CFATS: How to meet the new antiterrorism standards

DHS compliance: practical steps

24 March 2008 00:00  [Source: ICB]

Companies can better manage the new Chemical Facility Anti-Terrorism Standards (CFATS) by proactively securing information and assessing site vulnerability

Consultant's corner
Fabrice Lebourgeois and Neal Drawas/Marsh

SIX YEARS after the 9/11 attacks and 12 years on from the Oklahoma City bombing, the risk of a terrorist attack against chemical facilities and other critical US infrastructure remains a serious homeland security issue.

Many chemical companies have proactively set their own security standards and are working closely with federal, state, and local government agencies. Administration officials have often praised the industry's work in the area. Organizations such as the American Chemistry Council have led the way, developing a voluntary security regimen under the Responsible Care program. Its 130 members have invested nearly $5bn (€3.2bn) since 2001 to enhance security at their facilities.

However, concerns about chemical security extend well beyond the confines of chemical manufacturers to a variety of chemical users and distributors, which may not be fully aware of the potential terrorist danger certain chemicals pose and may not have taken appropriate security measures.

The result is the Chemical Facility Anti-Terrorism Standards (CFATS) regulatory framework, put forth last year by the Department of Homeland Security (DHS) by authorization of Congress. CFATS imposes a new compliance burden, but companies can better manage that drain on resources by proactively taking practical steps to secure the necessary information and assess their site's vulnerability.

NOW IN FORCE

All provisions of CFATS became operative last November, when the DHS published the Chemicals of Interest (COI) list, also referred to as "Appendix A." Each regulated facility had to complete a preliminary screening assessment by January 22. This "Top Screen" will be used by the DHS to determine the level of risk associated with the facility. Based on the Top Screen information, the DHS will classify a regulated facility into one of four risk tiers.

Approximately 40,000 facilities submitted Top Screen information by the deadline, and the DHS is now in the process of determining the tier ranking of each. Those facilities with high-risk rankings will be asked to provide Site Vulnerability Assessment (SVA) information within 90 days of receiving the DHS request.

Regardless of tier ranking, all regulated facilities must comply with statutory requirements for the submission and protection of information developed under CFATS. These include: vulnerability assessments, site security plans, and other security-related information, records, and documents, which will be protected from public disclosure.

CFATS defines this sensitive information as Chemical-terrorism Vulnerability Information (CVI). Regulated facilities must develop a plan and determine which information should be classified as Sensitive But Unclassified (SBU) in accordance with the DHS' document control procedures.

While regulated facilities await notification from the DHS of their tier classification and request for SVA information, those anticipating that they might be in the high-risk category should assess their existing security plans in light of the SVA requirements and begin to develop their CVI plans. This will enable them to be in compliance faster, as well as to ensure that the measures taken meet the goals of the DHS.

WHAT TO DO AND WHEN TO DO IT

The following are preparatory suggestions for regulated facilities.

Certain questions should be considered when instituting a CVI program. First: what is the overarching driving force behind your program? Are you merely trying to comply with the basic DHS requirements, or will you be using these efforts to classify and thereby restrict public access to a body of sensitive information? Clarifying this up-front will help colleagues identify and control access to these documents.

Prior to any actual document identification, the facility should identify who is going to be the CVI director and who will have access to CVI sensitive information and documents. These individuals should be properly trained with respect to the document security requirements, and they should be provided with the necessary document storage equipment and systems.

The CVI requirements apply to all senior managers and members of the board of directors, and they govern the control of paper documents as well as electronic information. The DHS training is straightforward and should be incorporated into compliance training for the facility's CVI plan. A printed Certificate of Completion must be provided to each participant, and copies should be maintained by the designated CVI Director.

Next is identifying the documents requiring CVI classification. The DHS has delineated 22 such documents. However, this list is expandable, as it includes derivative documents and "other," as designated by the CVI Director. These documents can come from a broad range of departments such as purchasing, research and development, health and safety, or operations.

One approach would be to identify any item or process that touches that document or information, and then to look at all of the upstream or downstream processes and documentation associated with it. Any information that can identify types of chemicals, operations, shipping locations, security procedures, emergency procedures, or facility vulnerabilities, can be deemed acceptable for consideration as CVI.

As of January 22, with the submittal of the Top Screen, all regulated facilities have documents that are classified as "sensitive," and they must be secured in accordance with the facility CVI plan.

At the same time, regulated facilities, particularly those that suspect they will be classified as Tier 1 or 2, should begin the process of preparing an SVA the DHS methodologies may differ from those of the organization and may necessitate gathering and organizing various component plans and procedures, including: site layout drawings and plans with details of property lines ingress/egress points traffic flow and locations of major structures and process equipment. A comprehensive schedule of the Chemicals of Interest, the relevant inventories, locations and methods of transportation is also critical and constitutes another prerequisite for a DHS-approved SVA study.

ASSET CHARACTERIZATION

For the DHS' SVA, "Asset Characterization" data is key to recognizing the terrorist targets and potential threats at a facility. Certainly, if the site has conducted other SVAs, regardless of the methodology employed, those studies will have important Asset Characterization data. However, if an SVA has not been undertaken, a schedule of assets will need to be developed to identify critical plant equipment, structures and processes, critical functions, and interdependencies. The schedule of assets should also include infrastructure and utilities, such as steam systems, water systems and electricity grids and the inherent dependencies of the plant upon them, as well as whether the hardware is on or off-site.

Information on the economic criticality of the facility and its research, storage, or production processes will be needed in the consequence analysis portion of the SVA study. This may be expressed several ways, but optimally, it can be represented in the site's annual financial income or some similar dollar value. Inclusive in the impact recognition will be the effect on humans, both inside and outside the facility fence line. Local and regional impacts to communities and surrounding natural resources will have to be delineated as well.

DATA GATHERING

Prior to beginning the SVA process, facilities should gather as much data as possible regarding the architectural, electronic and operational physical security measures in place for each participating site. Include any specific measures in place to secure critical on-site assets being assessed as part of this process (for example bollards around a particular asset to prevent accidental or intentional vehicle ramming fencing, or lighting).

Facilities should simultaneously gather information concerning the cyber security measures they have in place to protect their critical IT-based systems. IT and network systems in place at a site to monitor, support, or control the site's critical chemical assets will also be assessed as part of the SVA process.

The site's existing countermeasures have a direct impact on the facility's ability to mitigate plausible terrorist scenarios. Conducting an evaluation of their effectiveness or lack thereof is one of the later and more critical steps of the SVA process.

Information gathered in preparation of this evaluation should include, but not be limited to, architectural plans for the site and buildings, as-built drawings for electronic security systems such as CCTV systems, card access systems, and intrusion detection systems, maintenance and repair records for these systems, standard operating procedures pertaining to physical and cyber security, a breakdown of the security staff, all information pertaining to security-related training (for example topics covered, training material, or regularity), the various posts security personnel are assigned to and all supporting documentation that sets forth their day-to-day duties, as well as duties associated with elevated threat conditions.

Drawings that pertain to plant equipment that mitigates fires, explosions, spills and toxic gas releases would also be helpful. Crisis management, disaster recovery, and emergency response plans that point toward prevention activities, reaction and mitigation capabilities, as well as documentation listing the regularity of any drills and exercises in place to support these efforts should be included in the consequence mitigation analysis.

The DHS regulations cover a wide range of organizations that manufacture, use, store, or distribute chemicals, and all will be at differing stages of preparedness for compliance with the new rules.

Given the plans, processes, and documentation needed, organizations with facilities that may be deemed high-risk should begin to inform employees of the possible actions to be taken, ensure the proper resources are in place, and assess current security measures against DHS requirements. This will enable more effective implementation of, and compliance with, CVI and SVA requirements and ensure that facilities are better prepared to face any number of security challenges.

Fabrice Lebourgeois, managing director, is the national practice leader for Marsh's chemicals practice. He is based in Philadelphia, Pennsylvania. Lebourgeois' experience includes overseeing mergers and acquisition due-diligence projects, identifying emerging-risk issues in the chemical industry, and developing innovative solutions to reduce clients' cost of risk. He is currently responsible for the development, assessment, and oversight of chemicals client relationships and industry growth strategy.

Neal Drawas, managing director of the environmental, health and safety practice at Marsh Risk Consulting Practice, is senior project manager, performing risk-mitigation assessments for commercial and industrial clients. His experience includes examining existing programs to determine appropriate readiness levels and adequacy, procedural and systems development and implementation, training, and supplemental support in developing practical solutions for environmental, employee and product safety, security and business continuity.

ICIS Copyright © Reed Business Information 2009

For the latest chemical news, data and analysis that directly impacts your business sign up for a free trial to ICIS news - the breaking online news service for the global chemical industry.

Get the facts and analysis behind the headlines from our market leading weekly magazine: sign up to a free trial to ICIS Chemical Business.