Over the last couple of decades, the safety, well being and protection of people who work in, and live around, refineries and chemical facilities has been a priority. The Chemical Safety Board (CSB) has investigated hundreds of blasts, explosions and other incidents to determine their root causes. During this time, internal threats have been thoroughly evaluated and studied, process safety management (PSM) standards have been improved, and investments in protective equipment, devices and buildings have been made. As a result, the safety inside chemical facilities has improved dramatically over the years. More recently, the vulnerabilities from external threats to high-risk chemical facilities and refineries have been emphasised and investments have been (and continue to be) made accordingly. Often, external threats intended by ill-willed individuals or groups can be more illusive and, therefore, difficult to defend against. However, from a physical security standpoint, there are best practices from other sectors, such as government facilities and airports, that should be evaluated. Large investments in high-risk targets to deter or mitigate incidents have been made and have proven effective. From a corporate standpoint, investments in security are often vying for their share of capital against other profit
centre divisions that can quantify actual returns on such investments. If the threats are not well-defined or understood, investments can be difficult to justify. However, in today’s climate, ensuring that high-risk chemical facilities are able to operate without incidents caused by external threats often requires investments in various layers. Keeping a facility protected from a threat that is constantly adaptive comes at a cost. Although safety inside chemical plants is better today than two decades ago, external security threats to plants cannot make such claims. Chemical security background Shortly following the 11 September 2001 terrorist attacks, the Nuclear Regulatory Commission (NRC) instituted a mandate requiring all nuclear facilities to be able to defend themselves against a ground assault. To this day, when viewing the exterior of any nuclear facility, one can see ballistic guard buildings surrounding its parameter. This sight alone is a deterrent. It was determined that the risks associated with a successful attack on a nuclear facility would have dramatic adverse and regional ramifications, which thus justified the investment. In 2006, the Council on Foreign Relations flagged chemical plants as targets for terrorists.1 A report identified
two main threats to chemical plants: direct attack or sabotage, which could expose the surrounding population to hazardous chemicals; or theft of chemicals, which could provide terrorists with a weapon for use in a future attack. At that time, it was determined that attacks on chemical facilities in the US would have the potential to affect thousands, and possibly millions, of people. In addition to the human cost, an attack on a chemical plant could send shockwaves through the US economy. Many chemical plants and refineries are located near ports or major highways. Therefore, an attack could disrupt the flow of commerce through those areas. Later that year, the US Congress mandated that ‘high-risk’ chemical facilities develop and implement security plans to guard against the possibility of terrorism. Today, various federal agencies and departments are charged with overseeing chemical security. The US Department of Homeland Security (DHS) has oversight of Chemical Facility Anti-Terrorism Standards (CFATS) and the Maritime Transpiration Security Act (MTSA). The US Department of Transportation (DOT) under HM-232 oversees Security of Hazardous Materials Transported in Commerce, and the Transportation Security Administration (TSA) Rail Security Rule applies to facilities that ship/receive certain classes and quantities of ‘rail security sensitive materials’ (RSSMs).
Authorised by Congress in 2007, CFATS was formed under the direction of the DHS to develop a dynamic multi-tiered risk assessment process and identify high-risk facilities to meet and maintain performance-based security standards appropriate to the facilities and the risks they pose. Many are under the mistaken impression that CFATS is a chemical manufacturers’ regulation. However, it is a regulation that covers facilities that not only manufacturer but also uses chemicals. CFATS jurisdiction is for facilities that use, manufacture, store or handle specific quantities of approximately 322 chemicals that the DHS has identified as being extremely dangerous. Affected industry sectors include chemical manufacturing, storage and distribution, and energy and utilities. These are named ‘chemicals of interest’ (COI) and are listed in Appendix A of the regulation. Chemical security under the Trump administration Although the Trump administration has reduced some regulatory requirements from a US Environmental Protection Agency (EPA) standpoint, for chemical manufactures, there appears to be a renewed focus on chemical security. In late 2016, the DHS revamped its online chemical security assessment tool (CSAT), which captures chemical security related information from over 38 000 facilities nationwide. Historically, approximately 10% of these facilities have been regulated by the DHS through its security focused risk-based performance standards. The DHS now expects all facilities that previously submitted their information into CSAT (from 2008 through 2016) to resubmit the information using a new online tool called CSAT 2.0. In fact, the DHS has been sending notices through its databases to these 38 000 facilities on a rolling basis
since early 2017, and will continue sending these notices out this year. Additionally, the DHS is coordinating its database with both the databases of the US EPA and Occupational Safety & Health Administration (OSHA) to identify and notify other potential industrial and commercial facilities, which may be subject to CFATS, but had not previously submitted their facility information to the DHS. As per the October 2017 CFATS update, DHS has received nearly 80 000 top-screen submissions from nearly 40 000 unique facilities. The CFATS programme currently covers 3492 facilities, of which 2766 have approved security plans and 2807 have had compliance inspections.
Physical security A key component of CFATS is a site security plan (SSP). In order to derive an SSP, a security vulnerability assessment (SVA) is carried out to assess everything from physical security, access control, loss prevention/material control, crises management, policies and procedures, information/cyber security, etc. These points are identified by the SSP, which then establishes countermeasures. In evaluating countermeasures to each of its vulnerabilities, the following should be considered: Deterrence: reduce possible attacks, making a ‘high-risk’ target less obvious and/or inaccessible. Delay: make attacks more difficult and slowing time for detection and response. Detection: identify attacks before or during the action and deploy appropriate response.
These guidelines apply whether one is planning to defend against a sophisticated cyber attack or a physical attack by one or more individuals. Although there are numerous elements and sections to an SSP that are of equal importance, in light of recent incidences, this article intends to focus on physical security and evaluate practical countermeasures to such high-risk facilities.
Mitigating obvious vulnerabilities There is a concept in process safety called ‘layers of protection’, which is also applicable in physical security. Such layers provide concentric rings of security, each of which are designed to deter, delay and detect, as well as mitigate the severity of an undesirable event. By preventing penetration beyond the first ring of protection, the damaging effects to life and property can be lessened or mitigated. Therefore, the logical extension is to mitigate any threats and prevent any penetration beyond the physical parameter of a facility. The cost/benefit analysis by the NRC revealed that investments were justified to heavily defend the parameters of nuclear facilities. Key access areas are fortified with anti-truck defences and any breech from the parameter of the facility is handled from two different guard posts in strategically stationed blast/ballistic resistant buildings. There are currently 61 commercially-operating nuclear power plants with 99 reactors in 30 US states. This is a far more manageable universe than the 3492 facilities covered by CFATS. Nonetheless, there are practical elements that should be considered in an SSP, which would not only
effectively defend an attack, but also psychologically deter or prevent one in the first place. To defend against an outside intruder effectively, onemust understand the mindset, methods and tools/tactics that are commonly used, and plan accordingly. It is important to realise that critical information is readily available from public sources, particularly the internet, which can provide the unintended consequence of offering valuable clues to criminals or terrorists. A simple understanding of the COI, and knowing the companies that manufacture or use such chemicals, may assist in narrowing the scope for those looking to inflict harm. It is important that any SVA considers an objective visual assessment from public roads surrounding such facilities, as well as a Google Maps view of the plant. This basic assessment can provide potential targets and connect dots for helping terrorists on mapping out the weakest line of defence in a potential attack. From the most elementary perspective, if it is determined that a target is well-fortified, it is less likely to be challenged. Over the last several years, rented cargo trucks with basic, readily available explosives and assault rifles have accounted for mass casualties in numerous cities. While it may be impossible to prevent criminals from driving cargo trucks, countermeasures should be considered for the prospect of such an attack.
proven to be ill-founded since there has not been an attack on such a facility. Others might argue that it is because of such investments that attacks may have actually been thwarted before even attempted. Indisputably, when it comes to preventing external attacks, the best defence is one that is strong and quite noticeable. References