The tragic events of September 11th and the days that followed changed how chemical facilities approach security.
No longer was physical security enough. Chemical companies developed stringent security measures to prevent three types of terror attacks, reports Scott Jensen, director of communications for the American Chemistry Council.
He explains, “Traditionally, people thought of protecting a chemical facility from direct attacks on the facility itself.”
This concern is valid, he adds. A direct attack or sabotage could expose people nearby to hazardous chemicals. The Environmental Protection Agency (EPA) estimates there are 15,000 facilities that produce, use or store potentially dangerous quantities of hazardous chemicals, with most plants in densely populated areas. The EPA also finds a single attack at half of the plants would affect 1,000 people, while a single attack at over 120 of these plants could affect one million people.
However, the aftermath of 9/11 added two new concerns. First, the tragedy raised awareness of preventing theft or diversion of chemicals that terrorists might use in an attack, such as ammonium nitrate or peroxides for an improvised explosive device (IED). It also cast a closer eye on the economic criticality of these facilities, where a terrorist attack could disrupt production and wreak economic havoc.
“There are some facilities that are more vulnerable to terrorist attack. They are among the few that make a certain material or substance, and that chemical has a critical use,” he says.
On the eve of the 20th anniversary of 9/11, the Cybersecurity & Infrastructure Security Agency (CISA) also warns of cyberattacks designed to disable chemical facilities. CISA has released a new webpage and fact sheet, “Chemical Facility Anti-Terrorism Standards (CFATS): Reporting Cyber Incidents,” to help high-risk CFATS facilities know how and when to report significant cyber incidents under the Risk-Based Performance Standard (RBPS) 8—Cyber and RBPS 15—Reporting of Significant Security Incidents.
The efforts are part of CISA’s response to the Colonial Pipeline cyberattack, which highlighted another way for terrorists to disrupt chemical operations. The ransomware attack shutdown the pipeline for five days and compromised the personal information of nearly 6,000 individuals. Cybersecurity concerns at chemical companies range from hijacks of critical systems to leaks of proprietary or sensitive personal information.
“In all terror risk areas, it’s important to stay vigilant,” Jensen stresses. “You need to operate from the perspective that the risk is constant. And you must collaborate with the proper authorities at the federal and local level to share information, train and drill with each other to keep your facility secure.”
Report Chemicals of Interest
Keeping hazardous chemicals out of the hands of those who may misuse them falls on facility owners and operators, employees, and emergency responders.
The Department of Homeland Security (DHS) Chemical Facility Anti-Terrorism Standards (CFATS) program works with these entities to harden security. CFATS identifies and regulates high-risk chemical facilities to ensure they enact security measures that reduce terrorism risks.
Appendix A of the CFATS regulation (6 CFR Part 27) lists over 300 chemicals of interest (COI) and their respective screening threshold quantities (STQ) and concentrations. The organization categorizes COI under three main security issues:
- Release: Toxic, flammable, or explosive chemicals or materials that can be released at a facility.
- Theft or Diversion: Chemicals or materials that, if stolen or diverted, terrorists can convert into weapons using simple chemistry, equipment, or techniques.
- Sabotage: Chemicals or materials that mix with readily available materials for acts of terror.
Companies must report any COI that meets or exceeds the STQ and concentration to CISA.
Steps for High-Risk Companies
All facilities with COI must complete Chemical Terrorism Vulnerability (CSV) training, register for a Chemical Security Assessment Tool (CSAT), and submit a Top Screen (an online survey available through the CSAT). Companies can work with agencies such as EPA and OSHA for help with the Top Screen process, Jensen adds.
“CFATS uses a formula to determine risk,” Jensen says. “They look at materials on site, their amounts, and where the facility fits in a potential threat portfolio. They also consider if the facility is close to densely populated areas.”
If a company meets CFATS high-risk criteria, Jensen reports the program requires it to develop security protocols that meet a set of risk-based performance standards. “They don’t dictate the security measures that companies put in place,” he says. “They set a standard for different threat scenarios and then companies must put together a security plan and implement measures that meet these standards.”
The CFATS process goes as follows:
- CISA reviews the Top-Screen using a risk-based method to determine if a facility is “high risk.” If they deem the facility “high-risk,” the company receives a Tier of 1, 2, 3, or 4 rating, with Tier 1 being the highest risk.
- The program requires tiered facilities to submit a Security Vulnerability Assessment (SVA) and a Site Security Plan (SSP) or an Alternative Security Plan (ASP) that meets the CFATS Risk-Based Performance Standards (RBPS). Tier 3 and 4 facilities can submit an Expedited Approval Program (EAP) SSP instead of an SSP or ASP.
- The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities—perimeter security, access control, personnel security, cyber security, and more—tailored to their tier level and unique considerations.
- CISA will review submitted documentation and determine whether it meets CFATS regulation requirements. The facility receives a Letter of Authorization if efforts meet requirements.
- The organization then schedules an Authorization Inspection to verify the accuracy of the content listed in the security plan and that existing and planned measures satisfy risk standard requirements.
- Once facilities compete security work, they can expect recurring Compliance Inspections to ensure they continue to adhere to approved security measures.
Even if CFATS labels a company as low risk, Jensen notes companies can compare their security efforts to CFATS performance-based standards. “CFATS will work with facility operators to help them manage their vulnerabilities,” he says. “They won’t provide specific recommendations but will share their performance-based standards.”
The first security measure companies often consider is perimeter fencing. The goal is to keep bad actors out so they cannot steal or use chemicals for IEDs, chemical releases and more. But there are other best practices that enhance security at chemical facilities, Jensen adds.
“Physical security is part of it. You want to beef up your perimeter fencing, add security cameras to monitor the perimeter, and access control systems,” he says. “But you also can reduce chemical inventories and conceal chemicals within the facility, screen people coming into and leaving the facility, and restrict access to sensitive areas.”
Drone capabilities also boost security, he adds. Chemical facilities often use drones to monitor the perimeter. But Jensen warns they also pose a threat. “Terrorists might use a drone to attack a facility or to surveil it,” he says, so companies must take steps to protect against that.
He notes the Federal Aviation Authority (FAA) has struggled to pass a ruling that protects critical infrastructure from unauthorized drone use. “That is something we’ve been urging the FAA to complete,” he says. “We must address these security issues.”
Outside Help for Lower-Risk Facilities
Not every facility qualifies as high risk under the CFATS program. But help is available for those entities as well.
The DHS has created the Chemical Sector Coordinating Council to advance the physical and cybersecurity and emergency preparedness of chemical company infrastructure. Council charters in communities across the U.S. can assist chemical facilities of all sizes with security.
“These are peer groups where people can talk about security issues and coordinate efforts,” he says. “These groups have members from companies of varying sizes that can walk others through security issues.”
ACC members also can take part in the Responsible Care program, which strives to boost the industry’s commitment to employee, community and environmental safety. This program can be a valuable resource to chemical companies of all sizes, Jensen says.
“There is a component of Responsible Care called Responsible Care Security Code,” he says. “It helps chemical companies tap into a peer group to help them with vulnerability assessments, security plans, and regulatory filings.”
The best approach for chemical companies of all sizes, he says, is to work with local, state and federal entities. “Most local municipalities and counties have programs,” he says. “You should at least coordinate with them.”
There is an overlap between security and safety, he adds. Security is about intentional acts and safety covers accidents. Jensen reports the government regulates each differently. “All security efforts should include working with EPA-created entities called Local Emergency Planning Committees,” he says. “There many LEPCs across the United States. They help with emergency coordination and planning and can be a great resource.”
Future for CFATS
CFATS, in partnership with ACC, has worked since 9/11 to improve security at chemical facilities and protect them from terrorist threats. But Congress still considers CFATS an interim program. To keep it going, Congress must periodically reauthorize the program.
“CFATS is up for reauthorization,” Jensen says. “If Congress does not reauthorize it, DHS will lose its authority to regulate chemical security. This is an important program, and I would encourage chemical companies to contact members of Congress and let them know how this program raises the bar on security at chemical facilities. It is something we must preserve and maintain.”