Terror Proofing the Plant

Monday, October 25, 2010 @ 08:10 PM gHale

As the need for industrial safety and security soars, one thing is for certain: CFATS is the law. Chemical Facility Anti-Terrorism Standards spur security system design.

By Nicholas Sheble
Industrial safety and security business revenues are soaring.
Ever since the Y2K millennium bug in the late 1990s, buttressed by the 9/11 attacks and periodically reinforced by a modern terrorist/insurgent/freedom fighter/wacko, corporations have undertaken, and governments have mandated, moves to physically protect and cyber secure our manufacturing facilities and refineries.
American Chemistry Council members have spent more than $8 billion on facility security enhancements since 2001 and have helped lead the way on chemical plant security ahead of government regulation.
CFATS (Chemical Facility Anti-Terrorism Standards) is the United States’ legislation that serves as a set of government security regulations for high-risk chemical facilities such as chemical plants, electrical generating facilities, refineries, and universities.
CFATS is 6 CFR (Code of Federal Regulations), Part 27. The U.S. Department of Homeland Security promulgated the Final Rule on April 9, 2007. The regulations came into effect on June 8, 2007, apart from material covered in Appendix A, which took effect on November 20, 2007.
CFATS compliance, consulting, and security vendors and providers now number in the tens and hundreds and include automation big boys like Invensys, Honeywell, Siemens, and Yokogawa. As well, myriad experts and reputable corporations have sprung to the fore to fill the enormous security breach that has developed over the past decade, including AcuTech, ADT Advance Integration, BPS, Huffmaster, and Industrial Defender.
Here’s what you need to know about Chemical Facility Anti-Terrorism Standards.

Consequences, Vulnerabilities
Congress directed the Department of Homeland Security to identify and secure those chemical facilities that present the greatest security risk. DHS sees “security risk” as a function of the following:
• The consequence of a successful attack on a facility (consequence)
• The likelihood that an attack on a facility will be successful (vulnerability)
• The intent and capability of an adversary in respect to attacking a facility (threat)
Specifically, high-risk chemical facilities are the department's focus, and DHS's mission is to ensure their security.
Since each chemical facility faces different security challenges, Congress explicitly directed the Department to issue regulations “establishing risk-based performance standards for security of chemical facilities.”
Performance standards work particularly well in a security context because they provide individual facilities the flexibility to address their unique security challenges. Using performance standards instead of prescriptive standards also helps to increase the overall security of the sector by varying the security practices the different chemical facilities use. Security measures that differ from venue to venue mean each presents a new and unique problem for an adversary to solve.
DHS developed a risk-based “tiering” structure that will allow it to focus resources on the high-risk chemical facilities. It will assign facilities to one of four risk-based tiers ranging from high (Tier 1) to low (Tier 4) risk.
Assignment of tiers relies on an assessment of the potential consequences of a successful attack on assets associated with chemicals of interest. The Department of Homeland Security uses information submitted by facilities through the Chemical Security Assessment Tool (CSAT) Top Screen and Security Vulnerability Assessment processes to identify a facility’s risk.
That risk is a function of the potential impacts of an attack (consequences), the likelihood that an attack on the facility would be successful (vulnerabilities), and the likelihood that such an attack would occur at the facility (threat).

Determining the Appropriate Tier
The highest tier facilities, or Phase 1 facilities, are those that the DHS has specifically requested to complete the Top Screen. These facilities had to complete a Security Vulnerability Assessment (SVA), which provides more in-depth information that allows the Department to assign a final risk tier ranking to the facility.
Facilities that complete the CSAT Top Screen and do not meet the consequence thresholds do not need to comply with CFATS.
DHS recognizes that facilities have dedicated and invested time, resources, and capital to identify vulnerabilities and improve overall security. Facilities will be able to make use of information from these improvements. Facilities may also leverage their existing security measures in working toward compliance with CFATS and specifically the risk-based performance standards.
DHS considers a variety of factors in determining the appropriate tier for each high-risk facility, including information about the public health and safety risk, as well as the presence of chemicals with a critical impact on the governance mission and the economy.
A copy of the CFATS regulation, the Appendix A Chemicals of Interest list, and various guidance documents are available at DHS.
The Chemical Facility Anti-Terrorism Standards (CFATS) program requires covered facilities to submit a Site Security Plan (SSP) using DHS’s Chemical Security Assessment Tool (CSAT) website. The SSP is a crucial step in any facility’s compliance program. Here are 10 suggestions for those working on their SSPs.
Contact the CSAT Help Desk by phone at 866-323-2957 or use the CSAT Help Desk Web Form.
CFATS is not just for “chemical facilities.” Any facility that possesses regulated chemicals at or above screening threshold quantities (STQs) is a chemical facility in CFATS. There are quite a few facilities that exceed these thresholds, including colleges and universities, refineries, mining operations, liquefied natural gas storage, and manufacturing facilities.
Nicholas Sheble is a contributing technical editor for ISSSource. His email is nsheble@isssource.com.
