and dispensing locations;
• Firefighting foam principles and ethanol-blended fuel;
• Health and safety considerations for ethanol-blended fuel emergencies; and
• Tank farm and bulk storage fire incidents

For those not able to attend these seminars (and more are planned outside of California), the EERC has a web site with training materials for local responders to use to familiarize themselves with the ethanol response issues.

Saturday, June 22, 2013

NIST Framework Development Update – 06-22-13

Earlier this week the National Institute of Standards and Technology published a brief update about the development of the Cybersecurity Framework on their web site. The update provides a brief discussion of where the process currently is and how NIST intends to get to the required publication of the Framework. This is part of NIST’s commendable attempt to keep the cybersecurity community engaged in the process.

Cybersecurity Framework Elements

The important new information in this update is a listing of the elements that NIST intends to include in their draft Framework. While most of this was outlined in the President’s Executive Order (EO 13636), this update provides a little more meat to the bare bones provided by the President. Abstracting that information further, the NIST Framework will:

• Identify effective existing practices to inform an organization’s risk management decisions;
• Provide a modular and flexible approach to enable organizations to relate cybersecurity needs to diverse sector and organization business drivers;
• Reinforce cybersecurity risk management as it relates to the enterprise risk management processes of an organization;
• Provide a means for an organization to express the maturity of their cybersecurity risk management practices;
• Include workforce considerations; and
• Address the need for organizations to manage the various types of dependencies, including those related to providers, processes, and technologies.

Workforce Considerations

The brief discussion of the workforce considerations deserves special emphasis. This document makes it clear that the Cybersecurity Framework will address two separate levels of training requirements. First, there will be the general cybersecurity awareness training that all personnel with access to critical cyber-systems will have to undergo. Interestingly, the update makes it clear that 'all personnel' should include "employees, partners, and customers" that have system access.

The second level of training will have to focus on ‘cybersecurity personnel’. The update notes that “the cybersecurity workforce must be trained and must maintain the skills necessary to understand the operating environment, the threats and vulnerabilities to that environment, and the practices available to combat those threats and vulnerabilities” (pg 2). The development of this type of training is one of the areas that NIST should stress in their proposed Federally Funded Research and Development Center (FFRDC). At the very least there is going to have to be some sort of federal support and guidance in the development of this professional workforce training program.

NIST Still Looking for Information

The update makes it clear that NIST is not done with the information collection phase of its process development (and hopefully this indicates the realization that such information collection efforts will have to continue to be an integral part of the Framework). Specifically NIST is looking for additional input in the following areas:

• The identification and availability of foundational cybersecurity practices;
• The actionable expression and management of privacy and civil liberties needs;
• The availability of outcome-oriented metrics that leaders can use in evaluating the position and progress of the organization’s cybersecurity status; and
• The mechanisms to enable critical dependency analysis for supply chains based on mission/business function.

Moving Forward

The update reiterates the previous report that NIST will have an outline of the draft of the preliminary Cybersecurity Framework (this will certainly be a working document, given all of those qualifiers) available by the end of the month, which means this coming week. All of this leads up to the 3rd Cybersecurity Framework Workshop to be held in San Diego, CA on July 10th through 12th.

NIST expects this Workshop to result in an initial draft of the Framework to include “a corresponding list of standards, guidelines, and practices that are currently being used by industry” (pg 2). We can only hope that the Framework being developed includes a methodology for keeping that list updated with revisions and new standards as the cybersecurity field continues to grow and mature.

NIST recognizes that everyone with an interest in, or input for, the development of the Cybersecurity Framework will not be able to attend the Workshop in San Diego. They are encouraging folks who cannot attend to provide their input via email (cyberframework@nist.gov).

Monday, March 26, 2012

DHS Updates Chemical Sector Training and Resources Page

Earlier today the folks at the Chemical Sector Office in NPPD updated their training and resources web page. Alert readers might remember that this is the page for which I received premature notification of a change almost two weeks ago. Most of the changes are editorial in nature, but there is one fairly substantive change and one major oversight on the page.

The editorial changes are simply changes in wording or style. For instance, one of the old headers was 'Publications'; it is now 'Chemical Sector Publications and Resource Kits'. It may be slightly more informative, but it is hardly a necessary change.

The substantive change that justifies the updated web page deals with the Chemical Sector Security Summit (CSSS). The previous version of this page (dated August 8, 2011) still carried information on the then recently held meeting from last July. That information has long since been updated on other DHS pages, but it is just now being updated here. Not a problem, since it will (hopefully) be just a short while before the registration process starts and requires further modification of this page.

The section where needed corrections were overlooked actually comes just before the CSSS information on the page. The section on the 'Security Seminar & Exercise Series for Chemical Industry Stakeholders' still shows scheduled dates for long-past exercises from August and September of last year. At the very least these should have been deleted when the page was updated today. What is of real concern is that apparently none of these exercises have been executed or scheduled since the Fairview Heights, IL exercise on September 15th. That's really a shame.

Sunday, January 1, 2012

Chemical Inspectors and ISCD Problems

I got an interesting email from a reader last week who has an interest in becoming a chemical facility security inspector (CFSI) for the CFATS program at DHS. After reading the FoxNews.com story about the problems at ISCD he was concerned about how those problems might affect his prospects for future employment in that area. That question has specific meaning for the reader, but is also of a more generic concern for the chemical security community.

First off, let me make clear that, in my opinion, the CFATS program is going to be around for quite some time. There has been no serious talk by anyone in Congress about disbanding the program and many who want to see the program expanded to include some of the classes of facilities that are currently exempted from CFATS coverage. In fact, the political debate about the CFATS program has always been about the scope and coverage of the program, not the need for a chemical security program.

Shortage of Chemical Security Professionals

One of the weak spots in the CFATS program has always been the CFSI. This is not due to any personal or professional shortcomings of the current crop of CFSI, but rather the fact that until very recently there was no such thing as a chemical security inspector. In fact, there have been virtually no chemical security personnel at all.

Okay, there have been security personnel at chemical facilities for a long time and their number certainly increased after 9-11, but for the most part these have been standard security personnel concerned with standard security matters such as entry control, perimeter patrols, and loss prevention. The number of people that understood the unique security aspects of process chemistry, both as targets and as potential weapons, was extremely small and most were concerned about security of overseas chemical facilities owned by the major chemical companies.

In the same way, there were very few people in the chemical processing industry who really understood security; locks, fences, and rent-a-cops seemed adequate to most chemists and engineers. Even then, the basic necessities of those programs, such as key control, clear zones and gate procedures, were beyond the understanding or concern of chemical professionals.

CFSI Training Issues

Because of the lack of chemical security professionals, the bulk of the first CFSI hired and trained by ISCD were in fact security professionals; security managers, inspectors and law enforcement types. Most of them came from backgrounds in the Federal Government since this eased many of the vetting requirements.

This created a bit of a training problem for ISCD. While the training should have been concentrated on CFATS related issues (§550 restrictions, RBPS guidelines, etc) much of the focus of the Chemical Facility Security Academy had to do with chemical process and safety issues. Security personnel had to be trained in the basics of chemical process language, equipment, and chemical handling as well as the standard OSHA mandated training for personnel operating in chemical processing facilities. And there had to be at least a couple of trips to actual chemical processing facilities so that CFSI wouldn’t be totally overwhelmed by the complexity of things when they strolled into their first official inspection.

With all of that on the docket, there certainly wasn't time in the 8-week training program to include such things as the pros and cons of various security and chemical safety devices, cybersecurity fundamentals for both IT and control systems, personnel surety standards (which still don't exist) and a whole host of other matters that would need to be evaluated in chemical security inspections.

I know that ISCD has attempted to recruit more personnel from the chemical industry to fill vacated and new CFSI positions. I have seen no figures to date on the success of that effort, but even if successful, that only complicates the training problem as people with chemical backgrounds have to be taught all of the standard security stuff about which they are clueless.

This training issue is going to plague the CFATS program for the foreseeable future. Until there is a stable stream of personnel with industry experience as chemical security professionals ISCD will be hiring people that lack significant parts of the skill sets needed to be a CFSI. One of the best places that DHS could put some chemical security grant money is to one of the schools that has an industrial chemistry program (a relatively new discipline of its own) to develop a degree program for chemical security professionals.

CFSI Requirements

In my opinion, a CFSI should first be a chemical professional. This means at least a BSc degree in chemistry or chemical engineering, perhaps industrial hygiene. Experience working in a chemical processing facility would be a plus. This background would provide the CFSI the ability to speak with and understand the engineers and chemists that run most facilities.

I don’t mean to denigrate the skill and knowledge necessary to be a security professional, but a large part of the knowledge base in that profession will not be of much use in a chemical processing environment. Besides, the §550 restrictions on specifying security requirements will get many people from a real security background in trouble in the field.

A law enforcement background will not be particularly useful in this position. The skills and training necessary to be a cop do not really apply to security (though cops will generally understand security better than chemists) and there is little need for the investigational skills associated with law enforcement. Any actual attacks or suspected attacks will be investigated by local police or the FBI not ISCD.

Restricting the hiring of CFSI to people with a chemical background will make the training problem easier for the Chemical Security Academy. They would be able to concentrate on security issues and program requirements.

So You Still Want to be a CFSI?

So after all is said and done what does it take to become a CFSI? The short answer is you put in an application when a position vacancy is announced on USAJobs.gov. I just did a search and there are no such jobs currently listed. You can set up an account on the site and have them notify you when a vacancy is announced. You’ll have to use the ‘Advanced Search’ option and I would limit the search to DHS and NPPD under the ‘Agency Search’ option.

What qualifications are necessary? Well you have to be a US Citizen and be capable of getting a Secret security clearance. Beyond that you’ll have to look at the announcement in USAJobs.gov. This is still an evolving position and I expect further changes to be made in the job requirements based on the ISCD report (though I still haven’t seen the report).

What are your prospects of getting hired? That’s a good question. There are only a limited number of positions available (160 is the latest figure that I recall) and I believe that most are currently filled. I don’t see a major expansion any time soon. I don’t know how much of a turnover the Department is having (I would hope that the ISCD report touches on that, but we still haven’t seen a publicly released copy), but I don’t expect that it is real high.

Oh yes, expect to have to move. DHS has been advertising these positions as location specific for a regional office and the last listing that I saw said that they would not pay relocation expenses for new hires.

Monday, January 24, 2011

Law Enforcement and CFATS

The attentive reader might remember a post I did at the end of last month about an on-line training program about the Suspicious Activity Reporting program. Shortly after that post, I was contacted by James Cavanagh, the head of LEAPS.TV (the outfit that prepared that training program), thanking me for the positive review.

In the ensuing discussion he asked me if I would be interested in working on a project. His organization does these on-line training programs for law enforcement and emergency management personnel. He had received some requests for training on CFATS for law enforcement personnel and he thought that I might be able to provide some input on the subject.

It’s been an interesting project and I’ve had some interesting conversations with some law enforcement types about their perspective on chemical facility security. As one would expect, they have a slightly different look at the subject and it has been very educational for me.

In any case, Jim just sent me the link to the advance notice for this webinar. It will be free and it will remain on the LEAPS.TV site for future viewing for a relatively short time (four weeks, I think). After that I’ll see about getting it posted somewhere else. It is being designed to give law enforcement personnel a brief overview of the CFATS program and how that program might affect them if they have a covered facility in their community.

Any CFATS covered facility might want to recommend this to their local police department. It is free and LEAPS.TV has an arrangement so that they can award continuing education credits for participants.

If there is enough interest in the program we might be able to provide additional instructional material to provide more detailed information about what local law enforcement needs to know about chemical facility security.

Saturday, November 20, 2010

Private Sector Resources Catalog 2.0

On Thursday I informed you that the latest revision of the Private Sector Resources Catalog had been released and I also said that I would let you know about the changes that would be of interest to the chemical security community after I had a chance to do an in depth review of the new document. Well, as promised, here it is.

First, I did not do an in depth review of the entire document. I concentrated on the four chapters that I thought would be of the most interest to the chemical security community. That does not mean that there won’t be items of potential interest in the other chapters of the Catalog, it just means that I don’t have time to go through the whole thing. Those four chapters are:

Cybersecurity and Communications (CS&C)
Office of Infrastructure Protection (IP)
Transportation Security Administration (TSA)
U.S. Coast Guard (USCG)

New Programs

There are a number of new programs listed in each of these chapters. I am not going to provide explanations of all of them; I’ll just list the titles. If it looks like something that might be potentially interesting, use the links above to find a brief description of the program as well as either a web site or email address to obtain additional information.

Cybersecurity and Communications

• The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
• Research and Standards Integration Program (RSI)
• Telecommunications Service Priority (TSP) Program

Office of Infrastructure Protection

• Chemical Sector Training and Resources Database
• DHS Webinar “Surveillance Detection Awareness on the Job”
• Improvised Explosive Device (IED) Search Procedures Workshop
• IED Threat Awareness and Response
• Infrastructure Information Collection System (IICS)
• IP Sector-Specific Tabletop Exercise Program (IP-SSTEP) Chemical Sector Tabletop Exercise (TTX)
• Protected Critical Infrastructure Information (PCII) Web-base
• Protected Critical Infrastructure Information (PCII) Officer Training
• Chemical Facility Security: Best Practice Guide for an Active Shooter Incident
• Chemical Sector Training Resources Guide
• The Roadmap to Secure Control Systems in the Chemical Sector
• Chemical Sector Security Awareness Guide

Transportation Security Administration

• Maritime Passenger Security Courses
• Air Cargo Screening Technology List-For Passenger Aircraft

Coast Guard (no new programs listed)

I have already written about many of these new programs. Those that I haven’t, I am asking for additional information about and you may see them listed here in future posts.

Removed Programs

In going through these chapters I did note that there were some programs missing from the new catalog. There were three from the Office of Infrastructure Protection chapter that I thought might be of interest to the chemical security community. Since they are not listed in the new catalog, there is no explanation of if or why they may have been discontinued. I am trying to get such explanations and will relay them to my readers if and when I do. In the meantime, here is a list of the delisted programs:

• Improvised Explosive Device (IED) Awareness Web Training
• Surveillance Detection Web Training
• Security Outreach and Awareness Program (SOAP)

Training Programs

There is a wealth of training programs available in this catalog covering a wide variety of subjects and skill levels. Many of them were specifically developed by DHS agencies to meet mandated training requirements. I won’t guarantee the quality or appropriateness of each of these training programs. Each will have a variety of good points and bad points that will have to be evaluated for each facility’s training requirements. But, one thing is for sure, you won’t be able to beat the prices.

Once again, if you are responsible for a DHS covered program, particularly security related programs, you owe it to yourself and your organization to download the appropriate chapters of this Catalog and take a good hard look at the resources that DHS is providing. Your tax dollars are paying for this catalog and the resources listed. Get your share of the benefit.

Monday, June 21, 2010

DHS Updates Critical Infrastructure and Key Resources Webpage 06-21-10

This morning the folks at DHS updated the Chemical Sector CIKR webpage, adding a link to a new web page on Training and Resources. This web page can also be accessed directly from the Critical Infrastructure landing page. This new Training and Resources page provides a lot of new and updated comments about, and links to, DHS provided training support. Among the programs listed are:

• Web-Based Chemical Security Awareness Training
• Chemical Sector Explosive Threat Awareness Training Program (CSETAT)
• Voluntary Chemical Assessment Tool (VCAT)
• Security Seminar & Exercise Series with State Chemical Industry Councils
• Chemical Sector Security Summit

Additionally, the page provides a listing of a number of valuable documents available from the Chemical Sector Office. These include:

• Who's Who in Department of Homeland Security Chemical Sector Security
• Chemical Sector Security Awareness Guide
• Chemical Facility Security: Best Practices Guide for an Active Shooter Incident
• Infrastructure Protection Sector-Specific Tabletop Exercise Program (IP-SSTEP) Chemical Sector Tabletop Exercise (TTX) Materials

I’ll try to get hold of some of these guides so that I can review them and give you a better understanding of their utility.

Friday, May 28, 2010

Water Facility Security Training

I ran across an interesting training notice on Facebook for a training class for water facility personnel to prepare utilities for the security and safety requirements under House Bill HR 3258, the "Drinking Water System Security Act of 2009." The class will be held the week after next in Murfreesboro, TN. According to the notice:
“Utility operators will become familiar with the requirements of this Bill and how to comply with the Bill. Free RAMCAP compliant software is available to help systems prepare risk-based security plans, and alternative chemicals and processes to replace compressed gases.”
Now HR 3258 was incorporated in HR 2868 as Title II of that bill and was subsequently passed in the House. Readers of this blog will know that I do not believe that this bill will come to a vote in the Senate this year. Having said that, I am nearly certain that a similar bill will come up next year and there will be some sort of provisions for water facility security in that bill.

I'm not sure what 'RAMCAP compliant software' Taud Training Station is using, but the RAMCAP program was one of the bases for the development of the current CFATS tools. Additionally, addressing the issue of 'alternative chemicals and processes' (I like that better than IST) should certainly be of benefit to water system operators even if there is no IST mandate in future legislation.

A six hour training program will not provide in depth coverage of any of these topics, much less all of them, but it is certainly enough time to give a good overview and point participants in the proper direction for further training. I don't know anything about the Taud Training Station or any of the specifics of their proposed training, but the info provided on the Facebook page certainly would be enough to get me to make a call to John Shadwick for further information if I were a small water system operator.

Wednesday, March 24, 2010

DHS CERT CSSP Calendar Page Update

Today the DHS CERT Control Systems Security Program (CSSP) Calendar page was updated to include a number of new training dates through December, 2010. Until this update the latest training date listed on the calendar was in April, 2010. The May program includes three regional presentations of the "Introduction to Industrial Control Systems Cybersecurity" presented by DHS CERT CSSP. They will be conducted in San Diego, CA (5-4-10); Orange County, CA (5-5-10); and Scottsdale, AZ (5-13-10). The first two courses provide email links for registration, but no info on the course. The last one provides a link to a course brochure that should be good (except for dates/locations) for all three courses.

Thursday, January 28, 2010

Chlorine DVD Review

I always like to pass along information about hazard communication tools so I was really happy to find a review of a new chlorine information video at SecurityManagement.com. The 28 minute video by Emergency Film Group is part of their Hazchem series of videos and comes highly recommended by Mayer Nudell, the reviewer. I was particularly interested in the comment that the film addresses, along with the typical physical and health hazard information, the DHS “reporting and security requirements for handling chlorine”. This information might not be particularly important for emergency response personnel, but it should make this video useful as part of the annual training requirement listed in the TSA security regulation.