Protecting Chemical Facilities Against Terrorist Attack

by Patrick Coyle

The U.S. Department of Homeland Security (DHS) Appropriations Act of 2007, passed by Congress in 2006, authorized the secretary of that department to establish a regulatory program to oversee the security of chemical facilities considered at high risk for terrorist attack. In the spring of 2007, the Chemical Facility Anti-Terrorism Standards (CFATS) program was born.

Using his/her authority to evaluate the risk levels of chemical facilities, the secretary determines the nature and likelihood of a potential threat based on an operational definition of a chemical facility and the possession of a “screening threshold quantity” (STQ) of specific chemicals of interest (COI). The COI list (found in CFATS Appendix A, 6 CFR Part 27) includes the chemicals that, if released during a terrorist attack, would pose a threat of fire, explosion, and/or toxic exposure to the local community. The COI list also includes chemicals that, if stolen or misdirected, could be used to manufacture explosive devices or chemical munitions for a subsequent attack.

The STQs are established at a level commensurate with the specific risk of the chemical, meaning that a high-risk chemical facility might not be a theoretically “typical” chemical manufacturing or distribution center. Any facility, in fact, that is home to a COI at or above the STQ limit could be declared a high-risk chemical facility. For that reason, the current facility list includes (but is not limited to) such disparate facilities as university laboratories, food processing plants, and agricultural complexes.

Risk Also Based on Location

The impact of a terrorist attack that includes the release of a certain quantity of a toxic chemical would vary to some extent according to the location of the chemical facility. For example, the effects of a 10,000-lb. release of anhydrous ammonia would be more serious in an urban area than on a Kansas farm, a consideration that puts the urban target at higher risk of an attack than the agricultural target.

In 2007, to evaluate the comparative risks based on location, DHS established the Chemical Security Assessment Tool’s Top-Screen program, which requires any facility that possesses a COI at or above the STQ level to submit certain information to the department’s Infrastructure Security Compliance Division (ISCD) – specifically including the maximum amount of each COI on hand within the past 60 days – along with certain basic information about the location of the facility. After reviewing the data submitted, the ISCD makes a preliminary determination of the high-risk status of the facility.

The need for that information quickly became evident. DHS Under Secretary Rand Beers stated in Senate testimony on 3 March 2010 that, when the first Top-Screens were received – in December 2007 and January 2008 – nearly 38,000 facilities had submitted their reports, and over 7,000 of them were notified that they might be at high risk for a terrorist attack. The other facilities were informed that their risks did not meet the criteria established for participation in the CFATS program – but were also advised that, if their COI inventory changed, they would have to submit a new Top-Screen.

Information Protection & Vulnerability Assessment

Once designated as high-risk, a facility must then provide additional and more detailed information to ISCD. To ensure that the business and security information provided in the submissions is protected from disclosure by the government, Congress also required the DHS secretary to develop an “information protection” program that would exempt, from various federal disclosure rules, the information provided by the facilities participating in the program.

In response, DHS developed in 2006 a new Chemical-Terrorism Vulnerability Information program to protect the information provided to ISCD under the CFATS program from disclosure under the Freedom of Information Act. In court proceedings, therefore, such information receives protection similar to that afforded classified information – but there also are some provisions included that permit information sharing with state and local emergency response officials.

To make a final determination that the initially designated facilities would actually be at a high threat of terrorist attack, DHS requires the submission of additional facility information under what is called a Security Vulnerability Assessment. Such assessments, which are submitted via another secure application in the Chemical Security Assessment Tool, provide ISCD with additional information about the facility layout, chemical storage, and safety/security systems.

After analyzing the Security Vulnerability Assessment data, ISCD makes a final determination of whether or not a specific facility is at high risk of terrorist attack, then assigns the facility to one of the four risk tiers – tier one being the highest risk and tier four the lowest. The tier ranking is important because the standards for the facility security measures are tied to that ranking.

Standards, Plans, Metrics & Guidelines

When Congress authorized the CFATS program, it included a provision that prohibited the DHS secretary from requiring any specific security measures for the approval of a site security program. To comply with that requirement, DHS incorporated into the CFATS regulations a list of 18 Risk-Based Performance Standards (RBPS) that must be met for a security plan to be approved.

In 2009, ISCD also published an RBPS Guidance document that provides additional information about not only the standards mandated but also the types of protection measures that may be appropriate for meeting those standards. The Guidance also provides a series of security metrics for each RBPS, based on the tier ranking of the facility, that spell out the difference in the requirements that must be met for each of the standards postulated.

CFATS-covered facilities are required to submit their security plans to ISCD for approval – by, for example, using a Site Security Plan (SSP) application in the online Chemical Security Assessment Tool. The SSP application provides a series of questions that the facility must answer about its current security processes, planned security measures, and proposals for future improvements.

Slow Progress – But Improvements Promised

Analysts at ISCD headquarters review the SSP submissions to determine if the measures planned are adequate to protect the facility in accordance with the RBPS for the appropriate tier ranking. If it is determined that those standards are in fact met, ISCD then: (a) authorizes the facility to implement the plan; (b) sends chemical facility security inspectors to the site to review the implementation process; and (c) approves the SSP – but not until after the inspectors report that the plan is in fact being properly implemented.

The step-by-step submission, authorization, and inspection process has proven, however, to be much more difficult and time-consuming than DHS had anticipated. In fact, according to the latest testimony (on 11 September 2012) of Beers before a subcommittee of the House Energy and Commerce Committee: (a) More than 3,600 facilities had by that time received final notification of their high-risk status and tier rankings; but (b) only 73 facility SSPs had been authorized as of that date; and (c) only one had been approved. David Wulf, Director of the Infrastructure Security Compliance Division, reported on 17 January 2013 that DHS is currently working on various procedures and process changes that will enable the authorization and approval rate to be significantly improved.

The chemical security program authorized by Congress in 2006 was intended to be an interim solution while Congress considered and approved a more comprehensive program. That has been more politically difficult than initially expected. Meanwhile, though, the continued authorization of the CFATS program has been renewed every year in the DHS appropriations bills. The current spending bill, and authorization for CFATS, expires on 27 March 2013.

Patrick Coyle is a 15-year veteran of the U.S. Army and has worked for 17 years in the chemical process industry – including 12 years as a process chemist and one year as a quality assurance manager. He also has taught industrial safety, and has been a freelance writer since 2006. For the past six years he has used his unique background to write a chemical security blog: the "Chemical Facility Security News."