Feel secure about vulnerability assessments
The U.S. government has established its first-ever security mandates for “high risk chemical facilities” (www.ChemicalProcessing.com/articles/2007/095.html). The Chemical Facility Anti-Terrorism Standards are designed to identify high risk facilities through a series of steps involving both the chemical facilities and the U.S. Department of Homeland Security (DHS). The lynchpin for facilities to be included in the process is whether they manufacture, use, store or distribute certain chemicals above a specified quantity. These chemical and quantities are defined in Appendix A of the standards.
A company must prepare compliance materials if DHS deems that all aspects of the regulation apply to a facility. In this article, we offer some guidance to help you prepare such materials and respond to DHS in the event your facility must conduct a security vulnerability assessment.
Initial steps
Organizations that manufacture, use, store or distribute chemicals contained in Appendix A were required to register and complete a Top Screen process under Public Law 109- 295 Section 550. This step had to be finished within 60 days after the November 20, 2007 release of Appendix A.
The Chemical Security Assessment Tool (CSAT) is DHS’s system for collecting and analyzing key data from chemical facilities that have the potential to fall under the new regulations. CSAT will be used to support the preliminary and final decisions about placing a facility into one of four risk-based tiers.
Companies were required to register for CSAT and use it to provide information to DHS regarding facility background, chemicals on site and the risks associated with those chemicals. This submission can be made only via the Internet (https://csat-registration.dhs.gov/). There are very stringent requirements on controlling information associated with the CSAT process. Prior to getting access to the CSAT system, all persons who are involved must be pre-certified by DHS. To gain certification persons must demonstrate an understanding of the importance of safeguarding information related to chemical security vulnerability. To register and get the appropriate employees trained, visit the DHS web site at https://csat.dhs.gov/cvi_training/.
After completing your Top Screen process online, a screen informing the user that the facility “may be regulated” or “not regulated” will appear. Subsequently, DHS will notify you by mail to confirm whether or not you will be regulated under CFATS and, if so, to what risk tier you will be assigned.
Security vulnerability assessment
If, following the Top Screen process, DHS informs your company that a facility will be regulated, you must conduct a Security Vulnerability Assessment (SVA). You will have 90 days after DHS classifies the site to complete and submit this assessment. The mission of the vulnerability assessment will be to reduce the risk of:
• toxic chemical release;
• theft and diversion of chemicals that could be used as precursors for explosives or weapons of mass destruction;
• sabotage or contamination of chemicals; and
• impact on critical government activities and the national economy.
The SVA clearly is a collaborative process whose success depends upon the quality of the team that’s assembled to conduct the study. The team typically should consist of representatives from site security, risk management, operations, engineering, safety, environmental protection, regulatory compliance, logistics/distribution, information technology and other areas, as required. To have a valid outcome, it’s important to include a security professional on your team.
Many organizations will need to look outside for the security expertise necessary to complete the SVA. Hire only an independent consultant. Consider, for example, members of the International Association of Professional Security Consultants (IAPSC), as they must adhere to a strict code of ethics and are truly full-time independent consultants, not part-time consultants or ones tied to the sale of products or other services like hardware salesmen, guard contractors or private detectives who may profess to do it all. Your consultant should have experience working in the chemical industry and with the common methodologies for conducting SVAs, such as that from the Center for Chemical Process Safety. Look for credentials like Certified Protection Professional (CPP) or Physical Security Professional (PSP) from ASIS International or Certified Security Consultant (CSC) from the International Association of Professional Security Consultants. A key component of SVAs is actually understanding where adversaries can exploit weaknesses in a facility’s security — certifications indicate that a consultant can offer sound opinions.
Preparing your SVA
Six tips for SVA success1. Plan the activity well in advance; senior leadership should communicate to the entire organization about the assessment and seek candid input.2. Ensure the full support and authorization of management before proceeding with the SVA.3. Insist upon data that are verified and complete. Consider the use of a scenario worksheet in documenting the information in your SVA. (Figure 2 shows a sample worksheet.) Such a form will greatly aid in getting your information organized in the way it will need to be entered into CSAT at the conclusion of the SVA.4. Keep the objectives and scope concise; DHS will provide structure in the initial written communication after the Top Screen is complete.5. Staff the team with people knowledgeable of and experienced at the process they are reviewing (release, theft/diversion, etc.).6. Use a team leader who is skilled in the SVA process methodology so it can be properly facilitated. |
Asset characterization. This involves the identification of critical assets (done in the Top Screen), evaluation of existing countermeasures and quantification of the severity of consequences. The severity of the consequences and asset attractiveness are used to screen the facility assets into those that require only general security countermeasures versus those that require more specific actions; protection levels must be spelled out in your site security plan. As soon as possible identify the scenarios that will be addressed in your SVA (i.e., release, theft/diversion, etc.) because the remainder of the SVA will focus on the risk associated with these scenarios.
Threat assessment. This determines the estimated general threat level, which varies as situations develop. Depending upon the threat level, security measures greater than baseline ones likely will be necessary. While threat assessments are key decision-support tools, always bear in mind that such assessments, even if updated often, might not adequately capture emerging threats posed by some adversaries. No matter how much we know about potential threats, we’ll never know that we have identified every threat or that we have complete information even on the threats about which we are aware.
Vulnerability assessment. The identification of security vulnerabilities underpins the validity of the whole process. Existing security measures must be evaluated to ensure they are being managed in a manner that provides the most value to the organization. Ultimately, the deliverable of this phase is the assessment of the level of effectiveness in reducing vulnerability and meeting applicable risk-based performance standards. This is the phase where your security professional should be doing most of the work.
Risk analysis. This includes a determination of the relative initial degree of risk to the chemicals of interest in terms of the expected effect on each critical asset and the likelihood of the success of an attack; it typically is represented in a matrix.
Improvement (risk reduction) is derived from identifying additional countermeasures that can be applied to:
• reduce the probability of a successful attack on a chemical of interest;
• enhance the degree of risk reduction;
• increase the reliability/maintainability of security; and
• decrease the consequences of an event.
Risk is reassessed after proposed countermeasures are applied to the scenarios addressed in your SVA. Measures accepted by management must then be incorporated into your site security plan.
Results of the SVA will be entered into CSAT and will form the basis of the site security plan. In fact all vulnerabilities identified in the SVA must be addressed in the site security plan, which is due 120 days after your SVA is complete.
Protecting information
It’s crucial to safeguard Chemical-Terrorism Vulnerability Information (CVI) from disclosure to unauthorized persons. While a company likely will certify only a limited number of employees as able to handle CVI, all employees must know enough about what to do if CVI documents are found unsecured. Staff must be taught how to recognize this information based on this labeling:
Chemical-terrorism Vulnerability Information
(Placed in the header of each page.)
Each cover page, title page and page within the document should have the following statement inserted: WARNING: This record contains Chemical-terrorism Vulnerability Information controlled by 6 CFR 27.400. Do not disclose to persons without a “need to know” in accordance with 6 CFR 27.400(e). Unauthorized release may result in civil penalties or other action. In any administrative or judicial proceeding, this information shall be treated as classified information in accordance with 6 CFR 27.400(h) and (i).
Any documentation prepared due to your SVA should be labeled accordingly.
A start towards security
These new standards will substantially expand the security requirements for many chemical facilities that have never before been covered under government security guidelines. Clearly, it’s necessary to get a start on them. However, much work by both the private sector and the government will have to be done before all of the high risk chemical facilities in the United States can fully meet the standards.
Frank Pisciotta, CSC, is president of Business Protection Specialists, Canandaigua, N.Y. E-mail him at [email protected].
Deborah Allen, CPP, is director of product stewardship and security at Potash Corp., Northbrook, Ill. E-mail her at [email protected].