“Today, as we evolve from a post-9/11 anti-terrorism mission, we are focused on new threats, including threats to our critical infrastructure, to soft targets in crowded places, as well as nation state threats to our key cyber systems and election infrastructure. We are very mindful of the more traditional threats, but we are also very aware of emerging threats. As our nation’s risk advisors, we must analyze what is coming next and understand the risks associated with new threats,” says Brian Harrell.
Harrell is Assistant Director for Infrastructure Security within the new DHS Cybersecurity and Infrastructure Security Agency (CISA). In addition to the Infrastructure Security Division, there are four additional divisions: Cybersecurity Division, Emergency Communications Division, National Risk Management Center and a Stakeholder Engagement Division.
CISA’s mission is extensive: to help secure the nation’s critical infrastructure from physical and cyber threats, and to create a more secure and resilient infrastructure for the future. It relies on partnerships and national outreach across the private and public sectors, and on delivering technical assistance and assessments to federal stakeholders, as well as to infrastructure owners and operators.
Dave Wulf, Associate Director, Chemical Security
As CISA works toward reauthorizing the Chemical Facility Anti-Terrorism Standards (CFATS) program, what is CISA’s role in chemical security and its work with first responders and law enforcement to ensure dangerous chemicals do not get into the wrong hands? Dave Wulf is CISA’s Associate Director for Chemical Security. Wulf has previous experience with the Bureau of Alcohol, Tobacco, Firearms, and Explosives in the Department of Justice, with roles such as Chief, Office of Regulatory Affairs, Director of the National Center for Explosives Training and Research and Senior Counsel for Field Operations.
What is the status of the chemical security threat in the United States?
Dave Wulf: The chemical terrorism threat is as real and as relevant today as it has ever been. Chemicals that trigger coverage under the CFATS program continue to be acquired and used by adversaries around the world. They also continue to view chemical facilities as attractive targets.
The cyber threat is also a real one within the chemical sector. We have seen instances in which cyber malefactors have targeted chemical facilities in the oil and natural gas sector.
What is the value of the Chemical Facility Anti-Terrorism Standards (CFATS) program to national security and the chemical sector?
Dave Wulf: CFATS is the principal means by which we foster security at America’s highest risk chemical facilities. One foundational element of the program is our list of chemicals of interest. It includes 320 chemicals that, at specific quantities and concentrations, will trigger reporting requirements. Therefore, if a facility has one or more of the chemicals at or above the specified quantities or concentrations, we will know it. It gives us information about a facility and its chemical inventory. We run that information through a risk assessment process to determine whether the facility is or is not at high risk of a terrorist attack or exploitation.
Up to 30,000 facilities have filed those initial “top screen” reports with us. From that list, we have identified approximately 3,300 facilities that are currently deemed to be high risk. From there, we put those facilities into tiers, with tier one being the highest high risk, and tier four being the lowest of the high risk, yet still a high risk to national security.
We work with the facilities as they develop site security plans under the CFATS program. They are required to address 18 risk-based performance standards. Measures are designed to deter, detect and/or delay a potential terrorist attack, to address cybersecurity and to address insider threat, among other concerns.
It is a targeted program, but it is also a flexible program, and we think that is really important, given the diversity of chemical facilities. The universe of chemical facilities covered under CFATS incorporates not only chemical manufacturers and chemical distributors, but also semiconductor fabrication sites, food processing sites, wineries, breweries and water parks. It is not a one-size-fits-all situation, which is why the flexibility of CFATS is important.
We have a strong level of commitment and buy-in across the industry stakeholder community. The spirit in which we operate is to work with the facilities that are working in good faith with us to be in compliance. We use enforcement authorities only as a last resort.
How has CFATS improved security at high-risk chemical facilities?
Dave Wulf: Implementing CFATS has meant that tens of thousands of additional security measures have been put in place at high-risk facilities across the country, which is a 55-percent level of improvement in security posture at those facilities. The existence of the program has contributed to a true culture of chemical security across the relevant industry communities.
We believe it takes the entire community to secure America’s chemical infrastructure, and the commitment we have from our industry stakeholders has been amazing. We have had strong support on the Congressional side that has enabled us to continue to grow and improve the program. In 2014, Congress authorized CFATS on a long-term basis that gave us a four-year authorization and that has afforded us the stability needed to ensure that we can recruit and retain the best and brightest and make key programmatic improvements. That has been important for our industry stakeholders, as well, as they have made significant capital investments in CFATS-focused security measures. These companies deserve to know that the program is here to stay.
How do you see chemical security evolving and your program adapting to new challenges in the future?
Dave Wulf: There is more work to do to assist the 30,000 or more facilities that are not assessed as high risk under CFATS. We would like to give them incentives to enhance their security and further grow the culture of chemical security in the United States.
We are also working on fostering security at the point of sale for explosives precursor chemicals. The Secure Handling of Ammonium Nitrate Act, which was signed into law in 2008, called for all sellers and purchasers of ammonium nitrate products to be registered with DHS and vetted against the national terrorist screening database. We realized, however, that anything we do to address the security of ammonium nitrate at the point of sale would shift the risk to the dozen other high-threat, improvised explosive device (IED) precursors. With this in mind, we commissioned a National Academy of Sciences study to look at the issue, and we received recommendations confirming that a broader approach, focused on a larger number of precursor chemicals but in a way that would be less burdensome for retailers, would be optimal. We are now engaging with Congress, and my hope is that Congress will enact a framework that meaningfully and smartly secures transactions for these openly available explosives precursor chemicals.
Five Key Areas
Harrell has vast knowledge of critical infrastructure security, with previous roles as Managing Director of Enterprise Security at the Duke Energy Corporation and Director of the Electricity ISAC and Director of Critical Infrastructure Protection Programs at the North American Electric Reliability Corporation (NERC), where he was charged with helping protect North America’s electric grid from physical and cyber-attacks. He was appointed by President Trump in December 2018, shortly after the legislation creating CISA was signed into law, as the first Assistant Director for Infrastructure Security.
“With a name like the Cybersecurity and Infrastructure Security Agency, the value proposition is inherent,” Harrell says. “People know what we bring to the table and they are seeing their products and services on a regular basis. We are trying to gravitate towards where the threats are, while meeting industry halfway to put tools into their hands that they can use to mitigate risk.”
Harrell notes that while CISA’s mission is vast, it is focused on five key priorities. The first is the risks to the critical supply chain, which includes risks associated with 5G and Chinese espionage. Second is protecting federal networks in the .gov systems throughout the United States.
The third is industrial control systems or SCADA systems, which are used to control electricity, and to provide clean water and vital chemicals. To mitigate that risk, Harrell advocates for an integrated approach to addressing physical and cyber convergence. “We see a gravitation towards the understanding that physical security, cybersecurity and emergency management have a common nexus,” he says. “Physical threats can impact cyber operations. Intrusions into our cyber systems can potentially be the enemy avenue of approach to shutting down IP-based cameras, access control systems or safety systems for our critical infrastructure.”
“We have seen a number of attacks where attackers are in the folds where no one is looking, so without a converged program, you may be running undue risk,” he adds. “It is no longer good enough to meet with a cyber team every Tuesday. The programs must be in lockstep, coordinated and functioning with full situation awareness. To have silos is no longer good enough.”
Office for Bombing Prevention
Sean Haglund, Chief of the Office for Bombing Prevention
How has CISA’s Office for Bombing Prevention worked to develop training, exercises and other tools and resources to help localities understand and defuse the threat of IEDs?
Sean Haglund is the chief of the Office for Bombing Prevention within the Cybersecurity and Infrastructure Security Agency Infrastructure Security Division. He is a retired Air Force officer with 25 years of experience as an explosive ordnance disposal technician. He also has experience with the J8 Joint Chiefs of Staff in the Joint Requirements Office for chemical, biological, radiological and nuclear defense at the Pentagon.
How serious a threat are bomb attacks in the U.S. today? Has this threat increased or decreased in recent years?
Sean Haglund: The threat in the U.S. is real. Groups such as ISIS, Al-Qaeda and other violent extremist organizations around the world, as well as at home, continue to promote violent attacks against the homeland and our allies and interests abroad. Part of the challenge is that instructions for making improvised explosive devices are widely available on the internet, and unfortunately, construction and concealment techniques are shared freely through many forms of social media.
Another challenge is that IED components, such as switches, batteries, containers, as well as the explosives themselves, explosive powders, exploding targets and other explosive precursor chemicals that you could use to manufacture homemade explosives, are also largely unregulated and easily accessible.
Although we’ve seen a slight downturn in bomb threats that people are making, actual device related incidents have gone up over the last couple of years. Authorities have been finding more bomb-making materials and more viable IEDs that have the potential to detonate or that detonated.
For instance, according to OBP’s 2018 TRIPwire IED report, which tracks open-source intelligence data, in 2018 “device incidents” increased to a total of 718 devices, compared to 684 device incidents in 2017 (+4.9 percent) and 637 in 2016 (+12.7 percent). Bomb threats declined 6.9 percent in 2018, but suspicious packages increased by 8.5 percent during the same timeframe.
Overall, improvised explosive devices are an enduring global security threat and challenge that requires a government approach and partnerships with our allies and partners overseas. The Office for Bombing Prevention leads the DHS effort in this area.
What is the difference between a bomb and an improvised explosive device (IED)?
Sean Haglund: The term bomb is a broad term. It is used frequently to describe homemade explosive devices or IEDs.
An IED is exactly that. It’s a device that is made using homemade explosives, military explosives, or commercial explosives, and it can employ a wide range of materials, power sources, switches, containers and more. The unique nature of an IED is that it can come in virtually any shape and size. It can be cleverly disguised to look like any ordinary item, such as a backpack, a laptop computer, or a mail package, and its design is really only limited by the creativity of the bomb maker.
What is the Office for Bombing Prevention’s role in preventing these attacks?
Sean Haglund: The Office for Bombing Prevention (OBP) is the center of gravity for our agency’s counter IED services. The OBP leads DHS’ efforts to implement a national policy for countering IEDs to enhance the nation’s ability to prevent, protect against, respond to and mitigate the use of explosives against critical infrastructure across the U.S., including the private sector and federal, state, local, tribal and territorial entities.
We focus our efforts through an organization comprised of four branches: a training and awareness branch, an information sharing and decisions support branch, a capability assessment and planning support branch and a branch that focuses on the coordination of national and intergovernmental bombing prevention efforts.
What have you specifically done to respond to concerns about physical attacks at large-scale events, such as at outdoor fairs and sports events?
Sean Haglund: More than one year ago, OBP responded to concerns about physical attacks on soft targets or large-scale events by publishing the Security and Resiliency Guide for Counter-IED Concepts, Common Goals, and Available Assistance (C-IED). The guide seeks to help operators of commercial spaces, public safety officials and others implement counter-IED programs and activities within their overall emergency management approach. The guide helps them take better advantage of all available U.S. government resources to build and sustain their counter-IED preparedness.
In addition, OBP created four annexes that are sector specific, designed for the lodging industry, outdoor event sponsors, sports leagues and public assembly venues, which includes movie theaters, convention centers and other areas where large numbers of people meet. Currently, we are in the process of drafting a fifth annex specific to the healthcare industry. The guide lays out 10 common goals for building counter-IED preparedness and offers solutions from a wide range of government and academic entities to solve any gaps.
What do you do to help municipalities prepare for and prevent IED attacks?
Sean Haglund: OBP has created a wide range of training courses and planning tools and awareness guides that help our state and local authorities, as well as our private partners prepare for and prevent IED attacks. Within our counter-IED training and awareness branch, we deliver and build a comprehensive curriculum of web-based training, virtual and in-person training courses. The courses have been well received. In March, the 100,000th participant completed an OBP counter-improvised explosive device (C-IED) training and awareness course.
We also instituted a “train the trainer” program where we train local, state and federal partners such as the New York Police Department, New York Port Authority, Transportation Security Administration, U.S. Mint and others, to teach our certified bombing prevention courses. We expanded the program into the private sector as well, by partnering with an outside company to teach the OBP courses.
The Bomb-Making Materials Awareness Program (BMAP) is a specific outreach and awareness program where we partner with local communities and ask them to serve as law enforcement’s eyes and ears by increasing their awareness of products that a bad actor could potentially use to construct a bomb or another dangerous device. The BMAP course teaches community liaisons how to recognize chemicals and other household and publicly or commercially available products that can be used to produce improvised explosive devices.
Duval County, Fla. recently hired an individual designated as its BMAP liaison and program manager. This jurisdiction now has a dedicated BMAP representative who can tailor BMAP and other OBP information to meet the needs of the local community that could include schools, retail sales outlets, public gathering places and more. It is a great fit as every county, city and jurisdiction has different resources and capabilities, so the ability to tailor the message at the local level is a huge advantage. I foresee this continuing to grow and spread across many communities throughout the U.S.
Who are your bomb prevention trainings available for, and how can people access them?
Sean Haglund: Within OBP, we track the tactics, techniques and procedures (TTPs) that are used by the violent extremist groups around the world. In tracking that threat information, we look for potential trends, or those TTPs that adversaries could potentially use in the homeland, and we continuously adjust our training and awareness information to stay ahead of the threat landscape. While our focus is domestic, we try to harvest the information that we get from our partners, allies and our liaison organizations to maintain awareness of the threat and stay ahead of it.
OBP training courses are offered at no cost. They all comply with the American National Standards Institute, and they’re all accredited through the International Association of Continuing Education and Training, and because of that accreditation, they’re all certified for Continuing Education Units (CEUs). The only thing that is required to participate is a FEMA student ID number. We have in-person training and webinar-based training, and it is tailorable to the needs of the participant.
The fourth area is soft targets and crowded places, including schools, houses of worship, festivals and other places where people gather. “Since coming to CISA back in December, this has really been my number one priority,” Harrell says. “Quite frankly, I’m simply following the current threat landscape and the weekly headlines. There is a small segment of society that is hate-filled, bigoted and they want to hurt the most innocent among us. Attacks such as the Pulse nightclub, the Pittsburgh Tree of Life Synagogue and the Las Vegas country concert really demonstrate that attackers are looking for those soft targets in crowded places.”
The fifth area is election security. “We know and understand that the Russians were active in 2016 with respect to influencing our opinions on certain topics,” he explains. “They are interested in exploiting any avenue, whether through probing our election infrastructure for potential weakness, or dividing public opinion by using fake social media accounts to instigate race baiting and motivating certain hate groups. Knowing this, we have worked to share security best practices and to help create an election Information Sharing and Analysis Center, which is the central information sharing hub for the election subsector. As threats materialize and we see them in the federal space, we push out alerts. Information sharing is part and parcel to threat mitigation. We are absolutely going to be ready for the presidential election in 2020.”
An additional area for Harrell is insider threat mitigation. “Individuals within companies have solid and institutional knowledge as to how to bring a company to its knees,” he says. “They may have the keys to the kingdom and unescorted access to the crown jewels. They can destroy key system components or steal proprietary or customer data from an enterprise. Therefore, knowing and monitoring the actions of employees is critical. I believe that investing in an insider threat program is worth its weight in gold and may stop or mitigate an attack before it starts. I suggest investment in an access control system that highlights potential access probing, or using software that alerts you when proprietary information, trade secrets, customer data or sensitive information leaves your system and goes to a personal account or even overseas. Those investments go well beyond traditional background checks.”
Interagency Security Committee
Daryle Hernandez, Director, Interagency Security Committee
Twenty-five years after the Oklahoma City Bombing, where does the U.S. stand with federal facility protection? How has security for federal facilities evolved, along with the civilians who work and visit them? The Interagency Security Committee (ISC) has become the gold standard in developing tailorable and scalable guidance, policies and standards for federal facility security. States, localities and some private sector entities have adopted many aspects of the ISC’s approach.
Daryle Hernandez is director of the ISC. He spent 27 years in the Department of Defense (DoD); the last three years he ran the U.S. Army’s protection program, where he implemented the insider threat program due to the Bradley Manning and Edward Snowden incidents. He also served with FEMA on a National Incident Management Assistance team, conducting incident management and response operations as the DoD liaison for them.
What is the Interagency Security Committee (ISC) and what does it do?
Daryle Hernandez: We are a collaborative and authoritative group of 62 departments and agencies. The ISC is chaired by DHS. We produce industry-leading security policies, standards and recommendations to enhance the security and protection of federal facilities in the U.S.
That includes a six-step process that begins with categorizing risk at a particular facility through analyzing the risk and tailoring the countermeasures associated with that risk to produce a set of countermeasures that provide a level of protection commensurate with the risk level. That standard has a threat annex associated with it, which we update on an annual basis. We also have another standard related to prohibited items in federal facilities. Collectively, those are the core standards that drive security and protection efforts in federal facilities. Even more, we have a policy related to active shooter for federal facilities.
The executive order that created the Interagency Security Committee lays out the applicability of the ISC’s work, which is specific to federal facilities in the executive branch. It exempts DoD, but DoD finds value in the ISC, so they have adopted our standards for their off-installation facilities.
Next year marks the 25th anniversary of the Oklahoma City bombing. What has changed since then in how we approach federal facility security?
Daryle Hernandez: First, we now have authoritative guidance for federal facilities that did not exist. There were no minimum security standards prior to the creation of the ISC. At that point, every federal department and agency pursued security using disparate approaches. Now we have a unifying guidance.
Second, while traditional threats remain, such as IEDs and vehicle-borne explosive devices, we now have a number of emerging threats, to include drones, vehicle ramming and cybersecurity. We have had to increase and expand to keep pace with the growth of threat factors. We have also had to become a risk-based organization. As an example, the risks to a CIA facility and a Smithsonian facility are going to be different. Therefore, our approach to securing them has to be tailorable and scalable.
Another significant change is that we will begin reporting and monitoring compliance with ISC policies and standards, both from the department agency level down to the facility level. It is a requirement of the executive order, and our membership is fully behind it. We will implement it this fall.
The information will be maintained by DHS and its members, to measure strengths and weaknesses, and then focus on areas where we see systemic problems. It will provide that department and agency a holistic view of itself that it may or may not already have. Compliance assistance will follow the results.
How do security and safety standards for federal facilities differ from what the private sector would use?
Daryle Hernandez: While there are some additional requirements levied on federal facilities, there are many more similarities than differences. Our location within CISA allows us to leverage the synergies between the work that we do on behalf of federal facilities and the work that other parts of our agency do with the private sector. Some examples of that collaboration from the federal facility side and the private sector critical infrastructure side include work on vehicle ramming, counter-drone and bombing prevention, to name a few.
Can you give some examples of good practices that you would recommend for all facilities?
Daryle Hernandez: We have published a set of security specialist competencies to lay out, from stem to stern, the competencies that you would want in a security specialist for your enterprise. We also publish best practices for armed security officers in federal facilities. And, we have a best practices guide for facility leasing agents. How do you work with your facilities or leasing experts within your organization to ensure that you get your security requirements baked into a lease proposal?
We also have a best practice for finding and managing physical security resources and for security office staffing. The latter is to help security practitioners build the case for a staffing level for the missions that they have been given.
There have been a number of attacks on federal buildings since the Alfred P. Murrah building bombing, and threats remain. To counter that, the Interagency Security Committee with its members is a recognized leader in providing a risk management approach that is top tier and is recognized as a gold standard.
Overall, Harrell would like the public and private sector to see CISA’s Infrastructure Security Division as a trusted partner to mitigate physical and cyber risks. Its resources are vast, and all of them are free of charge to stakeholders. For example, a Hometown Security site at www.dhs.gov/cisa/hometown-security has resources for communities related to soft target security, such as active shooter preparedness and school safety. For insider threats, a video is available at https://www.dhs.gov/cisa/insider-threat-mitigation with mitigation steps. For the physical, cyber and foreign influence aspects of election security, the CISA Protect 2020 site at https://www.dhs.gov/cisa/protect2020 offers infographics, reports and more.
“My vision is simple,” Harrell says, “to create relationships under blue sky conditions and not under crisis; to provide expertise and a roadmap for what good security looks like; to share threat information back and forth and be timely with it; and to exercise incident response and recovery and to help when a target does get hit.”