Closing the gap on chemical plant security
This year, the industry plans to synchronize efforts in facility and IT security. Through the Chemical Sector Cybersecurity Program and CIDX, efforts are also underway to help ensure that chemical companies' process-control and IT departments are on the same page when it comes to security).
Currently, though, only some of the thousands of chemical processing and storage facilities in the United States are members of the trade groups spearheading these efforts. "At this point, it's safe to say that most chemical plants haven't even done site vulnerability assessments. They're behind the curve," says Richard Sem, a 34-year security veteran and former senior Pinkerton executive who now runs his own consulting firm in Plainfield, Ill. Many think, "It's not going to happen here," and don't see security as a priority, he says.
For some companies, the problem may not be assessment, but the next, and most difficult step: implementation. Some plant managers are dragging their feet due to budgetary and internal political issues, Sem says. An average- size chemical plant can easily spend from hundreds of thousands to millions of dollars on site security. Companies should realize that they don't have to spend a fortune to secure their facilities, he says. "Generally, the most critical business processes should determine how to prioritize the intensity and focus of security efforts," says Troy Smith, senior vice president and practice leader for IT Security with the risk-assessment specialists, Marsh Inc., New York.
A mid-November report by the television news magazine, "60 Minutes," found significant security loopholes at chemical plants near New York, Los Angeles, Chicago and Houston. At one facility outside of Pittsburgh, Pa., owned by the Neville Chemical Co., reporters found an open gate near an anhydrous ammonia facility and no particular protection for a boron trifluoride storage unit. More disturbing, perhaps, was that until someone at the plant called the police, who escorted the reporters off the site and cited them for trespassing, employees didn't take steps to remove them from the premises.
Neville Chemical was in a situation that many chemical companies may now find themselves in. It had completed a site vulnerability assessment that found weaknesses in perimeter security, with unlocked gates in need of repair along the rail line that runs through the plant site.
The company had already taken steps to improve security, and had an employee training program in place, says Jack Ferguson, vice president of manufacturing and plant manager. After Sept. 11, 2001, Neville had decreased the maximum quantity of boron trifluoride onsite by 50%, and the average quantity onsite by 65%. It had also improved perimeter security, negotiated with the railroad, developed a plan and put out design bids for the gate-repair work. "New gates were not the answer," Ferguson says. "We needed new fences encompassing a rail spur."
Once it found that track repairs were also needed, Neville applied for funding from the Federal Rail Administration and decided to postpone the repair work, as chief operating officer Thomas McNight explained in a letter to "60 Minutes'" parent network, CBS. When the company learned that funding would not be granted, it decided to go ahead with the repairs anyway before the "visitors" arrived. Neville installed the gates in November, Ferguson says, and has also completed plans for work required to meet Coast Guard regulations for waterfront facility security. If they hadn't recognized the "60 Minutes" crew, he says, staff would have reacted right away.
Ferguson wouldn't comment on economic pressures. "Security measures have to fit plant location, raw materials and products. There can't be a 'one size fits all' approach," he says.
In the mock drill and exercises shown here, participants acted out a WMD scenario involving chemicals. These drills were a part of TOPOFF2, an extensive emergency response program held in Seattle and Chicago last year. Since Sept. 11, 2001, many chemical companies have improved their onsite response and coordinated efforts with local responders.
Doing the right thing
However, others believe that the industry can learn some valuable lessons from the report. For one thing, more companies need to move from an emphasis on response to an approach that includes deterrence, Sem says. The first deterrent, and the most powerful and inexpensive solution, is employee awareness training.
Other obvious steps are ensuring that gates are locked and well-lit, and that outsiders are not permitted onsite or into sensitive areas. "I often test security awareness by trying to gain access to control rooms," Sem says. "In some cases, until staff have been adequately sensitized and trained, I've been allowed to walk right in without question."
Lighting shouldn't be neglected, either. It's usually fine near operating areas, Sem says, but can be quite poor along fence lines. Technology can also help. Sem often recommends closed-circuit TV monitors with good motion-detection capabilities. "CCTV makes intruders worry they're being watched and greatly expands the range of security officers. Instead of having 10 monitor a site, you only need one or two."
The human factor
"The threats are internal, not external, and can play havoc with systems, like when a disgruntled employee changes a process recipe," says Marsh's Smith.
Security requires looking more closely into hiring and training practices. "Companies are getting much better on this front, particularly in contractor hiring, which had been a real Achilles' heel two years ago", Sem says.
However, there have been cases in which companies may have hired unpredictable workers. Last month, for example, a contract security guard at a BASF ammonia facility in Freeport, Texas, claimed that he had been shot by a foreign intruder in a pickup truck who had been photographing the facility.
Local police are still investigating the case, which made headlines and raised public concerns about chemical plant safety. "We haven't ruled anything out, and are awaiting forensics analysis and ballistics test results," says Freeport police chief Henrietta Gonzalez. However, the guard failed a polygraph test administered by the FBI, and two weeks later, he was arrested on misdemeanor charges related to domestic violence: threatening a woman and trying to prevent her from calling 911.
Earlier last month, Pilot Chemical Co. discovered that a senior foreman who had worked at its Houston plant for over 20 years and had an exemplary work record was a fugitive from California with a burglary record. Most companies do background checks, and more than half do criminal record checks on potential hires, but some may only do them for their local area, Sem adds.
Overall, many chemical plants are making progress on the long, hard road to improved facility security. Proactive companies and members of ACC are "well ahead of the curve," says Marsh's Salmans, and the industry is shifting its focus from crisis management to critical incident prevention.
In addition to employee training, threat analyses and vulnerability assessments, priorities now, Salmans says, are optimizing plant emergency operation plans and integrating them with local emergency services. "Instead of depending solely on the government, each plant, post-9/11, needs to be independent to some degree," he says. "That need wasn't there in the past."
An area to scrutinize is implementation, where it's easiest for a security program to fall through the cracks, Sem says. "The lowhanging fruit, like perimeter fences, awareness training and lighting, can be addressed easily enough, but longer-term fixes can hit budgetary walls as companies move from crisis to crisis." Implementation needs a budget and management support.
Third-party verification can be extremely helpful in vetting site assessments and implementations. Currently, the Responsible Care Code specifies that companies can have local law enforcement and fire chiefs look at facility plans. They may be very familiar with the emergency response aspects of a site security plan, but they may not always be the best choice when determining other security strategies or assessing investments in equipment. "Law enforcement and security don't always mean exactly the same thing," Sem says.
Management buy-in is another critical factor for assuring a successful security plan. In particular, companies need to ensure that security, like environmental health and safety, is an integral part of their management of change program, Sem says, so that when processes, equipment, and business practices change, security will still be optimized.
Need to look offshore