We frequently hear how things changed after 9/11 and nowhere did they change more than in the security industry. One of the important lessons we learned from the 19 terrorists who attacked us that morning was that we no longer had to just worry about bombs being brought onto our shores. Instead, the nation saw how a common airliner could be turned into a massive, deadly explosive. It taught us what we already had an inkling of, when in April 1995, homegrown terrorists blew up the Oklahoma City federal building with a nitrogen-based (from fertilizer) blast. We learned that terrorists do not need to bring bombs into our country; we already have potentially lethal explosives sitting in airports, chemical plants and manufacturing facilities throughout the nation.
Fortunately, Congress and the Department of Homeland Security (DHS) recognized the need to identify potentially dangerous chemicals and place standards on facilities where they are made, used and stored. Just as the U.S. Environmental Protection Agency (EPA) has required all water districts serving more than 3,300 people to implement increased security measures, so has Congress put in place legislation that directs chemical facilities to undergo a series of risk assessments aimed at identifying potential terrorist targets.
According to DHS, the Chemical Facility Anti-Terrorism Standard (CFATS) was created in 2006 to establish security standards for facilities considered to be at high risk. CFATS defines security requirements based on a list of about 323 chemicals, called COIs or chemicals of interest. CFATS does not just affect the chemical or petrochemical industries. It also includes sectors such as chemical manufacturing, storage and distribution, energy and utilities, agriculture and food, paints and coatings, explosives, mining, electronics, plastics and healthcare.
CFATS does not apply to facilities under the jurisdiction of the Maritime Transportation Security Act (MTSA); Department of Defense owned or operated facilities or those regulated by the Nuclear Regulatory Commission. Public water systems and wastewater treatment facilities fall under EPA regulations.
The DHS set thresholds for each of the COIs. The facilities that use or store chemicals above those thresholds were required to submit a "top screen" to the department. So far, DHS has indicated that about 32,000 facilities submitted top screens. Of those, about 7,000 were notified that they were required to move to the second step – a Security Vulnerability Assessment (SVA).
Facilities were placed into categories after the top screen analyzed the type, quantity, storage, manufacturing and handling of each COI. The SVA then took a more in-depth look at each facility and its existing security and vulnerabilities to come up with a final ranking based on four tiers. Facilities with the highest level of COIs and vulnerability combined were placed into tier one. Those with the lowest levels of chemicals and threats were put in tier four.
According to DHS, the more than 6,000 facilities were divided as follows:
Tier 1 – 140
Tier 2 – 681
Tier 3 – 1,613
Tier 4 – 3,943
DHS considers its criteria for tier rankings to be classified and does not disclose what elements make a facility a tier one. The rankings appear to be based on a combination of factors from the top screen and SVA submissions. Characteristics obviously change from site to site, but tier ratings appear to be based on a combination of COI type and amount, proximity to a population center and the recognition of the COI by the general public.
Letters to tier one facilities were sent out on May 15, 2009 notifying them of their final ranking and the requirement to submit a Site-Security Plan (SSP) in the next 120 days. Letters to the next three tiers are expected to be mailed soon.
The DHS letter sent out to each facility will likely outline specific issues that must be covered in the SSP. This is to ensure that facilities develop and implement a security plan appropriate for the facility's relative risk. The guide for developing the plan is covered in a set of 18 published Risk-Based Performance Standards (RBPS) and each tier has a specific set of standards to meet. Putting together an SSP will be a challenging task for most facilities. DHS estimates a minimum of 200 man hours are needed for the submission of each plan. The good news is facilities will have some flexibility in determining how to meet the RBPS.
RBPS cover a variety of areas including perimeter security, securing set assets, screening, as well as access control and monitoring. Every facility must submit an SSP online and describe how it will meet the requirement of each RBPS including a description of equipment, processes and procedures.
Some integrators experienced in petro-chemical facility security have been following CFATS from its inception. These integrators can help petro-chemical facilities both with their SSP submission and the implementation by providing solutions for specific tier rankings and each RBPS. Many petrochemical facilities have safety officers but some do not have personnel specifically covering security issues, so the safety officer has to fill in the gaps. To help them with the process, these facilities need to look for a security integrator with the following qualities:
- An extensive background in chemical plant security with an understanding of the industry's needs and complexities.
- A knowledge and understanding of CFATS. The integrator needs to know the background and have a good understanding of tiering and RBPS requirements.
- Chemical-terrorism Vulnerability Information certification (CVI) – DHS has implemented restrictions to make sure that the information facilities have provided the department does not fall into public hands. An integrator with CVI certification has been pre-screened and instructed on what information needs to be kept private and how to keep it from getting into the public arena.
- Safety Act Certification – This means that the integrator's electronic security services have been certified by the DHS to limit the legal liability of the end-user if a terrorist act should occur.
An integrator should also be aware of the latest technology available to meet the specific security needs of chemical plants. Perimeter security is the first RBPS and integrators need to be highly educated about the latest in intrusion detection including fiber-based fencing, video analytics and radar detection. Access control is another key element in plant security and the integrator should know the latest in access cards and biometric security. Integrators also need to have knowledge about the basics, including K-rated fences and vehicle barriers that can withstand a hit from a 15,000-pound vehicle at 30, 40 & 50 miles per hour.
Another key element to selecting an integrator is to look for one that will examine a facility's security goals and challenges and come back with cost-effective solutions based on the integrator's knowledge and background in security and specifically chemical facility security. A design-build approach gives the integrator the freedom to put together the best and most efficient system available which usually saves the end-user money and time.