Security / Physical Security / Cyber Security

Plant Security Deserves More Attention

Government mandates and industry self interest are fostering progress

By Mark Rosenzweig, Editor in Chief

I've visited more than a few facilities in my time and, frequently, first impressions can be telling. For instance, it's often apparent from a cursory view how well a site is maintained and the quality of housekeeping. Rust-encrusted equipment and dust-covered steelwork scream out that corners are being cut.

Likewise, how access to a site is controlled can say a lot about how secure it is. At some facilities, I've simply driven in, parked, and then walked over to a building, all unsupervised, before I signed in at a reception desk; I easily could have gone elsewhere on the site. At other places, I've checked in at a guardhouse at the plant gate and been directed to walk or drive over to a certain building, unescorted again.

Sometimes the receptionist or guard just asked for my name, my company and the person I was there to see, not for any real identification.

Unfortunately, I continue to encounter too many facilities that could stand improvement in their maintenance and housekeeping and, more importantly, in security.

Some relatively recent CP surveys back up my impression about site security. In one poll a couple of years ago, nearly 40% of respondents rated the security of their sites as poor or very poor. And in a survey last year, almost 30% of respondents called the security of operator consoles in control rooms poor or very poor — and we all know the dangers that can pose.

In today's world a lax approach to security is indefensible, particularly at sites that handle hazardous chemicals. That's why the American Chemistry Council added a security code to the Responsible Care program mandated for all its member companies. That's also the underlying reason behind the new Chemical Facilities Anti-Terrorism Standards (CFATS) of the U.S. Department of Homeland Security's (DHS).

As "CFATS required over 36,000 sites handling specific chemicals of interest to complete a Top Screen. From this group, the DHS tentatively designated nearly 7,000 as 'high risk' chemical sites," noted a recent CP article, "Defuse CFATS Challenges." "Each of these had to submit a security vulnerability assessment. The DHS then assigned the sites to one of four tiers, based on the risk posed."

Affected facilities then must meet so-called Risk-Based Performance Standards (RBPS).

"The current 18 RBPS (19 counting the 'any additional' caveat that allows the DHS to add future standards) cover securing and monitoring the site, controlling access, coordinating emergency response and crisis management, training, recordkeeping, and a dozen other related topic areas. Each has graduated levels of performance expectations (metrics) applicable to one or more of the four tiers," explained that article.

Right now, the DHS is sending out letters that indicate final tier designation. The last of these letters should arrive at sites sometime this summer.

Once a facility receives its final tier designation, it must develop a Site Security Plan (SSP) that complies with the requirements of the particular tier. RBPS metrics drive the specifics of the SSP. The DHS must approve the SSP.

Developing a SSP undoubtedly will pose challenges at many facilities. First-time efforts of any kind often can seem daunting — in this case, sites must grapple with a host of issues about which they don't have much familiarity and expertise. For instance, the SSP demands lots of physical security information such as the kinds of access control measures, door hardware, camera types and lighting levels in various parts of the site, notes "Consider an Alternative Security Plan."

One obvious resource for know-how is local law enforcement. However, sites only can share security details with outsiders who are Chemical-terrorism Vulnerability Information (CVI) certified by the DHS. "In a survey of more than a dozen regulated facilities in rural areas of the U.S., none of the responding Sheriff's Departments was aware of the requirement for CVI training. As a result, nobody in those agencies has a CVI certificate that would have allowed the site and its consultant to discuss regulatory requirements or share detailed security-planning information… A review of the National Sheriff's Association Web site reveals no information on CFATS or CVI," that article reported.

At least most of us can understand physical security concerns and ways of addressing them. Cyber security raises a host of arcane issues. Indeed, many sites don't appreciate all their vulnerabilities and often make basic errors, cautions "Protect Your Plant." Check the tips in "Strengthen Your Cyber Security."

Sites must adjust to paying more attention to security. To help, CP's launched the Chemical Security Action Blog. After all, we're seeing just the beginning of what's bound to be an ongoing focus on enhanced security that likely will lead to even more stringent requirements.

Mark Rosenzweig is Chemical Processing's Editor in Chief. You can e-mail him at