[ID] => 9834
[post_author] => 5714
[post_date] => 2018-07-13 11:11:25
[post_date_gmt] => 2018-07-13 10:11:25
[post_content] => Recent changes to the Chemical Facility Anti-Terrorism Standards (CFATS) programme in the US mean that the Department for Homeland Security (DHS) will expect facilities in scope of the Standards to interact with it in a different way. Chemical production, storage and distribution facilities in scope of CFATS – which aims to monitor the security of explosives precursors in particular – will also be assigned to one of four tiers, based on risk, that will enable DHS to target its efforts most effectively.
The changes to CFATS were explained to the US storage terminal industry during the ILTA annual conference in Houston in June this year by Amy Graydon from DHS and Capt Ryan Manning of the US Coast Guard (USCG). Before explaining the recent changes they looked back to the fundamental reason for the system. Initially authorised by Congress in 2007, the programme takes a multi-tiered risk assessment approach to identify high-risk chemical facilities. After a tier has been assigned, facilities are required to meet and maintain performance-based security standards appropriate to the facilities and the risks they pose.
CFATS is administered by the Infrastructure Security Compliance Division (ISCD) of DHS, which works with facilities to ensure they have security measures in place to reduce the risks associated with certain hazardous chemicals. More than 300 ‘Chemicals of Interest’ (COIs) and their respective screening threshold quantities (STQ) are listed in Appendix A of CFATS, which can be found in Title 6 of the Code of Federal Regulations (6 CFR), Part 27.
On 18 December 2014, the CFATS Act was signed into law, reauthorising the CFATS programme for four years, expiring in 2019. The CFATS Act of 2014 provides DHS with the authority to enter, inspect and audit the property, equipment, operations and records of facilities in scope of CFATS.
HOW IT WORKS
The CFATS COIs are categorised according to three main security issues:
- toxic, flammable, or explosive chemicals or materials that can be released at a facility
- theft or diversion: chemicals or materials that, if stolen or diverted, can be converted into weapons using simple chemistry, equipment or techniques
- sabotage, referring to chemicals or materials that can be mixed with readily available materials.
The Chemical Security Assessment Tool (CSAT) is an online portal that houses the surveys that facilities are required to submit so DHS can determine which facilities are considered high-risk under the CFATS Act. All facilities that meet or exceed the specified concentrations and quantities for any COI are required to report possession of those chemicals to DHS by completing an online survey called a ‘Top-Screen’ using DHS’s CSAT system.
DHS maintains a 60-day policy for companies that hold COIs, meaning any company that holds a COI has 60 days to let DHS know so that the facility can be classified into a CFATS tier if required. Facilities determined to be high-risk are ranked into tiers 1, 2, 3 and 4 with tier 1 being the highest risk. Those that are determined not be high-risk are not regulated under the CFATS programme.
Since the Act was passed in 2014, DHS has created a revised tiering methodology that aims to better address security in facilities working with or producing COIs and make improvements to the tiering process, the result of which is known as the CFATS enhanced tiering methodology.
DHS determined that 36 per cent of the previously high-risk population remained in the tier that was originally allocated to them and 28 per cent of facilities have now moved to a different tier. These movements were found to be due to multiple factors, although the main cause was the addition of another site, or another COI to an existing site. Interestingly, 15 per cent of facilities previously considered to be high-risk are now considered not to be high-risk.
According to Graydon, the research that lead to the CFATS enhanced tiering methodology also found that facilities were able to make some structural and operational changes in order to maintain the highest level of security possible. Some facilities that have multiple sites near to one another found that by moving COIs into one facility, security measures can be focused on a single site, rather than several, making compliance with CFATS more straightforward.
CSAT it also contains the Security Vulnerability Assessment (SVA), Site Security Plan (SSP) and the Personnel Surety Programme (PSP). In September 2016, CSAT 2.0 was released in conjunction with the CFATS enhanced tiering methodology. With the updated CSAT 2.0 system came some structural changes to the surveys and applications. Updated questions in the Top-Screen survey are now included to provide more clarity for both the applicant and DHS. Additionally, this also cuts down the time it takes the applicant to provide DHS with important information about a given facility and the time it takes DHS to get back to the applicant regarding its decision.
Speaking on the topic of cyber security, Manning pointed to RBPS 9 – Cyber, the performance standard that addresses the deterrence of cyber sabotage, including preventing unauthorised on-site or remote access to critical process controls, critical business systems and other sensitive computerised systems.
When reviewing the cyber security section of an SSP, DHS considers the type of cyber assets, including control and business systems, as well as the types of enhanced security measures that would be appropriate for the sites involved. COIs play an important role when looking at a facility’s cyber security as, for example, businesses with critical business systems such as an inventory management system can be exploited and this could result in theft, diversion or sabotage of a COI.
Cyber security is also important when considering critical physical security systems. Often, facilities that have physical security systems, utilise these systems through remote connection and this can open the doors to cyber threats, not only to the COIs but the entire site.
The CFATS programme provides continuous support and guidance to facilities that fall under the CFATS umbrella. DHS has in the past year made more authorisation checks for new companies compared to compliance checks for existing companies, indicating a growing desire from the industry for the programme’s continuation. While it is currently uncertain whether the programme will be reauthorised in 2019, it is important to note that CFATS has made positive changes in the industry and its continuation would provide beneficial security to not only the facilities but the wider population as well.
[post_title] => CFATS: Layer cake
[post_status] => publish
[comment_status] => open
[ping_status] => open
[post_name] => cfats-layer-cake
[post_modified] => 2018-07-31 17:25:52
[post_modified_gmt] => 2018-07-31 16:25:52
[post_parent] => 0
[guid] => https://www.hcblive.com/?p=9834
[menu_order] => 0
[post_type] => post
[comment_count] => 0
[filter] => raw