Questions on CFATS Risk Methodology

Wednesday, March 20, 2013 @ 05:03 PM gHale

Risk assessment methodology used to classify chemical facilities under the Chemical Facility Anti-Terrorism Standards program came under fire during a hearing in Washington last week.

The Government Accountability Office released a preliminary report on the program criticizing officials for not considering facility vulnerability and mostly ignoring threat data when assigning a risk tier to the 4,380 facilities nationwide covered under the CFATS regulation.

CFATS Funding in Doubt
DHS: CFATS Doing Better
CFATS Reaches Stage Three
Stopping Stuxnet Attacks

The basis of the risk methodology is on the consequence to human life the release or theft of a chemical would cause or on the consequence to lives by sabotage, the GAO says.

Watchdog officials find multiple faults with the methodology, based on standards called for by the CFATS regulation. Consequence assessment should also consider the direct economic effects, auditors say, and CFATS officials consider threat data in the risk assessments of only about 350 facilities, just those at risk of sabotage. In addition, they don’t take into account vulnerability, at all. (Threat is the likelihood of an attack; vulnerability is the likelihood of a successful attack, given an attempt.)

But focusing “principally on consequences in a regulatory compliance framework is an appropriate way to tier facilities,” said David Wulf, director of the DHS Infrastructure Security Compliance Division. He testified before the House Energy and Commerce subcommittee on the environment and the economy.

Were CFATS to focus heavily on vulnerability, facilities could potentially drop in and out of the program were operators to diminish their risk score through vulnerability mitigation but then stop implementation because a lower risk score would make the measures optional — and so become higher risk again, Wulf said. “We would have sort of a roller coaster effect,” he added.

Rand Beers, who heads the DHS National Protection and Programs Directorate, said CFATS addresses all three aspects of risk, just not in the tiering methodology. The site security plans that facility operators create are where users can address vulnerabilities, he said.

Nonetheless, “we’re going to take note of the GAO’s comments on this,” Beers said, noting that DHS has commissioned an independent review of the risk methodology –although the GAO notes the panel is not to develop alternative chemical facility risk assessment methods.

The department has also hired Sandia National Laboratories to examine incorporating economic data into consequences assessment; according to the GAO report, Sandia should report back in June 2014.

As for site inspection of facilities with authorized security plans, Wulf said authorization inspections of tier one and two facilities (those at highest risk) will be complete in 2014. The GAO calculates at the current pace of review, it could take 7 to 9 years to complete final inspection for all CFATS-covered facilities, a rate Wulf said is unacceptable and that DHS will attempt to speed up.

Leave a Reply

You must be logged in to post a comment.