Guest author Patrick Coyle covers Chemical Sector security, cybersecurity legislation and ICS security on his Chemical Facility Security News.
Last month the American Chemistry Council announced that it had, in conjunction with the Infrastructure Security Compliance Division (ISCD) of DHS, developed an alternative security plan (ASP) for the use in submitting data to ISCD about security measures for high-risk chemical facilities covered under the CFATS program. This ASP will allow facilities to submit their information in a format that is more user friendly for both facility personnel and the Chemical Facility Security Inspectors (CFSI) that will evaluate the effectiveness of those measures.
The Current SSP
The current site security plan (SSP) application in the on-line Chemical Security Assessment Tool (CSAT) is more of a questionnaire about the security measures in place at a facility rather than an actual security plan. It utilizes a combination of response buttons, pull-down menus, fill-in-the-blank boxes and data download tools to acquire the information that the analysts at ISCD would use to evaluate the facility security measures.
The system was designed to allow for an initial electronic analysis of the information before it was provided to human analysts for review. Unfortunately, in practice the design did not elicit enough detailed information from facilities for an effective review of the site security plan. This greatly slowed the initial authorization of the security plans and effectively stalled the final approval of those plans; only two facilities out of more than 4,000 have had their plans approved in the last two years.
The Use of the ASP
The use of an ASP does not change the requirements for the facility to meet the risk-based performance standards (RBPS) set for the facility’s tier level (risk ranking; 1 to 4, one being highest risk). Those standards are set forth in the CFATS regulations (6 CFR 27.230) and explained in some detail in the Risk-Based Performance Guidance document.
What the ACC ASP does is to format the information needed by ISCD to evaluate the facility security program in a single Word document that could be published as a standard corporate document describing the security program. The document (along with supporting diagrams and photographs) is uploaded into the SSP application instead of answering all of the questions about the program.
The ACC ASP is actually just the template for that document. It provides section and paragraph headings as well as a basic outline of the information to be included for each paragraph. An associated guidance document provides additional information about what level of detail is needed by ISCD for the authorization and approval of the site security plans.
Cybersecurity issues are addressed in the RBPS, the existing SSP application and the ACC ASP. DHS has not done a good job of differentiating between the security requirements for IT systems and control systems; either in the RBPS or the SSP application. The ACC ASP does a slightly better job in that it does require (para 5.9) a description of the different cyber-systems (business, process control, fire and gas detection are all mentioned; security systems are overlooked) that affect the security of the various DHS chemicals of interest (COI) addressed in the SSP.
To be fair to the ACC, they are not trying to establish security standard, but rather trying to ensure that all of the information that ISCD needs to evaluate the facility security program is made available in a useable format. Establishing real control system security standards for high-risk chemical facilities will have to be addressed in a different venue.
A more in-depth review of the ACC Alternative Security Program is available on my blog - Chemical Facility Security News.
Image by BiblioArchives / LibraryArchives