Get ready to comply with new security mandates

New anti-terrorism standards require the Department of Homeland Security to identify and regulate "high-risk chemical facilities." These facilities will be subject to a security vulnerability assessment. Where does your plant fit in with these new standards?

By David A. Moore and Dorothy Kellogg, AcuTech Consulting Group


An SSP must take into account both the SVA for the covered facility and the applicable RBPS. The plan must identify and describe the function of the measures the facility will employ to close the gaps between the existing security measures and the RBPS for its assigned tier. DHS will determine that the specific options selected by the site owner/operator protect against the various potential attack scenarios in the SVA and adequately address the RBPS.

Covered facilities also will have a continuing obligation, which will vary based on their risk-based tier, to maintain and periodically update their SSP.

RBPS per tier level

There are four risk-based tiers, ranging from highest risk at Tier 1 to lowest risk at Tier 4. This generally means that Tier 1 facilities must effectively demonstrate “more robust” security systems — meaning those with greater capability, reliability and resistance to defeat than those provided by lower-tier facilities. DHS will consistently apply performance standards across all tiers, but guidelines for each tier vary relative to the consequence of malevolent acts posed by each facility. As already noted, the Act restrains DHS from requiring any specific measures.

CFATS includes nineteen risk-based performance standards (see Table 1). Each covered facility must select, develop and implement appropriate risk-based measures to satisfy these standards.


Section 27.230 Risk-Based Performance Standards

(1) Restrict Area Perimeter. Secure and monitor the perimeter of the facility;

(2) Secure Site Assets. Secure and monitor restricted areas or potentially critical targets within the facility;

(3) Screen and Control Access. Control access to the facility and to restricted areas within the facility by screening and/or inspecting individuals and vehicles as they enter, including:

(i) Measures to deter the unauthorized introduction of dangerous substances and devices that may facilitate an attack or actions having serious negative consequences for the population surrounding the facility; and
(ii) Measures implementing a regularly updated identification system that checks the identification of facility personnel and other persons seeking access to the facility and that discourages abuse through established disciplinary measures;

(4) Deter, Detect, and Delay. Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful, including measures to:

(i) Deter vehicles from penetrating the facility perimeter, gaining unauthorized access to restricted areas or otherwise presenting a hazard to potentially critical targets;
(ii) Deter attacks through visible, professional, well maintained security measures and systems, including security personnel, detection systems, barriers and barricades, and hardened or reduced value targets;
(iii) Detect attacks at early stages, through counter-surveillance, frustration of opportunity to observe potential targets, surveillance and sensing systems, and barriers and barricades; and
(iv) Delay an attack for a sufficient period of time so to allow appropriate response through on-site security response, barriers and barricades, hardened targets, and well-coordinated response planning.

(5) Shipping, Receipt, and Storage. Secure and monitor the shipping, receipt, and storage of hazardous materials for the facility;

(6) Theft and Diversion. Deter theft or diversion of potentially dangerous chemicals;

(7) Sabotage. Deter insider sabotage;

(8) Cyber. Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control And Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS); critical business systems; and other sensitive computerized systems;

(9) Response. Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders;

(10) Monitoring. Maintain effective monitoring, communications and warning systems, including:

(i) Measures designed to ensure that security systems and equipment are in good working order and inspected, tested, calibrated, and otherwise maintained;
(ii) Measures designed to regularly test security systems, note deficiencies, correct for detected deficiencies, and record results so that they are available for inspection by the Department; and
(iii) Measures to allow the facility to promptly identify and respond to security system and equipment failures or malfunctions;

(11) Training. Ensure proper security training, exercises, and drills of facility personnel;

(12) Personnel Surety. Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets, including:

(i) measures designed to verify and validate identity;
(ii) measures designed to check criminal history;
(iii) measures designed to verify and validate legal authorization to work; and
(iv) measures designed to identify people with terrorist ties;

(13) Elevated Threats. Escalate the level of protective measures for periods of elevated threat;

(14) Specific Threats, Vulnerabilities, or Risks. Address specific threats, vulnerabilities or risks identified by the Assistant Secretary for the particular facility at issue;
