As more and more chemical companies move through the various review and evaluation processes demanded by the Chemical Facility Anti-Terrorism Standards (CFATS) of the U.S. Department of Homeland Security (DHS), important issues about the practical implications and the cost of the initiative are emerging.
Personal surety programs (PSP), Top Screens and material modifications pose particular concern to the Society of Chemical Manufacturers and Affiliates (SOCMA), Washington, D.C.
In terms of PSP, under CFATS companies must carry out appropriate background checks, to ascertain immigration status and criminal history, and to ensure via the FBI's terrorists' screening database that an individual has no terrorist ties.
This will lead to duplication of existing screening programs, says Michael Kennedy, SOCMA senior manager, government relations. In the preamble to the original CFATS final rule, DHS indicated that a person who has successfully undergone a security threat assessment conducted by DHS and possesses a valid DHS credential such as a TWIC, HME, NEXUS or FAST "will not need to undergo additional vetting by DHS." However, he points out, DHS now states that an affected individual who possesses a current and valid TWIC "will likely require less information to be submitted than an affected individual who does not have a TWIC."
"So these simple criteria have mushroomed into something bigger — it gets quite complicated quite quickly. Now there is a lot of ambiguity about what is an affected individual. For example, does this include contractors? Does having camera coverage of an individual count as unescorted? What if there is a guy at the back of the plant coming to collect a bag of ammonium nitrate. Does he count?"
The DHS gives facilities some discretion to interpret all this, but SOCMA is pushing for more guidance for the simple reason that a DHS inspector might disagree with a particular company's interpretation.
With regard to material modifications, the DHS requires covered facilities to submit a revised Top Screen within 60 days of any "material modification made to its operations or site." This means adding or removing a chemical of interest (COI), reducing its volume and, sometimes, simply moving where it's kept.
"One of our members queried the DHS whether or not they had to file a Top Screen for moving a COI from one part of the site to another. They got varying interpretations from the DHS. But the company filed one anyway," says Kennedy.
The DHS already must contend with a sizable volume of Top Screens because many companies want to get out of the CFATS program altogether. This can happen two ways: the DHS, after its initial review and evaluation of Top Screen data, deems a facility not high risk; or the DHS, after issuing a facility a preliminary CFATS tier ranking and then getting a Security Vulnerability Assessment (SVA), determines the facility isn't high risk.
"Even if following a DHS review and evaluation of SVA data, the facility is deemed not high risk and allowed to drop out of CFATS, the DHS is still looking for documentation, especially on the supply chain. They want to know where the chemical goes to next if it is not on your site. This brings in added problems for batch manufacturers, where COIs go up and down monthly depending on what is being manufactured at the time," Kennedy notes.
One of the solutions proposed by SOCMA is an editable Top Screen through which companies could tell the DHS what the new chemical is and how they will handle its security on site. Another idea is a notice of limited modification — a detailed description of new chemicals coming on site.
"DHS is certainly listening to this and we might see changes coming down the pipe, but what we haven't seen so far is proper cooperation between the DHS and the industry in order to reduce the burden of Top Screens."
SOCMA, other trade organizations and operating companies put their concerns to the DHS in early July in Baltimore, Md., at a specially convened chemical sector security summit attended by DHS secretary Janet Napolitano.
Here SOCMA and others outlined their concerns about credentialing and its cost burden. The issue of discretion with PSP also was raised. "The point about discretion is a 'Catch 22,'" states Kennedy. "Under the risk based performance measures (RBPM), operators set the measures and then these get graded when the DHS does its audit."
A Company Perspective
A speaker from one multinational chemical maker pointed out how broad the DHS definition of assets actually is — ranging from the COI production unit to the corporate security operations center, from local closed-circuit cameras and doors to the corporate enterprise management system and IT network, and from onsite uniformed guards to the corporate security team.
The same speaker described how the company managed the DHS inspectors' visit to one of its main sites. The day began with an initial overview of the firm's global security program, a tour of its security operations center, lunch with North American operations managers, a review of the customer qualification program, and an overview of its cyber program.
The company found the DHS inspectors to be open and honest, providing valuable feedback on the site security plan (SSP). However, they had physical security backgrounds and limited knowledge of the particular chemical sector. So, the inspectors benefited from the corporate review, he added.
The firm offered some general recommendations: A corporate review is essential and will greatly reduce the inspectors' time on site. The DHS should use the same SSP reviewer and inspectors for a company's multiple sites. It also should expand inspector training to cover the different sectors within the chemical industry.
For her part, secretary Napolitano told the summit that CFATS is a flexible, practical and collaborative program that plays a key role in enhancing the security and resilience of the country's chemical facilities and critical infrastructure. She also went on to emphasize the importance of cyber security — in addition to physical security measures — as a key part of any critical infrastructure security strategy.
(For more on the summit, see: http://community.ChemicalProcessing.com/content/napolitano-talks-cfats and http://community.ChemicalProcessing.com/content/cfats.)
CFATS and Cyber Security
The DHS RBPS guidance document devotes ten pages to cyber security, stressing that the measures, practices and metrics mentioned are just options, not mandatory. However, Andrew Ginter, chief security officer for Industrial Defender, Foxborough, Mass., believes they are very basic elements that any credible security plan really must address. "I think a site that ignores the guidance really will have trouble meeting the objectives of the CFATS regulation." But he also feels that a lack of specific guidance leaves a lot of room for interpretation.
At the same time, Ginter points out that the importance of cyber security can't be over-emphasized. CFATS cyber-security measures could help counter not just terrorist threats but the most common security incidents afflicting chemical sites: run-of-the-mill viruses, malware and Trojan infections propagated via USB flash-memory sticks.
"The most recent incident at a chemical site that springs to mind is a copy of Conficker [worm] that made it on to the control system via a USB stick in the hands of a contractor. Our people saw an unusual number of dropped packets on the control system firewall — presumably the worm calling in to its control server. We alerted the customer, who found the worm and found that it had propagated to a number of adjacent control computers as well. The customer shut down the affected systems and cleaned them out."
Host intrusion prevention system (HIPS) products — also called whitelisting or application control — can prevent such infestations. A HIPS checks that software is allowed to run on a computer. If unauthorized software — like the Conficker malware — installs itself through some vulnerability and then tries to run, the HIPS software refuses to launch it. Some HIPS products come with technology to disable USB mass-storage devices entirely, without disabling other kinds of USB devices.
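The warning sign in the incident Ginter describes, an unusual volume of dropped packets on the control-system firewall, can be turned into a simple detection rule. The following is an added example, not code from the article or from Industrial Defender; it assumes a hypothetical one-line-per-event firewall log format and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed control-system firewall log in a hypothetical "timestamp action src dst port"
# format: 10.10.1.20 plays the infected host calling out, 10.10.1.30 an ordinary host.
SAMPLE_LOG = """\
2010-07-12T08:00:05 ALLOW 10.10.1.20 10.10.2.5 502
2010-07-12T08:00:07 DROP 10.10.1.20 203.0.113.7 445
2010-07-12T08:00:09 DROP 10.10.1.20 198.51.100.9 445
2010-07-12T08:00:11 DROP 10.10.1.20 203.0.113.21 80
2010-07-12T08:00:14 DROP 10.10.1.20 192.0.2.44 445
2010-07-12T08:00:20 DROP 10.10.1.20 198.51.100.130 8080
2010-07-12T08:03:00 DROP 10.10.1.30 10.10.9.9 123
2010-07-12T08:45:00 DROP 10.10.1.30 10.10.9.9 123
this malformed line is skipped by the parser
"""
LINE_RE = re.compile(r"^(\S+) (ALLOW|DROP) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Parse log text into (timestamp, action, src, dst, port) tuples; bad lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, action, src, dst, port = m.groups()
            events.append((datetime.fromisoformat(ts), action, src, dst, int(port)))
    return events

def find_noisy_hosts(events, window=timedelta(minutes=5), min_drops=5, min_dsts=3):
    """Return {src: (drops, distinct dsts)} for hosts whose DROPs in one sliding window reach
    both thresholds; the distinct-destination test excludes a host that merely keeps failing
    to reach a single server (a misconfigured time source, say)."""
    drops = defaultdict(list)
    for ts, action, src, dst, _ in events:
        if action == "DROP":
            drops[src].append((ts, dst))
    alerts = {}
    for src, items in drops.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1   # slide the window forward past old drops
            span = items[start:end + 1]
            dsts = {d for _, d in span}
            if len(span) >= min_drops and len(dsts) >= min_dsts:
                best = alerts.get(src, (0, 0))
                alerts[src] = (max(best[0], len(span)), max(best[1], len(dsts)))
    return alerts
```

On the sample, only 10.10.1.20 is reported; the thresholds and window are starting points that a site would tune against its own firewall's normal drop rate.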
The cost of installing a HIPS is only a small part of what could be a substantial expense to implement the cyber-security aspects of CFATS.
"The problem with hardening the 'soft interior' of a control system is that hardening involves change," Ginter explains. "And, of course, controlling change is a very big deal in the chemical industry because of the need to keep the chemical process operating safely. Securing a control system component with patches, internal network segmentation, host firewalls, stopping unnecessary services, removing unnecessary software, installing anti-virus [AV], installing HIPS or even updating AV signatures regularly all involve change in the technology that is the heart of the control system. Anything you change has to be reviewed and tested for safety, and the cost of the reviews and testing increases drastically once you start making anything more than extremely small changes. Much of the time anything you do has to be reviewed and blessed by the control system vendor as well, if you want the vendor to continue supporting you."
On the other hand, he points out, an insecure system isn't safe either. "Microsoft stopped supporting Windows 2000 recently — many of our customers' sites are deciding right now whether they are going to spend money to upgrade their systems and retest them, or spend to more thoroughly segment their networks to make it harder for malware to propagate to and from these systems and retest that configuration, or to spend money to install other security like HIPS on those vulnerable systems, and retest that. This is the trade-off our customers struggle with every day."
According to Ryan Loughin, director, Petro-Chem & Energy Division, ADT Advanced Integration, Norristown, Pa., and CP's security blogger, the biggest concern he hears day-in and day-out from chemical companies affected by CFATS relates to cost. And the answer is by no means straightforward.
"So many factors go into the cost pot — for example, the geography of a site and its size. We talk about protecting the facility versus protecting the asset. Protecting the facility on a big Tier 1 site might involve monitoring five miles of perimeter fencing, for example. If you can't shrink the perimeter, then this becomes the most expensive scenario typically. On the other hand, at another similar-sized facility, the COI might be in a remote or segregated area within the site — in which case you could implement the perimeter around that asset and work your way out, with the level of security needed decreasing as you move further towards the main facility perimeter."
Relatively speaking, he says, the first scenario could cost $5 million to meet the RBPS, the second potentially $1 million.
Of course, smaller sites usually don't incur such costs. ADT has several clients that store hundreds of gas cylinders in warehouses on a small site. "We could cage up the warehouse and then work outwards as before to the perimeter. This might cost $50,000–$200,000 per site. However, [this adds up] if the client has 40 or 50 sites…," he notes.
Loughin also cautions that CFATS might well involve substantial ongoing costs. "For example, additional security personnel might be required. Additional perimeter lighting measures require additional ongoing power consumption. Also, the DHS is looking for a robust maintenance program and they have high expectations about the quality of these programs. As a company we are challenged with helping a covered facility not only reduce the capital cost but also in designing a system or program that will minimize the ongoing costs as well."
Overall Loughin believes that the DHS is working well with the industry and that having a successful dialogue between the two is vital to making the CFATS process as simple as possible. "DHS is definitely partnering with the industry: it wants common-sense, practical solutions after all."
Seán Ottewell is Chemical Processing's Editor at Large. You can e-mail him at firstname.lastname@example.org.