One of the solutions proposed by SOCMA is an editable Top Screen through which companies could tell the DHS what the new chemical is and how they will handle its security on site. Another idea is a notice of limited modification — a detailed description of new chemicals coming on site.
"DHS is certainly listening to this and we might see changes coming down the pipe, but what we haven't seen so far is proper cooperation between the DHS and the industry in order to reduce the burden of Top Screens."
SOCMA, other trade organizations and operating companies put their concerns to the DHS in early July in Baltimore, Md., at a specially convened chemical sector security summit attended by DHS secretary Janet Napolitano.
Here SOCMA and others outlined their concerns about credentialing and its cost burden. The issue of discretion with PSP also was raised. "The point about discretion is a 'Catch 22,'" states Kennedy. "Under the risk based performance measures (RBPM), operators set the measures and then these get graded when the DHS does its audit."
A Company Perspective
A speaker from one multinational chemical maker pointed out how broad the DHS definition of assets actually is — ranging from the COI production unit to the corporate security operations center, from local closed-circuit cameras and doors to the corporate enterprise management system and IT network, and from onsite uniformed guards to the corporate security team.
The same speaker described how the company managed the DHS inspectors' visit to one of its main sites. The day began with an initial overview of the firm's global security program, a tour of its security operations center, lunch with North American operations managers, a review of the customer qualification program, and an overview of its cyber program.
The company found the DHS inspectors to be open and honest, providing valuable feedback on the site security plan (SSP). However, they had physical security backgrounds and limited knowledge of the particular chemical sector. So, the inspectors benefited from the corporate review, he added.
The firm offered some general recommendations: A corporate review is essential and will greatly reduce the inspectors' time on site. The DHS should use the same SSP reviewer and inspectors for a company's multiple sites. It also should expand inspector training to cover the different sectors within the chemical industry.
For her part, secretary Napolitano told the summit that CFATS is a flexible, practical and collaborative program that plays a key role in enhancing the security and resilience of the country's chemical facilities and critical infrastructure. She also went on to emphasize the importance of cyber security — in addition to physical security measures — as a key part of any critical infrastructure security strategy.
(For more on the summit, see: http://community.ChemicalProcessing.com/content/napolitano-talks-cfats and http://community.ChemicalProcessing.com/content/cfats.)
CFATS and Cyber Security
The DHS RBPS guidance document devotes ten pages to cyber security, stressing that the measures, practices and metrics mentioned are just options, not mandatory. However, Andrew Ginter, chief security officer for Industrial Defender, Foxborough, Mass., believes they are very basic elements that any credible security plan really must address. "I think a site that ignores the guidance really will have trouble meeting the objectives of the CFATS regulation." But he also feels that a lack of specific guidance leaves a lot of room for interpretation.
At the same time, Ginter points out that the importance of cyber security can't be over-emphasized. CFATS cyber-security measures could help counter not just terrorist threats but the most common security incidents afflicting chemical sites: run-of-the-mill viruses, malware and Trojan infections propagated via USB flash-memory sticks.