Amid these industry efforts, American Chemistry Council (ACC) CEO Chris Jahn has criticized both Congress and the White House for policy decisions he believes have compromised national security. Jahn specifically pointed to the lapse of the CFATS program in July 2023 as a significant issue in an editorial he penned for Homeland Security Today.
Jahn warned that its expiration has created vulnerabilities that could be exploited by terrorists.
Without CFATS, chemical companies cannot vet personnel against the FBI’s terrorist screening database, meaning more than 100,000 people have not been vetted since its lapse, wrote Jahn in his editorial.
But in the absence of CFATS, security companies are stepping up to provide more sophisticated boundary-protection technologies to the industry.
One of those companies is surveillance technology provider Blue Eye. Davis Lim, the company’s head of strategy at remote video monitoring (RVM) specialist, says he’s seeing many industrial customers implementing internal security rules.
“Even though advanced security measures are no longer mandated by the government, we see customers in this space mandating that their properties leverage remote video monitoring all the time,” he says.
As an example, Lim cites the company’s experience over several years with a major global chemical distribution company (unnamed, for security reasons).
The sales process began with an in-person audit of several of its manufacturing and distribution sites to identify which cameras should and shouldn't be monitored to ensure the company wasn’t paying for unnecessary coverage.
“For large enterprise clients like this one, we offer a month-long pilot program at no cost, which allows us to calibrate the system and gather preliminary data on site behavior,” he explains. “During a pilot program, we collaborate with the customer to define response protocols, ranging from dispatching police or security to notifying employees via phone or walkie-talkie in case of suspicious activity.”.
He describes implementation costs as minimal. For this customer, the initial investment involved just a server and speakers, with setup costs remaining under a few thousand dollars per site.
Ongoing costs are between $1,000 and $2,500 per month, depending on the number of cameras being monitored.
Blue Eye’s ability to scale up its service quickly means that new sites are easily added. In fact, the company monitors all the customer’s U.S. sites and now is expanding into its Canadian operations.
Lim emphasizes that there’s much more RVM technology today than just cameras, sensors and software.
Blue Eye, for example, uses a homegrown monitoring platform rather than off-the-shelf solutions, which enables it to better control and tailor the development of new features to customers’ specific requirements (Figure 1). An in-house event queuing module verifies suspicious activity. The technology is also camera agnostic, meaning customers can leverage their existing video surveillance system without needing to rip and replace it with new cameras. Because no new camera hardware is required, the timeline to initiate service is typically ten days or less, compared to industry standards of 45 days or more.
Users can regularly access key performance indicators through a dashboard, while a network of integrators works with other product and service suppliers to ensure the most efficient security strategy.
Thermal AI and Smart Access Control Enhance Protection
Other security technology vendors are using risk-based performance standards provided by the lapsed CFATS regulations as the basis their approach to reduce vulnerability and manage risk at chemical facilities.
Sightlogix is one example. It has developed smart thermal cameras that can detect an intruder’s speed, bearing and geo-location in milliseconds for a rapid pre-emptive response. The company’s geospatial system provides early-warning covering over 100-meter-wide buffer zones outside, inside and at the fence. This video analytic “blanket” of security around chemicals stored inside the perimeter mitigates possible sabotage or theft where fences would otherwise impede business operations.
The company’s latest innovation is thermal AI nuisance alarm filtering, an edge-based addition that tackles the outright errors in detection and nuisance alarms often caused by atmospheric factors, such as lightning, wind and reflections at chemical plants.
With reduced false alarms and enhanced accuracy, Sightlogix believes its latest offering will help chemical companies cut costs associated with false alarm responses and maintenance while keeping operational efficiency optimized.
Meanwhile, Dutch technology company Nedap has developed a software-based access control system.
Known as AEOS, it is built on open standards and integrates with a wide range of technologies including video monitoring and biometric readers. It has the flexibility to scale easily, too.
AEOS operates via a web-based dashboard. Users can add extra functionality by selecting extra options from the access control software.
AEOS governs who has access to certain areas, which doors they have access to and what times they can gain access. Here, for example, contractors and junior staff may only be allowed access during their standard shift pattern, whereas senior staff can enter the building at any time.
The system also can be set so that, for example, contractors are only allowed access if it shows they’ve presented their certification.
What gives users even more control is that a good access-control system lets them set these parameters for each individual – and quickly updates them whenever necessary.
Identifiers include access cards, badges, tags, pin numbers and biometric identifiers such as fingerprints and iris scans.
This comprehensive package attracted Saudi Aramco when the company was looking for a way to improve security by controlling access to its facilities across Saudi Arabia.
The company needed a technology with a flexible, open architecture, so it could connect multiple technologies on one platform. Saudi Aramco also required a system that was fully certified to protect against cyberattacks and could handle thousands of transactions daily.
Nedap achieved this by connecting multiple locations over a secure network to a central AEOS server. This included the company’s uPass Reach long-range UHF RFID reader, SAP biometrics, including camera-based facial recognition software for critical locations, and a video management system from Milestone Systems.
Saudi Aramco’s digital transformation also included Smart Bluetooth low energy and QR-based readers with a mobile app.
Fortifying Physical Barriers Against Modern Threats
Security gate specialist Tymetal has been involved in perimeter security since 1985.
“The world has become a much more dangerous place since then. More threats by bad actors which can cause harm to the public exist now,” says Todd Kehley, certified automation gate designer with the company.
One example he cites is the proactive security needed to safeguard personnel and plant from motorized vehicles intent on delivering explosives. This has prompted Tymetal to focus on stopping an attacking vehicle as quickly as possible, disarming it and reducing or preventing it from causing harm.
The threat of attack by firearms has also become more prevalent, causing the company to focus on incorporating ballistic material into its products.
Chemical companies in 2024 want hardened perimeters to reduce the threat that bad actors, such as terrorists and vandals pose, and to give additional response time should such an attack occur, Kehley says. They also are seeking protection of valuable company assets and proprietary information. They want effective, efficient and reliable security measures that protect personnel safety and plant profitability, Kehley notes.
Compliance with federal regulations remains an important driver, too: “Tymetal has worked with companies to help them meet guidelines that were set by CFATS and, although Congress allowed the expiration of CFATS, the standards are still of a high level of importance.”
The company works closely with specialist security management organizations, such as ASIS International, to better understand industry needs, develop products and establish protocols to create a more safe and secure environment, too.
“The sensitivity of products handled by chemical companies and the potential harm that they can cause makes perimeter security a high-level priority,” he says. “Understanding the traffic flow in and out of the facility is important. This helps to provide direction on what the needs are, the products that can be used to meet those needs while still allowing the facility to function productively.”
This means integrating security gates with surveillance systems, access control systems, intrusion-detection systems, AI, drones, lasers and cybersecurity.
Kehley emphasizes that no “cookie cutter” solution will protect the vast area that most chemical companies cover.
Instead, the company’s team of security experts works closely with each facility to optimize the mix of rated gates, fences, bollards, and other products that it needs.
The costs of Tymetal’s security products vary widely depending upon the situation. A simple automated cantilever can be in the range of $15,000-$25,000, while high security ballistic level gates run into the hundreds of thousands of dollars (Figure 2).
Cybersecurity Concerns Persist in Post-CFATS Era
Meanwhile, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which previously enforced CFATS, has issued a statement urging facilities to uphold both cyber and physical security measures.
This follows an investigation into the hacking of its chemical security assessment tool (CSAT) in January.
While CISA’s investigation found no evidence of exfiltration of data, it says this intrusion may have resulted in the potential unauthorized access of top-screen surveys, security vulnerability assessments, site security plans, personnel surety program submissions and CSAT user accounts.
While the investigation found no evidence of credentials being stolen, CISA is encouraging individuals who had CSAT accounts to reset passwords for any account, business or personal, which used the same password. This, the organization says, can help to prevent possible “password spraying” attacks in the future.