Since Sept. 11, 2001, the chemical industry has made tremendous strides in improving the security of its facilities, infrastructure and IT. Even though national security regulations remain stalled, members of the American Chemistry Council (ACC) and the Synthetic Organic Chemicals Manufacturers Association (SOCMA) have completed site vulnerability assessments, and many are now starting to implement security improvements at their plants. ACC members have already completed implementation for Tier 1 facilities, which represent the highest potential risk. They will finish security implementation for Tier 2 facilities by June, and for remaining facilities by the end of the year, says Marty Durbin, ACC's team leader for security.
This year, the industry plans to synchronize efforts in facility and IT security. Through the Chemical Sector Cybersecurity Program and CIDX, efforts are also underway to help ensure that chemical companies' process-control and IT departments are on the same page when it comes to security).
Currently, though, only some of the thousands of chemical processing and storage facilities in the United States are members of the trade groups spearheading these efforts. "At this point, it's safe to say that most chemical plants haven't even done site vulnerability assessments. They're behind the curve," says Richard Sem, a 34-year security veteran and former senior Pinkerton executive who now runs his own consulting firm in Plainfield, Ill. Many think, "It's not going to happen here," and don't see security as a priority, he says.
For some companies, the problem may not be assessment, but the next, and most difficult step: implementation. Some plant managers are dragging their feet due to budgetary and internal political issues, Sem says. An average- size chemical plant can easily spend from hundreds of thousands to millions of dollars on site security. Companies should realize that they don't have to spend a fortune to secure their facilities, he says. "Generally, the most critical business processes should determine how to prioritize the intensity and focus of security efforts," says Troy Smith, senior vice president and practice leader for IT Security with the risk-assessment specialists, Marsh Inc., New York.
A mid-November report by the television news magazine, "60 Minutes," found significant security loopholes at chemical plants near New York, Los Angeles, Chicago and Houston. At one facility outside of Pittsburgh, Pa., owned by the Neville Chemical Co., reporters found an open gate near an anhydrous ammonia facility and no particular protection for a boron trifluoride storage unit. More disturbing, perhaps, was that until someone at the plant called the police, who escorted the reporters off the site and cited them for trespassing, employees didn't take steps to remove them from the premises.
Neville Chemical was in a situation that many chemical companies may now find themselves in. It had completed a site vulnerability assessment that found weaknesses in perimeter security, with unlocked gates in need of repair along the rail line that runs through the plant site.
The company had already taken steps to improve security, and had an employee training program in place, says Jack Ferguson, vice president of manufacturing and plant manager. After Sept. 11, 2001, Neville had decreased the maximum quantity of boron trifluoride onsite by 50%, and the average quantity onsite by 65%. It had also improved perimeter security, negotiated with the railroad, developed a plan and put out design bids for the gate-repair work. "New gates were not the answer," Ferguson says. "We needed new fences encompassing a rail spur."
Once it found that track repairs were also needed, Neville applied for funding from the Federal Rail Administration and decided to postpone the repair work, as chief operating officer Thomas McNight explained in a letter to "60 Minutes'" parent network, CBS. When the company learned that funding would not be granted, it decided to go ahead with the repairs anyway before the "visitors" arrived. Neville installed the gates in November, Ferguson says, and has also completed plans for work required to meet Coast Guard regulations for waterfront facility security. If they hadn't recognized the "60 Minutes" crew, he says, staff would have reacted right away.
Ferguson wouldn't comment on economic pressures. "Security measures have to fit plant location, raw materials and products. There can't be a 'one size fits all' approach," he says.
In the mock drill and exercises shown here, participants acted out a WMD scenario involving chemicals. These drills were a part of TOPOFF2, an extensive emergency response program held in Seattle and Chicago last year. Since Sept. 11, 2001, many chemical companies have improved their onsite response and coordinated efforts with local responders.
Doing the right thing
However, others believe that the industry can learn some valuable lessons from the report. For one thing, more companies need to move from an emphasis on response to an approach that includes deterrence, Sem says. The first deterrent, and the most powerful and inexpensive solution, is employee awareness training.