Chemical Facility Anti-Terrorism Standards (CFATS) Deadline Approaching
Posted: January 13th, 2012Author: All4 Staff
Environmental professionals are used to acronyms. EPA, NPDES, PSD, RMP, RCRA – we’ve heard them all and may even understand many of them. But just as soon as we get the environmental acronyms figured out, many of us are now subject to the Chemical Facility Anti-terrorism Standards (CFATS) and have been forced to learn some more! Not only have we had to learn about them, but we are fast approaching another set of CFATS deadlines for the Security Vulnerability Assessment (SVA) component of the standards.
Chemical facilities that store certain chemicals of interest (COIs) in amounts greater than the screening threshold quantity (STQ) identified in Appendix A of 6 CFR Part 27 are subject to the regulation and were required to: (1) register and, (2) complete the Top-Screen analysis by January 22, 2008 using the Chemical Security Assessment Tool (CSAT). Most facilities have been in a “holding pattern” since the Top-Screen submittal. However, the Department of Homeland Security (DHS) has recently distributed letters to CFATS-affected facilities outlining each facility’s preliminary tier determination and its schedule for submission of the next step – the SVA.
- Preliminary Tier 1 facilities have 90 days to complete and submit the SVA.
- Preliminary Tier 2 facilities have 120 days to complete and submit the SVA.
- Preliminary Tier 3 facilities have 160 days to complete and submit the SVA.
- Preliminary Tier 4 facilities have 180 days to complete and submit the SVA or a DHS-approved Alternative Security Plan (ASP).
What is an SVA?
The Center for Chemical Process Safety (CCPS) defines the SVA in their publication – Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites – as “[t]he process of determining the likelihood of an adversary successfully exploiting vulnerability, and the resulting degree of damage or impact.”
This may be the first step in the CFATS process where an environmental professional can get that uneasy feeling due to a lack of familiarity with an SVA. ALL4 recommends that SVAs be lead by experts with security backgrounds, which is how they are traditionally done. The CSAT SVA process is based on the CCPS SVA methodology and focuses on following areas:
- SVA Project Planning
- Facility Characterization
- Threat Identification
- Vulnerability Analysis
- Computer System Analysis
- Support Documentation
The procedure for conducting the SVA is unique and will require an individual or team with knowledge and experience with process safety; security principals and practices; information technology (IT); and facility-specific operations. Based on the depth and breadth of knowledge required, it is unlikely that one individual will possess all of the expertise needed to complete the SVA. ALL4 will typically include environmental, security, health and safety, IT, operations, purchasing, and management personnel as part of the SVA team to ensure that all avenues are considered.
The SVA process includes the following seven (7) activities:
1. SVA Project Planning
The SVA planning process includes assembling the appropriate team and developing a strategy to perform the SVA. The planning process will include, but is not limited to: assembling the necessary documentation; scheduling time with operations personnel, security personnel, and suppliers; reviewing maps and aerial photographs; and assembling existing SOPs, O&M manuals, raw material management procedures, security plans, etc.
2. Facility Characterization
Facility characterization involves reviewing much of the information assembled during the planning step. The goal of the characterization is to understand the COI “lifecycle” and to understand the facility infrastructure that will be considered as part of the vulnerability analysis and/or countermeasure steps in the SVA process. The infrastructure to be considered includes: security equipment and procedures; utility backup systems and redundant systems; inventory control procedures; access controls; shipping/receiving controls; cyber controls; etc.
3. Threat Identification
The initial Top-Screen analysis provided each facility with the identification of the COI that must be considered for the SVA. However, there are additional identification steps to consider in order to more accurately identify threats. For example, specific information for each COI must be considered including: storage locations and conditions, containment systems, leak detection systems, control systems, other mitigating measures in place, etc.
4. Vulnerability Analysis
The Vulnerability Analysis requires the SVA team to evaluate various attack scenarios based on the type of security issue (i.e., release, theft/diversion, sabotage) and the COI, and then to assess the vulnerability of each attack scenario. This assessment includes identifying the probability of an attack scenario occurring, and then systematically analyzing its impact. The vulnerability analysis includes the consideration of countermeasures.
5. Computer Systems Analysis
The CSAT SVA module includes a section on computer systems. The Computer Systems Analysis will most likely require support from IT personnel and considers the vulnerability of each cyber control system or cyber business system.
The consideration of Countermeasures is a key component of the attack scenario analysis. As part of this process, the team may also identify gaps or weaknesses in existing countermeasures that the facility may want to “shore up” independent of completing the CSAT SVA.
7. Support Documentation
The formal support documentation for the CSAT SVA is completion of the SVA module. However, any other information developed during the SVA process should be maintained by the facility and treated as chemical-terrorism vulnerability information (CVI).
Now that I know what an SVA is, what should I be doing?
DHS has estimated that it will require 250 man-hours to complete the SVA (CSAT Security Vulnerability Questions, June 2008, Version 1.0); therefore, even the Preliminary Tier 4 facilities should get started with the process. Also remember that there are CVI implications for completion of the SVA process and there may be the need to extend CVI training to other members of the assembled team. The major steps include: (1) identifying and assembling the team, (2) assembling and reviewing the facility information, (3) conducting the SVA, (4) completing the CSAT SVA module, and (5) addressing any gaps identified during the SVA process.
After submitting the SVA, the DHS will review and approve the SVA and issue a final tier determination. A Site Security Plan may then be required to be submitted consistent with a schedule provided by DHS.
How can ALL4 help?
ALL4 can help lead the SVA process and can support any follow-up effort addressing gaps identified during the process. ALL4’s CFATS team is lead by Mr. Len Cross and Mr. Bill Straub.
Mr. Cross has more than 33 years of experience in security issues – both domestic and international. During a 26-year career in the FBI, Mr. Cross conducted and directed investigations and crime scenes on criminal and terrorist matters. These include the World Trade Center, Oklahoma City (SANG Building), and Saudi Arabia (Khobar Towers). During the Gulf War, Mr. Cross was responsible for identifying critical assets and conducting security surveys in the New England area including airports, seaports, nuclear energy plants, infrastructure, and hazardous materials storage facilities. Mr. Cross is an experienced lecturer and author at domestic and international security conferences and seminars on topics ranging from crime scene management to vulnerability assessments. In addition, he is a certified instructor at the U.S. Merchant Marine Academy, teaching the Maritime Transportation Security Act – Facility Security Officers course, which was used as the blueprint for the Chemical Facility Anti-Terrorism Standards (CFATS).
Mr. Straub is one of the founding Principals of ALL4 and has more than 17 years of professional experience that encompasses many aspects of the environmental consulting industry with an emphasis in air quality. Mr. Straub has significant experience managing the implementation of the Risk Management Program (RMP) both at the corporate and plant levels across numerous industries. His responsibilities have included program management, executive management coordination/training, agency interaction, public outreach, submittal development, recordkeeping/reporting system implementation and management, and auditing. Mr. Straub has supported several clients with the Top-Screen analysis and the CFATS exercises to date. Mr. Straub is also an experienced lecturer and author at environmental conferences and seminars on various topics such as the CFATS, RMP, and New Source Review air permitting