Get ready to comply with new security mandates

New anti-terrorism standards require the Department of Homeland Security to identify and regulate "high-risk chemical facilities." These facilities will be subject to a security vulnerability assessment. Where does your plant fit in with these new standards?

By David A. Moore and Dorothy Kellogg, AcuTech Consulting Group

2 of 4 1 | 2 | 3 | 4 View on one page

CFATS creates a system composed of discrete elements that, taken together, provide a progressive program to identify high-risk chemical facilities and impose security standards commensurate with the security profile of such covered facilities. The DHS-developed-and-owned online process for screening, SVA and SSP submittal is named the Chemical Security Assessment Tool (CSAT) and is available via

Figure 1 describes the general sequence of the key regulatory requirements and milestones. Facilities must first complete a Top-Screen. Those presumed to present a high level of security risk as a result of DHS’s analysis are next required to submit SVA. If the Department then assigns a facility to a tier, that facility becomes responsible for achieving the applicable RBPS and must develop a suitable SSP that DHS validates and approves. Enforcement will be based on the facility’s compliance with it’s SSP
Top-Screen. This collects answers to a series of questions intended to assess different impacts, and levels of impact, that could result from a terrorist incident at the facility — specifically, the risk to public health and safety from:

Figure 1

Figure 1. CFATS involves 10 steps, with more than half involving RBPS. (Click to enlarge)
  • in-situ release of toxic, flammable and explosive chemicals;
  • theft or diversion of chemical weapons and precursors, weapons of mass effect and Improvised Explosive Device (IED) precursors;
  • sabotage or contamination of materials that could release poisonous gases if exposed to water;
  • the inability of government to provide critical services, such as supply of potable water and electric power, and safety and security, in the event of an emergency; as well as
  • risks to the national or regional economy.

CSAT-SVA. This is a framework for analyzing and managing risks associated with terrorist attacks against critical assets. It provides a simple, convenient, computer-based methodology to identify, analyze and communicate the various characteristics and impacts that may lead terrorists to select a particular target and engage in a specific form of attack. It communicates to DHS the site’s estimate of the security elements currently in place that meet or exceed each of the applicable RBPS related to a common set of threat agents.

The CSAT-SVA has three fundamental objectives:

  1. Identifying a facility’s critical assets based on the results of the Top-Screen and as directed by DHS;
  2. Applying specified potential terrorist attack scenarios, as applicable, to each identified critical asset to refine the consequence estimates from the Top-Screen;
  3. Applying specified potential terrorist attack scenarios, as applicable, to each critical asset in light of the security measures in place to evaluate the gaps between the existing security measures and the RBPS.

The CSAT-SVA is a six-step process (see Figure 2) that links the output from the Top-Screen and general site attractiveness to specific assets, allowing more-focused consequence analysis and risk assessment, and providing a baseline for security countermeasures that will be articulated in the SSP.

Figure 2

Figure 2. The SCAT-SVA’s six steps lead to an assessment tailored to the site.

It documents the process of identifying security vulnerabilities and provides methods to evaluate the options for addressing those weaknesses using example countermeasures identified in the SSP Security Countermeasure Database.

The CSAT-SVA is used to further characterize the facility, determine plausible worst-case scenarios assuming successful attacks on critical assets, and evaluate vulnerability. A standardized set of potential terrorist attack scenarios and assumptions allows for cross comparison of chemical facilities and the determination of vulnerability on a common scale.

DHS’s presumptive tiering is based on the potential consequences that could be generated following a successful attack or due to the presence of types of chemicals at the facility. (The final threshold values that DHS will use for tier cutoff levels will be classified.) The Department will determine the final tier level for the facility and for the critical assets within the facility based upon the SVA results and the previous Top-Screen information. A facility’s tier level will depend upon the highest tier determined for all of its critical assets.

Potential terrorist attack scenarios

The CSAT tool employs a set of defined potential terrorist attack scenarios, used to both “produce” consequences (for the measurement of criticality) and to measure vulnerability. These aren’t “Design Basis” threats and in no way reflect the type of actual threats against which owner/operators will be expected to “defend.” Instead, they reflect the need for DHS to conduct comparative risk analysis uniformly and consistently across the sector.

The tool does include basic assessments of certain types of threats; however, it isn’t intended to be a full-scope, detailed analysis of all possible areas of vulnerability. It’s a measurement tool that will allow general categorization of a facility as vulnerable or not, critical or not, and, thus, help estimate the degree of risk posed by the listed chemicals. DHS will undertake detailed evaluations of specific security issues as part of the ongoing relationship between itself and the facility owner/operator.

Site security plans

The statute specifies that the Department “shall permit each facility, in developing and implementing Site Security Plans, to select layered security measures that, in combination, appropriately address the Security Vulnerability Assessment [for the facility] and the risk-based performance standards for security for the facility.” The statute specifically prohibits the Department from rejecting a SSP simply because it does not incorporate a specific type of security measure: “The Secretary may not disapprove a Site Security Plan submitted under this section based on the presence or absence of a particular security measure.”

2 of 4 1 | 2 | 3 | 4 View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments