Slowly but surely, utilities including chemical plants are embracing higher level access control requirements.

For example, this past April the Department of Homeland Security (DHS) published the new Chemical Facility Anti-Terrorism Standard (CFATS) in the Federal Register. It requires “chemical” facilities, some for the first time, to define and formally address security at their facility.

The new rule will require facilities fitting certain profiles to complete an online risk assessment. A company determined to pose a greater risk will be required to conduct vulnerability assessments and submit site security plans that meet DHS performance standards, which can include securing perimeter targets, controlling access and deterring theft of chemicals. Failure to comply can result in penalties of up to $25,000 per day and an order to cease operations.

THE PATH TO THE NEW RULE

Since 2003, DHS began working with the private sector in the chemical industry, as well as other interested parties, on chemical facility security issues. Many companies in the chemical industry have initiated voluntary security programs and have made significant capital investments in responsible security measures. Members of the American Chemistry Council, for example, invested more than $3.5 billion to enhance security since 9/11. Despite these initiatives, the Secretary of Homeland Security concluded that voluntary efforts alone would not provide sufficient security for the nation.

On September 8, 2006, the Secretary requested that Congress provide his department with regulatory authority to establish and require implementation of risk-based performance standards for the security of the nation’s high-risk chemical facilities. Congress took action on those requests, and in October the President signed the Department of Homeland Security Appropriations Act of 2007, which provides DHS with the authority to regulate the security of high-risk chemical facilities.

A RULE WITH CONTROVERSY

Since the pending rule was published for public comment in December, some state and local governments have publicly denounced several sections of the Chemical Facility Anti-Terrorism Standard as being weak. New Jersey has been the most vocal of all. At the top of the state’s complaint about CFATS is the pre-emption language. Under CFATS, DHS would allow the federal government to overrule state laws on chemical security – something New Jersey Governor Jon Corzine believes would weaken New Jersey’s laws and regulations. Governor Corzine vowed to legally challenge the pre-emption language if necessary.

The companies that qualify as high risk (and even some in the medium risk category) will be required to prepare a vulnerability assessment and site security plan.

VULNERABILITY ASSESSMENTS

Like the requirements of the Maritime Transportation Security Act of 2002 (MARSEC), chemical facilities, regardless of whether they are on a navigable waterway, will need to perform a vulnerability assessment of their facility. These assessments, if done correctly, can take up to two weeks on larger facilities and not only review the physical security protection sets, but also examine the processes used in the manufacturing of the chemical and identify any weaknesses that could be exploited by a terrorist element.

SITE SECURITY PLAN DEVELOPMENT

Developing a site security plan, while not the easiest task a security professional performs, requires a knowledge base of basic security processes and programs to assure the vulnerabilities identified (and not otherwise mitigated) during the assessment are addressed in the security plan. The site security plan developed under CFATS must also address the following “risk based performance standards.”

• Secure and monitor the perimeter of the facility
• Secure and monitor restricted areas or potentially critical targets within the facility
• Control access to the facility
  • Measures to deter unauthorized introduction of dangerous substances and devices
  • Measures implementing a regularly updated identification system that checks the identification of facility personnel
• Deter vehicles from penetrating the facility perimeter
• Secure and monitor the shipping and receipt of hazardous materials for the facility
• Deter theft or diversion of potentially dangerous chemicals
• Deter insider sabotage
• Secure and monitor the perimeter of the facility
• Secure and monitor restricted areas or potentially critical targets within the facility
• Control access to the facility
  • Measures to deter unauthorized introduction of dangerous substances and devices
  • Measures implementing a regularly updated identification system that checks the identification of facility personnel
• Deter vehicles from penetrating the facility perimeter
• Secure and monitor the shipping and receipt of hazardous materials for the facility
• Deter theft or diversion of potentially dangerous chemicals
• Deter insider sabotage
• Deter cyber sabotage
• Develop and exercise an emergency plan to respond to security incidents
• Maintain effective monitoring, communications and warning systems including:
  • Measures designed to ensure that security systems and equipment are in good working order
  • Measures designed to ensure regular testing of security systems
  • Measures to allow the facility to promptly identify and respond to security system and equipment failures
• Ensure proper security training, exercises and drills of facility personnel
• Perform appropriate background checks on and ensure appropriate credentials for facility personnel
• Escalate the level of protective measures for periods of elevated threat
• Address specific threats, vulnerabilities or risks identified by the DHS
• Report significant security incidents to DHS
• Identify, investigate, report, and maintain records of significant security incidents and suspicious activities in or near the site
• Establish official(s) and an organization responsible for security and for compliance with the standard
• Maintain appropriate records
• Address specific threats, vulnerabilities or risks identified by DHS
• Address any additional performance standards DHS may specify

MULTI-FACETED TEAM APPROACH TO COMPLIANCE

With the complexity of vulnerability assessments and the need to develop a comprehensive security plan, no single security company has the resources to dedicate to such a project and assure the quality of the product meets every aspect of the regulation. To add to the complexity, the ever-evolving rulemaking process is adding almost daily challenges to implementation of the rule. What’s a law abiding chemical company to do?

• In August 2006, AlliedBarton Security Services formed the Chemical Petro- chemical Security Alliance (CPSA). The alliance consists of several of the United State’s top chemical petrochemical security consulting companies as well as key industry leaders. The alliance provides “thought leadership” in the form of white papers, industry articles and speaking opportunities and is an ongoing forum for sharing up-to-date information and best practices. Having access to experts with up-to-the-minute information on facility security requirements and practices is invaluable as the chemical security industry evolves.

PROGRAM IMPLEMENTATION – CFATS COMPLIANCE

With the assessments done and security plan developed it’s now time to put in place the program. Easy, right? Not really.

Special requirements necessitate special training. To address the special needs of organizations in the chemical and petrochemical industries, it was determined a comprehensive training program would need to be developed around compliance with government regulation (CFATS and MARSEC).

• Safety Awareness – Security officers will be given monthly safety awareness training on all OSHA industrial safety topics.
  
  
• Safety Recognition and Response – After successful completion of the awareness training, security personnel are instructed to recognize safety hazards during their normal patrols and, when identified, provide the appropriate response to assure no one gets hurt.
  
  
• Accident Investigation/Root Cause Analysis – One of the keys to a successful accident prevention program is to assure a proper investigation with a root cause analysis conducted immediately after an accident. Security personnel (trained observers), who are typically “first on the scene” of many accidents, are taught accident investigation techniques to assure the most accurate information is available to determine a root cause for the accident, thereby preventing its recurrence.

The challenge for the security industry is to educate. Educate the industry on the aspects of a sound security program and the fine marriage of manned-guarding and security technology. Educate security personnel on the challenges of protecting a chemical/petrochemical facility and giving them the necessary skill sets to be successful at doing it.

As the rulemaking process evolves and refines, the true test of program is its adaptability to change and improve over time. I believe the program that we have put together will past the test with flying colors.

SIDEBAR: Roll Out the Security

Some organizations such as Marathon-Ashland Petroleum and American Electric Power literally think outside the box in retrofitting higher-level protection. For example, from MSSI, the MAC (Modular Access Control) Container is a standard ISO container that has been modified to include a set of walk-through turnstiles, equipped with a variety of scanning features that can use card-reading, iris, facial and palm scans, metal detection and a myriad of other techniques to discriminate among those who are authorized to enter or exit a site. The container also houses an air-conditioned guard booth with the latest phone and computer connections. This approach is for both perimeter security and the safety of those working in potentially dangerous environments.

The containers are already in use in many facilities for maintaining and monitoring plant security, especially during turnarounds and outages when maintenance work is being performed.

SIDEBAR: An ‘Ideal’ Training Program

• Vehicle Bomb Search Techniques – All too often security officers conduct cursory searches focused more on theft prevention than the detection of contraband and/or explosive materials.
  
  
• Security Officer Basic Courses – An introductory course teaching the basic foundation of security techniques is essential to a good chemical petrochemical security officer.
  
  
• MARSEC Training – With many of the chemical petrochemical companies having an operation on a navigable waterway the Maritime Transportation Security Act of 2002 required security personnel to be consistently trained on the requirements of this regulation. A provision of CFATS will allow companies who are compliant with MARSEC to submit their MARSEC security plan as an “Alternative Security Plan” for compliance with CFATS.
  
  
• Conflict Resolution/Management of Aggressive Behavior (MOAB) – With many chemical petrochemical facilities experiencing heightened security measures for the first time facility personnel and contract personnel were becoming more aggressive and trying to bypass security access control procedures in order to get into the facility in a more timely manner. Security officers trained in conflict resolution and MOAB would be able to sternly but diplomatically enforce the policies and procedures and thereby assure the integrity of the access control program.
  
  
• CPR/First Aid/AED – Many chemical petrochemical facilities have an internal emergency response team and quite often security personnel are used to supplement these teams. And more often than not security personnel are first on the scene in these emergencies. When seconds count, this life skill training is invaluable to the person who is on the receiving end.
  
  
• Basics of Supervision – All too often the security (contract security companies in particular) rewards top performing security officers with promotions to supervision. And all too often, the appropriate training needed to be an effective and successful supervisor is not provided.
  
  
• Incident Command – As the security profession evolves, and in consideration of costs, security personnel are being asked to take on more responsibility. One of these increased responsibilities is to assume command of emergency situations at the client sites until the client can arrive and assume control. Training security supervisors in the basics of incident command is essential to ensure that emergencies are handled in the most proficient and professional manner.
  
  
• HAZMAT – As with Incident Command, security personnel are frequently being asked to expand their scope of duties to reduce operating costs. Being a HAZMAT trained responder is another example of the diversity of duties and responsibilities that are available in this program.
  
  
• Fire Brigade/Confined Space Rescue – Based on HAZMAT skills.